Cisco IOS SSL VPN

Transcription

Cisco IOS SSL VPN

Data Sheet
Cisco IOS SSL VPN
SSL-Based Remote-Access VPN Solution
Product Overview
®
Cisco IOS SSL VPN is the first router-based solution offering Secure Sockets Layer (SSL) VPN
remote-access connectivity integrated with industry-leading security and routing features on a
converged data, voice, and wireless platform. SSL VPN is compelling; the security is transparent
to the end user and easy for IT to administer. Using only a Web browser, companies can extend
their secure enterprise networks to any Internet-enabled location, including home computers,
Internet kiosks, and wireless hotspots-thereby enabling higher employee productivity and
protecting corporate data while providing network access to partners and consultants.
Cisco IOS SSL VPN supports both clientless and full-network-access SSL VPN capabilities.
Clientless access uses a Web browser to connect to applications such as HTML-based intranet
content, e-mail, network file shares, and Citrix. A Java-based application helper provides support
for additional TCP-based applications that are not Web-enabled. Cisco IOS SSL VPN also
supports the Cisco SSL VPN Client, helping enable dynamic full network access remotely to
virtually any application. As part of Cisco IOS SSL VPN, Cisco Secure Desktop provides advanced
endpoint security and helps prevent data such as cookies, browser history, temporary files, and
downloaded content from being left behind after an SSL VPN session terminates. Cisco IOS SSL
VPN deployment is simple with Cisco Router and Security Device Manager (SDM) wizards. Cisco
SDM also performs real-time monitoring and management of SSL VPN sessions.
Cisco IOS SSL VPN is a single-box solution, unlike other vendor products that require multiple
devices and management systems. An integrated solution is easier to learn, deploy, provision,
manage, and maintain, and has higher availability. This integrated solution has lower initial capital
expenditure, lower deployment costs, and lower operational costs over the lifetime of the solution.
It also provides investment protection-existing Cisco integrated services routers support Cisco IOS
SSL VPN through a feature upgrade license and software upgrade (Figure 1).
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 8
Data Sheet
Figure 1.
Integrated Services Router with IOS SSL VPN
Customized Application Access for Employees, Partners, and Non-Company-Managed PCs
Cisco IOS SSL VPN delivers clientless and SSL tunneling client access methods, enabling the
appropriate level of application access based on the deployment environment. Clientless access
with Cisco IOS SSL VPN allows users to connect, with few requirements beyond a basic Web
browser, and access Web servers or resources such as file shares and e-mail through Microsoft
Outlook Web Access. Additional TCP-based application access is achieved through a helper
application enabled by a small Java applet download. Port forwarding relays data requested by the
port on the local machine to the corresponding application port on the network side-granting the
user access to more applications and network resources than a Web browser offers. Table 1 lists
the features of Cisco IOS SSL VPN.
Table 1.
SSL VPN Clientless Operations
Feature
Description
Web content
transformation
Allows access to HTML- and JavaScript-based intranet content for those trying to access Webbased services on the company network
Clientless Citrix
Allows Citrix clients to use applications running on a remote Citrix server as if they were running
locally
Microsoft Outlook Web
Access 2000 and 2003
Allows access to Web e-mail in Microsoft Outlook Web Access for Microsoft Exchange 2000
and 2003 at the central site
Windows File SharingCommon Internet File
System (CIFS)
Allows file access to Windows file servers
SSL VPN Client
Supports virtually any application with a transparent “LAN-like” user experience, providing
comprehensive application support.
Java-based
application helper
Supplements clientless access by providing connectivity to non-Web applications such as email, instant messaging, Microsoft Outlook Calendar, and client-initiated TCP-based
applications such as Telnet
Page 2 of 8
Data Sheet
Terminal Server Support for Citrix
To minimize costs while maximizing remote connectivity options, many businesses are centralizing
their application management and distribution to allow access to internal computing resources
through terminal server architecture. For this reason, it is important that a robust remote-access
solution support Citrix deployments with a simple, dependable, and easy-to-use protocol, while
providing a local, system-based experience for application use. Typical SSL solutions require
either a software client or the existence of an applet download (Java or ActiveX) to access internal
terminal server resources, slowing application initiation and creating potential access problems
due to software conflicts or browser settings. Cisco IOS SSL VPN provides truly clientless Citrix
support without relying on additional Java-based port forwarding mechanisms, delivering rapid and
highly stable system access, regardless of browser or security settings (Table 2).
Table 2.
Enhanced Access to Internal Network Infrastructure Resources with Clientless Citrix Support
Feature
Description
Access to system
resources
Clientless access alleviates potential problems caused when incongruent browser or security
settings prohibit the download of a client or applet.
Swift connectivity
Application initiation is instantaneous, with no additional software client or applet downloads
required.
High performance
No local application translation is required.
Highly stable support
Client software conflicts with unmanaged machines or unfamiliar images are avoided with
clientless access.
With the SSL VPN Client (Table 3), Cisco delivers a lightweight, centrally configured, easy-tosupport SSL VPN tunneling client that allows access to virtually any application. The SSL VPN
Client is compatible with any SSL-enabled browser and dynamically made available to the user in
one of three methods-ActiveX, Java, or an .exe file.
Table 3.
Cisco SSL VPN Client : Broad Application Access Through a Network-Tunneling Client
Feature
Description
Universal application
access
This feature provides full client capabilities over SSL, including access to Cisco IP SoftPhone
and voice-over-IP (VoIP) support, increasing remote-user productivity.
Ease of download and
installation
Dynamic download and multiple delivery methods help ensure transparent download and
distribution with Java, ActiveX, or .exe.
Small download size helps ensure rapid delivery.
No reboot is required after installation.
Increased security
Client can be either removed at the end of a session or left permanently installed.
Zero-touch remote
administration
Central-site configuration provides integration, with no administration on the remote client side
needed.
Supported operating systems: Windows 2000 and Windows XP
Advanced Endpoint Security Minimizes the Risk of Data Theft
The potential for network security attacks increases with the extension of the network to both
secure and external endpoints. Whether users are accessing the network from a corporatemanaged PC, personal machine, or public terminal, the Cisco Secure Desktop seeks to minimize
data leakage from the SSL session. The Cisco Secure Desktop host integrity verification feature
performs pre-connection posture assessment to verify that the endpoint seeking access
possesses the particular antivirus, firewall, and OS or service pack features required, and detects
certain installed malware before granting access to the network. The Cisco Secure Desktop then
creates a secure vault for session information by generating a virtual “sandbox” on the machine.
Page 3 of 8
Data Sheet
During the session, information is encrypted and written to the Cisco Secure Desktop partition on
the hard drive. At the close of the session, the secure vault is eradicated using a U.S. Department
of Defense (DoD) sanitization algorithm. Session information, including cache files, history,
cookies, file downloads, and passwords, are encrypted in real time, reducing the risk that data is
left behind. This feature is unique; many comparable cache cleaning products attempt a postsession cleanup of tracked files. Similarly, the automatic timeout features of the Cisco Secure
Desktop help ensure that session information is erased, whether or not the user takes the active
role in terminating the session. The Cisco Secure Desktop can often run with guest permissions,
providing advanced protection on endpoints regardless of Web settings, browser types, or system
privileges. Table 4 lists features of Cisco Secure Desktop.
Table 4.
Cisco Secure Desktop: Comprehensive Security of Information from the Network to the Endpoint
Feature
Description
Available with guest
permissions
Users accessing the network from remote machines may not have administrator privileges on all
systems. Cisco Secure Desktop can often be installed with only guest permissions, helping
ensure delivery and installation on all systems.
Preconnection posture
assessment
Host integrity verification checking detects the presence of antivirus software, personal firewall
software, and Windows service packs on the endpoint system prior to granting network access.
Comprehensive session
protection
Additional protection is provided for all data associated with the session, including passwords,
file download history, cookies, and cache files. All session data is encrypted to the secure vault
of the Cisco Secure Desktop.
End-of-session data
cleanup
Data in the secure vault is overwritten at the end of the session.
Keystroke logger
detection
Cisco Secure Desktop performs an initial check for certain software-based keystroke logging
software at the start of the session. If an anomalous program begins running inside the secure
vault after session initiation, the user is prompted to stop the suspicious activity.
Figure 2 gives an application example for Cisco IOS SSL VPN.
Figure 2.
Application Example: Regional Law Firm with Multiple Offices
Page 4 of 8
Data Sheet
Features and Benefits
Advanced endpoint security—The Cisco Secure Desktop offers preconnection security
posture assessment and seeks to minimize data such as cookies, browser history,
temporary files, and downloaded content from being left behind after an SSL VPN session
terminates.
Broad application support for SSL VPN—The Cisco IOS SSL VPN solution offers
extensive application support through its dynamically downloaded SSL VPN client, enabling
network-layer connectivity to virtually any application. The solution delivers truly clientless
support for Citrix application access, allowing a transparent, low-overhead extension of the
network resources to VPN users through a standard Web browser. Pure clientless and thinclient port forwarding options can be deployed for environments with limited application
access requirements, such as extranets.
Comprehensive deployment scenario coverage—SSL and IPsec are complementary
technologies that address unique user access requirements; both are necessary in order
for a company to meet the needs of a diverse user base. Cisco IOS Software supports both
IPsec and SSL VPN, allowing businesses to choose the most appropriate technology for
users accessing the network through different scenarios. This provides maximum flexibility
and application access, all on one platform, alleviating the need to deploy and manage
separate infrastructures.
Simple, low, per-user pricing—The simple licensing structure of Cisco IOS SSL VPN (no
added licenses for special features), combined with the consolidated technology platform,
provides customers with unparalleled cost savings and competitive per-user pricing.
Ease of deployment with zero-touch remote endpoint management—Intuitive, Webbased Cisco SDM provides a simple interface to configure and monitor all remote-access
users, providing ease of manageability across both IPsec and SSL VPN environments.
Group-based management features allow administrators to design security policies and
authentication methods for each group, a feature that is essential when extending network
resources to non-corporate-managed users and endpoints.
Feature Availability
Table 5 gives information about feature availability. Table 6 gives additional features of the Cisco
IOS SSL VPN solution.
Table 5.
Feature Availability
Feature
Platform Support
Availability
Cisco IOS Software
Release
Cisco IOS SSL VPN
Cisco 870, 1800, 2800, 3700, 3800, 7200, and 7301
March 13, 2006
12.4(6)T
Page 5 of 8
Data Sheet
Figure 3.
Cisco Integrated Services Routers: Core SSL VPN Features for Router-Based Remote Access
A complimentary 2-user trial license is included on all supported platforms at no
additional cost.
Table 6.
Additional Features
Feature
Description
Scalability
Platform dependent:
Cisco 870, 2 users
Cisco 1811, 10 users
Cisco 1841 and Cisco 2801, 25 users
Cisco 2851, 75 users
Cisco 3825 and 3845, 100 users
User authentication
RADIUS or authentication, authorization, and accounting (AAA) server
End-system integrity
(Cisco Secure
Desktop)
Antivirus check
Browser support
Netscape, Internet Explorer, Firefox, and Mozilla
Protocols
SSL 3.0 and 3.1; and Transparent LAN Services (TLS) 1.0 configuration and management
Configuration and
management
Console command-line interface (CLI), HTTP, HTTPS, Telnet, Secure Shell (SSH) Protocol, and
Web-based Cisco SDM
Syslog support
Console display, external server, and internal buffer
Cipher suites
SSL_RSA_WITH_RC4_128_MD5
Personal firewall check
Seeks to minimize risk of temporary and downloaded files and cookies from remaining on
system
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CSC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
Network access
control
IP address, Differentiated Services Code Point/type of service (DSCP/ToS), TCP/User Datagram
Protocol (UDP) port, per-user, and per-group
Virtualization
Ability to divide into multiple contexts, with each context as a complete, logical representation of
the IOS SSL VPN service, complete with separate policies and configuration
Page 6 of 8
Data Sheet
Feature
Description
Virtual Routing
and Forwarding (VRF)Aware
VRF mapping
Single IP model (URL-based or login-name-based)
Multiple IP model
Per-VRF AAA server
Per-VRF Domain Name System (DNS) server
Per-VRF gateway
Per-VRF number of users
Ordering Information
For ordering information, refer to Table 7.
Table 7.
Ordering Information
Product Name
Part Number
Feature License SSL VPN Up To 10 Users (Incremental)
FL-WEBVPN-10-K9
FL-WEBVPN-25-K9
FL-WEBVPN-100-K9
FL-WEBVPN-10-K9=
FL-WEBVPN-25-K9=
FL-WEBVPN-100-K9=
Part numbers ending in “=” are spares and can be ordered independently of any other
product(s).
For more details visit:
http://www.cisco.com/en/US/products/ps6657/prod_bulletin0900aecd80501bb7.html
To Download the Software
Visit the Cisco Software Center to download Cisco IOS Software.
The Cisco IOS Software Release 12.4(6)T Advanced Security Image and above contain the Cisco
IOS SSL VPN feature set. For more information about Cisco IOS SSL VPN, visit
www.cisco.com/go/iossslvpn, contact your local Cisco account representative, or send e-mail to
[email protected].
Page 7 of 8
Data Sheet
Printed in USA
C78-60016-04 1/07
Page 8 of 8

Cisco IOS SSL VPN

Transcription

Similar documents

EcoCloud Desktop Verbindung für Linux