Cisco SSL VPN solutions provide organizations with robust and flexible products for protecting the security and privacy of information, and can play an important part in an organization's compliance strategies. No single technology today addresses all security requirements under the proposed standards. In addition, given operating system limitations, no technology that interoperates with an operating system can ensure the total removal of all data, especially from an untrusted system with potentially malicious third party software installed. However, deployments using Cisco Secure Desktop (CSD), when combined with other security controls and mechanisms within the context of an effective risk management strategy and policy, can help reduce risks associated with using such technologies.
The following sections describe the capabilities of CSD, introduce the Secure Desktop Manager interface, and describe how to save configuration changes:
•Saving and Resetting the Running Configuration
CSD seeks to minimize the risks posed by the use of remote devices to establish a Cisco clientless SSL VPN or AnyConnect Client session. CSD provides a number of features that you can configure to work independently or together.
The following sections describe the CSD features:
•Integration with Dynamic Access Policies
•Secure Desktop (Vault)
•Keystroke Logger Detection
•Host Emulation Detection
Integration with Dynamic Access Policies
The security appliance integrates the CSD features into dynamic access policies (DAPs). Depending on the configuration, the security appliance uses one or more endpoint attribute values in combination with optional, AAA attribute values as conditions for assigning a DAP. The CSD features supported by the endpoint attributes of DAPs include OS detection, CSD policies, Basic Host Scan results, and Endpoint Assessment. (The sections that follow describe these features.)
As an administrator, you can specify a single attribute or combine attributes that together form the conditions required to assign a DAP to a session. The DAP provides network access at the level that is appropriate for the endpoint AAA attribute value. The security appliance applies a DAP when all of its configured endpoint criteria are satisfied.
Host Scan is a module that installs on the remote device after the user connects to the security appliance, before the user logs in. Host Scan consists of any combination of the following modules (Basic Host Scan, Endpoint Assessment, and advanced Endpoint Assessment), as configured by the CSD administrator. Host Scan runs on Microsoft Windows, Apple Mac OS, and Linux. For detailed requirements, see the Cisco Secure Desktop Release Notes.
Basic Host Scan
Basic Host Scan automatically identifies operating systems and service packs on connecting computers. It also lets you configure inspections for specified processes, files, and registry keys. Thus, you can use this feature to configure checks for watermarks on remote computers to determine whether they are corporate-owned. You can use the results to be returned by Basic Host Scan when configuring different DAPs to distinguish corporate computers, home computers, and public computers.
Basic Host Scan attempts to run on any remote device establishing a Cisco clientless SSL VPN or AnyConnect Client session, if CSD is enabled on the security appliance. The OS detection automatically qualifies or disqualifies the remote device from running Endpoint Assessment, Advanced Endpoint Assessment, Secure Desktop (Vault), and Cache Cleaner, whichever is configured to run. Process name, filename, and registry key checking to be performed by Basic Host Scan must be explicitly configured using Secure Desktop Manager. Basic Host Scan returns the name of the OS and service pack, and the results of any configured checks to the security appliance.
The security appliance evaluates the returned values against the endpoint criteria explicitly configured into the DAPs. Thus, you can assign DAPs to devices based on this data. To view the list of the operating systems and service packs this module detects, choose Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit, Add or Edit next to the endpoint attributes table, select Operating System from the Endpoint Attribute Type drop-down list, check OS Version, and click the arrow to the right of the adjacent operator.
Basic Host Scan automatically returns the following additional values for evaluation against configured DAP endpoint criteria:
•Microsoft Windows, Mac OS, and Linux builds
•Listening ports active on a connecting host running Microsoft Windows
•CSD components installed on the connecting host
•Microsoft Knowledge Base numbers (KBs)
If you want to configure endpoint criteria to match other data, enter the appropriate free-form Lua text into the Advanced Logical Expressions text box. Be aware that doing so requires sophisticated knowledge of Lua. For more information, open the Add or Edit Dynamic Access Policies window, click Advanced at the bottom of the Selection Criteria area, and click the Guide button to the right of the Logical Expressions text box.
Endpoint Assessment, a Host Scan extension, examines the remote computer for a large collection of antivirus and antispyware applications, associated definitions updates, and firewalls. You can use this feature to combine endpoint criteria to satisfy your requirements before the security appliance assigns a specific DAP to the session.
Advanced Endpoint Assessment
Advanced Endpoint Assessment, another Host Scan extension, lets you configure an attempt to update noncompliant computers. For example, you can use this feature to attempt to force updates of a specific antivirus application version and its antivirus definitions file.
Note This feature requires an Advanced Endpoint Assessment license.
The prelogin assessment module also installs itself after the user connects to the security appliance, but before the user logs in. This module can check the remote device for files, digital certificates, the OS, IP address, and Microsoft Windows registry keys.
Secure Desktop Manager, the administrator interface to CSD, provides a graphical sequence editor to simplify the configuration of the prelogin assessment module.
When configuring the prelogin assessment module, the CSD administrator creates branches of nodes called sequences. Each sequence begins with the Start node, followed by an endpoint check. The result of the check determines whether to perform another endpoint check or to terminate the sequence with an end node.
The end node determines whether to display a Login Denied message, assign a CSD policy to the device, or perform a secondary set of checks called a subsequence. A subsequence is a continuation of a sequence, typically consisting of more endpoint checks and an end node. This feature is useful to do the following:
•Reuse a sequence of checks in some cases but not others.
•Create a set of conditions that have an overall purpose that you want to document by using the subsequence name.
•Limit the horizontal space occupied by the graphical sequence editor.
CSD policies let you determine how remote devices connect to your virtual private network, and protect them accordingly. These policies specify the remote user experience, rights, and restrictions. You create these policies when you configure the prelogin assessment module. The results of the checks in the graphical sequence editor determine whether the prelogin assessment results in the assignment of a particular prelogin policy or in a denial.
As you create each policy, Secure Desktop Manager adds a menu named after the policy. Each of the policy menus let you assign unique settings to the policy. These settings determine whether the Secure Desktop (Vault) module, Cache Cleaner module, or neither module installs on remote devices that match the prelogin criteria assigned to the policy. Administrators typically assign these modules to noncorporate computers to prevent access to corporate data and files after the session is over. The sections that follow provide more information about the Secure Desktop and Cache Cleaner modules.
You might choose to assign neither Secure Desktop nor Cache Cleaner to the policy if the remote device is a corporate computer. For example, computers connecting from within a workplace LAN on a 10.x.x.x network are an unlikely risk for exposing confidential information. For these computers, you might set up prelogin policy named Secure to match the IP addresses on the 10.x.x.x network, and disable Secure Desktop and Cache Cleaner on that policy.
In contrast, users' home computers might be considered more at risk to viruses because of their mixed use. For these computers, you might set up a prelogin policy named home for employees' home computers on which they have installed a corporate-supplied certificate. DAP criteria that includes this prelogin policy should also require the presence of antivirus and antispyware software to grant full access to the network.
Finally, for untrusted locations such as Internet cafes, you might set up a prelogin policy named "Public" that has either no matching criteria, thus making it the default policy for remote access devices that do not meet the requirements of more secure policies; or you might define criteria that are less stringent. This prelogin policy would require a Secure Desktop installation, and include a short timeout period to prevent access by unauthorized users.
Secure Desktop (Vault)
Secure Desktop, encrypts the data and files associated with or downloaded during the remote session into a secure desktop partition, and presents a graphical representation of a desktop that includes an image of a lock to signify a safe environment for the remote user to work in. Upon session termination, it uses a U.S. Department of Defense (DoD) sanitation algorithm to remove the partition.
Typically used during clientless SSL VPN sessions, Secure Desktop attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or after an abrupt termination occurs.
As an administrator, you can control Secure Desktop access to the registry, command window, network drives and folders, and removable drives.
Secure Desktop runs only on 32-bit Microsoft Windows OS's. For detailed requirements, see the Cisco Secure Desktop Release Notes. If a prelogin policy is configured to install Secure Desktop, but the operating system on the remote computer does not support it, Cache Cleaner attempts to install instead.
Browser plug-ins, shell extensions, and a cluttered registry can greatly extend the time needed for Secure Desktop to perform the read and write operations on the registry. Secure Desktop performs registry operations to do the filtering necessary to perform its tasks. It can therefore take a longer period of time than one would expect for the clientless SSL VPN login page to open Secure Desktop if the remote computer is slow or is cluttered.
Only the Documents and Settings, WINDOWS and Program Files directory on Microsoft Windows are visible from the Secure Desktop (Vault). For optimum security, only applications installed under in these directories are accessible under Secure Desktop. It does not support or allow access to applications not found in these default installation locations.
Secure Desktop does not encrypt or clean system memory information, including that which may be left on the disk by the operating system in the Microsoft Windows virtual memory file, commonly referred to as the paging file. Secure Desktop Manager provides an option that seeks to disable printing from within a user session. If local printing is permitted, there may be instances when data can remain in the local system print spool.
Cache Cleaner, an alternative to Secure Desktop, is functionally more limited, but has the flexibility to support more operating systems. It attempts to eliminate the information from the browser cache at the end of a clientless SSL VPN or AnyConnect Client session. This information includes entered passwords, auto-completed text, files cached by the browser, and browser configuration changes made during the session.
Cache Cleaner runs on Microsoft Windows, Apple Mac OS, and Linux. For detailed requirements, see the Cisco Secure Desktop Release Notes.
Keystroke Logger Detection
You can configure selected prelogin policies to scan for processes or modules that record keystrokes entered by the user, and deny VPN access if a suspected keystroke logging application is present.
By default, keystroke logger detection is disabled for each prelogin policy. You can use Secure Desktop Manager to enable or disable keystroke logger detection. You can specify the keystroke loggers that are safe or let the remote user interactively approve the ones that the scan identifies as a condition for running Secure Desktop, Cache Cleaner, or Host Scan on the remote computer.
If you enable it, it downloads with Secure Desktop, Cache Cleaner, or Host Scan onto the remote computer. Following the download, keystroke logger detection runs only if the OS is Windows and the user login has administrator privileges.
The associated module runs only if the scan is clear, or only if you assign administrative control to the user and the user approves of the applications the scan identifies.
Note Keystroke logger detection applies to both user mode and kernel mode loggers as long as the end-user is logged in with administrator privileges.
Keystroke logger detection runs only on 32-bit Microsoft Windows OS's. It runs on the same OS's as Secure Desktop (Vault).
Keystroke logger detection may be unable to detect every potentially malicious keystroke logger. It does not detect hardware keystroke logging devices.
Host Emulation Detection
Host emulation detection, another feature of prelogin policies, determines whether a remote Microsoft Windows operating system is running over virtualization software. You can use Secure Desktop Manager to enable or disable this feature, and deny access if a host emulator is present or report the detection to the user and let the user decide whether to continue or terminate.
By default, host emulation detection is disabled for each prelogin policy. If you enable it, it downloads with Secure Desktop, Cache Cleaner, or Host Scan onto the remote computer. Following the download, host emulation detection runs first, along with keystroke logger detection if it is configured to do so. The associated module then runs if either of the following conditions are true:
•The host is not running over an emulator (or virtualization software).
•You did not configure it to always deny access, and the user approves of the detected host emulator.
Host emulation detection runs only on 32-bit Microsoft Windows OS's. It runs on the same OS's as Secure Desktop (Vault).
When fully configured, CSD works with the security appliance to protect the corporate network as follows:
Step 1 The remote device attempts to establish a clientless SSL VPN or AnyConnect Client session with the security appliance.
Note Each of the "modules" identified in this section are features of CSD.
Step 2 A prelogin assessment module checks for the following on the remote device:
•Presence or absence of any files you (the CSD administrator) specify.
•Presence or absence of any registry keys you specify. This check applies only if the computer is running Microsoft Windows.
•Presence of any digital certificates you specify. This check also applies only if the computer is running Microsoft Windows.
•IP address within a range you specify.
Step 3 One of the following events occurs, depending on the result of the previous step:
•The Login Denied message appears if the remote computer runs the prelogin assessment and traverses a sequence that ends with a Login Denied end node. In this case, interaction between the security appliance and the remote device stops.
•The prelogin assessment module assigns a prelogin policy name to the device and reports the name of the prelogin policy to the security appliance.
Step 4 Host Scan downloads and runs with Secure Desktop, Cache Cleaner, or neither, depending on whether one of these modules is enabled on the prelogin policy assigned to the remote device. If Secure Desktop is enabled but it cannot run on the operating system detected, only Cache Cleaner runs.
Step 5 The user logs in.
Step 6 The security appliance typically uses the authentication data along with any configured endpoint attribute criteria, which can include such values as the prelogin policy and Host Scan results, to apply a DAP to the session.
Step 7 Following the termination of the user session, Host Scan terminates, and Cache Cleaner or Secure Desktop performs its cleanup functions.
The management interface called Secure Desktop Manager lets you configure CSD on the security appliance. After installing and enabling CSD, choose Configuration > Remote Access VPN > Secure Desktop Manager.
The Secure Desktop Manager pane opens. When CSD is disabled, only the Setup menu option is present. This option lets you enable CSD. When you install and enable Secure Desktop, exit ASDM, and establish a new ASDM connection, Secure Desktop Manager displays the full menu. Figure 1-1 shows the Secure Desktop Manager pane and the fully-expanded, default menu.
Figure 1-1 Secure Desktop Manager (Initial)
The following options are present in the Secure Desktop Manager menu:
•Setup—Lets you retrieve a CSD image from your computer and install the image, replace and install the existing image with a newer or older one, uninstall the image, and enable or disable CSD.
•Global Settings—Lets you change the level of CSD logging that occurs on VPN user endpoints when users connect to the security appliance.
•Prelogin Policy — Lets you view or configure the prelogin assessment of computers connecting to the security appliance, and add, view, rename, or remove prelogin policies to be applied to remote computers that pass prelogin assessment criteria.
Use the Prelogin Policy option to specify the conditions the remote computer must satisfy to qualify for a prelogin policy assignment. For example, you can assign a prelogin policy named "Secure" to remote computers with DHCP-assigned IP addresses within the corporate address range.
•Secure Desktop Customization—Lets you rebrand and customize the Secure Desktop windows displayed to remote users, including the Secure Desktop background (the lock icon) and its text color, and the dialog banners for the Desktop, Cache Cleaner, Keystroke Logger, and Close Secure Desktop windows.
•Default—By default, the prelogin policy diagram displayed by the graphical sequence editor has only one prelogin policy. Its name is Default. Secure Desktop Manager adds a menu to the left for every prelogin policy named in the Prelogin Policy diagram. You can view and change the settings assigned to the prelogin policy by clicking its name in the menu or clicking its subordinate options.
When you add a prelogin policy to the configuration, Secure Desktop Manager displays the name of the policy in the menu, along with the following options for configuring privileges and restrictions for that policy:
–Keystroke Logger & Safety Checks—Enables and disables scans of the remote PC for keystroke logging applications and a host emulator.
–Cache Cleaner — Click to refine the Cache Cleaner settings if Secure Desktop or Cache Cleaner on the parent menu is checked. This option now supports Microsoft Windows Vista, Windows XP, and Windows 2000; Apple Macintosh OS X 10.4 (PowerPC or Intel); and Linux.
–Secure Desktop (Vault) General—Lets you specify Secure Desktop (Vault) settings if it is enabled.
–Secure Desktop (Vault) Settings—Lets you place restrictions on Secure Desktop if it is enabled.
–Secure Desktop (Vault) Browser—Lets you specify the default home page for the browser. This option also lets you specify folders and bookmarks (or "favorites") to insert into the respective browser menu during the session.
•Host Scan—Click to specify files, processes, and Microsoft Windows registry keys to scan for after completing the prelogin assessment. The scan for these items is called a Basic Host Scan. You can also click Host Scan to enable Endpoint Assessment, a scan for antivirus, personal firewall, and antispyware applications and updates that are running on the remote computer. Finally, you can click Host Scan to configure an Advanced Endpoint Assessment, which updates the specified applications and updates on noncompliant computers. This latter feature requires you to have an Advanced Endpoint Assessment license.
Following the configuration of the prelogin policies and host scan options, you can configure a match of any one or any combination of the following Host Scan results to assign a dynamic access policy following the user login:
•registry key (Microsoft Windows only)
•personal firewall application
Saving and Resetting the Running Configuration
Secure Desktop Manager saves all CSD configuration data to disk0:/sdesktop/data.xml.
Note To copy the configuration settings from one security appliance to another, transfer a copy of the disk0:/sdesktop/data.xml file to the flash device of the target security appliance. Disable and reenable Cisco Secure Desktop to copy the disk0:/sdesktop/data.xml file into the running configuration.
The security appliance stores the settings displayed in the Secure Desktop Manager > Setup pane. Secure Desktop Manager stores the remaining settings in the disk0:/sdesktop/data.xml file. Secure Desktop Manager displays two buttons at the bottom of the panes beginning with Secure Desktop Manager > Prelogin Policy for interacting with that file. Use these buttons as follows:
•To save the running CSD configuration to the data.xml file, click Apply All.
•To remove all unapplied changes from this Secure Desktop Manager session, click Reset All.
An "Unapplied Changes" dialog box prompts you to save the CSD configuration if you try to navigate away from it or exit without having saved the configuration. Clicking Apply Changes in that window is equivalent to clicking the Apply All button.