Table Of Contents
Introduction
Features
Integration with Dynamic Access Policies
Host Scan
Basic Host Scan
Endpoint Assessment
Advanced Endpoint Assessment
Prelogin Assessment
Prelogin Policies
Secure Session
Cache Cleaner
Keystroke Logger Detection
Host Emulation Detection
OS Detection
Cisco Secure Desktop Workflow
Secure Desktop Manager
Saving and Resetting the Running Configuration
Interoperability
Operating Systems
OS Detection
OS Interoperability
Browsers
Clientless SSL VPN
AnyConnect Client
Introduction
The following sections describe the capabilities of Cisco Secure Desktop, introduce the Secure Desktop Manager interface, and describe how to save configuration changes:
• Features
• Cisco Secure Desktop Workflow
• Secure Desktop Manager
• Saving and Resetting the Running Configuration
• Interoperability
Features
Cisco Secure Desktop seeks to minimize the risks posed by the use of remote devices to establish a Cisco clientless SSL VPN or AnyConnect Client session. Cisco Secure Desktop provides a number of features that you can configure to work independently or together.
Cisco SSL VPN solutions provide organizations with robust and flexible products for protecting the security and privacy of information, and can play an important part in an organization's compliance strategies. No single technology today addresses all security requirements under the proposed standards. In addition, given operating system limitations, no technology that interoperates with an operating system can ensure the total removal of all data, especially from an untrusted system with potentially malicious third party software installed. However, deployments using Cisco Secure Desktop, when combined with other security controls and mechanisms within the context of an effective risk management strategy and policy, can help to reduce risks associated with using such technologies.
The following sections describe the Cisco Secure Desktop features:
• Integration with Dynamic Access Policies
• Host Scan
• Prelogin Assessment
• Prelogin Policies
• Secure Session
• Cache Cleaner
• Keystroke Logger Detection
• Host Emulation Detection
• OS Detection
Integration with Dynamic Access Policies
The security appliance integrates the Cisco Secure Desktop features into dynamic access policies (DAPs). Depending on the configuration, the security appliance uses one or more endpoint attribute values in combination with optional, AAA attribute values as conditions for assigning a DAP. The Cisco Secure Desktop features supported by the endpoint attributes of DAPs include OS detection, prelogin policies, Basic Host Scan results, and Endpoint Assessment. (The sections that follow describe these features.)
As an administrator, you can specify a single attribute or combine attributes that together form the conditions required to assign a DAP to a session. The DAP provides network access at the level that is appropriate for the endpoint and AAA attribute values. The security appliance applies a DAP when all of its configured endpoint criteria are satisfied. If, after the assignment of a DAP, a remote device later satisfies the conditions required by another DAP, the security appliance replaces the previous DAP assignment with the new one. A change in the security posture of the remote device during the session is one example that shows the advantage of this flexibility.
Host Scan
Host Scan is a module that installs on the remote device. It consists of any combination of the Basic Host Scan, Endpoint Assessment, and Advanced Endpoint Assessment, as configured by the Cisco Secure Desktop administrator. In Version 3.2, Host Scan runs on Microsoft Windows Vista, XP, and 2000 only.
The following sections describe the Host Scan features.
Basic Host Scan
Basic Host Scan inspects computers for any registry entries, process names, and filenames and associated hash values that you specify. You can use this feature to configure checks for watermarks on a remote computer, as well as configure checks for malware. The watermarks can signify whether the computer is corporate-owned. Thus, you can specify different Basic Host Scan results when configuring DAPs for corporate computers, home computers, and public computers.
Although Basic Host Scan includes checks that are also available in the prelogin assessment module, configuring these checks in the Basic Host Scan module provides for a more robust DAP assignment than one configured as part of a prelogin policy because Host Scan runs periodically. The prelogin assessment module runs only once.
Endpoint Assessment
Endpoint Assessment, a Host Scan extension, examines the remote computer for a large collection of antivirus, firewall, and antispyware applications, operating systems, and associated updates. You can use this feature to combine endpoint criteria to satisfy your requirements before the security appliance assigns a specific DAP to the session.
Advanced Endpoint Assessment
Advanced Endpoint Assessment, another Host Scan extension, lets you configure an attempt to update noncompliant computers. For example, you can use this feature to attempt to force updates of a specific antivirus application version and its antivirus definitions file. This feature requires an Advanced Endpoint Assessment license.
Prelogin Assessment
The prelogin assessment module installs itself after the user connects to the security appliance, but before the user logs in. This module can check the remote device for files, digital certificates, the OS version, IP address, and Microsoft Windows registry keys.
Secure Desktop Manager, the administrator interface to Cisco Secure Desktop, provides a graphical sequence editor to simplify the configuration of the prelogin assessment module.
When configuring the prelogin assessment module, the Cisco Secure Desktop administrator creates branches of nodes called sequences. Each sequence begins with the Start node, followed by an endpoint check. The result of the check determines whether to perform another endpoint check or to terminate the sequence with an end node.
The end node determines whether to display a Login Denied message, assign a prelogin policy to the device, or perform a secondary set of checks called a subsequence. A subsequence is a continuation of a sequence, typically consisting of more endpoint checks and an end node. This feature is useful to do the following:
• Reuse a sequence of checks in some cases but not others.
• Create a set of conditions that have an overall purpose that you want to document by using the subsequence name.
• Limit the horizontal space occupied by the graphical sequence editor.
Prelogin Policies
Prelogin policies let you determine how PCs running Windows operating systems connect to your virtual private network, and protect them accordingly. Prelogin policies specify the remote user experience, rights, and restrictions. You create prelogin policies when you configure the prelogin assessment module. The results of the checks in the graphical sequence editor determine whether the prelogin assessment module assigns a particular prelogin policy.
As you create each policy, Secure Desktop Manager adds a menu and assigns the name of the policy to that menu. By default, the graphical sequence editor end node contains a prelogin policy named Default. Thus, by default, Secure Desktop Manager also contains a menu named Default. This menu and the menus for any other prelogin policies you create let you assign the Secure Session module, Cache Cleaner module, or neither module to the remote device. Administrators typically assign these modules to noncorporate computers to prevent access to corporate data and files after the session is over. The sections that follow provide more information about the Secure Session and Cache Cleaner modules.
You might choose to assign neither Secure Session nor Cache Cleaner to the prelogin policy if the remote device is a corporate computer. For example, PCs connecting from within a workplace LAN on a 10.x.x.x network behind a NAT device are an unlikely risk for exposing confidential information. For these PCs, you might set up a prelogin policy named Secure to match the IP addresses on the 10.x.x.x network, and disable Secure Session and Cache Cleaner on that policy.
In contrast, users' home PCs might be considered more at risk of viruses because of their mixed use. For these PCs, you might set up a prelogin policy named Home for employees' home PCs on which they have installed a corporate-supplied certificate. This prelogin policy, when configured as one of the DAP criteria, would require the presence of antivirus and antispyware software to grant full access to the network.
Finally, for untrusted locations such as Internet cafes, you might set up a prelogin policy named "Public" that either has no matching criteria, making it the default policy for remote access devices that do not meet the requirements of more secure policies, or has criteria that are less stringent. This prelogin policy would require a Secure Session installation and include a short timeout period to prevent access by unauthorized users.
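The sequence, subsequence and end-node rules described above, modelled in Python as an added example (not Cisco's code and not the Secure Desktop Manager's own format). The Endpoint attributes, the node names and the "corp-issued" certificate label are assumptions; the three policies follow the Secure, Home and Public cases in this section.

```python
"""Model of a Cisco Secure Desktop prelogin assessment sequence.
Added illustration, not Cisco's code: node names, the Endpoint record and
the certificate label are constructed to mirror the Secure, Home and
Public prelogin policies the text describes."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Union

LOGIN_DENIED = "Login Denied"   # end node that stops the session

@dataclass
class Endpoint:
    """Attributes the prelogin assessment module can inspect (constructed)."""
    ip: str
    os_version: str
    certificates: set = field(default_factory=set)
    registry_keys: set = field(default_factory=set)
    files: set = field(default_factory=set)

@dataclass
class Check:
    """One endpoint check; each branch leads to another check or an end node."""
    name: str
    test: Callable[[Endpoint], bool]
    on_true: "Node"
    on_false: "Node"

# An end node is a plain string: a prelogin policy name or LOGIN_DENIED.
Node = Union[Check, str]

def run_sequence(start: Node, ep: Endpoint, max_depth: int = 32) -> str:
    """Walk from the Start node until an end node is reached. The depth
    limit only guards against a hand-built sequence that loops; the
    graphical sequence editor produces a finite tree."""
    node = start
    for _ in range(max_depth):
        if isinstance(node, str):
            return node
        node = node.on_true if node.test(ep) else node.on_false
    raise RuntimeError("prelogin sequence did not reach an end node")

def on_corporate_lan(ep: Endpoint) -> bool:
    """The 10.x.x.x workplace LAN case from the text."""
    return ipaddress.ip_address(ep.ip) in ipaddress.ip_network("10.0.0.0/8")

def has_corporate_cert(ep: Endpoint) -> bool:
    return "corp-issued" in ep.certificates   # constructed certificate label

# Subsequence reused for every device that is not on the corporate LAN.
# Denying login on an OS the Host Scan modules do not run on is this
# model's own choice, not a rule stated in the text.
REMOTE_SUBSEQUENCE = Check(
    "OS version supported",
    lambda ep: ep.os_version in {"Windows Vista", "Windows XP", "Windows 2000"},
    on_true=Check("Corporate certificate present", has_corporate_cert,
                  on_true="Home", on_false="Public"),
    on_false=LOGIN_DENIED,
)

START = Check("IP address in 10.0.0.0/8", on_corporate_lan,
              on_true="Secure", on_false=REMOTE_SUBSEQUENCE)

def assess(ep: Endpoint) -> str:
    """Return the prelogin policy assigned to the endpoint, or LOGIN_DENIED."""
    return run_sequence(START, ep)
```

Because the corporate-LAN check comes first in the sequence, a device on 10.x.x.x is assigned Secure before the subsequence runs, which is why the OS and certificate checks never apply to it.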
Secure Session
Secure Session, also called Secure Desktop or Vault, encrypts the data and files associated with or downloaded during the remote session into a secure desktop partition, and presents a graphical representation of the desktop on the remote device to signify a safe environment for the remote user to work in. Upon session termination, it uses a U.S. Department of Defense (DoD) sanitation algorithm to remove the partition.
Typically used during clientless SSL VPN sessions, Secure Session attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or after an abrupt termination occurs.
If a prelogin policy is set to run Secure Session on the remote device, but the operating system identified by OS Detection does not support Secure Session, Cisco Secure Desktop attempts to install Cache Cleaner on the remote device instead.
Secure Session runs over Microsoft Windows XP or 2000. Secure Session does not encrypt or clean system memory information, including that which may be left on the disk by the operating system in the Windows virtual memory file, commonly referred to as the paging file. Secure Desktop Manager provides an option that seeks to disable printing from within a user session. If local printing is permitted, there may be instances when data can remain in the local system print spool. See the "Interoperability" section for more information about Secure Session.
Cache Cleaner
Cache Cleaner, an alternative to Secure Desktop, is functionally more limited than Secure Session, but has the flexibility to support more operating systems. It attempts to eliminate the information from the browser cache at the end of a clientless SSL VPN or AnyConnect Client session. This information includes entered passwords, auto-completed text, files cached by the browser, and browser configuration changes.
Cache Cleaner runs on Microsoft Windows Vista, XP, and 2000; Apple Macintosh OS X 10.4 (PowerPC or Intel); and Linux. See the "Interoperability" section for more information about Cache Cleaner.
Keystroke Logger Detection
Keystroke logger detection lets you configure a prelogin policy to scan for keystroke logging applications and deny access if a suspected keystroke logging application is present. You can use Secure Desktop Manager to enable or disable this feature, and specify the keystroke logging applications that are safe or let the remote user interactively approve of the applications the scan identifies.
By default, keystroke logger detection is disabled for each prelogin policy. If you enable it, it downloads to the remote device together with Secure Desktop and Cache Cleaner for Microsoft Windows. Following the download, keystroke logger detection runs first. Secure Desktop or Cache Cleaner runs only if the scan is clear, or if you assign administrative control to the user and the user approves the applications the scan identifies.
Keystroke logger detection may be unable to detect every potentially malicious keystroke logger, including but not limited to hardware keystroke logging devices.
Host Emulation Detection
Host emulation detection, a feature of prelogin policies, determines whether the remote operating system is running over virtualization software. You can use Secure Desktop Manager both to enable or disable this feature, and to deny access.
By default, host emulation detection is disabled for each prelogin policy. If you enable it, it downloads with Secure Desktop or Cache Cleaner onto the remote device. Following the download, host emulation detection runs, along with keystroke logger detection if it too is enabled. Secure Desktop or Cache Cleaner runs only if the scan is clear, or if you enable host emulation detection without enabling it to deny access.
OS Detection
OS Detection is the first Cisco Secure Desktop module to install on the remote device when the user connects to the security appliance. It identifies both the operating system and service pack. This information qualifies or disqualifies the remote device for other Cisco Secure Desktop installation modules. These modules include the prelogin assessment, Host Scan, Secure Session, and Cache Cleaner.
OS Detection attempts to install automatically on any remote device establishing a Cisco clientless SSL VPN or AnyConnect Client session, if Cisco Secure Desktop is enabled on the security appliance.
The security appliance evaluates the value returned by OS Detection against any DAPs that specify the OS and service pack as an endpoint attribute. Thus, you can assign DAPs to devices based on this data. The "Interoperability" section lists the operating systems and service packs this module detects.
Cisco Secure Desktop Workflow
When fully configured, Cisco Secure Desktop works with the security appliance to protect the corporate network as follows:
Step 1 The remote device attempts to establish a clientless SSL VPN or AnyConnect Client session with the security appliance.
Step 2 An OS detection module reports the operating system of the remote device to the security appliance.
Note Each of the "modules" identified in this section is a feature of Cisco Secure Desktop.
Step 3 A prelogin assessment module checks the remote device for any files, digital certificates, the OS version, IP address, and Microsoft Windows registry keys specified by the Cisco Secure Desktop administrator.
Step 4 One of the following events can occur, depending on the result of the previous step:
• The Login Denied message appears if the remote computer runs the prelogin assessment and traverses a sequence that ends with a Login Denied end node. In this case, interaction between Cisco Secure Desktop/security appliance and the remote device stops.
• The prelogin assessment module assigns a prelogin policy name to the device and reports the name of the prelogin policy to the security appliance.
The security appliance can use the prelogin policy alone, or in combination with other endpoint attribute values, such as the operating system, to assign a DAP to the session.
Step 5 Host Scan downloads and runs with Secure Session, Cache Cleaner, or neither, depending on whether one of these modules is enabled on the prelogin policy assigned to the remote device. If Host Scan is enabled but it cannot run on the operating system detected, only Cache Cleaner runs.
Step 6 The user logs in.
Step 7 The security appliance typically uses the authentication information along with any configured endpoint attribute criteria, which can include such values as the prelogin policy and Host Scan results, to apply a DAP to the session.
Step 8 Following the termination of the user session, Host Scan terminates, and Cache Cleaner or Secure Desktop performs its cleanup functions.
Secure Desktop Manager
Use Secure Desktop Manager to configure Cisco Secure Desktop on the security appliance. After installing and enabling Cisco Secure Desktop, choose Configuration > Remote Access VPN > Secure Desktop Manager.
The Secure Desktop Manager pane opens. When Cisco Secure Desktop is disabled, only the Setup menu option is present. This option lets you enable Cisco Secure Desktop.
Figure 1-1 shows the fully expanded, default menu and the Secure Desktop Manager pane, which appears after you install and enable Secure Desktop, exit the ASDM connection, and establish a new ASDM connection.
Figure 1-1 Secure Desktop Manager (Initial)
The following options are present in the Secure Desktop Manager menu:
• Setup—Lets you retrieve a Cisco Secure Desktop image from your computer and install it, replace the existing image with a newer or older one, uninstall the image, and enable or disable Cisco Secure Desktop.
• Windows Location Settings—Click to view or configure the prelogin assessment of Microsoft Windows computers, and add, view, rename, or remove the prelogin policies to be applied to remote computers that pass the prelogin assessment.
Use the Windows Location Settings option to specify the conditions the remote PC must satisfy to qualify for a prelogin policy assignment. For example, you can assign a prelogin policy named "Secure" to remote computers with DHCP-assigned IP addresses within the corporate address range.
• Default—By default, the Windows Location Settings diagram has only one prelogin policy, named Default. For every prelogin policy in the Windows Location Settings diagram, Secure Desktop Manager adds a tree using the prelogin policy name to the menu on the left. Click the name of the prelogin policy in the menu to view or change the settings that determine whether Secure Session or Cache Cleaner loads on the remote computer, and click any of the options below it and indented to the right to view or change the settings for that option.
When you add a prelogin policy to the configuration, Secure Desktop Manager displays the name of the policy in the menu, along with the following options for configuring privileges and restrictions for that policy:
– Keystroke Logger & Safety Checks—Enables and disables scans of the remote PC for keystroke logging applications and a host emulator.
– Secure Desktop General—Lets you specify Secure Session settings if Secure Session is enabled.
– Secure Desktop Settings—Lets you place restrictions on Secure Session if Secure Session is enabled.
– Secure Desktop Browser—Specifies the home page to which the browser connects when the remote user establishes a session. This option also lets you specify folders and bookmarks (or "favorites") to insert into the respective browser menu during the session.
• Mac & Linux Cache Cleaner—Click to configure the Cache Cleaner for remote computers running Mac OS X or Linux operating systems.
Cisco Secure Desktop does not support prelogin policies for computers running Mac OS X or Linux operating systems; however, it does support a limited set of security features for those platforms.
• Host Scan—Click to specify registry entries, files, and processes to scan for after completing the prelogin assessment. The scan for these items is called a Basic Host Scan. You can also click Host Scan to enable Endpoint Assessment, a scan for antivirus, personal firewall, and antispyware applications and updates that are running on the remote computer. Finally, you can click Host Scan to configure an Advanced Endpoint Assessment, which updates the specified applications and updates on noncompliant computers. This latter feature requires an Advanced Endpoint Assessment license.
Following the configuration of the prelogin policies and Host Scan options, you can configure a match of any one or any combination of the following Host Scan results to assign a dynamic access policy following the user login:
• operating system
• (prelogin) policy
• registry key
• file
• process
• antivirus application
• personal firewall application
• antispyware application
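The DAP selection rule from "Integration with Dynamic Access Policies", applied to the Host Scan results listed above, as an added Python example that is not Cisco's code. The DAP names, the HostScanResults record and the watermark values are constructed, and choosing the first matching DAP in configured order is an assumption of this model; the page does not say how the appliance picks among several matching DAPs.

```python
"""Model of dynamic access policy (DAP) selection from endpoint attributes.
Added illustration, not Cisco's code: DAP names, the HostScanResults record
and the watermark values are constructed. Matching follows the text: a DAP
applies only when all of its endpoint criteria are satisfied, and a later
Host Scan that satisfies another DAP replaces the earlier assignment."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class HostScanResults:
    """Endpoint attributes reported to the security appliance (constructed)."""
    os: str
    prelogin_policy: str
    registry_keys: Set[str] = field(default_factory=set)
    files: Dict[str, str] = field(default_factory=dict)   # path -> hash
    processes: Set[str] = field(default_factory=set)
    antivirus: Set[str] = field(default_factory=set)
    firewall: Set[str] = field(default_factory=set)
    antispyware: Set[str] = field(default_factory=set)

@dataclass
class Dap:
    name: str
    criteria: Dict[str, object]   # attribute -> requirement (see matches)

def matches(dap: Dap, r: HostScanResults) -> bool:
    """True only when every configured endpoint criterion is satisfied.
    A requirement is a set of allowed values (scalar attribute), a set of
    items that must all be present (set attribute), or a path->hash dict."""
    for attr, required in dap.criteria.items():
        actual = getattr(r, attr)
        if isinstance(actual, str):
            ok = actual in required
        elif isinstance(actual, dict):
            ok = all(actual.get(p) == h for p, h in required.items())
        else:
            ok = set(required) <= actual
        if not ok:
            return False
    return True

def select_dap(daps: List[Dap], r: HostScanResults) -> Optional[Dap]:
    """First DAP in configured order whose criteria all match, else None.
    Order as tie-break is this model's assumption; the text does not say
    how the appliance chooses among several matching DAPs."""
    return next((d for d in daps if matches(d, r)), None)

# Constructed watermark values for a corporate-owned machine.
WATERMARK_KEY = "HKLM\\SOFTWARE\\ExampleCorp\\AssetTag"
WATERMARK_FILE = "C:\\ExampleCorp\\asset.sig"
WATERMARK_HASH = "0123456789abcdef"   # placeholder, not a real digest

DAPS = [
    Dap("corporate-full", {"prelogin_policy": {"Secure"},
                           "registry_keys": {WATERMARK_KEY},
                           "files": {WATERMARK_FILE: WATERMARK_HASH}}),
    Dap("home-full", {"prelogin_policy": {"Home"}, "antivirus": {"ExampleAV"},
                      "antispyware": {"ExampleAS"}}),
    Dap("restricted", {}),   # no criteria: matches any endpoint
]

class Session:
    """Tracks the DAP assigned to one session across periodic Host Scans."""
    def __init__(self, daps: List[Dap]):
        self.daps, self.dap, self.history = daps, None, []

    def on_host_scan(self, r: HostScanResults) -> Optional[str]:
        new = select_dap(self.daps, r)
        if new is not self.dap:   # a different match replaces the old DAP
            self.history.append((self.dap and self.dap.name, new and new.name))
            self.dap = new
        return self.dap and self.dap.name
```

Feeding a second Host Scan in which the antivirus entry has disappeared moves the session from home-full to restricted, which is the periodic re-evaluation behaviour the Basic Host Scan section contrasts with the run-once prelogin assessment.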
Saving and Resetting the Running Configuration
Secure Desktop Manager saves all Cisco Secure Desktop configuration data to disk0:/sdesktop/data.xml.
Note
To copy the configuration settings from one security appliance to another, transfer a copy of the disk0:/sdesktop/data.xml file to the flash device of the target security appliance. Disable and reenable Cisco Secure Desktop to copy the disk0:/sdesktop/data.xml file into the running configuration.
The security appliance stores the settings displayed in the Secure Desktop Manager > Setup pane. Secure Desktop Manager stores the remaining settings in the disk0:/sdesktop/data.xml file. Secure Desktop Manager displays two buttons at the bottom of the panes beginning with Secure Desktop Manager > Windows Location Settings for interacting with that file. Use these buttons as follows:
• To save the running Cisco Secure Desktop configuration to the data.xml file, click Apply All.
• To overwrite all settings in the running Cisco Secure Desktop configuration with those stored in the data.xml file, click Reset All.
An "Unapplied Changes" dialog box prompts you to save the Cisco Secure Desktop configuration if you try to navigate away from it or exit without having saved the configuration. Clicking Apply Changes in that window is equivalent to clicking the Apply All button.
Interoperability
The following sections list the operating systems and browsers the Cisco Secure Desktop components support on clientless SSL VPN and AnyConnect sessions:
• Operating Systems
• Browsers
• Clientless SSL VPN
• AnyConnect Client
Operating Systems
The following sections list the operating systems identified by the Cisco Secure Desktop OS Detection module, and specify which operating systems the other Cisco Secure Desktop modules support:
• OS Detection
• OS Interoperability
OS Detection
OS Detection reports the following operating systems and service packs for DAP assignment:
• Microsoft Windows Vista
• Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Service Pack 1
• Microsoft Windows XP (no service pack)
• Microsoft Windows Server 2003
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows 2000 Service Pack 3
• Microsoft Windows 2000 Service Pack 2
• Microsoft Windows 2000 Service Pack 1
• Microsoft Windows 2000 (no service pack)
• Microsoft Windows 98 Second Edition
• Linux
• MacOS X
OS Interoperability
Table 1-1 shows which operating systems the Cisco Secure Desktop modules support.
Table 1-1 Operating Systems Supported by Cisco Secure Desktop
Operating System | Prelogin Assessment | Host Scan | Secure Session | Cache Cleaner
Microsoft Windows Vista | Yes | Yes | - | Yes
Microsoft Windows XP | Yes | Yes | Yes | Yes
Microsoft Windows 2000 | Yes | Yes | Yes | Yes
Apple Macintosh OS X 10.4 (PowerPC or Intel) | - | - | - | Yes
Linux | - | - | - | Yes
Browsers
Table 1-2 shows the Internet browsers that Secure Session and Cache Cleaner support. These modules may also work with other browsers.
Table 1-2 Browsers Supported by Secure Session and Cache Cleaner
Browsers | Secure Session | Cache Cleaner
Internet Explorer 6.0 Service Pack 1 | Yes | Yes
Internet Explorer 7.0 | Yes | Yes
Mozilla 1.7 to 1.7.13 | Yes | Yes
Mozilla Firefox 1.0 | Yes | -
Mozilla Firefox 1.5 | Yes | -
Mozilla Firefox 2.0 | Yes | -
Safari 1.0 to 1.3 | - | Yes
Safari 2.0 | - | Yes
Clientless SSL VPN
Table 1-3 shows the interoperability of the Cisco Secure Desktop modules on remote computers establishing clientless (browser-based) SSL VPN sessions.
Table 1-3 Clientless SSL VPN and Cisco Secure Desktop Interoperability
 | Cisco Secure Desktop Remote Module
Operating System | Prelogin Assessment | Host Scan | Secure Session | Cache Cleaner
Microsoft Windows Vista | Yes | Yes | - | Yes
Microsoft Windows XP | Yes | Yes | Yes | Yes
Microsoft Windows 2000 | Yes | Yes | Yes | Yes
Apple Macintosh OS X 10.4 (PowerPC or Intel) | - | - | - | Yes
Linux | - | - | - | Yes
AnyConnect Client
Table 1-4 shows the interoperability of the AnyConnect Client modes with Cisco Secure Desktop modules on remote computers.
Table 1-4 AnyConnect Client and Cisco Secure Desktop Interoperability
 | | Cisco Secure Desktop Remote Module
AnyConnect Client Mode (SBL must not be enabled)¹ | Operating System | Prelogin Assessment | Host Scan | Secure Session | Cache Cleaner
Standalone | Microsoft Windows Vista | Yes | Yes | - | -
Standalone | Microsoft Windows XP | Yes | Yes | Yes | -
Standalone | Microsoft Windows 2000 | Yes | Yes | Yes | -
Standalone | Apple Macintosh OS X 10.4 (PowerPC or Intel) | - | - | - | -
Standalone | Linux | - | - | - | -
WebLaunch | Microsoft Windows Vista | Yes | Yes | - | Yes
WebLaunch | Microsoft Windows XP | Yes | Yes | Yes | Yes
WebLaunch | Microsoft Windows 2000 | Yes | Yes | Yes | Yes
WebLaunch | Apple Macintosh OS X 10.4 (PowerPC or Intel) | - | - | - | Yes
WebLaunch | Linux | - | - | - | Yes