SASSL v1.0 Managing Advanced Cisco SSL VPN. 3 days lecture course and hands-on lab $2,495 USD 25 Digital Version

Transcription

1 Course: Duration: Fees: Cisco Learning Credits: Kit: 3 days lecture course and hands-on lab $2,495 USD 25 Digital Version Course Overview Managing Advanced Cisco SSL VPN (SASSL) v1.0 is an instructor-led three-day course focused on providing advanced knowledge and features of Secure Sockets Layer (SSL) VPNs on the Cisco Adaptive Security Appliance (ASA). Students will be able to evaluate various deployment options for SSL VPNs and configure advanced features using the Cisco Advanced Security Device Manager (ASDM) GUI. Objective Students will learn and able to meet following objectives: Describe client-based and clientless VPN solutions Explain the relationship between tunnel groups, group and user policies, connection profiles, and dynamic access policies Describe basic and advanced features of the clientless WebVPN solution, including smart tunnels, web ACLs, plug-ins, auto-signon, bookmarks, and portal customization Describe basic and advanced features within Cisco AnyConnect client version 3.0, including firewall policy push, Trusted Network Detection (TND), login scripts and profile editor Describe the features and benefits of Cisco Secure Desktop and understand the differences between the prelogin policies and Host Scan; use Cisco Secure Desktop to integrate Endpoint Assessment and Advanced Endpoint Assessment (AEA) Configure dynamic access policies (DAPs) Describe the process required to enroll the Cisco ASA appliance with a third-party certificate authority (CA) and how to enroll and retrieve user-based certificates to provide mutual authentication Explain how the username credential can be automatically populated and how the connection profile can be chosen automatically using the prefill and certificate mapping features in the Cisco ASA appliance December 30, / 8

2 Prerequisite Skills and Knowledge The knowledge and skills that a learner must have before attending this course are as follows: Skills and knowledge equivalent to those learned in Securing Networks with ASA Fundamentals (SNAF) Working knowledge of the Microsoft Windows operating system, including Microsoft Internet Explorer Understanding of SSL and certificate fundamentals It is recommended that a learner have the following knowledge and skills before attending this course: Skills and knowledge equivalent to those learned in Securing Networks with ASA Advanced (SNAA) -OR- Skills and knowledge equivalent to those learned in Virtual Private Networks (VPN) Laptop requirements Students registering for this course will be receive digital format course kit. To be able to view digital kit students will need to bring a laptop. The recommended system requirements are as under; Windows 7 or 8.1 or 10 is recommended. Mac OSX 10.6 or greater is supported as well. Intel Celeron or better processors are preferred. 1 GB or more of RAM Browser requirement: Internet Explorer 10 or Mozilla Firefox. (Safari, Mozilla Firefox for Mac OSX) Note: Our labs currently cannot run on Microsoft Edge (Windows 10) due to it not supporting Extensions/Add-ons or Google Chrome due to Java being removed from the platform itself. All students are required to have administrator rights to their PCs and cannot be logged in to a domain using any Group Policies that will limit their machine's capabilities. If you do not have administrator rights to your PC, you at least need permissions to download, install, and run Cisco Any Connect Client and Java. All PCs require the latest Java Runtime Environment, which can be downloaded from Course Outline Course Introduction The Course Introduction provides learners with the course objectives and prerequisite learner skills and knowledge. The Course Introduction presents the course flow diagram and the icons that are used in the course illustrations and figures. This course component also describes the curriculum for this course, providing learners with the information that they need to make decisions regarding their specific learning path. Overview Learner Prerequisite Skills and Knowledge Course Goal and Objectives Course Flow Additional References Lab Exercise Scenario Your Training Curriculum December 30, / 8

3 Module 1: Feature Mapping and Scenario Discussion This module provides an understanding of SSL technology and an overall understanding of which SSL VPN solution to implement given a set of requirements. Upon completing this module, the learner will be able to meet these objectives: Describe SSL technology Describe clientless SSL VPN features Describe AnyConnect features Design SSL VPN solution Select SSL VPN solution according to user access needs 1. SSL Technology Overview 2. Clientless SSL Feature Overview 3. AnyConnect Feature Overview 4. Group Deployment Type (Clientless versus AnyConnect) 5. License Requirements for Suggested Solution Module 2: Initializing ASA and Preparing for PKI and AAA Support This module provides an understanding of the ASA basic configuration required to allow the ASDM access to the ASA. The module also provides an understanding of enrolling with a third-party certificate authority and using self-signed and default certificates. RADIUS and LDAP authentication are discussed. Upon completing this module, the learner will be able to meet these objectives: Initialize ASA and enable ASDM Generate a self-signed persistent certificate Enroll a certificate from the CA server Integrate with the AAA server Monitoring 1. Basic ASA Configuration 2. Validating Licenses 3. Generating Self-Signed Certificate to Be Used with ASDM 4. Enrolling Digital Certificate from CA Server to Be Used for SSL VPN Access 5. Configuring Integration with AAA Servers (RADIUS, LDAP) 6. Review of Logging December 30, / 8

4 Module 3: Connection Profile and Group Policy Configuration This module provides an understanding of the fundamental policy assignments applied by the ASA when a remote user connects to the VPN. The module investigates the use of group policies by configuring bookmarks that will be used for clientless WebVPN users. Upon completing this module, the learner will be able to meet these objectives: Create a new connection profile and group policies for supporting clientless and AnyConnect remote VPN users Restrict tunneling protocols Create bookmarks using plug-ins, CIFS, HTTP and HTTPS links 1. Creating Connection Profiles and Group Policies 2. Configuring Group Policy 3. Creating Bookmarks Module 4: Enhanced Clientless WebVPN Features This module provides an understanding of enhanced features for clientless VPN access. Building on the basic bookmarks covered in the previous module, this module investigates the use of plug-ins and the use of Smart Tunnels and auto-signon for single-signon access. Kerberos Constrained Delegation, as it applies to VPN authentication, is discussed. Portal customization is discussed with simple examples. Upon completing this module, the learner will be able to meet these objectives: Configure Smart Tunnels Configure Auto-Signon Configure Auto-Signon with forms-based authentication Describe Kerberos Constrained Delegation Describe portal customization options 1. Plug-ins 2. Uploading the RDP Plug-in 3. Configuring Smart Tunnels 4. Auto-signon for HTTP/S resources 5. Auto-signon for forms-based authentication 6. Kerberos Constrained Delegation 7. Microsoft extensions to KCD for VPN authentication 8. Portal customization December 30, / 8

5 Module 5: Enhanced Cisco AnyConnect Client Features This module provides an understanding of the latest Cisco AnyConnect 3.0 features including login scripts, secure mobility, trusted network detection, and always-on. The module investigates AnyConnect customization by using the profile editor in ASDM to edit and deploy policies to remote users. Upon completing this module, the learner will be able to meet these objectives: Describe the new features of the AnyConnect 3.0 Configure some of the AC 3.0 features 1. AnyConnect 3.0 Features 2. AnyConnect Secure Mobility 3. Trusted Network Detection 4. Always-on VPN 5. Login Script 6. AnyConnect Client Profile configuration 7. AnyConnect diagnostics Module 6: Cisco Secure Desktop Deployment and Prelogin Assessment This module provides an understanding of Cisco Secure Desktop and the use of Cisco Secure Desktop with dynamic access policies (DAPs). Upon completing this module, the learner will be able to meet these objectives: Install and configure Cisco Secure Desktop Configure and manage: Keystroke Logger Detection Host emulator Cache cleaner Test and troubleshoot Cisco Secure Desktop issues Install and configure Cisco Secure Desktop Cisco Secure Desktop Overview Installing and configuring Cisco Secure Desktop Configure and Manage Keystroke Logger Detection Host Emulator Cache cleaner Test and troubleshoot Cisco Secure Desktop issues December 30, / 8

6 Module 7: Dynamic Access Policies This module covers the use of dynamic access policies (DAPs) with SSL VPNs. The module defines the basic operation of DAPs and investigates Endpoint Assessment watermark checks with DAPs, by using a detailed example. Upon completing this module, the learner will be able to meet these objectives: Configure DAP Use Endpoint Assessment Policies with DAP Work with policy objects 1. Describing DAP Attributes 2. Configuring DAP 3. Using Endpoint Assessment Policies with DAP 4. Working with Policy Objects Module 8: Securing Resources with Webtype and Network ACLs This module provides an understanding of the use of Webtype ACLs and network-based ACLs. The module investigates use cases of when one would use each technology. Upon completing this module, the learner will be able to meet these objectives: Describe Webtype ACLs Configure Webtype ACLs Apply Webtype ACLs Describe Network-Based ACLs Configure Network-Based ACLs Apply Network-Based ACLs 1. Feature Overview 2. Configuring and Applying Webtype ACLs 3. Configuring and Applying Network-Based ACLs Module 9: Cisco Secure Desktop Endpoint Assessment This module provides an understanding of the distinctions between Host Scan, and the Host Scan Extensions Endpoint Assessment and Advanced Endpoint Assessment (AEA) with DAPs. The module investigates the use of watermarking using AEA and providing remediation for Anti-virus/Anti-spyware services. The module also includes a discussion surrounding firewall checks and firewall rule policy configurations. Upon completing this module, the learner will be able to meet these objectives: December 30, / 8

7 Describe the difference between the Host Scan and the Advanced Host Scan Configure the Host Scan and the Advanced Host Scan features Use these features with the Dynamic Access Policy Troubleshoot DAP-related issues 1. Configuring Cisco Secure Desktop for Advanced Host Scan 2. Configuring DAP Policy to Utilize Advanced Host Scan 3. Testing and Troubleshooting the Configuration Module 10: Certificate-Based Authentication This module covers detailed certificate authentication options for the SSL VPN. The module defines how to obtain manual user certificates using a Microsoft CA and investigates certificate templates on the CA. The module also covers the various methods of mapping remote users to connection profiles including the use of the group alias, group URL access, and certificate profile mapping. There is a review of methods of Connection Profile selection, and Group Policy selection. The module then moves from Certificate Mapping to LDAP Attribute mapping. Finally, after enumerating all these configuration options, two variations on two-factor authentication are presented. Upon completing this module, the learner will be able to meet this objective: Configure client authentication and authorization using digital certificates 1. Obtain a User Certificate 2. Configure VPN authentication with client certificates 3. Configure Connection Profile selection 4. Configure Group Policy selection 5. Configure LDAP Attribute maps for Authorization settings 6. Two-Factor Authentication Module 11: Advanced Troubleshooting This module provides the tools to allow thorough troubleshooting for clientless and client-based SSL VPNs. Upon completing this module, the learner will be able to meet this objective: Use troubleshooting tools and techniques to overcome SSL VPN problems 1. SSL VPN Troubleshooting 2. AnyConnect Troubleshooting December 30, / 8

8 3. Clientless SSL VPN Troubleshooting Module 12: Scaling SSL VPN This module provides an understanding of VPN load balancing between several ASAs. The section describes the configuration and monitoring of the load-balanced sessions. Upon completing this module, the learner will be able to meet these objectives: Configure load balancing Configure shared license 1. Introduction 2. Configuring Load Balancing 3. Monitoring 4. Verifying and Troubleshooting 5. Configuring a Shared License Lab Overview Students will work on the following labs in course. 1. Lab 1: Accessing the Lab Machines 2. Lab 2: Initializing the Cisco ASA Appliance and Preparing for PKI and AAA Support 3. Lab 3: Configuring Basic Clientless and Client-Based SSL VPNs 4. Lab 4: Enhanced Clientless WebVPN Features 5. Lab 5: Enhanced Cisco AnyConnect Client Features 6. Lab 6: Cisco Secure Desktop Deployment and Prelogin Assessment 7. Lab 7: Host Scan and DAPs 8. Lab 8: Securing Resources with Webtype ACLs 9. Lab 9: Cisco Secure Desktop Endpoint Assessment 10. Lab 10: Certificate-Based Authentication 11. Lab 11: Advanced Troubleshooting 12. Configuration Files Summary 13. Teardown and Restoration December 30, / 8