Remote Access

Using VPN technology, employees can essentially take their office with them, including access to emails and network applications. VPNs can also allow contractors and partners to have limited access to the specific servers, web pages, or files required. This network access allows them to contribute to business productivity without compromising network security.

There are two primary methods for deploying remote-access VPNs:

  • Secure Sockets Layer (SSL)
    SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers. To be able to create an SSL connection, a web server requires an SSL Certificate. When you choose to activate SSL on your web server, you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys – a Private Key and a Public Key. The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) – a data file that also contains your details. You then submit the CSR to a Certification Authority. During the SSL Certificate application process, the Certification Authority validates your details and issues an SSL Certificate containing your details and allowing you to use SSL. Your web server matches the issued SSL Certificate to your Private Key and can then establish an encrypted link between the website and your customer’s web browser.

    The complexities of the SSL protocol remain invisible to your customers. Instead, their browsers provide a key indicator that they are currently protected by an SSL-encrypted session: the lock icon in the lower right-hand corner. Clicking the lock icon displays your SSL Certificate and its details. All SSL Certificates are issued to either companies or legally accountable individuals.

    More: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-services-tech/342-cisco-web-vpn.html

  • IP Security (IPsec)
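The key, CSR, issuance and key-matching steps described under SSL above, walked through with the openssl CLI as an added example (not material from the original notes; modern deployments negotiate TLS, but the certificate steps are the same). It assumes openssl is installed; the lab CA, the host name vpn.example.test and the organisation name are constructed for the demo.

```shell
# Added example, not the page's own material: the certificate steps the SSL
# section describes, done with the openssl CLI (assumed installed). The CA,
# the host name vpn.example.test and the organisation are constructed.
set -e
WORK="$(mktemp -d)"

# Step 1: a stand-in Certification Authority. In production this is an
# external or enterprise CA, not a key kept on the VPN head-end.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Lab CA (constructed)" >/dev/null 2>&1
}

# Step 2: the server creates its key pair and a CSR carrying the public key
# plus its identity details. The private key stays on the server.
make_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=vpn.example.test/O=Example Org (constructed)" >/dev/null 2>&1
}

# Step 3: the CA validates the request and issues the certificate.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -sha256 \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Step 4a: a client only trusts the certificate if it chains to a known CA.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Step 4b: "match the issued certificate to the private key" means the public
# key inside the certificate equals the one derived from the private key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout | openssl sha256; }

key_matches_cert() {
  [ "$(pubkey_of_cert "$WORK/server.crt")" = "$(pubkey_of_key "$1")" ]
}

run_lifecycle() { make_ca && make_csr && sign_csr && verify_chain; }

# Failure mode: an unrelated private key must fail the same check.
make_wrong_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" >/dev/null 2>&1
}
```

Run `run_lifecycle` first, then `key_matches_cert "$WORK/server.key"` succeeds while `key_matches_cert "$WORK/other.key"` (after `make_wrong_key`) fails, which is the mismatch a server operator hits when the wrong key is installed beside a valid certificate.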

The type of VPN method implemented is based on the access requirements of the users and the organization’s IT processes.

Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. SSL VPNs offer such features as easy connectivity from non-company-managed desktops, little or no desktop software maintenance, and user-customized web portals upon login.

IPsec remote access:

The Cisco Easy VPN solution feature offers flexibility, scalability, and ease of use for both site-to-site and remote access IPsec VPNs. The Cisco Easy VPN solution consists of three components:

  • Cisco Easy VPN Server – A Cisco IOS router or Cisco ASA Firewall acting as the VPN head-end device in site-to-site or remote-access VPNs.
  • Cisco Easy VPN Remote – A Cisco IOS router or Cisco ASA Firewall acting as a remote VPN client.
  • Cisco VPN Client – An application supported on a PC used to access a Cisco VPN server.

Using the Cisco Easy VPN server makes it possible for mobile and remote workers using a VPN Client on their PCs, or using Cisco Easy VPN Remote on an edge router, to create secure IPsec tunnels to access their headquarters’ intranet, as shown in the figure.

Cisco SSL

Features and benefits:

  • Web-based, clientless access and complete network access without preinstalled desktop software. This facilitates customized remote access based on user and security requirements, and it minimizes desktop support costs.
  • Protection against viruses, worms, spyware, and hackers on a VPN connection by integrating network and endpoint security in the Cisco SSL VPN platform. This reduces cost and management complexity by eliminating the need for additional security equipment and management infrastructure.
  • Use of a single device for both SSL VPN and IPsec VPN. This reduces cost and management complexity by facilitating robust remote access and site-to-site VPN services from a single platform with unified management.

Cisco IOS SSL VPN is a technology that provides remote access by using a web browser and the web browser’s native SSL encryption. Alternatively, it can provide remote access using the Cisco AnyConnect Secure Mobility Client software.

The Cisco ASA provides two main deployment modes that are found in Cisco SSL VPN solutions:

  • Cisco AnyConnect Secure Mobility Client with SSL – Requires the Cisco AnyConnect Client
  • Cisco Secure Mobility Clientless SSL VPN – Requires an internet browser

The Cisco ASA must be configured to support the SSL VPN connection.

Cisco AnyConnect Secure Mobility Client with SSL

Client-based SSL VPNs provide authenticated users with LAN-like, full network access to corporate resources. However, the remote devices require a client application, such as the Cisco VPN Client or the newer AnyConnect client, to be installed on the end-user device.

In a basic Cisco ASA configured for full tunneling and a remote access SSL VPN solution, remote users use the Cisco AnyConnect Secure Mobility Client to establish an SSL tunnel with the Cisco ASA. After the Cisco ASA establishes the VPN with the remote user, the remote user can forward IP traffic into the SSL tunnel. The Cisco AnyConnect Secure Mobility Client creates a virtual network interface to provide this functionality. The client can use any application to access any resource, subject to access rules, behind the Cisco ASA VPN gateway.

Cisco Secure Mobility Clientless SSL VPN

The clientless SSL VPN deployment model enables corporations to provide access to corporate resources even when the remote device is not corporately managed. In this deployment model, the Cisco ASA acts as a proxy to network resources. It provides a web portal interface for remote devices to navigate the network using port-forwarding capabilities.

In a basic Cisco ASA clientless SSL VPN solution, remote users employ a standard web browser to establish an SSL session with the Cisco ASA. The Cisco ASA presents the user with a web portal over which the user can access internal resources. In the basic clientless solution, the user can access only some services, such as internal web applications and browser-based file-sharing resources.

Compare IPsec and SSL

IPsec exceeds SSL in many significant ways:

  • Number of applications that are supported
  • Strength of encryption
  • Strength of authentication
  • Overall security