Note: This description is based on a Cisco ASA 5510 running version 9.1(4) and ASDM version 7.1(5)100. I have already written about this topic in the fifth part of this series, but a lot has changed since then; this description is more detailed and focuses primarily on SSL VPN.
The main official documentation on this topic is the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.6. More about DAP can be found in Configuring Dynamic Access Policies and Dynamic Access Policies (DAP); the article DAP Advanced Functions Configuration Example is also worth reading.
If we have purchased the AnyConnect Premium license, it also gives us Clientless SSL VPN and Cisco Secure Desktop (CSD, which bundles several more or less independent functions, including Host Scan). On November 20, 2012, Cisco announced the deprecation of the Secure Desktop (Vault), Cache Cleaner, Host Emulation Detection and Keystroke Logger Detection features, so of CSD only Host Scan remains for us. The other features can still be used for now (until they are removed in a future release), but Secure Desktop, for example, has not been developed for a long time, so its last supported OS is 32-bit Windows 7. The official announcement is the Feature Deprecation Notice for Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection.

Cisco Secure Desktop and Host Scan
As mentioned, many features are collectively referred to as Cisco Secure Desktop (CSD), but only Host Scan is likely to remain. Since CSD 3.6 the HostScan package has been separated into a shared component, so it can be installed together with CSD, as part of the full AnyConnect client image, or standalone. Installing the standalone package is recommended, because it is released more frequently than CSD. For example, the latest CSD version is 3.6.6249 (from 5/8/2013), which bundles HostScan 3.1.03104 (from 4/29/2013), whereas the standalone HostScan is 3.1.05152 (from 12/19/2013). This matches the version of the AnyConnect client, which is also 3.1.05152 (from 12/19/2013). The CSD settings are found in the Cisco Secure Desktop Manager (CSDM) interface, which is part of ASDM; the version it displays is the Host Scan version.
Host Scan is supported on various Windows versions (including 64-bit Windows 8.1), Mac OS X and a few Linux distributions. More information is in the Release Notes for Cisco Secure Desktop, Release 3.6. The entire CSD configuration on the ASA is stored in disk0:/sdesktop/data.xml.

Application/Enabling CSD
The CSD features work for Clientless SSL VPN and for connections using the AnyConnect client. When we enable CSD, it is enabled globally and applies to all Clientless SSL VPN and AnyConnect connections. This is because some checks are performed before the actual login (pre-login) and can prevent the login dialog from being displayed at all. The only way to disable it for a specific AnyConnect Connection Profile is to give the profile a Group URL (the exception then applies only to connections that come in through that URL) and check the following option on the profile:
Do not run Cisco Secure Desktop (CSD) on client machine when using group URLs defined above to access the ASA. (If a client connects using a connection alias, this setting is ignored.)

Prelogin Policy
CSD also includes a Prelogin Policy (Prelogin Assessment), which is evaluated immediately after the connection is established and the current HostScan version has been downloaded. Prelogin checks can test registry keys, files, certificates (only existence and a given attribute are checked, not validity), the OS version (not very granular) and IPv4/IPv6 addresses or ranges. If the Prelogin Policy requirements are not met, a rejection message is displayed and the connection is terminated. Otherwise a Prelogin Policy with a given name is assigned and applied (within it we can define functions that are now all deprecated).

Endpoint Assessment
Endpoint Assessment, which is a HostScan function, collects information about antivirus, firewall and antispyware products. When enabled, a large number of products (literally hundreds) are detected automatically, including the date of their last update. If we have the Advanced Endpoint Assessment license (L-ASA-ADV-END-SEC=, priced at more than 15,000 crowns), it can also attempt to remediate deficiencies (enable the product, update definitions, adjust firewall settings). The Endpoint Assessment data is collected before login, but we use it after login through Dynamic Access Policies (DAP).
Only after these checks does user authentication take place. Then the DAP is applied and can use the information from HostScan; at this stage the login can be denied or certain attributes can be set.

Host Scan
HostScan consists of several modules: Basic HostScan, Endpoint Assessment and Advanced Endpoint Assessment. If HostScan/CSD or Secure Desktop is enabled, the OS and its Service Pack, listening ports (on Windows), CSD components and installed MS KB updates are identified on the client automatically. With Basic HostScan we can additionally have it look for a specific process, file or registry key; the purpose is to distinguish corporate computers from private or public ones. With Endpoint Assessment we can also detect antivirus, firewall and antispyware products.

Using CSD on the client
If CSD is enabled, then after connecting with the AnyConnect client the HostScan version bundled with the client is compared with the one on the ASA and, if necessary, the server's version is downloaded. The AnyConnect client then performs the configured detections and checks and sends the collected data to the ASA.
If we connect to the Clientless SSL VPN through a browser, ActiveX or Java is used after the session is established: CSD (the cstub.exe file) is downloaded and run, performs the detections and checks, and sends the data to the ASA. CSD/HostScan should work even without administrative privileges.

Integration of CSD (HostScan) with DAP
The fact that HostScan detects a certain parameter does nothing by itself. Only the Prelogin Assessment can prevent the login dialog from appearing. HostScan merely provides data and it is up to us to use it; the only place to do so is Dynamic Access Policies (DAP). Keep in mind that all of this data is collected by software running on the endpoint, so it is a posture signal rather than a hard security boundary.
We can create DAP policies that are assigned to a connection based on the values of one or more endpoint attributes, alone or in combination with AAA attributes. From CSD we can use OS detection, the CSD prelogin policy name, Basic HostScan results and Endpoint Assessment results. Alternatively, we can write the condition as a free-form Lua expression under Advanced - Logical Expressions. In the policy we then set the access and authorization attributes.

HostScan is always tied to CSD, but in the CSD Prelogin Policy we can uncheck Secure Desktop and Cache Cleaner, and then only HostScan is used.

Practical configuration
Configuration > Remote Access VPN > Host Scan Image
To use the CSD features, we need to select a CSD image, a HostScan image, or both. Here we select the HostScan image from the ASA flash memory, install a new one (downloaded from Cisco Download) or uninstall it (which also clears the image selection in the configuration). Example: disk0:/hostscan_3.1.05152-k9.pkg.
There is also an Enable Host Scan/CSD checkbox, which enables CSD (and therefore Host Scan). After Apply it takes effect immediately for all AnyConnect and Clientless connections. Once enabled, the remaining configuration options appear in ASDM.
Configuration > Remote Access VPN > Secure Desktop Manager > Setup
Here we can select the CSD image; the options are the same as for the Host Scan image. If we don't want to use Secure Desktop, we can set up Host Scan alone. Example: disk0:/csd_3.6.6249-k9.pkg.
There is also an Enable Secure Desktop checkbox, which behaves the same as Enable Host Scan/CSD.
Configuration > Remote Access VPN > Secure Desktop Manager > Global Settings
Here we only choose logging options.
Configuration > Remote Access VPN > Secure Desktop Manager > Prelogin Policy
This is where the graphical designer for creating the decision tree is located. We can set various checks that will be performed before login and use them to assign a certain Prelogin Policy or deny login.
Under Prelogin Policy are the created policies; there is at least one, initially called Default. Directly on it we enable Cache Cleaner and possibly Secure Desktop (Vault), and then define their parameters. If we enable neither, the policy itself does nothing (but we can still use its name as a criterion in DAP).
Configuration > Remote Access VPN > Secure Desktop Manager > Host Scan
We have already described the Host Scan options; here we configure all of their properties. In the Basic Host Scan section we can add detection of specific files, registry keys or processes (each entry gets an Endpoint ID, which is what we later reference in DAP). In the Host Scan Extensions section we can enable an extension; by default we have Endpoint Assessment ver 3.6.8133.2.
Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies
DAP policies are applied last in the VPN login process, so they can override values set elsewhere, for example in the Group Policy. There is always a default policy, DfltAccessPolicy, which is used when no other DAP matches; it therefore has no selection criteria and sits last in the list. If we create policies that allow access (and check certain conditions in them), we must not forget to set the default policy to block access (Action: Terminate). Of course we can also do the reverse: allow by default and pick the situations in which we block. We must also remember that DAP applies to all types of Remote Access VPN.
When creating a new policy, we first define when it applies (Selection Criteria). We can use many attributes from AAA (such as the Group Policy in use, the Connection Profile, the IP address, the username, or any RADIUS or LDAP attribute), from Endpoint (the properties collected by CSD), or a Logical Expression. Then we define what should be set, i.e. the Access/Authorization Policy Attributes: the action (Continue, Quarantine, Terminate) and the message displayed to the user, the ACLs to apply, the access method (AnyConnect, Web-portal), and enabling or disabling of individual Clientless SSL VPN features.
Note: The Quarantine action applies a special restrictive ACL to the client, so that it can reach only certain services and remedy its state. This feature requires Advanced Endpoint Assessment (and therefore the corresponding license).
Each policy has a priority. When a session is created, the selection criteria of every record are evaluated, all records that match are selected, and their attributes are aggregated into one resulting policy; the priority value determines the order in which attributes (such as ACLs) from several matching records are merged. If the matching records specify different actions, the most restrictive one wins (Terminate over Quarantine over Continue).
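As an added example of a free-form condition of the kind entered under Advanced - Logical Expressions (this is not configuration from the original article, and it also illustrates the DAP selection criteria described above): the expression selects the DAP record only when the session passed the prelogin policy named Corporate, Host Scan found an antivirus whose definitions were updated within the last 7 days, and the LDAP memberOf attribute (which may be multi-valued) contains the VPN users group. The functions EVAL and CheckAndMsg and the attributes endpoint.policy.location, endpoint.av[...] and aaa.ldap.memberOf are from Cisco's DAP Lua reference; the policy name Corporate, the product ID McAfeeAV, the 7-day threshold and the group DN are assumptions made for this example.

```lua
-- Added example DAP logical expression (not from the original article).
-- The Logical Expressions field expects a single boolean expression, which
-- is what the outer parentheses enclose. Assumed values: prelogin policy
-- "Corporate", antivirus product ID "McAfeeAV", 7-day freshness limit and
-- the group DN below.
(
  -- 1. The host passed the prelogin checks that lead to the "Corporate" policy.
  EVAL(endpoint.policy.location, "EQ", "Corporate", "string")

  and

  -- 2. Endpoint Assessment found the antivirus and its definitions are recent.
  --    lastupdate is reported in seconds since the last signature update;
  --    604800 s = 7 days. CheckAndMsg returns the wrapped condition and
  --    attaches the first message when it is true, the second when false.
  CheckAndMsg(
    EVAL(endpoint.av["McAfeeAV"].exists, "EQ", "true", "string")
      and EVAL(endpoint.av["McAfeeAV"].lastupdate, "LT", "604800", "integer"),
    "Antivirus found with current definitions.",
    "Antivirus missing or definitions older than 7 days.")

  and

  -- 3. The user is a member of the VPN group. memberOf arrives as a string
  --    when the user is in one group and as a table when in several, so both
  --    cases are handled; plain=true makes string.find treat the DN literally
  --    instead of as a Lua pattern.
  assert(function()
    local wanted = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
    local groups = aaa.ldap.memberOf
    if type(groups) == "string" then
      return string.find(groups, wanted, 1, true) ~= nil
    elseif type(groups) == "table" then
      for _, dn in pairs(groups) do
        if string.find(dn, wanted, 1, true) ~= nil then
          return true
        end
      end
    end
    return false
  end)()
)
```

Lua's and short-circuits, so the LDAP lookup only runs for hosts that already satisfied the Host Scan criteria. Because the expression is evaluated per session with attribute values supplied by the ASA, the most practical way to check it is to feed the same endpoint and AAA values into the Test Dynamic Access Policies button and confirm that the record is selected in exactly the intended cases.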
At the bottom of the page is the Test Dynamic Access Policies button. We enter the attribute values and get as output which policies would match in that situation and how they would be applied.