SSL Remote Access VPNs Jazib Frahim, CCIE No. 5459 Qiang Huang, CCIE No. 4937 Cisco Press Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA ii SSL Remote Access VPNs Jazib Frahim, Qiang Huang Copyright© 2008 Cisco Systems, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without writ- ten permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America First Printing June 2008 Library of Congress Catalog Card Number: 2005923483 ISBN-13: 978-1-58705-242-2 ISBN-10: 1-58705-242-3 Warning and Disclaimer This book is designed to provide information about the Secure Socket Layer (SSL) Virtual Private Network (VPN) technology on Cisco products. Every effort has been made to make this book as complete and as accurate as possi- ble, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc. Trademark Acknowledgments All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capital- ized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Corporate and Government Sales The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 [email protected] For sales outside the United States, please contact: International Sales [email protected] iii Feedback Information At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance. Publisher Paul Boger Associate Publisher Dave Dusthimer Cisco Press Program Manager Jeff Brady Executive Editor Brett Bartow Managing Editor Patrick Kanouse Development Editor Betsey Henkels Senior Project Editor Tonya Simpson Copy Editor Written Elegance, Inc. Technical Editors Pete Davis, Dave Garneau Editorial Assistant Vanessa Evans Book Designer Louisa Adair Composition Mark Shirar Indexer Heather McNeil Proofreader Sheri Cain iv About the Authors Jazib Frahim, CCIE No. 5459, has been with Cisco for more than nine years. Having a bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technologies. He is currently working as a technical leader in the Worldwide Security Services Practice of Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has been an active member on the Cisco online forum NetPro. He has presented at Net- workers on multiple occasions and has taught many on-site and online courses to Cisco customers, part- ners, and employees. He has recently received his master of business administration (MBA) degree from North Carolina State University. He is also an author of the following Cisco Press books: Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance. Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Systems Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for Cisco market- leading modular Ethernet switching platforms. He has been with Cisco for almost ten years. During his time at Cisco, Qiang played an important role in a number of technology groups including the follow- ing: technical lead in the Cisco TAC security and VPN team, where he was responsible for troubleshoot- ing complicated customer deployments in security and VPN solutions; a security consulting engineer in the Cisco Advanced Service Group, providing security posture assessment and consulting services to customers; a technical marketing engineer focusing on competitive analysis and market intelligence in network security with specialization in the emerging SSL VPN technology. Qiang has extensive knowl- edge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP dial. He is also one of the contributing authors of Internetworking Technologies Handbook,Fourth Edition. Qiang received a master’s degree in electrical engineering from Colorado State University. v About the Technical Reviewers Pete Davis has been working with computers and networks since he was able to walk. By age 15, he was one of the youngest professional network engineers and one of the first employees at an Internet service provider. Pete implemented and maintained the systems and networks behind New England’s largest consumer Internet service provider, TIAC (The Internet Access Company). In 1997, Pete joined Shiva Corporation as a product specialist. Since 1998, Pete has been with Altiga Networks, a VPN con- centrator manufacturer in Franklin, Massachusetts, that was acquired by Cisco on March 29, 2000. As product line manager, Pete is responsible for driving new VPN-related products and features. Dave Garneau is principal consultant and senior technical instructor at The Radix Group, Ltd., a con- sulting and training company based in Henderson, Nevada, and focusing on network security. As a con- sultant, he specializes in Cisco network security (including IronPort, now part of Cisco) and VPN technologies (both IPsec and SSL VPN). As an instructor, he has trained more than 2500 people in eight countries to earn certifications throughout the Cisco and IronPort certification programs. He has written lab guides used worldwide by authorized Cisco Learning Partners, as well as publishing papers related to network security. Dave holds the following certifications: CCSP, CCNP, CCDP, CCSI, CCNA, CCDA, ICSP, ICSI, and CNE. vi Dedications Jazib Frahim: I would like to dedicate this book to my lovely wife, Sadaf, who has patiently put up with me during the writing process. I would also like to dedicate this book to my parents, Frahim and Perveen, who support and encourage me in all my endeavors. Finally, I would like to thank my siblings, including my brother Shazib and sisters Erum and Sana, sister-in-law Asiya, my cute nephew Shayan, and my adorable nieces Shiza and Alisha. Thank you for your patience and understanding during the development of this book. Qiang Huang: I would like to dedicate this book to my parents, who always taught me to make better use of my free time, and to my wife for her patience and support of this project. vii Acknowledgments Wewould like to thank the technical editors, Pete Davis and David Garneau, for their time and technical expertise. They verified our work and provided recommendations on how to improve the quality of this manuscript. We would also like to thank Vincent Shan, Andy Qin, James Fu, and Awair Waheed from the Cisco Security Technical Group for their help and guidance. We also recognize Saddat Malik for providing content source for several figures in Chapter 2. Special thanks go to Scott Enicke and Aun Raza for reviewing this book prior to final editing. We would like to thank the Cisco Press team, especially Brett Bartow and Betsey Henkels, for their patience, guidance, and consideration. Their efforts are greatly appreciated. Many thanks to our managers, Ken Cavanagh, Raj Gulani, and Hasan Siraj, for their continuous support throughout this project. Finally, we would like to acknowledge the Cisco TAC. Some of the best and brightest minds in the net- working industry work there, supporting our Cisco customers often under very stressful conditions and working miracles daily. They are truly unsung heroes, and we are all honored to have had the privilege of working side by side with them in the trenches of the TAC. viii ix Contents at a Glance Introduction xviii Chapter 1 Introduction to Remote Access VPN Technologies 3 Chapter 2 SSL VPN Technology 17 Chapter 3 SSL VPN Design Considerations 63 Chapter 4 Cisco SSL VPN Family of Products 85 Chapter 5 SSL VPNs on Cisco ASA 93 Chapter 6 SSL VPNs on Cisco IOS Routers 223 Chapter 7 Management of SSL VPNs 313 Index 332