Summary of Contents for Cisco 5520 - ASA IPS Edition Bundle
Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators
Software Release 3.1.1
October 2006
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com, Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 526-4100
Text Part Number: OL-8607-02
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...
Cisco.com
Product Documentation DVD
Ordering Documentation
Documentation Feedback
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Product Alerts and Field Notices
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Submitting a Service Request
Definitions of Service Request Severity
...
Configuring Keystroke Logger for a Location 5-19
Configuring Cache Cleaner for a Location 5-22
Configuring Secure Desktop General for a Location 5-23
Configuring Secure Desktop Settings for a Location 5-25
Configuring Secure Desktop Browser for a Location 5-27
Cisco Secure Desktop Configuration Guide OL-8607-02
Networking and Firewall Questions
Does the Secure Desktop or Cache Cleaner detect a second network card for location determination?
I am using a personal firewall. What application must I “Allow” to access the network?
Contents
Index
Written for network managers and administrators, this guide describes how to install, configure, and enable Cisco Secure Desktop (CSD) on a Cisco ASA 5500 Series security appliance to provide a safe computing environment through which clients can connect from a variety of locations.
• Cisco ASA 5500 Series Hardware Installation Guide
• Migrating to ASA for VPN 3000 Concentrator Series Administrators
• Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide for the ASA 5510, ASA 5520, and ASA 5540
• Cisco Security Appliance Command Line Configuration Guide
• ...
The Product Documentation DVD is a library of technical product documentation on a portable medium. The DVD enables you to access installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the HTML documentation and some of the PDF files found on the Cisco website at this URL: http://www.cisco.com/univercd/home/home.htm...
We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field Notices. You can receive Cisco Product Alerts and Cisco Field Notices by using the Product Alert Tool on Cisco.com. This tool enables you to create a profile and choose those products for which you want to receive information.
Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• The Cisco Online Subscription Center is the website where you can sign up for a variety of Cisco e-mail newsletters and other communications. Create a profile and then select the subscriptions that you would like to receive.
About This Guide
Obtaining Additional Publications and Information
• World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html
Note You do not need to boot the security appliance after you install the CSD software.
Install or upgrade the Cisco Secure Desktop (CSD) software as follows:
Step 1 Use your Internet browser to access the following URL and download the securedesktop_asa_<n>_<n>*.pkg file to any location on your PC: ...
Installing or Upgrading the CSD Software
Figure 1-1 CSD Manager Not Installed
Step 4 Click the “Cisco Secure Desktop” link. ASDM opens the Configuration > VPN > WebVPN > CSD Setup pane (Figure 1-2).
ASDM opens the Upload Image dialog box.
Step 6 Click Browse Local to prepare to select the file on your local PC. The Select File Path dialog box displays the contents of the last local folder you accessed (Figure 1-3).
ASDM closes the Select File Path dialog box and displays the file in the Local File Path field.
Step 8 Click Browse Flash to specify the target directory for the file. The Browse Flash dialog box displays the contents of the flash card (Figure 1-4).
Step 9 ...
Step 13 ... ASDM closes the dialog box, transfers a copy of the file to the flash card, and removes the text from the fields in the Upload Image dialog box.
Step 14 Click Close.
Step 16 Click Yes unless you want to keep the previous version. ASDM closes the dialog box, revealing the installed image in the Secure Desktop Image field.
Refer to “Enabling and Disabling CSD” to continue.
F1-asa1(config-webvpn)# show disk all
-#- --length-- -----date/time------ path
  6    8543616 Nov 02 2005 08:25:36 PDM
  9    6414336 Nov 02 2005 08:49:50 cdisk.bin
 10       4634 Sep 17 2004 15:32:48 first-backup
 11       4096 Sep 21 2004 10:55:02 fsck-2451
...
CSD.
• For example:
F1-asa1(config-webvpn)# csd enable
F1-asa1(config-webvpn)#
Step 6 Enter write memory to save the running configuration. For example:
F1-asa1(config-webvpn)#
F1-asa1(config-webvpn)# write memory
Building configuration...
Cryptochecksum: 71fa1950 45b7f82f 12b4e7c1 934111bb
The CSD Setup pane opens (Figure 2-1).
Figure 2-1 CSD Setup (Enable/Disable)
The Secure Desktop Image field displays the image (and version) that is currently installed.
Note The Enable Secure Desktop check box indicates whether CSD is enabled.
Chapter 2 Enabling and Disabling CSD
Using ASDM to Enable or Disable CSD
Step 2 Check or uncheck Enable Secure Desktop and click Apply. ASDM enables or disables CSD.
Chapter 3 Introduction
The following sections describe the capabilities of Cisco Secure Desktop (CSD), introduce the Cisco Secure Desktop Manager (CSDM) interface, and describe how to save configuration changes:
• CSD Capabilities
• Navigation
• ...
DHCP-assigned IP addresses within a corporate address range connect from the Work location. After you create a location, you can configure the VPN Feature Policy, Keystroke Logger, Cache Cleaner, and Secure Desktop features for that location.
(Locations apply to Microsoft Windows users only.) As an administrator, you specify the criteria to match the client to the location. Eligible matching criteria include certificate name and authority, IP address range, and local file or registry requirements. Each location also contains a set of ...
Secure Desktop and Cache Cleaner launch only if the scan is clear, or only if you assign administrative control to the user and the user approves of the applications the scan identifies. Cisco Secure Desktop may be unable to detect every potentially malicious keystroke logger, including but not limited to hardware keystroke logging devices.
• To save the running CSD configuration to the data.xml file, click Apply All.
• To overwrite all settings in the running CSD configuration with those stored in the data.xml file, click Reset All.
Chapter 3 Introduction
Saving and Resetting the Running CSD Configuration
In addition, because it is physically impossible to ensure 100 percent removal of all data sent to a remote system, organizations may use Cisco Secure Desktop to minimize access to trusted assets.
“Insecure” location. To change the order of the evaluation, choose a location name and click Move Up or Move Down. Click Apply All to save the running CSD configuration to the flash device.
Step 1 Click the name Home in the menu on the left.
Step 2 Check Enable identification using certificate criteria.
Step 3 Complete the Issued To and Issued By fields of the certificate.
Step 4 Check Secure Desktop next to “Use Module.”
See the option descriptions in “Configuring Cache Cleaner for a Location” for more information about the settings on this pane.
Step 4 Click Secure Desktop General under “Home.” The Secure Desktop General pane appears (Figure 4-1).
The Cache Cleaner pane appears.
Step 2 Check Launch cleanup upon inactivity timeout. When checked, this option forces a timeout if the user leaves the computer without logging out.
Step 3 Set Timeout after to 5 minutes.
Step 6 Check Anti-spyware and choose the antispyware software.
Step 7 Check Firewall and choose the firewall software.
Step 8 Check OS and choose 2000 SP4, XP no SP, XP SP1, and XP SP2.
Step 9 Click OK.
Step 10 Click OK.
See the option descriptions in “Configuring a VPN Feature Policy for a Location” for more information.
Step 11 Click Apply All to save the running CSD configuration to the flash device.
See the option descriptions in “Setting Up CSD for Macintosh and Linux Clients” for more information about the settings in this window. Click Apply All to save the running CSD configuration to the flash device.
Examine the Windows Location attribute descriptions to plan a configuration that meets the security requirements of your network. Click Windows Location Settings in the menu on the left to define the location-based settings (also called adaptive policies) for CSD. Figure 5-1 shows the default settings.
PC does not match any of the configured location criteria. In the interest of security, we recommend that you do not check this option. By default, this attribute is unchecked.
By default, this attribute is unchecked.
Defining Location Criteria
To configure the settings for a location, click the location name in the menu on the left. The Identification for <Location> pane appears (Figure 5-2).
Figure 5-2 Identification for <Location>
• Cache Cleaner—Check if you want to require the Cache Cleaner to be present on the remote client as a criterion for assigning this location entry.
• Both Secure Desktop and Cache Cleaner—Leave unchecked to let CSD apply the configured feature policy.
“O” for organization unit name, and “E” for e-mail address. Type the value of one of these subordinate fields in the Issued To field on the Identification for <Location> pane to match it against the Issuer field of the certificate.
• Value in the Subject field that matches the value you specified in the “Issued By” field
• Value in the Issuer field that matches the value you specified in the “Issued To” field
Add to enter one or more IP address ranges. CSD checks the IP addresses of remote client PCs trying to connect. If a client has an address within the specified range, CSD assigns the properties of the location to the remote client.
As you do so, it becomes a double, horizontal arrow. Drag the arrow to the left or right to expose the contents of the column. Refer to the section that identifies the type of criteria you would like to configure:
• Registry Criteria
• File Criteria
Step 2 Click one radio button from the following list and assign the associated values:
• Exists—Click if the mere presence of the named registry key on the remote client PC is sufficient to match the location you are configuring.
String value menu—Choose one of the following options to specify the relationship of the String value of the registry key to the value to be entered to the right:
– contains
– differs
– matches
Step 1
• Entry Path—Enter the directory path of the file required to be present on or absent from the client system.
Note Refer to the subsequent attribute descriptions for examples of file paths.
Checksum equals to field. The Compute CRC32 Checksum dialog box opens (Figure 5-6).
Figure 5-6 Compute CRC32 Checksum
Retrieve the checksum as follows: Click Browse and choose the file on which to calculate the checksum.
Configure a group-based VPN feature-based policy as follows:
Step 1 Click VPN Feature Policy under the name of the location you are configuring in the menu on the left. The Group-Based Policy tab opens (Figure 5-7).
With this option set, CSDM dims the attributes in the Criteria area. If you click this radio button, you cannot change other settings on this tab.
The security categories are as follows:
• File access—Permits the use of the Secure Desktop to access files on a remote server.
• Port forwarding—Permits the use of the Secure Desktop to connect a client application installed on the local PC to the TCP/IP port of a peer application on a remote server.
If set, CSDM dims the attributes in the Criteria area. If you click this radio button, you cannot change other settings on this tab; your configuration of a VPN policy for this feature ends at this step.
CSDM includes two such fields, one above the Anti-Virus window and the other above the Anti-Spyware window.
Step 7 For each enabled security category you check, click one of the options or control-click multiple options.
By default, System Detection does not scan for keystroke loggers. Configure scanning for keystroke loggers as follows:
Step 1 Click Keystroke Logger under the name of the location you are configuring in the menu on the left. The Keystroke Logger window opens (Figure 5-9).
Otherwise, the user must terminate the session.
Note Unchecking this attribute deactivates but does not delete the contents of the “List of Safe Modules” window.
CSDM closes the dialog box and lists the entry in the List of Safe Modules window.
Note To remove a program from the list, click the entry in the “Path of safe modules” list, then click Delete.
Step 6 Click Apply All to save the configuration changes.
• Clean the whole cache in addition to the current session cache (IE only)—Check to remove data from the Internet Explorer cache upon activation, including files generated before the client’s CSD session began.
OK to let CSD continue processing. (The Cisco Secure Tunneling Client is not one of those applications; it is accessible on both the local desktop and the CSD.) Unchecking this attribute minimizes the potential security risk posed by a user who...
CSD from enforcing prevention of desktop switching, even if you disable this feature. You can configure both the Secure Desktop component of CSD and Cisco SSL VPN Client (SVC) to run simultaneously on client PCs. If you check this attribute, the SVC connection becomes available to both.
• Do not encrypt files on removable drives—Check to prevent the user from saving encrypted files onto portable drives while on the Secure Desktop. The Secure Desktop Manager dims this attribute if you check the previous attribute.
Deleting transparent or nontransparent files from outside of Outlook, such as from a Windows Explorer window, during a Secure Desktop session removes the file only from the Secure Desktop. Click Apply All to save the running CSD configuration.
• To modify a URL, choose it, click Edit, type the new URL in the dialog box, then click Edit.
• To remove a folder or a URL, choose it and click Delete.
Click Apply All to save the running CSD configuration.
Note ...
Chapter 5 Setting Up CSD for Microsoft Windows Clients
Configuring the Secure Desktop for Clients that Match Location Criteria
CSD environment.
• File Access—Check to let the remote user use the Secure Desktop to access files on a remote server.
Click Apply All to save the running configuration to the flash device.
Chapter 6 Setting Up CSD for Microsoft Windows CE Clients
The Mac and Linux Cache Cleaner pane appears (Figure 7-1).
Figure 7-1 Cache Cleaner — Mac and Linux Cache Cleaner
Note This pane lets you configure both the Cache Cleaner and VPN feature policy for all Mac and Linux clients.
• Port Forwarding—Check to permit the use of the Secure Desktop to connect a client application installed on the local PC to the TCP/IP port of a peer application on a remote server.
Click Apply All to save the running configuration to the flash device.
When you modify the settings in the Secure Desktop Manager, you must deploy those settings by clicking the Apply All button in CSDM. The settings take effect the next time that a user starts either the Cache Cleaner application or the Secure Desktop application.
Vault or erases it from the disk. Also, CSD uninstalls the Secure Desktop software if you configure it to do so.
Do Macintosh and Linux have a timeout setting?
Yes, you can set a time-out for the Macintosh & Linux Cache Cleaner.
Once you have downloaded and installed the Secure Desktop, it appears as an entry in the Start menu. Users who want to reuse the Vault can click Start > Programs > Cisco Secure Desktop and enter the password with which they protected the Vault.
– Anonymizer AntiSpyware
– ...
Which personal firewall applications does System Detection support?
The personal firewall applications that System Detection checks for include:
– Cisco Security Agent (4.0 to 4.5)
– Internet Connection Firewall (ICF) (Windows XP to XP SP2)
– ...
No, they detect only the IP address of the first network card.
I am using a personal firewall. What application must I “Allow” to access the network?
You must allow the program main.exe to access the network.
Index