CSD - Cisco Secure Desktop
anytime, anywhere VPN security concerns
- Who owns the PC
- Is the PC properly secured
- Is it malware-infected
- Are passwords protected
- Cached webpages and downloaded files
Cisco Secure Desktop security features
- Cross-platform: Windows, Mac, Linux
- Prelogin assessment *
- Host Scan
- Secure Session *
- Cache Cleaner
- Keystroke Logger Detection *
*Windows only feature
Host Scan
looks for a watermark on the VPN client,
- a Registry value
- a certain file in a certain place
- a certificate
Secure Session
- Creates a secure workspace (Virtual Desktop) or partition for the session
- All corporate files and data are stored in the secure desktop
- Once the user logs out, the secure partition is wiped
Cache Cleaner
- Alternative to Secure Session
- Larger OS and web browser support
- Eliminates browser cache information at session end
- Passwords
- Autocomplete information
- browser file cache
- browser configuration modifications
Keystroke logger / Advanced Endpoint Protection
- Allows you to deny access if a keystroke logger or host emulation is detected
- checks at the beginning and during the VPN session
- User is also notified of the keystroke logging application
- advanced endpoint protection
- Checks Antivirus software
- Checks firewall software
- Checks anti-spyware software
- Costs more money to automatically fix the issue
CSD Process
- User connects to the ASA via SSL
- Operating System detection module runs
- Pre-login assessment module runs
- If the host passes the pre-login assessment, CSD runs
- Keystroke logger/host emulation detection runs
- secure session/cache cleaner runs
- User authenticates to the VPN session
- Dynamic access policy applied
- Active VPN session
- VPN termination, session cleanup

The Cisco Secure Desktop package file needs to be uploaded to the ASA. Once the ASA is restarted, all the options will be available and CSD can be enabled.

Prelogin Policy
The prelogin policy is configured as a flow chart; this selects which policy is applied to the client, or whether access is denied.

Creating a new policy

Adding additional checks

The action can be set as a subsequence to make complex policies easier to read.
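To make the prelogin flow chart, subsequences and the Secure Session / Cache Cleaner fallback concrete, here is an added example (my own Python model, not Cisco code and not how the ASA stores its policy). Endpoint facts, the watermark values and the policy names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

Endpoint = Dict[str, object]  # posture facts the prelogin assessment reports (constructed)
DENY = "DENY"

@dataclass
class Node:
    """One flow-chart decision; each branch is a terminal (policy name or DENY) or
    another Node, so a Cisco-style subsequence is just a named Node reached this way."""
    label: str
    check: Callable[[Endpoint], bool]
    on_pass: Union[str, "Node"]
    on_fail: Union[str, "Node"]

def evaluate(node: Union[str, Node], ep: Endpoint) -> Tuple[str, List[str]]:
    """Walk the chart to a terminal and record the path taken (handy for auditing)."""
    trail: List[str] = []
    while isinstance(node, Node):
        ok = node.check(ep)
        trail.append(f"{node.label}:{'pass' if ok else 'fail'}")
        node = node.on_pass if ok else node.on_fail
    return node, trail

def has_watermark(ep: Endpoint) -> bool:
    """The three Host Scan watermark types from the notes (all values constructed)."""
    return (ep.get("registry", {}).get(r"HKLM\SOFTWARE\ExampleCorp\Managed") == "1"
            or r"C:\ProgramData\ExampleCorp\watermark.txt" in ep.get("files", [])
            or "ExampleCorp Device CA" in ep.get("cert_issuers", []))

# Subsequence for watermarked hosts: a detected keystroke logger denies access.
CORPORATE = Node("keylogger", lambda ep: not ep.get("keylogger_detected", False),
                 on_pass="Corporate", on_fail=DENY)
# Top level: unmanaged hosts on a supported OS get Guest; unknown platforms are denied.
CHART = Node("watermark", has_watermark, on_pass=CORPORATE,
             on_fail=Node("supported_os", lambda ep: ep.get("os") in {"Windows", "Mac", "Linux"},
                          on_pass="Guest", on_fail=DENY))

def session_module(policy: str, ep: Endpoint) -> str:
    """Secure Session for Corporate, but it is Windows-only: other OSes fall back to Cache Cleaner."""
    if policy == "Corporate" and ep.get("os") == "Windows":
        return "SecureSession"
    return "CacheCleaner"

def prelogin(ep: Endpoint) -> Tuple[str, str, List[str]]:
    """Return (policy, session module or 'none', decision trail) for one connecting host."""
    policy, trail = evaluate(CHART, ep)
    return policy, ("none" if policy == DENY else session_module(policy, ep)), trail
```

The trail returned by `prelogin` is the part worth logging on a real deployment: it shows which check routed a host to a policy or to a denial.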

Cisco Secure Client can't be configured from the command line, only in ASDM.
There are only two lines for CSD in the running config.

All of the configuration is stored as XML in the file /sdesktop/data.xml.

Secure Desktop Configuration

If Secure Desktop is selected and the client is not compatible, then Cache Cleaner is used.
Secure Desktop General

Secure Desktop Settings

Secure Desktop Browser

Keystroke Logger

Cache Cleaner

Secure Desktop Customization
The background wallpaper and images on message boxes can be replaced with custom images.

Host Scan

This is similar to checks that can be added to the Prelogin policy, but these are continually checked during the VPN session.

Dynamic Access Policy

AAA Attribute to match the AnyConnect VPN Profile

Action to be taken on matching

Client Connection
When connecting to the ASA, Secure Desktop starts installing before the login.