Cisco 5520 - ASA IPS Edition Bundle, Cisco Secure Desktop Configuration Manual

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Cisco Secure Desktop Configuration Guide
for Cisco ASA 5500 Series Administrators
Software Release 3.1.1 October 2006
Text Part Number: OL-8607-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Secure Desktop Configuration Guide
© 2006 Cisco Systems, Inc. All rights reserved.
CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0609R)
iii
Cisco Secure Desktop Configuration Guide
OL-8607-02
CONTENTS
About This Guide vii
Audience and Scope vii
Organization and Use vii
Conventions viii
Related Documentation viii
Obtaining Documentation ix
Cisco.com ix
Product Documentation DVD ix
Ordering Documentation ix
Documentation Feedback x
Cisco Product Security Overview x
Reporting Security Problems in Cisco Products x
Product Alerts and Field Notices xi
Obtaining Technical Assistance xi
Cisco Technical Support & Documentation Website xi
Submitting a Service Request xii
Definitions of Service Request Severity xii
Obtaining Additional Publications and Information xiii
CHAPTER
1 Installing or Upgrading the CSD Software 1-1
CHAPTER
2 Enabling and Disabling CSD 2-1
Using CLI to Enable or Disable CSD 2-1
Using ASDM to Enable or Disable CSD 2-3
CHAPTER
3 Introduction 3-1
CSD Capabilities 3-1
Navigation 3-2
Saving and Resetting the Running CSD Configuration 3-5
CHAPTER
4 Tutorial 4-1
Step One: Define Windows Locations 4-1
Step Two: Define Windows Location Identification 4-3
Work 4-3
Home 4-3
Insecure 4-4
Step Three: Configure Windows Location Modules 4-4
Work 4-4
Home 4-4
Insecure 4-5
Step Four: Configure Windows Location Features 4-6
Work 4-6
Home 4-6
Insecure 4-7
Step Five: Configure Windows CE Features 4-8
Step Six: Configure Macintosh and Linux Features 4-8
CHAPTER
5 Setting Up CSD for Microsoft Windows Clients 5-1
Creating Windows Locations 5-1
Defining Location Criteria 5-3
Location Module 5-4
Certificate Criteria 5-5
Using a Certificate File to Specify Certificate Criteria 5-5
Using a Signed File to Specify Certificate Criteria 5-6
Using the Certificates in Your Store to Specify Certificate Criteria 5-7
IP Criteria 5-7
Registry and File Criteria 5-8
Registry Criteria 5-9
File Criteria 5-11
Configuring the Secure Desktop for Clients that Match Location Criteria 5-13
Configuring a VPN Feature Policy for a Location 5-13
Configuring a Group-based Policy for a Location 5-13
Configuring Web Browsing, File Access, Port Forwarding, and Full Tunneling VPN Policies for a Location 5-16
Configuring Keystroke Logger for a Location 5-19
Configuring Cache Cleaner for a Location 5-22
Configuring Secure Desktop General for a Location 5-23
Configuring Secure Desktop Settings for a Location 5-25
Configuring Secure Desktop Browser for a Location 5-27
CHAPTER
6 Setting Up CSD for Microsoft Windows CE Clients 6-1
CHAPTER
7 Setting Up CSD for Macintosh and Linux Clients 7-1
APPENDIX
A Frequently Asked Questions A-1
General Questions A-1
Can I use Fast User Switching on Windows XP? A-1
Which Java Virtual Machine is used by the Secure Desktop and the Cache Cleaner? A-1
When do modified settings apply to the Cache Cleaner and the Secure Desktop? A-1
Do I need Administrator privileges to use the CSD features? A-2
Does the Secure Desktop Manager support Japanese character encodings? A-2
What does transparent handling of e-mail applications mean? A-2
Which applications does the Secure Desktop handle transparently? A-2
Timeout Questions A-2
How does the timeout setting work on the Secure Desktop? A-2
Do Macintosh and Linux have a timeout setting? A-2
Vault and Secure Desktop Questions A-3
Does Secure Desktop completely eliminate the risk that data will be left behind on a system? A-3
Can I use uninstallation and Vault reuse with the Secure Desktop? A-3
If I enable Vault reuse, how large is the download the second time? A-3
How does an end user use the Vault after downloading it the first time? A-3
Can I run multiple Secure Desktops at the same time? A-3
System Detection Questions A-3
Can CSD detect all keystroke loggers? A-3
For System Detection, what is the AND/OR relationship among the various settings? A-4
Which antivirus applications does System Detection support? A-4
Which antispyware applications does System Detection support? A-4
Which personal firewall applications does System Detection support? A-4
Which personal operating systems does System Detection support? A-5
Security Questions A-5
What security settings do I need to set on user computers? A-5
What kind of encryption do the Secure Desktop and Cache Cleaner use? A-6
How long can the password be for Vault reuse? A-6
What happens when the cache is cleaned, either by the Cache Cleaner or the Secure Desktop? A-6
Networking and Firewall Questions A-6
Does the Secure Desktop or Cache Cleaner detect a second network card for location determination? A-6
I am using a personal firewall. What application must I “Allow” to access the network? A-6
INDEX
About This Guide
Refer to the following sections to understand the audience, topics, and conventions in this guide, and the titles of related documents. Subsequent sections describe how to obtain documentation, provide feedback, learn about Cisco product security, report security problems, and obtain technical assistance.
Audience and Scope
Written for network managers and administrators, this guide describes how to install, configure, and enable Cisco Secure Desktop (CSD) on a Cisco ASA 5500 Series security appliance to provide a safe computing environment through which clients can connect from a variety of locations.
This guide describes how to specify the types of locations from which Microsoft® Windows users connect, the criteria used to identify those locations, and the access rights and restrictions to assign to clients that match the location criteria. It also describes how to configure features to support Windows CE, Macintosh, and Linux clients.
Organization and Use
Table 1 describes the contents of this guide.
Table 1 Document Organization
Topic - Purpose
Installing or Upgrading the CSD Software - Describes how to obtain the CSD software, and install or upgrade it.
Enabling and Disabling CSD - Describes how to enable or disable remote client access to CSD.
Introduction - Describes CSD capabilities, how to access the Secure Desktop Manager (the browser-enabled interface for CSD administrators), how to navigate the Secure Desktop Manager, and how to save configuration changes.
Tutorial - Steps you through an example configuration to provide an overview of how to deploy CSD, and introduces you to the security decisions that you need to make to best accommodate your users and secure your network.
Conventions
This document uses the following conventions:
Boldface indicates commands and keywords that you enter literally as shown, menu options you choose, or buttons and check boxes you click.
Italics indicate arguments for which you supply values.
Examples show screen displays and the command line in screen font.
Note Means reader take note. Notes contain helpful suggestions, or references to material not covered in the manual.
Caution Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data.
Table 1 Document Organization (continued)
Topic - Purpose
Setting Up CSD for Microsoft Windows Clients - Describes how to configure Secure Desktop and Cache Cleaner support for remote clients running Microsoft Windows.
Setting Up CSD for Microsoft Windows CE Clients - Describes how to configure a VPN feature policy to enable or restrict web browsing and file access for remote clients running Microsoft Windows CE.
Setting Up CSD for Macintosh and Linux Clients - Describes how to configure the Cache Cleaner and VPN feature policy for clients running Macintosh or Linux.
Frequently Asked Questions - Provides questions and answers on a broad range of CSD functions.
Related Documentation
For more information, refer to the following documentation:
Release Notes for Cisco Secure Desktop
Cisco ASA 5500 Series Release Notes
Cisco ASDM Release Notes
Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series
Cisco ASA 5500 Series Hardware Installation Guide
Migrating to ASA for VPN 3000 Concentrator Series Administrators
Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide for the ASA 5510, ASA 5520, and ASA 5540
Cisco Security Appliance Command Line Configuration Guide
Cisco Security Appliance Command Reference
Selected ASDM VPN Configuration Procedures for the Cisco ASA 5500 Series
Cisco Security Appliance Logging Configuration and System Log Messages
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. This section explains the product documentation resources that Cisco offers.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a library of technical product documentation on a portable medium. The DVD enables you to access installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the HTML documentation and some of the PDF files found on the Cisco website at this URL:
http://www.cisco.com/univercd/home/home.htm
The Product Documentation DVD is created and released regularly. DVDs are available singly or by subscription. Registered Cisco.com users can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
Ordering Documentation
You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco documentation at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
If you do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Documentation Feedback
You can provide feedback about Cisco technical documentation on the Cisco Technical Support & Documentation site area by entering your comments in the feedback form available in every online document.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to do the following:
Report security vulnerabilities in Cisco products
Obtain assistance with security incidents that involve Cisco products
Register to receive security information from Cisco
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
For emergencies only— security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
For nonemergencies— psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked encryption key or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before sending any sensitive material.
Product Alerts and Field Notices
Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field Notices. You can receive Cisco Product Alerts and Cisco Field Notices by using the Product Alert Tool on Cisco.com. This tool enables you to create a profile and choose those products for which you want to receive information.
To access the Product Alert Tool, you must be a registered Cisco.com user. (To register as a Cisco.com user, go to this URL: http://tools.cisco.com/RPF/register/register.do) Registered users can access the tool at this URL: http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification Tool to locate your product serial number before submitting a request for service online or by phone. You can access this tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link, clicking the All Tools (A-Z) tab, and then choosing Cisco Product Identification Tool from the alphabetical list. This tool offers three search options: by product ID or model name; by tree view; or, for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Tip Displaying and Searching on Cisco.com
If you suspect that the browser is not refreshing a web page, force the browser to update the web page by holding down the Ctrl key while pressing F5.
To find technical information, narrow your search to look in technical documentation, not the entire Cisco.com website. On the Cisco.com home page, click the Advanced Search link under the Search box and then click the Technical Support & Documentation radio button.
To provide feedback about the Cisco.com website or a particular technical document, click Contacts & Feedback at the top of any Cisco.com web page.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411
Australia: 1 800 805 227
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Online Subscription Center is the website where you can sign up for a variety of Cisco e-mail newsletters and other communications. Create a profile and then select the subscriptions that you would like to receive. To visit the Cisco Online Subscription Center, go to this URL:
http://www.cisco.com/offer/subscribe
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:
http://www.cisco.com/go/guide
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training, and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
Networking Professionals Connection is an interactive website where networking professionals share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
“What’s New in Cisco Documentation” is an online publication that provides information about the latest documentation releases for Cisco products. Updated monthly, this online publication is organized by product category to direct you quickly to the documentation for your products. You can view the latest release of “What’s New in Cisco Documentation” at this URL:
http://www.cisco.com/univercd/cc/td/doc/abtunicd/136957.htm
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
CHAPTER 1
Installing or Upgrading the CSD Software
CSD Release 3.1 requires that you install ASA Release 7.1.1 and ASDM Release 5.1.1 or later.
Note You do not need to boot the security appliance after you install the CSD software.
Install or upgrade the Cisco Secure Desktop (CSD) software as follows:
Step 1 Use your Internet browser to access the following URL and download the securedesktop_asa_<n>_<n>*.pkg file to any location on your PC:
http://www.cisco.com/cgi-bin/tablebuild.pl/securedesktop
Step 2 Use your Internet browser to log in to ASDM.
Step 3 Choose Configuration > CSD Setup.
The pane displays the message “Please install and/or enable Cisco Secure Desktop” if CSD is not installed (Figure 1-1).
Figure 1-1 CSD Manager Not Installed
Step 4 Click the “Cisco Secure Desktop” link.
ASDM opens the Configuration > VPN > WebVPN > CSD Setup pane (Figure 1-2).
Figure 1-2 CSD Setup (Installation)
Step 5 Click Upload to prepare to transfer a copy of the CSD software from your local PC to the flash card installed in the ASA 5500.
ASDM opens the Upload Image dialog box.
Step 6 Click Browse Local to prepare to select the file on your local PC.
The Selected File Path dialog box displays the contents of the latest, local folder you accessed (Figure 1-3).
Figure 1-3 Select File Path (Upload Image)
Step 7 Choose the securedesktop_asa_<n>_<n>*.pkg you downloaded in Step 1 and click Open.
ASDM closes the Select File Path dialog box and displays the file in the Local File Path field.
Step 8 Click Browse Flash to specify the target directory for the file.
Step 9 The Browse Flash Dialog box displays the contents of the flash card (Figure 1-4).
Figure 1-4 Browse Flash Dialog
Note The File Name field at the bottom of the dialog box displays the target filename. By default, it matches the name of the source file you selected on your local PC. We recommend that you use the default name.
Step 10 (Optional) Choose the target folder in the Folders box.
Step 11 Click OK.
ASDM closes the Browse Flash Dialog box and displays the file in the Flash File System Path field.
Step 12 Click Upload File and click OK.
An Information dialog box displays the following message:
File is uploaded to flash successfully.
Step 13 Click OK.
ASDM closes the dialog box, transfers a copy of the file to the flash card, and removes the text from the fields in the Upload Image dialog box.
Step 14 Click Close.
The Use Uploaded Image dialog box displays the following message:
Use disk0:/securedesktop_asa_n_n.pkg as your new current image?
Step 15 Click OK to install the CSD software.
The Uninstall CSD dialog box opens if you upgraded from an earlier version of CSD, and displays the following message:
Do you want to delete disk0:securedesktop_asa_<Previous_Version>.pkg?
Step 16 Click Yes unless you want to keep the previous version.
ASDM closes the dialog box, revealing the installed image in the Secure Desktop Image field.
Refer to “Enabling and Disabling CSD” to continue.
CHAPTER 2
Enabling and Disabling CSD
You can use CLI or ASDM to enable or disable CSD. Refer to the section that names your preference.
Using CLI to Enable or Disable CSD
Using ASDM to Enable or Disable CSD
Using CLI to Enable or Disable CSD
Enabling CSD loads the CSD configuration file (data.xml) from the flash device to the running configuration. If you transfer or replace the data.xml file, disable and then enable CSD to load the file.
You can enter the following CLI command in privileged EXEC mode to display the status of the CSD image:
show webvpn csd
EXAMPLE
F1-asa1(config)# show webvpn csd
Secure Desktop version 3.1.0.25 is currently installed and enabled.
Note Disabling CSD does not alter the CSD configuration.
Use the CLI to enable or disable CSD as follows:
Step 1 Log in to the CLI and enter the config t command.
Step 2 Enter webvpn to access the webvpn command mode.
For example,
F1-asa1(config)# webvpn
Step 3 Enter the following command to identify the disk that contains the securedesktop_asa_<Version>.pkg file and display the name of that file.
For example,
F1-asa1(config-webvpn)# show disk all
-#- --length-- -----date/time------ path
  6 8543616    Nov 02 2005 08:25:36 PDM
  9 6414336    Nov 02 2005 08:49:50 cdisk.bin
 10 4634       Sep 17 2004 15:32:48 first-backup
 11 4096       Sep 21 2004 10:55:02 fsck-2451
 12 4096       Sep 21 2004 10:55:02 fsck-2505
 13 21601      Nov 23 2004 15:51:46 shirley.cfg
 14 9367       Nov 01 2004 17:15:34 still.jpg
 15 6594064    Nov 04 2005 09:48:14 asdmfile.510106.rls
 16 21601      Dec 17 2004 14:20:40 tftp
 17 21601      Dec 17 2004 14:23:02 bingo.cfg
 18 9625       May 03 2005 11:06:14 wally.cfg
 19 16984      Oct 19 2005 03:48:46 tomm_backup.cfg
 20 319662     Jul 29 2005 09:51:28 sslclient-win-1.0.2.127.pkg
 21 0          Oct 07 2005 17:33:48 sdesktop
 22 5352       Oct 28 2005 15:09:20 sdesktop/data.xml
 23 369182     Oct 10 2005 05:27:58 sslclient-win-1.1.0.133.pkg
 24 1836392    Oct 26 2005 09:15:26 securedesktop_asa_3_1_0_24.pkg
38600704 bytes available (24281088 bytes used)
******** Flash Card Geometry/Format Info ********
COMPACT FLASH CARD GEOMETRY
Number of Heads: 4
Number of Cylinders 978
Sectors per Cylinder 32
Sector Size 512
Total Sectors 125184
COMPACT FLASH CARD FORMAT
Number of FAT Sectors 61
Sectors Per Cluster 8
Number of Clusters 15352
Number of Data Sectors 122976
Base Root Sector 123
Base FAT Sector 1
Base Data Sector 155
F1-asa1(config-webvpn)#
Step 4 To install the image, enter the following command:
csd image securedesktop_asa_<Version>.pkg
For example,
F1-asa1(config-webvpn)# csd image securedesktop_asa_3_1_0_25.pkg
Step 5 Enter one of the following commands:
csd enable to enable CSD
no csd enable to disable CSD
For example,
F1-asa1(config-webvpn)# csd enable
F1-asa1(config-webvpn)#
Step 6 Enter write memory to save the running configuration.
For example,
F1-asa1(config-webvpn)#
F1-asa1(config-webvpn)# write memory
Building configuration...
Cryptochecksum: 71fa1950 45b7f82f 12b4e7c1 934111bb
15585 bytes copied in 3.710 secs (5195 bytes/sec)
[OK]
F1-asa1(config-webvpn)#
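The show disk all listing above is long enough that picking the right package by eye is easy to get wrong, and Step 16 of the install procedure also asks whether the previous image should be deleted. The following Python script is an added example for this guide; it is not part of the Cisco documentation or the ASA software. It parses show disk all and show webvpn csd output captured to text (the sample listing is constructed from the one in this chapter, with entry 25 invented so that two CSD images appear side by side; the "not installed" and "disabled" status wordings are assumptions, since the guide only shows the "installed and enabled" form). It reports the newest CSD image on flash, the older images that could be removed, and whether the version the appliance reports as installed actually has a matching .pkg on flash, which is the check an administrator wants before running csd enable after replacing an image.

```python
import re
from typing import List, Optional, Tuple

Entry = Tuple[int, int, str]   # (index, length in bytes, path)
Version = Tuple[int, ...]

# Constructed sample input modelled on the `show disk all` listing in this
# chapter. Entry 25 is invented here to show two CSD images side by side.
SAMPLE_SHOW_DISK = """\
-#- --length-- -----date/time------ path
 20 319662   Jul 29 2005 09:51:28 sslclient-win-1.0.2.127.pkg
 21 0        Oct 07 2005 17:33:48 sdesktop
 22 5352     Oct 28 2005 15:09:20 sdesktop/data.xml
 23 369182   Oct 10 2005 05:27:58 sslclient-win-1.1.0.133.pkg
 24 1836392  Oct 26 2005 09:15:26 securedesktop_asa_3_1_0_24.pkg
 25 1840000  Nov 15 2005 10:02:11 securedesktop_asa_3_1_0_25.pkg

38600704 bytes available (24281088 bytes used)
"""

# Constructed sample of `show webvpn csd` output, as shown in this chapter.
SAMPLE_SHOW_CSD = "Secure Desktop version 3.1.0.25 is currently installed and enabled."

# One file row: index, length, "Mon DD YYYY HH:MM:SS", path. The header row and
# the "bytes available" summary do not match and are skipped.
_LISTING_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$"
)
# securedesktop_asa_<n>_<n>..._<n>.pkg, version digits separated by underscores
_CSD_IMAGE = re.compile(r"^securedesktop_asa_((?:\d+_)*\d+)\.pkg$")
# Assumption: the "not installed" / "disabled" alternatives are guesses; the
# guide only shows the "installed and enabled" wording.
_CSD_STATUS = re.compile(
    r"Secure Desktop version (\d+(?:\.\d+)*) is currently "
    r"(installed|not installed) and (enabled|disabled)"
)


def parse_disk_listing(text: str) -> List[Entry]:
    """Return (index, length, path) for every file row in show disk all output."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _LISTING_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def csd_images(text: str) -> List[Tuple[Version, str]]:
    """CSD package files found on flash, sorted oldest version first."""
    found: List[Tuple[Version, str]] = []
    for _, _, path in parse_disk_listing(text):
        m = _CSD_IMAGE.match(path.rsplit("/", 1)[-1])
        if m:
            found.append((tuple(int(x) for x in m.group(1).split("_")), path))
    return sorted(found)


def newest_csd_image(text: str) -> Optional[str]:
    """Path of the highest-versioned CSD image, or None if there is none."""
    images = csd_images(text)
    return images[-1][1] if images else None


def stale_csd_images(text: str) -> List[str]:
    """Older images that Step 16 of the install procedure offers to delete."""
    return [path for _, path in csd_images(text)[:-1]]


def parse_csd_status(text: str) -> Optional[Tuple[Version, bool, bool]]:
    """(version, installed, enabled) from show webvpn csd output, or None."""
    m = _CSD_STATUS.search(text)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1).split("."))
    return version, m.group(2) == "installed", m.group(3) == "enabled"


def image_matches_status(disk_text: str, status_text: str) -> bool:
    """True when the version reported as installed has a matching .pkg on flash."""
    status = parse_csd_status(status_text)
    if status is None or not status[1]:
        return False
    return any(ver == status[0] for ver, _ in csd_images(disk_text))


if __name__ == "__main__":
    print("newest image :", newest_csd_image(SAMPLE_SHOW_DISK))
    print("stale images :", stale_csd_images(SAMPLE_SHOW_DISK))
    print("status       :", parse_csd_status(SAMPLE_SHOW_CSD))
    print("consistent   :", image_matches_status(SAMPLE_SHOW_DISK, SAMPLE_SHOW_CSD))
```

Feed it real captures by reading the two command outputs from files and passing them to newest_csd_image and image_matches_status; a mismatch between the reported version and the files on flash usually means the image was replaced without the disable/enable cycle the section above describes.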
Using ASDM to Enable or Disable CSD
Enabling CSD loads the CSD configuration file (data.xml) from the flash device to the running configuration. If you transfer or replace the data.xml, disable and then enable CSD to load the file.
Disabling CSD does not alter the CSD configuration.
Use ASDM to enable or disable CSD as follows:
Step 1 Choose Configuration > VPN > Web VPN > CSD Setup.
The CSD Setup pane opens (Figure 2-1).
Figure 2-1 CSD Setup (Enable/Disable)
Note The Secure Desktop Image field displays the image (and version) that is currently installed. The
Enable Secure Desktop check box indicates whether CSD is enabled.
Step 2 Check or uncheck Enable Secure Desktop and click Apply.
ASDM enables or disables CSD.
CHAPTER 3
Introduction
The following sections describe the capabilities of Cisco Secure Desktop (CSD), introduce the Cisco Secure Desktop Manager (CSDM) interface, and describe how to save configuration changes:
CSD Capabilities
Navigation
Saving and Resetting the Running CSD Configuration
CSD Capabilities
CSD seeks to minimize the risk of information being left after an SSL VPN session terminates. CSD’s goal is to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain on a system after a remote user logs out or an SSL VPN session times out. CSD encrypts data and files associated with, or downloaded during, the SSL VPN session.
The protection provided by CSD is valuable in case of an abrupt session termination, or if a session times out due to inactivity. Furthermore, CSD stores session information in the secure vault desktop partition; when the session closes, CSD overwrites and attempts to remove session data using a U.S. Department of Defense (DoD) sanitation algorithm to provide endpoint security protection.
CSD allows full customization of when and where it is downloaded. It supports profiles of network element connection types (corporate laptop, home PC, or Internet kiosk) and applies a different security policy to each type. These policies include System Detection, which is the definition, enforcement, and restoration of client security in order to secure enterprise networks and data. You can configure System Detection to confirm the presence of the CSD modules Secure Desktop or Cache Cleaner; and antivirus software, antispyware software, personal firewall software, and/or the Microsoft® Windows operating system and service packs on the user's computer as conditions for enabling particular features.
Cisco SSL VPN solutions provide organizations with robust and flexible products for protecting the security and privacy of information, and can play an important part in an organization's compliance strategies. No single technology today addresses all security requirements under the proposed standards. In addition, given limitations of the Microsoft operating system, no technology that interoperates with the operating system can ensure the total removal of all data, especially from an untrusted system with potentially malicious third party software installed. However, deployments of Cisco SSL VPN using CSD, when combined with other security controls and mechanisms within the context of an effective risk management strategy and policy, can help to reduce risks associated with using such technologies.
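The section above says that CSD overwrites session data and then attempts to remove it, and that no software can guarantee total removal on an untrusted system. The following Python routine is an added example written for this guide, not CSD's own code and not the DoD algorithm the guide refers to (which it does not specify); it shows the general overwrite-then-unlink pattern and where its limits lie. The pass pattern (zeros, ones, random) and the sample file content are constructed for the illustration.

```python
import os
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional, Sequence

# Overwrite passes: fixed 0x00, fixed 0xFF, then random bytes. This pattern is
# this page's illustration of overwrite-before-delete; it is not CSD's own
# DoD-derived algorithm, which the guide does not specify.
DEFAULT_PASSES: Sequence[Optional[bytes]] = (b"\x00", b"\xff", None)


def overwrite_and_remove(path: str, passes: Sequence[Optional[bytes]] = DEFAULT_PASSES,
                         chunk: int = 64 * 1024) -> int:
    """Overwrite the file in place once per pass, flush each pass to disk, then unlink.

    Returns the number of passes applied. Caveat: journaling, copy-on-write and
    SSD wear-levelling can keep stale copies of the blocks, so this reduces,
    but does not eliminate, the chance that data remains. The guide makes the
    same point about CSD, which "attempts to remove" session data.
    """
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b", buffering=0) as f:       # unbuffered: writes go straight to the OS
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())                 # force the pass onto the medium
    # Rename to a random name first so the original filename does not survive
    # in the directory entry after the unlink.
    scrubbed = p.with_name(secrets.token_hex(8))
    p.rename(scrubbed)
    scrubbed.unlink()
    return len(passes)


def demo_sanitize(content: bytes = b"constructed session cookie: sessionid=abc123\n") -> Dict[str, object]:
    """Create a temporary file with constructed content, sanitize it, report the outcome."""
    tmp_dir = tempfile.mkdtemp()
    target = Path(tmp_dir) / "cookies.txt"
    target.write_bytes(content)
    passes = overwrite_and_remove(str(target))
    leftover = [p.name for p in Path(tmp_dir).iterdir()]   # expected: nothing left behind
    os.rmdir(tmp_dir)
    return {"passes": passes, "bytes_before": len(content), "leftover_files": leftover}


if __name__ == "__main__":
    print(demo_sanitize())
```

The fsync after every pass is what distinguishes this from a plain delete: without it the overwrites can sit in the page cache and never reach the medium before the unlink. The rename before unlink addresses the filename, which a plain delete leaves recoverable in the directory; neither step helps against copies the filesystem or the flash translation layer made on its own, which is why the guide pairs CSD with other controls rather than presenting it as a guarantee.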