Now that we have CSD installed let’s take a look at the configuration options in the ASDM. There are some items that can be configured in CLI but, like the portal customizations, most need to be done through the ASDM.
The description above does a pretty good job of outlining some of the key components. Let’s walk through some of the menus and see what options we have.
Note: some Secure Desktop features, such as keystroke logger detection, host emulation detection, and the Vault, will not be covered in this series. I chose to leave them out because in practical deployments of CSD I have found that customers opt not to configure them. Are they worth looking at? Certainly; I just don’t work with them enough to discuss them.
The setup window gives you the option to specify the CSD image either by selecting it from flash or uploading it from your computer. Additionally, this is the screen where you enable CSD, as well as uninstall it should you decide to. The setup window allows you to do everything we did via the CLI in Part 1 of this series.
Global settings allow you to configure the logging level for CSD. Interestingly enough, these logs are stored on the client machine, not on the ASA. The options are, for the most part, self-explanatory, and we will cover the log file location later in this series.
Prelogin policy allows you to define checks that CSD runs against the workstation before the user is even shown the login prompt. The ASDM lets you build a tree-like structure to define the policy. You can check for registry entries, certificates, files, OS, and IP address. Much of the same functionality can be achieved using basic host scan together with DAPs (Dynamic Access Policies), which are evaluated at logon time. However, with DAPs you must first define what items you want host scan to collect and then reference them a second time within the DAP. Prelogin policy does it all in one step.
Prelogin Policy – Default Policy
Again, the description speaks for itself in this case. I mentioned earlier that I don’t see much value in the Vault functionality; in practice it turns out to be a cumbersome piece of the CSD suite. On the other hand, I am not dismissing it as inefficient or unnecessary. My point is that most clients simply don’t want to use it.
Prelogin Policy – Default Policy – Cache Cleaner
In my opinion, if you are going to use the cache cleaner, the default settings are the best settings. The “Launch Hidden URL” option is misleadingly named: it is used to check for particular cookies on the client workstation.
Host scan collects information from the endpoint that can be associated with DAPs, which are evaluated at logon. The basic host scan piece is very similar to the prelogin policy checks, but there are differences: basic host scan can only detect files, registry entries, and processes, whereas prelogin policy can check for registry entries, certificates, files, OS, and IP address. To make this very clear, see the table below.
| Check | Prelogin Policy | Host Scan with DAPs |
|---|---|---|
| Evaluated | Prior to the user seeing the logon prompt | During logon |
| Check for file | YES | YES |
| Check for registry entry | YES | YES |
| Check for process | NO | YES |
| Check OS | YES | NO |
| Check for certificate | YES | NO |
| Check for IP address | YES | NO |
The second part of host scan is the endpoint assessment piece. Endpoint assessment allows you to search the computer for specific anti-virus, anti-spyware, and firewall applications. Additionally, it can return their version and last update time, and you can grant or deny access based on any of that information. Sounds cool, doesn’t it? Unfortunately it doesn’t work very well. My biggest complaint with CSD is that endpoint assessment just doesn’t detect reliably. I have spent hours testing it against several anti-virus products and I just can’t get it to detect them. The problem, from what I understand, is that getting all of the different software vendors to send all of their product and version information to Cisco is almost impossible to manage. If host scan can accurately detect your company’s particular flavor of anti-virus, this would be an awesome product.

Additionally, there is an Advanced Endpoint Assessment license that allows you to configure client remediation. For instance, if a client attempts to connect and doesn’t have up-to-date anti-virus definitions, the ASA can remediate the client by triggering a download of the new definitions. Once the client’s definitions are current it will pass the DAP and be allowed access. This is reserved for ASAs that have the advanced license, however.
Summary
As I stated in my first post, CSD is somewhat of a triumph and a letdown at the same time. The product boasts superior capabilities but falls short in the implementation department. Again, I don’t believe this to be Cisco’s fault; I think it is just too hard to keep on top of every other vendor and stay current with all of them at the same time. That being said, not all is lost. The prelogin policy and basic host scan pieces work flawlessly. Additionally, we can use advanced expressions in DAPs to check whether certain applications (anti-virus, anti-spyware, etc.) are installed on the client machine. The remaining posts in this series are laid out below, subject to change:
Part 3 – The client install. What CSD installs and where it goes
Part 4 – Configuring Prelogin policies
Part 5 – DAPs
Part 6 – Using basic host scan results with DAPs
Part 7 – Advanced expressions within DAPs
Since it appears that you have been using Cisco Secure Desktop for a while now, what is your current opinion of the solution? Is it worth the implementation, and is it an effective solution for protecting your network from users connecting to the VPN from untrusted workstations? Any idea if the key logging protection actually works?
My opinion of CSD is much different than my opinion of the ‘vault’ functionality within CSD. The CSD plug-in is pretty neat in regards to its ability to posture the client’s machine. The vault, for the most part, ruins the whole solution, mostly because it’s not supported on 64-bit operating systems. On top of that, you are trying to get plug-ins to install on unmanaged machines, which is a pain in itself. If it works as intended it seems to provide a fair level of security. Not a huge fan of the entire solution though. I’m putting more time into AnyConnect these days.