
Chapter 5. SSL VPNs on Cisco ASA

Cisco Secure Desktop

Cisco Secure Desktop (CSD) provides a secure desktop environment to remote users after validating a number of security parameters on the client workstation. The purpose of CSD is to minimize the risk posed by remote workstations by collecting the necessary information from them. If the received information matches the preconfigured criteria, the security appliance can create a secure environment and optionally apply policies and restrictions to the user session. When the user session is disconnected, the secure desktop environment is removed. This means that users who want to access corporate resources from a hotel workstation, or even from an Internet café, can create a secure vault from which corporate resources are accessed through the clientless SSL VPN or the AnyConnect VPN Client. When the user is finished with the public workstation, the vault is destroyed to ensure that the data cannot be accessed by a different user. CSD removes cookies, temporary files, browser history, and any downloaded content when the secure vault is destroyed.

CSD is designed to help system administrators enforce security policies for remote users. When a user tries to connect to the SSL VPN gateway, a client component is downloaded and installed on the client workstation. This client component scans the computer and gathers information such as the operating system, installed service pack, antivirus version, and installed personal firewall. This information is sent to the SSL VPN gateway (here, the security appliance) and matched against predefined criteria. If the user's computer meets the criteria, the user is given the appropriate access to internal resources. If the criteria are not met, the user is granted either limited or no access. For example, an administrator might require that all remote computers have Windows XP with Service Pack 2 installed. Remote computers that meet this condition are matched against a profile and then allowed to launch CSD or Cache Cleaner. If dynamic access policy (DAP) is used, appropriate actions such as network restrictions can be applied to the user sessions. Cache Cleaner is discussed in the next section, and DAP is discussed later in the chapter.

You can configure a number of parameters and group them together to define a specific location. When a remote host is scanned and the received information matches the criteria, the host is assigned that location. CSD supports five attributes to identify the location of an SSL VPN client. For example, you can define a range of IP addresses and a specific registry key, group them together, and declare them as Work. Clients that connect from that address range and have that registry key are given access based on the policies defined for that location. The supported attributes include the following:


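The location matching and posture check described above, as an added illustration that is not Cisco's code or the book's: a toy policy engine that takes a constructed host scan, assigns a location from an ordered list (IP range plus required registry keys), and returns the action the gateway would take. The registry key, address ranges and action names are assumptions.

```python
# Added illustration (not Cisco's or the book's code): a toy model of how a
# CSD-style pre-login check turns a host scan into a location and an action.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class HostScan:
    """What the downloaded client component reports back (constructed sample)."""
    ip: str
    os: str
    service_pack: int
    antivirus: Optional[str]
    firewall: Optional[str]
    registry_keys: Set[str] = field(default_factory=set)

@dataclass
class Location:
    """A named location: IP ranges plus registry keys that must all be present."""
    name: str
    ip_ranges: List[str]     # CIDR strings; the host must fall inside one of them
    required_keys: Set[str]  # empty set means no registry requirement
    action: str              # what to launch: "csd" (secure vault) or "cache_cleaner"

# Constructed policy: the corporate range plus a hypothetical managed-host key
# maps to Work; anything else gets the lighter Cache Cleaner treatment.
SAMPLE_LOCATIONS = [
    Location("Work", ["10.0.0.0/8"], {r"HKLM\SOFTWARE\ExampleCorp\Managed"}, "csd"),
    Location("Other", ["0.0.0.0/0"], set(), "cache_cleaner"),
]

def matches_location(scan: HostScan, loc: Location) -> bool:
    addr = ipaddress.ip_address(scan.ip)
    in_range = any(addr in ipaddress.ip_network(r) for r in loc.ip_ranges)
    return in_range and loc.required_keys <= scan.registry_keys

def assign_location(scan: HostScan, locations: List[Location]) -> Optional[Location]:
    """First matching location wins, as with an ordered policy list."""
    return next((loc for loc in locations if matches_location(scan, loc)), None)

def posture_ok(scan: HostScan) -> bool:
    """The text's example criterion: Windows XP with Service Pack 2 (or later)."""
    return scan.os == "Windows XP" and scan.service_pack >= 2

def evaluate(scan: HostScan, locations: List[Location]) -> str:
    """Gateway decision: no access unless posture passes and a location matches."""
    if not posture_ok(scan):
        return "no_access"
    loc = assign_location(scan, locations)
    return loc.action if loc else "no_access"
```

Note that a host on the corporate range without the registry key falls through to Other, so ordering and key requirements together decide which vault policy applies.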