Filter
Top Products
2-12
Cisco ASDM User Guide
OL-16647-01
Chapter 2 Introduction to the Security Appliance
New Features by Platform Release
Cisco Secure
Desktop
Host Scan As a condition for the completion of a Cisco AnyConnect or clientless SSL
VPN connection, the remote computer scans for a greatly expanded
collection of antivirus and antispyware applications, firewalls, operating
systems, and associated updates. It also scans for any registry entries,
filenames, and process names that you specify. It sends the scan results to the
security appliance. The security appliance uses both the user login credentials
and the computer scan results to assign a Dynamic Access Policy (DAP).
With an Advanced Endpoint Assessment License, you can enhance Host Scan
by configuring an attempt to update noncompliant computers to meet version
requirements.
Cisco can provide timely updates to the list of applications and versions that
Host Scan supports in a package that is separate from Cisco Secure Desktop.
Simplified prelogin
assessment and periodic
checks
Cisco Secure Desktop now simplifies the configuration of prelogin and
periodic checks to perform on remote Microsoft Windows computers. Cisco
Secure Desktop lets you add, modify, remove, and place conditions on
endpoint checking criteria using a simplified, graphical view of the checks.
As you use this graphical view to configure sequences of checks, link them
to branches, deny logins, and assign endpoint profiles, Cisco Secure Desktop
Manager records the changes to an XML file. You can configure the security
appliance to use returned results in combination with many other types of
data, such as the connection type and multiple group settings, to generate and
apply a DAP to the session.
Access Policies Dynamic access policies
(DAP)
VPN gateways operate in dynamic environments. Multiple variables can
affect each VPN connection, for example, intranet configurations that
frequently change, the various roles each user may inhabit within an
organization, and logins from remote access sites with different
configurations and levels of security. The task of authorizing users is much
more complicated in a VPN environment than it is in a network with a static
configuration.
Dynamic Access Policies (DAP) on the security appliance let you configure
authorization that addresses these many variables. You create a dynamic
access policy by setting a collection of access control attributes that you
associate with a specific user tunnel or session. These attributes address
issues of multiple group membership and endpoint security. That is, the
security appliance grants access to a particular user for a particular session
based on the policies you define. It generates a DAP at the time the user
connects by selecting and/or aggregating attributes from one or more DAP
records. It selects these DAP records based on the endpoint security
information of the remote device and the AAA authorization information for
the authenticated user. It then applies the DAP record to the user tunnel or
session.
Administrator
differentiation
Lets you differentiate regular remote access users and administrative users
under the same database, either RADIUS or LDAP. You can create and
restrict access to the console via various methods (TELNET and SSH, for
example) to administrators only. It is based on the IETF RADIUS
service-type attribute.
Table 2-5 New Features for ASA and PIX Version 8.0(2) (continued)
ASA Feature Type Feature Description