Harden AnyConnect RA VPN Headend

johnlloyd_13 — Fri, 06 Nov 2020 01:07:57 GMT

hi,

there was a recent security scan on our anyconnect VPN headend and would like to "harden" the ASA FW.

for the SSL DH group, i would need to change it to 2048 bits but there are 2 options presented: group 14 (224-bit) and group 24 (256-bit). which i should i choose without impacting the CPU or VPN performance.

asa# show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group2 (1024-bit modulus)
SSL ECDH Group: group19 (256-bit EC)

asa(config)# ssl dh-group ?

configure mode commands/options:

group2 Configure DH group 2 - 1024-bit modulus

group5 Configure DH group 5 - 1536-bit modulus

group14 Configure DH group 14 - 2048-bit modulus, 224-bit prime order

subgroup (FIPS)

group24 Configure DH group 24 - 2048-bit modulus, 256-bit prime order

subgroup (FIPS)

i would also need to move away from TLS 1/1.1 and force the anyconnect client to use TLS 1.2 instead.

do i just issue the 'ssl cipher tlsv1.2' global command? does it need to be the same for DTLS?

asa# show ssl ciphers

Current cipher configuration:

default (medium):

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

AES256-GCM-SHA384

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

DHE-RSA-AES256-SHA256

AES256-SHA256

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES128-GCM-SHA256

AES128-GCM-SHA256

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

DHE-RSA-AES128-SHA256

AES128-SHA256

DHE-RSA-AES256-SHA

AES256-SHA

DHE-RSA-AES128-SHA

AES128-SHA

tlsv1 (medium):

DHE-RSA-AES256-SHA

AES256-SHA

DHE-RSA-AES128-SHA

AES128-SHA

tlsv1.1 (medium):

DHE-RSA-AES256-SHA

AES256-SHA

DHE-RSA-AES128-SHA

AES128-SHA

tlsv1.2 (medium):

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

AES256-GCM-SHA384

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

DHE-RSA-AES256-SHA256

AES256-SHA256

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES128-GCM-SHA256

AES128-GCM-SHA256

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

DHE-RSA-AES128-SHA256

AES128-SHA256

DHE-RSA-AES256-SHA

AES256-SHA

DHE-RSA-AES128-SHA

AES128-SHA

dtlsv1 (medium):

DHE-RSA-AES256-SHA

AES256-SHA

DHE-RSA-AES128-SHA

AES128-SHA

dtlsv1.2 (medium):

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

AES256-GCM-SHA384

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

DHE-RSA-AES256-SHA256

AES256-SHA256

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES128-GCM-SHA256

AES128-GCM-SHA256

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

DHE-RSA-AES128-SHA256

AES128-SHA256

DHE-RSA-AES256-SHA

AES256-SHA

DHE-RSA-AES128-SHA

AES128-SHA

asa# show vpn-sessiondb detail anyconnect

<SNIP>

SSL-Tunnel:
Tunnel ID : 9912.2
Assigned IP : 172.20.x.x Public IP : 98.196.x.x
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 60180
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052
Bytes Tx : 8082 Bytes Rx : 3602
Pkts Tx : 6 Pkts Rx : 39
Pkts Tx Drop : 0 Pkts Rx Drop : 0

DTLS-Tunnel:
Tunnel ID : 9912.3
Assigned IP : 172.20.x.x Public IP : 98.196.x.x
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 60111
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052
Bytes Tx : 7249188633 Bytes Rx : 2071825003
Pkts Tx : 9667600 Pkts Rx : 7676173
Pkts Tx Drop : 42132 Pkts Rx Drop : 0

asa(config)# ssl cipher ?

configure mode commands/options:
default Specify the set of ciphers for outbound connections
dtlsv1 Specify the ciphers for DTLSv1 inbound connections
dtlsv1.2 Specify the ciphers for DTLSv1.2 inbound connections
tlsv1 Specify the ciphers for TLSv1 inbound connections
tlsv1.1 Specify the ciphers for TLSv1.1 inbound connections
tlsv1.2 Specify the ciphers for TLSv1.2 inbound connections

Re: Harden AnyConnect RA VPN Headend

Rob Ingram — Fri, 06 Nov 2020 07:53:53 GMT

Hi @johnlloyd_13

You should go with DH group14, as group 2, 5 and 24 are depreciated from ASA 9.13 as being insecure. Group 14 will be the default.

Yes specify the same for DTLS, as you want to be using DTLS over TLS. When using DTLS it uses AES-GCM as default (which is observed by your output), so you can expect improved performance.

Here is a useful guide

https://community.cisco.com/t5/security-documents/asa-best-practices-for-remote-access-vpn-performance/ta-p/4070579

Re: Harden AnyConnect RA VPN Headend

johnlloyd_13 — Fri, 06 Nov 2020 08:03:25 GMT

hi rob,

thanks for your feedback and the cool link provided!

just another question, when i change these settings will it cause a disruption to the VPN users?

i want to take precautions here since a lot of us are WFH.

topic Harden AnyConnect RA VPN Headend in Network Security

Harden AnyConnect RA VPN Headend

Re: Harden AnyConnect RA VPN Headend

Re: Harden AnyConnect RA VPN Headend