5506X - trying to still use firepower with clean pen test

Jason Lista · ‎12-13-2021

Dilemma: Trying to make this ASA-5506X last a little longer. Issue noted on pen test that http security headers not set on the clientless vpn portal.

Needs: 1) Firepower enabled (only works through 9.9.x)

2) http-headers setting functionality (seems to have been added later in 9.13, but https://www.cisco.com/web/software/280775065/142220/ASA-992-Interim-Release-Notes.html suggests it's available in 9.9.X and the bug link actually includes 9.8.4 as a known fixed release, but none of those versions recognize the http-headers command in webvpn config)

Potential solutions:

1) Is there another way to set content-security-policy, hsts etc. in these older versions without the http-headers command?

2) If this ends up being a one or the other situation, could I enable Anyconnect essentials, which removes the clientless VPN functionality (which I don't use anyway) and may mitigate the issue? Sending command "anyconnect essentials" in webvpn config returns "command requires anyconnect essentials license". Or is there another way to shut down the clientless VPN access and just use anyconnect (turning clientless off on the outside interface turns them both off currently)?

Here is my current license key (purchased anyconnect plus a number of years ago):

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 30 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 50 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 50 perpetual
Total VPN Peers : 50 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 160 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

Marvin Rhoads · ‎12-13-2021

Is clientless enabled in your default group policy? If so you should be able to disable it there.

Jason Lista · ‎12-13-2021

Thanks Marvin, that does work to disallow access, but the portal page is still up.

It seems once any kind of SSL VPN is up, the portal is available (even if just to download the anyconnect software). if the security headers are not able to be set, the issue will continue to appear on the pen test.

One other possibility may be to switch the anyconnect VPN to ipsec v2, which can be turned on without a portal page being accessible.

Marvin Rhoads · ‎12-14-2021

You may find this document useful if you are thinking about an IPsec IKEv2-only remote access VPN:

https://community.cisco.com/t5/security-documents/configuring-ipsec-ikev2-remote-access-vpn-with-cisco-secure/ta-p/4485165

I wrote it for just that use case (albeit on FTD).

Some users have reported they are happy using the "keepout" option as mentioned in this thread:

https://community.cisco.com/t5/vpn/disabling-clientless-browser-based-vpn/td-p/3065988

Jason Lista · ‎12-15-2021

Thank you very much Marvin, much appreciated for the config guide.

Any SSL service running will fail the pen test if the http-headers cannot be set, even if the keepout option is enabled.

Looks like for any version that supports Firepower on the 5506X, completely turning SSL services off (including client services) is the only way to get it off the report, limiting the Anyconnect to IPsec IKEv2-only (and no clientless VPN).

I did open a TAC case regarding CSCvd13180 being listed as fixed in 9.9(2)14 but not actually available.

Thanks again for your help.