02-22-2018 11:38 AM - edited 02-21-2020 07:24 AM
Dears,
I have some questions; please answer.
Can 3DES be broken, or is it still considered secure? Please suggest.
Corporate users are using the AnyConnect client VPN. To get the VPN client they have to enter https://<public IP address of the firewall>, they get a certificate error, and then they get a chance to download the client.
Now it seems to me that using https://<public IP address> to access the ASA for the AnyConnect client for the first time is insecure. Is it insecure? Please suggest. Or is manually installing the client the best practice?
02-22-2018 12:31 PM
Hi. According to this Cisco document, 3DES is considered legacy and provides marginal but acceptable security. AES should be an acceptable minimum nowadays; use the link provided to decide which algorithms to use.
I would recommend installing a signed certificate from a public certificate authority (e.g. Verisign, Comodo, etc.) and ensuring the users' laptops trust this certificate.
02-23-2018 01:27 AM
As noted in the other reply, 3DES should be avoided.
Assuming you have current code (9.2 or later), you can set up your ASA to only negotiate strong SSL ciphers with the client. The following commands will do that:
ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
That, plus a certificate signed by a trusted Certificate Authority (CA), will help secure your SSL VPN better.
02-23-2018 02:21 AM - edited 02-23-2018 02:22 AM
Dears,
Thanks for your replies.
The main goal here is to stop the https://<public IP address> of the ASA from being accessible directly from outside, while keeping the AnyConnect SSL VPN for the users.
Thanks
02-23-2018 03:02 AM
If I were running 9.2, I would patch it: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
;-)
02-23-2018 10:11 AM
Dears,
By patching to the fixed version, what will be new? Will the ASA no longer be accessible via https://<outside public IP> for hacking??
Thanks
02-24-2018 05:23 AM
As long as you are running SSL VPN for your AnyConnect users, the ASA outside address must be listening for the incoming SSL sessions.
By default it uses tcp/443, but it can be changed to use a non-standard TCP port if you like.
02-24-2018 05:25 AM
@Dennis Mink wrote:
If I were running 9.2, I would patch it: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
;-)
I only mentioned 9.2 because that is the first release that introduced support for the stronger ciphers.
One should always consult the release notes and choose the best release for their environment based on platform, features, stability and security.
02-26-2018 07:13 AM
Dears,
Instead of the outside interface, can I enable SSL termination on a public IP that is not assigned to any interface but lies in the SSL VPN configuration in global config? I mean the logic of NATting a server from a public IP to a private IP, the only exception being that there is no interface assigned.
Thanks
02-26-2018 09:21 AM
No. On an ASA, the SSL VPN trustpoint must be associated with the interface on which the client traffic arrives.
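As an added illustration of the advice in this thread (the custom cipher strings in the earlier reply, the configurable listening port mentioned above, and the trustpoint-per-interface rule in this reply), and not code from the thread or from Cisco: a small Python script that audits a constructed ASA configuration excerpt. It flags suites by their OpenSSL-style names: 3DES (64-bit block cipher), RC4, NULL/export, suites without ECDHE/DHE key exchange (no forward secrecy), and CBC suites with an HMAC-SHA1 MAC. It also reports the HTTPS port and whether every webvpn-enabled interface has an ssl trust-point bound to it. The configuration text, the tag names and the name-based heuristics are assumptions of the example.

```python
import re

# Constructed ASA configuration excerpt (an assumption for this example, not
# taken from the thread). The first three ssl cipher lines repeat the ones
# posted above; the tlsv1.1 line is deliberately weak so the audit flags it.
SAMPLE_CONFIG = """\
ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher tlsv1.1 custom "DES-CBC3-SHA;RC4-SHA;AES128-SHA"
ssl trust-point vpn-cert outside
webvpn
 enable outside
 port 8443
 anyconnect enable
"""

CIPHER_LINE = re.compile(r'^ssl cipher (\S+) custom "([^"]*)"$')
TRUSTPOINT_LINE = re.compile(r"^ssl trust-point (\S+) (\S+)$")


def classify_suite(name):
    """Weakness tags for one OpenSSL-style suite name, judged by name only.

    Tags: 3des (64-bit block cipher), rc4, null-or-export, no-pfs (static
    RSA/ECDH key exchange, no forward secrecy), sha1-mac (HMAC-SHA1).
    """
    issues = []
    if re.search(r"\bDES\b", name):      # DES-CBC3-SHA, ...-DES-CBC3-SHA
        issues.append("3des")
    if "RC4" in name:
        issues.append("rc4")
    if "NULL" in name or name.startswith("EXP"):
        issues.append("null-or-export")
    if not name.startswith(("ECDHE-", "DHE-")):
        issues.append("no-pfs")
    if name.endswith("-SHA"):            # CBC suites with an HMAC-SHA1 MAC
        issues.append("sha1-mac")
    return issues


def audit_config(config_text):
    """Parse the ssl cipher, ssl trust-point and webvpn lines of an ASA config."""
    result = {"ciphers": {}, "trustpoints": {}, "interfaces": [], "listen_port": 443}
    in_webvpn = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if in_webvpn and not line.startswith(" "):
            in_webvpn = False            # left the indented webvpn block
        if in_webvpn:
            m = re.match(r"^\s+enable (\S+)$", line)
            if m:
                result["interfaces"].append(m.group(1))
            m = re.match(r"^\s+port (\d+)$", line)
            if m:
                result["listen_port"] = int(m.group(1))
            continue
        if line == "webvpn":
            in_webvpn = True
            continue
        m = CIPHER_LINE.match(line)
        if m:
            # ASA custom strings are seen with ';' or ':' as the separator
            suites = [s for s in re.split(r"[;:]", m.group(2)) if s]
            result["ciphers"][m.group(1)] = {s: classify_suite(s) for s in suites}
            continue
        m = TRUSTPOINT_LINE.match(line)
        if m:
            result["trustpoints"][m.group(2)] = m.group(1)
    return result


def weak_suites(result):
    """(version, suite, issues) for every configured suite that has an issue."""
    return [(ver, suite, issues)
            for ver, suites in result["ciphers"].items()
            for suite, issues in suites.items() if issues]


def interfaces_without_trustpoint(result):
    """webvpn-enabled interfaces with no ssl trust-point bound to them."""
    return [i for i in result["interfaces"] if i not in result["trustpoints"]]


if __name__ == "__main__":
    audit = audit_config(SAMPLE_CONFIG)
    print(f"SSL VPN listens on tcp/{audit['listen_port']} on {audit['interfaces']}")
    for iface in interfaces_without_trustpoint(audit):
        print(f"WARNING: webvpn enabled on {iface} but no trustpoint bound to it")
    for ver, suite, issues in weak_suites(audit):
        print(f"{ver:8} {suite:28} {', '.join(issues)}")
```

Run as-is it prints the listening port and each flagged suite. Note that the custom strings posted earlier in the thread include AES256-SHA and AES128-SHA256, which this heuristic marks as lacking forward secrecy; whether that matters depends on the clients you must support, so treat the output as a review aid rather than a policy.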
02-26-2018 09:41 AM - edited 02-26-2018 09:46 AM
Thanks for your reply, Marvin.
I'm running Version 9.6(3), so I must upgrade to the fixed version.
03-03-2018 12:29 AM
Dears,
Thanks for all you have contributed to this thread; I have rated all the replies.
Regards,
Adam