11-05-2020 04:54 PM - edited 11-05-2020 05:07 PM
hi,
there was a recent security scan on our anyconnect VPN headend and we would like to "harden" the ASA FW.
for the SSL DH group, i would need to change it to 2048 bits but there are 2 options presented: group 14 (224-bit) and group 24 (256-bit). which should i choose without impacting the CPU or VPN performance?
asa# show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group2 (1024-bit modulus)
SSL ECDH Group: group19 (256-bit EC)
asa(config)# ssl dh-group ?
configure mode commands/options:
group2 Configure DH group 2 - 1024-bit modulus
group5 Configure DH group 5 - 1536-bit modulus
group14 Configure DH group 14 - 2048-bit modulus, 224-bit prime order
subgroup (FIPS)
group24 Configure DH group 24 - 2048-bit modulus, 256-bit prime order
subgroup (FIPS)
i would also need to move away from TLS 1/1.1 and force the anyconnect client to use TLS 1.2 instead.
do i just issue the 'ssl cipher tlsv1.2' global command? does it need to be the same for DTLS?
asa# show ssl ciphers
Current cipher configuration:
default (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
dtlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
dtlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
asa# show vpn-sessiondb detail anyconnect
<SNIP>
SSL-Tunnel:
Tunnel ID : 9912.2
Assigned IP : 172.20.x.x Public IP : 98.196.x.x
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 60180
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052
Bytes Tx : 8082 Bytes Rx : 3602
Pkts Tx : 6 Pkts Rx : 39
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 9912.3
Assigned IP : 172.20.x.x Public IP : 98.196.x.x
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 60111
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052
Bytes Tx : 7249188633 Bytes Rx : 2071825003
Pkts Tx : 9667600 Pkts Rx : 7676173
Pkts Tx Drop : 42132 Pkts Rx Drop : 0
asa(config)# ssl cipher ?
configure mode commands/options:
default Specify the set of ciphers for outbound connections
dtlsv1 Specify the ciphers for DTLSv1 inbound connections
dtlsv1.2 Specify the ciphers for DTLSv1.2 inbound connections
tlsv1 Specify the ciphers for TLSv1 inbound connections
tlsv1.1 Specify the ciphers for TLSv1.1 inbound connections
tlsv1.2 Specify the ciphers for TLSv1.2 inbound connections
11-05-2020 11:53 PM
You should go with DH group14, as group 2, 5 and 24 are deprecated from ASA 9.13 as being insecure. Group 14 will be the default.
Yes, specify the same for DTLS, as you want to be using DTLS over TLS. When using DTLS it uses AES-GCM as default (which is observed by your output), so you can expect improved performance.
Here is a useful guide
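An added example, not part of the original posts or any Cisco tooling: a small Python audit that reads pasted `show ssl` / `show ssl ciphers` output like the question's and lists what a hardening pass would still need to address (DH modulus below 2048 bits, a protocol floor below TLS 1.2, cipher lists still defined for legacy protocol versions, and suites without forward secrecy or with CBC/HMAC-SHA1). The function name, the finding wording and the shortened sample are assumptions made for illustration.

```python
import re

# Constructed sample: a shortened excerpt of the `show ssl` and
# `show ssl ciphers` output posted in the question above.
SAMPLE = """\
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
SSL DH Group: group2 (1024-bit modulus)
SSL ECDH Group: group19 (256-bit EC)
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
tlsv1.2 (medium):
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
DHE-RSA-AES128-SHA
dtlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
AES128-SHA
"""

LEGACY = {"sslv3", "tlsv1", "tlsv1.1", "dtlsv1"}  # versions below (D)TLS 1.2
SECTION = re.compile(r"^(default|d?tlsv1(?:\.[12])?) \(\w+\):$")

def audit(text):
    """Return a sorted list of findings for pasted ASA SSL show output."""
    findings, section = set(), None
    for line in map(str.strip, text.splitlines()):
        m = re.search(r"negotiate to (\S+) or greater", line)
        if line.startswith("Accept") and m and m.group(1).lower() in LEGACY:
            findings.add(f"server negotiates down to {m.group(1)}")
        m = re.match(r"SSL DH Group: (\S+) \((\d+)-bit modulus", line)
        if m and int(m.group(2)) < 2048:
            findings.add(f"DH {m.group(1)} modulus is {m.group(2)} bits")
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            if section in LEGACY:
                findings.add(f"ciphers still enabled for {section}")
        elif section and section not in LEGACY and re.fullmatch(r"[A-Z0-9-]+", line):
            if not line.startswith(("DHE-", "ECDHE-")):  # static RSA key exchange
                findings.add(f"{section}: {line} has no forward secrecy")
            elif line.endswith("-SHA"):  # CBC mode with HMAC-SHA1
                findings.add(f"{section}: {line} uses CBC with HMAC-SHA1")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

Running it against output captured before and after the change gives a quick diff of what the scan should stop reporting.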
11-06-2020 12:00 AM - edited 11-06-2020 12:03 AM
hi rob,
thanks for your feedback and the cool link provided!
just another question, when i change these settings will it cause a disruption to the VPN users?
i want to take precautions here since a lot of us are WFH.