Solved: Insurance Scan

keithcclark71 · ‎11-09-2022

I had customer contact me on a Corvus Insurance company scan where they scanned the customers firewall and detected the Cisco VPN. The stated that I should hide the VPN name? WTF does that mean??? All VPN's that I know of usually associate to a name.

Also I am trying to search events by scans from them within Firepower Management center and I am not sure what my search criteria should be. I'd like to see logs of the scan that they did . Any ideas?

Rob Ingram · ‎11-09-2022

@keithcclark71 what type of VPN are you running on your hardware, Site-to-Site VPN or RAVPN?

If you are running an RAVPN on SSL/TLS (TCP/443), it's likely the web UI is available to anyone to open in a web browser, which will clearly state Cisco - they'd be unable to login obviously, without credentials.

An nmap scan such as "nmap -sV --script ssl-enum-ciphers -p 443 <ip/fdqn> - would return the following.

PORT STATE SERVICE VERSION
443/tcp open ssl/http Cisco ASA SSL VPN

Generally the VPN is open to the world to connect on the VPN ports, it's the authentication method(s) and the configured encryption ciphers that make it secure.

View solution in original post

Rob Ingram · ‎11-09-2022

@keithcclark71 if that's all the report is complaining about, thats not too bad. Most reports would complain about TLS 1.0/1.1 and weak ciphers.

I don't think changing the port is going to make much difference, a port scan would still find it.

View solution in original post

Rob Ingram · ‎11-09-2022

@keithcclark71 what type of VPN are you running on your hardware, Site-to-Site VPN or RAVPN?

If you are running an RAVPN on SSL/TLS (TCP/443), it's likely the web UI is available to anyone to open in a web browser, which will clearly state Cisco - they'd be unable to login obviously, without credentials.

An nmap scan such as "nmap -sV --script ssl-enum-ciphers -p 443 <ip/fdqn> - would return the following.

PORT STATE SERVICE VERSION
443/tcp open ssl/http Cisco ASA SSL VPN

Generally the VPN is open to the world to connect on the VPN ports, it's the authentication method(s) and the configured encryption ciphers that make it secure.

keithcclark71 · ‎11-09-2022

Exactly. I am only using the web for client download. The Anyconnect VPN itself I locked down to authenticate using yubikey hardware keys with certificate. Without the hardware key the VPN connection can never be initially established. I get irritated when someone scans my customers and then tells my customer they should hide the VPN name associated with the customers public IP address EX: vpn.customer.net 98.76.98.87 (Why would hiding then name here make any difference) I'll just move the Web off to diff port and be done with this but my customer reads their stupid report and thinks their wide open to attack and I gotta deal with it.

keithcclark71 · ‎11-09-2022

Oh another thing they did based off the scan was recommend to my customer "zero trust network access (ztna) solution" as opposed to using VPN. So my customer is now supposed to change from hardware keys to this zero trust deal and spend 100 grand to do so and eat all the money they spent with putting in security keys. Sorry more of a rant I suppose but WTF lol

Rob Ingram · ‎11-09-2022

I expect the scan report was completed by a Salesman.......££££££££££

Rob Ingram · ‎11-09-2022

@keithcclark71 if that's all the report is complaining about, thats not too bad. Most reports would complain about TLS 1.0/1.1 and weak ciphers.

I don't think changing the port is going to make much difference, a port scan would still find it.

adamzampa029394 · ‎06-08-2024

It sounds like Corvus Insurance detected your Cisco VPN during a scan. They likely meant to obfuscate or hide the fact that you're using a VPN for security reasons. To search for scan logs in Firepower Management Center, try using the search criteria "Corvus scan events."