04-04-2023 11:11 PM
Hello,
I have a customer that needs to replace their obsolete Microsoft Direct Access RAVPN and is looking for a solution that is transparent for the users and also as secure as possible.
They have the following requirements for the new RAVPN solution
At first, they thought they should migrate to Microsoft Always On, since it’s the official replacement for Direct Access, but they have security concerns because of the fact that the only thing required to connect is a valid machine certificate on the client.
The fear is therefore that a machine certificate can go astray without the customer knowledge and that an unauthorized client then has the opportunity to connect to the VPN.
They have therefore started investigating AnyConnect as a potential replacement and maybe use the ISE posture feature for an extra protection mechanism. The idea here is that the client would need both the certificate and – for example – a specific Windows registry key before the client is considered compliant and can access the environment.
The customer is however a bit concerned about the increased technical complexity of using ISE posture, and this would also entail a significant cost in the form of ISE posture licenses.
Furthermore, I am unsure whether ISE Posturing can be combined with the other requirements, and more specifically SBL.
Would the Posturing module actually work before the user has logged in? If posture cannot work with SBL, the posture function will be pointless.
So would you say that AnyConnect with just a machine certificate is secure enough without other secondary security measures like ISE posture or MFA?
According to this post it seems like it’s not that difficult to steal a certificate and then import it to another computer:
https://www.tommacdonald.co.uk/stealing-cisco-vpn-certificates/
Would like to hear your thoughts and suggestions.
Thanks
/Chess
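The post's core worry is that a machine certificate (and its private key) can leave the device without the customer noticing. One check a defender can run before deciding whether a certificate alone is enough is to inventory the machine store and see whether each private key is marked non-exportable and which key storage provider holds it. The script below is an added example written for this thread, not code from the original poster, Cisco or Microsoft; it assumes Windows 10 / Server 2016 or later with PowerShell 5.1+, and the provider name "Microsoft Platform Crypto Provider" is the TPM-backed CNG provider.

```powershell
# Added example (not from the original post). Lists every certificate in
# LocalMachine\My that has a private key and reports its export policy and
# key storage provider, so a non-exportable or TPM-held key can be told apart
# from one that could simply be exported as a PFX.
function Get-MachineCertKeyPolicy {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            $provider = 'unknown'
            $policy   = 'unknown'

            # Try RSA first, then ECDSA; each returns $null if the key is the other type.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }

            if ($key -is [System.Security.Cryptography.RSACng] -or
                $key -is [System.Security.Cryptography.ECDsaCng]) {
                # CNG key: ExportPolicy 'None' means the key cannot be exported in plaintext.
                $provider = $key.Key.Provider.Provider
                $policy   = $key.Key.ExportPolicy.ToString()
            }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: CspKeyContainerInfo exposes a simple Exportable flag.
                $provider = $key.CspKeyContainerInfo.ProviderName
                $policy   = if ($key.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
            }

            [pscustomobject]@{
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                NotAfter       = $cert.NotAfter
                Provider       = $provider
                ExportPolicy   = $policy
                HardwareBacked = ($provider -eq 'Microsoft Platform Crypto Provider')
            }
        }
}

# Usage: run in an elevated PowerShell session on a VPN client.
Get-MachineCertKeyPolicy | Format-Table -AutoSize
```

Rows showing `ExportPolicy` of `AllowExport` or `AllowPlaintextExport` with `HardwareBacked` false are the certificates most exposed to the copy-and-import scenario the linked article describes; a `None` policy on a TPM-backed key removes the simple export path, though it does not by itself prove which machine is connecting, which is the gap posture or MFA is meant to close.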