cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
500
Views
0
Helpful
5
Replies
Beginner

Cisco Anyconnect VPN security loophole

Hi all,


I have an ASA5516 that is hosting several Anyconnect VPNs using a Radius Server for authentication.

 

The Split tunnel list is configured on the ASA. The "SPLIT TUNNEL LIST" injects static routes onto the clients PC for the resources specified.

However we have recently discovered that if the user is to manually enter a route on its PC to any destination with the VPN gateway as the next hop, Traffic to that destination will actually go via the VPN and if there is a route for the destination on the Firewall, it will route it all the way and back. Which is a huge security risk.

Am I missing something here? Is there an attribute that can allow me to add security ACL per user on the Radius Server? or one on the ASA? We use the same group-policy and tunnel-group for every user. However each user has access to different resources.

ASA config:

group-policy Anyconnect internal
group-policy Anyconnect attributes
wins-server none
vpn-idle-timeout 480
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
address-pools value Anyconnect_Pool
webvpn
anyconnect profiles value DfltProfile type user
always-on-vpn profile-setting


tunnel-group Anyconnect webvpn-attributes
group-url https://1.1.1.1/Anyconnect enable


The users are configured and authenticated by the Radius Server

using the attributes:

CVPN3000-IPSec-Split-Tunnel-List ; Framed-IP-Netmask ; Service-Type ; Class ; NAS-Port-Type.

 


Kind regards

 

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate RJI VIP Advocate
VIP Advocate

Re: Cisco Anyconnect VPN security loophole

HI,

You could apply a VPN Filter to the VPN session, this will restrict the user to only the destination defined in the Filter ACL.

 

Examples here and here.

 

HTH

5 REPLIES 5
Enthusiast

Re: Cisco Anyconnect VPN security loophole

Hi,
with your explanation, first thing came to my mind is bit odd. this is actually about company security policy violation in my case. to add windows routes, users need to have admin privilege. but for users in company we are not allowed admin permissions. may be different scenario for you situation. open for suggestions. :)
Beginner

Re: Cisco Anyconnect VPN security loophole

Hi Kusan,

This is not an office VPN service. It is provided to our clients to access some company internal resources. So we cannot dictate the security level on the clients machine.
If you know of a work around for this security loophole, do share.

Kind regards
VIP Advocate RJI VIP Advocate
VIP Advocate

Re: Cisco Anyconnect VPN security loophole

HI,

You could apply a VPN Filter to the VPN session, this will restrict the user to only the destination defined in the Filter ACL.

 

Examples here and here.

 

HTH

Beginner

Re: Cisco Anyconnect VPN security loophole

Hi RJI,

Thats exactly what I was looking for. Thanks for that. I've used the Radius Attribute "Filter-ID" to specify an ACL set up on the ASA and it works. Access is restricted to only the specified resource.

Kind regards
Highlighted
Hall of Fame Master

Re: Cisco Anyconnect VPN security loophole

Also be advised that unless the allowed resource is hardened, the remote user can use it to navigate further into your network.

For instance, if you allow RDP to one workstation only (with VPN filter) nothing prevents that user from launching an RDP session from the allowed host into another host internal to your network. Same thing with ssh and other remote access protocols.