I have been asked to deploy a small-scale remote access solution to one of our existing network perimeters. I have been carrying out some online research and think I have identified a low-cost solution, but I'd appreciate it if my thinking could be confirmed by the experienced support community!
Current Setup: ASA 5520 8.4(2) pair configured in Active/Standby acting as perimeter firewall
Requirement: Deploy Remote Access VPN with Two-Factor Authentication
Userbase: 5 - 10 users
VPN-Exposed Destination: A single host on inside - ports 3389/tcp (Remote Desktop) and 22/tcp (SFTP)
Solution Consideration: Needs to be as low cost as possible!
The 2FA solution I am leaning towards is the ASA's local user database (what you know) in conjunction with per-user certificates (what you have).
First Question - I believe that as the ASA is operating as A/S failover, I cannot use the ASA's local CA server - could someone please confirm if this is a case of "can not" or "should not"? I believe the CA database cannot be replicated between the ASA units, but temporarily losing VPN capability in the event of a failover situation is an acceptable risk for this environment.
Second Question - If the local ASA CA is not an option, are there any potential pitfalls I should be aware of with leveraging a Windows Server 2003 R2 domain controller CA on the inside of the firewall as an alternative?
Final Question - I was hoping that Cisco's IPSEC VPN Client would allow for two-factor authentication, but it appears this is not the case and only the SSL VPN supports this. This will unfortunately require a license purchase; would the AnyConnect Essentials (ASA-AC-E-55XX=) suffice, as I believe this will be the lowest cost option? We want to keep it as simple as possible, and purely require the users to have directly-routed access to the inside host on the two ports stated (we don't want to use the 'clientless' HTTPS-based VPN portal, for example).
I agree that 5520's would be overkill for this minor VPN deployment if that was their only intended function; however, the pair are responsible for a much larger role in the perimeter design. The choice of the 5520s stems from other, more important design requirements, including that all four network uplinks are GB to ensure the ASA does not represent a throughput bottleneck.
Group certificate authentication was not deemed appropriate for two-factor authentication purposes by our industry security assessors, so per-user certificate authentication was recommended as the alternative.
I have now implemented the AnyConnect solution as planned, with username-prefilled per-user certificates and the MS CA, and all seems to be operating well. The low-cost AnyConnect Essentials licenses provided more than enough functionality to satisfy this configuration.
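For readers who want to see what the finished design looks like on the ASA, the following is an added, constructed configuration sketch in ASA 8.4 CLI; it is not the poster's actual configuration and nothing in it was taken from the thread beyond the design described (AnyConnect SSL client, local username/password plus a per-user certificate from an internal Windows CA, access limited to one inside host on 3389/tcp and 22/tcp). All names (MS-CA, RA-VPN, RA-GP, RA-POOL, RA-FILTER), the AnyConnect package filename, the 10.0.0.10 host address and the 192.0.2.x pool are placeholders to be replaced.

```cisco
! Added example configuration (ASA 8.4 syntax). Placeholder names and addresses throughout.

! 1. Trust the internal Windows CA that issues the per-user certificates.
!    The CA certificate itself is imported with the exec command
!    "crypto ca authenticate MS-CA" (paste the base64 CA certificate when prompted).
!    revocation-check makes the ASA reject revoked user certificates; the CRL
!    distribution point named in the certificates must be reachable from the ASA.
crypto ca trustpoint MS-CA
 enrollment terminal
 revocation-check crl

! 2. AnyConnect listener on the outside interface. The ASA's own server identity
!    certificate would normally live in a separate, enrolled trustpoint (not shown).
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

! 3. Client address pool and a vpn-filter that confines connected users to the
!    single inside host on RDP and SFTP only. In a vpn-filter ACL the VPN client is
!    the source. This matters because "sysopt connection permit-vpn" (on by default)
!    lets decrypted VPN traffic bypass the outside interface ACL.
ip local pool RA-POOL 192.0.2.100-192.0.2.110 mask 255.255.255.0
access-list RA-FILTER extended permit tcp any host 10.0.0.10 eq 3389
access-list RA-FILTER extended permit tcp any host 10.0.0.10 eq 22
access-list RA-FILTER extended deny ip any any log

group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value RA-FILTER
 address-pools value RA-POOL

! 4. Tunnel group requiring BOTH factors: a valid user certificate chained to MS-CA
!    (what you have) AND a username/password checked against the local database
!    (what you know). The username is pre-filled from the certificate CN so the
!    password must belong to the same identity the certificate asserts.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy RA-GP
 authentication-server-group LOCAL
tunnel-group RA-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl
 username-from-certificate CN
 group-alias RA-VPN enable

! 5. One local account per user; the certificate CN must match this username.
username alice password SET-A-STRONG-PASSWORD-HERE
username alice attributes
 vpn-group-policy RA-GP
 service-type remote-access
```

Two points worth checking after applying something like this: confirm with `show vpn-sessiondb anyconnect` that a test user who presents a valid certificate but a wrong password is rejected (and vice versa), and confirm with `show asp drop` or the vpn-filter log hits that traffic from a VPN client to anything other than 10.0.0.10:3389 and 10.0.0.10:22 is dropped. As the thread notes, the local CA database is not replicated between failover peers, which is one reason an external CA is the cleaner choice here; the trustpoint and CA certificate configured above are part of the running configuration and so do replicate to the standby.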