05-05-2016 06:03 PM - edited 02-21-2020 08:48 PM
I have three questions about the Cisco AnyConnect VPN:
1. Is it possible to restrict the devices that can connect? I want to prevent people from installing the AnyConnect client on a non-company device and importing the required files that let them connect.
2. If the above is not possible, is there a way to uniquely identify these non-company devices that do connect? For example, after connecting, we'd like to scan for an IMEI number or some unique value on the phone in order to identify it.
3. Is there anything else that we can do to increase security when non-company devices do connect?
Thanks for the help.
05-05-2016 06:47 PM
Hi,
I think you can configure AnyConnect posture assessment for the above requirement:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac05hostscanposture.pdf
Regards,
Aditya
Please rate helpful posts.
05-06-2016 09:08 AM
Would that be for requirement 1 or 2? Our problem is that we are having a hard time scanning the device (once it connects) and uniquely identifying it. For example, we'd like to lock it down to specific MAC addresses or IMEI numbers for mobile devices. Mobile devices are presenting the greatest difficulty.
Thank you.
05-06-2016 01:48 PM
For PCs you can check that they are domain computers. You can also check for unique registry keys etc. That you can do with an ASA and AnyConnect Apex licenses by using the Dynamic Access Policy (DAP) feature:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200238-ASA-VPN-posture-with-CSD-DAP-and-AnyCon.html
However, mobile devices will not support the AnyConnect posture assessment. In that case, you would need a larger enterprise solution. For instance, a Mobile Device Management (MDM) system integrated with Cisco ISE (Apex level licensing). You then enroll devices in the MDM and ISE queries it via API at the time of connection to verify that the device is enrolled and compliant.
http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-726284.pdf
http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html
05-07-2016 10:52 AM
Hi Marvin,
Thanks for the info. Would that strategy work with all types of mobile devices? For example, Android, iOS (tablets, phones), Windows Phone, etc.?
Do you think that it would be cost prohibitive for a smaller company? (e.g., 50 employees)
Thank you again for the help.
05-08-2016 08:58 PM
ISE + MDM would probably not be a good fit for such a small company. The ISE and AC Apex licenses alone would be on the order of US$10k+ list price. Then add in an MDM solution.
An alternative may be to make remote access VPN users use certificates for authentication. You can stand up a role on an internal Windows server as a certificate authority and issue them to all remote devices (PCs, Android and iOS phones and tablets, Windows phones). Don't allow certificates to be issued externally, thus controlling which devices you issue certificates to.
That way, even with the AnyConnect software on an unknown device, they cannot connect because they lack the mandatory certificate.
Here are a couple of articles to read on this approach:
https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication
http://www.petenetlive.com/KB/Article/0001030
05-19-2016 03:01 PM
Hi Marvin,
We reviewed those options and I have a few more questions.
1. Regarding the ISE + MDM solution, would that actually be able to prevent the connection from an unauthorized mobile device, or only check that the mobile device meets certain conditions (e.g., has antivirus)?
2. Our concern with the certificate option is that once the certificate is on one device, it can easily be copied to another (even though it's marked as "not-exportable"). Is there a way to prevent users from copying the cert off the device and onto another?
Thank you.
05-19-2016 07:38 PM
1. With MDM integration, you build in the MDM server(s) as an external identity store. Just like with any other identity store, ISE checks for the device or user (or both) as a part of authentication. It then uses attributes of the endpoint or user in the authorization policy. If a device is not known to your MDM server (and known to be compliant) it will either fail authentication or not be authorized access.
2. The certificate is just one part of the equation. The most secure organizations use a certificate that's embedded on a card like the US Department of Defense's Common Access Card (CAC). You also have the option of combining a certificate (something you have) with a userid/password (something you know) for 2-factor authentication. Also, with MDM more than just the certificate is required to be found registered and compliant - a typical MDM system checks for all the available identifying information like device IMEI and serial number.
One wonders why such high security is required for a small company with 50 employees. Is there an extremely high threat environment that you are operating in?
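The certificate-only approach from the 05-08-2016 reply and the certificate-plus-password (2-factor) variant from the reply above, shown as an added ASA configuration example; this is not from the original thread or from Cisco's documentation, and the trustpoint, certificate-map, tunnel-group, pool and group-policy names, the CA common name and the OU value are hypothetical placeholders.

```cisco
! Trustpoint holding the root certificate of the internal Windows CA
! (hypothetical name CORP-CA). Revocation checking lets you revoke a
! certificate that was copied off an enrolled device.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
 crl configure
! Then run "crypto ca authenticate CORP-CA" from exec mode and paste
! the CA certificate; clients whose certificate does not chain to this
! CA are rejected at the TLS/IKE layer before any login prompt.

! Only treat certificates issued by the internal CA, with the OU the CA
! stamps onto VPN device certificates, as belonging to company devices.
crypto ca certificate map CORP-ISSUED 10
 issuer-name attr cn eq corp-issuing-ca
 subject-name attr ou eq VPN-Devices

! Certificates matching the map are steered to the RA-VPN tunnel group.
! Users are not offered a group selection, so a client without a
! matching certificate has no group to land in.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CORP-ISSUED 10 RA-VPN

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy RA-POLICY
tunnel-group RA-VPN webvpn-attributes
 ! "authentication certificate" would be the certificate-only variant;
 ! "aaa certificate" requires both the device certificate (something
 ! you have) and a userid/password (something you know).
 authentication aaa certificate
```

The OU match on its own is not a device check; it only narrows which of the CA's certificates the ASA accepts, so the CA template that issues VPN certificates must be the only one that sets that OU.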