AnyConnect VPN client vs Clientless SSL

adamgibs7
Level 6

Dears

If I'm using AnyConnect VPN to connect to corporate, it creates a VPN tunnel from the PC to the ASA firewall on the perimeter. My question is: if the user PC is infected with malware, that malware can travel to the corporate network and create a mess in the organization. For example, once the user is connected through the VPN to the corporate LAN, he can execute a Microsoft RDP connection to any of the servers and the malware can travel to that server as well. So the IT security specialists are advising to use a clientless SSL VPN and access the corporate network either via a web application or a remote desktop to a server, which will protect against malware passing from the user PC to the corporate network.

Please correct me if this is a wrong understanding.

thanks


Yes, you are right. If the VPN client has unrestricted access to the network, any kind of harm can be caused. That's the reason that also for VPN users the "least privilege" model should be implemented and only access to the needed resources should be allowed.

And especially if you don't trust the VPN endpoint, allowing only restricted access to a terminal server can be one of the ways to improve the situation. Web applications are also good and can be restricted even without a VPN. Clientless VPN could also be used, but there I would prefer the restricted access to the terminal server.

Dear Karsten

Thanks for the reply,

I was thinking not to enable a client-based VPN but to enable a clientless SSL VPN, where a user will open a browser and connect to the firewall, and based on his login access, whatever he has been allowed to access on the webpage (web application or RDP) he will click on those access links.

So the question is still: will the malware be able to travel through the clientless VPN???

thanks

The question is how you implement the clientless VPN. For webpages the ASA is a proxy to the internal servers and the attack surface will be reduced. But a reverse proxy in the DMZ with application-layer filtering will give you much more security and flexibility.

For RDP there are multiple options. With port forwarding and smart tunnels, you still allow the RDP port to connect to the server. That is not much different from restricted AnyConnect access. The RDP plugin will be more secure unless it is compromised itself. Again, if you want advanced security, an RDP gateway in a DMZ will give you much more security.
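The "restricted AnyConnect access" that Karsten refers to in both replies (least privilege for VPN users, RDP only to a terminal server) is done on the ASA with a vpn-filter. The configuration below is an added example, not from this thread or from Cisco documentation; the policy and ACL names, the 10.1.1.10 terminal server address and the 192.168.200.0/24 client pool are assumed values.

```cisco
! Added example (assumed names and addresses), not from the original thread.
!
! Weak setting: a group-policy without a vpn-filter gives the AnyConnect
! client unrestricted access to everything the ASA can route to, so an
! infected PC can reach any server on the LAN over any port.
group-policy GP_ANYCONNECT_OPEN internal
group-policy GP_ANYCONNECT_OPEN attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_ANYCONNECT
!
! Corrected setting: the filter ACL is written from the client side
! (source = VPN client address). Only RDP (TCP/3389) to the terminal
! server is permitted; everything else from the tunnel is dropped and logged.
ip local pool POOL_ANYCONNECT 192.168.200.1-192.168.200.254 mask 255.255.255.0
access-list VPN_TS_ONLY extended permit tcp 192.168.200.0 255.255.255.0 host 10.1.1.10 eq 3389
access-list VPN_TS_ONLY extended deny ip any any log
!
group-policy GP_ANYCONNECT_TS internal
group-policy GP_ANYCONNECT_TS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_ANYCONNECT
 vpn-filter value VPN_TS_ONLY
 split-tunnel-policy tunnelall
!
tunnel-group TG_ANYCONNECT general-attributes
 default-group-policy GP_ANYCONNECT_TS
!
! Caveat: with the default "sysopt connection permit-vpn", decrypted VPN
! traffic bypasses the outside interface ACL, so the vpn-filter is the
! control that actually limits the client. Check which filter a live
! session received with: show vpn-sessiondb detail anyconnect
```

Logged hits on the final deny line are a cheap detection signal: a client that is suddenly probing other internal hosts and ports shows up there before it reaches anything.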

Just to add to what Karsten has already said, if you are worried about servers being infected by vulnerable client machines, instead of allowing direct access to servers you might be better off implementing a solution such as Citrix Netscaler, or similar.  In my opinion, the Clientless VPN is an OK solution only if you do not have the budget to implement Netscaler or similar.

--
Please remember to select a correct answer and rate helpful posts