cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16861
Views
21
Helpful
9
Replies

Disabling clientless/browser based VPN

David Clark
Level 1
Level 1

I have a 5512x latest IOS, running AnyConnect 3.0 and I've created a policy in the asdm to filter VPN connections by MAC address of our laptop. If any computer other than my laptop the new policy defaults to the base policy which is set to terminate connection. Since my SSL VPN Service login page can be reached by putting in my firewall IP, I've been told that it is a vulnerability and I keep getting a vulnerability error after penetration test.

i know I can't turn off the webvpn service and like I said I've got filtering by policy on the MAC address of our laptop and I've edited the SSL VPN page that now says unathorized Access.

Is there more I can do eliminate this? Can the page be shutdown so that if someone puts my firewall ip into a browser it doesn't open or work.

Thanks,

Dave

9 Replies 9

Rahul Govindan
VIP Alumni
VIP Alumni

You cannot stop the ASA from showing up a page as far as I know. The Anyconnect client and clientless vpn use the same webvpn service on the ASA using port 443 (or a custom port you configure). There is no way to split them apart as 2 different services and shutdown just the ASA from responding to a browser based request. 

How would you suggest I deal with the vunerability? I'm already filtering by mac address and modified the login page to include unauthorized access.

Do you have some more information on which vulnerability is being hit, like CVE number etc? Usually, if you are running the latest version of the ASA, most of the vulnerabilities should be patched. The last vulnerability that I saw on the Cisco advisory that matches your scenario is detailed in this blog:

http://blogs.cisco.com/security/cisco-psirt-notice-about-public-exploitation-of-the-cisco-asa-clientless-ssl-vpn-portal-customization-integrity-vulnerability

I have a ASA 5512x with latest IOS and ASDM 7.1 along with anyconnect 3.0. I've been on several TAC support calls trying to explain this to them as well and they recommended filtering by mac address by policy through the ASDM. We only have one laptop used for remote vpn. 

I;m waiting on the report (cve info) from the pen test contractor but he had sent me this email.

cleartext or SSL vulnerabilities on my firewall listed in your report.  Those should be cleared up.  If you don’t want to use access control, two factor authentication should be used with AnyConnect – Duo is a good inexpensive option.  But regardless, the vulnerabilities should be cleared up IMHO as they are in every other institution I scan. 

 

TAC support is great but not NCUA examiner.  They see red all over the scan, they’ll want explanations in the report.

 

From my experience I’ve only seen one example of a bad guy compromising a cleartext vulnerability many years ago.  You have to be freakish to exploit SSL.  The chances that it would ever happen to your CU is infinitesimally small.  Having said that, I’ve never seen an institution not clear up those vulnerabilities.   

 

So, I opened a TAC service request and discovered this time that the TSL1v needed upgraded. My asa software is at 9.1.17.15 in ordered to  upgrade to fix this and certificates, I would need to also upgrade to anyconnect 4.0 from my current 3.0. Is there an upgrade in between that addresses this vunerability and allows me to keep 3.0?

Thanks,

Dave

If you have an ASA 5512-X, the latest software is not "9.1.17.15".  (I assume you meant 9.1.7.15.)

You should be running a release like 9.4.4.5, which is recommended by Cisco as seen here:

https://software.cisco.com/download/release.html?mdfid=284143128&flowid=31442&softwareid=280775065&release=9.4.4%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

It does address all currently identified SSL/TLS vulnerabilities, assuming you configure it properly to disable SSLv3 and disable the use of weak ciphers.

AnyConnect 3.x is end of support and Cisco strongly recommends migrating to AnyConnect 4.x.

http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/eos-eol-notice-c51-734084.html

You may be able to pass your audit using the latest 3.x release (3.1.14018) but that's just buying you time. Anyconnect 4.x is really a better path.

 

Thank you for all the help...Purchasing the new anyconnect and upgrading the ASA 9.4 after that. From what I read, it should mitigate the vunerabilities.

I already have the "keep out" command configured.

Dave

Shakti Kumar
Cisco Employee
Cisco Employee

Hi David Clark ,

if the intention is to completely disable the webvpn page you can use keepout option under webvpn

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/jk.html

so the configuration should look like this

webvpn

keepout "unauthorized access"

This will shut down the portal page regardless of the tunnel group

Thanks

Shakti

i know that thread is bit old, but thought it useful to share the way that I have solve the same issue. I have added a rule on the portal access rules to deny any accesss, the configuration as below ;-

 

webvpn

portal-access-rule 1 deny user-agent match **

 

hope that will help others 

 

Mazin