HTTP Strict Transport Security on ASA

gchevalley
Beginner

Our PCI scan vendor has recently begun flagging the outside interfaces of all of our firewalls that have AnyConnect enabled on them. Does anyone know if there is a way to enable HSTS on AnyConnect / WebVPN or the outside interface?

1 Accepted Solution

Accepted Solutions

Show me anywhere in the PCI standard that requires this. You won't be able to. You don't require this to be PCI compliant.

Here is the US Government's FIPS 140-2 certificate for AnyConnect.

http://www.cisco.com/c/dam/en_us/solutions/industries/government/security_certification/pdfs/acumenany_connect_desktop.pdf

Being certified to FIPS 140-2 security standards for cryptography, I think, more than trumps your scan saying it is insecure.

16 Replies

Philip D'Ath
Advisor

No.

AnyConnect will only run over an encrypted channel, by design. That is the whole point of it.

You don't have anything to worry about in this regard.

That is beside the point. The scan engine is still detecting this alleged vulnerability that prevents us from being PCI compliant. I can contest it for now, but they will still require the solution to be implemented at some point in the near future.

Sys. Notes:
Reference ID: 93244
Reference Type: fusionvm
Brief Description: HTTP Strict Transport Security (HSTS) is a security enhancement specified by a web application through the use of a special response header. A lack of HSTS has been discovered. This could allow an attacker to conduct man-in-the-middle attacks.

Concern: The HTTP Strict Transport Security provides enhancements by addressing multiple vulnerabilities related to both passive and active network attackers by forcing interaction over secure connections. A lack of its use may allow attackers to conduct man-in-the-middle attacks.

Solution: It is recommended that users implement the use of HTTP Strict Transport Security.

Risk Level (CVSS): Medium (5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

PCI Severity: Fail

Evidence: No http strict transport_security detected on https server.

Informative Details:

Detection Protocol: Unknown Service

Exposure ID: 93244

CPE of Detected Product: cpe:/p:protocol:http

Additional Vectors

Root Cause: Vendor Flaw
Risk Factor: Medium
Skill Level: Low
Likelihood: High
Data Loss: false
System Loss: false
Access Control Loss: false
Reputation Loss: true
Info Theft: true
Disclosure: true
Downtime: false
Monitoring Failure: false
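The scanner's evidence line above amounts to one observation: the HTTPS listener never sent a Strict-Transport-Security header. As an added example (not posted by anyone in this thread, and not ASA or AnyConnect configuration), the Python below reproduces that detection over captured response text and, when a header is present, validates it against the RFC 6797 grammar (a required max-age, no duplicate directives, includeSubDomains and preload flags, only the first STS header honoured, and nothing honoured over plain HTTP). It addresses both the original question of what the scan is looking for and the report text quoted here. The sample responses and the one-year MIN_MAX_AGE floor are constructed assumptions for the example, not values from the scan report or from PCI DSS.

```python
"""Check an HTTP response for HSTS the way an ASV scanner does (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption for this example: one year, the floor commonly used by scanners and preload lists.
MIN_MAX_AGE = 31536000


@dataclass
class HstsResult:
    present: bool            # a Strict-Transport-Security header was found
    valid: bool              # it parses as an RFC 6797 policy (max-age present, no duplicates)
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    issues: List[str] = field(default_factory=list)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response (status line + header block) into a lower-cased header map."""
    headers: Dict[str, List[str]] = {}
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    for line in lines[1:]:            # skip the status line
        if not line.strip():
            break                     # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


# directive-name [ "=" ( token / quoted-string ) ], RFC 6797 section 6.1
_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*(?:=\s*(?:\"([^\"]*)\"|([^\s\";]+)))?\s*$")


def parse_hsts(value: str) -> HstsResult:
    """Parse one Strict-Transport-Security field value per RFC 6797 section 6.1."""
    result = HstsResult(present=True, valid=False)
    seen = set()
    for part in value.split(";"):
        if not part.strip():
            continue                  # tolerate an empty segment such as a trailing ';'
        m = _DIRECTIVE.match(part)
        if not m:
            result.issues.append(f"unparseable directive {part.strip()!r}")
            return result
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:              # each directive may appear at most once
            result.issues.append(f"duplicate directive {name}")
            return result
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                result.issues.append("max-age must be a non-negative integer")
                return result
            result.max_age = int(val)
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":       # not in RFC 6797; consumed by browser preload lists
            result.preload = True
        # unrecognised directives are ignored, as the RFC requires
    if result.max_age is None:
        result.issues.append("required max-age directive missing")
        return result
    result.valid = True
    # Valid syntax can still be a weak policy; flag that separately.
    if result.max_age == 0:
        result.issues.append("max-age=0 tells clients to forget the policy")
    elif result.max_age < MIN_MAX_AGE:
        result.issues.append(f"max-age {result.max_age} is below the {MIN_MAX_AGE}s floor")
    if not result.include_subdomains:
        result.issues.append("includeSubDomains not set")
    return result


def check_response(raw: str, over_tls: bool = True) -> HstsResult:
    """Evaluate a captured response. over_tls says whether it arrived over HTTPS."""
    values = parse_headers(raw).get("strict-transport-security", [])
    if not values:
        return HstsResult(present=False, valid=False,
                          issues=["no Strict-Transport-Security header on this response"])
    if not over_tls:
        # RFC 6797 section 7.2: clients ignore HSTS received over plain HTTP.
        return HstsResult(present=True, valid=False,
                          issues=["HSTS header sent over plain HTTP is ignored by clients"])
    result = parse_hsts(values[0])    # section 8.1: only the first STS header is processed
    if len(values) > 1:
        result.issues.append(f"{len(values)} STS headers present; clients use only the first")
    return result


# Constructed sample responses (not captured from any real device).
NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<html>"
WEAK_HSTS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"
GOOD_HSTS = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("no header", NO_HSTS), ("weak", WEAK_HSTS), ("good", GOOD_HSTS)):
        r = check_response(raw)
        print(f"{label:10} present={r.present} valid={r.valid} max_age={r.max_age} issues={r.issues}")
```

Run against NO_HSTS the checker reports exactly what the scanner did: the header is absent, with no further judgement about the transport. The split between `valid` (the header is a well-formed policy) and `issues` (the policy is weak, or would be ignored because it came over HTTP) is deliberate, since a scanner that only greps for the header name would pass `max-age=0`, which actually removes the policy from clients.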

I'm having the same issue as