HTTP Strict Transport Security on ASA

gchevalley
Level 1

Our PCI scan vendor has recently began flagging the outside interfaces of all of our firewalls that have AnyConnect enabled on them.  Does anyone know if there is a way to enable HSTS on AnyConnect / WebVPN or the outside interface?


Philip D'Ath
VIP Alumni

No.

Anyconnect will only run over an encrypted channel - by design.  That is the whole point of it.

You don't have anything to worry about in this regard.

That is beside the point.  The scan engine is still detecting this alleged vulnerability that prevents us from being PCI compliant.  I can contest it for now but they will still require the solution to be implemented at some point in the near future.

Sys. Notes:  
Reference ID: 93244
Reference Type: fusionvm
Brief Description: HTTP Strict Transport Security (HSTS) is a security enhancement specified by a web application through the use of a
special response header. A lack of HSTS has been discovered. This could allow an attacker to conduct man-in-the-middle
attacks.

Concern: The HTTP Strict Transport Security provides enhancements by addressing multiple vulnerabilities related to
both passive and active network attackers by forcing interaction over secure connections. A lack of its use may allow
attackers to conduct man-in-the-middle attacks.

Solution: It is recommended that users implement the use of HTTP Strict Transport Security.

Risk Level (CVSS): Medium (5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

PCI Severity: Fail

Evidence: No http strict transport_security detected on https server.

Informative Details:

Detection Protocol: Unknown Service

Exposure ID: 93244

CPE of Detected Product: cpe:/p:protocol:http

Additional Vectors

Root Cause: Vendor Flaw
Risk Factor: Medium
Skill Level: Low
Likelihood: High
Data Loss: false
System Loss: false
Access Control Loss: false
Reputation Loss: true
Info Theft: true
Disclosure: true
Downtime: false
Monitoring Failure: false

Show me anywhere in the PCI standard that requires this.  You won't be able to. You don't require this to be PCI compliant.

Here is the US Government's FIPS140-2 certificate for AnyConnect.

http://www.cisco.com/c/dam/en_us/solutions/industries/government/security_certification/pdfs/acumenany_connect_desktop.pdf

Being certified to FIPS140-2 security standards for cryptography - I think more than trumps your scan saying it is insecure.

I'm having the same issue as 

How can Cisco release a fix for an issue that does not exist?

What you should be asking is when your vendor is going to fix their scan to prevent it reporting false positives.

Thanks Philip,

  • This is a known Cisco bug: CSCvc82150

  • Status is "Open"

  • My "vendor" is Homeland Security (DHS).

  • I realize this is a false positive.

Thanks again for helping out!

You'll notice it is listed as an enhancement request.

I'll keep my fingers crossed for you but I doubt anything will happen anytime soon.

lol

May want to look into Upgrading to 9.8.2

Rahul Govindan
VIP Alumni

I do not think there is any command to enable HSTS on the ASA. Last I checked, this was being fixed on the ASA to return the header. I checked the latest 9.7 release notes and there was no mention of the fix. You might want to open a TAC case to check if this was ever implemented on the ASA. I agree with [@p.dath] that this is not really going to affect the Anyconnect or Webvpn session as they only work on TLS/SSL channel.

Hi all,

I just came across this thread looking for HSTS support and noticed that as of ASA 9.8.2 (released Aug 2017), it looks like it's been implemented.

Per the release notes (https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html#reference_ugl_3mz_d1b):

VPN Features

HTTP Strict Transport Security (HSTS) header support

HSTS protects websites against protocol downgrade attacks and cookie hijacking on clientless SSL VPN. It lets web servers declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

We introduced the following commands: hsts enable, hsts max-age age_in_seconds

Just curious if anyone has tested this and has any feedback.

Thanks!

-casey

I have patched to 9.8.2 interim 14 and applied the two HSTS settings and still failed via Qualys.

I am missing:

X-Content-Type-Options HTTP Header missing on port 443.
Content-Security-Policy HTTP Header missing on port 443.

Please assist, thanks.
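
The two posts above (the 9.8.2 release note on `hsts enable` / `hsts max-age`, and the Qualys result that still lists X-Content-Type-Options and Content-Security-Policy as missing) both come down to which headers the HTTPS listener actually returns. The following is an added example, not code from the thread or from Cisco, that checks a raw response the way a header scanner does: it verifies the Strict-Transport-Security field per RFC 6797 and flags the two extra headers from the Qualys output. The two sample responses are constructed, not captured from a real ASA.

```python
# Constructed sample responses (not captured from a real ASA). SAMPLE_OK is what a
# listener returning HSTS (as the "hsts enable" / "hsts max-age" commands are meant
# to do) plus the two headers from the Qualys result would send; SAMPLE_BARE sends
# none of the hardening headers.
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_headers(raw):
    """Return {lowercase-name: [value, ...]} from the head of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(value):
    """RFC 6797: directives are ';'-separated; max-age is required, digits only."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')  # quoted-string form is allowed
            return int(val) if val.isdigit() else None
    return None


def audit(raw):
    """Return the findings a header scan would raise for one HTTPS response."""
    headers = parse_headers(raw)
    findings = []
    sts = headers.get("strict-transport-security", [])
    if not sts:
        findings.append("HSTS header missing")
    else:
        age = hsts_max_age(sts[0])  # RFC 6797 s8.1: only the first STS field counts
        if age is None:
            findings.append("HSTS max-age directive missing or malformed")
        elif age == 0:
            findings.append("HSTS max-age=0 disables the policy")
    if "nosniff" not in [v.lower() for v in headers.get("x-content-type-options", [])]:
        findings.append("X-Content-Type-Options header missing")
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy header missing")
    return findings
```

Feed it the head of a real response captured from the outside interface on port 443 to see exactly which of the three headers the scanner is complaining about.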

Tim Glen
Cisco Employee

In ASA OS 9.8(2) HSTS first became supported.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html#reference_ugl_3mz_d1b

Hope this helps

Tim

james.king14
Level 1

I found the answer for the webpage HSTS