Is AnyConnect with machine certificates secure enough?

Chess Norris
Level 4

Hello,

I have a customer that needs to replace their obsolete Microsoft DirectAccess RAVPN and is looking for a solution that is transparent for the users and also as secure as possible.

They have the following requirements for the new RAVPN solution:

  • Authentication with machine certificates
  • The solution should be as transparent/seamless for the user as possible; preferably there should be no need to connect manually
  • SBL (Start Before Logon) or an equivalent function is a very strong desire because of the possibility to carry out password resets, push GPOs etc. remotely.

At first, they thought they should migrate to Microsoft Always On, since it’s the official replacement for Direct Access, but they have security concerns because of the fact that the only thing required to connect is a valid machine certificate on the client.

The fear is therefore that a machine certificate can go astray without the customer's knowledge and that an unauthorized client then has the opportunity to connect to the VPN.

They have therefore started investigating AnyConnect as a potential replacement, possibly using the ISE posture feature as an extra protection mechanism. The idea here is that the client would need both the certificate and, for example, a specific Windows registry key before the client is considered compliant and can access the environment.

The customer is however a bit concerned about the increased technical complexity of using ISE posture, and this would also entail a significant cost in the form of ISE posture licenses.

Furthermore, I am unsure whether ISE Posturing can be combined with the other requirements, and more specifically SBL.

Would the posture module actually work before the user has logged in? If posture cannot work with SBL, the posture function will be pointless.

So would you say that AnyConnect with just machine certificates is secure enough without other secondary security measures like ISE posture or MFA?

According to this post it seems like it's not that difficult to steal a certificate and then import it on another computer:

https://www.tommacdonald.co.uk/stealing-cisco-vpn-certificates/

Would like to hear your thoughts and suggestions.

Thanks

/Chess
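The question's core worry is that a machine certificate can be copied to another host. Whether that is practical depends on how the private key is stored, so here is an added audit script (not from the thread or from Cisco) that lists the machine certificates in the computer store and reports whether each private key is exportable and whether it lives in the TPM-backed key storage provider; the issuer filter name is a hypothetical parameter. A non-exportable, TPM-backed key cannot simply be exported and imported elsewhere, which is the mitigation to verify before relying on certificate-only authentication.

```powershell
# Added example, not from the thread. Audit LocalMachine\My certificates:
# report the key storage provider and whether the private key is exportable.
# Run in an elevated PowerShell session so private key handles can be opened.

function Get-MachineCertKeyAudit {
    param(
        # Optional substring match on the issuer (hypothetical filter; adjust)
        [string]$IssuerFilter = ''
    )

    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.HasPrivateKey -and ($IssuerFilter -eq '' -or $_.Issuer -like "*$IssuerFilter*") } |
        ForEach-Object {
            $cert = $_
            $provider = 'unknown'
            $exportable = $null
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the provider name and export policy are on the key object.
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = ($rsa.Key.ExportPolicy -ne 'None')
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key: the same facts come from CspKeyContainerInfo.
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch {
                # Key handle not accessible (for example, not elevated); leave as unknown.
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                TpmBacked  = ($provider -eq 'Microsoft Platform Crypto Provider')
                Exportable = $exportable
            }
        }
}

# Report the certificates whose keys are not protected from being copied off the box.
Get-MachineCertKeyAudit |
    Where-Object { $_.Exportable -or -not $_.TpmBacked } |
    Format-Table Subject, Provider, TpmBacked, Exportable, NotAfter -AutoSize
```

ECDSA certificates are reported with Provider "unknown" because the helper only opens RSA keys; extend it with ECDsaCertificateExtensions if the PKI issues ECC machine certificates.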

5 Replies

If you need high security and it is a concern, then I suggest going with ISE posturing too.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Octavian Szolga
Level 4

Hi,

There's no right or wrong answer. It all depends on the security needs, policies and level of trust that a company wants to adhere to.

Usually, considering that PKI is AD integrated, you have to use a domain computer in order to get network access be it 802.1x or VPN, because only domain computers have machine certificates, due to GPO being applied only to these.

It's just a matter of perspective, because you can find cons to almost any combination/method of network access. Regarding the use of mimikatz, you'd have to assume that admin rights are not available to regular users, so you don't just download mimikatz and 'let's follow that tutorial'.

Nowadays, best way to provide access (generally speaking) is by using MFA/2FA but I don't see how you can use that and retain what Direct Access provided.

Going back to your issue, from my point of view, Direct Access can be replaced by AnyConnect using:

  • Always On VPN
    • unlike Direct Access, Always On VPN does not establish a VPN prior to user login;
    • it denies any network traffic when off the corporate network, except to the VPN headend (ASA);
    • AD password caching for the user should be available, otherwise users will not be able to log in;
    • after Windows login, you have to connect to the VPN in order to gain access to corporate resources and network connectivity in general.

  • AnyConnect management tunnel
    • this resembles DA more closely (I haven't used it personally);
    • when your PC boots up, you don't need manual user intervention; your PC automatically establishes a RAVPN to your network for GPOs or whatever scripts you need to execute at boot on your PCs;
    • can be combined with 'always on/trusted network detection' when user login happens; something like 2 sessions: 1 for the PC when no user is logged in, disconnected when a user logs in and wants to access all corporate resources, not just a subset.

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

BR,

Octavian

Thank you Octavian for taking the time with this helpful answer.

I will have a closer look at the AnyConnect management tunnel, because it seems to offer the transparency my client requires.

Normally I implement AnyConnect with Duo or other MFA solutions, but user transparency is really important in this case.

Thanks

/Chess

Salman Mahajan
Cisco Employee

Hi @Chess Norris, with machine cert authentication for Secure Client (formerly AnyConnect), you can use Secure Client Posture (formerly HostScan) and configure DAP policies on the headend to check for user compliance before allowing the client to connect and access corporate resources, if you are concerned about the technical complexity of using ISE posture. This would also go well with the SBL/Always On feature.

Gustavo Medina
Cisco Employee

"Normally I implement AnyConnect with Duo or other MFA solutions, but user transparency is really important in this case."

One of Duo's main goals is user experience, @Chess Norris. Since you are designing a new solution, you should consider passwordless. I recommend this documentary: https://duo.com/solutions/passwordless/the-life-and-death-of-passwords

Here at Cisco our VPN experience is seamless: Duo still checks posture and makes sure the device is properly managed, without sending the end user a Duo Push. You can read about our own implementation here: https://blogs.cisco.com/ciscoit/cisco-vpn-goes-passwordless-to-save-time-boost-security