Remote Access VPN Design

martinhurst
Level 1

Good afternoon,


I am after a bit of help regarding a Remote Access solution we are designing to allow Engineers to manage and configure our network devices via SSH/HTTPS through a RA VPN via our Internet Edge.


We have a dedicated VPN firewall, a Cisco ASA 5525-X, in our Edge to terminate Engineers' VPNs, but I was wondering whether a client-based AnyConnect solution is better than a Clientless one for this design.


Ideally we would like to use existing Engineering laptops; however, we need to ensure that the security of our network is not compromised by an infected endpoint. Perhaps Clientless may be a better solution in this case, is what I was thinking.


Any help would be much appreciated. Thank you.


Hi,
I assume you are running ASA software on the 5525 and not FTD?

I'd personally run AnyConnect to allow the users to run the applications natively on their computers. If you are running ASA you can use DAP (Dynamic Access Policies) for posture assessment, to control access depending on applications running on the computer, i.e. if running AV and domain joined, permit access.

You can use VPN Filters to restrict access to SSH/HTTPS

FTD software does not currently support DAP, but if you were using ISE for authentication you could use ISE for posture assessment.

HTH
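As an added illustration (not configuration from the reply above or from any Cisco document), here is how the VPN filter suggested for restricting engineers to SSH/HTTPS could look on ASA software. The names, the VPN address pool (10.200.0.0/24) and the management subnet (10.10.10.0/24) are constructed placeholders; substitute your own.

```cisco
! Constructed example: restrict AnyConnect engineers to SSH and HTTPS only.
! For a vpn-filter on a remote-access tunnel the ACE is written with the
! VPN client address as the source and the internal resource as the
! destination; the ASA permits the matching return traffic itself.
access-list ENG-VPN-FILTER extended permit tcp 10.200.0.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 22
access-list ENG-VPN-FILTER extended permit tcp 10.200.0.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
! Explicit logged deny so attempts to reach anything else (RDP, SMB, other
! subnets) show up in syslog rather than silently dropping.
access-list ENG-VPN-FILTER extended deny ip any any log
!
! Address pool handed to the engineer VPN clients (placeholder range).
ip local pool ENG-VPN-POOL 10.200.0.10-10.200.0.50 mask 255.255.255.0
!
! Group policy that attaches the filter; AnyConnect (SSL client) only,
! no clientless portal for this group.
group-policy ENG-RA-GP internal
group-policy ENG-RA-GP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ENG-VPN-FILTER
!
! Tunnel group (connection profile) that engineers select in AnyConnect.
tunnel-group ENG-RA type remote-access
tunnel-group ENG-RA general-attributes
 address-pool ENG-VPN-POOL
 default-group-policy ENG-RA-GP
```

After a test connection, `show vpn-sessiondb anyconnect` confirms the session picked up ENG-RA-GP, and `show access-list ENG-VPN-FILTER` shows hit counts so you can verify the deny line is catching anything outside SSH/HTTPS.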

I agree. Among other things, running SSH in a clientless setup is both technically ugly and offers questionable security.

Marvin Rhoads
Hall of Fame

If I was asked to create a locked down VPN, I'd use:


  1. ISE with Posture Assessment linked to AD on the backend,
  2. MFA (Duo) for VPN authentication in addition to client certificates
  3. AMP for Endpoints and AnyConnect Umbrella Roaming Security module (or Umbrella Roaming Client) on the remote computers (enforced by the ISE Posture requirements)

If it was a corporate production environment (i.e. for customer-facing revenue-generating resources) I'd further segment access by requiring a jump server.


In either case also enforce MFA for device access in addition to VPN access (zero trust model).

Thank you for the feedback.


Yes, we are running ASA software on the VPN Firewall. I think we have some AnyConnect Apex licenses for the remote engineers' laptops, but there are concerns over the security posture of these laptops as they do connect to the Internet.


We don't have ISE, only ACS, so would that mean any posturing will be done within the ASA?


I have heard of Duo and I think this is a technology we could implement for this scenario, although our scope of users is probably around 25.

If the security posture is a concern then you could also look to implement AMP for Endpoints and/or Cisco Umbrella to protect these devices when off your network.

Yes, run posture on the ASA. You'll need to upgrade ACS soon anyway, so you could consider ISE Posture in the future.