Remote Client Certificate Ownership Proof.

guibarati
Level 4

Hi,

I'm planning on deploying a VPN solution with approx. 1k remote users, using an ASA as Gateway.

It is mandatory for the project that only the specifically authorized machines can connect. (Laptop, smartphone or tablet). (Each user will have to choose which one to use, not all).

The Idea I came up with so far was using machine certificates.

But, since it's up to the client machine to store and secure the public/private keys and its certificate, it would always be possible for this machine to export its keys and certificate, thus allowing another device to import them and gain access to the VPN.

Does anybody have some advice, like using some certificate extensions to tie the certificate to the physical machine?

If not certificates, any other suggestion?

Thanks!

5 Replies

Marcin Latosiewicz
Cisco Employee

Making keys non-exportable (as is best practice, except for CA/RA operation) would be one of the ways to do it.

I can guarantee that 99% of users will not know how to overcome this.

Example for MS:

http://technet.microsoft.com/en-us/library/cc962112.aspx

PIN protecting your private keys is also a way - in essence you want the security to be based on something you have (the certificate) and something you know (PIN), and make iteration of have/know a few more times if you want better (sense of) security ;-)

M.
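As an added illustration of the non-exportable-key approach Marcin describes (this is example code, not from the thread or from Cisco): a certreq INF that enrols a machine certificate with `Exportable = FALSE`, followed by a PowerShell check of which machine-store certificates still have exportable private keys. It assumes a Windows domain member, an enterprise CA template named VPNMachine and a CA config string, both placeholders, and an elevated prompt.

```powershell
# Added example, not from the original post. Placeholders: VPNMachine template, CA config string.
# 1. Enrolment request: MachineKeySet puts the key in the computer store,
#    Exportable = FALSE tells the KSP to refuse to release the private key.
$inf = @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME"
Exportable = FALSE
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = VPNMachine
"@
$infPath = Join-Path $env:TEMP 'vpnmachine.inf'
$reqPath = Join-Path $env:TEMP 'vpnmachine.req'
$cerPath = Join-Path $env:TEMP 'vpnmachine.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq -new $infPath $reqPath
certreq -submit -config "CA-HOST\CA-NAME" $reqPath $cerPath   # placeholder CA config
certreq -accept $cerPath

# 2. Audit: report whether each machine-store private key can be exported.
function Test-PrivateKeyExportable {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG/KSP key: the export policy flags decide whether the key material can leave the provider
        $mask = [System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
        return [bool]($rsa.Key.ExportPolicy -band $mask)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the container carries an explicit Exportable flag
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $null   # non-RSA or hardware-backed key; inspect manually
}

Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    [pscustomobject]@{ Subject = $_.Subject; Thumbprint = $_.Thumbprint; Exportable = Test-PrivateKeyExportable $_ }
} | Format-Table -AutoSize
```

Any certificate the audit lists as Exportable = True can be moved to another device with the user's cooperation, so the template and INF should be corrected and the certificate re-issued.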

Marcin's answer is right on the mark. +5

The problem is with mobile devices.

For iPhones, for example, I need to email a certificate and the keys to it. Then on the iPhone I open the email and open the attachment file.

If I do that, this email can be forwarded somewhere and used to connect another device to the VPN.

Well you have to balance the amount of trust you give users not to both forward the certificate AND give away their PIN with how much administrative overhead and technical safeguards you are going to build into your system.

I believe right now the methods described above are about as much as you can reasonably do with ASA plus Anyconnect alone.

If you layer on a mobile device management solution and, at the high end, something like Cisco Identity Services Engine (ISE), you can get very granular with identity checking and posture assessment. For instance, you can limit access to a particular Mobile Equipment Identifier (MEID). The MEID is unique to a physical device. You can also use SCEP with MDM solutions. See http://www.apple.com/ipad/business/docs/iOS_MDM.pdf for example.

OK, I will have to submit it to the higher level and see if it's acceptable to them.

Thank you for replying.