cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1147
Views
0
Helpful
6
Replies

cut-through authentication vs. virtual telnet/http

Hi,

I'm having difficulties understanding the meaning of the virtual telnet/http commands on the ASA.

I have configured an ASA and defined an access-list with all the traffic which is to be authenticated. These are protocols like RDP, which can't be intercepted by the ASA, but also HTTP and HTTPS which can indeed be intercepted (this is also referred as cut-trough authentication).

The setup principially works. Then a few consultants came and checked my config for errors. They also performed a portscan, where they found out that all protected services (which should only work after authenticating) were answered by the ASA (a tcp-session was started), so an attacker would know what potential services are behind the firewall.

The customer (and me) disliked this behaviour, and I thought this could be solved by using the virtual http feature. Define a seperate IP-Adress, to which you can connect via HTTPs and authenticate, after which you can reach all other services.

Can this be done with this feature? My testresults showed just the behaviour, that you can authenticate at the virtual http-address, but the cut-through authentication is still active, so that's not the solution.

To be honest, I even believe that the virtual telnet/http feature is completely useless! Why? Because to make it work, you have to

1) allow the ip an the inbound ACL

2) add the ip in the ACL where the authenticated traffic is defined

3) configure a NAT for this ip to be routed inside

I don't really see a practical reason for this command - Thanks for your thought...

Florian

6 Replies 6

...just two additions for clarification:

* the tcp-sessions which are started (although the client has not authenticated yet) are of course no sessions to the protected service, it's just the HTML-page returned by the ASA to perform the authentication. But this is to my mind a really ugly behaviour. E.g. if you try to connect with RDP (and you are not authenticated), you get an error-message from the client ("bad protocol").

* The reason why I think the feature is useless, is that you have to configure everything you would also have to configure for normal cut-through operation. So you could just omit the virtual http command - it would also work. You just have to allow http-traffic, too (no difference to the virtual-http variant). You have to teach the users that they have to connect with a browser to address, anyway.

Thanks,

Florian

jedavis
Level 4
Level 4

Florian,

I have virtual telnet configured and just attempted to run a Nessus scan from the outside to an address located on the most secure inside interface. I discovered the same behavior that you describe - the firewall responds to all denied access with the message:

Error: Must authenticate before using this service.

What I want to happen is that the firewall silently discard any attempt to access an inside address before authenticating, and only respond with any prompt when it's virtual telnet address is accessed.

Did you ever get any clarification on how this is supposed to work?

Thanks,

-Jeff

Hi Jeff,

I'm sorry to say that my findings are still the same - the feature has no meaning to me and just increases the workload of configuring the box without any additional benefit. The behaviour which you are describing and which is the behaviour which would make sense can't be achieved with any configuration I would be aware of. I even had a horrible TAC-case regarding this which lasted several month with no outcome, so it's best to forget the feature.

Regards,

Florian

Hi Florian / Jeff

I agree largely with what you are saying and have found similiar issues with it. if you are already authenticating to a web service the additional config of a virtual http service seems unnecessary.

But i think one instance where virtual telnet is useful is if you have services such as RDP etc. that you need to authenticate but you don't have a web server or telnet server to authenticate against.

Without virtual telnet i'm not sure how you could setup access to these services so you would need virtual telnet in this case.

Where i find the command particularly useless is that i want to authenticate people accessing for example terminal servers on a particular subnet. This subnet is also running web servers.

Now say i want to do this via http authentication. I'm trying to authentciate them because i don't know their IP addresses. So i enter an authentication command for http but now everyone who wants to use http has to authenticate and not just people who are going to be using terminal services.

Regards

The issue that I have is that once virtual telnet/http is configured then the firewall responds to attempts to connect through the firewall on all ports with a message "Error: Must authenticate before using this service." The behavior that I would like to see is that the firewall would silently drop these connection attempts unless the user has previously authenticated from the source IP address.

I too attempted to resolve this through TAC and their answer was "It doesn't work that way". Well, um... yeah, I knew that. My point is that I think it should. I suggested that this behavior be added in a future release as a configurable option.

-Jeff

I tried the TAC route myself and was informed that "this is expected behavior". For what it is worth I submitted a suggestion to my account team that as an enhancement to a future release this should be configurable.

-Jeff

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: