Disabling SSL clientless login without disabling anyconnect

paul.matthews
Level 5

Please bear with me - I know little of the ASAs, am not really a security person, and don't have access to the equipment. I am trying to help almost by hearsay.

The description I have is:

We cannot disable SSL Clientless login without disabling fat client login (AnyConnect) or posture checking.

What this essentially means is once the service goes in, for the VPN solution to work we cannot stop the public facing ASA IP address from allowing https over port 443 connectivity.

OK, the box will not allow individuals to log in because they would fail the posture checks, but by that stage we have reduced the attack surface, as a potential attacker already knows what vendor solution we are using and who they are potentially attacking from the certificate.

ASA 5550 8.3.1

ASDM version 6.3.1
AnyConnect 2.4.1012
CSD 3.5.1077

Thanks for any pointers

Ivan Kovacevic
Cisco Employee

In short, no.

AnyConnect also uses HTTP over SSL to log in. So you cannot disable SSL session establishment in any way, as it is needed for AnyConnect. The difference between Clientless and AnyConnect is that the ASA detects AnyConnect by the User-Agent HTTP header field and redirects it to a different path. Even if you could prevent access for other User-Agents, this can be easily spoofed, so a potential attacker can still take a peek, but I am not sure how useful that would be.

Many thanks for the response, I will forward the comments on.

Paul.