Disabling SSL clientless login without disabling anyconnect
Please bear with me - I know little of the ASAs, am not really a security person and don't have access to the equipment. I am trying to help almost by hearsay.
The description I have is:
We cannot disable SSL Clientless login without disabling fat client login (AnyConnect) or posture checking.
What this essentially means is once the service goes in, for the VPN solution to work we cannot stop the public facing ASA IP address from allowing https over port 443 connectivity.
OK, the box will not allow individuals to log in because they would fail the posture checks, but by that stage we have reduced the attack surface as a potential attacker already knows what vendor solution we are using and who they are potentially attacking from the certificate.
ASA 5550 8.3.1
ASDM version 6.3.1 AnyConnect 2.4.1012 CSD 3.5.1077
Re: Disabling SSL clientless login without disabling anyconnect
In short, no.
AnyConnect also uses HTTP over SSL to log in. So you cannot disable SSL session establishment in any way as it is needed for AnyConnect. The difference between Clientless and AnyConnect is that the ASA detects AnyConnect by the User-Agent HTTP header field and redirects it to a different path. Even if you could prevent access for other User-Agents, this can be easily spoofed so a potential attacker can still take a peek, but I am not sure how useful that would be.
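The two points in the reply above, as an added example that is not part of the original thread and not Cisco code: a small Python probe that connects to port 443, records what the served certificate gives away (subject, issuer, DNS names) and then sends the same request twice with a browser User-Agent and with a client-controlled string that imitates AnyConnect, so you can see whether handling is steered by a header anyone can set. The User-Agent values, the hostname and the sample certificate dictionary are assumptions for illustration; the real AnyConnect build sends its own string.

```python
"""Recon against an SSL VPN endpoint on 443: certificate disclosure plus
User-Agent-driven handling. Added example; the User-Agent strings, host
and SAMPLE_CERT below are assumptions, not values from the ASA."""
import http.client
import ssl
from typing import Optional

# Assumed User-Agent values. The only point is that the client picks them.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/60.0"
SPOOFED_ANYCONNECT_UA = "AnyConnect Windows 2.4.1012"  # assumed format

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns,
# used for offline demonstration of cert_summary().
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "vpn.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "vpn.example.com"),
                       ("DNS", "remote.example.com"),
                       ("IP Address", "203.0.113.10")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def cert_summary(cert: dict) -> dict:
    """Reduce a getpeercert() dict to what a scanner would note: who the
    box claims to be, who vouches for it, its DNS names and expiry."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    dns_names = sorted(v for kind, v in cert.get("subjectAltName", ())
                       if kind == "DNS")
    return {
        "common_name": subject.get("commonName"),
        "organization": subject.get("organizationName"),
        "issuer": issuer.get("commonName"),
        "dns_names": dns_names,
        "not_after": cert.get("notAfter"),
    }


def handling_differs(a: dict, b: dict) -> bool:
    """True when two probe summaries show the server treated the requests
    differently (status or redirect target), i.e. User-Agent steered it."""
    return (a["status"], a["location"]) != (b["status"], b["location"])


def probe(host: str, user_agent: str, path: str = "/",
          cafile: Optional[str] = None, timeout: float = 10.0) -> dict:
    """One HTTPS GET with a chosen User-Agent, returning a small summary.

    Verification stays on: with CERT_NONE, getpeercert() returns {} and the
    certificate details are lost. Pass cafile for a private CA. The cert is
    read right after connect(), because http.client may drop the socket
    once the response is complete."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # probing by IP is normal; a CN mismatch is itself a finding
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.connect()
        cert = conn.sock.getpeercert()
        conn.request("GET", path, headers={"User-Agent": user_agent, "Host": host})
        resp = conn.getresponse()
        body = resp.read()
        return {
            "user_agent": user_agent,
            "status": resp.status,
            "location": resp.getheader("Location"),
            "server": resp.getheader("Server"),
            "body_bytes": len(body),
            "cert": cert_summary(cert),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder host
    results = [probe(target, ua) for ua in (BROWSER_UA, SPOOFED_ANYCONNECT_UA)]
    print("certificate:", results[0]["cert"])
    for r in results:
        print(f"{r['user_agent'][:30]:30} -> {r['status']} {r['location'] or ''}")
    print("User-Agent changes handling:", handling_differs(*results))
```

Run it as `python probe.py <public-vpn-ip-or-name>`. Whatever the two responses look like, everything the script prints was obtained before any credentials or posture check came into play, which is the reply's point: the TLS listener and the certificate are exposed to anyone, and a User-Agent check is a routing decision, not access control.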