cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
22718
Views
90
Helpful
16
Replies

HTTP Strict Transport Security on ASA

gchevalley
Level 1
Level 1

Our PCI scan vendor has recently began flagging the outside interfaces of all of our firewalls that have AnyConnect enabled on them.  Does anyone know if there is a way to enable HSTS on AnyConnect / WebVPN or the outside interface?

1 Accepted Solution

Accepted Solutions

Show me anywhere in the PCI standard that requires this.  You wont be able to. You don't require this to be PCI compliant.

Here is the US Government's FIPS140-2 certificate for AnyConnect.

http://www.cisco.com/c/dam/en_us/solutions/industries/government/security_certification/pdfs/acumenany_connect_desktop.pdf

Being certified to FIPS140-2 security standards for cryptography - I think more than trumps your scan saying it is insecure.

View solution in original post

16 Replies 16

Philip D'Ath
VIP Alumni
VIP Alumni

No.

Anyconnect will only run over an encrypted channel - by design.  That is the whole point of it.

You don't have anything to worry about in this regard.

That is besides the point.  The scan engine is still detecting this alleged vulnerability that prevents us from being PCI compliant.  I can contest it for now but they will still require the solution to be implemented at some point in the near future.

Sys. Notes:  
Reference ID: 93244
Reference Type: fusionvm
Brief Description: HTTP Strict Transport Security (HSTS) is a security enhancement specified by a web application through the use of a
special response header. A lack of HSTS has been discovered. This could allow an attacker to conduct man-in-the-middle
attacks.

Concern: The HTTP Strict Transport Security provides enhancements by addressing multiple vulnerabilities related to
both passive and active network attackers by forcing interaction over secure connections. A lack of its use may allow
attackers to conduct man-in-the-middle attacks.

Solution: It is recommended that users implement the use of HTTP Strict Transport Security.

Risk Level (CVSS): Medium (5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

PCI Severity: Fail

Evidence: No http strict transport_security detected on https server.

Informative Details:

Detection Protocol: Unknown Service

Exposure ID: 93244

CPE of Detected Product: cpe:/p:protocol:http

Additional Vectors

Root Cause: Vendor Flaw
Risk Factor: Medium
Skill Level: Low
Likelihood: High
Data Loss: false
System Loss: false
Access Control Loss: false
Reputation Loss: true
Info Theft: true
Disclosure: true
Downtime: false
Monitoring Failure: false

Show me anywhere in the PCI standard that requires this.  You wont be able to. You don't require this to be PCI compliant.

Here is the US Government's FIPS140-2 certificate for AnyConnect.

http://www.cisco.com/c/dam/en_us/solutions/industries/government/security_certification/pdfs/acumenany_connect_desktop.pdf

Being certified to FIPS140-2 security standards for cryptography - I think more than trumps your scan saying it is insecure.

I'm having the same issue as 

How can Cisco release a fix for an issue that does not exist?

what you should be asking is when is your vendor going to fix their scan to prevent it reporting false positives.

Thanks Philip,

  • This is a known Cisco bug: CSCvc82150

  • Status is "Open"

  • My "vendor" is Homeland Security (DHS).

  • I realize this is a false positive.

Thanks again for helping out!

You'll notice it is listed as an enhancement request.

I'll keep my fingers crossed for you but I doubt anything will happen anytime soon.

lol

May want to look into Upgrading to 9.8.2

Rahul Govindan
VIP Alumni
VIP Alumni

I do not think there is any command to enable HSTS on the ASA. Last I checked, this was being fixed on the ASA to return the header. I checked the latest 9.7 release notes and there was no mention of the fix. You might want to open a TAC case to check if this was ever implemented on the ASA. I agree with [@p.dath] that this is not really going to affect the Anyconnect or Webvpn session as they only work on TLS/SSL channel.

Hi all,

I just came across this thread looking for HSTS support and noticed that as of ASA 9.8.2 (released Aug 2017), it looks like it's been implemented.

 

Per the release notes (https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html#reference_ugl_3mz_d1b):

 

VPN Features

HTTP Strict Transport Security (HSTS) header support

HSTS protects websites against protocol downgrade attacks and cookie hijacking on clientless SSL VPN. It lets web servers declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

We introduced the following commands: hsts enable, hsts max-age age_in_seconds

 

 

Just curious if anyone has tested this and has any feedback.

Thanks!

-casey

i have patched to 9.8.2 interim 14 and applied the two hsts settings and still failed via qualys 

 

i am missing

X-Content-Type-Options HTTP Header missing on port 443.
Content-Security-Policy HTTP Header missing on port 443.

 

please assist thanks

Tim Glen
Cisco Employee
Cisco Employee

In ASA OS 9.8(2) HSTS first became supported. 

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html#reference_ugl_3mz_d1b

 

Hope this helps

 

Tim

 

james.king14
Level 1
Level 1

I found the answer for the webpage HSTS

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: