Hey all!
So you have Cisco ASAs that handle your client remote access, and you want to be sure you're using the strongest technical security you can configure. Cisco ASAs make this pretty easy to do, but you need to be aware of a few things:
- This change is global, to all SSL cryptography. This means you can't just switch over a couple of group policies for testing. It's recommended to make this change during off-hours so you can test yourself
- The change won't kick all the SSL tunnels that are built, so you can certainly make the change, test a connection, then switch back mid-day without an impact to your users
- This change also affects the web page that users access pre-VPN to download the AnyConnect client and access any bookmarks and other features exposed over clientless VPN. This does include the Cisco ASDM, which requires a Java update to work properly after this change. I'll cover this more down below.
TLS Version
First of all, use only TLS version 1.2. SSL 3.0/TLS1.0 has been found to have significant weaknesses, and TLS 1.1 is not longer recommended due to the additional features added in version 1.2. To make this change, run the following command. This limits all SSL connections to the ASA to use only version 1.2 (or greater, when available). When version 1.3 becomes standard, you'll want to update to that, but 1.3 is not yet implemented in ASA code.
ASAHostname(config)# ssl server-version ?
configure mode commands/options:
tlsv1 Enter this keyword to accept SSLv2 ClientHellos and negotiate TLSv1
(or greater)
tlsv1.1 Enter this keyword to accept SSLv2 ClientHellos and negotiate
TLSv1.1 (or greater)
tlsv1.2 Enter this keyword to accept SSLv2 ClientHellos and negotiate
TLSv1.2 (or greater)
ASAHostname(config)# ssl server-version tlsv1.2
Ciphers
Second, make sure that the ciphers used to encrypt the data are classified by Cisco as "High" security.
ASAHostname(config)# ssl cipher tlsv1.2 high
This classification includes:
ASAHostname# show ssl ciphers high
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
AES256-GCM-SHA384 (tlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2)
AES256-SHA256 (tlsv1.2)
DH Group
Third, make sure that the Diffie-Hellman Group used to exchange data uses larger moduli, which should keep the key exchange tamper resistant against more powerful computers.
ASAHostname(config)# ssl dh-group ?
configure mode commands/options:
group1 Configure DH group 1 - 768-bit modulus
group2 Configure DH group 2 - 1024-bit modulus
group5 Configure DH group 5 - 1536-bit modulus
group14 Configure DH group 14 - 2048-bit modulus, 224-bit prime order
subgroup (FIPS)
group24 Configure DH group 24 - 2048-bit modulus, 256-bit prime order
subgroup (FIPS)
ASAHostname(config)# ssl dh-group group24
Testing
Your change is done, you can now test your VPN with AnyConnect. Also visit the page using a browser from the outside to view the clientless page and verify that security is classes as solid using Chrome.
I also recommend
Qualsys' SSL Labs testing toolkit, which is free. Make sure to check the box "do not show the results on the board" to keep your results private.
ASDM Fix ("Unable to launch device manager from...")
Because of the enforced strong encryption on the ASA, the default download of Java doesn’t contain the encryption libraries required to run the ASDM GUI application to manage the firewall. If Java is not updated with these libraries, the following error will be seen:
To allow Java to connect, the Java Cryptography Extension pack must be downloaded and pasted over the existing files in the local Java install. The JCE pack for Java family 8 can be found here:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Both new library files must be dropped into this path: C:\Program Files (x86)\Java\(Java version path)\lib\security\. For instance, on a test machine this exact path is used: C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\.
Keep an eye on this folder, though - every time Java updates itself, it will wipe out the JCE packs that you added, and you'll need to re-drop the JCE into the folder again.
Happy encrypting,
kyler