Comments on: Cisco AnyConnect VPN Overview http://blog.ine.com/2009/01/03/cisco-anyconnect-vpn-overview/ Helping you become a Cisco Certified Internetwork Expert Wed, 28 Jul 2010 22:47:55 -0700 http://wordpress.org/?v=2.8.6 hourly 1 By: LEB http://blog.ine.com/2009/01/03/cisco-anyconnect-vpn-overview/comment-page-1/#comment-17843 LEB Sun, 04 Jan 2009 20:54:51 +0000 http://blog.ine.com/?p=435#comment-17843 One problem with AnyConnect is that since it uses SSL, it is vulnerable for a Man in The Middle attack. I have tested this myself, and was quite easily able to get both username and password by doing MiTM. Granted, I had to click accept on the certificate error that was presented, but normally users do this anyway. But with the new MD5 exploit for certificates, this can quite quickly become critical for an organization. So, yes, AnyConnect is quite nice, but I would reccomend either using token based authentication, or having the ASA request a client certificate to mitigate this attack. -Erik One problem with AnyConnect is that since it uses SSL, it is vulnerable for a Man in The Middle attack.

I have tested this myself, and was quite easily able to get both username and password by doing MiTM.

Granted, I had to click accept on the certificate error that was presented, but normally users do this anyway.

But with the new MD5 exploit for certificates, this can quite quickly become critical for an organization.

So, yes, AnyConnect is quite nice, but I would reccomend either using token based authentication, or having the ASA request a client certificate to mitigate this attack.

-Erik

]]> By: Anthony Sequeira, #15626 http://blog.ine.com/2009/01/03/cisco-anyconnect-vpn-overview/comment-page-1/#comment-17832 Anthony Sequeira, #15626 Sun, 04 Jan 2009 18:52:50 +0000 http://blog.ine.com/?p=435#comment-17832 Ahh - I just noticed that I did not complete the post - sorry!!! Thanks again for the heads up. Copy/Paste error. Ahh – I just noticed that I did not complete the post – sorry!!! Thanks again for the heads up. Copy/Paste error.

]]> By: Anthony Sequeira http://blog.ine.com/2009/01/03/cisco-anyconnect-vpn-overview/comment-page-1/#comment-17831 Anthony Sequeira Sun, 04 Jan 2009 18:48:11 +0000 http://blog.ine.com/?p=435#comment-17831 Hi pitt2k! Thanks for the query and feedback. I am trying to keep the posts shorter and more direct. I will add a conclusion - and will post a follow up blog today on issues with the client install. Look for it later today or tonight. Thanks again. Hi pitt2k!

Thanks for the query and feedback. I am trying to keep the posts shorter and more direct. I will add a conclusion – and will post a follow up blog today on issues with the client install. Look for it later today or tonight.

Thanks again.

]]> By: pitt2k http://blog.ine.com/2009/01/03/cisco-anyconnect-vpn-overview/comment-page-1/#comment-17818 pitt2k Sun, 04 Jan 2009 14:19:55 +0000 http://blog.ine.com/?p=435#comment-17818 Anthony, Does it require administrative rights on the client to install or use this software? P.S. Seems the article is unfinished. Anthony,

Does it require administrative rights on the client to install or use this software?

P.S. Seems the article is unfinished.

]]>