So long story short we had a “pentest” by our cyber insurance company which seems like they just did a basic port scan.
They are highly concerned to the point where they may not give us coverage because of this:
They found port 443 open on our Cisco router for our VPN. They can go to the external IP and it resolves to a cisco page (X.X.X.X/+CSCOE+/logon.html). If you have credentials for that portal, you can download the Cisco Anyconnect client. I went to an external network and tried it. I couldn’t find any other functionality to that page other than the client download.
All of this stuff was set up long before my time at the company, but is this not standard? From my understanding the router portal is a feature that was put there on purpose.
They are really insisting that we shut down access to port 443. I am really insisting that closing that port would render our VPN services non-existent.
Are they being idiots? Am I being an idiot? Are we all being idiots? VPNs and routers are NOT my strong suit so I’m worried I’m missing something obvious.
Should I stand my ground that this guy who did the port scan doesn’t understand VPNs?
UPDATE: Hey I didn’t realize this thread ended up getting so many replies. Just in case anyone was wondering. We turned off the portal, and showed the insurance company that our router is on the latest stable release and that we have MFA. Seems like that did the trick.
Can you provide the AnyConnect client in another way and then shut down this feature? Basically, do you trust your router to be a webhost too? If there was a vuln in the hosting software, then malicious actors could potentially take over the router and do many bad things.
I had the same thing come back from a recent pen test for our SonicWall. You’ll often get pentesters/auditors that don’t understand all of the technologies out there that they run into (and it’s not fair to expect that of anyone). Most are very open to dialogue once you explain things to them, but every once in a while you’ll get one that’s a PITA.
I re-confirmed that management was disabled on all interfaces except the management network and provided them proof that management access was disabled via the WAN interface.
I’m a pentester and run into this on my clients and never report this as a finding. This one in particular “/+CSCOE+/logon.htm” too. Just make sure it’s updated because it’s had some big vulnerabilities in the last few years iirc.
Also for low findings, which I’d assume this one is, we usually just let them know and it’s up to them to fix it. Like someone else said in this thread, this response is always legit and keeps a good paper trail – “we are aware of the risk and we accept it because of reason X”…
Otherwise if they’re being annoying, ask them if they can show a proof of concept on exploitation.
I’ve normally explained that we understand the vulnerability, that it’s needed for business functionality, and that we have assessed the risk and decided to accept it.
Since this seems like it’s your first rodeo, you need to understand how this theoretically works: they do the test, they come back with x issue, but you already know of x issue and have deemed it acceptable risk for y reason. Then you tell them that and if they have further questions they’ll send it back to you with notes. They always seem super serious but this is a common scenario for them so don’t sweat it, it’s just an audit mini-game you have to play.
Who is “insisting” you shut down 443? A pentester should not be insisting on anything, they give you results. That’s it.
Both you and he are oversimplifying. If he just said “Port 443 is open” that’s not enough. He should be giving you specific risks, exploits, vulnerabilities and CVEs, etc.
You need to do a risk assessment of the page being available, assess what attacks might be possible, and discuss mitigations.
Patching the firewall against known vulnerabilities, implementing MFA on the user accounts, etc. are mitigations. If these sufficiently lower the risk and there is a business need for it, document the mitigations and keep it. If they don’t mitigate it enough, as others said, make it internal only, or put the download behind a VPN. I don’t think disabling this page prevents the VPN from working.
“Should I stand my ground that this guy who did the port scan doesn’t understand VPNs?” As a general rule, if you yourself say “VPNs and routers are NOT my strong suit” you shouldn’t be standing your ground against another professional. Educate yourself on the subject, then maybe take a stance. If I had a dime for every time I saw two people with a third of an understanding arguing about an IT issue I’d be a very rich man. Be an authority on the topic or defer to one. Find evidence. Cite sources. Make your case.
Your cyber insurance company is trash, and they’re looking for any reason to deny coverage. They’re also not staffed by SysAdmins and NetAdmins, they are box checkers that know how to run Tenable.
You need to push back in writing why these things are not issues and how they are just industry standards.
I dealt with this years ago. We just shut down the web portal on the external interface on our ASAs and then I hosted the client somewhere else. I ended up creating a simple nginx Docker image, with a static page with buttons to download the Windows/Mac client; hosted it in a Kubernetes cluster elsewhere. I even built a pipeline around it so that the image got patched and we didn’t introduce other vulnerabilities. Any time someone needed the client (onboarding, reinstall, etc.), the help desk just sent people to the link.
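A minimal nginx server block for the kind of self-hosted client download page this reply describes (and the "internal only" option mentioned earlier in the thread), added here as an illustration and not the poster's actual configuration. The hostname, file paths, certificate locations and the 10.0.0.0/8 range are placeholders.

```nginx
# Static "download the VPN client" page, served over TLS only.
# Hostname, paths, certificate locations and the allow range are assumptions.
server {
    listen 80;
    server_name vpn-client.example.com;
    return 301 https://$host$request_uri;   # never hand out installers in plaintext
}

server {
    listen 443 ssl;
    server_name vpn-client.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    root          /usr/share/nginx/html;
    autoindex     off;                      # never list directory contents
    server_tokens off;                      # drop the nginx version banner

    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Content-Security-Policy "default-src 'self'" always;

    # Optional: limit the page to the corporate range so the installer is
    # not reachable from the open internet (10.0.0.0/8 is a placeholder).
    # allow 10.0.0.0/8;
    # deny  all;

    # Landing page with the Windows/macOS buttons (index.html sits in root).
    location = / {
        try_files /index.html =404;
    }

    # Installer files only; any other path under /downloads/ is refused.
    # Note: add_header inside a location replaces the server-level headers,
    # so nosniff is repeated here on purpose.
    location ~ ^/downloads/[A-Za-z0-9._-]+\.(msi|dmg|pkg|exe)$ {
        types { }
        default_type application/octet-stream;
        add_header Content-Disposition "attachment" always;
        add_header X-Content-Type-Options nosniff always;
    }

    # Everything else (including probing for other paths) gets a 404.
    location / {
        return 404;
    }
}
```

Pin the base image and rebuild on a schedule so the nginx binary gets the same patch cadence the poster describes.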
I wouldn’t fight them on it. It’s a convenient way to get a deployment package and profile out of the firewall but not at all necessary. Yes, the port will need to stay open and I wouldn’t personally move it from 443 as it’s great for slicing out of public/hotel wifi with restrictions.
Two things: is your device up to date on firmware? And do you have two-factor implemented for all connection profiles? If the answer to either is no, you need to remediate or mitigate.
What is the device? Firepower? ASA? ISR of some sort?
Most of these pen tests are cookie cutter scans. Take the results with a grain of salt. I was told once all of my IP phones were a vulnerability due to not having valid SSL certs. Just state your case, fix what is valid and move on.
Throw up a NetWare 5.1 box with BorderManager, it’s so obscure they won’t know what to do with it, and it responds to brute force by abending and crashing.