Cisco AnyConnect Secure Mobility Client : Posture module


What is AnyConnect Secure Mobility Client?

AnyConnect Secure Mobility Client is Cisco's VPN client. Beyond the remote-access tunnel itself, it adds security controls around the connection to the corporate network.

AnyConnect supports two VPN protocols, IPsec (IKEv2) and SSL/TLS, and is built from optional modules that extend its functionality, capabilities and security.

There are two Posture modules in AnyConnect:

ISE Posture

HostScan

How ISE Posture works:

ISE Posture performs a client-side evaluation. The client receives the requirement policy from the headend, collects the required data from the endpoint, compares it against the policy, and sends the assessment results back to the headend.

ISE makes the final compliance decision, but it relies on AnyConnect's evaluation of the endpoint. If the endpoint is compliant, the VPN connection can proceed.

Note:- here the headend could be an ASA (Adaptive Security Appliance), an FTD firewall, or the ISE server itself.

Features of ISE Posture modules:
  • Posture checks
  • Necessary remediation
  • Reassessment of endpoint clients
  • Automatic compliance
Posture checks:

The ISE Posture module uses the OPSWAT library to perform the posture checks. If the endpoint fails any mandatory requirement, it is marked non-compliant, and network access proceeds only once the endpoint becomes compliant.

Note:- OPSWAT is a security vendor; its endpoint-detection library is what ISE Posture uses to identify the security products (antivirus, antispyware, firewall, patch management) installed on the endpoint.

Necessary remediation:

If the endpoint is non-compliant, the user is shown what was detected and what must be done to meet the policy. After remediation, the Acceptable Use Policy notification is displayed, and the user must accept it before being granted network access.

Patch management checks and remediations:

The AnyConnect and Microsoft SCCM integration provides patch-management checks and remediations. The check inspects the status of critical patches on the remote endpoint.

If a critical patch is missing, a remediation action is triggered to install it. Once all missing patches have been installed, the patch-management check passes.

Reassessment of endpoint clients:

Once the endpoint is deemed compliant and granted network access, it can optionally be reassessed periodically.

This reassessment differs from the initial posture check: it allows the user to remediate, if configured to do so, and if the endpoint still fails to meet the requirements it is marked non-compliant.

Automatic compliance:

With a posture lease, an endpoint that was recently found compliant does not have to repeat the posture checks on every new connection; the ISE server can skip the checks and treat the endpoint as compliant for the duration of the lease.

Operations that may interrupt the ISE Posture flow:
  • The user cancels in the middle of the posture checks.
  • The remediation timer expires.
  • An error occurs during remediation.
  • Connectivity between the ISE server and AnyConnect is lost.

Simultaneous users on endpoints:

ISE Posture does not support separate posture assessments for multiple users logged on to the same endpoint.

Once the first user completes posture and the endpoint is granted network access, all other users on that endpoint inherit the same assessment.

Logging for ISE Posture module:

Logs are stored in a sub-directory of the installed AnyConnect version's directory. If the module terminates abnormally, mini-dump files are written to the same path.

Advanced panel:

The Advanced panel of the AnyConnect UI displays user preferences, statistics, detected security products, a scan summary and the message history, giving more detail on the posture process and the status of each step.

VPN Posture (HostScan) module:

HostScan is the other posture module of AnyConnect. It gathers the operating system, antivirus, antispyware and installed software on the remote host, and checks whether the software firewall is enabled, before the VPN connection is established.

In addition, HostScan evaluates endpoint attributes such as IP address, registry entries, BIOS and local certificates against the requirement policy configured on the ASA. Based on the result of that evaluation, the remote connection is allowed or refused. HostScan performs both an endpoint assessment and an Advanced Endpoint Assessment while the VPN connection is being established.

The endpoint assessment checks the requirement policy for antivirus, antispyware and software firewall. Advanced Endpoint Assessment goes further and remediates these products on the remote host: if the end user disables a required protection after the VPN connection is up, it is re-enabled within the configured time period.
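The following is an added example, not Cisco code from AnyConnect, ISE or HostScan, and the policy, endpoint data and remediation actions in it are constructed for illustration. It models the evaluation logic described above for ISE Posture (compare collected endpoint data against a requirement policy, treat only mandatory failures as non-compliance, remediate until the remediation timer expires, reassess, and honour a posture lease) and the same compare-then-remediate loop that HostScan's endpoint assessment and Advanced Endpoint Assessment apply. The requirement names, operators and `REMEDIATIONS` table are assumptions of this model, not Cisco's policy format.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requirement:
    name: str
    attr: str                  # key in the data collected from the endpoint
    op: str                    # "eq": must equal value; "le": must be <= value
    value: object
    mandatory: bool = True     # only a failed mandatory check makes the endpoint non-compliant
    remediation: Optional[str] = None  # hypothetical remediation action, if one exists


# Constructed requirement policy, standing in for what the headend sends the client.
POLICY = [
    Requirement("av_installed", "antivirus_installed", "eq", True),
    Requirement("av_defs_fresh", "av_definition_age_days", "le", 7,
                remediation="update_av_definitions"),
    Requirement("firewall_on", "firewall_enabled", "eq", True,
                remediation="enable_firewall"),
    Requirement("disk_encrypted", "disk_encrypted", "eq", True, mandatory=False),
]

# Hypothetical remediation actions: each changes the collected data the way a
# successful fix on the endpoint would change the next collection.
REMEDIATIONS = {
    "update_av_definitions": lambda ep: ep.update(av_definition_age_days=0),
    "enable_firewall": lambda ep: ep.update(firewall_enabled=True),
}


def check(req, endpoint):
    """Evaluate one requirement against the collected endpoint data."""
    actual = endpoint.get(req.attr)
    if req.op == "eq":
        return actual == req.value
    if req.op == "le":
        return actual is not None and actual <= req.value
    raise ValueError(f"unknown operator {req.op!r}")


def evaluate(policy, endpoint):
    """Client-side evaluation: (compliant, failed_mandatory, failed_optional)."""
    failed_mandatory = [r.name for r in policy if r.mandatory and not check(r, endpoint)]
    failed_optional = [r.name for r in policy if not r.mandatory and not check(r, endpoint)]
    return (not failed_mandatory, failed_mandatory, failed_optional)


def remediate(policy, endpoint, failed, budget_seconds, seconds_per_action=30):
    """Remediate failed requirements in policy order until the remediation timer
    runs out. Returns (remediated, not_remediated); a requirement with no action,
    or one still pending when the timer expires, ends up in the second list."""
    by_name = {r.name: r for r in policy}
    done, not_done = [], []
    for name in failed:
        action = REMEDIATIONS.get(by_name[name].remediation)
        if action is None or budget_seconds < seconds_per_action:
            not_done.append(name)
            continue
        action(endpoint)
        budget_seconds -= seconds_per_action
        done.append(name)
    return done, not_done


def lease_valid(last_compliant_at, now, lease_seconds=24 * 3600):
    """Posture lease (epoch seconds): a recently compliant endpoint skips the run."""
    return last_compliant_at is not None and 0 <= now - last_compliant_at < lease_seconds


def posture_session(policy, endpoint, now, last_compliant_at=None, remediation_budget=60):
    """One posture run for an endpoint; mutates `endpoint` when remediation succeeds."""
    if lease_valid(last_compliant_at, now):
        return "compliant (lease)"
    compliant, failed, _ = evaluate(policy, endpoint)
    if compliant:
        return "compliant"
    remediate(policy, endpoint, failed, remediation_budget)
    compliant, failed, _ = evaluate(policy, endpoint)  # reassess after remediation
    return "compliant" if compliant else "non-compliant: " + ", ".join(failed)


if __name__ == "__main__":
    # Constructed endpoint: stale AV definitions and firewall off.
    stale = {"antivirus_installed": True, "av_definition_age_days": 30,
             "firewall_enabled": False, "disk_encrypted": True}
    print(posture_session(POLICY, dict(stale), now=1_700_000_000))
    print(posture_session(POLICY, dict(stale), now=1_700_000_000, remediation_budget=30))
```

The second call in the driver gives the remediation loop only enough time for one action, so the firewall is never re-enabled and the endpoint is reported non-compliant, which is the "remediation timer expires" interruption from the ISE Posture section above; a failed requirement with no remediation action (antivirus not installed at all) stays non-compliant regardless of the timer.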

Logging of VPN Posture:

Log files are placed in the user's home directory; the exact path depends on the operating system.

Non-Windows:- /home/user_name/.cisco/hostscan/log
Windows:- C:\Users\user_name\AppData\Local\Cisco HostScan\log\cscan.log

Conclusion:

We have looked at the two posture modules of AnyConnect, ISE Posture and HostScan, which reduce the risk of unauthorised access and malware by checking the state of the endpoint before and after it connects. Both are easy to use through the AnyConnect UI.

References:- https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-posture.html 
