• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4316
  • Last Modified:

SSL Certificate for VPN on Cisco ASA installation question

Experts,
I have an ASA 5510 that I have set up for SSL VPN using an internal web server for RADIUS authentication. Currently to access the VPN, a user types in HTTPS://IP ADDRESS:PORT#
Since we are using the default SSL certificate from the device the user receives a pop up stating that the certificate has a problem, and they have to choose to continue or not.
I went to purchase a certificate and was told that we can't purchase an SSL cert for an IP address that we lease.
I usually leave the router/firewall configs for a security expert but have had little assistance in this area.
What would be the most secure way to proceed? Add an A record for the IP address through my ISP?
(The address we are using is the address for the external interface on the ASA.) or can we change the address being used for the VPN to be the same address as the one that the firewall translates through NAT?
Would it be better to add an additional address to the ASA just for the SSL VPN, is that possible?

IF anyone could give me some advice on which direction they've gone in setting up an SSL VPN with a 3rd party certificate on an ASA that would be very much appreciated. I've looked at the documentation on installing the cert ..I'm more confused on getting the security right on the addressing - is it a security risk to have an a record pointed to the IP addres of the external interface of my asa?
THANKS so much for your help.
0
cmulwilliams
Asked:
cmulwilliams
  • 4
  • 3
1 Solution
 
tlamoniaCommented:
You CAN purchase a cert for the IP address you lease.  That IP is actually carved out of your ISPs block of IPs and assigned to you!  So go forth and purchase the cert and get your box going!  For the IP, just keep it simple.  The most secure way is to use the external IP (no name resolution) to connect.
-Todd
0
 
cmulwilliamsAuthor Commented:
Entrust told me that it wasn't possible to purchase a cert from them for a leasd IP, can you recommend someone that does allow buying the cert for  leased IP? That would save me alot of extra work.

Thanks so much!
0
 
tlamoniaCommented:
Sure.  Try one of these:
http://www.thawte.com/
http://www.networksolutions.com/SSL-certificates/index.jsp
When you order to cert, make sure you use your direct telephone number, some of these places will call you to verify that your organization is real/legit.
One last thought I forgot to mention.  SSL certs require an FQDN (Fully Qualified Domain Name), so you will have to add an A record in your DNS for this host.  If you don't, your users will get a pop-up stating that the cert does not match the name of the host.
-Todd
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
cmulwilliamsAuthor Commented:
Todd,

Thanks. Is it secure to have an A record pointed to the external interface of my organization?
Is it possible and would it be better to add another IP address to the ASA just for remote access?
Thanks again.
0
 
tlamoniaCommented:
Sure you can use another IP for remote access, but look at the trade-offs- what you're doing is increasing the complexity of your configuration (harder to maintain), making it harder on your users (they will still get a pop-up), and not significantly increasing your security.

Using an A record is secure since you are using SSL to encrypt both the authentication (username/password) and the data.  As long as you have strong passwords and a good password policy, it should be fine.  As a standard rule (with or without A records), your firewall should be configured to only allow the necessary ports to the ASA server.  If you don't have a firewall, then you should use ACLs on your router and/or the ASA to only allow TCP port 443 and block unnecessary services/ports.  Put it this way, banks use SSL with published A records, so you should be fine.  Just make sure you block everything except port 443 incoming and your passwords are strong.  Here's a Microsoft site for password best practices:
http://technet2.microsoft.com/windowsserver/en/library/e903f7a2-4def-4f5f-9480-41de6010fd291033.mspx?mfr=true
-Todd
0
 
cmulwilliamsAuthor Commented:
Todd,

Thanks so much, we have a strong password policy and we've blocked all other ports so that should work for us. I appreciate the time you've taken to help with this.
0
 
tlamoniaCommented:
Anytime, let me know if you run into any other problems.  Take care.
-Todd
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now