topic Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans? in General Topics

Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

ericgearhart — Sun, 14 Apr 2013 17:37:03 GMT

What I mean by the title of this discussion is that when the GlobalProtect client goes to initiate an SSL VPN session, instead of prompting the user to "cancel or continue," can the client respond to the user with something like "Invalid certificate detected. Due to security concerns your connection cannot be established at this time. Please call the Security Operations Center at 888-555-1212 for assistance with remote VPN connectivity or with any questions."

I'd rather not ask the user to choose, because it's highly likely they'll just click "Continue," opening themselves up for a Man-in-the-Middle attack.

It's trivially easy to do SSL man in the middle nowadays (http://mitmproxy.org/ is one example) so I'd rather them not connect then possibly have their entire VPN session captured by a 'bad guy.'

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

ericgearhart — Sun, 14 Apr 2013 17:39:07 GMT

Also this kind of plugs into another issue with GlobalProtect, in that policy is completely reset when the user reboots. When they reboot, even if there was a way to push this setting to the GP client, the setting would be turned back off on reboot until the user VPNs back in. Not good.

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

ericgearhart — Mon, 15 Apr 2013 22:57:30 GMT

This is essentially what I mean... this is Cisco's AnyConnect and the dialog it presents when there's an invalid certificate:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp43939

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

ericgearhart — Mon, 15 Apr 2013 23:27:27 GMT

Also the dialog can be disabled, and the AnyConnect client can be configured to simply not connect after throwing an error:

Improved Security Behavior


When the client accepts an invalid server certificate, that certificate is saved in the client's certificate store. Previously, only the thumbprint of the certificate was saved. Note that invalid certificates are saved only when the user has elected to always trust and import invalid server certificates.

There is no administrative override to make the end user less secure automatically. To completely remove the preceding security decisions from your end users, enable Strict Certificate Trust in the user's local policy file. When Strict Certificate Trust is enabled, the user sees an error message, and the connection fails; there is no user prompt.

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

gwesson — Thu, 18 Apr 2013 16:14:56 GMT

GlobalProtect does not have a way to enforce strict checking. While it will throw an error as you mention, the user is free to make the decision about it.

This seems to me like a useful feature, and I would recommend working with your account team to submit a feature request to see if this can be added.

Best regards,

Greg

Re: Is there a way to force the GlobalProtect client to not connect if the client sees certificate shenanigans?

ericgearhart — Thu, 18 Apr 2013 17:02:27 GMT

Honestly Greg at this point we're looking to buy a pair of ASAs and go the AnyConnect route for remote user VPN access.

If you guys ("you guys" being PA) feel it's useful and a feature that makes sense, I'd ask that you guys go ahead and put in an FR/bug report/whatever for it.

I hate to sound so negative or sour, but GlobalProtect didn't live up to our expectations.