The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, antivirus, antispyware, and firewall software installed on the host. The HostScan application, which is among the components delivered by the posture module, is the application that gathers this information.
On the adaptive security appliance (ASA), you can create a policy that evaluates endpoint attributes such as operating system, IP address, registry entries, local certificates, and filenames. Based on the result of the policy’s evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.
Starting with AnyConnect 3.0, the HostScan package becomes a shared component of the AnyConnect Secure Mobility client and Cisco Secure Desktop (CSD). Previously, the HostScan package was one of several components available only by installing CSD.
The purpose of separating the HostScan package from CSD is to allow you to update HostScan support charts more frequently than it was possible when they were delivered as part of CSD. The HostScan support charts contain the product name and version information of the antivirus, antispyware, and firewall applications used to assign Dynamic Access Policies (DAPs). We deliver the HostScan application and the HostScan support charts, as well as other components, in the HostScan package.
The standalone HostScan package and the HostScan package delivered with the posture module provide the same functionality. We provide a separate HostScan package so that you can update the HostScan support charts easily.
The HostScan package can now be delivered in one of three ways: with the AnyConnect Posture Module, with CSD, or as a standalone package. There are two types of AnyConnect posture modules: one version is pushed down by the ASA along with the AnyConnect installation and the other is configured as a pre-deployment module. The pre-deployment module can be installed on endpoints before they make their initial connection to the ASA.
In addition to identifying the operating system, antivirus, antispyware, and firewall software installed on the endpoint, the HostScan package delivers the components that perform the prelogin assessment, identify keystroke loggers, and detect host emulation and virtual machines running on the endpoint. Keystroke logger detection, host emulation detection, and virtual machine detection were also features of CSD and are now included in the HostScan package.
Still, the HostScan package is not a replacement for CSD. Customers that want cache cleaning or the Secure Vault will need to install and enable CSD in addition to the HostScan package. See http://www.cisco.com/en/US/products/ps6742/products_installation_and_configuration_guides_list.html to learn about the Secure Vault feature in the CSD Configuration Guides.
You can install, uninstall, enable, and disable HostScan using the ASA’s Adaptive Security Device Manager (ASDM) or command line interface. You can configure policies using the Secure Desktop Manager tool on the ASDM.
Posture assessment and the AnyConnect telemetry module require HostScan to be installed on the host.
HostScan works with the ASA to protect the corporate network as described in the workflow that follows:
1. The remote device attempts to establish an AnyConnect Client session with the ASA.
2. The ASA downloads HostScan to the endpoint ensuring that the ASA and the endpoint are using the same version of HostScan. The version of HostScan on the endpoint could either be upgraded or downgraded to match the version of HostScan on the ASA.
3. The prelogin assessment checks for the following on the endpoint:
– Operating system
– Presence or absence of any files you specify.
– Presence or absence of any registry keys you specify. This check applies only if the computer is running Microsoft Windows.
– Presence of any digital certificates you specify. This check also applies only if the computer is running Microsoft Windows.
– IPv4 or IPv6 addresses within a range you specify.
4. As the endpoint undergoes the prelogin assessment, HostScan gathers antivirus, firewall, and antispyware version information.
5. One of the following occurs, depending on the result of the prelogin assessment:
– The endpoint attributes do not meet the requirements of the prelogin assessment and the Login Denied message appears on the endpoint. In this case, interaction between the ASA and the endpoint stops.
– The endpoint attributes meet the requirements of the prelogin assessment. The prelogin assessment assigns a prelogin policy name to the endpoint and reports the name of the prelogin policy to the ASA. In this case, interaction between the ASA and the endpoint continues.
6. HostScan checks for keystroke loggers and host emulation on the remote computer, based on the configuration of the policy the remote computer was assigned after the assessment.
7. Antivirus, firewall, or antispyware remediation occurs if it is warranted and you have a license for Advanced Endpoint Assessment.
8. The user logs in.
9. The ASA typically uses the authentication data gathered in step 8 along with the endpoint attributes gathered in steps 3 and 4, which can include values such as the assigned prelogin policy and the HostScan results, to apply a dynamic access policy to the session.
10. Following the termination of the user session, HostScan terminates, and Cache Cleaner performs its cleanup functions.
Features Enabled with the AnyConnect Posture Module
Prelogin Assessment
The prelogin assessment runs after the user connects to the ASA, but before the user logs in. This assessment can check the remote device for files, digital certificates, the OS, IP address, and Microsoft Windows registry keys.
Secure Desktop Manager, the administrator interface to HostScan, provides a graphical sequence editor to simplify the configuration of the assessment module.
When configuring the assessment module, the HostScan administrator creates branches of nodes called sequences. Each sequence begins with the Start node, followed by an endpoint check. The result of the check determines whether to perform another endpoint check or to terminate the sequence with an end node.
The end node determines whether to display a Login Denied message, assign a policy to the device, or perform a secondary set of checks called a subsequence. A subsequence is a continuation of a sequence, typically consisting of more endpoint checks and an end node. This feature is useful to do the following:
- Reuse a sequence of checks in some cases but not others.
- Create a set of conditions that have an overall purpose that you want to document by using the subsequence name.
- Limit the horizontal space occupied by the graphical sequence editor.
Figure 5-1 Example of a Completed Assessment
The results of the checks of the assessment configured in the graphical sequence editor, Figure 5-1, determine whether the assessment results in the assignment of a particular policy or a denied remote access connection.
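The branching described above (Start node, endpoint checks, end nodes that deny, assign a policy, or continue into a reusable subsequence) is easier to see as a small model. The following is an added example, not HostScan or Cisco code; the check kinds, node names, file path, registry key, certificate subject, address range, policy names, and endpoints are all constructed for illustration, and the registry and certificate checks simply fail on non-Windows endpoints to reflect the Windows-only note above.

```python
# Added example, not HostScan or Cisco code: a model of a prelogin assessment
# sequence as drawn in the Secure Desktop Manager sequence editor. The check
# kinds, node names, paths, key names and endpoints below are all constructed.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Endpoint:  # constructed stand-in for the attributes HostScan reports
    os: str
    ip: str
    files: set = field(default_factory=set)
    registry_keys: set = field(default_factory=set)
    certificates: set = field(default_factory=set)

@dataclass
class Check:  # one endpoint check; the result selects the next node
    kind: str        # "os", "file", "registry", "cert" or "ip"
    value: str
    on_pass: object
    on_fail: object

@dataclass
class Deny:  # end node: Login Denied, interaction with the ASA stops
    pass

@dataclass
class Policy:  # end node: assign this prelogin policy and report it to the ASA
    name: str

@dataclass
class Subsequence:  # end node that continues into a shared set of checks
    name: str
    start: object

def evaluate(check, ep):
    # Registry and certificate checks apply only to Windows; here non-Windows fails them.
    windows = ep.os.startswith("Windows")
    if check.kind == "os":
        return ep.os.startswith(check.value)
    if check.kind == "file":
        return check.value in ep.files
    if check.kind == "registry":
        return windows and check.value in ep.registry_keys
    if check.kind == "cert":
        return windows and check.value in ep.certificates
    if check.kind == "ip":
        return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(check.value)
    raise ValueError(f"unknown check kind {check.kind!r}")

def run_sequence(node, ep):
    """Walk from Start to an end node; returns ('deny' or policy name, trail)."""
    trail = []
    while True:
        if isinstance(node, Deny):
            return "deny", trail
        if isinstance(node, Policy):
            return node.name, trail
        if isinstance(node, Subsequence):
            trail.append(f"subsequence:{node.name}")
            node = node.start
            continue
        passed = evaluate(node, ep)
        trail.append(f"{node.kind}={'pass' if passed else 'fail'}")
        node = node.on_pass if passed else node.on_fail

# Shared subsequence for hosts that are not corporate-managed: on the
# corporate address range they get a restricted policy, otherwise Public.
NON_CORPORATE = Subsequence(
    "NonCorporate",
    Check("ip", "10.0.0.0/8", Policy("Restricted"), Policy("Public")),
)

# Start -> OS check. A Windows host needs the asset-tag file, the management
# registry key and the machine certificate to get Corporate; any missing item
# drops into the shared NonCorporate subsequence (reused from three branches).
# Mac OS gets a default policy; anything else is denied.
START = Check(
    "os", "Windows",
    on_pass=Check(
        "file", r"C:\corp\asset.tag",
        on_pass=Check(
            "registry", r"HKLM\SOFTWARE\Corp\Managed",
            on_pass=Check(
                "cert", "CN=corp-machine-ca",
                on_pass=Policy("Corporate"),
                on_fail=NON_CORPORATE,
            ),
            on_fail=NON_CORPORATE,
        ),
        on_fail=NON_CORPORATE,
    ),
    on_fail=Check("os", "Mac OS", Policy("MacDefault"), Deny()),
)

def assess(ep):
    return run_sequence(START, ep)
```

The trail returned by assess() is the same information the sequence editor shows visually: which check failed and where the sequence was handed off to a subsequence. A Windows laptop without the asset-tag file on a home network, for example, follows os=pass, file=fail, subsequence:NonCorporate, ip=fail and ends with the Public policy.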
As you create each policy, Secure Desktop Manager adds a menu named after the policy. Each policy menu lets you assign unique settings to the policy. These settings determine whether Keystroke Logger Detection, Host Emulation Detection, or Cache Cleaner installs on remote devices that match the criteria assigned to the policy. Administrators typically assign these modules to non-corporate computers to prevent access to corporate data and files after the session is over.
For a complete discussion of configuring HostScan and policies, refer to these chapters of the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.6:
Figure 5-2 Policies
Keystroke Logger Detection
You can configure selected policies to scan for processes or modules that record keystrokes entered by the user, and deny VPN access if a suspected keystroke logging application is present.
By default, keystroke logger detection is disabled for each policy. You can use Secure Desktop Manager to enable or disable keystroke logger detection. You can specify the keystroke loggers that are safe or let the remote user interactively approve the ones that the scan identifies as a condition for running Cache Cleaner or HostScan on the remote computer.
If you enable it, keystroke logger detection downloads with Cache Cleaner or HostScan onto the remote computer. Following the download, keystroke logger detection runs only if the OS is Windows and the user login has administrator privileges.
The associated module runs only if the scan is clear, or if you assign administrative control to the user and the user approves the applications the scan identifies.
Note Keystroke logger detection applies to both user mode and kernel mode loggers as long as the end-user is logged in with administrator privileges.
Keystroke logger detection runs only on 32-bit Microsoft Windows OS’s. See the “Keystroke Logger Detection and Host Emulation Detection Supported Operating Systems” section.
Keystroke logger detection may be unable to detect every potentially malicious keystroke logger. It does not detect hardware keystroke logging devices.
Host Emulation Detection
Host emulation detection, another feature of policies, determines whether a remote Microsoft Windows operating system is running over virtualization software. You can use Secure Desktop Manager to enable or disable this feature, and deny access if a host emulator is present or report the detection to the user and let the user decide whether to continue or terminate.
By default, host emulation detection is disabled for each policy. If you enable it, it downloads with Secure Desktop, Cache Cleaner, or HostScan onto the remote computer. Following the download, host emulation detection runs first, along with keystroke logger detection if it is configured to do so. The associated module then runs if either of the following conditions is true:
- The host is not running over an emulator (or virtualization software).
- You did not configure it to always deny access, and the user approves of the detected host emulator.
See the “Keystroke Logger Detection and Host Emulation Detection Supported Operating Systems” section.
Keystroke Logger Detection and Host Emulation Detection Supported Operating Systems
Keystroke Logger Detection runs on the following operating systems:
- Windows 7 x86 (32-bit)
- Windows Vista SP1 and SP2 x86 (32-bit)
- Windows XP SP3 x86 (32-bit)
Host Emulation Detection runs on the following operating systems:
- Windows 7 x86 (32-bit) and x64 (64-bit)
- Windows Vista SP1 and SP2 x86 (32-bit) and x64 (64-bit)
- Windows XP SP3 x86 (32-bit) and x64 (64-bit)
Cache Cleaner
Cache Cleaner attempts to remove information from the browser cache at the end of a clientless SSL VPN session or after web-launching an AnyConnect Client session. This information includes entered passwords, auto-completed text, files cached by the browser, browser configuration changes made during the session, and cookies. Cache Cleaner is an alternative to Secure Desktop (Vault): it is functionally more limited, but it supports more operating systems.
Cache Cleaner runs on Microsoft Windows, Apple Mac OS, and Linux. For detailed system requirements, see the Cisco Secure Desktop Release Notes.
This is a typical sequence of events when Cache Cleaner has been deployed and the endpoint attempts to create a clientless SSL VPN connection or attempts to launch AnyConnect using web launch:
Step 1 The endpoint connects to the ASA when the user enters its URL in a browser.
Step 2 Hostscan performs the assessment.
Step 3 Assuming that the endpoint passes the assessment, AnyConnect authentication begins. The user may enter a password or use a certificate to authenticate.
Step 4 For users running Internet Explorer without the Clean the whole cache in addition to the current session cache (IE only) option enabled, and for users running Safari or Firefox, Cache Cleaner takes a snapshot of the browser’s cache approximately one minute after the user authenticates.
Step 5 As the user works, the browser caches information.
Step 6 When users logout of the VPN session:
- For users running Internet Explorer with Clean the whole cache in addition to the current session cache (IE only) enabled, Cache Cleaner attempts to delete the browser’s entire cache.
- For users running Internet Explorer without Clean the whole cache in addition to the current session cache (IE only) enabled, or running Safari or Firefox, Cache Cleaner attempts to delete all of the browser’s cache and then Cache Cleaner restores the snapshot it took of the cache.
Because the restored snapshot can include anything cached during that first minute after authentication, we recommend that you manually clean the browser’s cache after your session and then close the browser.
Note We recommend that Cache Cleaner be configured with the Clean the whole cache in addition to the current session cache (IE only) option enabled.
HostScan
HostScan is a package that installs on the remote device after the user connects to the ASA and before the user logs in. HostScan consists of any combination of the Basic HostScan module, Endpoint Assessment module, and Advanced Endpoint Assessment module based on the configuration set by the CSD administrator. HostScan runs on Microsoft Windows, Apple Mac OS X, and Linux. For detailed requirements, see System Requirements.
The HostScan package is bundled in these software packages:
- Cisco Secure Desktop (CSD). The ASA can deploy the HostScan package to the endpoint if CSD is enabled.
- AnyConnect package. The ASA can deploy the HostScan package to the endpoint if the AnyConnect package is configured as the HostScan package and HostScan is enabled.
- A pre-deployed posture module.
Note If HostScan was installed on the endpoint as part of a pre-deployed posture module but no HostScan package is enabled on the ASA, the HostScan package on the endpoint does not perform endpoint assessment when the endpoint connects to the ASA.
Basic HostScan Functionality
HostScan automatically identifies the operating system and service pack on any remote device establishing a Cisco clientless SSL VPN or AnyConnect client session when HostScan/CSD is enabled on the ASA.
You can also configure HostScan to inspect the endpoint for specific processes, files, registry keys, digital certificates, and IP addresses using Secure Desktop Manager, which is integrated with Adaptive Security Device Manager (ASDM) on the ASA.
HostScan performs all of these inspections before full tunnel establishment.
After HostScan gathers from the endpoint the operating system and service pack information along with the processes, files, registry keys, digital certificates, and IP addresses you configured it to gather, it sends this information to the ASA where it can be used to distinguish between corporate-owned, personal, and public computers. The information can also be used in assessments. See Prelogin Assessment for more information.
HostScan also automatically returns the following additional values for evaluation against configured DAP endpoint criteria:
- Microsoft Windows, Mac OS, and Linux builds
- Listening ports active on a connecting host running Microsoft Windows
- CSD components installed on the connecting host
- Microsoft Knowledge Base numbers (KBs)
For more information about DAP and Lua expressions see Integration with Dynamic Access Policies and Chapter 7, “Using Match Criteria to Configure Dynamic Access Policies” in Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.
Endpoint Assessment
Endpoint Assessment is a HostScan extension that examines the remote computer for a large collection of antivirus and antispyware applications, their associated definition updates, and firewalls. You can use this feature to combine endpoint criteria that must be satisfied before the ASA assigns a specific dynamic access policy (DAP) to the session. See Chapter 7, “Using Match Criteria to Configure Dynamic Access Policies” in Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators for more information on DAPs.
Advanced Endpoint Assessment - Antivirus, Antispyware, and Firewall Remediation
With the purchase of an Advanced Endpoint Assessment license installed on the ASA, you can use these advanced features of HostScan:
On Windows, Mac OS X, and Linux desktops, Advanced Endpoint Assessment can attempt to initiate remediation of various aspects of antivirus, antispyware and personal firewall protection if that software allows a separate application to initiate remediation.
Antivirus —Advanced Endpoint Assessment can attempt to remediate these components of antivirus software:
- Force File System Protection — If the antivirus software is disabled, Advanced Endpoint Assessment can enable it.
- Force Virus Definitions Update — If the antivirus definitions have not been updated in the number of days defined by the Advanced Endpoint Assessment configuration, Advanced Endpoint Assessment can attempt to initiate an update of virus definitions.
Antispyware — If the antispyware definitions have not been updated in the number of days defined by the Advanced Endpoint Assessment configuration, Advanced Endpoint Assessment can attempt to initiate an update of antispyware definitions.
Personal Firewall — The Advanced Endpoint Assessment module can attempt to reconfigure firewall settings and rules if they do not meet the requirements defined in the Advanced Endpoint Assessment configuration.
- The firewall can be enabled or disabled.
- Applications can be prevented from running or allowed to run.
- Ports can be blocked or opened.
Note Not all personal firewalls support this feature.
If the end user disables antivirus or personal firewall software after the VPN connection is established, Advanced Endpoint Assessment attempts to re-enable that application within approximately 60 seconds.
HostScan Support Charts
The HostScan support charts contain the product name and version information for the antivirus, antispyware, and firewall applications you use in your dynamic access policies.
In this release of the AnyConnect Secure Mobility Client, the HostScan package can be uploaded separately from Cisco Secure Desktop (CSD). This means you can deploy HostScan functionality without having to install CSD, and you are able to update your HostScan support charts by upgrading to the latest HostScan package.
You can download the HostScan support charts from cisco.com, here: http://www.cisco.com/en/US/products/ps10884/products_device_support_tables_list.html
These support charts can be viewed using Microsoft Excel, Microsoft Excel Viewer, or OpenOffice. Browsers such as Firefox, Chrome, and Safari provide the best download experience.
Configuring Antivirus Applications for HostScan
Before installing the posture module or HostScan package, configure your antivirus software to “white-list” or make security exceptions for the HostScan applications below. Antivirus applications can misinterpret the behavior of these applications as malicious.
Integration with Dynamic Access Policies
The ASA integrates the HostScan features into dynamic access policies (DAPs). Depending on the configuration, the ASA uses one or more endpoint attribute values in combination with optional AAA attribute values as conditions for assigning a DAP. The HostScan features supported by the endpoint attributes of DAPs include OS detection, policies, basic HostScan results, and endpoint assessment.
Note In order to enable HostScan features, you must have an AnyConnect Premium license installed on the ASA.
As an administrator, you can specify a single attribute or combine attributes to form the conditions required to assign a DAP to a session. The DAP provides network access at the level appropriate for the endpoint and AAA attribute values. The ASA applies a DAP only when all of its configured endpoint criteria are satisfied.
Note For a complete discussion about how you configure DAPs on the ASA using ASDM, find the Adaptive Security Device Manager (ASDM) Configuration Guide for your version of ASDM and read the chapter on “Configuring Dynamic Access Policies”.
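The rule that a DAP applies only when every one of its endpoint criteria holds, and that more than one DAP can match the same session, is shown below in a small model. This is an added example, not ASA code: the criterion kinds, DAP names, product names, port, placeholder KB string, and endpoint records are all constructed; only the fallback name DfltAccessPolicy is the ASA's own default DAP. On the ASA, the criteria themselves are entered in the ASDM DAP editor or as Lua expressions, and this model does not reproduce that syntax.

```python
# Added example, not ASA code: a model of how the ASA selects dynamic access
# policies from the attributes HostScan returns. Criterion kinds, DAP names,
# product names, port and the KB placeholder are constructed; only the
# default policy name DfltAccessPolicy is the ASA's own.
from dataclasses import dataclass, field

@dataclass
class HostScanResult:  # constructed stand-in for the attributes sent to the ASA
    os: str
    policy: str = ""                                  # assigned prelogin policy
    av: dict = field(default_factory=dict)            # product -> days since definitions update
    fw: dict = field(default_factory=dict)            # product -> enabled?
    listening_ports: set = field(default_factory=set)
    kbs: set = field(default_factory=set)             # installed Microsoft KB numbers

@dataclass
class DAP:
    name: str
    priority: int
    criteria: list   # (kind, arg) pairs; every one must hold for the DAP to apply

def criterion_holds(kind, arg, ep):
    if kind == "os":
        return ep.os.startswith(arg)
    if kind == "policy":
        return ep.policy == arg
    if kind == "av_current":          # arg = (product, max_days)
        product, max_days = arg
        return product in ep.av and ep.av[product] <= max_days
    if kind == "av_stale":            # product present but definitions too old
        product, max_days = arg
        return product in ep.av and ep.av[product] > max_days
    if kind == "fw_enabled":
        return ep.fw.get(arg, False)
    if kind == "port_open":
        return arg in ep.listening_ports
    if kind == "kb_installed":
        return arg in ep.kbs
    raise ValueError(f"unknown criterion {kind!r}")

def matching_daps(daps, ep):
    """Names of the DAPs whose endpoint criteria all hold, highest priority
    first. With no match the ASA falls back to DfltAccessPolicy."""
    hits = [d for d in daps
            if all(criterion_holds(kind, arg, ep) for kind, arg in d.criteria)]
    hits.sort(key=lambda d: d.priority, reverse=True)
    return [d.name for d in hits] or ["DfltAccessPolicy"]

# Constructed DAP set: full access for managed hosts with current AV, an
# enabled firewall and a required patch; a remediation policy for hosts whose
# AV definitions are stale; a high-priority deny for hosts exposing RDP.
DAPS = [
    DAP("Corporate-Full", 30, [
        ("policy", "Corporate"),
        ("av_current", ("ExampleAV", 3)),
        ("fw_enabled", "ExampleFW"),
        ("kb_installed", "KB-PLACEHOLDER"),
    ]),
    DAP("Remediate-StaleAV", 20, [
        ("os", "Windows"),
        ("av_stale", ("ExampleAV", 3)),
    ]),
    DAP("Deny-ListeningRDP", 40, [
        ("os", "Windows"),
        ("port_open", 3389),
    ]),
]

def select(ep):
    return matching_daps(DAPS, ep)
```

A managed Windows host with one-day-old definitions, an enabled firewall and the required patch matches only Corporate-Full; the same host with ten-day-old definitions fails the av_current criterion and falls into Remediate-StaleAV instead; if it also has port 3389 listening, both Deny-ListeningRDP and Corporate-Full match and the higher-priority deny policy is listed first. The ASA goes on to combine the attributes of every matching DAP, using priority to resolve conflicts; this model stops at the ordered list of matches.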
Installing and Enabling HostScan on the ASA
These tasks describe installing and enabling HostScan on the ASA:
Downloading the Latest HostScan Engine Update
To download the latest Cisco HostScan Engine Updates, you must be a registered user of Cisco.com.
Step 1 Click this link to reach the software download area for Cisco VPN Client Tools:
Step 2 Expand Latest Releases in the product directory tree.
Step 3 Click Engine Updates.
Step 4 In the column on the right, find the latest version of hostscan_3.0.xxxx-k9.pkg and click Download Now.
Step 5 Enter your cisco.com credentials and click Login.
Step 6 Click Proceed with Download.
Step 7 Read the End User License Agreement and click Agree.
Step 8 Select a download manager option and click the download link to proceed with the download.
Installing or Upgrading HostScan
Use this procedure to upload, or upgrade, and enable a new HostScan image on the ASA. Use the image to enable HostScan functionality for AnyConnect or upgrade the HostScan support charts for an existing deployment of Cisco Secure Desktop (CSD).
You can specify either a standalone HostScan package or an AnyConnect Secure Mobility Client version 3.0 or later package as the HostScan image.
If you previously uploaded a CSD image to the ASA, the HostScan image you specify will upgrade or downgrade the existing HostScan files that were delivered with that CSD package.
You do not need to restart the security appliance after you install or upgrade HostScan; however, you must exit and restart Adaptive Security Device Manager (ASDM) to access the Secure Desktop Manager tool in ASDM.
Note HostScan requires an AnyConnect Secure Mobility Client premium license.
Step 1 Download the latest version of the HostScan package using Downloading the Latest HostScan Engine Update.
Note You will need to have an account on Cisco.com and be logged in to download the software.
Step 2 Open ASDM and choose Configuration > Remote Access VPN > HostScan Image. ASDM opens the HostScan Image panel (Figure 5-3).
Figure 5-3 HostScan Image Panel
Step 3 Click Upload to prepare to transfer a copy of the HostScan package from your computer to a drive on the ASA.
Step 4 In the Upload Image dialog box, click Browse Local Files to search for the HostScan package on your local computer.
Step 5 Select the hostscan_<version>-k9.pkg file or anyconnect-win-<version>-k9.pkg file you downloaded in Step 1 and click Select. The path to the file you selected appears in the Local File Path field, and the Flash File System Path field shows the destination path of the HostScan package. If your ASA has more than one flash drive, you can edit the Flash File System Path to indicate another flash drive.
Step 6 Click Upload File. ASDM transfers a copy of the file to the flash card. An Information dialog box displays the following message:
File has been uploaded to flash successfully.
Step 7 Click OK.
Step 8 In the Use Uploaded Image dialog, click OK to use the HostScan package file you just uploaded as the current image.
Step 9 Check Enable HostScan/CSD if it is not already checked.
Step 10 Click Apply.
Note If AnyConnect Essentials is enabled on the ASA, you receive a message that HostScan and CSD will not work with it. You have the choice to Disable or Keep AnyConnect Essentials.
Step 11 Click Save.
Enabling or Disabling HostScan on the ASA
When you first upload or upgrade a HostScan image using ASDM, you enable the image as part of that procedure. See the “Installing and Enabling HostScan on the ASA” section.
Otherwise, to enable or disable a HostScan image using ASDM, follow this procedure:
Step 1 Open ASDM and choose Configuration > Remote Access VPN > HostScan Image. ASDM opens the HostScan Image panel (Figure 5-3).
Step 2 Check Enable HostScan/CSD to enable HostScan or uncheck Enable HostScan/CSD to disable HostScan.
Step 3 Click Apply.
Step 4 Click Save.
Enabling or Disabling CSD on the ASA
Enabling Cisco Secure Desktop (CSD) loads the CSD configuration file and data.xml from the flash device to the running configuration. Disabling CSD does not alter the CSD configuration.
Use ASDM to enable or disable CSD as follows:
Step 1 Choose Configuration > Remote Access VPN > Secure Desktop Manager > Setup.
ASDM opens the Setup pane (Figure 5-3).
Note The Secure Desktop Image field displays the image (and version) that is currently installed. The Enable Secure Desktop check box indicates whether CSD is enabled.
Step 2 Check Enable Secure Desktop to enable CSD or uncheck Enable Secure Desktop to disable CSD.
Step 3 Close ASDM. A window displays the following message:
The configuration has been modified. Do you want to save the running configuration to flash memory?
Step 4 Click Save. ASDM saves the configuration and closes.
Uninstalling the HostScan Package
Uninstalling the HostScan package removes it from view on the ASDM interface and prevents the ASA from deploying it even if HostScan or CSD is enabled. Uninstalling HostScan does not delete the HostScan package from the flash drive.
Use this procedure to uninstall HostScan on the security appliance:
Step 1 Open ASDM and select Configuration > Remote Access VPN > HostScan Image.
Step 2 In the HostScan Image pane, click Uninstall. ASDM removes the text from the Location text box.
Step 3 Click Save.
Uninstalling CSD from the ASA
Uninstalling Cisco Secure Desktop (CSD) removes the CSD configuration file, data.xml, from the desktop directory on the flash card. If you want to retain the file, copy it using an alternative name or download it to your workstation before you uninstall CSD.
Use this procedure to uninstall CSD on the security appliance:
Step 1 Open ASDM and choose Configuration > Remote Access VPN > Secure Desktop Manager > Setup.
ASDM opens the Setup pane (Figure 5-3).
Step 2 Click Uninstall.
A confirmation window displays the following message:
Do you want to delete disk0:/csd_<n>.<n>.*.pkg and all CSD data files?
Step 3 Click Yes.
ASDM removes the text from the Location text box and removes the Secure Desktop Manager menu options below Setup.
Step 4 Close ASDM. A window displays the following message:
The configuration has been modified. Do you want to save the running configuration to flash memory?
Step 5 Click Save. ASDM saves the configuration and closes.
Assigning AnyConnect Posture Module to a Group Policy
Step 1 Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
Step 2 In the Group Policies panel, click Add to create a new group policy or select the group policy to which you want to assign the HostScan package and click Edit.
Step 3 In the Edit Internal Group Policy panel, expand the Advanced navigation tree on the left side of the panel and select AnyConnect Client.
Step 4 Uncheck the Optional Client Modules to Download Inherit checkbox.
Step 5 In the Optional Client Modules to Download drop-down menu, check AnyConnect Posture Module and click OK.
Step 6 Click OK.
Configuring the Logging Level for All Posture Module Components
By default, components in the posture module log “Error” severity level events. Use these instructions to change the logging severity level for all components of the posture module.
The posture module installs the cscan.log file in the user’s home folder. The cscan.log file shows only the entries from the last VPN session. Each time the user connects to the ASA, HostScan overwrites the entries in this file with new logging data.
To view or change the posture logging level:
Step 1 From the ASDM interface select Configuration > Remote Access VPN > Secure Desktop Manager > Global Settings. The Global Settings panel opens.
Step 2 Set the Logging Level using the Logging Level Definitions in the panel as a guide.
Step 3 Click Apply All to save the changes to the running configuration.
Note If HostScan is disabled for a particular connection profile, HostScan logging does not occur for users of that connection profile.
Posture Module Log Files and Locations
Posture module components write up to three logs, depending on your operating system, privilege level, and launching mechanism (Web Launch or AnyConnect):
- cstub.log - Captures logging when AnyConnect web launch is used.
- libcsd.log - Created by the AnyConnect thread that uses the HostScan API. Debug entries are written to this log depending on the configured logging level.
- cscan.log - Created by the scanning executable (cscan.exe) and is the main log for posture and HostScan. Debug entries are written to this log depending on the configured logging level.
The posture module puts these log files in the user’s home folder. The location is dependent on the operating system and VPN method.
The Cisco Technical Assistance Center (TAC) uses these log files to debug problems if the need arises. You do not normally need to review these files. Should Cisco TAC need them, you will be asked to provide a DART bundle. The DART utility collects all the necessary AnyConnect configuration and log files and stores them in a compressed file, which you then send to TAC. See the “Using DART to Gather Troubleshooting Information” section for more information about DART.