Protecting your Cisco AnyConnect VPN from unauthorized access or malicious attacks is one of the first things you should do after installing the VPN on your infrastructure. As cyber-attacks continue to rise, companies with better cybersecurity procedures in place will feel the effects of ransomware demands less than companies without them.
The top cybersecurity control you should consider adding is multi-factor authentication (MFA). Below are the steps to ensure you’ve fully enabled MFA for your Cisco AnyConnect VPN.
What is Multi-Factor Authentication (MFA)?
MFA, also known as 2FA (two-factor authentication), is a digital security tool that verifies a user’s identity using two or more methods. Users are asked to present something they know (like a password) as well as something they have (such as a hardware token or an OTP generated by an authenticator app) or something they are (like a biometric scan) in order to gain entry to that digital asset.
Why should you add MFA to your Cisco AnyConnect VPN?
As remote and hybrid work environments continue in many industries, using a Cisco AnyConnect VPN to access the company network remotely is a common way of adding security for remote workers. Even VPNs can be attacked, though, and a VPN without proper security controls in place can give a company a false sense of security.
By requiring an additional layer of security to access a critical asset, like a VPN or firewall, MFA helps ensure that the only people who are accessing that digital location or asset are the ones who should be. MFA is a cost-effective and simple way to add significant security to your network. Increasingly, MFA is becoming a table-stakes requirement for companies in many industries and for many reasons, such as cyber insurance, so getting ahead of the game by implementing it soon is in many companies’ best interest.
How MFA Works When Cisco MFA is Enabled
Many administrators and end-users have concerns about how their organizational processes will change once additional security measures, such as MFA, are implemented. MFA doesn’t need to be a cumbersome process, though. It can be enabled to be as frictionless as possible for end-users, and intuitive so that administrators are not inundated with overwhelming support tickets from users.
This is an example of how the log-in process for the Cisco AnyConnect VPN would work with MFA enabled.
- Step 1: The user opens their Cisco application and enters their first-factor login credentials, which are verified by the system.
- Step 2: Once approved, the user receives a prompt to enter the second form of authentication, whether a one-time passcode from an authenticator app or hardware token, or a code sent via SMS or email. A push notification authentication method can also be enabled to send access requests with app notifications.
- Step 3: Finally, the user enters the code or accepts the request, and as long as the entered code is correct, they are granted access to the system.
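The server side of these three steps can be sketched as follows. This is an added example, not Cisco's or any MFA provider's code: it assumes the second factor is an authenticator-app code (TOTP, RFC 6238), and the class, method names and sample secret are hypothetical. It shows two checks the steps imply but do not spell out: the code is only considered after the first factor has passed, and a code that has been accepted once is rejected if presented again.

```python
import base64, hashlib, hmac, os, struct

STEP, DIGITS, DRIFT = 30, 6, 1   # RFC 6238 defaults; tolerate +/-1 step of clock drift
# Constructed sample secret (the RFC 6238 test key), not a real enrollment.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, counter):
    """Code for one 30-second time step (HOTP, RFC 4226, HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class VpnLogin:
    """Hypothetical per-user login state; names are illustrative."""
    def __init__(self, password, secret_b32):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.secret = secret_b32
        self.first_factor_ok = False
        self.last_counter = -1                      # newest time step already used

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def step1_password(self, password):
        """Step 1: verify the first factor in constant time."""
        self.first_factor_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        return self.first_factor_ok

    def step3_code(self, code, now):
        """Steps 2-3: accept the OTP only after step 1, and only once."""
        if not self.first_factor_ok:
            return False
        self.first_factor_ok = False                # one code attempt per password check
        current = int(now) // STEP
        for counter in range(current - DRIFT, current + DRIFT + 1):
            if counter <= self.last_counter:        # already used (or before time zero)
                continue
            expected = totp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter         # block replay of this and older codes
                return True
        return False
```

In a real deployment this verification is performed by the MFA service, which is also where per-user attempt limits and lockout belong.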
How To Protect Your Cisco AnyConnect VPN with MFA
The steps for adding MFA to your Cisco AnyConnect VPN are straightforward and can be performed by your IT network administrator. It’s best practice to follow the detailed steps provided to you by your MFA provider, but here are some things you may want to familiarize yourself with before starting the process:
- Credentials and permissions: Ensure you have the correct permissions with your credentials to make the changes necessary to your Cisco AnyConnect VPN.
- Installations and downloads: Most third-party MFA providers require you to download and install some type of connector in order to connect the MFA service to your VPN. Make a list of all the items you’ll need to install.
- Ports: Understand which ports you will need to open and access in order for the MFA service to communicate with the Cisco AnyConnect VPN. Again, your MFA solution provider should have this list on hand, so feel free to ask for help.
- Virtual machine: Some MFA solutions will require a virtual machine to run, so ensure you are familiar with and comfortable using your company’s virtual machine.
- Configuration: Make some decisions about how you want to configure your MFA solution, and whether you’ll be using Active Directory or other SSO services for first-factor credentials.
Now that your Cisco AnyConnect VPN is secured with MFA and rolled out to your users, you can rely on the strength and security of your VPN to protect traffic on your network and reduce the likelihood of data breaches and ransomware attacks that come from credential theft and compromise.