We have an MX100 with AnyConnect enabled. I saw hundreds of AnyConnect VPN connection events per day in the MX event log from a lot of unknown sources. First an SSL connection is established (Cipher: xxxx); a few seconds later the connection is closed. Is it normal for so many attacks on AnyConnect per day? Are there existing tools to scan a network for AnyConnect servers? How do you rate the risk of being hacked via AnyConnect? How secure is AnyConnect?
Every system connected to the internet presenting services to the outside world will be automatically hit by scanners, misfits, etc. all the time. Normally they'll be scanning for easier-to-abuse targets, but there are definitely those hunting for AnyConnect servers out there.
Understandable, as AnyConnect has had a few security issues. Compared to other services, the risk is not that high, as Cisco is often very quick in patching those issues. But hey, there's nothing that comes risk-free. 😉
I've been trying to advocate for the need for something similar to Fail2Ban to provide more peace of mind for our customers using AnyConnect, given that TCP 443 is indeed such a common target of automatic probes on the internet.
If this is a feature request you'd like to see, please submit it through the official channels on Dashboard, as that's the sort of thing we'd need for it to get more traction/consideration in terms of dev roadmaps.
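Since the MX itself has no Fail2Ban-style feature, one thing a defender can do today is post-process the exported event log and flag sources that repeatedly open a TLS session and drop it within seconds without ever authenticating. The script below is an added example, not code from this thread, from Meraki or from Cisco; the log line format (`anyconnect src=... event="..."`) and the event strings other than the "SSL Connection is established: Cipher:" message quoted in the question are constructed assumptions, so adapt `LINE_RE` to whatever your actual export looks like. The flagged list is meant to feed an alert or a manual review, not an automatic block.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real MX export): one source repeatedly completes a
# TLS handshake and closes within seconds, one real user authenticates, and one
# source shows a single short probe.
SAMPLE_LOG = """\
2024-05-01 08:00:01 anyconnect src=203.0.113.10 event="SSL Connection is established: Cipher: ECDHE-RSA-AES256-GCM-SHA384"
2024-05-01 08:00:04 anyconnect src=203.0.113.10 event="connection closed"
2024-05-01 08:00:09 anyconnect src=203.0.113.10 event="SSL Connection is established: Cipher: ECDHE-RSA-AES256-GCM-SHA384"
2024-05-01 08:00:11 anyconnect src=203.0.113.10 event="connection closed"
2024-05-01 08:00:20 anyconnect src=203.0.113.10 event="SSL Connection is established: Cipher: ECDHE-RSA-AES256-GCM-SHA384"
2024-05-01 08:00:22 anyconnect src=203.0.113.10 event="connection closed"
2024-05-01 08:15:00 anyconnect src=198.51.100.7 event="SSL Connection is established: Cipher: ECDHE-RSA-AES256-GCM-SHA384"
2024-05-01 08:15:02 anyconnect src=198.51.100.7 event="user alice authenticated"
2024-05-01 09:40:31 anyconnect src=198.51.100.7 event="connection closed"
2024-05-01 10:05:00 anyconnect src=192.0.2.55 event="SSL Connection is established: Cipher: ECDHE-RSA-AES256-GCM-SHA384"
2024-05-01 10:05:03 anyconnect src=192.0.2.55 event="connection closed"
"""

# Assumed line layout: "<date> <time> anyconnect src=<ip> event=\"<text>\"".
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) anyconnect '
    r'src=(?P<src>\S+) event="(?P<event>[^"]*)"$'
)


def parse(log_text):
    """Yield (timestamp, source, event) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["event"]


def summarize(log_text, short_secs=10):
    """Per source: handshakes seen, sessions closed within short_secs without
    authentication, and authenticated sessions."""
    open_at = {}  # source -> time of the most recent handshake still open
    stats = defaultdict(lambda: {"connects": 0, "short_closes": 0, "auth": 0})
    for ts, src, event in parse(log_text):
        if event.startswith("SSL Connection is established"):
            stats[src]["connects"] += 1
            open_at[src] = ts
        elif "authenticated" in event:
            # A real user logged in; this session is not a probe.
            stats[src]["auth"] += 1
            open_at.pop(src, None)
        elif event == "connection closed":
            started = open_at.pop(src, None)
            if started is not None and (ts - started).total_seconds() <= short_secs:
                stats[src]["short_closes"] += 1
    return dict(stats)


def flag_sources(log_text, threshold=3, short_secs=10):
    """Sources with at least `threshold` short unauthenticated sessions and no
    successful login: the candidate list a Fail2Ban-style rule would act on."""
    return sorted(
        src
        for src, s in summarize(log_text, short_secs).items()
        if s["auth"] == 0 and s["short_closes"] >= threshold
    )


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(src, s)
    print("review candidates:", flag_sources(SAMPLE_LOG))
```

Sessions that end in an authentication are excluded so a legitimate user with a flaky link is not flagged; tune `threshold` and `short_secs` against a day of your own log before acting on the output.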
I had the same problem, but after changing the AnyConnect connection port (to something other than the default port 443) I no longer have any unwanted connections. Scanners usually use the default port 443 to attack, so it's best to change it.