Cisco AnyConnect Client Trusted Network Detection Feature: True Statements

CCIE Security Exam 400-251 | Cisco | AnyConnect | Trusted Network Detection


Question

Which two statements about the Cisco AnyConnect client Trusted Network Detection feature are true? (Choose two.)

Answers

BC.

Explanations

The Cisco AnyConnect client Trusted Network Detection (TND) feature allows organizations to apply different network access policies based on whether the endpoint is in a trusted or untrusted network. The feature relies on DNS and DHCP servers to detect the network status of the endpoint. Here are the explanations for the given options:

A. The statement is false. The TND feature uses both DNS and DHCP servers to detect the network status of the endpoint. AnyConnect resolves a domain name through the DNS server when it attempts to reach the secure gateway. If the DNS server returns the expected IP address, AnyConnect considers the endpoint to be in a trusted network; if the DNS resolution fails, AnyConnect considers the endpoint to be in an untrusted network.

B. The statement is true. An attacker can potentially host a malicious DHCP server and return data that triggers the client to believe that it resides in a trusted network. For example, the attacker could configure the DHCP server to return the same IP address that the DNS server returns for the trusted network. AnyConnect would then assume that the endpoint is in a trusted network and apply the corresponding access policies. This attack vector is known as DHCP spoofing.

C. The statement is true. If an attacker knows the DNS server value that is configured in the Cisco AnyConnect profile and provisions the DHCP server to return both a real and spoofed value, then Cisco AnyConnect may consider the endpoint to be in an untrusted network. For example, the attacker could configure the DHCP server to return two IP addresses, one for the trusted network and one for the attacker's network. AnyConnect would then assume that the endpoint is in an untrusted network and apply the corresponding access policies.

D. The statement is false. The TND feature can automatically establish a VPN connection when the user is outside the trusted network. This feature is called Trusted Network Connect (TNC). With TNC, the AnyConnect client can initiate a VPN connection automatically when it detects that the endpoint is in an untrusted network. The client can also verify the posture of the endpoint and enforce access policies before granting network access.

In summary, options B and C are the correct answers. An attacker can potentially use DHCP spoofing to bypass the TND feature and trick AnyConnect into believing that the endpoint is in a trusted network. The TND feature can also automatically establish a VPN connection when the user is outside the trusted network, contrary to option D.
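The following is an added example, not Cisco AnyConnect code and not part of the original question page. It models the decision described in options B and C: the client compares DNS values the endpoint received through DHCP against values in its profile, so the outcome is only as trustworthy as the DHCP lease. The profile field names, the sample addresses, the "require all servers" switch and the certificate-pinned HTTPS probe in the hardened variant are all assumptions of this model; the probe illustrates the kind of cross-check a defender would want that does not depend on DHCP-supplied data.

```python
"""Constructed model of a Trusted Network Detection (TND) decision.

Added example, not AnyConnect code. Field names, addresses and the
certificate-pinned probe are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Lease:
    """DNS settings an endpoint obtained from DHCP (constructed values)."""
    dns_servers: List[str]
    dns_suffix: str


@dataclass(frozen=True)
class TndProfile:
    """Hypothetical profile fields; names are assumptions, not AnyConnect XML."""
    trusted_dns_servers: Set[str]
    trusted_dns_domains: Set[str]
    # Internal HTTPS probe URL and pinned SHA-256 certificate fingerprint;
    # used only by the hardened check below.
    probe_url: Optional[str] = None
    probe_cert_sha256: Optional[str] = None


def dns_based_decision(profile: TndProfile, lease: Lease,
                       require_all_servers: bool = False) -> str:
    """Return 'trusted' or 'untrusted' from DHCP-supplied DNS data alone.

    With require_all_servers=False one matching server is enough, so a lease
    mixing a real and a rogue server still reads as trusted; with True every
    server must be known, so the same mixed lease reads as untrusted.
    """
    servers = lease.dns_servers
    matcher = all if require_all_servers else any
    server_ok = bool(servers) and matcher(s in profile.trusted_dns_servers for s in servers)
    domain_ok = lease.dns_suffix.lower() in {d.lower() for d in profile.trusted_dns_domains}
    return "trusted" if server_ok and domain_ok else "untrusted"


def hardened_decision(profile: TndProfile, lease: Lease,
                      https_probe: Callable[[str], Optional[str]]) -> str:
    """Require the DNS match AND a certificate-validated probe of an internal host.

    https_probe(url) stands in for a TLS connection and returns the SHA-256
    fingerprint of the certificate the server presented, or None when the
    host is unreachable. A rogue network can copy DHCP values, but it cannot
    present the pinned certificate without the matching private key.
    """
    if dns_based_decision(profile, lease) != "trusted":
        return "untrusted"
    if not profile.probe_url or not profile.probe_cert_sha256:
        return "untrusted"  # fail closed if the profile carries no probe
    seen = https_probe(profile.probe_url)
    return "trusted" if seen == profile.probe_cert_sha256 else "untrusted"


# --- constructed scenario (all values are made up for this example) ---------
PROFILE = TndProfile(
    trusted_dns_servers={"10.1.1.53"},
    trusted_dns_domains={"corp.example"},
    probe_url="https://tnd-probe.corp.example/",
    probe_cert_sha256="a" * 64,  # placeholder pin, not a real fingerprint
)
CORP_LEASE = Lease(["10.1.1.53"], "corp.example")
ROGUE_LEASE = Lease(["10.1.1.53"], "corp.example")  # rogue DHCP copying the trusted values
MIXED_LEASE = Lease(["10.1.1.53", "192.0.2.53"], "corp.example")  # real plus unknown server


def corp_probe(url: str) -> Optional[str]:
    """On the real corporate network the probe host presents the pinned cert."""
    return "a" * 64 if url == PROFILE.probe_url else None


def rogue_probe(url: str) -> Optional[str]:
    """On the rogue network the name resolves, but the cert fingerprint differs."""
    return "f" * 64 if url == PROFILE.probe_url else None


def run_scenarios() -> Dict[str, str]:
    """Evaluate each lease with the DNS-only check and the hardened check."""
    return {
        "corp_dns": dns_based_decision(PROFILE, CORP_LEASE),
        "rogue_dns": dns_based_decision(PROFILE, ROGUE_LEASE),
        "mixed_any": dns_based_decision(PROFILE, MIXED_LEASE),
        "mixed_all": dns_based_decision(PROFILE, MIXED_LEASE, require_all_servers=True),
        "corp_hardened": hardened_decision(PROFILE, CORP_LEASE, corp_probe),
        "rogue_hardened": hardened_decision(PROFILE, ROGUE_LEASE, rogue_probe),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16s} {verdict}")
```

The DNS-only check cannot distinguish the corporate lease from the rogue one because both carry identical values, which is the weakness option B describes; whether the mixed lease of option C reads as trusted or untrusted depends entirely on the matching rule, which is why the outcome there is uncertain. The hardened variant fails closed and only reports "trusted" when an internal host proves possession of a pinned certificate, a property a DHCP lease cannot forge.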