topic Re: Better way to protect the edge in Network Security

Better way to protect the edge

Carl Fitzsimmons — Mon, 27 Feb 2023 19:38:15 GMT

I have what I thought was going to be relatively easy task. Our syslog server logs more than 20,000 login attempts in 48 hours to log in using a variety of root, admin, administrator and random email accounts. While all have been prevented it may only be a matter of time before they are successful.

The network has an edge router C892FSP-K9 with several port forwarding statements for mail and a few other network services needed outside the office.

I moved ahead taking the logs and converting high occurrence attacks into an ACL and placing that on our edge egress interface a Cisco C892FSP-K9.

What happens is that we get a short lived benefit and then hammered again from new IPs.

I am rethinking the ACL solution I am currently using which uses a single IP Address DENY statement, one after the other, in an ACL list that is now hundreds of lines in length with at this time no apparent end in sight. I am think that there must be a better way to implement protection. The site does not want to move to an ASA device so I will need to implement using the C892FSP-K9.

So I am seeking a different way to implement edge security to stop such attacks and looking for some input on how to proceed.

Thanks

Re: Better way to protect the edge

Rob Ingram — Mon, 27 Feb 2023 20:41:42 GMT

@Carl Fitzsimmons perhaps consider the TCP intercept feature on IOS routers.

https://content.cisco.com/chapter.sjs?uri=%2Fsearchable%2Fchapter%2Fcontent%2Fen%2Fus%2Ftd%2Fdocs%2Fios-xml%2Fios%2Fsec_data_dos_atprvn%2Fconfiguration%2Fxe-16-10-1%2Fsec-data-dos-atprvn-xe-16-11-1%2Fsec-cfg-tcp-intercpt.html.xml&platform=Cisco%20IOS%20Software&release=IOS%20XE%20Gibraltar%2016.11.x

https://www.ciscopress.com/articles/article.asp?p=345618&seqNum=3

A Zone-Based Firewall (ZBFW) might be better than ACL, but a proper firewall would obviously be better.

Re: Better way to protect the edge

Leo Laohoo — Mon, 27 Feb 2023 22:37:29 GMT

How big is the WAN link?

Re: Better way to protect the edge

Carl Fitzsimmons — Wed, 01 Mar 2023 14:30:40 GMT

I will check this out

Re: Better way to protect the edge

Carl Fitzsimmons — Wed, 01 Mar 2023 14:31:13 GMT

Cable at 400Mb

Re: Better way to protect the edge

Marvin Rhoads — Wed, 01 Mar 2023 15:29:49 GMT

I wouldn't chase router security options for this use case. If the business won't sponsor a proper enterprise firewall like a Cisco Secure 1000 series (or Fortinet/Palo Alto etc.) then even pfSense running on Netgate would work ok - and MUCH better than even an expertly tuned router.

http://www.netgate.com/pfsense-plus-software/how-to-buy

Re: Better way to protect the edge

Leo Laohoo — Wed, 01 Mar 2023 22:25:57 GMT

@Carl Fitzsimmons wrote:
Cable at 400Mb

A puny 89x router will not be able to push beyond 50 Mbps with "vanilla" config.