topic Re: block ip addresses that try to brute force into VPN in Network Security

block ip addresses that try to brute force into VPN

mikeyasg — Fri, 28 Apr 2023 06:48:13 GMT

Hello,

Starting from the last three weeks these IP Addresses are attempting to VPN into our network. In the ISE LiveLogs we can see that there are multiple attempts from these ip addresses. These IP addresses were added to the prefilter block rule on the FTD firewall. But still the authentication traffic is reaching the ISE server. shouldn't it be blocked the firewall.

Any ideas why this address is still able to attempt auth, even though it should be getting denied before it even gets that far?

Re: block ip addresses that try to brute force into VPN

Rob Ingram — Fri, 28 Apr 2023 07:04:46 GMT

@mikeyasg if the pre-filter rule you are referring to is configured on the FTD acting as the Remote Access VPN concentrator, then that will not work. The pre-filter and Access Control rules control traffic "through" the firewall and not "to" the firewall itself, so it cannot block those connections.

Rarely used, but you could use a control-plane ACL to deny the specific IP addresses and permit the rest of the remote access vpn connections. Example: https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/

Or deny the traffic on the upstream ISP router.

Re: block ip addresses that try to brute force into VPN

Mark Elsen — Fri, 28 Apr 2023 07:06:08 GMT

>...These IP addresses were added to the prefilter block rule on the FTD firewall.
- Depends on what you mean by that , guess that should not be 'prefilter block' , but just block or deny/drop (e.g.)

Re: block ip addresses that try to brute force into VPN

MHM Cisco World — Fri, 28 Apr 2023 10:35:45 GMT

this VPN is RAVPN or L2L VPN ?
if it L2L VPN then the solution is Control-plane
if it RAVPN then I think Duo can solve the issue <<- this I need to dive deep to check best solution for you but idea is the ASA make first auth and then send to ISE for second auth, here only the user that pass first Auth will send to ISE for more Auth, the ASA will drop other attempt

Re: block ip addresses that try to brute force into VPN

Marvin Rhoads — Fri, 28 Apr 2023 16:40:24 GMT

Agree with @Rob Ingram . Filter on an upstream router or terminate RA VPN on a firewall in the DMZ. then the Internet-facing firewall rules would apply to the incoming traffic.

Regarding Duo, generally the Duo configuration (whether SSO, Duo Auth Proxy or Duo Access Gateway) will be still trying to perform the first authentication against your primary authentication source - e.g., AD via ISE. So the attempts will still be logged by ISE (or AD if you bypass ISE for AuthC and only use it for AuthZ).

Re: block ip addresses that try to brute force into VPN

MHM Cisco World — Fri, 28 Apr 2023 16:57:28 GMT

Can I use Duo to protect ASA local account logins?

Absolutely! To protect users local to the ASA, with the Duo LDAPS configuration for SSL VPN, continue to use the "LOCAL" AAA Server Group for authentication and add the Duo LDAP AAA server group for secondary authentication.

To protect local ASA users connecting with the Duo RADIUS configuration for SSL VPN clients, use the duo_only_client and radius_server_duo_only configurations in your Authentication Proxy setup, and again continue to use the "LOCAL" AAA Server Group for authentication and add the Duo RADIUS AAA server group for secondary authentication.

https://duo.com/docs/cisco-faq

Re: block ip addresses that try to brute force into VPN

mikeyasg — Sat, 29 Apr 2023 07:09:41 GMT

The vpn is RAVPN and we are thinking to use control plane ACL as @Rob Ingram suggested. if it is applicable for RAVPN or blocking these ip on the upstream router. But blocking the traffic on upstream router would be adding the addresses everytime we face these issue.

Re: block ip addresses that try to brute force into VPN

Rob Ingram — Sat, 29 Apr 2023 07:52:28 GMT

@mikeyasg yes control-plane ACL works on RAVPN.

Re: block ip addresses that try to brute force into VPN

MHM Cisco World — Sat, 29 Apr 2023 09:31:17 GMT

Please can you confirm that

One IP is outside interface IP of FW

Other is IP from ravpn pool ??

Re: block ip addresses that try to brute force into VPN

mikeyasg — Tue, 02 May 2023 13:41:08 GMT

The outside interface is the vpn concentrator and the endpoint that is making the remote connection will get ip from the ravpn pool. But the screenshot that i shared is neither the outside interface nor the ip from the pool rather it is the ip address that belongs to the endpoint initiating the vpn connection.

Re: block ip addresses that try to brute force into VPN

MHM Cisco World — Tue, 02 May 2023 14:17:02 GMT

then if you sure that these IP is not OUT and VPN Pool
as other mention you can use ACL

Client-internet-ASA-INside-ISE
apply ACL to INside allow only Mgmt IP to send to ISE plus first IP of VPN Pool (for more sure allow all VPN Pool)
that it.
you will ask then how RAVPN connect to ISE , the RAVPN not direct connect to ISE for auth, the FW do this, FW work as proxy to auth RAVPN.

Re: block ip addresses that try to brute force into VPN

mikeyasg — Wed, 03 May 2023 13:55:09 GMT

Thank You all and @Rob Ingram We were able to use the control plane ACL and it was successful Thank You for your support.

Re: block ip addresses that try to brute force into VPN

MHM Cisco World — Wed, 03 May 2023 14:01:38 GMT

Sorry for my info.

What you permit and what you deny in control-plane acl??

Re: block ip addresses that try to brute force into VPN

willb1 — Wed, 17 Apr 2024 15:05:52 GMT

Having a router upstream from the FTD, wouldn't it be possible to create a correlation policy and use the Cisco IOS Null Route Module to automate blocking the offending IP's at the upstream router?

I began looking into this option this morning but am not clear as to how to create and associate the remediation step with the correlation policy.