topic Re: Broute Force Protection in Network Security

Broute Force Protection

edoardodepiet — Thu, 29 Feb 2024 09:14:16 GMT

Hi Everyone,

we have N5K-C5596UP model and we would like to implement a brouteforce protection.

The protection probably should work by timing out more then ... failed attempted logins on SSH and RDP.

Let me know kindly how to implement this and thank you in advance!

Re: Broute Force Protection

Mark Elsen — Thu, 29 Feb 2024 13:03:28 GMT

- The switch will not natively provide such features ; if we look at network protection and prevention of storming security attacks in general you need to look at firewalling solutions (to protect intranet networking components) ,

Re: Broute Force Protection

liviu.gheorghe — Thu, 29 Feb 2024 14:29:14 GMT

Like @Mark Elsen mentioned, the NXOS does not provide these features. The only features related to brute-force attempts are related to logging:

nx9000-1(config)# login ?
on-failure Set options for failed login attempt
on-success Set options for successful login attempt

Other IOS variants like IOS XE have the features that you asked about, as seen in the following output from a ISR 1K running IOS XE 17.9.4a:

c1111(config)#login ?
block-for Set quiet-mode active time period
delay Set delay between successive fail login
on-failure Set options for failed login attempt
on-success Set options for successful login attempt
password-reuse-interval Set the number of days for reuse of password
password-warning-interval Set warning interval for user
quiet-mode Set quiet-mode options

Hope this helps.

Re: Broute Force Protection

edoardodepiet — Fri, 01 Mar 2024 15:23:16 GMT

Can you please tell what are those options for:

on-failure Set options for failed login attempt
on-success Set options for successful login attempt

Does this allow us to TIME OUT a certain IP after ... failed login attempts?

If this switch does not provide this solution, which firewall/hardware do you recommend for data center colocation?

Best Regards,

Edp

Re: Broute Force Protection

liviu.gheorghe — Fri, 01 Mar 2024 16:51:47 GMT

@edoardodepiet wrote:

Can you please tell what are those options for:

on-failure Set options for failed login attempt
on-success Set options for successful login attempt

Does this allow us to TIME OUT a certain IP after ... failed login attempts?

The options allow you to have the switch generate SYSLOG messages on login failure or successful attempts. It doesn't allow you to delay or restrict a certain IP after repeated failed attempts.

If this switch does not provide this solution, which firewall/hardware do you recommend for data center colocation?

The firewall model depends on what volume of traffic you expect it to handle.

Re: Broute Force Protection

edoardodepiet — Sat, 02 Mar 2024 03:43:58 GMT

Thank you again

The firewall model depends on what volume of traffic you expect it to handle.

- Do you measure it in GBPS? Then please provide some tips for:

30 - 50 GBPS
50 - 100 GBPS
100 - 500 GBPS

or the intervals you feel are relevant with the correct unit of measurement

Thanks again

Re: Broute Force Protection

liviu.gheorghe — Sat, 02 Mar 2024 08:58:14 GMT

Hello @edoardodepiet ,

Firewall throughput is measured usually in Gigabits per second (Gbps). Keeping the intervals you mentioned, but in Gbps, you have:

30 - 50 Gbps: Cisco 3100 Series ranging from 10 to 45 Gbps or Cisco 4100 Series ranging from 19 to 53 Gbps
50 - 100 Gbps: 4215 (71 Gbps) or 4225 (90 Gbps) or 9300 SM-40 (55 Gbps) or 9300 SM-48 (65 Gbps) or 9300 SM-56 (70 Gbps)
100 - 500 Gbps: Cisco 4245 (149 Gbps) or Cisco 9300 3xSM-56 (190 Gbps)

Re: Broute Force Protection

edoardodepiet — Thu, 14 Mar 2024 21:26:18 GMT

Thank you soo much for those models. Do you know how can i check/if you know how many IPs those can handle in ACL and ROOT?

Re: Broute Force Protection

liviu.gheorghe — Thu, 14 Mar 2024 21:52:51 GMT

Hello @edoardodepiet ,

take a look at the following document, page 26-27: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3455.pdf

Quite impressive.

Re: Broute Force Protection

edoardodepiet — Fri, 22 Mar 2024 00:12:43 GMT

Thank you soo much. Sorry but I am really noob on those topics. Which of those values should we consider for the 3 models you have sent? (Always reated your replies as Helpful)

Re: Broute Force Protection

Rob Ingram — Fri, 22 Mar 2024 08:02:24 GMT

@edoardodepiet there is a huge difference in cost between the models in the screenshots.

What is your budget? What are your requirements for the Firewall? How many connections? What is the bandwidth of the connected internet circuits? Do you require basic L3/L3 filtering or NGFW L7 (Threat, Anti-Malware etc) functionality?

Refer to the datasheets will give you an idea of the difference in performance of the hardware.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

https://www.cisco.com/c/en/us/products/collateral/security/firewalls/secure-firewall-3100-series-ds.html

Re: Broute Force Protection

liviu.gheorghe — Fri, 22 Mar 2024 08:05:39 GMT

Well, to summarise, you will have for:

4100 series - between 2,250,000 and 3,000,000 ACE

9300 series - between 2,250,000 and 6,000,000 ACE