topic Re: It is posible to stop Brute Force attacks in Firepower Theat Defen in Network Security

It is posible to stop Brute Force attacks in Firepower Theat Defense?

Vix-O-Ren — Fri, 16 Aug 2024 11:43:14 GMT

Hello to everyone.

I have some doubts that arose as a result of Ethical Hacking carried out at my work, related to whether or not it is possible to stop brute force attacks on a site published from our on-premise network with FTD. Without going into too much detail, we have a dedicated link in which our clients connect to a site within our internal network, and asked how to stop brute force attacks against it in case one of our clients had their network compromised. They indicated that it can usually be done with a rate limit on the interface where traffic enters this published service. Checking the community I found this link that refers to the rate limit which is configured as a QoS policy:

Solved: Rate limiting on FTD - Cisco Community

Correct me if I'm wrong, but I understood that these types of attacks are at the session layer, therefore they must be mitigated at the level of the server that provides this service, not at the communications or security level.

If it were possible to stop it in the firewall, how could it be done? Would it be with a QoS policy? Or through an ACL in the control policy that filters access to this interface where the communication passes?

Note: This firewall is managed with an FMC.

Thank you very much in advance,

Best Regards,

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

MHM Cisco World — Sat, 17 Aug 2024 14:00:32 GMT

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

Check this

MHM

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

ccieexpert — Mon, 19 Aug 2024 00:59:07 GMT

password spraying link is only for VPN.. not for another site (customer) coming in..

you can do this:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/detecting_specific_threats.html

and based on some of these you can take action automatically like a shun etc

also if you had a DDOS appliance they usually do a better job of even finding brute force.. the 41xx and higher platforms had a virtual DDOS.. Also tune your end application/servers to lock out after 5 attempts etc... so brute force can be prevented..

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Marius Gunnerud — Mon, 19 Aug 2024 10:02:37 GMT

You cannot stop brute-force attacks in the firewall. Depending on the rate these requests are coming at, QoS might help in rate-limiting the requests if you know the application and / or port being used. But to mitigate this completely you would need to do that on the authenticating server (perhaps introduce 2factor authentication if not already in place)

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Mark Elsen — Mon, 19 Aug 2024 10:27:38 GMT

- @Marius Gunnerud >...You cannot stop brute-force attacks in the firewall.
Well indeed you can't stop them at all (by 'words definition') ; I wonder wither products like
firepower could have auto-rate limiting or auto-dropping
from the attacking sources in such circumstances ?

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Marius Gunnerud — Mon, 19 Aug 2024 10:48:49 GMT

Well, IPS in the FTD does have signature definitions for some specific brute-force attack types. I suppose they will rate or drop attacks that match those specific signatures if those rules are enabled in IPS. But since these are signatures they will be lagging a little bit when it comes to new attack types. That being said they are better than nothing.

These signatures will of course help but the root of the problem needs to be addressed on the authenticating server, i.e. 2factor auth, certificate auth, limit access to specific users if possible, etc.

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Vix-O-Ren — Tue, 27 Aug 2024 15:06:55 GMT

In fact, the site uses 2fa when accessing the site, it asks to access the onmicrosoft portal, perfect, thank you very much for the help.
I understand that although it would comply by strengthening adding a rate limit, it would not mitigate the vulnerability 100%.

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

daynagar — Mon, 16 Sep 2024 19:05:30 GMT

Control Plane ACLs can be leveraged
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Da ICS16 — Tue, 06 May 2025 03:01:57 GMT

Hello @Marius Gunnerud

Between 2FA, Certificate Authentication and IPS which one is better solution?

Thanks,

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Da ICS16 — Tue, 06 May 2025 03:05:06 GMT

Hello @Vix-O-Ren

Did you test with 2FA and fixed no AD user locked out during brute force?

Thanks.

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Marius Gunnerud — Tue, 06 May 2025 09:21:38 GMT

Hi @Da ICS16 ,

This depends on what you are trying to protect. If it is a website purely for internal use, I would recommend all three, Certificate and 2FA for authenticating to resources, and IPS to protect traffic further.

If this is a public accessible website, I would recommend looking into segmenting the publicly accessible resources from the backend / internal resources if not done so already, with firewalling and access controls in place for internal resources. And IPS to inspect traffic to the public resources. In addition to this the public resources should be hardend and access right should be read only if they need access to internal databases so they cannot make any changes to internal resources.

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Vix-O-Ren — Tue, 06 May 2025 16:28:46 GMT

Hello @Da ICS16 , In our case we use Symantec VIP Access, in simple words its similar to Cisco DUO. Its a Radius comunication beetween the MFA servers and the Firewalls.

In this specific case because the attacker uses random users like "cisco" or "tom" for example, they didn´t match any AD account.

And in the rare but possible scenario where the attacker somehow managed to find a user's name, they would have to try a few more times until they were blocked. At least from what I saw, the attack behavior was only a login attempt. When that failed, they continued with others. The methods we used to blocked this behavior completaly were three:
1) Remove the login on the webVPN platform
2) Enable internal buffer logs in the firewall to verify attacker attempts, users used, and IP addresses, comparing them with the radius logs
3) We used a FlexConfig policy to block these attacker IP addresses in ranges from /24 to /16. Through the firewall, we checked the geolocation of the attackers' public IPs, mostly from India and the Netherlands.

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Da ICS16 — Wed, 07 May 2025 01:40:41 GMT

Hello @Vix-O-Ren

Thanks for your commend.

Any attack still occur and lead AD user locked out after your implementation?

thanks,

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Da ICS16 — Wed, 07 May 2025 02:05:40 GMT

Hello @Marius Gunnerud

Cisco TAC recommend with below.

Certificate-Based (Trusted Client) Authentication
– Only endpoints presenting a valid client certificate can establish a VPN tunnel, so password guessing and AD account lockouts no longer apply. It scales naturally against broad-based attacks.

Is it possible to go? Prevent AD account locked out?

Thanks,

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Marius Gunnerud — Wed, 07 May 2025 07:27:45 GMT

When using certificate authentication, you are only basing your authentication on validity of the certificate, so accounts will not be locked out. I would recommend also using MFA together with certificate authentication.

you could also use Dynamic Access Policies (DAP) to authenticate based on specific values within the certificate. For example, CN, or SAN values, or other values for that matter.

If you have ISE then I would recommend using ISE and not DAP for this certificate authentication.

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Da ICS16 — Thu, 08 May 2025 01:46:53 GMT

Hello @Marius Gunnerud ,

Yes we use ISE for Auth.C & Auth.Z and Accounting rely on NGFW.

Could you share the URL of configure MFA with certificate authentication?

Thanks,

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Marius Gunnerud — Thu, 08 May 2025 07:59:43 GMT

Check out this Cisco document for configuration:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-32/222208-configure-ssl-vpn-authentication-through.html?utm_source=chatgpt.com

Hope it helps.

Re: It is posible to stop Brute Force attacks in Firepower Theat Defen

Vix-O-Ren — Thu, 08 May 2025 14:33:13 GMT

Hi @Da ICS16 ,

So far, none have been detected, but we've taken an additional step. We use Zabbix on our platform, so we send these attack attempt logs to Zabbix, which then sends an alert to email. A new log appears. You should consider that any attack attempt, if not blocked by the Control Plane ACL, will appear as a new log. This log can be sent to your monitoring platform, if you have one, and alerts can be sent to your email to add those new IP addresses or networks to Flex Config in Firepower with the Control Plane ACL, or directly to your Control Plane ACL, if, for example, you have an ASA.

If for some reason you cannot do this from the firewall itself, the other option is to have your own MFA send Syslog messages directly to a Syslog server for analysis.

Unfortunately I didn't find any more automated options in this topic.