topic Re: Stable FTD released version and fixed brute force attack in Network Security

Stable FTD released version and fixed brute force attack

Da ICS16 — Fri, 16 May 2025 02:58:18 GMT

Dear Team,

We are looking the stable FTD version can upgrade to fixed the vulnerability and ensure it cover suck of attack like VPN brute force...and prevent AD Account locked out even attacker known the legit AD user.

Kindly share commend / good practice to resolve it.

Best Regards,

Re: Stable FTD released version and fixed brute force attack

Rob Ingram — Fri, 16 May 2025 06:13:59 GMT

@Da ICS16 the threat detection feature for remote access VPN services helps prevent Denial of Service (DoS) attacks and is supported in the following releases.

These threat detection features are supported in the Cisco Secure Firewall Threat Defense versions listed next:

7.0 version train-> supported from7.0.6.3 and newer versions within this specific train.
7.2 version train-> supported from7.2.9 and newer version within this specific train.
7.4 version train-> supported from7.4.2.1 and newer version within this specific train.
7.6 version train-> supported from7.6.0 and any newer versions.

7.4.2 is the current Cisco gold star version.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

Re: Stable FTD released version and fixed brute force attack

Da ICS16 — Fri, 16 May 2025 06:24:03 GMT

Hello @Rob Ingram Thanks for helpful commend.

Re: Stable FTD released version and fixed brute force attack

Marvin Rhoads — Mon, 19 May 2025 14:11:36 GMT

I have found that changing your VPN login URL to a non-default value (e.g., vpn.company.com/corp instead of simply vpn.company.com) and sending the defaultWebVPN profile to a non-existent AAA server is the best protection against these attacks.

Re: Stable FTD released version and fixed brute force attack

Da ICS16 — Tue, 20 May 2025 06:16:31 GMT

Hello @Marvin Rhoads

Thanks for commend. it is the workaround solution? Could you share doc/url me to review?

Best Regards,

Re: Stable FTD released version and fixed brute force attack

Da ICS16 — Tue, 20 May 2025 06:15:41 GMT

Hello @Rob Ingram

Cisco TAC is also recommended to upgrade to the current cisco golden star version. Did you tested and resolve the case from vpn bruteforce? thanks,

Re: Stable FTD released version and fixed brute force attack

Marvin Rhoads — Tue, 20 May 2025 12:09:56 GMT

@Da ICS16 it's this solution:

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html#toc-hId-1334521269

Basically, valid users' profiles point to a non-published group-url. They use your legitimate authentication method. Non-legitimate users that try to go the the default profile are directed to either a. use certificates (which they won't have) or to a "sinkhole" (invalid) AAA server which will never authenticate them (nor affect any legitimate users' accounts).