FTD 3140 series DOS Protection Features

Joseph Samuela
Level 1

Hello @Marvin Rhoads and Cisco Tech Community,

Hope this email finds you well.

I would appreciate it if you could please confirm the below for me.

I am trying to find the DoS protection features on the FTD model 3140, should my ISP link be flooded by a threat actor attacking through volume, application, network, and service traffic.

Can you please advise whether this

hardware model (FTD 3140) and software license (Essentials, IPS, Malware, URL, Security Client Premier) have the below:

a) a feature set that has DoS protection and only needs a license to activate it

b) or can I integrate a DoS Snort rule set into the appliance using Snort version 2 or 3

c) or is there 3rd-party software, like the Radware integration in the 4100 series, that only needs an operating system version upgrade for it to be included

 

Thanks

Joseph

Accepted Solution

Marvin Rhoads
Hall of Fame

As of now, Radware integration (as a "decorator" application) is only available on the 4100/4200/9300 series of Cisco Secure firewalls. There's no true DDoS (Distributed Denial of Service) protection otherwise available on the Cisco Secure Firewall platforms. There is some limited protection against port scans and such, but that's not really DDoS. DDoS protection is usually better handled via a service from your service provider or another third party.

5 Replies

Thanks for your assistance and confirmation, Marvin. Indeed, I was reading up on GateKeeper, and the best DDoS strategy is furthest from the target network, via internet exchange points, as when it hits the interface of the target network it's too late.

Thanks again, Marvin.

Hi @Marvin Rhoads, I stumbled across this topic and I apologize if in any way it's construed as threadjacking. At any rate, I thank you very much for your input.

I have an FTD 2600 and TAC explained to me that the only solution is to use control plane ACLs to block ingress traffic from the public network. I have hundreds of thousands of brute force attempts on my VPN daily. Do these rate limiting features not exist on the 2600, and do I need to look at the 4100?

Thank you,

Christopher J. Wolff

@cjwolff, no Cisco firewall currently has a good defense to prevent these attacks from coming in to the device. We've been asking for some time that they implement geoblocking for connections to the firewall, but that's still a work in progress.

Cisco's published advice for them is currently in the following document:

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

Some folks have advised using certificate-based authentication, but that's a non-trivial task to implement. Another option, if you have a larger infrastructure, is to put the VPN firewall "behind" an FTD perimeter firewall where you can use geoblocking as a first line of defense.

The phenomenon is seen across all vendors, as noted by Talos:

https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/

If it's any consolation, almost every one of my customers is seeing the same relentless probing on their public-facing VPN devices.
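As an added illustration of the log-side view of the probing described in this reply (this is not code from the thread, from Cisco, or from the linked documents): a small Python script that parses constructed syslog lines written in the style of the ASA/FTD 113005 "AAA user authentication Rejected" message, counts rejections per source address, and separates password-spray sources (many usernames from one IP) from single-account brute force, so a defender can review candidates before touching a control plane ACL. The sample addresses, usernames, and the threshold are assumptions; the message layout follows the documented 113005 format but the lines themselves are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the ASA/FTD 113005 message.
# Addresses come from documentation ranges; nothing here is from a real device.
SAMPLE_LOGS = """\
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.9
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.9
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.9
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 192.0.2.44
"""

# Matches the username and the client ("user IP") fields of a 113005 line.
REJECT_RE = re.compile(
    r"%ASA-\d-113005: AAA user authentication Rejected.*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_rejections(text):
    """Yield (source_ip, username) for every 113005 rejection line."""
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def classify_sources(text, min_attempts=3):
    """Per source IP: ('spray' | 'brute-force' | 'low', attempts, distinct users).

    'spray' = several usernames from one source, 'brute-force' = one username
    hammered repeatedly, 'low' = below the (assumed) review threshold.
    """
    attempts = defaultdict(list)
    for ip, user in parse_rejections(text):
        attempts[ip].append(user)
    result = {}
    for ip, users in attempts.items():
        total, distinct = len(users), len(set(users))
        if total < min_attempts:
            result[ip] = ("low", total, distinct)
        elif distinct > 1:
            result[ip] = ("spray", total, distinct)
        else:
            result[ip] = ("brute-force", total, distinct)
    return result


def blocklist_candidates(text, min_attempts=3):
    """Sorted source IPs over the threshold, for human review before any ACL change."""
    labels = classify_sources(text, min_attempts)
    return sorted(ip for ip, (label, _, _) in labels.items() if label != "low")
```

Run against a real syslog export the same way, and review the candidate list (and its size) before turning it into control plane ACL entries.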

Thank you very much @Marvin Rhoads, this is great input. I really appreciate it.