cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
422
Views
2
Helpful
5
Replies

FTD 3140 series DOS Protection Features

Joseph Samuela
Level 1
Level 1

Hello  @Marvin Rhoads and Cisco Tech Community

hope this email finds you well

appreciate if you could please confirm below for me 

I am trying to find features of DOS protection on FTD model 3140  should my ISP link be flooded by threat Actor attacking through volume, application, network, and service traffic 

can please advise does this

hardware model (FTD 3140)  and software license ( Essentials, IPS, Malware, URL, Security Client Premier) have below

 a) feature set that has Dos protection and only need license to activate it 

 b) or can i integrate DOS snort Rule Set  into the appliance using snort version 2 or 3 

c) or is there a 3rd Party Software  like radware integration in 4100 series that only needs a Operating System version upgrade for it to be included

 

Thanks

Joseph

 

 

 

 

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

As of now, Radware integration (as a "decorator" application) is only available on the 4100/4200/9300 series of Cisco Secure firewalls. There's no true DDOS (Distributed Denial of Service) otherwise available on the Cisco Secure Firewall platforms. There is some limited protection against port scans and such but that's not really DDOS. DDOS protection is usually better handled via service from your service provider or other third party.

View solution in original post

5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

As of now, Radware integration (as a "decorator" application) is only available on the 4100/4200/9300 series of Cisco Secure firewalls. There's no true DDOS (Distributed Denial of Service) otherwise available on the Cisco Secure Firewall platforms. There is some limited protection against port scans and such but that's not really DDOS. DDOS protection is usually better handled via service from your service provider or other third party.

Thanks for your assistance and confirmation Marvin, indeed was reading up on GateKeeper and best DDos Strategy is furtherest from the target network via internet exchange points....as when it hits the interface of the target network its too late

thanks again Marvin

Hi @Marvin Rhoads I stumbled across this topic and I apologize if in any way its construed as threadjacking.  At any rate I thank you very much for your input.

I have an FTD 2600 and TAC explained to me that the only solution is to use control plane ACL's to block ingress traffic from the public network.  I have hundreds of thousands of brute force attempts on my VPN daily.  Do these rate limiting features not exist on the 2600 and I need to look at the 4100? 

Thank you,

Christopher J. Wolff

@cjwolff no Cisco firewall currently has a good defense to prevent these attacks from coming in to the device. We've been asking for some time that they implement geoblocking for connections to the firewall but that's still a work in progress.

Cisco's published advice for them is currently in the following document:

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

Some folks have advised using certificate-based authentication, but that's a non-trivial task to implement. Another option, if you have a larger infrastructure, is to put the VPN firewall "behind" an FTD perimeter firewall where you can use geoblocking as a first line of defense.

The phenomenon is across all vendors, as noted by TALOS:

https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/

If it's any consolation, almost every one of my customers is seeing the same relentless probing on their public-facing VPN devices.

Thank you very much @Marvin Rhoads this is great input.  I really appreciate it.

Review Cisco Networking for a $25 gift card