08-16-2024 04:43 AM
Hello to everyone.
I have some doubts that arose as a result of Ethical Hacking carried out at my work, related to whether or not it is possible to stop brute force attacks on a site published from our on-premise network with FTD. Without going into too much detail, we have a dedicated link in which our clients connect to a site within our internal network, and asked how to stop brute force attacks against it in case one of our clients had their network compromised. They indicated that it can usually be done with a rate limit on the interface where traffic enters this published service. Checking the community I found this link that refers to the rate limit which is configured as a QoS policy:
Solved: Rate limiting on FTD - Cisco Community
Correct me if I'm wrong, but I understood that these types of attacks are at the session layer, therefore they must be mitigated at the level of the server that provides this service, not at the communications or security level.
If it were possible to stop it in the firewall, how could it be done? Would it be with a QoS policy? Or through an ACL in the control policy that filters access to this interface where the communication passes?
Note: This firewall is managed with an FMC.
Thank you very much in advance,
Best Regards,
Solved! Go to Solution.
08-19-2024 03:02 AM
You cannot stop brute-force attacks in the firewall. Depending on the rate these requests are coming at, QoS might help in rate-limiting the requests if you know the application and / or port being used. But to mitigate this completely you would need to do that on the authenticating server (perhaps introduce 2factor authentication if not already in place)
08-17-2024 07:00 AM
08-18-2024 05:59 PM
password spraying link is only for VPN.. not for another site (customer) coming in..
you can do this:
and based on some of these you can take action automatically like a shun etc
also if you had a DDOS appliance they usually do a better job of even finding brute force.. the 41xx and higher platforms had a virtual DDOS.. Also tune your end application/servers to lock out after 5 attempts etc... so brute force can be prevented..
08-19-2024 03:02 AM
You cannot stop brute-force attacks in the firewall. Depending on the rate these requests are coming at, QoS might help in rate-limiting the requests if you know the application and / or port being used. But to mitigate this completely you would need to do that on the authenticating server (perhaps introduce 2factor authentication if not already in place)
08-19-2024 03:27 AM
- @Marius Gunnerud >...You cannot stop brute-force attacks in the firewall.
Well indeed you can't stop them at all (by 'words definition') ; I wonder wither products like
firepower could have auto-rate limiting or auto-dropping
from the attacking sources in such circumstances ?
M.
08-19-2024 03:48 AM
Well, IPS in the FTD does have signature definitions for some specific brute-force attack types. I suppose they will rate or drop attacks that match those specific signatures if those rules are enabled in IPS. But since these are signatures they will be lagging a little bit when it comes to new attack types. That being said they are better than nothing.
These signatures will of course help but the root of the problem needs to be addressed on the authenticating server, i.e. 2factor auth, certificate auth, limit access to specific users if possible, etc.
08-27-2024 08:06 AM
In fact, the site uses 2fa when accessing the site, it asks to access the onmicrosoft portal, perfect, thank you very much for the help.
I understand that although it would comply by strengthening adding a rate limit, it would not mitigate the vulnerability 100%.
09-16-2024 12:05 PM
Control Plane ACLs can be leveraged
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide