1062 Views | 7 Helpful | 7 Replies

Is it possible to stop Brute Force attacks in Firepower Threat Defense?

Vicente Miño
Level 1

Hello to everyone.

I have some doubts that arose as a result of an Ethical Hacking exercise carried out at my work, related to whether or not it is possible to stop brute force attacks on a site published from our on-premise network with FTD. Without going into too much detail, we have a dedicated link through which our clients connect to a site within our internal network, and we asked how to stop brute force attacks against it in case one of our clients had their network compromised. They indicated that it can usually be done with a rate limit on the interface where traffic enters this published service. Checking the community I found this link that refers to the rate limit, which is configured as a QoS policy:

Solved: Rate limiting on FTD - Cisco Community

Correct me if I'm wrong, but I understood that these types of attacks are at the session layer, therefore they must be mitigated at the level of the server that provides this service, not at the communications or security level.

If it were possible to stop it in the firewall, how could it be done? Would it be with a QoS policy? Or through an ACL in the control policy that filters access to this interface where the communication passes?

Note: This firewall is managed with an FMC.

Thank you very much in advance,

Best Regards,

Accepted Solution

You cannot stop brute-force attacks in the firewall. Depending on the rate these requests are coming at, QoS might help in rate-limiting the requests if you know the application and/or port being used. But to mitigate this completely you would need to do that on the authenticating server (perhaps introduce 2-factor authentication if not already in place).

--
Please remember to select a correct answer and rate helpful posts


7 Replies

ccieexpert
Spotlight

password spraying link is only for VPN.. not for another site (customer) coming in..

you can do this:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/detecting_specific_threats.html

and based on some of these you can take action automatically, like a shun, etc.

also if you had a DDoS appliance they usually do a better job of even finding brute force.. the 41xx and higher platforms had a virtual DDoS.. Also tune your end application/servers to lock out after 5 attempts etc... so brute force can be prevented..
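The server-side lockout suggested above ("lock out after 5 attempts"), written out as an added example that is not part of this thread or of any Cisco product: a sliding-window failure counter that locks an account after a configurable number of failed logins and releases it after a cooldown. The 5-attempt threshold comes from the post; the 5-minute window and 15-minute lockout are assumptions, and the IP addresses, account names and timestamps in the sample events are constructed.

```python
"""Per-account brute-force lockout with a sliding window (added example, not from the thread)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5        # threshold from the post
    window_seconds: int = 300    # assumed: failures older than this no longer count
    lockout_seconds: int = 900   # assumed: how long a locked account stays locked


class BruteForceGuard:
    """Tracks recent failures per key (here: account name) and enforces a lockout."""

    def __init__(self, policy: Optional[LockoutPolicy] = None) -> None:
        self.policy = policy or LockoutPolicy()
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)
        self._locked_until: Dict[str, int] = {}

    def _prune(self, key: str, now: int) -> None:
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()

    def is_locked(self, key: str, now: int) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget it and start counting from zero again.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record(self, key: str, success: bool, now: int) -> str:
        """Apply one login attempt; returns 'allow', 'locked' or 'lockout_triggered'."""
        if self.is_locked(key, now):
            # Even a correct password is rejected while locked, which is what
            # stops a guessing campaign from ever "landing" on the right one.
            return "locked"
        if success:
            self._failures[key].clear()
            return "allow"
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.policy.max_failures:
            self._locked_until[key] = now + self.policy.lockout_seconds
            return "lockout_triggered"
        return "allow"


# Constructed login events: (epoch seconds, source IP, account, password correct?)
SAMPLE_EVENTS: List[Tuple[int, str, str, bool]] = [
    (1000, "203.0.113.7", "alice", False),
    (1005, "203.0.113.7", "alice", False),
    (1010, "203.0.113.7", "alice", False),
    (1015, "203.0.113.7", "alice", False),
    (1020, "203.0.113.7", "alice", False),   # 5th failure in the window -> lockout
    (1025, "203.0.113.7", "alice", True),    # right password, still rejected
    (1030, "198.51.100.4", "bob", False),    # legitimate user mistypes once
    (1035, "198.51.100.4", "bob", True),     # ...then succeeds; counter is cleared
    (1940, "203.0.113.7", "alice", False),   # lockout (900 s) has expired; count restarts
]


def replay(events: List[Tuple[int, str, str, bool]],
           policy: Optional[LockoutPolicy] = None) -> List[str]:
    """Feed events through the guard in order and return the decision for each."""
    guard = BruteForceGuard(policy)
    return [guard.record(account, ok, ts) for ts, _src, account, ok in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{event[0]:>5} {event[1]:<14} {event[2]:<6} ok={event[3]!s:<5} -> {decision}")
```

Keying on the account is what the post describes, and it is also why the accepted answer still points at 2FA: an attacker who knows a username can deliberately trip the lockout and deny that user access, so a production deployment usually pairs the account counter with a per-source counter and with a second factor rather than relying on the lockout alone.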


@Marius Gunnerud > ...You cannot stop brute-force attacks in the firewall.

Well indeed you can't stop them at all (by 'word definition'); I wonder whether products like Firepower could have auto-rate-limiting or auto-dropping from the attacking sources in such circumstances?

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Well, IPS in the FTD does have signature definitions for some specific brute-force attack types. I suppose they will rate or drop attacks that match those specific signatures if those rules are enabled in IPS. But since these are signatures they will be lagging a little bit when it comes to new attack types. That being said they are better than nothing.

These signatures will of course help but the root of the problem needs to be addressed on the authenticating server, i.e. 2-factor auth, certificate auth, limit access to specific users if possible, etc.

--
Please remember to select a correct answer and rate helpful posts

In fact, the site uses 2FA when accessing it: it asks to access the onmicrosoft portal. Perfect, thank you very much for the help.
I understand that although adding a rate limit would strengthen things, it would not mitigate the vulnerability 100%.
