Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
609
Views
6
Helpful
7
Replies

It is posible to stop Brute Force attacks in Firepower Theat Defense?

Go to solution
Vicente Miño
Level 1
Level 1

‎08-16-2024 04:43 AM

Hello to everyone.

I have some doubts that arose as a result of Ethical Hacking carried out at my work, related to whether or not it is possible to stop brute force attacks on a site published from our on-premise network with FTD. Without going into too much detail, we have a dedicated link in which our clients connect to a site within our internal network, and asked how to stop brute force attacks against it in case one of our clients had their network compromised. They indicated that it can usually be done with a rate limit on the interface where traffic enters this published service. Checking the community I found this link that refers to the rate limit which is configured as a QoS policy:

Solved: Rate limiting on FTD - Cisco Community

Correct me if I'm wrong, but I understood that these types of attacks are at the session layer, therefore they must be mitigated at the level of the server that provides this service, not at the communications or security level.

If it were possible to stop it in the firewall, how could it be done? Would it be with a QoS policy? Or through an ACL in the control policy that filters access to this interface where the communication passes?

Note: This firewall is managed with an FMC.

Thank you very much in advance,

Best Regards,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎08-19-2024 03:02 AM

You cannot stop brute-force attacks in the firewall.  Depending on the rate these requests are coming at, QoS might help in rate-limiting the requests if you know the application and / or port being used.  But to mitigate this completely you would need to do that on the authenticating server (perhaps introduce 2factor authentication if not already in place)

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

7 Replies 7

Go to solution
ccieexpert
Spotlight
Spotlight

‎08-18-2024 05:59 PM

password spraying link is only for VPN.. not for another site (customer) coming in..

you can do this:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/detecting_specific_threats.html

and based on some of these you can take action automatically like a shun etc

also if you had a DDOS appliance they usually do a better job of even finding brute force.. the 41xx and higher platforms had a virtual DDOS.. Also tune your end application/servers to lock out after 5 attempts etc... so brute force can be prevented..

Go to solution
Marius Gunnerud
VIP
VIP

‎08-19-2024 03:02 AM

You cannot stop brute-force attacks in the firewall.  Depending on the rate these requests are coming at, QoS might help in rate-limiting the requests if you know the application and / or port being used.  But to mitigate this completely you would need to do that on the authenticating server (perhaps introduce 2factor authentication if not already in place)

--
Please remember to select a correct answer and rate helpful posts

Go to solution
marce1000
VIP
VIP
In response to Marius Gunnerud

‎08-19-2024 03:27 AM

 

  - @Marius Gunnerud  >...You cannot stop brute-force attacks in the firewall.
                                     Well indeed you can't stop them at all (by 'words definition') ; I wonder wither products like
                                     firepower could have auto-rate limiting  or auto-dropping
                                     from the attacking sources in such circumstances ?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Go to solution
Marius Gunnerud
VIP
VIP
In response to marce1000

‎08-19-2024 03:48 AM

Well, IPS in the FTD does have signature definitions for some specific brute-force attack types.  I suppose they will rate or drop attacks that match those specific signatures if those rules are enabled in IPS.  But since these are signatures they will be lagging a little bit when it comes to new attack types.  That  being said they are better than nothing.

These signatures will of course help but the root of the problem needs to be addressed on the authenticating server, i.e. 2factor auth, certificate auth, limit access to specific users if possible, etc.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
Vicente Miño
Level 1
Level 1
In response to Marius Gunnerud

‎08-27-2024 08:06 AM

In fact, the site uses 2fa when accessing the site, it asks to access the onmicrosoft portal, perfect, thank you very much for the help.
I understand that although it would comply by strengthening adding a rate limit, it would not mitigate the vulnerability 100%.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card