Protect RA VPN from Brute force Attack

Debabrata Majhi
Level 1

Hi all,

 

Currently we are using RA VPN on a different firewall; we will enable RA VPN on an FTD managed by FMC.

Flow: External user -> Perimeter firewall FTD -> RA VPN firewall FTD

AAA: Cisco ISE. Authentication is mostly Certificate + OTP.

Now our main concern is how to protect against brute force attacks. We want to stop brute force attacks at the perimeter firewall.

We have an IPS policy on the perimeter firewall. My query is: is the IPS policy enough to stop a brute force attack, or do we need something more, like enabling a WAF layer before packets enter the RA VPN?

I don't want to send packets to ISE and stop access after 3 incorrect passwords or the like; basically I don't want to keep the ISE server busy handling these requests. My objective is that the firewall should stop the brute force attack before sending packets to ISE.

It might be possible that an attacker can run a script without Cisco Secure Client; in that case OTP and certificate-based authentication may not help us.

I need your advice on protecting RA VPN from brute force attacks; based on it we will finalize the design and device.

Advice/suggestions much appreciated.

Regards

Debabrata

8 Replies

Debabrata Majhi
Level 1

Hi MHM

Thanks for your prompt reply. As I understand it, we can only do hardening; it seems there is no method to completely prevent a brute force attack attempt.

Apart from the soft hardening, can we do something more, like any device or software etc. before the RA VPN?

 

Thanks

 

As I mentioned in your other post on this topic, there is no way of preventing this. You can limit the number of authentication attempts, as well as how you authenticate, i.e. certificate, 2factor, etc. Also enable logging of authentications so you can identify if a brute force attempt is happening and act on it.

2factor is good as it will act as an authentication proxy.

--
Please remember to select a correct answer and rate helpful posts
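One way to act on the authentication logging recommended above, written here as an added example that is not part of this thread or of any Cisco product: a small Python script that reads ASA/FTD-style "AAA user authentication Rejected" syslog lines and flags source addresses that accumulate failures inside a sliding time window. The log lines, addresses and usernames are constructed for the example, the message layout is assumed to resemble ASA syslog with timestamps enabled, and the 5-failures-in-5-minutes threshold is an arbitrary starting point to tune against your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. The layout imitates ASA/FTD "AAA user
# authentication Rejected" syslog messages (with "logging timestamp" on), but
# every line, address and username here is invented for this example.
SAMPLE_LOGS = """\
Jun 10 2024 10:00:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = admin : user IP = 203.0.113.9
Jun 10 2024 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = alice : user IP = 203.0.113.5
Jun 10 2024 10:00:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = bob : user IP = 203.0.113.5
Jun 10 2024 10:00:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = carol : user IP = 203.0.113.5
Jun 10 2024 10:00:14 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = dave : user IP = 203.0.113.5
Jun 10 2024 10:00:20 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = erin : user IP = 203.0.113.5
Jun 10 2024 10:00:27 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = frank : user IP = 203.0.113.5
Jun 10 2024 10:01:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = jsmith : user IP = 198.51.100.7
Jun 10 2024 10:01:30 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = jsmith : user IP = 198.51.100.7
Jun 10 2024 10:01:45 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.10 : user = jsmith
Jun 10 2024 10:08:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = admin : user IP = 203.0.113.9
Jun 10 2024 10:16:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = admin : user IP = 203.0.113.9
Jun 10 2024 10:24:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = admin : user IP = 203.0.113.9
Jun 10 2024 10:32:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = admin : user IP = 203.0.113.9
"""

# Matches only rejected authentications and pulls out timestamp, username
# and the client's source address ("user IP").
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-\d+: "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r".*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejection(line):
    """Return (timestamp, source_ip, username) for a rejected-auth line, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs that reach `threshold` rejections inside any sliding window.

    Returns {source_ip: (peak_failures_in_window, distinct_usernames_tried)}.
    Many distinct usernames from one source is the password-spraying pattern;
    one username with many failures is classic single-account guessing.
    """
    events = [e for e in map(parse_rejection, lines) if e]
    events.sort()  # order by timestamp so the window arithmetic is correct
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    users = defaultdict(set)     # ip -> every username seen from that ip
    flagged = {}
    for ts, ip, user in events:
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return {ip: (peak, len(users[ip])) for ip, peak in flagged.items()}


if __name__ == "__main__":
    for ip, (peak, distinct) in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        kind = "spraying" if distinct > 1 else "single-account guessing"
        print(f"{ip}: {peak} failures in window, {distinct} usernames ({kind})")
```

On the constructed input only 203.0.113.5 is flagged: six failures in under 30 seconds against six different usernames, the spraying pattern that a per-account "lock after 3 wrong passwords" rule on ISE would never see, because no single account fails three times. The slow source 203.0.113.9 stays under the radar at this window size, which is the reason to tune the window against real traffic rather than trust one setting. In practice this logic runs on the syslog collector or SIEM, and the flagged addresses feed whatever blocking mechanism the perimeter firewall offers.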

Using certificates as your first level of auth will block all of these on the ASA, and no further AAA processing to username/password or MFA will be done.

Hi Marius,

Thanks a lot for your kind feedback. We are exploring the possibilities to protect as much as we can to secure our new VPN.

Thanks

 

ccieexpert
Level 1

If you implement client-side certificates in addition to password/MFA, that will stop the majority of these attacks right on the FTD firewall, as it doesn't find a cert, so it won't go further to ISE. It may be more work, but if you have MDM or MS CA and domain users, then it's not that difficult.

Hi CCIEEXPERT,

Thanks for your kind advice. Just to clarify this part: "but if you have MDM or MS CA and domain users, then it's not that difficult."

You mean that if we have our own internal PKI, it will secure internal domain users; however, for external domain users we need to share the root CA, intermediate CA and VPN certificate too. It will secure us from brute force attacks for the most part.

Please confirm.

 

Thanks

 

 

Hello

Yes, for external non-domain users, you can also issue a cert from an internal PKI/CA even if they are not part of AD; just put them in a different OU. Yes, it will be more work, but it will give the best security. One more thing to do: most people try to compromise VPNs based on a DNS name that is registered, so if you actually make it a group URL like vpn.mydomain.com/vpncorp or something like that, then it will be more difficult to guess. Someone who tries vpn.mydomain.com will just fail, as there is no tunnel group associated with it. Of course there are pros and cons: if you are using it without profiles, then someone has to remember the entire path.
