06-16-2024 07:42 AM
Hi all,
Now we are using RA VPN on a different firewall. We will enable RA VPN on FTD managed by FMC.
Flow: External user -> Perimeter firewall FTD -> RA VPN firewall FTD ->
AAA: Cisco ISE. Mostly authentication: Certificate + OTP.
Now our main concern is how to protect against brute force attacks. We want to stop brute force attacks at the perimeter firewall.
We have an IPS policy on the perimeter firewall. My queries are: is an IPS policy enough to stop brute force attacks? Or do we need something more, like enabling a WAF layer before packets enter the RA VPN?
I don't want to send the packets to ISE and stop access after 3 incorrect passwords or the like. Basically I don't want to keep the ISE server busy handling these requests. My objective: the firewall should stop the brute force attack before sending packets to ISE.
It might be possible that an attacker can run a script without Cisco Secure Client. In that case OTP and certificate-based authentication may not help us.
Need your advice to protect RA VPN from brute force attacks. Based on that we will finalize the design and device.
Advice/suggestions much appreciated.
Regards
Debabrata
06-16-2024 07:45 AM
06-16-2024 12:40 PM
Hi MHM
Thanks for your prompt reply. As I understand, only hardening is possible; it seems there is no method to completely prevent a brute force attack attempt.
Apart from the soft hardening, can we do something more, like any device or software etc. before the RA VPN?
Thanks
06-17-2024 06:15 AM
As I mentioned in your other post on this topic, there is no way of preventing this. You can limit the number of authentication attempts, as well as how you authenticate, i.e. certificate, 2factor, etc. Also enable logging of authentications so you can identify if a brute force attempt is happening and act on it.
2factor is good as it will act as an authentication proxy.
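To illustrate the logging advice above (identify a brute force attempt from authentication logs and act on it), here is an added example script that is not from this thread and not Cisco code. It parses syslog lines, counts authentication rejections per source IP in a sliding time window, and flags two patterns: a burst of failures from one source, and one source cycling through many usernames (password spraying). The sample log lines are constructed and only loosely modelled on ASA/FTD 113005 authentication-rejection messages; the exact field layout and the message ID match are assumptions, so adjust the regex to whatever your syslog export actually produces. Lines are assumed to arrive in chronological order.

```python
"""Flag brute-force / password-spray sources from VPN auth-failure syslog."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real device). The format is an
# assumption modelled on ASA/FTD 113005 "AAA user authentication Rejected".
SAMPLE_LOGS = """\
Jun 16 2024 07:40:01 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.10
Jun 16 2024 07:40:05 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.10
Jun 16 2024 07:40:09 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.10
Jun 16 2024 07:40:13 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.10
Jun 16 2024 07:40:17 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.10
Jun 16 2024 07:40:21 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.10
Jun 16 2024 07:40:30 fw1 : %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
Jun 16 2024 07:41:00 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Jun 16 2024 07:41:03 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 198.51.100.7
Jun 16 2024 07:41:06 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 198.51.100.7
Jun 16 2024 07:42:00 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = eve : user IP = 192.0.2.44
Jun 16 2024 07:50:00 fw1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = eve : user IP = 192.0.2.44
"""

# Matches only rejection messages; successes and unrelated lines are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-113005: "
    r".*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_line(line):
    """Return (timestamp, user, source_ip) for a rejection line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, window=timedelta(minutes=5),
                      max_failures=5, max_users=3):
    """Sliding-window detector keyed by source IP.

    'burst': >= max_failures rejections from one IP inside `window`.
    'spray': >= max_users distinct usernames rejected from one IP inside `window`.
    Returns {ip: {"failures": n, "users": set, "reasons": set}}.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, user) inside window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        # Evict events that fell out of the window (lines assumed in time order).
        while q and ts - q[0][0] > window:
            q.popleft()
        failures = len(q)
        users = {u for _, u in q}
        reasons = set()
        if failures >= max_failures:
            reasons.add("burst")
        if len(users) >= max_users:
            reasons.add("spray")
        if reasons:
            a = alerts.setdefault(ip, {"failures": 0, "users": set(), "reasons": set()})
            a["failures"] = max(a["failures"], failures)
            a["users"] |= users
            a["reasons"] |= reasons
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {a['failures']} failures, users={sorted(a['users'])}, "
              f"reasons={sorted(a['reasons'])}")
```

The flagged IPs are the input to the "act on it" step, for example feeding a block list or a SIEM alert; the thresholds and window are deliberately parameters, because a single user mistyping a password a few times must not be treated the same as a scripted client hammering the headend.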
06-17-2024 03:47 PM
Using certificates as your first level of auth will block all of these on the ASA, and no further AAA processing to username/password or MFA will be done.
06-23-2024 01:51 PM
Hi Marius,
Thanks a lot for your kind feedback. We are exploring every possibility to protect our new VPN as much as we can.
Thanks
06-16-2024 05:06 PM
If you implement client-side certificates in addition to password/MFA, that will stop the majority of these attacks right on the FTD firewall, as it doesn't find a cert, so it won't go further to ISE. It may be more work, but if you have MDM or MS CA and domain users, then it's not that difficult.
06-23-2024 01:47 PM
Hi CCIEEXPERT,
Thanks for your kind advice. Just to clarify this part: "but if you have MDM or MS CA and domain users, then it's not that difficult."
You meant if we have our own internal PKI, it will secure internal domain users. However, for external domain users we need to share the root CA, intermediate CA and VPN certificate too. It will secure us from brute force attacks majorly.
Please confirm.
Thanks
06-23-2024 04:04 PM
Hello
Yes, for external non-domain users, you can also issue a cert from an internal PKI/CA even if they are not part of AD; just put them in a different OU. Yes, it will be more work, but it will give the best security. One more thing: most people try to compromise VPNs based on a DNS name that is registered, so if you actually make it a group URL like vpn.mydomain.com/vpncorp or something like that, then it will be more difficult to guess. Someone who tries vpn.mydomain.com will just fail, as there is no tunnel group associated with it. Of course there are pros and cons: if you are using it without profiles, then someone has to remember the entire path.
04-28-2025 08:14 PM - edited 04-29-2025 07:45 PM
Hello @Debabrata Majhi, I agree with your previous statement "We are exploring the possible to protect as much as we can to secure our new vpn".
@ccieexpert, referring to your statement "for external user need to put them in different OU": can it prevent AD lockouts?
Looking for a fixed solution, but it seems Cisco has not officially announced one yet for ASA/FTD.
Let's share if anyone has an alternative solution to mitigate this kind of attack.
Thanks,