Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1582
Views
0
Helpful
9
Replies

Protect RA VPN from Brute force Attack

Debabrata Majhi
Level 1
Level 1

‎06-16-2024 07:42 AM

Hi all,

 

Now we are using RA VPN in Different firewall ,Will enable RA VPN In FTD manage by FMC 

Flow -External user -Permitter firewall FTD -RA VPN firewall FTD -

AAA-Cisco ISE -Mostly Authentication -Certificate + OTP 

Now our main concern is how to protect the Brute force attack ,We want to stop brute force attack from Perimeter firewall 

We have IPS Policy in Permitter  firewall  -My queries  is - IPS Policy enough to stop brute force attack ? or We need something more Like ,we need to enable WAF layer before entering packet to RA VPN ?

I don't want to send packet to ISE and stop access post 3 incorrect password  like that ,Basically I don't want to busy ISE server to handle this request -My Objective Firewall should stop the brute force attack before send packet to ISE 

As It might be possible that attacker can run scrip without Cisco secure client -In that case  OTP and certificate base authentication may not help us .

Need your advice to protect RA VPN from Brute force attack -Based on will finalize the design and device 

Advice/Suggestion much appreciated

Regards

Debabrata

0 Helpful
9 Replies 9

Debabrata Majhi
Level 1
Level 1

‎06-16-2024 12:40 PM

Hi MHM

Thanks for your prompt reply ,As I can understand only hardening we can do ,seems there is no method to completely prevent a brute force attack attempt,

Apart form the soft hardening  ,Can we do something more like  any  device  or software etc before RA VPN

 

Thanks

 

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Debabrata Majhi

‎06-17-2024 06:15 AM

As I mentioned in your other post on this topic, there is no way of preventing this.  You can limit the number of authentication attempts, as well as how you authenticate, i.e. certificate, 2factor, etc.  Also enable logging of authentications so you can identify if a brute force attempt is happening and act on it.

2factor is good as it will act as an authentication proxy.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

ccieexpert
VIP
VIP
In response to Marius Gunnerud

‎06-17-2024 03:47 PM

using certifcates as your first level of auth will block all of these on the ASA and no further AAA processing to username/password or MFA will be done..

0 Helpful

Debabrata Majhi
Level 1
Level 1
In response to Marius Gunnerud

‎06-23-2024 01:51 PM

Hi Marius,

Thanks a lot your kind feedback ,We are exploring the possible  to protect as much as we can to secure our new vpn.

Thanks

 

0 Helpful

ccieexpert
VIP
VIP

‎06-16-2024 05:06 PM

if you implement client side certificates in addition to password/MFA, that will be stop majority of these attacks right on the FTD firewall as it doesnt find a cert, so it wont go further to ISE... it may be more work, but if you have MDM or MS CA and domian users, then its not that difficult.

0 Helpful

Debabrata Majhi
Level 1
Level 1
In response to ccieexpert

‎06-23-2024 01:47 PM

Hi CCIEEXPERT,

Thanks for your kind advice ,Just to clarify this part "but if you have MDM or MS CA and domian users, then its not that difficult."

You meant if we have own internal PKI ,It will be secure internal domain user ,However for external domain user we need to share the root CA, Intermediate CA and VPN certificate too -It will secure us from brute force attack majorly 

Please confirm 

 

Thaks

 

 

0 Helpful

ccieexpert
VIP
VIP
In response to Debabrata Majhi

‎06-23-2024 04:04 PM

hello

yes for external non domain user, also you can issue a cert from a internal PKI/CA even if they are not part of AD.. just put them in a different OU.. yes it will be more work but will give the best security.. one more thing to do is most people try to compromise VPNs based on a DNS that is registered... so if you actually make it a group url like vpn.mydomain.com/vpncorp or something like that then it will be more difficult to guess.. so someone who tries vpn.mydomain.com will just fail as there is not a tunnelgroup associated with it... ofcourse there are pros and cons.. if you are using without profiles, then someone has to remember the entire path...

0 Helpful

Da ICS16
Level 1
Level 1
In response to ccieexpert

‎04-28-2025 08:14 PM - edited ‎04-29-2025 07:45 PM

Hello @Debabrata Majhi agree with your previous statement "We are exploring the possible  to protect as much as we can to secure our new vpn".

 

@ccieexpert refer to your statement "for external user need to put them in different OU". Is it can prevent AD locked out?

Looking for fixed solution but seem Cisco not official announce it yet for ASA/FTD.

Let share if everyone has alternative solution to mitigate such kind of this attack.

Thanks,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card