Request Solutions to Mitigate Brute-Force Attacks on AnyConnect VPN

ALI12
Level 1

Dear Team,

We are currently using AnyConnect VPN, with authentication for domain users managed through the RADIUS server.

Recently, we've noticed persistent brute-force attacks targeting non-existent user accounts from various countries.

Given our current setup on the ASA 5516 (version 9.12(4)2), is it possible to implement country-based whitelisting to restrict login attempts?

Alternatively, are there other solutions or best practices we could consider to enhance security?

Your recommendations and suggestions would be greatly appreciated.

Accepted Solutions

@ALI12 refer to this guide for more information; it has the latest recommendations from Cisco to protect against brute-force attacks.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

There is no Geolocation that can filter traffic "to" the ASA itself. You could configure a control-plane and allow or explicitly deny certain networks, although that is not a great solution. Otherwise, install an FTD with Geolocation in front of the ASA or use an MFA which also has Geolocation functionality.

Thank you, @Rob Ingram, for sharing your insights!

Which option do you think is better: control-plane or using FTD?

@ALI12 The control-plane ACL on the ASA is not very scalable and takes a lot of effort to set up and maintain. Using an FTD with Geolocation in front of the ASA to permit/restrict traffic is the best solution, albeit there will be a cost involved.
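One way to draft the control-plane ACL entries discussed above from the ASA's own rejected-authentication logs, as an added example that is not part of the original thread or of Cisco's guide. The ACL name `CP-DENY`, the interface name `outside`, the threshold, the allow list and the sample log lines are assumptions; the output is a draft to review before applying.

```python
import re
from collections import Counter
from ipaddress import AddressValueError, IPv4Address

# Constructed sample input, modelled on ASA syslog message 113005.
_REJ = ("%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure"
        " : server = 10.0.0.5 : user = ***** : user IP = {}")
SAMPLE_LOG = "\n".join(
    [_REJ.format("203.0.113.10")] * 5
    + [_REJ.format("198.51.100.7")] * 3
    + [_REJ.format("192.0.2.44")]
    + ["%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice"]
)

REJECTED = re.compile(r"%ASA-6-113005: .*\buser IP = (\S+)")


def failed_by_source(log_text):
    """Count rejected AAA authentications per IPv4 source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REJECTED.search(line)
        if not match:
            continue
        try:
            counts[str(IPv4Address(match.group(1)))] += 1
        except AddressValueError:
            continue  # malformed or non-IPv4 field: leave for manual review
    return counts


def draft_control_plane_acl(counts, threshold=3, allow=(),
                            acl="CP-DENY", interface="outside"):
    """Return draft ASA config lines denying sources at or above threshold."""
    offenders = sorted(
        (ip for ip, n in counts.items() if n >= threshold and ip not in allow),
        key=IPv4Address,
    )
    if not offenders:
        return []
    lines = [f"access-list {acl} extended deny ip host {ip} any" for ip in offenders]
    # Explicit permit so every source not listed above is still allowed through.
    lines.append(f"access-list {acl} extended permit ip any any")
    lines.append(f"access-group {acl} in interface {interface} control-plane")
    return lines


if __name__ == "__main__":
    print("\n".join(draft_control_plane_acl(failed_by_source(SAMPLE_LOG))))
```

Sources that stay under the threshold, such as attempts spread thinly across many addresses, do not appear in the draft, and the list has to be regenerated as sources change.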

@Rob Ingram 

Thank you so much; I truly appreciate it.

ALI12
Level 1

Dear Admin,

Could you please remove the topic I posted? I have already reposted it in the correct group, as shown below:

https://community.cisco.com/t5/vpn/request-solutions-to-mitigate-brute-force-attacks-on-anyconnect/m-p/5207838#M297464