07-01-2023 03:36 AM
Good afternoon colleagues.
Please advise: I have a virtual FMC and FTD in production, and Cisco AnyConnect is configured with the basic configuration and no additional features. All of this is published to the Internet via a domain name where only the HTTPS port is available. In other words, at vpn.domain.com an employee can authenticate, download Cisco AnyConnect, and work inside the network.
The problem is that not long ago brute-force attempts started from different IP addresses, and the internal RADIUS (Windows Server NPS) now and then locks out accounts like administrator, manager, guest, and so on.
How can I protect against this? I looked at Intrusion -> Network Analysis Policies but did not figure out what to do. How can I fix this problem?
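The first thing a practitioner wants here is to see the brute force in the FTD's own logs rather than only as NPS lockouts: the FTD emits syslog message 113005 for every rejected AAA authentication, and it carries the username and the client IP. The script below is an added example, not anything from the original post; it parses constructed sample lines in the 113005 format (RFC 5737 addresses, hypothetical hostname ftd01 and RADIUS server 10.10.0.5), flags sources that produce a burst of rejections across many usernames, and renders ASA/FTD-style deny lines for a hypothetical ACL named CP_ACL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog, modelled on FTD/ASA message 113005 (AAA user
# authentication Rejected). Addresses are RFC 5737 documentation ranges; the
# hostname, RADIUS server and usernames are made up for the example.
SAMPLE_LOG = """\
Jul 01 2023 01:00:00 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = administrator : user IP = 192.0.2.44
Jul 01 2023 01:30:00 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = administrator : user IP = 192.0.2.44
Jul 01 2023 02:00:00 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = administrator : user IP = 192.0.2.44
Jul 01 2023 02:30:00 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = administrator : user IP = 192.0.2.44
Jul 01 2023 03:00:00 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = administrator : user IP = 192.0.2.44
Jul 01 2023 03:10:01 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = administrator : user IP = 198.51.100.23
Jul 01 2023 03:10:09 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = manager : user IP = 198.51.100.23
Jul 01 2023 03:10:17 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = guest : user IP = 198.51.100.23
Jul 01 2023 03:10:26 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = admin : user IP = 198.51.100.23
Jul 01 2023 03:10:40 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = test : user IP = 198.51.100.23
Jul 01 2023 03:11:02 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = root : user IP = 198.51.100.23
Jul 01 2023 03:12:15 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = j.smith : user IP = 203.0.113.7
Jul 01 2023 03:12:31 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = j.smith : user IP = 203.0.113.7
Jul 01 2023 03:12:40 ftd01 : %FTD-6-113004: AAA user authentication Successful : server = 10.10.0.5 : user = j.smith
"""

# Only 113005 (rejected) lines match; 113004 (successful) and anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %FTD-6-113005: "
    r"AAA user authentication Rejected : reason = .*? : server = \S+ : "
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for every rejected-authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        yield ts, m.group("user"), m.group("ip")


def find_brute_force_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for each source that produced at least `threshold`
    rejections inside some sliding interval of length `window`. A slow trickle
    of failures (one every 30 minutes) is deliberately not flagged."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        flagged[ip] = {
            "failures": len(events),
            "users": sorted({u for _, u in events}),  # many users = password spraying
            "first_seen": times[0],
            "last_seen": times[-1],
        }
    return flagged


def control_plane_acl_lines(flagged, acl="CP_ACL"):
    """Render ASA/FTD-style access-list lines that deny the flagged sources
    to-the-box on 443 for both TLS (tcp) and DTLS (udp). ACL name is hypothetical."""
    lines = []
    for ip in sorted(flagged):
        lines.append(f"access-list {acl} extended deny tcp host {ip} any eq https")
        lines.append(f"access-list {acl} extended deny udp host {ip} any eq 443")
    return lines


if __name__ == "__main__":
    hits = find_brute_force_sources(SAMPLE_LOG)
    for ip, s in hits.items():
        print(f"{ip}: {s['failures']} failures across {len(s['users'])} users "
              f"({', '.join(s['users'])}) from {s['first_seen']} to {s['last_seen']}")
    print("\n".join(control_plane_acl_lines(hits)))
```

On the sample data only 198.51.100.23 is flagged: six rejections for six different usernames within about a minute, which is the spraying pattern behind the lockouts the post describes. The two typos from 203.0.113.7 and the slow series from 192.0.2.44 stay below the threshold, so a blocklist generated this way does not catch a legitimate user who mistypes a password.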
07-01-2023 03:50 AM
An access-list with the control-plane keyword, applied to the FTD interface.
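The control-plane ACL this reply refers to, as an added example rather than the poster's own configuration: these are the ASA-syntax lines a FlexConfig object would push to the FTD. The ACL name, object-group name, interface name and addresses (RFC 5737 ranges) are hypothetical.

```cisco
! Hypothetical sources seen brute-forcing the VPN portal
object-group network BRUTE_FORCE_SOURCES
 network-object host 198.51.100.23
 network-object 203.0.113.0 255.255.255.0
! Deny the AnyConnect portal/tunnel ports: TLS on tcp/443 and DTLS on udp/443
access-list CP_ACL extended deny tcp object-group BRUTE_FORCE_SOURCES any eq https
access-list CP_ACL extended deny udp object-group BRUTE_FORCE_SOURCES any eq 443
! The control-plane ACL has an implicit deny at the end, so without this line
! ALL to-the-box traffic on the interface (VPN, management) is dropped
access-list CP_ACL extended permit ip any any
! control-plane: applies to traffic destined to the FTD itself, not through it
access-group CP_ACL in interface outside control-plane
```

Two practical points: keep the final permit, since the implicit deny would otherwise lock every client and administrator out of the outside interface; and, because FlexConfig re-applies the object on each deployment, additions to the object-group belong in the same FlexConfig object so the blocklist does not drift from what is actually on the box.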
07-01-2023 04:04 AM
Maybe you have some examples of setups, manuals, or links?
07-01-2023 04:08 AM
07-01-2023 04:19 AM - edited 07-01-2023 04:20 AM
I don't believe the control plane ACL would help in this case, as the traffic to be blocked wouldn't be destined to the FTD itself; rather, it would pass through and hit the RADIUS server for the authentication attempts. Also, I'm personally not a big fan of the control plane ACL, especially when you have to use FlexConfig to deploy and maintain it. Please also keep in mind that the FTD currently doesn't support blocking geo traffic to itself, not even with the control plane ACL, which means that if you potentially want to use the control plane ACL to block traffic from some countries, that has to be done through a manual build-up of the ACL rules. I think the two options that would help you in this case would be using user certificates for authentication, or using 2FA, or both. That way, impersonating the users wouldn't be possible.
07-01-2023 04:30 AM - edited 07-01-2023 04:34 AM
A month ago I was thinking the same, using 2FA, but I see many cases solved by using a control plane ACL.
This is one of them:
Solved: Block an IP Address Trying to Brute Force into VPN - Cisco Community
07-01-2023 04:40 AM - edited 07-01-2023 04:42 AM
The tricky thing with this type of scenario is that even if you block certain countries from hitting the firewall, you can't really guarantee that the allowed countries will only send legitimate traffic, which is challenging. This is why certs and 2FA would be the way to go.
Also, the legacy way we used to use with 2FA, which would just allow you to hit approve when you get the push notification, is not really secure anymore, hence moving to the secure code prompt would be the way to go. In this way, if an attacker is trying to breach your apps and you get the code notification, you won't be able to approve that request because you don't know the 2FA code showing on the attacker's screen that you need before you can approve that request.
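The difference between a plain push approval and the code prompt (number matching) described in this reply, as an added example that is not part of the thread and not any vendor's API: a toy push-MFA backend with both modes, plus a simulation of the push-fatigue attack in which an attacker who already guessed the password triggers a push to the real user's phone. All names and the two-digit code format are assumptions of the example.

```python
import secrets


class PushMfa:
    """Toy push-MFA backend (constructed illustration, not a vendor API).

    number_matching=False: a tap on the phone approves whatever request is pending.
    number_matching=True:  the tap succeeds only if the user also types the code
                           that was displayed on the screen of the *requesting* client.
    """

    def __init__(self, number_matching):
        self.number_matching = number_matching
        self.pending = {}    # request_id -> {"user", "client_ip", "code"}
        self.approved = set()

    def start_login(self, user, client_ip):
        """Called after the password check passed. Returns the request id and the
        code shown on the requesting client's screen (None without number matching)."""
        request_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(100):02d}" if self.number_matching else None
        self.pending[request_id] = {"user": user, "client_ip": client_ip, "code": code}
        return request_id, code

    def approve(self, request_id, entered_code=None):
        """Called from the user's phone. Returns True if the login is now approved.
        Each request can be answered once; a wrong or missing code consumes it."""
        req = self.pending.pop(request_id, None)
        if req is None:
            return False
        if self.number_matching:
            if entered_code is None or not secrets.compare_digest(entered_code, req["code"]):
                return False
        self.approved.add(request_id)
        return True

    def is_approved(self, request_id):
        return request_id in self.approved


def simulate_push_fatigue(number_matching, victim_types=None):
    """Attacker (hypothetical IP 198.51.100.23) logs in as 'manager' with a guessed
    password; the push lands on the victim's phone. The victim never sees the code
    on the attacker's screen and either just taps approve or types `victim_types`.
    Returns True if the attacker's session ended up approved."""
    mfa = PushMfa(number_matching)
    request_id, code_on_attacker_screen = mfa.start_login("manager", "198.51.100.23")
    mfa.approve(request_id, entered_code=victim_types)   # victim reacts to the push
    return mfa.is_approved(request_id)


def simulate_legitimate_login(number_matching):
    """The real user logs in from their own laptop and, if asked, types the code
    they can see on their own screen. Returns True if approved."""
    mfa = PushMfa(number_matching)
    request_id, code_on_own_screen = mfa.start_login("manager", "192.0.2.10")
    mfa.approve(request_id, entered_code=code_on_own_screen)
    return mfa.is_approved(request_id)


if __name__ == "__main__":
    print("push-only, attacker approved:", simulate_push_fatigue(False))        # True
    print("number matching, attacker approved:", simulate_push_fatigue(True))   # False
    print("number matching, real user approved:", simulate_legitimate_login(True))  # True
```

The point the simulation makes concrete: with plain push, the thing the user proves by tapping is only "I have the phone", which the attacker can exploit by sending pushes until one is tapped. With number matching the user also has to prove "I can see the login screen that triggered this push", and that is exactly what the attacker cannot give them. A two-digit code still leaves a 1-in-100 guess if the victim types a random number, so the code should be shown, never guessed, and repeated wrong codes should lock the request.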
07-07-2023 04:41 AM
Thanks for the explanation. That's what I have done for the moment: I implemented certificate authentication with a revocation list. The current plan is 2FA.