How to prevent excessive numbers of connections to Cisco AnyConnect (FMC & FTD)

skulikov944
Level 1

Good afternoon, colleagues.

Please advise: I have a virtual FMC and FTD in production. Cisco AnyConnect is configured on it with the basic configuration and no additional features. All of this is published to the Internet via a domain name on which only the HTTPS port is available. In other words, at vpn.domain.com an employee can authenticate, download Cisco AnyConnect and work inside the network.
The problem is that not long ago brute-force attempts started from different IP addresses, and the internal RADIUS (Windows Server NPS) now and then locks accounts like administrator, manager, guest and so on.
How can I protect myself against this? I looked at Intrusion -> Network Analysis Policies but could not figure out what to do. How can I fix this problem?


7 Replies

An access-list with the keyword control-plane, applied to the FTD interface.

skulikov944
Level 1

Maybe you have some setup examples, manuals, or links?

I don't believe the control-plane ACL would help in this case, as the traffic to be blocked wouldn't be destined to the FTD itself but rather would pass through and hit the RADIUS server for the authentication attempts. Also, I'm personally not a big fan of the control-plane ACL, especially when you have to use FlexConfig to deploy and maintain it. Please keep in mind that the FTD currently doesn't support blocking geo traffic to itself, not even with the control-plane ACL, which means that if you want to use the control-plane ACL to block traffic from some countries, that has to be done by manually building up the ACL rules. I think the two options that would help you in this case would be using user certificates for authentication, or using 2FA, or both. That way impersonating the users wouldn't be possible.
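The first reply and the answer above both refer to the control-plane ACL without showing what actually goes into it. The following is an added example written for this page; it is not code from the thread, from the linked post, or from Cisco. It reads FTD syslog, picks out RADIUS rejections (Cisco syslog ID 113005, which is the message an AnyConnect login rejected by NPS produces), flags source IPs that are either hammering one account or spraying several accounts (the pattern that locks administrator, manager and guest all at once), and renders the ASA/FTD-style ACL lines you would paste into a FlexConfig object. The log lines are constructed, the interface name `outside` and the names `VPN_BRUTE_BLOCK` / `VPN_BRUTE_BLOCK_SRC` are hypothetical, and the thresholds are arbitrary starting points.

```python
"""Flag VPN brute-force sources in FTD syslog and render a control-plane ACL.

Added example for this page, not code from the thread or from Cisco. The
syslog layout is Cisco message ID 113005; the log lines, the interface name
and the ACL/object-group names below are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Syslog ID 113005 ("AAA user authentication Rejected") is what a RADIUS (here
# NPS) rejection of an AnyConnect login looks like on ASA/FTD. Rejections by
# the local user database use ID 113015 with a different layout and are
# deliberately not matched, since the poster authenticates only against NPS.
REJECT_RE = re.compile(
    r"%(?:ASA|FTD)-\d-113005: AAA user authentication Rejected\s*:\s*"
    r"reason = (?P<reason>.+?)\s*:\s*server = (?P<server>\S+)\s*:\s*"
    r"user = (?P<user>\S+)\s*:\s*user IP = (?P<ip>\S+)"
)

# Constructed sample log: one classic brute-forcer (203.0.113.10), one password
# sprayer (198.51.100.7) and one legitimate user mistyping her password (192.0.2.44).
SAMPLE_LOGS = """\
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = administrator : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = administrator : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = manager : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = guest : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = test : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = root : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = administrator : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = manager : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = guest : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 192.0.2.44
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 192.0.2.44
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 192.0.2.44
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = guest : user IP = 203.0.113.10
"""


def parse_rejects(lines):
    """Return (source_ip, username) for every RADIUS rejection in the lines."""
    rejects = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejects.append((m.group("ip"), m.group("user")))
    return rejects


def find_brute_forcers(lines, min_rejects=5, min_users=3):
    """Map source IP -> sorted usernames tried, for IPs that look hostile.

    An IP is flagged when it reaches min_rejects total failures (brute force
    against one or a few accounts) or tries min_users distinct accounts
    (password spraying, which is what trips NPS lockouts on many accounts).
    A single user fat-fingering a password a few times is not flagged.
    """
    attempts = defaultdict(list)
    for ip, user in parse_rejects(lines):
        attempts[ip].append(user)
    flagged = {}
    for ip, users in attempts.items():
        if len(users) >= min_rejects or len(set(users)) >= min_users:
            flagged[ip] = sorted(set(users))
    return flagged


def render_control_plane_acl(ips, acl_name="VPN_BRUTE_BLOCK", interface="outside"):
    """Render ASA/FTD CLI for a control-plane ACL that drops the given sources.

    The control-plane keyword applies the ACL to traffic addressed to the
    interface itself, which is where the AnyConnect TLS listener lives. Names
    and the interface are assumptions; deploy the lines through FlexConfig.
    """
    group = f"{acl_name}_SRC"
    out = [f"object-group network {group}"]
    for ip in sorted(ips, key=ipaddress.ip_address):
        out.append(f" network-object host {ip}")
    out.append(f"access-list {acl_name} extended deny ip object-group {group} any")
    # A control-plane ACL ends in an implicit deny, so without this permit the
    # VPN listener itself (and management access) would stop answering.
    out.append(f"access-list {acl_name} extended permit ip any any")
    out.append(f"access-group {acl_name} in interface {interface} control-plane")
    return out


if __name__ == "__main__":
    flagged = find_brute_forcers(SAMPLE_LOGS.splitlines())
    for ip, users in flagged.items():
        print(f"{ip}: tried {len(users)} account(s): {', '.join(users)}")
    print("\n".join(render_control_plane_acl(flagged)))
```

The spraying rule is the one that matters for the symptom described in the question: three failures per account stays under most NPS lockout thresholds, so a sprayer shows up as many locked accounts rather than many failures on one. Whatever blocks the sources, the list has to be regenerated as the attackers move to new IPs, which is why the answer above argues for certificates or 2FA as the durable fix rather than ACL maintenance.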

A month ago I was thinking the same, using 2FA, but I see many cases solved by using the control-plane ACL.
This is one of them:
Solved: Block an IP Address Trying to Brute Force into VPN - Cisco Community

The tricky thing with this type of scenario is that even if you block certain countries from hitting the firewall, you can't really guarantee that the allowed countries will only send legitimate traffic, which is challenging. This is why certs and 2FA would be the way to go.

Also, the legacy way we used to use with 2FA, which would just allow you to hit approve when you get the push notification, is not really secure anymore, hence moving to the secure code prompt would be the way to go. In this way, if an attacker is trying to breach your apps and you get the code notification, you won't be able to approve that request because you don't know the 2FA code showing on the attacker's screen that you need before you can approve that request.

Thanks for the explanation. That's what I did for the moment: I implemented certificate authentication with a revocation list. The current plan is 2FA.