Firepower FTD/ASA: Block Anyconnect brute force attack

on


Situation:

Attacker attempts to connect Anyconnect, Anyconnect sends authentication to ISE, ISE sends authentication to AD. In ISE logs, there are lots failed Radius requests with non-exist username, AD is overwhelmed, can't process more legitimate AD authentication request. During this attack, ISE normally is not the one get overwhelmed.  

Anyconnect user's public IP is in Radius attribute calling-station-ID

Issue:

1. ISE failed authentication suppression seems only for existing user accounts.

2. FTD /ASA Anyconnect doesn't have the ability to filter source IP geo location.

3. FTD Security Intelligence doesn't block IP to AC

4. FTD Prefilter policy doesn't work. 


Cisco Enhancement request:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322?rfs=iqvred


Anyconnect authentication failure syslog message

ASA

local user DB default

Feb 04 2025 20:38:32: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = tom: user IP = 192.168.2.151

After change syslog severity:

ASA(config)#logging message 113015 level warnings

Feb 04 2025 20:40:30: %ASA-4-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = tom: user IP = 192.168.2.151





Solution:

1. "shun"  command on FTD/ADA CLI

2. deny attacker's IP in control plane ACL in appendix 1

3. enable anti-spoof on FW AC interface, create null0 route for attacker's IP.



 

================================

Appendix 1

1.         1. Add FlexConfig Object as below, replace with real IP and interface name.









 

 

2.       2. Configure FlexConfig Poilcy, apply  the FlexConfig Object














 

3.       3. Deploy policy



==========



Appendix 2

1. enable reverse path check 




2. Create null0 route for attackers




New Cisco ASA and FTD features block VPN brute-force password attacks


https://www.bleepingcomputer.com/news/security/new-cisco-asa-and-ftd-features-block-vpn-brute-force-password-attacks/

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html

ASA:

threat-detection service invalid-vpn-access
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
threat-detection service remote-access-authentication hold-down 10 threshold 20




Implement Hardening Measures for Secure Client AnyConnect VPN

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html


These threat detection features are currently supported in the Cisco Secure Firewall versions listed next:

ASA Software:

  • 9.16 version train -> supported from 9.16(4)67 and newer versions within this specific train.
  • 9.17 version train -> supported from 9.17(1)45 and newer versions within this specific train.
  • 9.18 version train -> supported from 9.18(4)40 and newer versions within this specific train.
  • 9.19 version train -> supported from 9.19(1).37 and newer versions within this specific train.
  • 9.20 version train -> supported from 9.20(3) and newer versions within this specific train.
  • 9.22 version train -> supported from 9.22(1.1) and any newer versions.

FTD Software:

  • 7.0 version train -> supported from 7.0.6.3 and newer versions within this specific train.
  • 7.2 version train -> supported from 7.2.9 and newer version within this specific train.
  • 7.4 version train -> supported from 7.4.2.1 and newer version within this specific train.
  • 7.6 version train -> supported from 7.6.0 and any newer versions.

Comments

Post a Comment