Cisco adds brute force protection for multiple ASA and FTD versions
Cisco gives admins tips on how to defend against brute force attacks on VPN logins on ASA and FTD devices. The protective functions are now available for more firmware versions.
Vulnerabilities threaten Cisco devices.
(Image: created with AI in Bing Designer by heise online / dmk)
Since password spraying and brute force attacks on VPN logins became more frequent in April, Cisco has provided guidance on how to secure VPNs. Since then, Cisco has updated the guide several times and has also added the protective functions, which must be explicitly enabled, to further firmware versions of ASA and FTD appliances. Admins should know these functions and activate them.
Cisco's guide first outlines the underlying problem: attackers try to gain unauthorized access to user accounts by trying a few commonly used passwords against many accounts (password spraying). In the worst case the attackers gain full access and can completely compromise the affected device. Even unsuccessful attempts consume resources, however, and can cause a denial of service, so that legitimate users can no longer reach the network via VPN.
Detecting attacks
To detect password spraying attacks, for example, it is necessary to monitor the system logs and use certain "show" commands. An unusually high rate of rejected authentication attempts indicates an attack; such rejections appear in the logs under the ASA syslog IDs %ASA-6-113015, %ASA-6-113005 or %ASA-6-716039.
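The log-based detection described above, as an added example that is neither heise's nor Cisco's code: it keys on the three syslog IDs the article names, counts rejected authentications per source IP inside a sliding time window, and distinguishes password spraying (one source, many user names) from classic brute force (one source, one user name). The line layout, the field names it parses for user and IP, the default window of 10 minutes and threshold of 20 rejects are this example's own assumptions, and the sample log lines are constructed.

```python
"""Detect VPN password-spraying / brute-force activity in ASA syslog lines.

Added example for this article; not code from heise or from Cisco.
Assumptions: the log line layout, the user/IP field names, and the
window/threshold defaults are choices made for this example; the sample
lines returned by sample_lines() are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog message IDs the article lists as indicators of rejected logins.
REJECT_IDS = {"113015", "113005", "716039"}

# Assumed line layout: "<Mon DD HH:MM:SS> <host> %ASA-<sev>-<id>: <body>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)$"
)
# Two assumed body styles: "user = NAME ... user IP = ADDR" (113005/113015)
# and "User <NAME> IP <ADDR>" (716039).
USER_RE = re.compile(r"(?:user = |User <)(?P<user>[^\s:>]+)")
IP_RE = re.compile(r"(?:user IP = |IP <)(?P<ip>[0-9A-Fa-f.:]+)")


def parse_line(line):
    """Return a dict for a rejected-authentication line, None for anything else."""
    m = LINE_RE.match(line)
    if not m or m.group("id") not in REJECT_IDS:
        return None
    body = m.group("body")
    user = USER_RE.search(body)
    ip = IP_RE.search(body)
    return {
        # Syslog timestamps carry no year; strptime defaults it to 1900,
        # which is fine for ordering events within one capture.
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "id": m.group("id"),
        "user": user.group("user") if user else None,
        "ip": ip.group("ip") if ip else None,
    }


def find_offenders(lines, window=timedelta(minutes=10), threshold=20,
                   spray_users=5):
    """Sources with >= threshold rejects inside any `window`, labelled by pattern."""
    events = [e for e in map(parse_line, lines) if e and e["ip"]]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    offenders = {}
    for ip, evs in by_ip.items():
        peak, start, users = 0, 0, set()
        for i, e in enumerate(evs):
            # Advance the window start until it spans at most `window`.
            while evs[i]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, i - start + 1)
            if e["user"]:
                users.add(e["user"])
        if peak >= threshold:
            offenders[ip] = {
                "peak_in_window": peak,
                "distinct_users": len(users),
                "pattern": ("password spraying" if len(users) >= spray_users
                            else "brute force"),
            }
    return offenders


def sample_lines():
    """Constructed syslog lines: one spraying source, one brute-force source,
    one benign source with two typos, plus an unrelated message."""
    lines = []
    # 203.0.113.7 tries 24 different user names within four minutes.
    for n in range(24):
        lines.append(
            f"Jun 17 10:{n // 6:02d}:{(n % 6) * 10:02d} asa-fw %ASA-6-113015: "
            f"AAA user authentication Rejected : reason = User was not found : "
            f"local database : user = user{n:02d} : user IP = 203.0.113.7"
        )
    # 198.51.100.9 hammers the single account 'admin' 22 times.
    for n in range(22):
        lines.append(
            f"Jun 17 10:{n // 6:02d}:{(n % 6) * 10 + 5:02d} asa-fw %ASA-6-716039: "
            f"Group <DfltGrpPolicy> User <admin> IP <198.51.100.9> "
            f"Authentication: rejected, Session Type: WebVPN."
        )
    # 192.0.2.33: two failed attempts, then nothing.
    for n in range(2):
        lines.append(
            f"Jun 17 10:0{n}:30 asa-fw %ASA-6-113005: AAA user authentication "
            f"Rejected : reason = Invalid password : server = 192.0.2.10 : "
            f"user = alice : user IP = 192.0.2.33"
        )
    lines.append("Jun 17 10:05:00 asa-fw %ASA-6-302013: Built inbound TCP connection")
    return lines


if __name__ == "__main__":
    for ip, info in find_offenders(sample_lines()).items():
        print(ip, info)
```

Feeding a real syslog export into `find_offenders()` requires only that the line prefix matches the assumed layout; the per-source window count mirrors the idea behind the device-side threshold, while the distinct-user count is what separates spraying from a single noisy account.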
Logging must be enabled first for these events to appear at all. The second step is to configure threat detection for the remote access VPN services. These detections automatically block IPv4 sources once adjustable thresholds are exceeded. Three detections are available: "Repeated failed authentication attempts", "Client initiation attacks" (attackers start a connection attempt but never complete it) and "Connection attempts to invalid remote access VPN services" (attackers try to connect to tunnel groups that are intended exclusively for internal device functions).
Previously, the functions were only available for some ASA and FTD versions, but Cisco has now extended their availability. They are available for Cisco ASA 9.16(4)67, 9.17(1)45, 9.18(4)40, 9.19(1)37, 9.20(3) and 9.22(1.1) and later releases within the respective branches, and for Cisco FTD 7.0.6.3, 7.2.9, 7.4.2.1 and 7.6.0 and later. The FTD branches 7.1 and 7.3 have not yet received the functions. Cisco admins should work through the instructions once and also evaluate the hardening suggestions under "Option 2".
(dmk)