Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN Spray Attack

Solved
jmorphew
Getting noticed
3 weeks ago
3 weeks ago

VPN Spray Attack

We have a Cisco FTD 1120 that sits behind our Meraki MX250 firewall. We use the FTD for VPN access and nothing else.  We are currently being targeted by a VPN Spray attack, and I would like to manually block the source IP Addresses from attempting to login.  I’ve worked with support and with our current setup this doesn’t seem to be possible.  We’ve taken several other security measures, but I’d still like the option to GeoBlock or manually block them.

I’m looking for general advice on moving our VPN from the FTD to the MX.  We currently use AnyConnect VPN with the Umbrella Roaming client.  I know we would lose our ACLs if we moved to Meraki.  Is there any other consideration?  Or pros and cons of one setup over the other?

Labels:
0 Kudos
Subscribe
1 Accepted Solution
In response to jmorphew
K2_Josh
Building a reputation
3 weeks ago
3 weeks ago

Here's a few advantages of a device running the VPN server behind a separate firewall:

1. There is potentially less of a CPU impact on the VPN server (assuming that Geoblocking consumes CPU). And fastpath could be enabled on the FTD.

2. No logging of the failed connections from the blocked IP ranges(/countries), unless all logs are being ingested back into the same SIEM

3. Not needing to be dependent on MX firmware not supporting certain Any connect features

4. Being able to restart only the VPN server for firmware upgrades.

The advantages of moving VPN to the MX is a simpler configuration and lower licensing costs.

View solution in original post

Subscribe
16 Replies 16
alemabrahao
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

Attempts cannot be blocked because the attempt can come from several different sources and there is no way to predict this. My advice for this first moment is to disable the service.

Remember to use MFA, this will not prevent the attempt, but at least it increases security a little.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
jmorphew
Getting noticed
3 weeks ago
3 weeks ago

I have the source IP list and it's primarily two countries.  The inbound geo-blocking doesn't work because the port forwarding rule supersedes the layer 7 rule.  Looking for more general advice on if moving VPN to the Meraki would be a good idea.  Yes, we have MFA in place.

0 Kudos
Subscribe
In response to jmorphew
alemabrahao
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

I personally think that the MX is very limited in terms of security features (to be honest, I'm not a big fan FTD).
In any case, even if you block the countries of origin, I don't know if it will solve your problem, as they can use a VPN and generate traffic from other countries.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
jmorphew
Getting noticed
3 weeks ago
3 weeks ago

It wouldn't solve the issue, but it would allow me to block the highest volume of attacks and prevent a denial of service.  We originally put in the FTD so we could use AnyConnect, which I understand is now supported by Meraki.  I'm interested in how Meraki would different in our ability to respond to the spray attack, but also overall differences between using MX and FTD for VPN.

0 Kudos
Subscribe
In response to jmorphew
alemabrahao
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

In fact, the correct thing would be for you to contract a service with your ISP to prevent denial of service attacks.

You can try to block it but the problem will return soon. I'm saying this from my own experience.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
mlefebvre
Building a reputation
3 weeks ago
3 weeks ago

Chatter on the Cisco forums alleges that the geoblocking you are looking for may be coming this summer, however I think you would be much happier overall if you were to pair Anyconnect with an MFA provider that has conditional access policies that allow geoblocking.

Cisco discussion: https://community.cisco.com/t5/network-security/cisco-ftd-vpn-access-geolocation-block-for-control-p...

 

Conditional Access policy providers:

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-...

https://duo.com/blog/easily-enable-conditional-access-by-country-with-duo

https://developers.onelogin.com/quickstart/geoblock

https://jumpcloud.com/support/configure-a-conditional-access-policy

 

 

 

0 Kudos
Subscribe
jmorphew
Getting noticed
3 weeks ago
3 weeks ago

Conditional access on our MFA provider is a good idea, thanks.  We can't implement some of the Cisco FTD features because it's behind the MX and doesn't have visibility to the source IP.  

0 Kudos
Subscribe
K2_Josh
Building a reputation
3 weeks ago
3 weeks ago

The FTD platform allows GeoBlocking/GeoAllow and IP firewall rules for VPN access.

Why not add the rules to the FTD?

0 Kudos
Subscribe
In response to K2_Josh
jmorphew
Getting noticed
3 weeks ago
3 weeks ago

The FTD does not see the source IP because it's behind the MX.  That is what I was told my the network engineer helping us anyway.

0 Kudos
Subscribe
In response to jmorphew
K2_Josh
Building a reputation
3 weeks ago
3 weeks ago

Is Static NAT configured on the MX? Meraki calls this 1:1 NAT.

If so, the inbound traffic should maintain the source IP address.

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

0 Kudos
Subscribe
In response to K2_Josh
jmorphew
Getting noticed
3 weeks ago
3 weeks ago

Yes, a 1:1 NAT is configured for the FTD.  Thanks for that tip, that is not how it was explained to me.  Let me reach out to the engineer, that would give us quite a few more options on the FTD.

0 Kudos
Subscribe
K2_Josh
Building a reputation
3 weeks ago
3 weeks ago

Also, I would try adding outbound firewall rules on the MX. That should prevent an actual attack and may cause the logging of such attempts to stop, depending on how logging and alerting is configured.

0 Kudos
Subscribe
In response to K2_Josh
jmorphew
Getting noticed
3 weeks ago
3 weeks ago

thanks, yes I do have outbound traffic blocked on the MX.

0 Kudos
Subscribe
jmorphew
Getting noticed
3 weeks ago
3 weeks ago

I contacted support and it sounds like if we moved our VPN to the MX, the (IDS/IPS) powered by Snort would be able to respond to this sort of attack on our behalf.  That seems like a good option for us.  Does anyone have high level advice on moving VPN from the Firepower to the MX?  Any pros or cons I might be overlooking?

0 Kudos
Subscribe
In response to jmorphew
alemabrahao
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

Take a look at the documentation.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to jmorphew
K2_Josh
Building a reputation
3 weeks ago
3 weeks ago

Here's a few advantages of a device running the VPN server behind a separate firewall:

1. There is potentially less of a CPU impact on the VPN server (assuming that Geoblocking consumes CPU). And fastpath could be enabled on the FTD.

2. No logging of the failed connections from the blocked IP ranges(/countries), unless all logs are being ingested back into the same SIEM

3. Not needing to be dependent on MX firmware not supporting certain Any connect features

4. Being able to restart only the VPN server for firmware upgrades.

The advantages of moving VPN to the MX is a simpler configuration and lower licensing costs.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.