VPN Spray Attack

Solved
jmorphew
Getting noticed

We have a Cisco FTD 1120 that sits behind our Meraki MX250 firewall. We use the FTD for VPN access and nothing else.  We are currently being targeted by a VPN Spray attack, and I would like to manually block the source IP Addresses from attempting to login.  I’ve worked with support and with our current setup this doesn’t seem to be possible.  We’ve taken several other security measures, but I’d still like the option to GeoBlock or manually block them.

I’m looking for general advice on moving our VPN from the FTD to the MX.  We currently use AnyConnect VPN with the Umbrella Roaming client.  I know we would lose our ACLs if we moved to Meraki.  Is there any other consideration?  Or pros and cons of one setup over the other?

1 Accepted Solution
K2_Josh
Building a reputation

Here are a few advantages of a device running the VPN server behind a separate firewall:

1. There is potentially less of a CPU impact on the VPN server (assuming that Geoblocking consumes CPU). And fastpath could be enabled on the FTD.

2. No logging of the failed connections from the blocked IP ranges (or countries), unless all logs are being ingested back into the same SIEM.

3. Not needing to be dependent on MX firmware not supporting certain AnyConnect features.

4. Being able to restart only the VPN server for firmware upgrades.

The advantages of moving VPN to the MX are a simpler configuration and lower licensing costs.

alemabrahao
Kind of a big deal

Attempts cannot be blocked because the attempt can come from several different sources and there is no way to predict this. My advice for this first moment is to disable the service.

Remember to use MFA, this will not prevent the attempt, but at least it increases security a little.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
jmorphew
Getting noticed

I have the source IP list and it's primarily two countries.  The inbound geo-blocking doesn't work because the port forwarding rule supersedes the layer 7 rule.  Looking for more general advice on if moving VPN to the Meraki would be a good idea.  Yes, we have MFA in place.
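Added example, not code from any poster in this thread: a defender-side triage script that runs over Cisco ASA/FTD syslog message 113005 (AAA authentication rejected) and groups failed VPN logins by source IP, flagging the spray pattern described here (many usernames from one source). The log lines, addresses and threshold are constructed; if the head-end sits behind a port-forwarding rule as described above, every line would carry the same inside address and the per-source grouping would be meaningless, which `source_visibility_ok` checks.

```python
import re
from collections import defaultdict

# Field layout of the ASA/FTD 113005 syslog message; the values below are constructed.
AUTH_REJECT = re.compile(
    r"%(?:ASA|FTD)-\d-113005: AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOGS = """\
%FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
%FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
%FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 198.51.100.7
%FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 198.51.100.7
%FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.21
%FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.21
%FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 192.0.2.9
"""


def failures_by_source(log_text):
    """Map each source IP to (set of usernames tried, number of failures)."""
    users = defaultdict(set)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = AUTH_REJECT.search(line)
        if not m:
            continue
        users[m.group("ip")].add(m.group("user"))
        failures[m.group("ip")] += 1
    return {ip: (users[ip], failures[ip]) for ip in users}


def spray_sources(log_text, min_users=3):
    """Return {ip: (distinct_user_count, failure_count)} for sources whose failures
    spread across at least min_users accounts: the spray pattern, as opposed to
    repeated attempts against a single account (203.0.113.21 in the sample)."""
    return {
        ip: (len(u), n)
        for ip, (u, n) in failures_by_source(log_text).items()
        if len(u) >= min_users
    }


def source_visibility_ok(log_text):
    """False when every rejected login carries the same client address, the symptom
    of a port-forwarding NAT hiding the real source from the VPN head-end."""
    return len(failures_by_source(log_text)) > 1
```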

alemabrahao
Kind of a big deal

I personally think that the MX is very limited in terms of security features (to be honest, I'm not a big fan of FTD).
In any case, even if you block the countries of origin, I don't know if it will solve your problem, as they can use a VPN and generate traffic from other countries.

jmorphew
Getting noticed

It wouldn't solve the issue, but it would allow me to block the highest volume of attacks and prevent a denial of service.  We originally put in the FTD so we could use AnyConnect, which I understand is now supported by Meraki.  I'm interested in how Meraki would differ in our ability to respond to the spray attack, but also overall differences between using MX and FTD for VPN.

alemabrahao
Kind of a big deal

In fact, the correct thing would be for you to contract a service with your ISP to prevent denial of service attacks.

You can try to block it but the problem will return soon. I'm saying this from my own experience.

mlefebvre
Building a reputation

Chatter on the Cisco forums alleges that the geoblocking you are looking for may be coming this summer, however I think you would be much happier overall if you were to pair Anyconnect with an MFA provider that has conditional access policies that allow geoblocking.

Cisco discussion: https://community.cisco.com/t5/network-security/cisco-ftd-vpn-access-geolocation-block-for-control-p...

Conditional Access policy providers:

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-...

https://duo.com/blog/easily-enable-conditional-access-by-country-with-duo

https://developers.onelogin.com/quickstart/geoblock

https://jumpcloud.com/support/configure-a-conditional-access-policy

jmorphew
Getting noticed

Conditional access on our MFA provider is a good idea, thanks.  We can't implement some of the Cisco FTD features because it's behind the MX and doesn't have visibility to the source IP.

K2_Josh
Building a reputation

The FTD platform allows GeoBlocking/GeoAllow and IP firewall rules for VPN access.

Why not add the rules to the FTD?

jmorphew
Getting noticed

The FTD does not see the source IP because it's behind the MX.  That is what I was told by the network engineer helping us, anyway.

K2_Josh
Building a reputation

Is Static NAT configured on the MX? Meraki calls this 1:1 NAT.

If so, the inbound traffic should maintain the source IP address.

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

jmorphew
Getting noticed

Yes, a 1:1 NAT is configured for the FTD.  Thanks for that tip, that is not how it was explained to me.  Let me reach out to the engineer, that would give us quite a few more options on the FTD.

K2_Josh
Building a reputation

Also, I would try adding outbound firewall rules on the MX. That should prevent an actual attack and may cause the logging of such attempts to stop, depending on how logging and alerting is configured.

jmorphew
Getting noticed

Thanks, yes, I do have outbound traffic blocked on the MX.

jmorphew
Getting noticed

I contacted support and it sounds like if we moved our VPN to the MX, the IDS/IPS (powered by Snort) would be able to respond to this sort of attack on our behalf.  That seems like a good option for us.  Does anyone have high-level advice on moving VPN from the Firepower to the MX?  Any pros or cons I might be overlooking?

alemabrahao
Kind of a big deal

Take a look at the documentation.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance
