Meraki

Community

VPN Spray Attack

Solved
jmorphew
Getting noticed
‎Apr 8 2024 12:47 PM
‎Apr 8 2024 12:47 PM

VPN Spray Attack

We have a Cisco FTD 1120 that sits behind our Meraki MX250 firewall. We use the FTD for VPN access and nothing else.  We are currently being targeted by a VPN Spray attack, and I would like to manually block the source IP Addresses from attempting to login.  I’ve worked with support and with our current setup this doesn’t seem to be possible.  We’ve taken several other security measures, but I’d still like the option to GeoBlock or manually block them.

I’m looking for general advice on moving our VPN from the FTD to the MX.  We currently use AnyConnect VPN with the Umbrella Roaming client.  I know we would lose our ACLs if we moved to Meraki.  Is there any other consideration?  Or pros and cons of one setup over the other?

Labels:
0 Kudos
1 Accepted Solution
In response to jmorphew
K2_Josh
Building a reputation
‎Apr 10 2024 4:52 PM
‎Apr 10 2024 4:52 PM

Here's a few advantages of a device running the VPN server behind a separate firewall:

1. There is potentially less of a CPU impact on the VPN server (assuming that Geoblocking consumes CPU). And fastpath could be enabled on the FTD.

2. No logging of the failed connections from the blocked IP ranges(/countries), unless all logs are being ingested back into the same SIEM

3. Not needing to be dependent on MX firmware not supporting certain Any connect features

4. Being able to restart only the VPN server for firmware upgrades.

The advantages of moving VPN to the MX is a simpler configuration and lower licensing costs.

View solution in original post

16 Replies 16
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 8 2024 12:51 PM
‎Apr 8 2024 12:51 PM

Attempts cannot be blocked because the attempt can come from several different sources and there is no way to predict this. My advice for this first moment is to disable the service.

Remember to use MFA, this will not prevent the attempt, but at least it increases security a little.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
jmorphew
Getting noticed
‎Apr 8 2024 1:00 PM
‎Apr 8 2024 1:00 PM

I have the source IP list and it's primarily two countries.  The inbound geo-blocking doesn't work because the port forwarding rule supersedes the layer 7 rule.  Looking for more general advice on if moving VPN to the Meraki would be a good idea.  Yes, we have MFA in place.

0 Kudos
In response to jmorphew
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 8 2024 3:29 PM
‎Apr 8 2024 3:29 PM

I personally think that the MX is very limited in terms of security features (to be honest, I'm not a big fan FTD).
In any case, even if you block the countries of origin, I don't know if it will solve your problem, as they can use a VPN and generate traffic from other countries.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
jmorphew
Getting noticed
‎Apr 8 2024 7:01 PM
‎Apr 8 2024 7:01 PM

It wouldn't solve the issue, but it would allow me to block the highest volume of attacks and prevent a denial of service.  We originally put in the FTD so we could use AnyConnect, which I understand is now supported by Meraki.  I'm interested in how Meraki would different in our ability to respond to the spray attack, but also overall differences between using MX and FTD for VPN.

0 Kudos
In response to jmorphew
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 8 2024 7:14 PM
‎Apr 8 2024 7:14 PM

In fact, the correct thing would be for you to contract a service with your ISP to prevent denial of service attacks.

You can try to block it but the problem will return soon. I'm saying this from my own experience.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
mlefebvre
Building a reputation
‎Apr 8 2024 10:31 PM
‎Apr 8 2024 10:31 PM

Chatter on the Cisco forums alleges that the geoblocking you are looking for may be coming this summer, however I think you would be much happier overall if you were to pair Anyconnect with an MFA provider that has conditional access policies that allow geoblocking.

Cisco discussion: https://community.cisco.com/t5/network-security/cisco-ftd-vpn-access-geolocation-block-for-control-p...

 

Conditional Access policy providers:

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-...

https://duo.com/blog/easily-enable-conditional-access-by-country-with-duo

https://developers.onelogin.com/quickstart/geoblock

https://jumpcloud.com/support/configure-a-conditional-access-policy

 

 

 

0 Kudos
jmorphew
Getting noticed
‎Apr 9 2024 6:51 AM
‎Apr 9 2024 6:51 AM

Conditional access on our MFA provider is a good idea, thanks.  We can't implement some of the Cisco FTD features because it's behind the MX and doesn't have visibility to the source IP.  

0 Kudos
K2_Josh
Building a reputation
‎Apr 9 2024 7:13 AM
‎Apr 9 2024 7:13 AM

The FTD platform allows GeoBlocking/GeoAllow and IP firewall rules for VPN access.

Why not add the rules to the FTD?

0 Kudos
In response to K2_Josh
jmorphew
Getting noticed
‎Apr 9 2024 7:16 AM
‎Apr 9 2024 7:16 AM

The FTD does not see the source IP because it's behind the MX.  That is what I was told my the network engineer helping us anyway.

0 Kudos
In response to jmorphew
K2_Josh
Building a reputation
‎Apr 9 2024 7:50 AM
‎Apr 9 2024 7:50 AM

Is Static NAT configured on the MX? Meraki calls this 1:1 NAT.

If so, the inbound traffic should maintain the source IP address.

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

0 Kudos
In response to K2_Josh
jmorphew
Getting noticed
‎Apr 9 2024 8:12 AM
‎Apr 9 2024 8:12 AM

Yes, a 1:1 NAT is configured for the FTD.  Thanks for that tip, that is not how it was explained to me.  Let me reach out to the engineer, that would give us quite a few more options on the FTD.

0 Kudos
K2_Josh
Building a reputation
‎Apr 9 2024 7:19 AM
‎Apr 9 2024 7:19 AM

Also, I would try adding outbound firewall rules on the MX. That should prevent an actual attack and may cause the logging of such attempts to stop, depending on how logging and alerting is configured.

0 Kudos
In response to K2_Josh
jmorphew
Getting noticed
‎Apr 9 2024 7:24 AM
‎Apr 9 2024 7:24 AM

thanks, yes I do have outbound traffic blocked on the MX.

0 Kudos
jmorphew
Getting noticed
‎Apr 10 2024 7:15 AM
‎Apr 10 2024 7:15 AM

I contacted support and it sounds like if we moved our VPN to the MX, the (IDS/IPS) powered by Snort would be able to respond to this sort of attack on our behalf.  That seems like a good option for us.  Does anyone have high level advice on moving VPN from the Firepower to the MX?  Any pros or cons I might be overlooking?

0 Kudos
In response to jmorphew
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 10 2024 7:19 AM
‎Apr 10 2024 7:19 AM

Take a look at the documentation.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to jmorphew
K2_Josh
Building a reputation
‎Apr 10 2024 4:52 PM
‎Apr 10 2024 4:52 PM

Here's a few advantages of a device running the VPN server behind a separate firewall:

1. There is potentially less of a CPU impact on the VPN server (assuming that Geoblocking consumes CPU). And fastpath could be enabled on the FTD.

2. No logging of the failed connections from the blocked IP ranges(/countries), unless all logs are being ingested back into the same SIEM

3. Not needing to be dependent on MX firmware not supporting certain Any connect features

4. Being able to restart only the VPN server for firmware upgrades.

The advantages of moving VPN to the MX is a simpler configuration and lower licensing costs.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.