Recommendations Against Password Spray Attacks Aimed at Remote Access VPN Services in Secure Firewall


2024-11-22


Introduction

This document describes recommendations to consider against password-spray attacks aimed at Remote Access VPN services in Secure Firewall.

Background Information

Password spray attacks are a type of brute-force attack where an attacker attempts to gain unauthorized access to multiple user accounts by systematically trying a few commonly used passwords across many accounts. Successful password spray attacks can lead to unauthorized access to sensitive information, data breaches, and potential compromise of network integrity.

Moreover, these attacks, even when unsuccessful in their attempt to gain access, can consume computational resources on the Secure Firewall and prevent valid users from connecting to the remote access VPN service.

Observed Behaviors

When your Secure Firewall is targeted by password-spray attacks in Remote Access VPN services, you can identify these attacks by monitoring syslogs and using specific show commands. The most common behaviors to look for include:

Unusual Amount of Rejected Authentication Requests

The VPN headend (Cisco Secure Firewall ASA or FTD) shows symptoms of password-spray attacks as an unusual rate of rejected authentication attempts.

Note: These unusual attempts to authenticate can be directed towards either the LOCAL database or external authentication servers.

The best way to detect this is by looking at the syslogs. Look for an unusual number of any of the following ASA syslog IDs:

%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = x.x.x.x

%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = x.x.x.x : user = ***** : user IP = x.x.x.x

%ASA-6-716039: Group <DfltGrpPolicy> User <admin> IP <x.x.x.x> Authentication: rejected, Session Type: WebVPN.

The username is hidden (shown as *****) until the no logging hide username command is configured on the ASA.

Note: This gives insight into whether the offending IPs are generating valid usernames or already know them; however, be cautious, as usernames will then be visible in the logs.
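As an added example (not part of the Cisco document), the following Python detector applies the three syslog IDs above to a constructed sample log, counting rejections per source IP and the number of distinct usernames tried from it; the IP addresses, usernames and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Syslog IDs the document lists as indicators of rejected RAVPN authentications.
REJECT_IDS = {"113015", "113005", "716039"}
ID_RE = re.compile(r"%ASA-\d-(\d{6}):")
AAA_RE = re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
WEBVPN_RE = re.compile(r"User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> Authentication: rejected")

def parse_rejects(lines):
    """Yield (syslog_id, username, source_ip) for each rejected-authentication message."""
    for line in lines:
        m = ID_RE.search(line)
        if not m or m.group(1) not in REJECT_IDS:
            continue
        fields = AAA_RE.search(line) or WEBVPN_RE.search(line)
        if fields:
            yield m.group(1), fields.group("user"), fields.group("ip")

def spray_sources(lines, min_rejects=10, min_users=5):
    """Return {source_ip: (reject_count, distinct_usernames)} for hosts that look like sprayers.

    A spray shows many rejections from one host spread over many usernames. While the ASA
    still masks usernames (no logging hide username not configured), every user is '*****',
    so the distinct-user test is skipped and only the rejection count is used.
    """
    rejects, users = defaultdict(int), defaultdict(set)
    for _sid, user, ip in parse_rejects(lines):
        rejects[ip] += 1
        users[ip].add(user)
    return {ip: (n, len(users[ip])) for ip, n in rejects.items()
            if n >= min_rejects and (len(users[ip]) >= min_users or "*****" in users[ip])}

# Constructed sample log (not captured from a real device): one host spraying six accounts.
SPRAY_IP = "198.51.100.7"
SPRAYED_USERS = ("admin", "jsmith", "svc_backup", "guest", "vpnuser", "test")
SAMPLE_LOG = [
    f"%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : "
    f"local database : user = {u} : user IP = {SPRAY_IP}" for u in SPRAYED_USERS
] + [
    f"%ASA-6-716039: Group <DfltGrpPolicy> User <{u}> IP <{SPRAY_IP}> Authentication: rejected, "
    f"Session Type: WebVPN." for u in SPRAYED_USERS
] + [
    "%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : "
    "server = 10.10.10.10 : user = alice : user IP = 203.0.113.5",  # a single mistyped password
]

if __name__ == "__main__":
    for ip, (n, distinct) in spray_sources(SAMPLE_LOG).items():
        print(f"possible spray from {ip}: {n} rejections across {distinct} usernames")
```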

To verify, log in to the ASA or FTD Command Line Interface (CLI), run the show aaa-server command, and investigate for an unusual number of attempted and rejected authentication requests to any of the configured AAA servers:

ciscoasa# show aaa-server

Server Group: LDAP-SERVER                      <----- Sprays against external server
Server Protocol: ldap
Server Hostname: ldap-server.example.com
Server Address: 10.10.10.10
Server port: 636
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 2228536      <----- Unusual increments
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1312
Number of rejects 2225363                      <----- Unusual increments / Unusual rejection rate
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 1
Number of unrecognized responses 0
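The following Python parser is an added example, not code from the document: it reads show aaa-server output, computes the rejection rate per server group and flags groups whose reject counter jumped between two snapshots. The snapshots are constructed from the counters shown above, and the thresholds are assumptions.

```python
import re

# Only the three counters needed for a rejection-rate check are kept.
COUNTERS = {"authentication requests": "requests", "accepts": "accepts", "rejects": "rejects"}
COUNTER_RE = re.compile(r"^Number of (authentication requests|accepts|rejects) (\d+)$")

def parse_aaa_servers(text):
    """Parse 'show aaa-server' output into {group: {requests, accepts, rejects}}."""
    stats, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server Group:"):
            group = line.split(":", 1)[1].strip()
            stats[group] = {"requests": 0, "accepts": 0, "rejects": 0}
        elif group:
            m = COUNTER_RE.match(line)
            if m:
                stats[group][COUNTERS[m.group(1)]] = int(m.group(2))
    return stats

def reject_rate(stats):
    """Fraction of authentication requests that were rejected, per server group."""
    return {g: s["rejects"] / s["requests"] for g, s in stats.items() if s["requests"]}

def flag_sprays(before, after, max_rate=0.5, max_new_rejects=1000):
    """Compare two snapshots taken some time apart and flag groups whose reject counter
    grew by more than max_new_rejects while the overall rejection rate exceeds max_rate."""
    rates = reject_rate(after)
    flagged = {}
    for g, s in after.items():
        new_rejects = s["rejects"] - before.get(g, {}).get("rejects", 0)
        if new_rejects > max_new_rejects and rates.get(g, 0) > max_rate:
            flagged[g] = {"new_rejects": new_rejects, "reject_rate": round(rates[g], 3)}
    return flagged

# Constructed snapshots (assumed values for the first; the second uses the counters above).
SNAPSHOT_T0 = """\
Server Group: LDAP-SERVER
Server Protocol: ldap
Number of authentication requests 1400
Number of accepts 1300
Number of rejects 100
"""
SNAPSHOT_T1 = """\
Server Group: LDAP-SERVER
Server Protocol: ldap
Number of authentication requests 2228536
Number of accepts 1312
Number of rejects 2225363
"""
```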

Recommendations

Consider and apply the following recommendations.

1. Enable Logging.

Logging is a crucial part of cybersecurity that involves recording events happening within a system. The absence of detailed logs leaves gaps in understanding, hindering a clear analysis of the attack method. It is recommended that you enable logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices.

For information on how to configure logging, see the following platform-specific guides:

Cisco ASA Software:

Cisco FTD Software:

Note: The syslog message IDs necessary to verify the behaviors outlined in this document (113015, 113005 and 716039) must be enabled at the informational level (6). These IDs fall within the 'auth' and 'webvpn' logging classes.

2. Configure Threat Detection Features or Hardening Measures for Remote Access VPN.

To help mitigate the impact and reduce the likelihood of these brute-force attacks on your RAVPN connections, review and apply the following configuration options:

Option 1 (recommended): Configure Threat Detection for Remote Access VPN Services.

Threat detection features for remote access VPN services help prevent Denial of Service (DoS) attacks from IPv4 addresses by automatically blocking the host (IP address) that exceeds the configured thresholds to prevent further attempts until you manually remove the shun of the IP address. There are separate services available for the following types of attack:

  • Repeated failed authentication attempts to remote access VPN services (brute-force username/password scanning attacks).
  • Client initiation attacks, where the attacker starts but does not complete the connection attempts to a remote access VPN headend repeated times from a single host.
  • Connection attempts to invalid remote access VPN services. That is, when attackers try to connect to specific built-in tunnel groups intended solely for the internal functioning of the device. Legitimate endpoints should never attempt to connect to these tunnel groups.

These threat detection features are currently supported in the Cisco Secure Firewall versions listed below:

ASA Software:

  • 9.16 version train -> supported from 9.16(4)67 and newer versions within this specific train.
  • 9.17 version train -> supported from 9.17(1)45 and newer versions within this specific train.
  • 9.18 version train -> supported from 9.18(4)40 and newer versions within this specific train.
  • 9.19 version train -> supported from 9.19(1).37 and newer versions within this specific train.
  • 9.20 version train -> supported from 9.20(3) and newer versions within this specific train.
  • 9.22 version train -> supported from 9.22(1.1) and any newer versions.

FTD Software :

  • 7.0 version train -> supported from 7.0.6.3 and newer versions within this specific train.
  • 7.2 version train -> supported from 7.2.9 and newer versions within this specific train.
  • 7.4 version train -> supported from 7.4.2.1 and newer versions within this specific train.
  • 7.6 version train -> supported from 7.6.0 and any newer versions.

Note: These features are currently not supported in version trains 7.1 or 7.3.

For full details and configuration guidance, refer to the following documents:

Option 2: Apply Hardening Measures for Remote Access VPN.

Note: These measures only help to reduce the risk, but are not a preventive measure against DoS attacks aimed at RAVPN services.

If the threat detection features for Remote Access VPN services are not supported in your Secure Firewall version, implement the following hardening measures to lower the risk of impact from these attacks:

  1. Disable AAA Authentication in the DefaultWEBVPN and DefaultRAGroup Connection Profiles (step-by-step:ASA|FTD managed by FMC).
  2. Disable Secure Firewall Posture (Hostscan) from the DefaultWEBVPNGroup and DefaultRAGroup (step-by-step: ASA|FTD managed by FMC).
  3. Disable Group-aliases and Enable Group-URLs in the rest of the connection profiles (step-by-step: ASA|FTD managed by FMC).

Note: If you require support with FTD managed through local Firewall Device Management (FDM), please contact the Technical Assistance Center (TAC) for expert guidance.

For further details please refer to the Implement Hardening Measures for Secure Client AnyConnect VPN guide.

Related Behaviors

Users can experience an inability to establish a VPN connection with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled on the Secure Firewall. They can intermittently encounter an error message that states "Unable to complete connection. Cisco Secure Desktop not installed on the client."

This behavior is a consequence of the successful exploitation of the vulnerability CVE-2024-20481 described below.

Cisco Bug ID CSCwj45822: Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability (CVE-2024-20481)

This vulnerability arises from resource exhaustion caused by password spray attacks, where attackers send numerous VPN authentication requests to the target device. Successful exploitation can lead to a denial of service (DoS) of the RAVPN service. A key symptom of this exploit is users intermittently encountering the "Unable to complete connection. Cisco Secure Desktop not installed on the client." error message when they attempt to establish a RAVPN connection using Cisco Secure Client.

To fix this vulnerability, it is necessary to upgrade to the software versions listed in the security advisory. Additionally, it is recommended that you enable threat-detection features for Remote Access VPN after your Secure Firewall is upgraded to these versions to protect it against DoS attacks aimed at RAVPN services.

Please refer to the Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability security advisory for full details.

Additional Information