New Cisco ASA and FTD features block VPN brute-force password attacks


October 26, 2024 at 01:44PM

Cisco has implemented new security features for ASA and Firepower Threat Defense to combat brute-force and password spray attacks, enhancing network protection and resource efficiency. The update allows admins to configure settings to block repeated failed login attempts and other malicious connection attempts, significantly reducing successful attack rates.

### Key Takeaways:

1. **Introduction of New Security Features**:
– Cisco has enhanced security features on Cisco ASA and Firepower Threat Defense (FTD) to better defend against brute-force and password spray attacks.

2. **Understanding Attack Types**:
– **Brute-force attacks** hammer a single account with many password guesses.
– **Password spray attacks** try one password (or a short list) against many accounts, keeping the per-account failure count low enough to stay under lockout thresholds.

3. **Recent Attack Incidents**:
– Cisco reported a significant rise in brute-force attacks against VPN accounts affecting several networking devices, prompting the need for enhanced security measures.

4. **Impact of Attacks**:
– Successful attacks can lead to unauthorized access, account lockouts, and denial-of-service conditions.

5. **New Features Implementation**:
– Cisco rolled out new threat detection capabilities in June, with full availability for all software versions as of this month.
– Feedback from Cisco admins indicates significant success in reducing VPN brute-force attempts when features are enabled.

6. **Types of Attacks Blocked**:
– Repeated failed authentication attempts from the same host.
– Client initiation attacks, in which a host repeatedly starts VPN connection attempts but never completes them, tying up resources.
– Connection attempts aimed at invalid or internal-only tunnel groups.

7. **Supported Software Versions**:
– New features are available for specific versions of Cisco ASA and FTD software:
– ASA: 9.16(4)67 and newer (9.16), 9.17(1)45 and newer (9.17), 9.18(4)40 and newer (9.18), 9.19(1)37 and newer (9.19), 9.20(3) and newer (9.20), 9.22(1.1) and newer (9.22).
– FTD: 7.0.6.3 and newer (7.0), 7.2.9 and newer (7.2), 7.4.2.1 and newer (7.4), 7.6.0 and newer (7.6).

8. **Enabling the New Features**:
– Commands to enable the features (the hold-down value is in minutes, the threshold is a count of attempts within that period):
– For invalid VPN access: `threat-detection service invalid-vpn-access`
– For client initiation hold-down: `threat-detection service remote-access-client-initiations hold-down <minutes> threshold <count>`
– For authentication hold-down: `threat-detection service remote-access-authentication hold-down <minutes> threshold <count>`

9. **Configuration Recommendations**:
– Example complete configuration (shun a host after 20 attempts within a 10-minute hold-down period):
```
threat-detection service invalid-vpn-access
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
threat-detection service remote-access-authentication hold-down 10 threshold 20
```
– Admins should watch for false positives (for example, many legitimate users behind a single NAT address, or a misconfigured client that retries in a loop) and tune the hold-down and threshold values accordingly. Note that the counters are per source host, so a low-and-slow attacker that spaces attempts beyond the hold-down period will not trip the threshold.
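The hold-down/threshold semantics above (and the brute-force versus password-spray distinction from the "Understanding Attack Types" section) are easier to reason about with a small simulation. The following is an added example written for this page, not Cisco's implementation or code from the article: it assumes a simplified model in which a source host's consecutive failures are counted, the count resets if the gap since the last failure exceeds the hold-down period, and the host is shunned once the count reaches the threshold. The sample events, IP addresses and usernames are constructed.

```python
"""Simplified model of per-host failed-login shunning with hold-down/threshold,
plus a heuristic that labels a source as brute-force or password spray.
Assumed semantics for illustration only; not Cisco's implementation."""
from collections import defaultdict


class AuthShunDetector:
    def __init__(self, hold_down_minutes, threshold):
        self.hold_down = hold_down_minutes * 60   # seconds
        self.threshold = threshold
        self.failures = {}                        # ip -> (consecutive count, ts of last failure)
        self.shunned = {}                         # ip -> ts at which it was shunned
        self.usernames = defaultdict(set)         # ip -> distinct accounts it failed against

    def observe(self, ts, ip, user, success):
        """Return 'drop' (already shunned), 'shun' (just crossed threshold) or 'allow'."""
        if ip in self.shunned:
            return "drop"
        if success:
            self.failures.pop(ip, None)           # a success ends the run of failures
            return "allow"
        count, last = self.failures.get(ip, (0, None))
        if last is not None and ts - last > self.hold_down:
            count = 0                             # gap exceeded hold-down: start counting again
        count += 1
        self.failures[ip] = (count, ts)
        self.usernames[ip].add(user)
        if count >= self.threshold:
            self.shunned[ip] = ts
            return "shun"
        return "allow"

    def pattern(self, ip):
        """Heuristic label: one account -> brute-force; mostly distinct accounts -> spray."""
        count = self.failures.get(ip, (0, None))[0]
        users = len(self.usernames[ip])
        if count == 0:
            return "none"
        if users == 1:
            return "brute-force"
        return "password-spray" if users / count >= 0.5 else "mixed"


def make_sample_events():
    """Constructed auth events: (seconds since start, source IP, username, success)."""
    events = []
    # Brute force: one account, 25 guesses, 10 s apart.
    events += [(i * 10, "198.51.100.7", "alice", False) for i in range(25)]
    # Password spray: 22 accounts, one guess each, 30 s apart.
    events += [(5 + i * 30, "203.0.113.9", f"user{i:02d}", False) for i in range(22)]
    # Legitimate user: two typos, then success.
    events += [(100, "192.0.2.5", "bob", False), (130, "192.0.2.5", "bob", False),
               (160, "192.0.2.5", "bob", True)]
    # Low-and-slow: 30 failures spaced 15 min apart, beyond a 10 min hold-down.
    events += [(200 + i * 15 * 60, "192.0.2.77", "carol", False) for i in range(30)]
    events.sort(key=lambda e: e[0])
    return events


def run(events, hold_down_minutes=10, threshold=20):
    """Feed events through the detector; return it and the per-event verdicts."""
    det = AuthShunDetector(hold_down_minutes, threshold)
    verdicts = [(ts, ip, det.observe(ts, ip, user, ok)) for ts, ip, user, ok in events]
    return det, verdicts


def summarize(det):
    """Map each seen source to (shun timestamp or None, heuristic pattern label)."""
    ips = set(det.failures) | set(det.shunned)
    return {ip: (det.shunned.get(ip), det.pattern(ip)) for ip in sorted(ips)}


if __name__ == "__main__":
    det, verdicts = run(make_sample_events())
    for ip, (shun_ts, label) in summarize(det).items():
        print(f"{ip:14} shunned_at={shun_ts} pattern={label}")
```

With the page's values (hold-down 10, threshold 20) the brute-force host is shunned at its 20th failure and the spray host at its 20th distinct account, the legitimate user is never affected, and the low-and-slow host is never shunned because each 15-minute gap resets its counter, which is the caveat to keep in mind when tuning these settings.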

10. **Performance Considerations**:
– Enabling these features adds some processing overhead, but Cisco expects no significant downside, so the protection is worth turning on.

11. **Recommendation**:
– Organizations whose ASA/FTD remote-access VPNs are being brute-forced are strongly encouraged to enable these features, since a compromised VPN credential is a common entry point for ransomware operators.
