
  • Automated attack prevention.

    Morning all,

    Most of my customers are now suffering from automated attacks at regular intervals. I have the firewall and OS tied down as much as I can, but there is always the chance that a password will be guessed, and it's annoying for customers continually having accounts get locked out.

    I'm wondering if there are any IDS / IPS products out there that anyone can recommend?

    Many thanks

    Dave

  • #2
    Re: Automated attack prevention.

    I have only dealt with Cisco IPS sensors, either a stand-alone appliance or the SSM module in the ASA itself. I can say they work really well, but it isn't perfect. A good stateful/application-aware firewall at your network edge, IPS, antivirus/antispyware, and web filtering should be in place too. What type of attacks are we talking about? Do you allow traffic originated on the outside to go to your hosts?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Automated attack prevention.

      Thanks for your reply,

      The only open ports and services used are RWW, OWA & RDP. All are pointed at the server. So far all have been targeted for dictionary attacks.

      Hope that helps,

      Many thanks

      Dave



      • #4
        Re: Automated attack prevention.

        If you log the attacks you can block those source IPs from coming inbound; granted, if they keep changing (they always do) then this will be useless, but it's something to do temporarily. It may be a good idea to start applying connection limits to those boxes on your firewall to guard against a DoS attack. A better and more secure option would be to set up an SSL VPN to encrypt the end users' sessions. That way you can remove the pinholes in the firewall for those servers. On Cisco routers and ASAs you can set up links on the SSL VPN portal page to all your internal devices. As always, enforce a strong password policy and require frequent password changes. (I know, easier said than done.)
        Last edited by auglan; 14th June 2012, 02:07.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Automated attack prevention.

          What firewall are you using??



          • #6
            Re: Automated attack prevention.

            At present they have a DrayTek firewall in place. Yeah, I have been blocking the source IP addresses but, yes, they change with every 'batch' of attacks. The firewall is already set to identify and block DoS attacks; don't know if that actually works, but I'm sure we'll find out...

            How and where would you suggest applying connection limits?

            Ideally I was looking for a device that was capable of recognising said attacks, say, after 2 or 3 attempts and then blocking the rest...

            Dave
            Last edited by QuattroDave; 14th June 2012, 09:28. Reason: typo



            • #7
              Re: Automated attack prevention.

              On an ASA (and probably other firewalls) you can set max connection limits on your NAT statements or on a group policy. Basically, if we set the connection limit to, say, 50 for a particular server on the inside, once that limit is reached then no further connections can be established. This will stop a repeated attack from multiple sources, but on the other hand it will stop legitimate traffic as well. The ASA will allow you to shun traffic from a particular source as well. I think the best option would be an SSL VPN. This way the only way to reach the hosts on the inside is via VPN, which will be encrypted and protected in the tunnel. Then you can remove the pinholes in the firewall for those servers, so anything not going through the VPN will be dropped on the outside interface. The ASA also offers threat detection. Here is a link on that feature:

              http://www.cisco.com/en/US/docs/secu...ns_threat.html

              The ASA does have an SSM IPS module that goes into an expansion slot on the ASA. Granted, they are not cheap.
              Last edited by auglan; 14th June 2012, 14:43.
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)
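The "block after 2 or 3 attempts" behaviour asked for in #6, and the alternative to blanket connection limits discussed in #7, comes down to per-source failed-logon counting in a time window. The following is an added example, not code from the thread or from any vendor product: it runs that sliding-window logic over a constructed sample of failed-logon records (the simplified `timestamp,source_ip,account,service` format and the IP addresses are made up) and reports which sources would be blocked and when, while a slow trickle of failures from one address stays below the threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon records, one per line, in a simplified
# "timestamp,source_ip,account,service" form (not real Windows event logs).
SAMPLE_LOG = """\
2012-06-14T02:00:01,203.0.113.7,administrator,RDP
2012-06-14T02:00:03,203.0.113.7,admin,RDP
2012-06-14T02:00:05,203.0.113.7,dave,RDP
2012-06-14T02:00:06,203.0.113.7,guest,RDP
2012-06-14T02:01:10,198.51.100.9,dave,OWA
2012-06-14T02:20:00,198.51.100.9,dave,OWA
2012-06-14T02:45:00,198.51.100.9,dave,OWA
2012-06-14T03:00:00,192.0.2.50,sales,RWW
2012-06-14T03:00:02,192.0.2.50,sales,RWW
2012-06-14T03:00:04,192.0.2.50,sales,RWW
"""


def parse_failures(text):
    """Parse the constructed log into (timestamp, ip, account, service) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, service = line.split(",")
        rows.append((datetime.fromisoformat(ts), ip, account, service))
    return rows


def find_bruteforce_sources(records, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: timestamp of the failure that tripped the threshold} for
    every source IP with at least `threshold` failures inside any span of
    length `window`. A per-IP sliding window is used so that a few widely
    spaced failures (a user mistyping a password) do not trigger a block."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}
    for ts, ip, _account, _service in sorted(records):
        if ip in blocked:         # already decided; no need to keep counting
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, when in find_bruteforce_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"block {ip} (threshold reached at {when.isoformat()})")
```

Feeding the function real events (for example Windows logon failures) only requires a parser that yields the same tuples; the threshold and window are the two knobs to tune against the customer's lockout policy so that the block fires before the account does.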
