Cisco ASA pushed VPN automated blocking in August - https://www.cisco.com/web/software/280775065/163160/ASA-9164-Interim-Release-Notes.html
After the first few I gave up.
Do you feel that it is time to move beyond traditional app-based MFA to FIDO2? We cannot deny Microsoft's presence, and it (Microsoft) seems to be very serious about backing FIDO2.
I like DUO when one works with on-prem kit. But DUO messes up the Azure AD logs. Most of the Microsoft Log Analytics workbooks are unable to recognise that it was 2FA.
It is vendor independent, the full list of FIDO2 hardware is here - Microsoft Entra ID attestation for FIDO2 security key vendors - Microsoft Entra ID | Microsoft Learn
Yubico has one of the best collections of example use cases. Here is the Cisco integration guide:
https://support.yubico.com/hc/en-us/articles/360020543519-Protecting-Cisco-VPN-connections-in-a-Microsoft-Environment-with-Yubico
- Approaches 1 & 2 use a SAML integration with FIDO2 and utilize phishing-resistant authentication that is compatible with our entire current product range: the Security Key series, the YubiKey 5 Series, and the YubiKey Bio.
- Approach 3 utilizes an organization's existing PKI infrastructure to support phishing-resistant smart card (PIV) authentication with YubiKey 5 Series and YubiKey 4 Series devices, as well as legacy devices that support the PIV protocol.
- Approach 4 uses a SAML integration with TOTP, and is only supported on the YubiKey 5 Series and YubiKey 4 Series devices.
- Approach 5 uses the Microsoft Network Policy Server (NPS) extensions and RADIUS to authenticate users via TOTP, and is only supported on the YubiKey 5 Series and YubiKey 4 Series devices.
Does DUO have admin options to seamlessly migrate users to verified push?
NB - I found this KB handy; it discusses the feature availability.
Thank you for sharing this fairly recent KB titled “Best Practices Against Password Spray Attacks Impacting Remote Access VPN Services”.
I can see this was released 1 week ago!
Yeah, supposedly it's coming in the next rev of Firepower. Though some of these are coming from inside the USA, so that doesn't really help anyway.
Or all cloud providers
Are there lists of IP blocks that the big cloud providers use?
It's an ASA running Firepower services. We're just starting to get quotes for firewall refreshes since this hardware is EOL, probably looking at Firepower 31xx series boxes.
The “Best Practices Against Password Spray Attacks Impacting Remote Access VPN Services” KB is suggesting “Use Certificate-based authentication for RAVPN” as well. But oddly it is listed as “optional” while this is perhaps the best option.
If one uses certificates for group authentication, the password-based user authentication is rock-solid protected.
My only concern is that some elements of the HostScan are done before any auth, group or user (the special web path on the same port 443 hosting downloadable XML with HostScan profile is open to the entire world).
The KB is hinting that those attacks affect HostScan tests. Perhaps the server can get oversubscribed?
I'm running 5525X's so this doesn't help.
It’s as simple as creating a policy enabling static verified push and applying it to an application integration. (AnyConnect in this case)
If they are trying to brute-force specific usernames then something has been compromised. You could give different aliases to groups and see what the attacker uses for the new alias brute force. Also, doesn't Duo have phone and region controls as well?
The solution is quite easy: you need to set up a syslog server. If you are using Graylog, just set up a notification or a task when there are multiple failed login requests (5) from the same IP address, and program a Python script to run to insert this IP in a block access list on the outside interface (port ACL).
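As an added illustration (not code from the poster above or from Graylog), here is a Python sketch of the script that post describes: it counts ASA 113005 "AAA user authentication Rejected" messages per client IP over a constructed syslog sample, applies the 5-failure threshold, skips an allowlist so you never lock out your own ranges, and renders the ASA access-list commands to deny the offenders on the outside ACL. The ACL name, the allowlist range and the sample log lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of ASA syslog lines (not taken from the thread). 113005 is the
# ASA "AAA user authentication Rejected" message; 113004 is the "Successful" one.
SAMPLE_SYSLOG = """\
<166>%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.5
<166>%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.5
<166>%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.5
<166>%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.5
<166>%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.5
<166>%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
<166>%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
some unrelated syslog line that must be ignored
"""

# Only the rejected-authentication message carries the client address we care about.
REJECT_RE = re.compile(r"%ASA-\d-113005:.*?user IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Never auto-block these (assumption: your own egress / management ranges).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def count_rejects(syslog_text):
    """Count rejected AAA/VPN authentications per client IP."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offending_ips(syslog_text, threshold=5):
    """Client IPs that reached the failure threshold and are not allowlisted."""
    hits = []
    for ip, n in count_rejects(syslog_text).items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in ALLOWLIST):
            hits.append(ip)
    return sorted(hits)


def block_acl_commands(ips, acl_name="OUTSIDE_IN"):
    """ASA CLI lines inserting a deny for each IP at the top of the outside ACL (name assumed)."""
    return [f"access-list {acl_name} line 1 extended deny ip host {ip} any" for ip in ips]


if __name__ == "__main__":
    for cmd in block_acl_commands(offending_ips(SAMPLE_SYSLOG)):
        print(cmd)
```

In production the commands would be pushed to the ASA by your automation of choice; the script only renders them.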
Could “threat-detection” with shun be used in a similar way?