Hmmm. Yeah; that's a lot of overhead. Seems a shame to have to switch apps because of a bad guy. That's an effective DOS attack, eh? I'd hesitate to switch apps because I'd be afraid they'd do the same thing. But I don't know the AnyConnect app either.
I seem to remember the VPN client could use certs as part of the auth. I wonder if that feature could be utilized to block non-client access? I haven't used the Cisco client for a year or so so I don't recall the available options. *********************** Charlie Kaiser [email protected] Kingman, AZ *********************** > -----Original Message----- > From: David W. McSpadden [mailto:[email protected]] > Sent: Thursday, February 18, 2010 7:59 AM > To: NT System Admin Issues > Subject: Re: CISCO VPN Client > > They change every 20 or 30 hits. > Mostly out of country. > I started by setting up rules to block them but then I had > about 100 rules to block and it became an all day job. > Easier to move the authorized users to AnyConnect which is > supported and kill the VPN Client which has end of lifed anyway. > > > -------------------------------------------------- > From: "Charlie Kaiser" <[email protected]> > Sent: Thursday, February 18, 2010 9:54 AM > To: "NT System Admin Issues" <[email protected]> > Subject: RE: CISCO VPN Client > > > Is there a way you can block the source IP(s) before they > get to the > > VPN endpoint? > > > > *********************** > > Charlie Kaiser > > [email protected] > > Kingman, AZ > > *********************** > > > >> -----Original Message----- > >> From: David W. McSpadden [mailto:[email protected]] > >> Sent: Thursday, February 18, 2010 7:45 AM > >> To: NT System Admin Issues > >> Subject: Re: CISCO VPN Client > >> > >> I have Kiwi Syslogger setup to email me every failed attempt to > >> authenticate through the VPN. > >> It went from 2 or 3 a day from lusers to 2500 to 5000 a > day and all > >> accounts I don't have in AD and all originating from the > VPN tunnel. > >> So disabling the tunnel didn't work, had to remove the > reference to > >> the tunnel entirely. Now we are back to 2 or 3 a day. > >> > >> > >> From: Bob Fronk <mailto:[email protected]> > >> Sent: Thursday, February 18, 2010 9:25 AM > >> To: NT System Admin Issues > >> <mailto:[email protected]> > >> Subject: RE: CISCO VPN Client > >> > >> > >> How did you discover this was happening? > >> > >> > >> > >> From: David W. McSpadden [mailto:[email protected]] > >> Sent: Wednesday, February 17, 2010 1:30 PM > >> To: NT System Admin Issues > >> Subject: Re: CISCO VPN Client > >> > >> > >> > >> Ok. I am looking at that area under Remote VPN in > Configuration and > >> someone has my VPN Client info and they are trying a Brute Force > >> Vocab attack to my AD's. So I have moved all my users to > AnyConnect > >> and I am ready to remove the VPN Client from the ASA or > disable it... > >> > >> > >> > >> From: Jon Harris <mailto:[email protected]> > >> > >> Sent: Wednesday, February 17, 2010 1:24 PM > >> > >> To: NT System Admin Issues > >> <mailto:[email protected]> > >> > >> Subject: Re: CISCO VPN Client > >> > >> > >> > >> Why are you getting rid of the VPN client? You don't > remove it you > >> disable it on the ASA. Just make sure all the rules are > correct for > >> the ASA first. > >> > >> > >> > >> Jon > >> > >> On Wed, Feb 17, 2010 at 1:13 PM, David W. McSpadden > <[email protected]> > >> wrote: > >> > >> > >> > >> Actually on the ASA. I think I have it found now but I am still > >> testing. > >> > >> From: Jon Harris <mailto:[email protected]> > >> > >> Sent: Wednesday, February 17, 2010 12:10 PM > >> > >> To: NT System Admin Issues > >> <mailto:[email protected]> > >> > >> Subject: Re: CISCO VPN Client > >> > >> > >> > >> Remove it is the best, they install into the same root directory > >> under Program Files but have separate directories under > that. They > >> are separate programs as Microsoft sees them. > >> > >> > >> > >> Jon > >> > >> On Wed, Feb 17, 2010 at 8:07 AM, David W. McSpadden > <[email protected]> > >> wrote: > >> > >> Anyone point me on how to Disable the old CISCO VPN Client > and leave > >> the AnyConnect still enabled? > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource > hog! ~ ~ > > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > > ~ Finally, powerful endpoint security that ISN'T a resource > hog! ~ ~ > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
