Strengthen VPN Security and Reduce Alert Fatigue with These Expert Tips

Written by Dave Begley | May 22, 2025 2:42:22 PM

Are you ready to rock and roll out a new remote access configuration that will have hackers "Runnin' with the Devil" back to their basements? In the mosh pit of cyber threats, VPNs serve as backstage passes to your corporate network, making them prime targets for threats like password-spraying attacks. While most IT pros deploy VPNs as part of their security strategy, many struggle with the alert fatigue that often follows.

In this article, I hope to help you crank up your remote access security while preventing alert fatigue from drowning out the most important signals. We’re going to skip the “Simple Man” basics like MFA requirements, which you likely have in place already. Instead, I will “Breakdown” different vendor-specific options to keep your security strategy running as free ‘n easy as a Tom Petty guitar solo.

Cisco ASA & FPR

Cisco's AnyConnect offers several useful configurations to reduce password spraying alerts, though some require premium license tiers. Here are some key options for your security playlist:

  1. Set the ASA WebVPN login page to “Fade to Black.” Using the keepout option shuts down the login page completely while continuing to allow SSLVPN session use. This reduces your potential attack surface without affecting your crew’s ability to log in from approved clients.
  2. Configure Group URLs for your groupies. Instead of allowing any visitor easy access, Group URLs let you hide connection profiles behind URLs you hand out. This way only people you’ve provisioned a “backstage pass” for can successfully connect.
  3. Set the default connection profile to “Black Hole Sun.” Point the default profile to a sinkhole AAA provider. This means that attempts to log in outside your defined policies get immediately dumped. Attackers play the odds, so scoping access to exclude defaults again reduces your risk of successful attack.

Fortinet FortiGate

Fortinet's FortiGate appliances are ready to join your security supergroup with this lineup:

  1. Use Local-In Policies to tell threat actors “Don’t Stand So Close To Me.”
    • If you’ve been using FortiGate for a while, you might not have the Local-In policy feature enabled. It allows you to prevent entry at the furthest edge of your network, making sure “It’s a Long Way to the Top" for potential attackers. Configure Geo-IP and Threat Intelligence Feeds on these policies to protect your SSL VPN login page before authentication attempts even begin.
  2. Don’t let that “Bad Company" opening act drone on with a solo for hours! Set your login attempt limits and lockout periods.
    • Configure SSL VPN Login Security settings to reduce the maximum login attempts per minute and increase lockout periods. This slows spraying attempts and lets the script kiddies and threat actors know "We're Not Gonna Take It!"
  3. It’s "Sad But True." Obfuscation isn’t a replacement for good security policy, but it still helps. Change your default port. You can also use scanning services like Shodan and Censys, which fingerprint and publish details that any bad actor can make use of, to quickly spot-check your exposure. Move the target, and let the bad actors know, “You Can’t Always Get What You Want” from scanning services. (If you’re worried about access restrictions from hotels, I’ll be returning to that topic in my next article!)

SonicWall

SonicWall features vary significantly between models. SMA models allow customizing VPN portals and rate-limiting login attempts, but these options aren't available for NS and TZ firewalls. If you're using the latter models, you'll need to rely more on obfuscation techniques. That might not meet your “Satisfaction,” but we still have options if we get creative:

  1. Don’t Let Alerts “Ramble On.” As mentioned in the Fortinet section, change your default SSL VPN port as your first line of defense on TZ or NS lines, or the alerts will “Rock You Like a Hurricane.”
  2. Un-”Fortunate Son.” If you’re a fan of the SonicWall UI, it’s best to look into spending a bit more “Money” and moving to the SMA line, which offers rock-solid defenses compared to NS and TZ. When it comes to SonicWall, “The Times They Are A-Changin’” and those older models need some “TLC.” (I’m sorry that wasn’t a rock reference; maybe I was just chasing “Waterfalls” of good options.)

Palo Alto Networks

Palo Alto Networks provides advanced options to reduce noise and enhance protection that will have your security team singing "We Are The Champions."

  1. Block at the perimeter. Set up your policies to block suspicious traffic on the WAN side, instead of allowing that traffic through your “Cemetery Gates” to the LAN interface. This approach dramatically reduces SIEM alerts by stopping attacks before they reach authentication.
  2. Use automated blocking for "A Little Less Conversation." Leverage Blumira’s dynamic blocklists if you have our XDR edition. This will automatically resolve findings and block IPs from entry attempts that are "Bad to the Bone." This is useful across the firewall vendors we support, to “Bron-Y-Aur Stomp” persistent threat actors and stop repeated entry attempts without manual triage.

WatchGuard

WatchGuard added VPN hardening features to Fireware in 2024 to keep your SIEM “Feeling Alright.” Here are the “Ch-Ch-Changes” you should review:

  1. Block IPs with consecutive failed authentications automatically: You don’t need to set the timer to “Ten Years Gone,” but you can stop the alert fatigue caused by both rapid and slow-drip password spraying.
  2. Reduce IP concurrency. Attackers try to increase their spraying rate by using multiple source IPs, so you can "Take It to the Limit" by limiting the number of simultaneous attempts allowed from different IPs.
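The two WatchGuard behaviors above (a streak of consecutive failures from one IP, and one account being sprayed slowly from many IPs) are exactly the patterns a SIEM should collapse into one finding per campaign rather than one alert per attempt. The script below is an added example, not from the article or any vendor; the log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2025-05-22T10:00:01 203.0.113.10 alice FAIL
2025-05-22T10:00:03 203.0.113.10 bob FAIL
2025-05-22T10:00:05 203.0.113.10 carol FAIL
2025-05-22T10:00:07 203.0.113.10 dave FAIL
2025-05-22T10:00:09 203.0.113.10 erin FAIL
2025-05-22T10:05:00 198.51.100.7 alice FAIL
2025-05-22T10:25:00 198.51.100.8 alice FAIL
2025-05-22T10:45:00 198.51.100.9 alice FAIL
2025-05-22T11:05:00 198.51.100.10 alice FAIL
2025-05-22T11:00:00 192.0.2.55 frank FAIL
2025-05-22T11:00:30 192.0.2.55 frank OK
"""

def parse(log):
    """Return (timestamp, ip, user, result) tuples sorted by time."""
    rows = [line.split() for line in log.splitlines()]
    return sorted((datetime.fromisoformat(ts), ip, u, r) for ts, ip, u, r in rows)

def consecutive_failures(events, threshold=5):
    """Fast spray: N consecutive failures from one IP; a success resets the streak."""
    streak, hits = defaultdict(int), {}
    for _, ip, _, result in events:
        if result != "FAIL":
            streak[ip] = 0          # frank's later success clears his single failure
            continue
        streak[ip] += 1
        if streak[ip] >= threshold:
            hits[ip] = streak[ip]   # one finding per IP, however many attempts follow
    return hits

def distributed_spray(events, window=timedelta(hours=2), min_ips=3):
    """Slow drip: one username failing from many IPs inside a sliding window."""
    by_user = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    findings = {}
    for user, attempts in by_user.items():      # attempts are already time-sorted
        for i, (start, _) in enumerate(attempts):
            ips = {ip for ts, ip in attempts[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                findings[user] = ips            # report the campaign once
                break
    return findings
```

Run against the sample, the first function yields a single finding for 203.0.113.10 and the second a single finding for alice covering five source IPs, eleven raw log lines reduced to two alerts.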

Check Point

Check Point offers some sophisticated security options that help your SIEM achieve the "Sound of Silence":

  1. Enable device compliance checking to prevent unauthorized access before authentication even begins. Check Point's compliance verification works like concert security checking attendees before they reach the ticket counter. Compliant devices appear as a "Sharp Dressed Man" and proceed to authentication, while non-compliant devices are rejected immediately like a “Bad Penny.” No credentials, no entry. This pre-authentication screening dramatically reduces alert noise from potentially compromised devices.
  2. Leverage Check Point's scripting capabilities for automated response to common security events. While not limited to Check Point, these automation options can save your team from alert fatigue and allow for "No More Tears" when managing security alerts. The scripting potential is powerful enough to block repeated access attempts, flag anomalous behavior, and customize your security response. The full capabilities are too extensive to cover here, but exploring this feature can seriously reduce manual review time.

Listen up, security headbangers: Implementing these vendor-specific hardening measures isn't a direct road to "Paradise City," but it can reduce alert fatigue and strengthen defenses. I’ve focused on broadly applicable tips here, but your mileage may vary depending on your specific configuration, licensing, and access to specialized options like clientless VPNs.

While your initial VPN deployment might be playing Garage Band now, I hope these post-deployment configurations help you keep “Truckin’” toward reduced alerting and improved defenses that can address issues faster than Van Halen's solos! In my next post, I’ll cover alternatives to these approaches entirely so you can “Escape from the Prison Planet” of traditional VPN architecture. Until then… party on, Wayne!

If you enjoyed this musical tour through hardening your VPN security and aren't ready to stop rockin' yet, Dave's got you covered! He compiled all the rock classics (and that one TLC song) referenced in this article into a Spotify playlist. Crank up the volume while you're hardening your VPN configuration — because security is always better with a soundtrack!