Firewall Wizards mailing list archives
Re: Handling Invalid Login Requests in Firewall
From: Paul Robertson <proberts () patriot net>
Date: Wed, 21 Jan 2004 15:32:41 -0500 (EST)
On Fri, 16 Jan 2004, DLN Krishna wrote:
> Hi, in one of the Asian countries, the firewall criteria indicate that if a user tries to log into the firewall appliance more than X times, the appliance MUST not allow that user to log in until the user's password is changed.
That's really a bad idea[tm], especially if the administrator needs to access the firewall remotely to fix things. In the wrong work environment, I could see a lot of Friday afternoon forgotten passwords by the workforce as well.
> There is another school of thought that this type of behaviour might become a DoS for genuine users. It is possible that an attacker might try to log in multiple times with the victim's user name and a wrong password. When this happens, the victim will not be able to get access until his password is changed by the administrator. The administrator might take many hours to change the password, and this can also become a big headache for the administrator.
Yes, this is a classic DoS attack setting; in fact, an attacker could just run a dictionary attack for usernames and DoS all remote access.
> I feel that logging a message (or sending an alert to the administrator) when login is not successful X times, with information such as the source IP, source port and the user name being used to log in, would be better than denying any further login attempts.
I would prefer that things be administrator selectable, but with the default being to log, rather than deny.
> I would appreciate it if somebody could shed some light on any better approaches to handle this.
I'm not sure I'd allow anyone access to the credential port; maybe IPSec with pre-shared keys to stop the abuse anyway?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
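The two handling policies debated in the message above, simulated as an added example that is not part of the thread or of any firewall product: a small authenticator whose policy is administrator-selectable ("lock" denies the user until an administrator changes the password; "alert" keeps accepting logins and records source IP, source port and user name once X failures are reached), run over a constructed sequence of login attempts. The threshold X=3, the user names, addresses, passwords and log-line format are all assumptions made for the simulation. It shows the point made in the reply: under the lock policy an attacker who knows a user name can deny that user remote access, and a loop over a list of user names locks every account, while the alert policy logs the attacker and locks nobody out.

```python
"""Added example, not from the thread: compares the two policies discussed for
repeated failed logins on a management interface.  The event format, the
threshold X=3, the user names, addresses and passwords are all constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

THRESHOLD = 3  # the "X" of the policy; assumed value for this simulation


@dataclass
class LoginEvent:
    src_ip: str
    src_port: int
    username: str
    password: str


@dataclass
class Authenticator:
    """policy is administrator-selectable: 'lock' (deny the user until the
    password is changed) or 'alert' (keep accepting logins, log and alert
    once THRESHOLD failures are reached)."""
    policy: str
    credentials: dict
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def attempt(self, ev: LoginEvent) -> bool:
        where = f"user={ev.username} src={ev.src_ip}:{ev.src_port}"
        if ev.username in self.locked:
            self.log.append(f"DENY (locked) {where}")
            return False
        if self.credentials.get(ev.username) == ev.password:
            self.failures[ev.username] = 0
            self.log.append(f"OK {where}")
            return True
        self.failures[ev.username] += 1
        n = self.failures[ev.username]
        self.log.append(f"FAIL #{n} {where}")
        if n >= THRESHOLD:
            if self.policy == "lock":
                self.locked.add(ev.username)
                self.log.append(f"LOCK {where} until password change")
            else:
                # the alternative suggested in the thread: record who, from where
                self.log.append(f"ALERT {n} failures {where}")
        return False

    def admin_reset_password(self, username: str, new_password: str) -> None:
        """Out-of-band administrator action; the only way out of a lockout."""
        self.credentials[username] = new_password
        self.locked.discard(username)
        self.failures[username] = 0


def make_credentials() -> dict:
    # constructed credential store for the simulation
    return {"admin": "constructed-admin-pw", "alice": "constructed-alice-pw"}


def locked_out_by_attacker(policy: str) -> bool:
    """Attacker guesses wrong THRESHOLD times against 'admin'; then the real
    administrator logs in with the correct password.  Returns True if the
    legitimate login is refused, i.e. the attacker achieved a DoS."""
    auth = Authenticator(policy, make_credentials())
    for i in range(THRESHOLD):
        auth.attempt(LoginEvent("203.0.113.7", 40000 + i, "admin", f"guess{i}"))
    admin_ok = auth.attempt(
        LoginEvent("198.51.100.5", 51000, "admin", "constructed-admin-pw"))
    return not admin_ok


def dictionary_dos(policy: str, usernames: list) -> set:
    """The broader attack described in the reply: run the wrong-password loop
    over a list of user names and return the set of accounts now locked."""
    auth = Authenticator(policy, make_credentials())
    for name in usernames:
        for i in range(THRESHOLD):
            auth.attempt(LoginEvent("203.0.113.7", 42000 + i, name, "wrong"))
    return set(auth.locked)


def alert_lines(policy: str) -> list:
    """Log lines the given policy emits as ALERTs for the same attacker run."""
    auth = Authenticator(policy, make_credentials())
    for i in range(THRESHOLD):
        auth.attempt(LoginEvent("203.0.113.7", 40000 + i, "admin", f"guess{i}"))
    return [line for line in auth.log if line.startswith("ALERT")]


if __name__ == "__main__":
    for p in ("lock", "alert"):
        print(p, "policy, administrator denied after attack:", locked_out_by_attacker(p))
    print("accounts locked by dictionary run:", dictionary_dos("lock", ["admin", "alice"]))
    print(alert_lines("alert"))
```

The `admin_reset_password` step is what the quoted policy relies on to end a lockout, and in the simulation nothing else clears `locked`, which is why the attacker's run leaves the administrator shut out until someone else intervenes.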
Current thread:
- Handling Invalid Login Requests in Firewall DLN Krishna (Jan 21)
- Re: Handling Invalid Login Requests in Firewall Paul Robertson (Jan 21)
- <Possible follow-ups>
- Re: Handling Invalid Login Requests in Firewall Don Parker (Jan 21)
- Re: Handling Invalid Login Requests in Firewall Ravi (Jan 22)
- Re: Handling Invalid Login Requests in Firewall DLN Krishna (Jan 22)
- Re: Handling Invalid Login Requests in Firewall Ravi (Jan 22)