Firewall Wizards mailing list archives

Re: Handling Invalid Login Requests in Firewall


From: Paul Robertson <proberts () patriot net>
Date: Wed, 21 Jan 2004 15:32:41 -0500 (EST)

On Fri, 16 Jan 2004, DLN Krishna wrote:

Hi,

     In one of the Asian countries, firewall criteria indicate that, if a user
     tries to log into the firewall appliance more than X number of times, the
     appliance MUST not allow that user to log in until the password of the
     user is changed.

That's really a bad idea[tm], especially if the administrator needs to
access the firewall remotely to fix things.

In the wrong work environment, I could see a lot of Friday afternoon
forgotten passwords by the workforce as well.


     There is another school of thought that this type of behavior might become
     a DoS for genuine users. It is possible that the attacker might try to log
     in multiple times with the victim's user name and give a wrong password.
     When this happens, the victim will not be able to gain access until his
     password is changed by the Administrator. The Administrator might take
     many hours to change the password, and this can also become a big headache
     for the administrator.

Yes, this is a classic DoS attack setting, in fact, an attacker could just
run a dictionary attack for usernames and DoS all remote access.


     I feel that logging a message (or sending an alert to the administrator)
     when log-in is not successful for X number of times, with information such
     as source IP, source port and the user name being used to log in, would be
     better than denying any further log-in attempts.

I would prefer that things be administrator selectable, but with the
default being to log, rather than deny.

     I would appreciate it if somebody could shed some light on any better
     approaches to handle this.

I'm not sure I'd allow anyone access to the credential port - maybe IPSec
with pre-shared keys to stop the abuse anyway?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
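The two policies argued over in this thread, side by side, as an added example that is not part of the original posts and not code from any firewall vendor: a small failed-login tracker with an administrator-selectable mode, defaulting to "log and alert" as Paul suggests, with "lock until the password is reset" as the alternative. The log format, the mode names and the sample events are all constructed for the illustration; the replay shows how the lock mode lets three bad guesses from one host deny the real administrator, while the log mode still raises an alert carrying source IP, source port and user name but lets the correct password through.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    """Administrator-selectable handling of repeated failed logins (names assumed)."""
    LOG_ONLY = "log"            # alert, keep accepting attempts (the suggested default)
    LOCK_UNTIL_RESET = "lock"   # deny the user until an administrator resets the password


@dataclass
class LoginPolicy:
    threshold: int = 3
    mode: Mode = Mode.LOG_ONLY
    failures: dict = field(default_factory=dict)   # user -> consecutive failures
    locked: set = field(default_factory=set)        # users denied until reset
    alerts: list = field(default_factory=list)      # messages for the administrator

    def attempt(self, user: str, src_ip: str, src_port: int, auth_ok: bool) -> str:
        """Return the outcome of one login attempt under the configured mode."""
        if user in self.locked:
            return "denied-locked"          # even a correct password is refused
        if auth_ok:
            self.failures[user] = 0         # a good login clears the counter
            return "success"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count % self.threshold == 0:
            # Every X failures, alert with source IP, source port and user name.
            self.alerts.append(
                f"{count} consecutive failed logins for user={user} "
                f"from {src_ip}:{src_port}"
            )
            if self.mode is Mode.LOCK_UNTIL_RESET:
                self.locked.add(user)
        return "failed"

    def admin_reset_password(self, user: str) -> None:
        """Administrator action that clears a lock (possibly hours later)."""
        self.locked.discard(user)
        self.failures[user] = 0


# Constructed sample appliance log (not real output): one host fails three times
# against "admin", then the real administrator logs in with the right password.
SAMPLE_LOG = """\
2004-01-16T14:01:02 user=admin src=198.51.100.7:51034 auth=bad
2004-01-16T14:01:03 user=admin src=198.51.100.7:51035 auth=bad
2004-01-16T14:01:04 user=admin src=198.51.100.7:51036 auth=bad
2004-01-16T14:05:00 user=admin src=192.0.2.10:40211 auth=good
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<ip>[\d.]+):(?P<port>\d+) auth=(?P<auth>good|bad)"
)


def parse_log(text: str) -> list:
    """Extract (user, ip, port, auth_ok) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["user"], m["ip"], int(m["port"]), m["auth"] == "good"))
    return events


def replay(text: str, mode: Mode, threshold: int = 3):
    """Run the log through a fresh policy; returns (outcomes, alerts)."""
    policy = LoginPolicy(threshold=threshold, mode=mode)
    outcomes = [policy.attempt(*event) for event in parse_log(text)]
    return outcomes, policy.alerts


if __name__ == "__main__":
    for mode in Mode:
        outcomes, alerts = replay(SAMPLE_LOG, mode)
        print(mode.name, outcomes)
        for alert in alerts:
            print("  ALERT:", alert)
```

The counter is per user name, not per source, which is exactly why the lock mode is a denial-of-service lever: the legitimate login from a different host is refused on the strength of someone else's failures. The log mode records the same evidence for the administrator without handing out that lever.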
