Re: [fw-wiz] Handling Invalid Login Requests in Firewall
From: Paul Robertson (proberts_at_patriot.net)
To: DLN Krishna <firstname.lastname@example.org>
Date: Wed, 21 Jan 2004 15:32:41 -0500 (EST)
On Fri, 16 Jan 2004, DLN Krishna wrote:
> In one of ASIAN countries, firewall criteria indicates that, if user
> tries to log into the firewall appliance for more than X number of
> times, appliance MUST allow that user to log-in until the password of
> the user is changed.
That's really a bad idea[tm], especially if the administrator needs to
access the firewall remotely to fix things.
In the wrong work environment, I could see a lot of Friday afternoon
forgotten passwords by the workforce as well.
> There is another school of thought that this type of behavior might become
> DoS for genuine users. It is possible that, the attacker might try to
> multiple times with victim's user name and give wrong password. When
> this happens, victim will not be able to access, until his password is
> changed by Administrator might take many hours to change the password
> and also this can become a big headache for administrator.
Yes, this is a classic DoS attack setting, in fact, an attacker could just
run a dictionary attack for usernames and DoS all remote access.
> I feel that, logging a message (or sending alert to the administrator)
> log-in is not successful for X number of times with information such as
> source IP and source Port and user name, which is being used to log-in,
> would be good, over denying any further log-in attempts.
I would prefer that things be administrator selectable, but with the
default being to log, rather than deny.
> I would appreciate, if somebody could shed some light on any better
> approaches to handle this.
I'm not sure I'd allow anyone access to the credential port - maybe IPSec
with pre-shared keys to stop the abuse anyway?
Paul D. Robertson              "My statements in this message are personal opinions
email@example.com              which may have no basis whatsoever in fact."
firstname.lastname@example.org Director of Risk Assessment TruSecure Corporation
firewall-wizards mailing list
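
Added example, not part of the original message and not any vendor's code: a small monitor that replays the scenario discussed in the thread (an attacker guessing against a victim's user name, then the genuine user logging in) under both policies, with the action administrator-selectable and defaulting to log. The class name, the 300-second counting window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample events: (epoch_seconds, username, source_ip, source_port, password_ok)
SAMPLE_EVENTS = [
    (100, "admin", "198.51.100.7", 40001, False),
    (110, "admin", "198.51.100.7", 40002, False),
    (120, "admin", "198.51.100.7", 40003, False),   # third failure reaches X
    (130, "admin", "192.0.2.10", 51515, True),      # genuine administrator
]

@dataclass
class FailedLoginMonitor:               # hypothetical name, for illustration only
    threshold: int = 3      # the "X" from the thread
    window: int = 300       # seconds over which failures are counted (assumption)
    action: str = "log"     # administrator-selectable: "log" (default) or "deny"
    alerts: list = field(default_factory=list)
    locked: set = field(default_factory=set)
    _fails: dict = field(default_factory=lambda: defaultdict(deque))

    def observe(self, ts, user, src_ip, src_port, password_ok):
        """Record one attempt; return True if the login is accepted."""
        if user in self.locked:
            return False            # deny mode: refused even with the right password
        recent = self._fails[user]
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()        # forget failures older than the window
        if password_ok:
            recent.clear()
            return True
        recent.append((ts, src_ip, src_port))
        if len(recent) == self.threshold:
            # Alert when the count reaches X, with the fields the thread asks to log.
            self.alerts.append({"user": user, "time": ts,
                                "sources": [(ip, port) for _, ip, port in recent]})
            if self.action == "deny":
                self.locked.add(user)   # stays locked until the password is changed
        return False

    def password_changed(self, user):
        """Administrator reset: clears the lock and the failure history."""
        self.locked.discard(user)
        self._fails[user].clear()

def replay(action):
    """Feed SAMPLE_EVENTS to a fresh monitor; return (per-event results, monitor)."""
    mon = FailedLoginMonitor(action=action)
    return [mon.observe(*e) for e in SAMPLE_EVENTS], mon
```

With action="log" the fourth event (the genuine login) is accepted and one alert carries the three source IP/port pairs; with action="deny" the same login is refused until password_changed() is called.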