Re: [fw-wiz] Handling Invalid Login Requests in Firewall

From: Paul Robertson (proberts_at_patriot.net)
Date: 01/21/04

  • Next message: Don Parker: "Re: [fw-wiz] Handling Invalid Login Requests in Firewall"
    To: DLN Krishna <dlnk@intotoinc.com>
    Date: Wed, 21 Jan 2004 15:32:41 -0500 (EST)

    On Fri, 16 Jan 2004, DLN Krishna wrote:

    > Hi,
    >
    > In one of the Asian countries, the firewall criteria indicate that, if a user
    > tries to log into the firewall appliance more than X number of times, the
    > appliance MUST not allow that user to log in until the password of the user
    > is changed.

    That's really a bad idea[tm], especially if the administrator needs to
    access the firewall remotely to fix things.

    In the wrong work environment, I could see a lot of Friday afternoon
    forgotten passwords by the workforce as well.

    >
    > There is another school of thought that this type of behavior might become
    > a DoS for genuine users. It is possible that the attacker might try to
    > log in multiple times with the victim's user name and give a wrong
    > password. When this happens, the victim will not be able to access it
    > until his password is changed by the administrator. The administrator
    > might take many hours to change the password, and this can also become a
    > big headache for the administrator.

    Yes, this is a classic DoS attack setting; in fact, an attacker could just
    run a dictionary attack for usernames and DoS all remote access.

    >
    > I feel that logging a message (or sending an alert to the administrator)
    > when login is not successful for X number of times, with information such
    > as the source IP, source port and user name being used to log in, would
    > be better than denying any further login attempts.

    I would prefer that things be administrator selectable, but with the
    default being to log, rather than deny.

    > I would appreciate it if somebody could shed some light on any better
    > approaches to handling this.

    I'm not sure I'd allow anyone access to the credential port, maybe IPSec
    with pre-shared keys to stop the abuse anyway?

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
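The exchange above contrasts two ways of handling X failed logins on an appliance's management port: lock the account until its password is changed, or log/alert with source IP, source port and user name and leave the account usable. The following is an added example, not code from the thread or from any appliance vendor, that models both policies side by side and reproduces the denial of service the posters describe: an attacker who only knows the user name "admin" locks the real administrator out under the lockout policy, while under the log policy the same failures produce an alert record and the administrator still gets in. The credential store, the password, the IP addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the threshold of 3 are all constructed for the demonstration.

```python
"""Lockout-until-password-change vs. log-and-alert after X failed logins.

Constructed example for the firewall-wizards discussion; not appliance code.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import hashlib
import hmac

# Toy salted hash for the demo only; a real appliance would use a proper
# password-hashing scheme (bcrypt/scrypt/argon2), not a single SHA-256.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


@dataclass
class Attempt:
    src_ip: str
    src_port: int
    username: str
    password: str


@dataclass
class LoginGuard:
    # Administrator-selectable policy, defaulting to "log" (Paul's preference):
    #   "log"     -> alert at the threshold, keep the account usable
    #   "lockout" -> alert at the threshold and lock the user until a
    #                password change (the policy the original poster describes)
    policy: str = "log"
    threshold: int = 3
    credentials: dict = field(default_factory=dict)          # user -> hash
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def set_password(self, username: str, password: str) -> None:
        """Store a new password; under lockout this is the only way to unlock."""
        self.credentials[username] = _hash(password)
        self.failures[username] = 0
        self.locked.discard(username)

    def attempt(self, a: Attempt) -> str:
        if a.username in self.locked:
            return "denied: locked until password change"
        stored = self.credentials.get(a.username)
        # compare_digest keeps the check constant-time; unknown users still
        # count as failures so an attacker cannot enumerate names from timing.
        ok = stored is not None and hmac.compare_digest(stored, _hash(a.password))
        if ok:
            self.failures[a.username] = 0
            return "ok"
        self.failures[a.username] += 1
        if self.failures[a.username] >= self.threshold:
            # The alert carries the fields the original poster asked for.
            self.alerts.append(
                f"{self.failures[a.username]} failed logins for "
                f"user={a.username} from {a.src_ip}:{a.src_port}"
            )
            if self.policy == "lockout":
                self.locked.add(a.username)
        return "denied: bad credentials"


def simulate(policy: str):
    """Attacker guesses 'admin' 3 times, then the real admin logs in.

    Returns (result of the admin's genuine attempt, alerts raised so far).
    """
    guard = LoginGuard(policy=policy)
    guard.set_password("admin", "correct horse battery staple")   # constructed
    for port in (40001, 40002, 40003):                             # attacker host
        guard.attempt(Attempt("203.0.113.7", port, "admin", "wrong-guess"))
    genuine = Attempt("198.51.100.9", 51515, "admin", "correct horse battery staple")
    return guard.attempt(genuine), list(guard.alerts)


def sweep_lockout(usernames):
    """Paul's point: under lockout, a username dictionary locks everyone out."""
    guard = LoginGuard(policy="lockout")
    for name in usernames:
        guard.set_password(name, "unguessable-" + name)
        for i in range(guard.threshold):
            guard.attempt(Attempt("203.0.113.7", 41000 + i, name, "x"))
    return sorted(guard.locked)


if __name__ == "__main__":
    for policy in ("lockout", "log"):
        result, alerts = simulate(policy)
        print(f"{policy:8s} admin login -> {result}; alerts: {alerts}")
    print("locked after username sweep:", sweep_lockout(["admin", "ops", "audit"]))
```

Both policies emit the same alert at the third failure, so the log policy loses no detection signal; it only stops the attacker's failures from deciding whether the legitimate administrator can reach the box. The `sweep_lockout` helper shows the escalation Paul mentions: with lockout in force, a short list of guessed user names is enough to lock out every remote account at once.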

