Re: [fw-wiz] Handling Invalid Login Requests in Firewall

From: Paul Robertson
Date: 01/21/04

  • Next message: Don Parker: "Re: [fw-wiz] Handling Invalid Login Requests in Firewall"
    To: DLN Krishna
    Date: Wed, 21 Jan 2004 15:32:41 -0500 (EST)

    On Fri, 16 Jan 2004, DLN Krishna wrote:

    > Hi,
    > In one of the Asian countries, the firewall criteria indicate that, if a user
    > tries to log into the firewall appliance more than X number of times, the
    > appliance MUST not allow that user to log in until the password of the user
    > is changed.

    That's really a bad idea[tm], especially if the administrator needs to
    access the firewall remotely to fix things.

    In the wrong work environment, I could see a lot of Friday afternoon
    forgotten passwords by the workforce as well.

    > There is another school of thought that this type of behavior might become
    > a DoS for genuine users. It is possible that the attacker might try to log in
    > multiple times with the victim's user name and give a wrong password. When
    > this happens, the victim will not be able to access the appliance until his
    > password is changed by the Administrator. The Administrator might take many
    > hours to change the password, and this can also become a big headache for
    > the administrator.

    Yes, this is a classic DoS attack setting; in fact, an attacker could just
    run a dictionary attack for usernames and DoS all remote access.

    > I feel that logging a message (or sending an alert to the administrator)
    > when log-in is not successful for X number of times, with information such as
    > source IP, source port and the user name being used to log in, would be
    > better than denying any further log-in attempts.

    I would prefer that things be administrator selectable, but with the
    default being to log, rather than deny.

    > I would appreciate it if somebody could shed some light on any better
    > approaches to handle this.

    I'm not sure I'd allow anyone access to the credential port - maybe IPSec
    with pre-shared keys to stop the abuse anyway?

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation
    firewall-wizards mailing list
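The trade-off argued in the thread above (lock the account after X failures, or keep accepting attempts and alert the administrator with source IP, source port and user name), as an added example that is not part of the original posts. The threshold, the `deny`/`log` policy names, the user names, passwords and addresses are all constructed for the illustration; the `simulate` function replays the scenario from the quoted message, where an attacker exhausts the threshold against the administrator's own user name.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    """Counts failed logins per user name and, once the threshold X is reached,
    applies the administrator-selected policy: 'deny' locks the account until
    the password is changed, 'log' records an alert and keeps accepting logins."""
    threshold: int
    policy: str = "log"  # admin-selectable; default is to log rather than deny
    passwords: dict = field(default_factory=dict)
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def login(self, user, password, src_ip, src_port):
        if user in self.locked:
            return "locked"
        if self.passwords.get(user) == password:
            self.failures[user] = 0  # a good login clears the counter
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            if self.policy == "deny":
                self.locked.add(user)
            # Either policy tells the administrator who is hammering which account.
            self.alerts.append(
                f"{self.failures[user]} failed logins for user={user} "
                f"from {src_ip}:{src_port}")
        return "bad_password"

    def change_password(self, user, new_password):
        self.passwords[user] = new_password
        self.failures[user] = 0
        self.locked.discard(user)  # only a password change lifts a 'deny' lock


def simulate(policy):
    """Constructed scenario: three wrong guesses against the admin account,
    then the real administrator logs in with the correct password."""
    guard = LoginGuard(threshold=3, policy=policy,
                       passwords={"admin": "correct-horse"})  # constructed
    for i in range(3):  # constructed attacker traffic, wrong password each time
        guard.login("admin", f"guess{i}", "203.0.113.7", 40000 + i)
    outcome = guard.login("admin", "correct-horse", "198.51.100.5", 51515)
    return outcome, guard.alerts
```

Under `deny` the legitimate administrator is shut out by someone else's failures, which is the DoS the thread describes; under `log` the same three failures produce the same alert but the correct password still works.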
