Any time holes are punched through a firewall defense, exposure increases to
those who would capitalize on the opening. Because authentication proxy should
be configured with CBAC, it only makes sense to implement the CBAC attack
defenses introduced in Chapter 6.
Denial of Service (DoS) Attacks
Any time a firewall experiences a high level of connection requests that require
authentication, legitimate network users might experience delays in making needed
connections, or a connection could be rejected and the user would need to try
reestablishing it. For each request, the authentication proxy prompts the user
for login credentials. A high number of open requests could therefore indicate
that the router is the subject of a denial of service (DoS) attack.
As a protective mechanism, the authentication proxy monitors
incoming HTTP requests, limits the number of open requests, and then drops any
additional requests until the number of open requests has fallen below
40.
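The open-request limit described above, modelled as an added example (not code from the book or from Cisco's implementation). It assumes a simple event stream of "open" and "close" requests per source address; the threshold is the 40 quoted in the text, and the per-source tally is a defender's view added here to show how a flood crowds out legitimate users.

```python
"""Model of the authentication proxy's open-request limiter.

Constructed example: events are (kind, src) tuples, where kind is "open"
(a new HTTP request that needs a login prompt) or "close" (the login
finished or the request was torn down). MAX_OPEN is the threshold from
the text. The per-source tally is an assumed defender's heuristic, not
part of the described mechanism.
"""
from collections import Counter

MAX_OPEN = 40  # open requests allowed before additional ones are dropped


class AuthProxyLimiter:
    def __init__(self, max_open=MAX_OPEN):
        self.max_open = max_open
        self.open_by_src = Counter()  # pending login prompts per source address
        self.accepted = 0
        self.dropped = 0

    @property
    def open_total(self):
        return sum(self.open_by_src.values())

    def request(self, src):
        """Return True if the request gets a login prompt, False if it is dropped."""
        if self.open_total >= self.max_open:
            self.dropped += 1
            return False
        self.open_by_src[src] += 1
        self.accepted += 1
        return True

    def close(self, src):
        """Release one open request for src, letting new requests in again."""
        if self.open_by_src[src] > 0:
            self.open_by_src[src] -= 1
        if self.open_by_src[src] == 0:
            del self.open_by_src[src]

    def dos_suspects(self, share=0.5):
        """Sources holding at least `share` of all open requests (assumed heuristic)."""
        total = self.open_total
        return [s for s, n in self.open_by_src.items() if total and n / total >= share]


def run(events, max_open=MAX_OPEN):
    lim = AuthProxyLimiter(max_open)
    for kind, src in events:
        if kind == "open":
            lim.request(src)
        else:
            lim.close(src)
    return lim


# Constructed scenario: one source floods 45 requests, then two legitimate users try.
FLOOD = [("open", "203.0.113.9")] * 45
LEGIT = [("open", "192.0.2.10"), ("open", "192.0.2.11")]
```

With FLOOD followed by LEGIT, the first 40 flood requests fill the limit and both legitimate users are dropped; closing a few flood requests first lets them through again.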
Source Address Spoofing
Spoofing a source address involves an attacker substituting a known or suspected
trusted address for their own, both to gain access and to conceal their identity.
When an HTTP session triggers a successful authentication proxy session, a dynamic
opening is created in the firewall by reconfiguring an interface with temporary
user-access privileges. As long as this opening exists, it’s always technically
possible for another user to detect the source IP address information and spoof
the address to gain access behind the firewall.
Spoofing is a problem inherent to all access list implementations. It is
important to realize that the authentication proxy feature doesn’t cause this
address spoofing problem, but it is exposed to it to some degree, and the
feature does nothing specific to address it.