
Expressway MRA security concerns

nickkassel
Level 1

We have just deployed Expressway MRA for a customer and they are now complaining that it is possible for a hacker to use a Jabber client to lock out their Jabber-enabled domain accounts. Their concern is that someone could obtain the usernames from their email addresses, then download a Jabber client and attempt to log in to many accounts.

Has anyone had these concerns come up before and has any answers? I understand SSO would be an option; however, I'm interested in whether there are any other options.

Regards

Nick

6 Replies

Kevin Roarty
Cisco Employee

Hi Nick,

Expressway includes a feature that can help mitigate an account lock out or brute force password attack.  Specifically it's the "HTTP proxy authorization failure" rule under the automated detection configuration.

You can find more details in our admin guide on page 33, under the name automated detection (and sometimes automated intrusion protection).

As we note in the MRA deployment guide, do not enable the “HTTP proxy resource access failure” rule (a similarly worded but different rule).  Phones and Jabber clients regularly request files that are not always available (by design), and these failed GET requests can end up triggering this rule (false positive) and blocking access to your end users.

HTH,

Kevin

Hi Kevin

Thanks very much for your response, I will check this out.

Regards

Nick

bhomoelle
Level 1

Hi Nick,

We have customers with the same concerns too.

Did you find a solution to solve that problem?

Thanks in advance

B.

nmartinez3
Level 1

Hello,

I have the same concern. Did anyone find a solution or answer?

carlnewton
Level 3

I think the problem is the same with outlook web access, and many other tools.

I think the answer has to be a combination of the Expressway automated detection feature and a sensible (and aware) account lockout policy within AD.

Automated detection may be capable of stopping the brute-force attacks, but the customer has to decide how far they want to go with it (how many bad password attempts are allowed).

nguzman
Level 1

We are using SSO and also we are checking daily the Search History and Event Logs to see who is trying to connect to us. We are blocking manually those segments in System/Protection/Firewall rules/Configuration. Make sure that UDP mode is off under the SIP configuration and add a firewall rule to drop those connections by TCP (ports 0 to 65535). After that you will see that the call attempts will stop. These are some that we have detected in our system.

Prefix            Network name
196.52.43.0 RZ Universitaet Freiburg
77.247.109.0 CLOUD STAR HOSTING SERVICES
178.32.145.188 Abuse-C Role
178.32.145.191 Abuse-C Role
62.4.16.0 DEDIBOX-POOL-IPFO
102.165.48.0 Zilvinas Vaickus
195.154.128.0 FR-ILIAD-ENTREPRISES-CUSTOMERS
62.173.149.0 Internet-Cosmos LLC-Russia
152.206.0.0 Empresa de Telecomunicaciones de Cuba, S.A.
87.149.0.0 Deutsche Telekom Abuse Contact
122.228.19.64 IRT-CHINANET-ZJ
107.172.0.0 ColoCrossing-BuffaloNY
196.52.43.0 Chad Abizeid-nm@nm
45.79.0.0 Linode Network Operations, PA, USA
70.49.238.79 Sympatico HSE-CA
188.161.128.0 PALTEL-DSL_PALESTINA
51.68.80.0 PCI-SBG-FRANCE
54.39.176.0 PCI-BHS-CA
51.77.108.0 PCI-UK1-FRANCE
51.79.24.0 PCI-BHS5-CA
185.107.83.0 NFORCE_ENTERTAINMENT
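The three defensive pieces raised in this thread (Kevin's per-source "HTTP proxy authorization failure" trigger, Carl's point that it has to be tuned together with the AD lockout threshold, and the log review by network segment described in the post above) can be tried out offline with a small simulation. The following is an added example written for this thread; it is not Cisco code and not taken from any Expressway release. The log line format is constructed for the example and is not the real Expressway event log format, and every threshold is a parameter you set, not a Cisco default. It models the order in which the controls see a request: the Expressway-style rule first, then the per-account lockout for whatever reaches the backend.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Constructed, simplified log format for this example (not the real Expressway log).
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed sample: one source hammering one account, one success, one small burst.
SAMPLE_LOG = """
2023-05-01T10:00:01Z src=203.0.113.10 user=alice result=auth_failure
2023-05-01T10:00:02Z src=203.0.113.10 user=alice result=auth_failure
2023-05-01T10:00:03Z src=203.0.113.10 user=alice result=auth_failure
2023-05-01T10:00:04Z src=203.0.113.10 user=alice result=auth_failure
2023-05-01T10:00:05Z src=203.0.113.10 user=alice result=auth_failure
2023-05-01T10:00:06Z src=203.0.113.10 user=alice result=auth_failure
2023-05-01T10:00:07Z src=198.51.100.7 user=bob result=auth_success
2023-05-01T10:00:08Z src=203.0.113.55 user=carol result=auth_failure
2023-05-01T10:00:09Z src=203.0.113.55 user=carol result=auth_failure
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


class SourceFailureDetector:
    """Automated-detection style rule: `trigger_count` auth failures from one
    source within `interval` block that source for `block_duration`."""

    def __init__(self, trigger_count, interval, block_duration):
        self.trigger_count, self.interval, self.block_duration = trigger_count, interval, block_duration
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.blocked_until = {}             # src -> datetime the block expires

    def observe(self, ts, src, result):
        """Return True if the request passes, False if the source is currently blocked."""
        until = self.blocked_until.get(src)
        if until is not None and ts < until:
            return False
        if result == "auth_failure":
            window = self.failures[src]
            window.append(ts)
            while ts - window[0] > self.interval:   # drop failures outside the window
                window.popleft()
            if len(window) >= self.trigger_count:
                self.blocked_until[src] = ts + self.block_duration
                window.clear()
        return True


class AccountLockoutPolicy:
    """Per-account lockout: `threshold` failures that reach the backend lock the account."""

    def __init__(self, threshold):
        self.threshold, self.failures = threshold, defaultdict(int)

    def observe(self, user, result):
        if result == "auth_failure":
            self.failures[user] += 1

    def locked_accounts(self):
        return sorted(u for u, n in self.failures.items() if n >= self.threshold)


def run_scenario(trigger_count, interval_s, block_s, lockout_threshold, log_text=SAMPLE_LOG):
    """Feed the log through the per-source rule, then the lockout policy, and summarise."""
    detector = SourceFailureDetector(trigger_count, timedelta(seconds=interval_s), timedelta(seconds=block_s))
    lockout = AccountLockoutPolicy(lockout_threshold)
    dropped = 0
    for ts, src, user, result in parse_log(log_text):
        if detector.observe(ts, src, result):
            lockout.observe(user, result)
        else:
            dropped += 1
    return {"dropped": dropped,
            "blocked_sources": sorted(detector.blocked_until),
            "locked_accounts": lockout.locked_accounts()}


def failures_by_prefix(log_text=SAMPLE_LOG, prefix_len=24):
    """Aggregate failures per network segment, the view used when deciding which
    ranges keep showing up in the log review before adding a firewall rule."""
    counts = defaultdict(int)
    for _, src, _, result in parse_log(log_text):
        if result == "auth_failure":
            counts[str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Per-source trigger below the AD threshold: the source is blocked, no account locks.
    print(run_scenario(trigger_count=3, interval_s=300, block_s=600, lockout_threshold=5))
    # Per-source trigger above the AD threshold: nothing is blocked and alice locks out.
    print(run_scenario(trigger_count=10, interval_s=300, block_s=600, lockout_threshold=5))
    print(failures_by_prefix())
```

The two scenarios in the `__main__` block are the tuning point Carl describes: when the per-source trigger fires before the AD lockout count is reached, the offending source is blocked while the targeted account stays usable; when the trigger is set higher than the lockout count, every failure reaches AD and the account locks before Expressway reacts. `failures_by_prefix` is the segment-level count behind a manual review like the one in the post above, so that a rule is added for a range that actually recurs rather than for a single address.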
