06-14-2013 08:57 AM - edited 03-18-2019 01:17 AM
All,
If one deploys Jabber via VCS-Control & TMS, then uses Direct AD integration on the VCS-C so that it joins the domain, I am pretty sure that someone trying to log into an AD account via Jabber and entering the password wrong several times would lock the AD account, correct? Now if you add a VCS-E to the mix, you open your AD network to the world, per se, in that someone from the outside, if they were able to figure out your usernames, could start locking all your accounts.
Does anyone have some ideas on ways to overcome this?
Thank you,
Justin Ferello
Technical Support Specialist
KBZ, a Cisco Authorized Distributor
http://www.kbz.com
e/v: justin.ferello@kbz.com
06-14-2013 09:35 AM
That's a nice question. I also thought of DoS capabilities but never tried it in more depth.
The question is how AD behaves: whether it locks out the account, the "computer" (= the VCS) where the request comes from, the account for the computer where the request came from, ...
Also whether it's configurable who even can authenticate through the VCS (like only the Jabber group). Sure, you need a user in the Provisioning Directory to use Jabber, but you might be able to use the AD integration to check if the credentials are valid for an AD user.
Please remember to rate helpful responses and identify
06-14-2013 10:34 AM
Let me add two cents here:
I don't think this is a security problem, because thinking this way, enterprises would never provide any service on the internet.
For example, many companies provide a webmail service for their employees via the internet. The webmail page is public; anybody can get there and try to log in. It does not represent a security problem exactly, because companies normally have several security policies with regard to usernames and passwords, like complexity of passwords, time for expiration and so on. I would consider the same regarding Jabber through VCSe.
To improve security regarding DoS and things like that, there are specific solutions, like border IDS and IPS solutions.
Regards
Paulo Souza
06-14-2013 11:44 AM
If you use SIP TLS, I would say combining the VCS with an IDS or IPS could be hard, so this would be a function better placed on the VCS itself (or maybe a tool which can analyze logfiles).
Regarding the webmail, most companies I know use some two-way authentication or additional information rather than just the password.
Please remember to rate helpful responses and identify
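The log-analysis tool suggested above, as an added example that is not from this thread or from Cisco: it streams constructed failed-authentication lines in a hypothetical format (real VCS event logs look different, so the regex, field names and thresholds are assumptions) and raises an alert when one account approaches the AD lockout threshold, or when a single external source fails against several accounts, so an admin can act before AD locks anything.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not real VCS output):
# the outside source 203.0.113.5 hammers one account, then walks several.
SAMPLE_LOG = """\
2013-06-14T09:00:01Z auth-failure user=jdoe src=203.0.113.5
2013-06-14T09:00:03Z auth-failure user=jdoe src=203.0.113.5
2013-06-14T09:00:04Z auth-failure user=jdoe src=203.0.113.5
2013-06-14T09:00:05Z auth-failure user=jdoe src=203.0.113.5
2013-06-14T09:00:06Z auth-failure user=asmith src=203.0.113.5
2013-06-14T09:00:07Z auth-success user=asmith src=198.51.100.20
2013-06-14T09:00:08Z auth-failure user=bjones src=203.0.113.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth-failure user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_failures(text):
    """Yield (timestamp, user, source) for each failed-auth line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("user"), m.group("src")

def analyze(text, window=timedelta(minutes=5), lockout_threshold=5, spray_users=3):
    """lockout-risk: a user is one failure short of lockout_threshold inside window;
    spray: one source failed against spray_users distinct accounts inside window."""
    per_user = defaultdict(deque)   # user -> failure timestamps still in window
    per_src = defaultdict(deque)    # src  -> (timestamp, user) still in window
    alerts, raised = [], set()      # each alert kind is raised once per key
    for ts, user, src in parse_failures(text):
        q = per_user[user]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= lockout_threshold - 1 and ("lockout-risk", user) not in raised:
            raised.add(("lockout-risk", user))
            alerts.append(("lockout-risk", user, src))
        s = per_src[src]
        s.append((ts, user))
        while ts - s[0][0] > window:
            s.popleft()
        victims = {u for _, u in s}  # distinct accounts this source failed against
        if len(victims) >= spray_users and ("spray", src) not in raised:
            raised.add(("spray", src))
            alerts.append(("spray", src, len(victims)))
    return alerts
```

Feeding real VCS events to it means only replacing `LINE_RE` and the timestamp format; the thresholds should sit below the domain's actual lockout policy.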
06-15-2013 11:20 AM
Certificates on the client could be a way to get more security, but it is not easy to deploy certificates on all clients like Jabber, Movi or iPad.
Sent from Cisco Technical Support iPhone App