VCS-E & AD Design Question

Justin Ferello
Level 5

All,

If one deploys Jabber via VCS-Control & TMS and then uses direct AD integration on the VCS-C, so that it joins the domain, I am pretty sure that someone trying to log into an AD account via Jabber and entering the password wrong several times would lock the AD account, correct? Now if you add a VCS-E to the mix, you open your AD network to the world, per se, in that someone from the outside, if they were able to figure out your usernames, could start locking all your accounts.

Does anyone have some ideas on ways to overcome this?

Thank you,

Justin Ferello
Technical Support Specialist
KBZ, a Cisco Authorized Distributor
http://www.kbz.com
e/v: justin.ferello@kbz.com       

4 Replies

Martin Koch
VIP Alumni

That's a nice question. I also thought of DoS capabilities, but I never tried it more deeply.

The question is how AD behaves: whether it locks out the account, the "computer" (the VCS) the request comes from, the account for the computer the request came from, ...

Also whether it's configurable who can even authenticate through the VCS (like only the Jabber group). Sure, you need a user in the Provisioning Directory to use Jabber, but you might be able to use the AD integration to check if the credentials are valid for an AD user.


Paulo Souza
VIP Alumni

Let me add two cents here:

I don't think this is a security problem, because thinking this way, enterprises would never provide any service on the internet.

For example, many companies provide a webmail service for their employees via the internet. The webmail page is public; anybody can get there and try to log in. It does not exactly represent a security problem, because companies normally have several security policies with regard to usernames and passwords, like password complexity, expiration time and so on. I would consider the same regarding Jabber through the VCS-E.

To improve security regarding DoS and things like that, there are specific solutions, like border IDS and IPS solutions.

Regards

Paulo Souza

If you use SIP-TLS, I would say combining the VCS with an IDS or IPS could be hard, so this would be a function better placed on the VCS itself (or maybe a tool which can analyze logfiles).

Regarding the webmail, most companies I know use some two-way authentication or additional information rather than just the password.
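
The log-analysis idea raised in the reply above, as an added example that is not part of the thread or of any Cisco tool: a sliding-window check over authentication log lines that flags accounts nearing an assumed AD lockout threshold and sources failing against many distinct usernames. The log format, thresholds and all names are assumptions constructed for illustration, not the VCS's real log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (not the VCS's real log format).
SAMPLE_LOG = """\
2013-05-02T10:00:01 auth result=fail user=alice src=198.51.100.7
2013-05-02T10:00:05 auth result=fail user=bob src=198.51.100.7
2013-05-02T10:00:09 auth result=fail user=alice src=198.51.100.7
2013-05-02T10:00:12 auth result=fail user=carol src=198.51.100.7
2013-05-02T10:00:20 auth result=fail user=alice src=198.51.100.7
2013-05-02T10:01:00 auth result=fail user=erin src=203.0.113.20
2013-05-02T10:01:30 auth result=fail user=erin src=203.0.113.20
2013-05-02T10:01:45 auth result=ok user=erin src=203.0.113.20
"""

WINDOW = timedelta(minutes=10)  # assumed observation window
WARN_AT = 3      # warn before an assumed AD lockout threshold of 5
SPRAY_USERS = 3  # distinct usernames failing from a single source

def parse(line):
    """Split 'timestamp auth key=value ...' into (datetime, fields)."""
    ts, _, *pairs = line.split()
    return datetime.fromisoformat(ts), dict(p.split("=", 1) for p in pairs)

def analyze(log_text):
    """Return (accounts nearing lockout, sources failing against many users)."""
    per_user = defaultdict(deque)  # user -> failure timestamps in window
    per_src = defaultdict(deque)   # src  -> (timestamp, user) failures in window
    at_risk, noisy = set(), set()
    for line in filter(str.strip, log_text.splitlines()):
        ts, f = parse(line)
        user, src = f["user"], f["src"]
        if f["result"] == "ok":
            per_user[user].clear()  # AD resets the bad-password count on success
            continue
        fails = per_user[user]
        fails.append(ts)
        while ts - fails[0] > WINDOW:
            fails.popleft()
        if len(fails) >= WARN_AT:
            at_risk.add(user)
        seen = per_src[src]
        seen.append((ts, user))
        while ts - seen[0][0] > WINDOW:
            seen.popleft()
        if len({u for _, u in seen}) >= SPRAY_USERS:
            noisy.add(src)
    return at_risk, noisy

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Setting `WARN_AT` below the domain's real lockout threshold gives time to block the source at the edge before legitimate users are locked out.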

rasimyigit
Level 1

Certificates on the client could be a way to get more security, but it is not easy to deploy certificates on all clients like Jabber, Movi or iPad.