VPN SNX portal may be vulnerable to brute-force attack on passwords

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk180271
Technical Level
Product	SSL Network Extender
Version	R80.20 (EOL), R80.20SP, R80.30 (EOL), R80.30SP, R80.40, R81, R81.10, R81.20
OS	Gaia
Platform / Model	All
Date Created	29-Nov-2022
Last Modified	02-Jan-2023

Symptoms

The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for username/password authentication, it is vulnerable to a brute-force attack on usernames and passwords.

Cause

The VPN SNX portal in the IPsec VPN Software Blade does not implement any protection against brute-force attack on usernames/passwords.

Solution

Overview

The protection for the VPN SNX Portal behaves in this way:

Each failed authentication attempt in the VPN SNX Portal triggers a delay (the default delay is 3 seconds).
If a client IP address fails to authenticate in the VPN SNX Portal several times in a row, the protection bans the client IP address for a specific period of time.
The default is 3 failed login attempts in a row.
The default ban duration is 5 minutes.

The protection is included starting from:

Check Point R81.20
Jumbo Hotfix Accumulator for R81.10 starting from Take 79
Jumbo Hotfix Accumulator for R81 starting from Take 77
Jumbo Hotfix Accumulator for R80.40 starting from Take 180
Jumbo Hotfix Accumulator for R80.30SP - Starting from Take 108
Jumbo Hotfix Accumulator for R80.30 starting from Take 255
Jumbo Hotfix Accumulator for R80.20SP - planned for the next Take (ETA is 29 Dec 2022, subject to change)
Jumbo Hotfix Accumulator for R80.20 starting from Take 230

Notes:

Before the fix for the VPN SNX Portal is integrated into the Jumbo Hotfix Accumulators for the R80.20SP / R80.30SP versions, contact Check Point Support to get a hotfix for these two versions.
Check Point recommends to always upgrade to the recommended version (Security Gateway / VSX).

Configuration

The VPN SNX Portal protection is enabled by default.

You can control some protection aspects of this protection with kernel parameters on the Security Gateway.

Note - For instructions for configuring kernel parameters, see the Quantum Security Gateway Guide for your version > Chapter "Working with Kernel Parameters" > Section "Firewall Kernel Parameters".

Kernel Parameter	Valid Values	Description
vpn_failed_auth_delay_seconds	0 <Integer>	Controls the delay before accepting the next login attempt from a specific IP address: 0 - Disables the feature (not recommended) Any positive integer - Configures the delay (in seconds) before accepting the next login attempt from a specific IP address Default - 3 seconds
vpn_failed_auth_attempt_threshold	<Integer>	Controls the number of failed authentication attempt (after how many consecutive login attempts, the SNX portal stops accepting the login attempts from a specific IP address): Any positive integer - Configures the number of failed login attempts Default - 3 failed attempts
vpn_brute_force_attack_penalty_seconds	0 <Integer>	Controls the ban penalty period for a failed authentication attempt (for how long the SNX portal stops accepting login attempts from a specific IP address): 0 - Disables the ban penalty period (not recommended) Any positive integer - Configures the ban penalty period (in seconds) Default - 300 seconds (5 minutes) Note - This feature protects only SNX Portal and SNX CLI.

Removing a client IP address from an active ban

Connect to the command on the Security Gateway.
Log in to the Expert mode.
Run:

vpn snx_unban <Client_IP_Address>

Example:

vpn snx_unban 192.168.22.33

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating