
Introduction

Note

Mideye Shield was introduced in Mideye Server 6.5.12.

Overview

Mideye Shield provides early-stage rejection of authentication requests based on the username and/or originating IP address. Its purpose is to reduce log spam and protect against DoS, brute-force, password spray, and MFA fatigue attacks.

Mideye Shield operates through two main mechanisms:

  1. Static Filter Rules – Matches based on username or Calling-Station-ID (user's IP address).
  2. Automated IP Blocking – Uses the central service shield.mideye.com to check IP addresses in real-time against a shared block list. The list is updated dynamically based on the success or failure of authentication requests.

Prerequisites

  • Username Filtering: Define uniform characteristics of valid usernames in Static Filter Rules (e.g., suffixes, @, ., or using regular expressions).

  • IP Filtering: RADIUS clients (VPN concentrators, firewalls) must send the client IP as Calling-Station-ID (attribute #31) in Access-Request messages.

  • Connectivity: Ensure outbound connectivity to shield.mideye.com on TCP port 443, and enable Shield in the Mideye Server configuration.
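
One way to verify the IP Filtering prerequisite from a captured packet, as an added example that is not Mideye code: it parses a RADIUS Access-Request following the RFC 2865 layout and reports whether attribute 31 is present and holds an IP address. The function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct
ACCESS_REQUEST = 1       # RADIUS packet code (RFC 2865)
USER_NAME = 1            # attribute type
CALLING_STATION_ID = 31  # attribute type named in the prerequisite

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} for an Access-Request, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def check_calling_station_id(packet: bytes) -> tuple:
    """Return ('ok', ip), ('missing', None) or ('not_ip', raw_value)."""
    values = parse_attributes(packet).get(CALLING_STATION_ID)
    if not values:
        return ("missing", None)
    raw = values[0].decode("utf-8", errors="replace")
    try:
        return ("ok", str(ipaddress.ip_address(raw)))
    except ValueError:
        return ("not_ip", raw)  # e.g. a MAC address or phone number

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample packets using documentation addresses, not real traffic.
GOOD = build_request([(USER_NAME, b"alice@example.com"), (CALLING_STATION_ID, b"203.0.113.7")])
NO_IP = build_request([(USER_NAME, b"alice@example.com")])
MAC = build_request([(USER_NAME, b"alice@example.com"), (CALLING_STATION_ID, b"00-11-22-33-44-55")])

for name, pkt in (("GOOD", GOOD), ("NO_IP", NO_IP), ("MAC", MAC)):
    print(name, check_calling_station_id(pkt))
```

A RADIUS client that yields `missing` or `not_ip` gives the IP-based rules and automated blocking nothing to match on, so only username rules can apply to its requests.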

Privacy Considerations

When automated protection is active, IP addresses and authentication results (e.g., blocked, invalid username/password, timeout) are shared with the central Mideye Shield service for fraud scoring.

  • Allow Rules in Static Filter Rules can exempt trusted IPs/subnets from automated protection and data sharing.
  • These trusted sources skip automated checks and are not included in the central rating process.

How It Works

1. Information Extraction

For each incoming authentication request, Mideye Shield extracts:

  • Username
  • Calling-Station-ID (IP address)

2. Multi-Layered Security Checks

Layer 1 – Allow Rules & Auto-Blocked List

  • Allow Rules: Trusted IPs/subnets bypass all checks and data sharing.
  • Auto-Blocked List: Contains IP addresses dynamically blocked via the Mideye Shield service.
      • This list is maintained and updated automatically only when Mideye Shield dynamic blocking is enabled.
      • If Shield is not activated, this list does not exist.

Layer 2 – Static Filter Rules

  • Matches on usernames or IP addresses are rejected outright based on predefined patterns or rules.

Layer 3 – Dynamic Protection

  • Requests are evaluated via the central Shield service for real-time fraud scoring.
  • Requests above the risk threshold are rejected or silently discarded.

3. Possible Outcomes

  • Allow – Request proceeds to RADIUS authentication.
  • Access-Reject – Explicit rejection.
  • Discard – Silent drop (no response sent).

Note

When a request is silently discarded, the VPN concentrator or firewall receives no response, and the resulting timeout can cause it to fail over.

4. Continuous Feedback Loop

  • All authentication results (allow, reject, fail) are fed back to the automated Shield system to refine fraud scoring.
  • Allow Rule IPs are never shared or analyzed.

Key Benefits

  • Multi-Layered Security – Combines manual and automated controls for maximum protection.
  • Privacy Controls – Exclude sensitive or internal IPs from external fraud analysis.
  • Adaptive Threat Detection – Learns from every authentication attempt to continuously improve blocking decisions.

By combining static filtering with dynamic fraud scoring, Mideye Shield ensures legitimate users are granted access while suspicious requests are proactively blocked.