Mailinglist Archive: opensuse-security (616 mails)
Re: [suse-security] What to do against ARP-Poisoning?
- From: Roland Hilkenbach <roland@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 19 Mar 2002 12:32:37 +0100
- Message-id: <200203191132.MAA02015@xxxxxxxxxxxxxxxxxxxxxxxx>
On Tuesday, 19 March 2002 11:05, Reckhard, Tobias wrote:
> Roland,
>
> > 1) All connections to my server can be redirected through an
> > attacking system
> > by using ARP-poisoning techniques
>
> Yes. And arp poisoning isn't your only worry. They could DoS your system,
> then steal your MAC address, too. ARP poison countermeasures won't help
> against that, only proper authentication of communicating parties will.
>
Oh yes I know - This was just a starting point...
> > 2) I can try to notice if something happens to the ARP-table
> > but I can not
> > prevent things from happening without having a secure switch
> > at Puretec ;-)
>
> And remember that switches aren't security enforcement devices and
> shouldn't be expected to be.
>
Pure OSI-Level 2 switches certainly aren't security enforcement devices, but
they could improve security a bit by blocking false ARP packets.
> > 3) All unencrypted traffic can thus be read by the attacker
>
> <nitpick> Oh, even encrypted traffic can be read by the attacker. He
> shouldn't be able to read the plaintext, though. </nitpick>
>
And even then there are SSL-Proxies and the like...
> > 4) Even if I use a VPN to transfer all data between my
> > internal network and
> > my server at Puretec (thus being protected), Emails (i.e)
> > will be exchanged
> > with other systems on the internet and it is highly
> > improbable that this
> > traffic will be encrypted too.
>
> That depends entirely on the other systems and the level of influence you
> have on them.
>
None, I suppose :-(
> > 5) That way all emails will be readable to an attacker no
> > matter what I do to
> > protect them
>
> Plaintext Internet traffic can be read while it's underway and you have no
> assurance of the path that traffic will take. Neighbours of your server in
> the ISP's rack aren't the only ones capable of capturing 'your' traffic,
> though it is relatively easy for them.
>
You said it: it's _very_ easy for the neighbours, maybe _too_ easy. At least
it costs a little more effort to enter a foreign mailserver than to use your
own ;-) And I suppose you didn't take a look at those neighbours yet :-/
Open to everybody and everything, including unprotected phpMyAdmin and so on.
> Don't forget, though, that what matters is not so much the possibility of
> this happening or its probability, but rather the risk you're taking. I.e.
> how much of a problem would it be if someone captured your traffic? This
> will dictate how much effort you should put into attempts to (perhaps
> partially) fix the problem. One easy method to solve the arp poison issue
> is to place the server in an environment under your own physical control.
> That won't help defend against hackers 0wn1ng the mail exchangers of the
> people you send email to, which may well be well-known ISP machines.
>
Yeah, I just evaluated the possibility of using such a rootserver for company
purposes since it is _much_ cheaper than the leased line necessary for one's
own server. And I have to admit: you get what you pay for - in this case
nothing (with respect to security).
> Tobias
I'm feeling like fighting Medusa: each threat I try to cut off makes several
more threats show up! It's either frustrating or an interesting challenge - it
depends on the angle of view you have...
Thank you for your honest input
Roland Hilkenbach
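Point 2 above says the ARP table can at least be watched even if a poisoned switch segment can't be fixed. As an added example (not part of the original thread), the following script shows the two detection checks such a watcher would run over a stream of observed ARP replies: an IP whose MAC changes, and one MAC claiming several IPs. It works on a constructed list of (ip, mac) observations rather than a live interface, and the pinned table in `check_against_static_table` stands in for what static entries (`arp -s`) enforce.

```python
"""Detect suspicious ARP mappings from a stream of observed ARP replies.

Added example, not from the original thread. Input is a list of (ip, mac)
pairs as a host's ARP table would see them. Two conditions are flagged:
  * an IP whose MAC address changes (classic ARP poisoning of one host)
  * a MAC that claims several IPs (one attacker posing as gateway and hosts)
"""
from collections import defaultdict

# Constructed sample of ARP replies seen on a shared segment (not real data).
OBSERVED_ARP = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # gateway, legitimate
    ("192.168.1.10", "00:11:22:33:44:0a"),   # mail server, legitimate
    ("192.168.1.20", "00:11:22:33:44:14"),   # another neighbour
    ("192.168.1.1",  "de:ad:be:ef:00:01"),   # gateway MAC changes -> poisoning
    ("192.168.1.10", "de:ad:be:ef:00:01"),   # same MAC now claims mail server
]


def detect_arp_anomalies(observations):
    """Return a list of (kind, detail) alerts for the given (ip, mac) stream."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac_changed", f"{ip}: {previous} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac_claims_many", f"{mac}: {sorted(mac_to_ips[mac])}"))
    return alerts


def check_against_static_table(observations, static_table):
    """Compare observations with a pinned ip->mac table (what 'arp -s' enforces)."""
    mismatches = []
    for ip, mac in observations:
        expected = static_table.get(ip)
        if expected is not None and expected.lower() != mac.lower():
            mismatches.append((ip, expected.lower(), mac.lower()))
    return mismatches


if __name__ == "__main__":
    for kind, detail in detect_arp_anomalies(OBSERVED_ARP):
        print(f"ALERT {kind}: {detail}")
```

The first check catches a poisoned gateway entry on its own; the second is what separates a single impersonator from a host that simply changed its NIC.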