Mailinglist Archive: opensuse-security (616 mails)
RE: [suse-security] What to do against ARP-Poisoning?
- From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
- Date: Tue, 19 Mar 2002 11:05:50 +0100
- Message-id: <96C102324EF9D411A49500306E06C8D1A56E20@xxxxxxxxxxxxxxxxx>
Roland,
> 1) All connections to my server can be redirected through an attacking
> system by using ARP-poisoning techniques
Yes. And arp poisoning isn't your only worry. They could DoS your system,
then steal your MAC address, too. ARP poison countermeasures won't help
against that, only proper authentication of communicating parties will.
> 2) I can try to notice if something happens to the ARP-table but I can not
> prevent things from happening without having a secure switch at Puretec ;-)
And remember that switches aren't security enforcement devices and shouldn't
be expected to be.
> 3) All unencrypted traffic can thus be read by the attacker
<nitpick> Oh, even encrypted traffic can be read by the attacker. He
shouldn't be able to read the plaintext, though. </nitpick>
> 4) Even if I use a VPN to transfer all data between my internal network and
> my server at Puretec (thus being protected), Emails (i.e) will be exchanged
> with other systems on the internet and it is highly improbable that this
> traffic will be encrypted too.
That depends entirely on the other systems and the level of influence you
have on them.
> 5) That way all emails will be readable to an attacker no matter what I do to
> protect them
Plaintext Internet traffic can be read while it's underway and you have no
assurance of the path that traffic will take. Neighbours of your server in
the ISP's rack aren't the only ones capable of capturing 'your' traffic,
though it is relatively easy for them.
Don't forget, though, that what matters is not so much the possibility of
this happening or its probability, but rather the risk you're taking. I.e.
how much of a problem would it be if someone captured your traffic? This
will dictate how much effort you should put into attempts to (perhaps
partially) fix the problem. One easy method to solve the arp poison issue is
to place the server in an environment under your own physical control. That
won't help defend against hackers 0wn1ng the mail exchangers of the people
you send email to, which may well be well-known ISP machines.
Tobias