RE: [suse-security] What to do against ARP-Poisoning?
Roland,
1) All connections to my server can be redirected through an attacking system by using ARP-poisoning techniques
Yes. And arp poisoning isn't your only worry. They could DoS your system, then steal your MAC address, too. ARP poison countermeasures won't help against that, only proper authentication of communicating parties will.
2) I can try to notice if something happens to the ARP-table but I can not prevent things from happening without having a secure switch at Puretec ;-)
And remember that switches aren't security enforcement devices and shouldn't be expected to be.
3) All unencrypted traffic can thus be read by the attacker
<nitpick> Oh, even encrypted traffic can be read by the attacker. He shouldn't be able to read the plaintext, though. </nitpick>
4) Even if I use a VPN to transfer all data between my internal network and my server at Puretec (thus being protected), Emails (i.e) will be exchanged with other systems on the internet and it is highly improbable that this traffic will be encrypted too.
That depends entirely on the other systems and the level of influence you have on them.
5) That way all emails will be readable to an attacker no matter what I do to protect them
Plaintext Internet traffic can be read while it's underway and you have no assurance of the path that traffic will take. Neighbours of your server in the ISP's rack aren't the only ones capable of capturing 'your' traffic, though it is relatively easy for them. Don't forget, though, that what matters is not so much the possibility of this happening or its probability, but rather the risk you're taking. I.e. how much of a problem would it be if someone captured your traffic? This will dictate how much effort you should put into attempts to (perhaps partially) fix the problem. One easy method to solve the arp poison issue is to place the server in an environment under your own physical control. That won't help defend against hackers 0wn1ng the mail exchangers of the people you send email to, which may well be well-known ISP machines. Tobias
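An added example (not code from any poster in this thread) of the ARP-table watching Roland describes in point 2: it parses two constructed snapshots in Linux /proc/net/arp layout, reports an IP whose MAC differs from the baseline, and reports a MAC that now answers for more than one IP. The addresses are constructed test values.

```python
"""Spot ARP-table changes that may indicate ARP poisoning (Linux /proc/net/arp layout)."""
from collections import defaultdict

# Constructed sample snapshots (TEST-NET addresses, made-up MACs), not real hosts.
BASELINE = """IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:11:22:33:44:01     *        eth0
192.0.2.25       0x1         0x2         00:11:22:33:44:25     *        eth0
192.0.2.80       0x1         0x2         00:11:22:33:44:80     *        eth0
"""
CURRENT = """IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
192.0.2.25       0x1         0x2         00:11:22:33:44:25     *        eth0
192.0.2.80       0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} from /proc/net/arp text; the header line is skipped."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2:  # ATF_COM: only complete (resolved) entries
            table[ip] = mac
    return table


def find_anomalies(baseline, current):
    """Compare two snapshots; return a list of (kind, key, detail) alerts."""
    alerts = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            alerts.append(("mac-changed", ip, f"{old} -> {mac}"))
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one station claiming several IPs, e.g. the gateway's
            alerts.append(("mac-shared", mac, ",".join(sorted(ips))))
    return alerts


def check(baseline_text=BASELINE, current_text=CURRENT):
    return find_anomalies(parse_arp_table(baseline_text), parse_arp_table(current_text))


if __name__ == "__main__":
    for kind, key, detail in check():
        print(f"ALERT {kind}: {key} {detail}")
```

In use, the baseline would be a snapshot taken while the table is known good and the current one read from /proc/net/arp on a schedule; as Tobias says, this only notices the change, it does not stop it.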
On Tuesday, 19 March 2002 11:05, Reckhard, Tobias wrote:
Roland,
1) All connections to my server can be redirected through an attacking system by using ARP-poisoning techniques
Yes. And arp poisoning isn't your only worry. They could DoS your system, then steal your MAC address, too. ARP poison countermeasures won't help against that, only proper authentication of communicating parties will.
Oh yes I know - This was just a starting point...
2) I can try to notice if something happens to the ARP-table but I can not prevent things from happening without having a secure switch at Puretec ;-)
And remember that switches aren't security enforcement devices and shouldn't be expected to be.
Pure OSI-Level 2 Switches certainly aren't security enforcement devices but they could improve security a bit by blocking false ARP-Packets
3) All unencrypted traffic can thus be read by the attacker
<nitpick> Oh, even encrypted traffic can be read by the attacker. He shouldn't be able to read the plaintext, though. </nitpick>
And even then there are SSL-Proxies and the like...
4) Even if I use a VPN to transfer all data between my internal network and my server at Puretec (thus being protected), Emails (i.e) will be exchanged with other systems on the internet and it is highly improbable that this traffic will be encrypted too.
That depends entirely on the other systems and the level of influence you have on them.
None, I suppose :-(
5) That way all emails will be readable to an attacker no matter what I do to protect them
Plaintext Internet traffic can be read while it's underway and you have no assurance of the path that traffic will take. Neighbours of your server in the ISP's rack aren't the only ones capable of capturing 'your' traffic, though it is relatively easy for them.
You said it: it's _very_ easy for the neighbours, maybe _too_ easy. At least it costs a little more effort to enter a foreign mailserver than to use your own ;-) And I suppose you didn't take a look at those neighbours yet :-/ Open to everybody and everything including unprotected phpMyAdmin and so on.
Don't forget, though, that what matters is not so much the possibility of this happening or its probability, but rather the risk you're taking. I.e. how much of a problem would it be if someone captured your traffic? This will dictate how much effort you should put into attempts to (perhaps partially) fix the problem. One easy method to solve the arp poison issue is to place the server in an environment under your own physical control. That won't help defend against hackers 0wn1ng the mail exchangers of the people you send email to, which may well be well-known ISP machines.
Yeah, I just evaluated the possibility of using such a rootserver for company purposes since it is _much_ cheaper than the leased line necessary for one's own server. And I have to admit: you get what you pay for - in this case nothing (with respect to security).
Tobias
I'm feeling like fighting Medusa: Each threat I try to cut grows several more threats to show up! It's either frustrating or an interesting challenge - it depends on the angle of view you have... Thank you for your honest input. Roland Hilkenbach
On Tuesday 19 March 2002 12.32, Roland Hilkenbach wrote:
I'm feeling like fighting Medusa: Each threat I try to cut grows several
You mean the hydra :) Medusa was the girl with snakes for hair
more threats to show up! It's either frustrating or an interesting challenge - it depends on the angle of view you have...
If I've understood things correctly (not likely, I admit) IPv6 is designed to counter many of the worries you have. For instance, I understand that IPv6 will have built-in encryption. Does anyone know when IPv6 is scheduled to be fully implemented/rolled out? //Anders
On Tuesday 19 March 2002 11:05 am, you wrote:
1) All connections to my server can be redirected through an attacking system by using ARP-poisoning techniques
Yes. And arp poisoning isn't your only worry. They could DoS your system, then steal your MAC address, too. ARP poison countermeasures won't help against that, only proper authentication of communicating parties will.
2) I can try to notice if something happens to the ARP-table but I can not prevent things from happening without having a secure switch at Puretec ;-)
And remember that switches aren't security enforcement devices and shouldn't be expected to be.
The 3com switches that we have (SuperStack II) certainly have some active security measures. Enabling "Port Security" on a port makes the switch remember the first MAC address it receives and locks that MAC address to that port until overridden by manual intervention. Although unfortunately they cannot perform any kind of ARP poison countermeasures. Andy -- Andy Spiers - internet developer, consultant and sysadmin email: andy@spiers.co.uk - mobile: +34 686 050 318
participants (4)
- Anders Johansson
- Andy Spiers
- Reckhard, Tobias
- Roland Hilkenbach