Solved

How to stop MiM attack in cisco firewall ids/ips

Posted on 2013-06-20
188 Views
Last Modified: 2016-07-06
Hi all Cisco security experts, I am having some doubts which I want to get cleared. Can a MIM attack be stopped in a firewall or IDS/IPS?
Question by:pawanopensource
12 Comments
 
LVL 64

Accepted Solution

by:
btan earned 1000 total points
ID: 39264952
Actually I will say the Catalyst switch should already be doing it... not really needing FW or IPS, but since they come in and stop at L2 they would have this natively, e.g. IPS has L2 detection.

You cannot really "prevent" it unless you are in the chain of traffic, but if the traffic is always end-to-end encrypted it makes it tougher even if they are intercepting (they see nothing).

e.g. securing remote access (data is sent through an encrypted tunnel to secure transmission and integrity of data; both ends authenticate users and ensure secure file transfer and copying).
e.g. Cisco TrustSec provides switch-port-level encryption based on IEEE 802.1AE (MACsec).

Overall, MitM attacks and the Cisco Catalyst switch measures that mitigate them:

• DHCP Snooping - A per-port security mechanism used to differentiate an untrusted switch port connected to an end user from a trusted switch port connected to a Dynamic Host Configuration Protocol (DHCP) server or another switch. It can be enabled on a per-VLAN basis.

• Dynamic ARP Inspection - Used to prevent man-in-the-middle attacks by not relaying invalid or gratuitous Address Resolution Protocol (ARP) replies out to other ports in the same VLAN. Dynamic ARP Inspection intercepts all ARP requests and replies on the untrusted ports. Each intercepted packet is verified for valid IP-to-MAC bindings (which are gathered through DHCP Snooping).

• IP Source Guard - Used to mitigate IP spoofing. IP Source Guard provides per-port IP traffic filtering of the assigned source IP addresses at wire speed. It dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch-port bindings. The binding table is populated either by the DHCP Snooping feature or through static configuration of entries. IP Source Guard is typically deployed for untrusted switch ports in the access layer.

e.g. Cisco Catalyst 6500, 4500, 3750/3560 series

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd8015f0ae.html
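The three Catalyst features listed in the accepted answer, written out as an IOS configuration so the asker's "explain it with the config" request has something concrete. This is an added example, not configuration from the answer or from Cisco's white paper; VLAN 10, the interface numbers and the static binding values are assumptions, and BPDU Guard is included for the STP variant of MitM mentioned later in the thread.

```cisco
! Added example (not from the thread). Assumed: users on VLAN 10,
! uplink Gi1/0/1 leads toward the DHCP server, hosts on Gi1/0/2-24.

! --- DHCP Snooping: build the IP-to-MAC binding table from DHCP traffic
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- Dynamic ARP Inspection: drop ARP on untrusted ports that does not match the table
ip arp inspection vlan 10
! also check the Ethernet MAC fields and reject impossible IPs (0.0.0.0, multicast, etc.)
ip arp inspection validate src-mac dst-mac ip
! bring a port back automatically if ARP rate limiting err-disables it
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! --- Trusted side: the uplink toward the DHCP server / distribution switch
interface GigabitEthernet1/0/1
 description Uplink (trusted for DHCP snooping and DAI)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Untrusted side: every user-facing access port
interface range GigabitEthernet1/0/2 - 24
 description User access port (untrusted)
 switchport mode access
 switchport access vlan 10
 ! rate-limit DHCP and ARP so a poisoning tool cannot flood the switch CPU
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: only source IPs present in the binding table may send
 ip verify source
 ! STP hardening: an end-user port must never be allowed to become root bridge
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Host without DHCP (e.g. a printer): static binding, assumed values
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5
!
! --- Verification commands
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip verify source
```

DAI and IP Source Guard only know the bindings DHCP snooping has seen, so hosts that obtained a lease before snooping was enabled (or that use static addresses without an `ip source binding`) will have their ARP and IP traffic dropped until they renew or are added statically.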
 

Author Comment

by:pawanopensource
ID: 39264995
Thanks, can you please explain it with the config, and can a firewall have the capability to stop a MITM attack?
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 39265128
MITM = Man in the Middle
Firewalls/IDS/IPS will not protect you. If your DNS is subverted then there is nothing you can do about it. Some employers do it, some ISPs do it. Public 'free' wifi is notorious for this.

Let's say you want google.com.
DNS returns 172.123.123.123; your network connects to 172.123.123.123.
The rogue site at 172.123.123.123 then goes to Google and then sends the data to you, and everything you send to 172.123.123.123 then gets passed on to Google... and so forth.

HTTPS stops this because they cannot spoof the Google certificate and you will get a certificate error or will not connect via HTTPS, as the certificate will not be assigned to Google and a check of the certificate chain will show this. To be truly secure you should check the certificate and its chain on every HTTPS connection.

That is one reason why banking and other sites use HTTPS.

Author Comment

by:pawanopensource
ID: 39265154
So the conclusion is that a firewall can't stop a MITM attack. To stop a MITM attack we have to check our network manually.
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 500 total points
ID: 39265192
It doesn't even have to exist in your network. Within your network, as stated, the Catalyst managed switches use encryption for all of the traffic from switch to switch and can detect if a rogue switch has been installed. If I really want I can plug in a network tap and then wait until I can intercept a key transfer sequence... then I can attempt to decrypt the encrypted data. But at some point you are going to go outside of your network... and if my tap is between your router and the ISP then by intercepting DNS calls and returning faster than the legitimate DNS provider I can now route all of the traffic through my system. I may have to wait a while for the DNS TTL to expire and a new DNS query to go out... A firewall prevents unwanted traffic... an IPS/IDS looks for suspicious behaviour, and standard traffic, i.e. HTTP/SMTP, is not suspicious traffic and won't be flagged... Only end-to-end encryption will defeat an MITM attack or at least make it detectable. The only true method to stop a man-in-the-middle attack is by using quantum cryptography, where any change also changes the source, which then breaks the crypto in that it turns the data into gibberish.
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 500 total points
ID: 39265550
There is only one type of MitM that I can think of that a firewall could be part of (because it can run routing protocols). MitM is all about the attacker injecting themselves between the two nodes that are talking, either listening to or modifying the message along the way. This can happen in two ways:

1) Layer 2, via MAC-to-IP (ARP) cache corruption, which should be handled by switches as noted above and is probably the most common as it's the easiest to do.
2) Layer 3, via routing protocol corruption, which is handled by routers/firewalls etc. running routing protocols.

In this case a firewall could be running a dynamic protocol like OSPF, BGP, EIGRP, etc. To defeat this you should use authentication with your routing protocols to make it more difficult for an attacker to inject themselves into the routing path. They can fool your network into forwarding to them and then they relay to the real destination. This happened several years ago with BGP when, I believe, Pakistan tried to "block" YouTube traffic by advertising a better route. The entire world's YouTube requests went there after that change.

However, I want to point out that this is not an attack that IDS/IPS or a firewall (how we traditionally think of it) can prevent. It has to do with router functionality and hardening it, as has already been stated. Firewalls or even IPS/IDSes can't determine if a MitM attack is taking place; they only inspect the traffic and see if it should be allowed, not determine its repudiation level.
 
LVL 64

Assisted Solution

by:btan
btan earned 1000 total points
ID: 39265619
Yup, agree with the folks. I don't see FW/IDS/IPS defending against or deterring the attack; it can be addressed at the L2 level as earlier mentioned in the postings. Actually MiTM is a wide category; there is also MiTB (Man in the Browser)... but that is not relevant in the Cisco context...

Check this step by step, taking a MITM (ARP poisoning) attack as the example:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603839.html

Another is this STP MiTM:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_605972.html
 

Assisted Solution

by:pawanopensource
pawanopensource earned 0 total points
ID: 39267640
"Yup, agree with the folks. I don't see FW/IDS/IPS defending against or deterring the attack; it can be addressed at the L2 level"

Thanks for the answer ----> A firewall or IDS/IPS cannot protect from a MITM attack.
 
LVL 64

Expert Comment

by:btan
ID: 39267659
"Too many way to skin a cat" - maximize your arsenal set :) thanks!
 
LVL 64

Expert Comment

by:btan
ID: 41693246
The conclusion is that FW and IDS do not prevent a MitM attack but may mitigate it if a known attack packet is injected into the traffic and picked up by FW and IDS content inspection. Otherwise, it is back to L2 capability, which not all traditional FW or IDS may be capable of detecting.

Proposed the solution for
ID: 39264952
ID: 39265192
ID: 39265550
ID: 39265619