How to stop MiM attack in cisco firewall ids/ips

Hi all Cisco security experts, I am having some doubts which I want to get cleared. Can a MIM attack be stopped in a firewall or IDS/IPS?
btan (Exec Consultant) commented:
Actually I will say the Catalyst switch should already be doing it... not really needing a FW or IPS, but since they come in and stop at L2 they would have this natively, e.g. the IPS has L2 detection.

You cannot really "prevent" it unless you are in the chain of traffic, but if there is always end-to-end encryption it makes it tougher even if they are intercepting (they see nothing).

e.g. securing Remote Access (where data is sent through an encrypted tunnel to secure transmission and integrity of data. Both ends authenticate users and ensure secure file transfer and copying.)
e.g. Cisco TrustSec provides switch-port-level encryption based on IEEE 802.1AE (MACsec).

Overall, MitM attacks and the Cisco Catalyst switch measures that mitigate them:

• DHCP Snooping - A per-port security mechanism used to differentiate an untrusted switch port connected to an end user from a trusted switch port connected to a Dynamic Host Configuration Protocol (DHCP) server or another switch. It can be enabled on a per-VLAN basis.

• Dynamic ARP Inspection - Used to prevent man-in-the-middle attacks by not relaying invalid or gratuitous Address Resolution Protocol (ARP) replies out to other ports in the same VLAN. Dynamic ARP Inspection intercepts all ARP requests and replies on the untrusted ports. Each intercepted packet is verified for valid IP-to-MAC bindings (which are gathered through DHCP Snooping).

• IP Source Guard - Used to mitigate IP spoofing. IP Source Guard provides per-port IP traffic filtering of the assigned source IP addresses at wire speed. It dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch-port bindings. The binding table is populated either by the DHCP Snooping feature or through static configuration of entries. IP Source Guard is typically deployed for untrusted switch ports in the access layer.

e.g. Cisco Catalyst 6500, 4500, 3750/3560 series
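The three Catalyst features listed above as one access-switch configuration. This is an added example, not config from the post or from Cisco documentation; the VLAN number, interface names, and the DHCP rate limit are assumptions.

```cisco
! Constructed example: Catalyst IOS access switch, user VLAN 10,
! uplink Gi1/0/1 toward the distribution switch and DHCP server.
!
! Step 1: DHCP Snooping builds the IP-to-MAC-to-port binding table
! that the next two features rely on.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The uplink is the only port allowed to send DHCP server replies
! and the only port whose ARP is not inspected.
interface GigabitEthernet1/0/1
 description Uplink to distribution / DHCP server (trusted)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Step 2: Dynamic ARP Inspection checks every ARP packet on untrusted
! ports against the snooping table and drops spoofed replies.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Step 3: IP Source Guard filters the source IP of user traffic against
! the same table. The rate limit protects the switch CPU from a
! DHCP flood on an untrusted port.
interface range GigabitEthernet1/0/2 - 24
 description User access ports (untrusted)
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip verify source
!
! Checks: the binding table must contain every live host, DAI must
! show "forwarded" rather than "dropped" counters for normal traffic.
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip verify source
```

Hosts with static addresses never appear in the snooping table, so they need a matching `ip source binding <mac> vlan 10 <ip> interface <port>` entry or DAI and IP Source Guard will drop their traffic.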
pawanopensource (Author) commented:
Thanks, can you please explain it with the config, and does a firewall have the capability to stop a MITM attack?
David Johnson, CD, MVP (Owner) commented:
MITM = Man in the Middle
Firewalls/IDS/IPS will not protect you. If your DNS is subverted then there is nothing you can do about it. Some employers do it, some ISPs do it. Public 'free' wifi is notorious for this.

Let's say you want
DNS returns, your network connects to
the rogue site at, which then goes to Google and then sends the data to you, and everything you send to then gets passed on to Google, and so forth.

HTTPS stops this because they cannot spoof the Google certificate: you will get a certificate error or will not connect via HTTPS, as the certificate will not be assigned to Google and a check of the certificate chain will show this. To be truly secure you should check the certificate and its chain on every HTTPS connection.

That is one reason why banking and other sites use HTTPS.
pawanopensource (Author) commented:
So the conclusion is that a firewall can't stop a MITM attack. To stop a MITM attack we have to check our network manually.
David Johnson, CD, MVP (Owner) commented:
It doesn't even have to exist in your network. Within your network, as stated, the Catalyst managed switches use encryption for all of the traffic from switch to switch and can detect if a rogue switch has been installed. If I really want, I can plug in a network tap and then wait until I can intercept a key transfer sequence; then I can attempt to decrypt the encrypted data. But at some point you are going to go outside of your network, and if my tap is between your router and the ISP then by intercepting DNS calls and returning faster than the legitimate DNS provider I can now route all of the traffic through my system. I may have to wait a while for the DNS TTL to expire and a new DNS query to go out. A firewall prevents unwanted traffic; an IPS/IDS looks for suspicious behaviour, and standard traffic, i.e. HTTP/SMTP, is not suspicious traffic and won't be flagged. Only end-to-end encryption will defeat a MITM attack, or at least make it detectable. The only true method to stop a man-in-the-middle attack is by using quantum cryptography, where any change also changes the source, which then breaks the crypto in that it turns the data into gibberish.
Cyclops3590 commented:
There is only one type of MitM that I can think of that a firewall could be part of (because it can run routing protocols). MitM is all about the attacker injecting themselves between the two nodes that are talking, either listening to or modifying the messages along the way. This can happen in two ways:

1) Layer 2, via MAC-to-IP (ARP) cache corruption, which should be handled by switches as noted above and is probably the most common as it is the easiest to do.
2) Layer 3, via routing protocol corruption, which is handled by routers/firewalls etc. running routing protocols.

In this case a firewall could be running a dynamic protocol like OSPF, BGP, EIGRP, etc. To defeat this you should use authentication with your routing protocols to make it more difficult for an attacker to inject themselves into the routing path. They can fool your network into forwarding to them and then they relay to the real destination. This happened several years ago with BGP when, I believe, Pakistan tried to "block" YouTube traffic by advertising a better route. The entire world's YouTube requests went there after that change.

However, I want to point out that this is not an attack that IDS/IPS or a firewall (as we traditionally think of it) can prevent. It has to do with router functionality and hardening it, as has already been stated. Firewalls or even IPS/IDSes can't determine if a MitM attack is taking place; they only inspect the traffic and see if it should be allowed, not determine its repudiation level.
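The routing-protocol hardening described above (authenticating OSPF and BGP neighbors, plus refusing to learn your own prefix from an upstream, which is what the YouTube-style hijack exploits) as an added example in IOS-style syntax. It is not from the post or from Cisco documentation; addresses, process and AS numbers, the 203.0.113.0/24 prefix and the key strings are placeholders, and ASA syntax differs in places.

```cisco
! Constructed example: firewall/router running OSPF internally and
! eBGP toward an upstream. Keys are placeholders to be replaced.
!
! --- OSPF: MD5 neighbor authentication on the transit link ---
interface GigabitEthernet0/1
 description Transit link to core router
 ip address 10.0.12.1 255.255.255.252
 ip ospf message-digest-key 1 md5 REPLACE-WITH-STRONG-KEY
!
router ospf 1
 area 0 authentication message-digest
 network 10.0.12.0 0.0.0.3 area 0
 ! No adjacencies on user-facing ports: an attacker plugged into an
 ! access segment cannot become an OSPF neighbor at all.
 passive-interface default
 no passive-interface GigabitEthernet0/1
!
! --- BGP: TCP MD5 signature plus inbound prefix filtering ---
! Reject any announcement of our own 203.0.113.0/24 (or a more
! specific) from the upstream, and cap how specific learned routes
! may be. A rogue "better route" for our prefix is dropped on ingress.
ip prefix-list FROM-UPSTREAM seq 5 deny 203.0.113.0/24 le 32
ip prefix-list FROM-UPSTREAM seq 10 permit 0.0.0.0/0 le 24
!
router bgp 65001
 neighbor 198.51.100.1 remote-as 65002
 neighbor 198.51.100.1 password REPLACE-WITH-STRONG-KEY
 neighbor 198.51.100.1 prefix-list FROM-UPSTREAM in
!
! Checks: OSPF shows "Message digest authentication enabled" on the
! interface and the neighbor reaches FULL; the BGP session reaches
! Established only when both ends share the key.
show ip ospf interface GigabitEthernet0/1
show ip ospf neighbor
show ip bgp summary
```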
btan (Exec Consultant) commented:
Yap, agree with the folks. I don't see a FW/IDS/IPS defense that deters the attack; it can be addressed at the L2 level as mentioned earlier in the postings. Actually MiTM is a wide category; there is also MiTB (Man in the Browser)... but not relevant in the Cisco context...

Check this step-by-step, taking the MITM (ARP Poisoning) attack as an example.

Another is this STP MiTM.
pawanopensource (Author) commented:
"Yap, agree with the folks. I don't see a FW/IDS/IPS defense that deters the attack; it can be addressed at the L2 level."

Thanks for the answer ----> A firewall or IDS/IPS cannot protect from a MITM attack.
btan (Exec Consultant) commented:
"Too many ways to skin a cat" - maximize your arsenal :) thanks!
btan (Exec Consultant) commented:
The conclusion is that a FW and IDS do not prevent a MitM attack, but may mitigate it if a known attack packet is injected into the traffic and picked up by FW and IDS content inspection. Otherwise, it is back to L2 capability, which not all traditional FWs or IDSes may be capable of detecting.
