Solved

How to stop MITM attack in Cisco firewall IDS/IPS

Posted on 2013-06-20
Last Modified: 2016-07-06
Hi all Cisco security experts, I am having some doubts which I want to get cleared. Can a MITM attack be stopped in a firewall or IDS/IPS?
Question by:pawanopensource
12 Comments
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 39264952
Actually I will say the Catalyst switch should already be doing it... not really needing a FW or IPS, but since they come in and stop at L2 they would have this natively, e.g. IPS has L2 detection.

You cannot really "prevent" it unless you are in the chain of traffic, but if there is always end-to-end encryption it makes it tougher even if they are intercepting (they see nothing).

e.g. securing Remote Access (where data is sent through an encrypted tunnel to secure transmission and integrity of data. Both ends authenticate users and ensure secure file transfer and copying.)
e.g. Cisco TrustSec provides switch-port-level encryption based on IEEE 802.1AE (MACsec).

Overall, MitM attacks and the Cisco Catalyst Switch mitigating measures:

• DHCP Snooping: A per-port security mechanism used to differentiate an untrusted switch port connected to an end user from a trusted switch port connected to a Dynamic Host Configuration Protocol (DHCP) server or another switch. It can be enabled on a per-VLAN basis.

• Dynamic ARP Inspection: Used to prevent man-in-the-middle attacks by not relaying invalid or gratuitous Address Resolution Protocol (ARP) replies out to other ports in the same VLAN. Dynamic ARP Inspection intercepts all ARP requests and replies on the untrusted ports. Each intercepted packet is verified for valid IP-to-MAC bindings (which are gathered through DHCP Snooping).

• IP Source Guard: Used to mitigate IP spoofing. IP Source Guard provides per-port IP traffic filtering of the assigned source IP addresses at wire speed. It dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch-port bindings. The binding table is populated either by the DHCP Snooping feature or through static configuration of entries. IP Source Guard is typically deployed for untrusted switch ports in the access layer.

e.g. Cisco Catalyst 6500, 4500, 3750/3560 series

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd8015f0ae.html
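As an added example (not part of btan's post or the linked white paper), this is what the three features above look like when enabled together on one Catalyst access switch in IOS syntax. VLAN 10, the interface names, the static binding and the flash file name are assumptions; the order matters because DAI and IP Source Guard both consume the binding table that DHCP Snooping builds.

```cisco
! Added example: DHCP Snooping, Dynamic ARP Inspection and IP Source Guard
! on a Catalyst access switch. VLAN 10, the interface names and the file
! name are assumptions, not taken from the original post.
!
! 1. DHCP Snooping first: it builds the IP-to-MAC-to-port binding table that
!    DAI and IP Source Guard both check against.
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the bindings across a reload, otherwise every host has to renew
! its lease before DAI/IPSG will let its traffic through again.
ip dhcp snooping database flash:dhcp-snooping.db
!
! 2. Dynamic ARP Inspection: every ARP packet arriving on an untrusted port
!    in VLAN 10 must match a binding, or it is dropped (stops ARP poisoning).
ip arp inspection vlan 10
! Also drop ARP packets whose Ethernet header and ARP payload addresses
! disagree, a common sign of a crafted packet.
ip arp inspection validate src-mac dst-mac ip
!
! 3. Untrusted user-facing port: DHCP server replies from here are dropped,
!    ARP is inspected and rate-limited, and IP Source Guard filters the
!    source IP/MAC of all IP traffic against the binding table.
interface GigabitEthernet1/0/1
 description user access port (untrusted)
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
 ip verify source
!
! 4. Trusted uplink towards the DHCP server / distribution switch: DHCP
!    offers and ARP from this direction are accepted without inspection.
interface GigabitEthernet1/0/48
 description uplink to distribution switch (trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Hosts with static addresses never appear in the snooping table, so they
! need a manual binding or DAI/IPSG will block them (assumed MAC/IP):
ip source binding 0011.2233.4455 vlan 10 192.0.2.10 interface GigabitEthernet1/0/1
!
! Verification from exec mode:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show ip verify source
```

The `ip verify source` form above is the 3750/3560 syntax; on the 6500 and 4500 IP Source Guard is enabled per port with `ip verify source vlan dhcp-snooping` instead. The practical caveat is the static-host case: if DAI drops traffic from a printer or server with a fixed address, the `show ip arp inspection statistics` counters rise and the fix is the `ip source binding` line, not disabling inspection on that port.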

Author Comment

by:pawanopensource
ID: 39264995
Thanks, can you please explain it with the config, and does a firewall have the capability to stop a MITM attack?
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39265128
MITM = Man in the Middle
Firewalls/IDS/IPS will not protect you. If your DNS is subverted then there is nothing you can do about it. Some employers do it, some ISPs do it. Public 'free' WiFi is notorious for this.

Let's say you want google.com.
DNS returns 172.123.123.123; your network connects to 172.123.123.123.
The rogue site at 172.123.123.123 then goes to Google and then sends the data to you, and everything you send to 172.123.123.123 then gets passed on to Google, and so forth.

HTTPS stops this because they cannot spoof the Google certificate and you will get a certificate error, or will not connect via HTTPS, as the certificate will not be assigned to Google and a check of the certificate chain will show this. To be truly secure you should check the certificate and its chain on every HTTPS connection.

That is one reason why banking and other sites use HTTPS.

Author Comment

by:pawanopensource
ID: 39265154
So the conclusion is that a firewall can't stop a MITM attack. To stop a MITM attack we have to check our network manually.
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 125 total points
ID: 39265192
It doesn't even have to exist in your network. Within your network, as stated, the Catalyst managed switches use encryption for all of the traffic from switch to switch and can detect if a rogue switch has been installed. If I really want, I can plug in a network tap and then wait until I can intercept a key transfer sequence; then I can attempt to decrypt the encrypted data.

But at some point you are going to go outside of your network, and if my tap is between your router and the ISP, then by intercepting DNS calls and returning faster than the legitimate DNS provider I can now route all of the traffic through my system. I may have to wait a while for the DNS TTL to expire and a new DNS query to go out.

A firewall prevents unwanted traffic; an IPS/IDS looks for suspicious behaviour, and standard traffic, i.e. HTTP/SMTP, is not suspicious traffic and won't be flagged. Only end-to-end encryption will defeat a MITM attack, or at least make it detectable. The only true method to stop a man-in-the-middle attack is by using quantum cryptography, where any change also changes the source, which then breaks the crypto in that it turns the data into gibberish.
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 125 total points
ID: 39265550
There is only one type of MitM that I can think of that a firewall could be part of (because it can run routing protocols). MitM is all about the attacker injecting themselves between the two nodes that are talking, either listening to or modifying the message along the way. This can happen in two ways:

1) Layer 2 via MAC-to-IP (ARP) cache corruption, which should be handled by switches as noted above and is probably the most common as it's the easiest to do
2) Layer 3 via routing protocol corruption, which is handled by routers/firewalls etc. running routing protocols.

In this case a firewall could be running a dynamic protocol like OSPF, BGP, EIGRP, etc. To defeat this you should use authentication with your routing protocols to make it more difficult for an attacker to inject themselves into the routing path. They can fool your network into forwarding to them and then they relay to the real destination. This happened several years ago with BGP when, I believe it was, Pakistan tried to "block" YouTube traffic by advertising a better route. The entire world's YouTube requests went there after that change.

However, I want to point out, this is not an attack that an IDS/IPS or a firewall (as we traditionally think of it) can prevent. It has to do with router functionality and hardening it, as has already been stated. Firewalls or even IPSes/IDSes can't determine if a MitM attack is taking place; they only inspect the traffic and see if it should be allowed, not determine its repudiation level.
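As an added example, not from Cyclops3590's post, here is the routing-protocol authentication the answer recommends, in IOS syntax for the three protocols it names, plus an inbound prefix filter on the BGP peer, because authentication alone only proves who the neighbour is and does nothing about a correctly authenticated peer advertising a route it should not (the YouTube case above). The process/AS numbers, interface names, neighbour address, prefix and key strings are all placeholders.

```cisco
! Added example: authenticating OSPF, EIGRP and BGP adjacencies so a rogue
! device cannot form a neighbour relationship and inject routes. Process
! IDs, AS numbers, addresses, interface names and keys are placeholders.
!
! OSPF: require MD5 on every interface in area 0. Both ends must carry the
! same key ID and key or the adjacency stays in INIT/never forms.
router ospf 1
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 description link to core router (OSPF area 0)
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
!
! EIGRP: keys live in a key chain; the interface references it per AS.
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-KEY
!
router eigrp 100
 network 10.0.0.0
!
interface GigabitEthernet0/1
 description link to branch router (EIGRP AS 100)
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! BGP: TCP MD5 signature on the session (RFC 2385). The password must match
! on both peers or the TCP session itself is rejected.
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 password REPLACE-WITH-BGP-KEY
 ! Authentication does not stop an authenticated peer announcing prefixes it
 ! does not own: only accept the prefixes this peer is expected to send.
 neighbor 192.0.2.1 prefix-list FROM-PEER in
!
! Prefix lists end with an implicit deny, so anything not listed is dropped.
ip prefix-list FROM-PEER seq 5 permit 198.51.100.0/24
!
! Verification:
!   show ip ospf interface GigabitEthernet0/0   (authentication type shown)
!   show ip ospf neighbor
!   show ip eigrp interfaces detail
!   show ip bgp summary                          (session state Established)
!   show ip bgp neighbors 192.0.2.1 received-routes
```

Roll the keys by adding a second `key` to the key chain with overlapping `accept-lifetime`/`send-lifetime` windows rather than editing key 1 in place, so the adjacency does not drop during the change.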
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 39265619
Yep, agree with the folks. I don't see a FW/IDS/IPS defense that can deter the attack; it can be addressed at the L2 level as earlier mentioned in the postings. Actually MiTM is a wide category; there is also MiTB (Man in the Browser)... but not relevant in a Cisco context...

Check this step by step taking MITM (ARP Poisoning) Attack as example
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603839.html

Another is this STP MiTM
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_605972.html
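For the STP variant btan links to, an added example (not from the post or the linked paper) of the Catalyst configuration that stops a rogue switch from electing itself root and pulling traffic through its ports. Interface names and the recovery interval are assumptions.

```cisco
! Added example: protecting the spanning-tree topology on a Catalyst switch.
! Interface names and timers are assumptions, not from the original post.
!
! Access ports never legitimately send BPDUs. PortFast skips listening/
! learning for end hosts, and BPDU Guard err-disables the port the moment a
! BPDU arrives, which is what a rogue switch or attacker tool sends first.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Optional: bring an err-disabled port back after 5 minutes so a one-off
! event does not need a manual shut/no shut; the BPDU source is logged.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Ports towards other switches that must never see a superior BPDU (the
! real root is behind this switch, not in front of it): Root Guard puts the
! port into root-inconsistent state instead of re-electing the root.
interface GigabitEthernet1/0/47
 description downstream access switch
 switchport mode trunk
 spanning-tree guard root
!
! Verification:
!   show spanning-tree summary            (BPDU Guard / PortFast defaults)
!   show spanning-tree inconsistentports  (ports blocked by Root Guard)
!   show interfaces status err-disabled   (ports hit by BPDU Guard)
```

Root Guard goes only on designated ports facing the part of the tree that should never contain the root; putting it on the uplink towards the real root would block that uplink as soon as the root sends its own BPDU.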

Assisted Solution

by:pawanopensource
pawanopensource earned 0 total points
ID: 39267640
Yep, agree with the folks. I don't see a FW/IDS/IPS defense that can deter the attack; it can be addressed at the L2 level.

Thanks for the answer ----> Firewall or IDS/IPS cannot protect from MITM attack.
LVL 61

Expert Comment

by:btan
ID: 39267659
"Too many ways to skin a cat" - maximize your arsenal set :) Thanks!
LVL 61

Expert Comment

by:btan
ID: 41693246
The conclusion is that FW and IDS do not prevent MitM attacks but may mitigate one if a known attack packet is injected into the traffic and picked up by FW and IDS content inspection. Otherwise, it is back to L2 capability, which not all traditional FWs or IDSes may be capable of.

Proposed the solution for
ID: 39264952
ID: 39265192
ID: 39265550
ID: 39265619