[unisog] Preventing Dsniff/Arpspoofing

Gary Flynn flynngn at jmu.edu
Fri Jun 14 13:29:17 GMT 2002

> -----Original Message-----
> From: Mark Brochu [mailto:mbrochu at mail.hartford.edu] 
> Any random thoughts :)

Heh. Those I have plenty of :)

1) I put up an experimental stunnel box with mixed results. It
   was primarily for email sessions. I tunneled IMAP, SMTP,
   IMSP, and NNTP. Results were mixed.

   a) Netscape 4.x and 6.x clients worked fine for all protocols.
   b) Outlook 2000 and Outlook Express had problems with SMTP and
      sending email. (If this gets through, Outlook XP may have
      resolved the problems. I just got a new computer and I'm
      still using Outlook. :)
   c) My limited testing with Mulberry seemed to work.

   We're going to get a new email server with native SSL support
   so I didn't pursue the tunnel approach.

2) There is a program, I think its called arpwatch, that will monitor
   arp traffic and alert you on storms and other activity which may
   indicate attempted use of arp poisoning tools. I suspect you'd have
   to have it on every segment for it to be useful though which limits
   its practicalities. Similar functionality may be provided through
   monitoring of router and switch arp and MAC tables through SNMP and
   be more scalable.

3) Hard coding of ARP tables in routers and critical hosts and allowed 
   MAC addresses in switches where it is maintainable for sensitive 
   areas may be another possibility.

4) VPN protection for critical apps may be a possibility too if the
   will only talk to servers with certain certificates.

I'm not familiar with Banner as we use PeopleSoft. Depending upon the
particular applications in use, PS sessions are protected by:

1) Oracle encryption
2) Tuxedo encryption
3) SSL web sessions

I'm surprised Banner doesn't have something similar.

If you get static about your push to encrypt applications, load
up ettercap on a segment and show people the passwords flying by.

We had a box compromised and a similar tool was installed. The log
files we found on that box convinced a lot of people of the necessity
of encryption and the lack of protection provided by switched networks.

You also need to include a blurb about not ignoring SSH and Web 
certificate warnings in your security awareness program. Ettercap,
for one, will hijack SSH and web sessions although the client will
display a certificate or key mismatch message when the attempt
is made.

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.

More information about the unisog mailing list