[unisog] Preventing Dsniff/Arpspoofing
flynngn at jmu.edu
Fri Jun 14 13:29:17 GMT 2002
> -----Original Message-----
> From: Mark Brochu [mailto:mbrochu at mail.hartford.edu]
> Any random thoughts :)
Heh. Those I have plenty of :)
1) I put up an experimental stunnel box with mixed results. It
was primarily for email sessions. I tunneled IMAP, SMTP,
IMSP, and NNTP. Results were mixed.
a) Netscape 4.x and 6.x clients worked fine for all protocols.
b) Outlook 2000 and Outlook Express had problems with SMTP and
sending email. (If this gets through, Outlook XP may have
resolved the problems. I just got a new computer and I'm
still using Outlook. :)
c) My limited testing with Mulberry seemed to work.
We're going to get a new email server with native SSL support
so I didn't pursue the tunnel approach.
2) There is a program, I think it's called arpwatch, that will monitor
arp traffic and alert you on storms and other activity which may
indicate attempted use of arp poisoning tools. I suspect you'd have
to have it on every segment for it to be useful, though, which limits
its practicality. Similar functionality may be provided through
monitoring of router and switch arp and MAC tables through SNMP and
be more scalable.
3) Hard coding of ARP tables in routers and critical hosts and allowed
MAC addresses in switches where it is maintainable for sensitive
areas may be another possibility.
4) VPN protection for critical apps may be a possibility too if the
will only talk to servers with certain certificates.
I'm not familiar with Banner as we use PeopleSoft. Depending upon the
particular applications in use, PS sessions are protected by:
1) Oracle encryption
2) Tuxedo encryption
3) SSL web sessions
I'm surprised Banner doesn't have something similar.
If you get static about your push to encrypt applications, load
up ettercap on a segment and show people the passwords flying by.
We had a box compromised and a similar tool was installed. The log
files we found on that box convinced a lot of people of the necessity
of encryption and the lack of protection provided by switched networks.
You also need to include a blurb about not ignoring SSH and Web
certificate warnings in your security awareness program. Ettercap,
for one, will hijack SSH and web sessions although the client will
display a certificate or key mismatch message when the attempt
Security Engineer - Technical Services
James Madison University
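To make point 2 concrete, here is an added example (not code from the original post, and not arpwatch's own source) of the kind of check an arpwatch-style monitor performs: it keeps an IP-to-MAC table per segment and raises alerts when a known IP starts answering from a different MAC ("changed ethernet address"), when it flips back to a previously seen MAC ("flip flop"), or when one MAC emits a burst of replies inside a short window ("reply storm"). The ARP reply records, the hosts, the MAC addresses and the thresholds are all constructed for the example; a real deployment would feed it captured ARP traffic from the segment it sits on, and as the post notes, it only sees the broadcast domain it is attached to.

```python
"""Minimal arpwatch-style ARP anomaly detector (added example, constructed data)."""
from collections import Counter, defaultdict, deque

# Constructed sample of ARP replies on one segment as (seconds, sender IP, sender MAC).
# 10.0.0.1 is the gateway; the MAC ending in :99 is a second station that starts
# answering for the gateway's IP part-way through (constructed scenario, not real traffic).
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),
    (30.0, "10.0.0.1", "00:11:22:33:44:01"),  # gateway re-announces itself: no alert
    (60.0, "10.0.0.1", "00:11:22:33:44:99"),  # a different MAC now answers for the gateway
    (61.0, "10.0.0.1", "00:11:22:33:44:01"),  # real gateway answers again: flip flop
    (62.0, "10.0.0.1", "00:11:22:33:44:99"),
    (62.1, "10.0.0.1", "00:11:22:33:44:99"),
    (62.2, "10.0.0.1", "00:11:22:33:44:99"),
    (62.3, "10.0.0.1", "00:11:22:33:44:99"),  # four replies from :99 within one second
]


class ArpWatch:
    """Tracks IP->MAC bindings for one segment and flags suspicious changes."""

    def __init__(self, storm_threshold=4, storm_window=1.0):
        # Thresholds are assumptions chosen for the example, not arpwatch defaults.
        self.storm_threshold = storm_threshold
        self.storm_window = storm_window
        self.known = {}                      # ip -> MAC currently answering for it
        self.history = defaultdict(set)      # ip -> every MAC ever seen for it
        self.recent = defaultdict(deque)     # mac -> timestamps of recent replies

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return a list of (kind, ip, mac) alerts it triggers."""
        alerts = []
        prev = self.known.get(ip)
        if prev is None:
            alerts.append(("new station", ip, mac))
        elif prev != mac:
            # Returning to a MAC seen before is a flip flop; a never-seen MAC is a change.
            kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
            alerts.append((kind, ip, mac))
        self.known[ip] = mac
        self.history[ip].add(mac)

        # Reply storm: too many replies from one MAC inside the sliding window.
        window = self.recent[mac]
        window.append(ts)
        while window and ts - window[0] > self.storm_window:
            window.popleft()
        if len(window) >= self.storm_threshold:
            alerts.append(("reply storm", ip, mac))
            window.clear()  # report once per burst, then start counting again
        return alerts


def run(records, **kwargs):
    """Feed time-ordered (ts, ip, mac) records through a watcher; return all alerts."""
    watcher = ArpWatch(**kwargs)
    alerts = []
    for ts, ip, mac in sorted(records):
        alerts.extend(watcher.observe(ts, ip, mac))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the way an operator would read a daily report."""
    return Counter(kind for kind, _ip, _mac in alerts)


if __name__ == "__main__":
    for kind, ip, mac in run(SAMPLE_ARP_REPLIES):
        print(f"{kind:25s} {ip:12s} {mac}")
    print(dict(summarize(run(SAMPLE_ARP_REPLIES))))
```

On the constructed data the watcher reports the two stations it learns, one "changed ethernet address" when the :99 MAC first claims the gateway IP, two "flip flop" alerts as the two MACs alternate, and one "reply storm" for the burst. A benign re-announcement from the same MAC produces nothing, which is the property that keeps such a monitor usable on a busy segment; the same logic could be driven from switch or router ARP tables polled over SNMP, as the post suggests, by treating each polled (ip, mac) pair as an observation.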