Protecting Against Session Hijacking


Session hijacking is tricky business, and IDS monitoring is only a calculated guess based on assumptions of traffic patterns. The Cisco IDS did a good job of monitoring T-Sight session hijacking, but in several cases alarms were missed and a few attacks went completely unnoticed. For example, if the original client never communicated during the hijacking, or if a client connection was reset before ACK storms occurred, the 3250 signature would never be triggered, and the attack would go through unnoticed. This is not the fault of the IDS; there is simply not enough suspicious traffic to provide reliable detection. Prevention is the only true protection; an IDS, or a superhuman watching Ethereal packet captures scroll by like the Matrix screen saver, is too unreliable to cover all possibilities.
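The detection gap described above can be reproduced with a simplified ACK-storm heuristic. This is an added example, not code from the book and not the logic of Cisco signature 3250; the endpoints, sequence numbers, window, and threshold are constructed for illustration.

```python
from collections import defaultdict, deque

CLIENT, SERVER = ("10.0.0.5", 1025), ("10.0.0.9", 23)   # constructed endpoints

def pkt(ts, src, dst, flags, seq, ack, length=0):
    return {"ts": ts, "src": src, "dst": dst, "flags": flags,
            "seq": seq, "ack": ack, "len": length}

def flow_key(p):
    """Direction-independent key for one TCP connection."""
    return tuple(sorted((p["src"], p["dst"])))

def detect_ack_storms(packets, window=1.0, threshold=10):
    """Return flows where hosts repeat identical bare ACKs >= threshold times in window s."""
    recent = defaultdict(deque)  # flow -> timestamps of repeated bare ACKs
    last = {}                    # (flow, sender) -> (seq, ack) of its previous bare ACK
    alerts = set()
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["flags"] != "A" or p["len"] != 0:
            continue             # only data-less pure ACKs are of interest
        flow = flow_key(p)
        sender = (flow, p["src"])
        if last.get(sender) == (p["seq"], p["ack"]):
            q = recent[flow]
            q.append(p["ts"])
            while p["ts"] - q[0] > window:
                q.popleft()      # drop repeats that fell out of the time window
            if len(q) >= threshold:
                alerts.add(flow)
        last[sender] = (p["seq"], p["ack"])
    return alerts

def storm_sample():
    """Constructed: both ends disagree on sequence numbers and keep re-ACKing."""
    out = []
    for i in range(20):
        out.append(pkt(i * 0.02, CLIENT, SERVER, "A", 1000, 5000))
        out.append(pkt(i * 0.02 + 0.01, SERVER, CLIENT, "A", 5050, 1020))
    return out

def silent_client_sample():
    """Constructed: the real client is silent; the server ACKs advancing data."""
    out = []
    for i in range(20):
        out.append(pkt(i * 0.02, CLIENT, SERVER, "PA", 1000 + 10 * i, 5000, 10))
        out.append(pkt(i * 0.02 + 0.01, SERVER, CLIENT, "A", 5000, 1010 + 10 * i))
    return out

if __name__ == "__main__":
    print("storm:", detect_ack_storms(storm_sample()))
    print("silent client:", detect_ack_storms(silent_client_sample()))
```

The storm sample raises an alert, while the silent-client sample produces none because no ACK is ever repeated, which is the blind spot the paragraph describes.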

Preventing session hijacking is quite difficult because of the nature of TCP and how easy it is to take over Layer 4 communication. However, by implementing encryption or signing protocols, you can effectively increase the difficulty of carrying out a successful hijacking. Table 6-2 shows several solutions that you can use to help prevent hijacking or make it more difficult.

Table 6-2. Preventative Solutions to Session Hijacking

| Issue | Solution | Notes |
| --- | --- | --- |
| Telnet, rlogin | OpenSSH or ssh (Secure Shell) | Use SSH to send encrypted data. If the session is hijacked, the attacker will have difficulty sending the correctly encrypted data. |
| FTP | sFTP | Using secure FTP can help minimize successful hijacking. |
| HTTP | SSL (Secure Socket Layer) | Using SSL can help minimize successful hijacking. |
| IP | IPSec | IPSec is an effective way to prevent hijacking. You should use it on an internal LAN whenever possible. |
| Any remote connection | VPN (encrypted) | Using PPTP, L2TP, or IPSec will always help dramatically and should always be used for remote connections. |
| SMB (Server Message Block) | SMB signing | The Microsoft-based system can enable signing of traffic, which can help minimize successful hijacking and should be turned on whenever possible. |
| Hub networks | Use switches | This provides only mild protection because attackers can employ ARP spoofing. Therefore, you should use port security in addition to switches, which maps your ports to specific MAC addresses and mitigates the risk of ARP spoofing. |


Even after implementing all the precautions in Table 6-2, a best practice is to limit remote access and the number of connections to your servers or clients whenever possible. Go by the rule of thumb, "If you don't think you need it, turn it off until someone screams." Basically, if you are locking down a system or firewall, open only what you specifically need, and permit it only from specific hosts. Do not allow all traffic from just any host. That does not prevent hijacking, but it lowers the likelihood.

Note

IPSec encryption has been around for quite some time, and Microsoft Windows 2000 and later fully support IPSec connections, which limits most hijacking attempts. However, people who are new to IPSec usually feel that its implementation is too cumbersome or difficult to roll out to all clients, thus leaving their underlying networks completely insecure, and a dream for hackers.




    Penetration Testing and Network Defense
    ISBN: 1587052083
    EAN: 2147483647
    Year: 2005
    Pages: 209
