my network topology

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by soparanoid, Sep 4, 2008.

  1. soparanoid

    soparanoid Addicted to LI Member

    Here is my network.

    My question is this: is it possible to perform a "man in the middle" attack between the WAN interface and the external server?

    please, advise

  2. ifican

    ifican Network Guru Member

    Anytime a packet leaves your network unprotected it is always possible to intercept.
  3. soparanoid

    soparanoid Addicted to LI Member

    This is bad news.
  4. soparanoid

    soparanoid Addicted to LI Member

    New question is this: what measures does one take to protect the packets leaving a network?
  5. soparanoid

    soparanoid Addicted to LI Member

    this is happening to me and i do not like it. i am trying to stop this invasion/interception. all help is appreciated.
  6. robertcarmel

    robertcarmel Addicted to LI Member

    You need to look into a firewall that will do Packet sequencing. This is something that Cisco ASA's do. Some of the Linksys's are capable of SPI (Stateful Packet Inspection) but I am not totally sure that it sequences the packets as they leave your network (Outside Interface).

    Hope that helps you!
  7. ifican

    ifican Network Guru Member

    The ASA does not completely protect you from man in the middle attacks. The only way that you can 100% protect your data is to send and receive all traffic over an encrypted connection (anything stronger than 3des will do). Outside of that it is always possible, however not very likely. You are at a much greater risk of having information stolen from online vendors than you are of having a man in the middle attack take place.

    What makes you believe you even need to be concerned with this?
  8. soparanoid

    soparanoid Addicted to LI Member

    You have been a tremendous help.
  9. soparanoid

    soparanoid Addicted to LI Member

    the 3000 dollar ASA 5510 supports Stateful Packet Inspection (SPI) with 3DES • AES encryption over vpn.. will this 100% protect the data passing thru my cable modem? i have my doubts... unfortunately i've mixed up with a resourceful crowd who know their programming and networking ****. the problem with encryption is the man in the middle intercepts the key. how does one establish an encrypted connection to online services (such as a bank) that may not support vpn?
  10. soparanoid

    soparanoid Addicted to LI Member

    from what i've read, SSL shares a public key but the keys are verified and passed-on by a trusted 3rd party, so a MITM attack is not effective at obtaining passwords or usable data that is sent over SSL.

    also hard-wiring the MAC address of your router's next hop should prevent the man in the middle from attacking from that point of the connection -- i'm not sure what else can be done.
  11. robertcarmel

    robertcarmel Addicted to LI Member

    In regards to the ASA how can the packet sequencing info be spoofed from outside the interface if that information is stripped and changed on the inside of the Firewall ? Authentication and Encryption are all part of keeping your data YOURS !!! ;)

  12. soparanoid

    soparanoid Addicted to LI Member

    is there a way to positively identify that a man in the middle attack is taking place on your router interfaces?

    what clues are found when sniffing the line during the attack?


    are there any clues or ways to prove your data is being stolen out side of your private network?

    is it safe to assume that most core routers between two internet hosts are NOT susceptible to MAC address spoofing?

    does this mean we need only be concerned with A) the internal LAN and B) the WAN interface that connects to the service providers equipment?

    once your network traffic reaches the provider's equipment i would like to believe that the data will pass thru these servers away from the reach of 99% of "hackers".

    this would mean that hard wiring your gateway MAC address would in theory eliminate an MITM attack from your side of the host-host connection.

    the problem with defending yourself against experienced middle-aged "hacker" types is that their attacks will be unknown to 99% of the "average" network person. it is hard to seek help in this area when the only people who know how to prevent an attack are the people doing the attacking.
  13. ifican

    ifican Network Guru Member

    This has actually turned into a great discussion. Other than an end to end encrypted connection you can only truly protect yourself on your network. Once the data leaves your network you have no control over it. You rely on your ISP to do their job and protect your data streams, and you rely on the servers on the far side to protect your data stream. The only place you really need to be concerned with MITM attacks is when you are accessing or sharing financial data, i.e. bank account info, credit card purchases etc. As long as you keep your machines patched and take active measures to protect your host, also as stated, maintaining a SPI firewall, you have done your part as most of your web surfing is meaningless web data. Do your due diligence when needed and you will be fine.
  14. robertcarmel

    robertcarmel Addicted to LI Member

    You can pick up an ASA 5505 for about $350.00 if you look around.

    Also you can do MAC Filtering, and Radius Authentication, and limit your DHCP pool to only the amount of IP addresses needed. The Radius will GREATLY help make a MITM attack hard enough to possibly discourage the attacker to go elsewhere.

  15. ifican

    ifican Network Guru Member

    This is great advice for things on your network but has nothing to do with what happens when the data leaves your network.
  16. HennieM

    HennieM Network Guru Member

    I dunno how you can detect a MITM attack. However, for MITM to succeed, an attacker needs to get in between VPN endpoint A and B, impersonate B when talking to A, and impersonate A when talking to B. To prevent it, I do this:

    1) Set up both ends of your VPN on your own private LAN, with direct access to the machines. Don't go sending certificates and the likes over e-mail or other means.

    2) Use your own CA, and generate the endpoint certificates via that CA (still on your own LAN). If possible, include something unique, like the MAC address of the LAN interface of the respective machines in the certificates; i.e. certificate A for machine A. Certificate B, even though near-identical to certificate A, will contain a special string somewhere that makes it unique.

    3) Install the CA certificate and the respective client certificates directly onto the endpoint machines. Use private keys protected by passwords of sufficient length.

    4) This is the most important part: Make machine A connect only to a machine with certificate B, and vice versa.

    5) An SSL encrypted VPN goes without saying....

    The above can be accomplished by OpenVPN. I don't know if the VPNs on RVs and the likes run OpenVPN, or perhaps another VPN where the above is possible.

    Edit: Forgot to mention: Protect the respective endpoint machines, so certificates, etc. cannot be stolen from the machines...
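    One way to implement step 4 of the procedure above (machine A accepts only the peer holding certificate B) in OpenVPN, as an added example rather than HennieM's own configuration: OpenVPN's `tls-verify` hook runs a script with the certificate depth and the peer's X.509 subject, and a non-zero exit rejects the handshake. The script path, the expected subject string, and the subject formatting are constructed assumptions (the exact subject format depends on the OpenVPN version); OpenVPN's built-in `verify-x509-name` option achieves the same pinning without a script.

```shell
#!/bin/sh
# Added example: an OpenVPN "tls-verify" hook for step 4 above.
# OpenVPN invokes:  <script> <depth> <x509_subject>
# and treats exit status 0 as "accept", non-zero as "reject".
# Assumed config line on machine A (hypothetical path):
#   tls-verify /etc/openvpn/check-peer.sh
# Built-in equivalent (no script needed):
#   verify-x509-name "vpn-endpoint-B" name
#
# EXPECTED_PEER is the unique string written into certificate B's
# subject by the private CA (constructed value; the OU field here
# carries the LAN MAC address, as suggested in the post above).
EXPECTED_PEER="${EXPECTED_PEER:-CN=vpn-endpoint-B,OU=mac-001122334455}"

# check_peer DEPTH SUBJECT
# Returns 0 when the certificate at this depth is acceptable.
# Depth 0 is the peer's own (leaf) certificate: its subject must
# match EXPECTED_PEER exactly. Higher depths are CA certificates
# that OpenVPN has already validated against the pinned CA.
check_peer() {
    depth="$1"
    subject="$2"
    if [ "$depth" -ne 0 ] 2>/dev/null; then
        return 0
    fi
    if [ "$subject" = "$EXPECTED_PEER" ]; then
        return 0
    fi
    # Reject: a certificate signed by the same private CA but with
    # a different identity (e.g. certificate A presented back to
    # machine A by an impersonator) is not enough to connect.
    echo "tls-verify: rejecting peer with subject '$subject'" >&2
    return 1
}

# Act as the hook only when OpenVPN calls us with two arguments,
# so the function can also be sourced and exercised on its own.
if [ "$#" -eq 2 ]; then
    check_peer "$1" "$2"
    exit $?
fi
```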
  17. soparanoid

    soparanoid Addicted to LI Member

    lots of great help, thanks.

    some good links here:




    the first link, the pdf, really clarifies many details, i recommend.

    google's shopping site has ASA's in the 3-5 hundred dollar range, i saw later

    incidentally, when browsing a new computer/networking shop in my area, the owner gave me the number of an individual who deals in cisco routers and i may get an even better deal.
  18. HennieM

    HennieM Network Guru Member

    @soparanoid: It seems not all ASAs can do everything, so check.
    Just to be clear on the phrase "100% protected": Nothing is ever 100% protected; the trick is to make breaking your system/encryption so difficult that it would take an attacker long enough to crack it so he/she gets disinterested.

    @robertcarmel: What's this "packet sequencing" in ASAs? I can find nothing about that. All TCP traffic is sequenced - is this perhaps what you are referring to? If so, that is not unique to Cisco stuff, it's part of the TCP protocol suite, so it's present in all TCP traffic.
    Or perhaps the sequencing in some of the IPSec protocols (as used in an IPSec VPN)? If so, once again, this is part of the IPSec protocol suite, and not a Cisco or ASA thing.

    Could you clarify perhaps?
  19. robertcarmel

    robertcarmel Addicted to LI Member

    I had rewritten some of this post. The first sentence that I accidentally deleted should have said that within your network these are things that can help secure your data. Thank you for pointing that out. ;)
  20. robertcarmel

    robertcarmel Addicted to LI Member

    I was not saying that it was Cisco proprietary, I was just using a name of the equipment that I am familiar with. Sorry for the ambiguity. :(
  21. robertcarmel

    robertcarmel Addicted to LI Member

    There is a WORLD of difference between a Cisco Router, and a Cisco ASA, just make sure you know what you are getting.... ;)

    Good luck,

  22. HennieM

    HennieM Network Guru Member

    Oh OK. I thought the sequencing was perhaps some new thing Cisco had in the ASAs. No damage ;-)