Security inside an Ethernet LAN

Discussion in 'privacy technology' started by oopsminded, Apr 18, 2006.

Thread Status:
Not open for further replies.
  1. oopsminded

    oopsminded Registered Member

    Joined:
    Apr 18, 2006
    Posts:
    21
    Hello

    I've been visiting sporadically Wilders for a few months now but I spent the last few nights reading for up to 4-5 hours topic after topic in the hope of finding an ideal solution to my problem. I just gave up and I decided to register and to ask you directly for help:

    I'm part of a big, switched Ethernet LAN, with 100+ members. I don't know much about the architecture of this network, but I can tell you that 1. we have DHCP assigned IPs, 2. we all have one external IP and 3. the "internal" IPs are not within the typical LAN ranges, instead they are in the 86.106.x.x form.

    Now, my problem: I do not trust either my LAN members or the LAN administrator. Therefore I am in the search for a software solution(s) that can protect me from potential "hackers" within this network - I am convinced that more than one of the people in my network are using packet sniffers and probably other hobbyist-hacker tools.

    Could you then please recommend a combination of software that would cover these aspects of my security and privacy:

    - firewall protection (is there a type of software firewall recommended for LAN node PCs?) with port scan detection, (automatic) IP banning, good logging, etc
    - detection and/or prevention of packet sniffers
    - privacy from the network administrator, if possible

    I really appreciate any help you could offer me, thanks.
     
  2. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Well, CHX-I found at www.idrci.com (free for home use, don't know if you qualify), has the best logging out there, and you can filter practically anything with it. Should work very well in your situation.

    However, since it is geared towards a power user, any other rulebased firewall will suit your needs, such as any version of Kerio, sygate, look'n'stop, etc.

    Cheers,

    Alphalutra1
     
  3. oopsminded

    oopsminded Registered Member

    Joined:
    Apr 18, 2006
    Posts:
    21
    Well, I qualify, but isn't this sort of a problem? I do know that CHX is not a beginner's firewall and although this can be a problem, I'm pretty sure that with some help I would be able to set it up. But I read on this forum that this firewall, as well as 8Signs (Visnetic) and InJoy are more suited to servers than personal desktop PCs, isn't it?

    I see that you recommend rule-based firewalls. Could you please tell me why this would be more suitable in my situation? For instance, (the) one firewall that I know that protects from IP spoofing, ARP scanning and ARP flood is Outpost which isn't in the same category.
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I would agree here - none of these products can restrict access on a per-application basis so are best deployed on proxy servers or used in conjunction with other software that can control application network access. In addition, CHX-I does not appear to offer any Ethernet/ARP filtering which would be desirable for a user on a large untrusted LAN.
    Look'n'Stop provides ARP filtering (via a plugin) so should be worth reviewing also. However there are a few issues with your situation and requirements list:
    • port scan detection, (automatic) IP banning, good logging
      Outpost handles the first 2 via its Attack Detection plugin which is highly configurable. Its Ethernet filtering options are not as flexible though (e.g. you can't set an "acceptable" level of ARP traffic before the ARP flooding warning kicks in) so may cause problems with your environment - however the key feature (SmartARP) is all that is really needed, the other options just provide an indication of possibly unusual behaviour.
    • detection and/or prevention of packet sniffers
      No firewall offers this - there is specialised software (like AntiSniff) that can detect other network cards running in "promiscuous mode" (necessary for a sniffer to function) but ultimately, any data you send or receive is going to be visible to others on the same LAN cable segment. The only way to counter this is to encrypt your traffic.
    • privacy from the network administrator, if possible
      For legitimate use, the administrator should be your friend not your enemy. If you wish to keep certain activities private, then do them at home where you have more control over the network environment (though your ISP can still monitor what goes on). If you wish assistance in circumventing acceptable use policies set by your administrator, then that is outside the Terms of Service for this forum.
    • the "internal" IPs are not within the typical LAN ranges, instead they are in the 86.106.x.x form
      This is certainly a problem since such a setup will prevent you from accessing any Internet sites hosted in this address range. Internal networks should use a "private" address range like 10.x.x.x or 192.168.x.x as defined in RFC 1918 which should never be used on the Internet itself. It is possible that your company is using a validly assigned address range for its internal network (in which case there should be no problems) but given the current public address shortage, this seems unlikely.
     
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hello Paranoid2000,

    Does the LooknStop ARP plugin only have a customized display of logged ARP packets, or does it allow you to block unrequested ARP replies like SmartARP in Outpost? It's that one feature that stops ARP cache poisoning dead in its tracks, is it not?
    http://www.looknstop.com/En/plugin_loggedevent_use.htm

    I haven't seen this topic discussed on Wilder's much and how to protect against it, so...sorry for all the upcoming questions :)
    Recently, Steve Gibson published an article on ARP cache Poisoning http://www.grc.com/nat/arp.htm. (He also has an informative series of SecurityNow episodes lately: http://www.grc.com/SecurityNow.htm)
    In the article, Gibson mentions 802.1x for authenticating connections, but there is no hardware that supports it now.
    But it seems like all you need is Outpost with the SmartARP on.
    http://dl2.agnitum.com/Ethernet_Attacks_Protection.pdf
    Then the hacker would only be able to alter the ARP table of the router. So now you have two computers on the LAN (the hacker controlled computer and the innocent computer). The hacker tries to alter the ARP table of the router so the MAC address entry for the innocent computer IP points to the Hacker's MAC address. He/She is unable to modify the ARP table of the innocent computer because it is protected by SmartARP.
    But what happens when the innocent computer tries to connect out to the internet? Does the router still think the hacker's computer is the innocent computer? Or is the ARP table in the router corrected by the access from the innocent computer? Or is there just chaos now because there is one IP with two MAC addresses?

    So if you have only the Windows XP SP2 Firewall, you basically have no protection from ARP cache poisoning?
    If you are in a possibly hostile environment as mentioned by the original poster, is there anything one can do until one can download and install Outpost?
    Are there no registry tweaks that can harden the ARP table?

    Are there specific wired router features that could help?

    Would static IPs within the LAN be better than DHCP as you could create more specific rules in the firewall for this purpose?

    Would specifying the Primary and Secondary DNS server IP addresses rather than the gateway's IP help? Perhaps this could prevent intraLAN pharming (like substituting Agnitumspoofed.com for Agnitum.com)?

    Is this just another Windows vulnerability, or are the ARP tables in Linux just as vulnerable?
    How do they deal with this in the Linux World?


    Thank you!
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Devinco,

    Quite a few questions there!

    The first point to make is that ARP-related exploits can only be carried out within a Local Area Network (specifically on another computer on the same Ethernet cable segment) so they should not concern the vast majority of home users who only have one computer connected - even those with multiple computers need not worry assuming that they are all properly secured. The only situation where ARP should be a concern is when you connect via a LAN shared with untrusted computers (e.g. university/college).
    I don't know enough about LnS to comment on its ARP plugin and would suggest you post a question in that forum for more details. For Outpost 3.0 onwards, the "Smart ARP" feature is the important one in that it blocks all ARP responses except those that can be matched to a previous ARP request. This should indeed prevent flooding and make spoofing harder (but not impossible - if the spoofed reply arrives before the real one, it will be accepted as valid).
    SmartARP makes it harder but not impossible to add a false entry to the host computer - it cannot add any means of authentication (this is a problem with ARP generally). Routers may implement a similar feature where only the first ARP response for an IP address is accepted and subsequent ones discarded - however they rarely document this and it can often only be checked by experimentation (i.e. changing your PC's MAC address to see how the router reacts).
    Depends on the router - the most typical answer is that it would ignore subsequent packets from the "innocent" computer until rebooted or its ARP table is flushed.
    AFAIK, Windows' Firewall does not cover this but it is not an Internet threat - i.e. you cannot use ARP poisoning on a system if there is a router in between.
    Most ARP attacks would result in a loss of connection rather than any system compromise and the worst that could happen would be a man-in-the-middle attack (MitM) where a third party could monitor (and modify) all traffic between your system and the outside world. Even with Outpost installed, an ARP attack could still cause a connection loss if the router's ARP table is affected. MitM attacks are best countered by using an encrypted connection using public/private keys (many of the anonymising proxy services discussed elsewhere could fulfil this role).
    Static IPs would make no difference - ARP handles the IP-to-MAC address translation needed to send data across Ethernet networks so is unaffected by IP address assignment. DNS settings would similarly make no difference.
    ARP is implemented in a similar way in Linux with similar issues and solutions.
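The reply above describes how "Smart ARP" works (only replies matching an earlier request are accepted) and where it falls short (a forged reply that arrives before the genuine one is still accepted). The following Python script is an added example for this thread, not code from the forum, from Outpost or from any other product named here; it simulates that stateful filter on constructed ARP frames and additionally logs any change in an already-known IP-to-MAC binding, which is the signal a defender can act on when the race is lost. All addresses in it are constructed sample values.

```python
"""Simulation of a "Smart ARP"-style stateful ARP reply filter.

Added example for this thread; it is not code from the forum, from Outpost
or from any other product named here. It models the behaviour described
above: an ARP reply is accepted only when it answers an outstanding request
from this host, and unsolicited replies are dropped. It also keeps the
IP->MAC binding each accepted reply creates and flags a later change, which
is the clearest signal a defender has that the race was lost. All MAC and
IP addresses below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpFrame:
    op: int            # ARP_REQUEST or ARP_REPLY
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class SmartArpFilter:
    """Stateful ARP reply filter for one host (our_ip is this machine's address)."""

    def __init__(self, our_ip: str) -> None:
        self.our_ip = our_ip
        self.pending: Set[str] = set()      # IPs we asked about and have not resolved yet
        self.cache: Dict[str, str] = {}     # accepted IP -> MAC bindings
        self.alerts: List[str] = []

    def send_request(self, ip: str) -> None:
        """Our own outbound 'who-has ip?' request: a reply for ip is now expected."""
        self.pending.add(ip)

    def receive(self, frame: ArpFrame) -> str:
        """Verdict for one inbound frame: 'accept', 'drop' or 'ignore'."""
        if frame.op != ARP_REPLY or frame.target_ip != self.our_ip:
            return "ignore"                  # requests, and replies to other hosts, never touch the cache
        if frame.sender_ip not in self.pending:
            self.alerts.append(f"unsolicited reply for {frame.sender_ip} from {frame.sender_mac}")
            return "drop"
        previous = self.cache.get(frame.sender_ip)
        if previous is not None and previous != frame.sender_mac:
            # Matched a request, but the binding moved: either the host really changed
            # its NIC or a forged reply won the race described in the post above.
            self.alerts.append(f"binding change {frame.sender_ip}: {previous} -> {frame.sender_mac}")
        self.cache[frame.sender_ip] = frame.sender_mac
        self.pending.discard(frame.sender_ip)   # first matching reply wins; later ones count as unsolicited
        return "accept"


# Constructed sample addresses (the 86.106.x.x range is the one the thread mentions).
OUR_IP, OUR_MAC = "86.106.5.10", "aa:bb:cc:dd:ee:ff"
GATEWAY_IP, GATEWAY_MAC = "86.106.2.1", "00:11:22:33:44:55"
ROGUE_MAC = "de:ad:be:ef:00:01"


def reply(sender_mac: str, sender_ip: str) -> ArpFrame:
    """Build a constructed ARP reply addressed to this host."""
    return ArpFrame(ARP_REPLY, sender_mac, sender_ip, OUR_MAC, OUR_IP)


def run_scenarios() -> Tuple[Dict[str, str], List[str], List[str]]:
    """Replay four constructed situations; return (final cache, verdicts, alerts)."""
    f = SmartArpFilter(OUR_IP)
    verdicts: List[str] = []
    # 1. Unsolicited reply claiming to be the gateway: dropped, alert raised.
    verdicts.append(f.receive(reply(ROGUE_MAC, GATEWAY_IP)))
    # 2. We ask for the gateway and the real gateway answers: accepted.
    f.send_request(GATEWAY_IP)
    verdicts.append(f.receive(reply(GATEWAY_MAC, GATEWAY_IP)))
    # 3. A second reply to the same request arriving late: dropped.
    verdicts.append(f.receive(reply(ROGUE_MAC, GATEWAY_IP)))
    # 4. The cache entry expires, we ask again, and this time the forged reply
    #    arrives first. It is accepted (the limitation the post describes), but
    #    the binding change is logged, and the genuine reply is now dropped.
    f.send_request(GATEWAY_IP)
    verdicts.append(f.receive(reply(ROGUE_MAC, GATEWAY_IP)))
    verdicts.append(f.receive(reply(GATEWAY_MAC, GATEWAY_IP)))
    return f.cache, verdicts, f.alerts


if __name__ == "__main__":
    cache, verdicts, alerts = run_scenarios()
    print("verdicts:", verdicts)
    print("cache:", cache)
    for a in alerts:
        print("ALERT:", a)
```

Running it prints the five verdicts (drop, accept, drop, accept, drop), a cache whose gateway entry ends up pointing at the rogue MAC, and four alerts. The "binding change" alert is the one worth acting on: a filter of this kind cannot authenticate ARP, so the practical defence is to log binding changes for the gateway and treat one as a reason to stop sending anything unencrypted until it is explained.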
     
  7. oopsminded

    oopsminded Registered Member

    Joined:
    Apr 18, 2006
    Posts:
    21
    Thank you Paranoid for the detailed reply.

    I have a few subsequent questions and clarifications.

    1. You say Outpost's "Ethernet filtering options are not as flexible..." but is this the maximum any software firewall can and/or has at the moment?

    2. In regard to AntiSniff (which seems a dead link and an old soft from what I can find with google) and other promiscuous mode detectors: Microsoft has its own tool, Promqry but I wasn't able to install it - although I have .NET Framework 2.0 the installer checks for version 1.1 and fails. The only working Windows XP software that I could find was Promiscan. What I don't understand is why any of these hasn't been implemented in a comprehensive firewall-like application. Just knowing whose network card is in promiscuous mode helps only so much.

    3. Once a man-in-the-middle attack is successful and running, is there any way for me, the victim, to know?

    4. I was asking about "privacy from the administrator" not for a malicious purpose but because I have the feeling that, depending on how the network is setup, the admin can monitor/log all my traffic without resorting to any illegal/suspicious methods that a software on my PC could detect. That's why when I use my Credit Card online I use JAP. Again, I'm curious, are there any security solutions that include a firewall that have this type of local proxy + encryption as part of their plugins/features?

    5. In regard to the type of IPs that we have. Where I live, this type of network is pretty common - they are similar to college/universities LANs/WANs, covering a few square miles of residential buildings. My provider seems to have reserved this IP range 80.96.109.0 - 80.96.109.255 (the result of an IP lookup done on DNS Stuff, inputting my external IP) but inside my LAN they range from 86.106.0.0 to 86.106.255.255 (my gateway for example is 86.106.2.x and my internal IP is 86.106.5.x).
     
    Last edited: Apr 19, 2006
  8. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hello oopsminded,

    I'd break down your problems into two chunks. The easier of the two is to protect your computer from the potential "hackers" assuming that you have administrative control over your box, and you're not part of a domain where an admin can override your settings.

    In this case, select security tools and firewall products that match your experience and learn how to use them. Do this from a rebuilt machine so you are assured you are starting from a clean slate. This will keep out network-based attacks from the non-admins. ( As an aside, if you have trust issues with your admin - my advice would be to get off the network if practical. )

    Secondary to this you have other attacks - for example, someone tricking you into running something which gives them access to your PC. This is harder to defend against from a pure technology perspective - you will need to learn a few things and learn to use the tools at your disposal (they are many and varied and frequently discussed here) until you find a set you are comfortable with.

    Defending against a network admin that you do not trust - there is only one way to do it - encryption - and this is only really possible in the case where you are able to secure your own machine.

    For example, if your admin runs a proxy server and controls the internet gateway then pretty much anything you do online could be viewed or tracked to some degree or another. There's no way around that, but you can limit what he can see by using secured sites, encrypted email or chat products.

    In the real world, this situation is similar to a building where there is only one exit and the admin is a security guard. Unless you put what you don't want him to see in a locked container, he's going to be able to see it as you walk out that door. (Whether or not he's actually interested is another story). The administrator has the "keys" to the ingress and exit point of the network. He can control it. He can see it. Encryption is your friend.

    Taking email as an example - all POP3, SMTP and IMAP traffic is plaintext. If your mailserver is controlled by the admin, then forget it. Unless your messages are encrypted with PGP (which likely means nobody can receive them, as not everyone uses PGP) your admin could view them "at rest" in the mailstore. As a result, this is not a mailserver you should use.

    For more private mail, you should try and locate a webmail provider that will let you connect via SSL - it's probably the easiest way. You could also find one that uses the secure versions of POP and SMTP, but the webmail approach may be easier.

    You should balance the approach you take based on a realistic assessment of the risks. How much effort is someone likely to go to in order to get your data? Really? What is the value of the data? Can you (for example) use another machine on a trusted network for the critical stuff? Do you have evidence that the admin cannot be trusted?

    In theory, if the admin has enough resources, time, and patience they could get you. They are in a position of trust and control and you are using their resources of which they have almost full control.

    There are some tools which can help, but nothing beats being able to trust the guys that manage your network.

    Mike
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you for all the answers!

    Is there a way the "innocent" computer could remotely flush the router's ARP table? Or would the router need to be manually rebooted to flush it?
    Or with programs like Cain and Abel, it would make no difference since it would be repoisoned after being reset?

    Not directly, but a LAN neighbor may have been remotely compromised by RAT or Rootkit which would then be the launching point for the ARP attack.

    Programs like Cain and Abel mention that they can look into SSL and even SSH1 connections. So if the innocent computer (whose ARP table is poisoned because no Smart ARP was used) uses an SSH2 client to connect through the hacker's computer (because it thinks it is the router), will an alert pop up saying that the SSH2 key has changed?

    In the future, I would like to move to Linux.
    Outpost is only available for Windows.
    Is there anything that would provide a similar "Smart ARP" function in Linux?
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    CHX-I does have arp filtering, and also can block unsolicited ARP reply. Also, the user can create rules to filter it ;) . However it can be a bit tricky to set up, but with the filtersets from the website it is not very hard at all. So if the original poster would like to try it out, I would be willing to help (V_C probably would too).

    Devinco, Outpost is also a rule based firewall, but it is coming with more features to make it easier to setup as of late. I just think that a rule based firewall would help you because you can create a rule to explicitly block ip ranges, and certain traffic, which some firewalls such as ZoneAlarm free, won't let you do.

    Also to Devinco, I don't know much at all about linux, however, I think there is a built in firewall in many of the distros. Also, firestarter is a great front end gui to help you set up a firewall in linux without any command line junk, which is nice. Others could probably help you out much more with that.

    Cheers,

    Alphalutra1
     
  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Alphalutra1! :)
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Thanks for the correction - I couldn't find any reference to ARP on their website so did assume that it was not addressed.
    The Linux firewall (iptables) does lack the ability to restrict access by application - the only application I have seen that appears to address this is TuxGuardian.
    Depends on the router's administration facilities - some may offer a web or command-line interface including the option of reviewing/clearing their ARP table.
    This is possible (hence my previous statements about having secured PCs in your LAN) but is not a threat on the scale of direct Internet-based attacks and would only likely happen with a targeted attack (where the attacker is specifically aiming at your system) - 99% of attacks currently are random/opportunistic.
    An interesting utility - thanks for the pointer. It does however work by manipulating certificates (HTTPS)/downgrading security (SSH) so its effect would be visible - as such, an encrypted connection (using a public/private key algorithm) is still an effective counter.
    If public/private key encryption is used, then any attempt at a MitM would be detectable since the attacker would have to inject their own public key. Whether you receive an alert or whether you have to check keys manually depends on the SSH client you use and the options you set. Cain's example used only password (not public key) authentication which is the weakest option available (see OpenBSD ssh Manual page for more details) - MitM would not be detected in this case. In addition, Cain works by trying to switch the protocol used from SSHv2 to SSHv1 - SSH clients can be configured to use SSHv2 only (SSHv1 is known to be weak and is only available for compatibility purposes).
    I can't give a definitive answer since I don't know enough about all the personal firewall products available. However ARP configuration is a specialised area, getting it wrong typically results in total loss of connectivity and it addresses an issue not relevant to most home-based Internet users which should explain why few personal firewalls offer it (and IMHO, Outpost's options here should be disabled by default since there are several cases where they can cause problems). However if you consider MitM to be a real threat, the proper countermeasure is to use SSH (or something similar) to encrypt all your connections.
    Sniffer detection requires active probing of every other system on your network - that is clearly outside the remit of a firewall and such probing could be considered a breach of your network administrator's Acceptable Use Policy.
    Assuming that you are only giving CC details to encrypted (https) connections, then you have no cause for concern. The traffic is encrypted and includes authentication checks to ensure that the site you are connecting to is the right one (as discussed above, any attempt at MitM would result in a browser certificate warning). Adding JAP to the mix provides an extra level of encryption for all your web traffic.
    This feature is also outside the remit of a firewall whose role should be to act as a network filter. That doesn't rule out a company introducing a security suite (firewall + anonymising proxy + ...) but if you check discussions in other threads about commercial proxies, you will find that there are very few good ones and even these offer less anonymity than free systems like Tor/JAP simply due to the fact that your payment has to be linked to your account and usage history.

    As MikeNash has posted, you need to assess your risks before deciding on appropriate measures. If your network admin really wanted to get your credit card details, there are far more effective measures than MitM attacks (software and hardware keyloggers for example) so if you don't feel you can trust them, then don't use their equipment for anything private/confidential.
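The reply above says that with public-key authentication a MitM is detectable because the relay has to present its own host key, and that whether you get an alert or have to compare keys by hand depends on the client. The Python script below is an added example for this thread, not code from the forum or from any SSH client; it performs the known_hosts check a client does on connect, computing the SHA256 fingerprint in the format `ssh-keygen -l` prints, and classifies the presented key as KNOWN, CHANGED (the MitM case) or UNKNOWN (no pin yet, so the fingerprint must be verified out of band). The host names and key blobs in it are constructed, and hashed known_hosts entries are deliberately skipped to keep the parser short.

```python
"""Host-key pinning check of the kind an SSH client performs against known_hosts.

Added example for this thread; it is not code from the forum or from any
SSH client. It parses plain (unhashed) OpenSSH-style known_hosts lines,
computes the SHA256 fingerprint of a presented host key the way
`ssh-keygen -l` prints it, and reports KNOWN, CHANGED (the key differs from
the pinned one, which is what a MitM relay would cause) or UNKNOWN (no pin,
so the fingerprint must be checked out of band). Key blobs are constructed
byte strings, not real public keys.
"""
import base64
import hashlib
from typing import Dict, Tuple

KnownHosts = Dict[Tuple[str, str], bytes]   # (host, key type) -> raw key blob


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> KnownHosts:
    """Parse 'host[,host...] keytype base64blob [comment]' lines.

    Hashed entries (starting with '|1|') and malformed lines are skipped rather
    than trusted; a full client would handle the hashed form as well.
    """
    table: KnownHosts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, blob_b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(blob_b64, validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        for host in hosts.split(","):   # one line may pin several names/addresses
            table[(host, keytype)] = blob
    return table


def check_host_key(known: KnownHosts, host: str, keytype: str,
                   presented: bytes) -> Tuple[str, str]:
    """Return (status, fingerprint) for the key a server just presented."""
    fp = fingerprint_sha256(presented)
    pinned = known.get((host, keytype))
    if pinned is None:
        return "UNKNOWN", fp
    if pinned == presented:
        return "KNOWN", fp
    return "CHANGED", fp     # refuse to continue; compare fp out of band before re-pinning


# Constructed sample data: two made-up key blobs and a known_hosts file pinning the first.
REAL_BLOB = bytes(range(32))
OTHER_BLOB = bytes(range(32, 64))
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample known_hosts\n"
    "proxy.example.net,203.0.113.5 ssh-ed25519 "
    + base64.b64encode(REAL_BLOB).decode("ascii") + " tunnel-endpoint\n"
)


def demo() -> Tuple[str, str, str]:
    """Pinned host with its key, an alias presenting a different key, and an unpinned host."""
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    s_known, _ = check_host_key(known, "proxy.example.net", "ssh-ed25519", REAL_BLOB)
    s_changed, _ = check_host_key(known, "203.0.113.5", "ssh-ed25519", OTHER_BLOB)
    s_unknown, _ = check_host_key(known, "other.example.net", "ssh-ed25519", REAL_BLOB)
    return s_known, s_changed, s_unknown


if __name__ == "__main__":
    print(demo())                                   # ('KNOWN', 'CHANGED', 'UNKNOWN')
    print(fingerprint_sha256(OTHER_BLOB))           # what you would compare by phone or in person
```

The point of the CHANGED branch is that it is the only place a relay between you and the server shows up: the tunnel still works, the login prompt still appears, and only the pinned key differs. Treating that status as a hard stop, rather than accepting the new key, is what turns the client's check into an actual MitM defence; the UNKNOWN branch is the one-time cost of obtaining the fingerprint over a channel the LAN cannot tamper with.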
     
  13. oopsminded

    oopsminded Registered Member

    Joined:
    Apr 18, 2006
    Posts:
    21
    OK, I'm going to start reading the documentation and if I understand 1/2 of it, I'm coming back for help :)

    @Paranoid2000 - could you clarify this for me please: I read that SSH can even be used for generally browsing the web through an encrypted proxy connection, using the SSH server as a proxy. In my case that SSH server should be located outside my LAN, correct? If so, my easiest solution are still JAP/Tor, no?
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Correct - an SSH tunnel to an outside server would provide better performance but would require more work to set up (and would provide less anonymity also). JAP/Tor do use certificates so should be effective against MitM but the only way to be sure is to try this exploit yourself (if you have a couple of PCs to spare).
     
  15. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you. I'll check into the router control panel with this new info.

    I'll keep the basics a priority. If I can also learn new security techniques while creating an ARP attack resistant computer within my LAN, it's a win win situation.

    With this utility acting as the router in a MitM LAN situation, can it create an "IP captive portal" that would substitute the requested IP (from the "innocent" comp.) with the local hacker's computer within the LAN?
    This would cause the "innocent" computer's Primary and Secondary DNS requests to redirect to the bad computer as well as other IP requests.

    What do you do about Windows Automatic Updates? They connect directly without even using a browser. Would you turn off the Automatic Updates, or is there a way to force them to go through the SSH2 Proxy?

    With my SSH proxy service, I can't even use the regular windows update website (or MS update) through the tunnel. It just shows me this message:
    When I connect directly, it works fine. Maybe I should just download the manual updates through the SSH tunnel?

    Learning fast! The SSH Manual was very useful too. I've already improved my SSH client's security by forcing it to use SSH2 only.

    I appreciate all the help!! :)

    FYI: Thanks to helpful member Kush who tried the LnS pluginARP. On the surface, it appears to be an ARP logging and display plugin with no configuration or control options currently.
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If an attacker is able to use ARP/MitM to masquerade as your PC's gateway then they will receive every IP packet sent by your system, whatever the higher-level protocol used (DHCP, DNS, TCP, ICMP, etc).
    Are you using a Mac for your SSH proxy? If so, just use web filtering software to alter its browser User-ID to match that of IE (the same will apply with a Linux proxy also). Another option could be to try WindizUpdate which allows Netscape/Opera browsers to access Windows Updates via a plugin (see Why use WindizUpdate?).
     
  17. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I think I understand now. Grazie!
    I don't know for certain if it's a mac, but it appears that way.
    Windiz looks like a good alternative, will check into it further. There are always the manual updates as well.

    So then it would appear that if you want to further reduce the "ARP exposure" (things that connect outside of an SSH tunnel) within the LAN (taking into account that this is very unlikely and maybe a 1% chance of a directed hacker attack), one could turn off the Automatic Windows Updates that runs every time Windows loads in the background and instead use the Windiz or manual updates. Antivirus like NOD32 can also be made to check for updates through the SSH proxy as well.
     
  18. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Paranoid2000,

    Well I thought I understood until the above statement made me recall two older grc.com articles:
    http://www.grc.com/nat/nat.htm and http://www.grc.com/nat/nats.htm about multi NAT router LAN setups.
    In the articles, Gibson explains how you can chain 2 routers together to create a trusted LAN sub network behind the 2nd router, on which only one trusted computer would be, and a less trusted LAN behind the 1st router.

    And in this Q&A http://www.grc.com/sn/SN-032.htm episode, a listener asked:
    To which Gibson replied:
    So would a second chained router effectively block the ARP reply MitM attack?
    Or is it merely shifting the ARP reply attack to the WAN side of the 2nd router?
    Does this mean that a router has 2 ARP tables? One for the LAN side and one for the WAN side and that both ARP tables can be poisoned?

    Thanks
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The only point of doing this would be if your own LAN had to be shared with untrusted users - obviously better solutions would be not to allow such users on your network in the first place or to ensure that they are properly secured. Those using a router to connect to a college/workplace LAN (with its own router for Internet access) would effectively be doing the same thing. A more convincing argument can be made for segmenting wireless LANs since these cannot be considered as secure but enabling WEP encryption (128-bit or better) is a better step to take.
    It is just breaking your network up into more segments - ARP foolery can be practiced within any segment so, at best, it may limit the scope of such attacks. The key thing is to make sure that PCs in your LAN are secure - routers cannot do this for you on their own.
    "Commercial" routers (or bridges) will usually maintain a separate MAC address list for each port. "Home" routers often do not - it's easy enough to check just by looking at their ARP table (where available), if there is no mention of a per-port/interface list, then you can assume that it is just one list.

    It is worth noting that ARP-based MitM can be used on any Ethernet network - so if your network traffic crosses several on the way to its destination then it could be hijacked at any of these points. In practice though, only your ISP or the ISP of a specific website (e.g. a bank or other financial site) would be feasible targets and only if their networks had a vulnerable PC (or compromised router) at the right point. Of course, there is no way for an end-user to know if this was happening, let alone prevent it, so following the rule about not giving sensitive details to non-secure (e.g. non-HTTPS) websites is the key defence. Unless your traffic is encrypted, you should assume that it is public.
     
  20. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you for removing much of the mystery surrounding this topic! :cool:
     
  21. robfrost495

    robfrost495 Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1
    oops,

    If you're concerned about someone reading your online communications or stored files you can try www.mysecuremessage.com they have free encrypted email service and data file encryption system.

    Hope this helps - rob
     