Lots of other vendor products can thwart network hijacking, especially
those products that support IP-level encryption. These products include
COTS "all-in-one" firewall products that support IP-level encryption or
router devices that support IP-level encryption. Hence, you are leaving
out a lot of vendor products.
Note that network hijacking can be prevented between two nodes that employ
IP-level encryption. The tunnel (Virtual Private Network) between the two
nodes is protected (for node-to-node communications). An attacker cannot
hijack a connection that is flowing between these two nodes (unless they
break the encryption mechanism). They may be able to spoof a packet, but
the decryption process will fail on the packet, and the packet will be dropped.
With some products, integrity checking (e.g., MD5) can be employed along
with IP-level encryption. This ensures that the packet received from a
given device actually came from that device.
In summary, you need a device at each end of the tunnel to protect
connections across the tunnel. This does not protect connections that are
outside of this tunnel. For example, nodeA has an encryption device to
communicate with nodeB (who also has an encryption device). NodeA also
accepts connections from other nodes, nodes that do not have encryption
devices. These "other" connections (especially session-oriented protocols)
are vulnerable to network hijacking attacks.
I would read the CERT Advisory (CA 95:01) on IP Spoofing and Network
Hijacking for background information.
-Brian
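As an added illustration of the point above (not code from this thread or from any vendor product named in it), here is a Python model of the integrity half of such a node-to-node tunnel: every packet carries a sequence number and a keyed MAC, so a packet injected by a host that does not hold the tunnel key, or a captured packet replayed later, is dropped at the receiving node. It assumes HMAC-SHA256 where the post mentions MD5, a constructed shared key, and omits the encryption step, since the drop decision is the same.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output; the post's example used MD5


class TunnelEndpoint:
    """One end of an authenticated tunnel (constructed model, not a real product)."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key   # assumption: pre-shared between the two nodes
        self.send_seq = 0       # next sequence number to emit
        self.recv_seq = 0       # next sequence number expected

    def send(self, payload: bytes) -> bytes:
        header = struct.pack("!I", self.send_seq)
        self.send_seq += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def receive(self, packet: bytes):
        """Return the payload, or None when the packet must be dropped."""
        if len(packet) < 4 + TAG_LEN:
            return None
        header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or altered: sender did not hold the tunnel key
        (seq,) = struct.unpack("!I", header)
        if seq != self.recv_seq:
            return None  # replayed or out of order: stale sequence number
        self.recv_seq += 1
        return payload


def demo():
    key = b"constructed-shared-tunnel-key"
    node_a, node_b = TunnelEndpoint(key), TunnelEndpoint(key)
    legit = node_a.send(b"ls -l")
    accepted = node_b.receive(legit)               # genuine nodeA traffic
    # A spoofed packet from a non-tunnel host: it can guess the next sequence
    # number, but cannot compute the tag without the key (zero tag used here).
    forged = struct.pack("!I", node_b.recv_seq) + b"injected data" + bytes(TAG_LEN)
    injected = node_b.receive(forged)
    replayed = node_b.receive(legit)               # captured packet sent again
    return accepted, injected, replayed
```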
>> From: frankw@in.net (Frank Willoughby)
>> Date: Wed, 20 Dec 95 14:58:20 -0500
>> Subject: Re: re Shiva / SecureID
>>
>>>[ I lost track of who said what .... ]
>>>>>> I humbly disagree with the last sentence. To my knowledge, only 3
>>>>>> firewall vendors (out of 69+) are able to stop session hijacking:
>>>>>>
>>>>>> o V-ONE's SmartWall firewall
>>>>>> o Raptor's Eagle firewall
>>>>>> o DEC's IP Encryption Tunnel
>>>
>>> I believe that FW-1 2.0 prevents session hijacking as well. Am
>>>I wrong?
>>>
>>
>> Yes
>>
>> Frank
>> Fortified Networks Inc. - Management & Information Security Consulting
>> Phone: (317) 573-0800 - http://www.fortified.com/fortified
>
>What's session hijacking (if this is in a FAQ someplace, please forgive me
>and simply point me to the FAQ. Thanks)?
>
>--
>Vic Serbe (vic@cd.com), Applications Engineer/Webmaster
>Central Data Corp. - Makers of the scsiTerminal Server
>800/482-0315 or (+1) 217/366-9237 (MAIN 359-8010) (FAX 359-6904)
>WWW: http://www.cd.com Ftp: ftp.cd.com