Beyond Standard Perimeter (FW-UTM-IDS-IPS) Security
Garret Grajek, CISSP
President and Chief Operating Officer
An issue that is not being addressed by traditional “fw-utm-ids-ips” infrastructure is identity theft and specifically identity theft that occurs in transit to the target application or resource.
This type of identity theft is characterized by a man-in-the-middle or replay attack. These attacks often utilize simple reverse proxies to “replay” the credential information to a particular web site or network resource.(Diagram 1) In this manner, the attacker does not have to build an elaborate web site or network page to create the “look-feel” of the target site – the proxy does the work for him.
Traditional firewalls and/or IDS systems cannot trace or detect these types of attacks. The attacker is utilizing valid credentials to enter into the system resource. (Thus a standard signature or anomaly-based detection system will not detect this type of intrusion.)
These attacks are perpetrated by luring the end user to a different web or network resource than the legitimate target and then redirecting to the legitimate target, but with the sessioning information now replayed by the attacker. In this manner the attacker now has “hijacked” the session and can digest and modify the session in whatever method he wishes to utilize the communication. Often the session itself can be held and then replayed, with the attacker himself starting a new request; masquerading the identity of the originator.
The attacker lures the user to the attacker site through commonly used attacker methodologies, including mass-e-mail phishing attacks, DNS attacks… host file attacks and Trojans planted on the end users device. The commonality of all the attacks is that the user is directed to the attacker’s site with the user believing he/she is being directed to the legitimate target.
It is important to note that standard one-time-passwords, such as RSA, VeriSign or Vasco tokens do NOT solve this problem. These one-time-token codes can be replayed just as easily as a static password. (The 60 second time-out is a lifetime in today’s internet speeds.)
What is needed to protect against these attacks is a system or methodology that forces the end user to verify that the network device or the web server is the legitimate target. This is known as bi-lateral or mutual authentication. That is – it’s not enough for the user to authenticate to the site, but the site needs to authenticate to the end user.
Initially this type of 2-way authentication was supposed to be conducted by a public-key-infrastructure (PKI) system.(Diagram 2) In this scenario, the end user has a certificate that is chained to a root CA who also has issued a certificate to the destination host or network device. In this manner, the end system is validated by the 2-way trust system before the user conducts a transaction – thus mitigating the man-in-the-middle attack.
The difficulty in this solution has been the delivery/storage/manageability of the certificate to the end user. These difficulties have been met by the Multi-Factor Authentication SecureAuth™ system (Diagram 3) which uses a patent-pending unique blend of:
· Off-site hosted web services
· Telephony/SMS out-of-band registration services
· Deployable client side certificate verification modules for the server side
· Light-weight client side certificate storage/retrieval modules
All deployed in a manner that does not use CRLs (Certificate Revocation List) or an Online Certificate Status Protocol (OCSP) infrastructure, which traditionally has been an obstacle to these solutions.)
In summary, the Multi-Factor Authentication SecureAuth authentication system provides the bi-lateral authentication needed by enterprises today to thwart man-in-the-middle identity theft attacks. These attacks are not mitigated, today by the standard “fw-utm-ids-ips” security infrastructure, and can only be secured with an authentication system such as Multi-Factor Authentication’s SecureAuth.
(Garret Grajek is a certified security engineer and co-founder of MultiFactor Corporation, http://www.multifa.com/)
Please join the conversation at the MultiFactor discussion group.