Preventing Man-in-the-Middle Attacks
CA DLP endpoints rely on network communication with their parent server, carried by the CA DLP Infrastructure Services, to exchange data such as events and policies. This network communication exposes the endpoint to a possible ‘man-in-the-middle’ attack: in such an attack, the endpoint is not communicating with its real parent, but with a rogue server.
CA DLP uses various combinations of a proprietary UDP protocol and encrypted, Java RMI TCP-based protocols for its communications.
- Before a communication session exchanges data, the protocols verify the identity of the server and client. If the identity is incorrect, the protocol terminates the session and logs the termination.
- In sessions where important policy data is synchronized, the installation code of the CA DLP system is also verified. The verification helps ensure that the sessions contact the same CA DLP network of clients and servers.
What do realistic and likely attacks look like?
- It is possible (but, due to the proprietary nature of the communications, unlikely) that attackers develop custom software to spoof the behavior of a parent server. The most realistic form of ‘attack’ would come from a real CA DLP server which is configured to be a rogue server.
- The most likely attack is the reconfiguration of the endpoint’s ‘hosts’ or ‘lmhosts’ files: attackers attempt to map the parent server name to a rogue server, or to an invalid IP address, to stop communications with the parent server.
By default, Administrator rights are required to edit these files. Depending upon the actual communications being performed, this reconfiguration alone can be sufficient to fool an endpoint into certain communications with a ‘rogue’ server.
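Because the ‘hosts’ file attack described above leaves a static trace on the endpoint, it is straightforward to audit for. The following Python script is an added example, not CA DLP code: it parses a constructed Windows hosts file and flags any entry that maps a known parent-server name to an address other than the one in your inventory, or to a sinkhole address (0.0.0.0 or loopback). The parent names and expected addresses (`dlp-parent.example.internal`, `10.0.1.10`, and so on) are placeholders; in practice they come from your DLP inventory or DNS records, never from the endpoint being checked.

```python
import ipaddress

# Constructed sample of a Windows hosts file containing two hostile entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.0.5.20       dlp-parent.example.internal   # constructed: rogue override
0.0.0.0         dlp-backup.example.internal   # constructed: sinkhole entry
192.0.2.10      build-server                  # unrelated, legitimate
"""

# Assumed parent-server identities (placeholders). Take these from your DLP
# inventory or authoritative DNS, not from the endpoint itself.
EXPECTED_PARENTS = {
    "dlp-parent.example.internal": {"10.0.1.10"},
    "dlp-backup.example.internal": {"10.0.1.11"},
}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring blank lines and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()                   # tabs and runs of spaces both separate fields
        address, names = parts[0], parts[1:]
        for name in names:                     # one line may list several names
            yield address, name.lower()


def audit_hosts(text, expected_parents):
    """Return findings for hosts entries that override a DLP parent-server name."""
    findings = []
    for address, name in parse_hosts(text):
        if name not in expected_parents:
            continue                           # only parent-server names matter here
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append({"host": name, "address": address, "severity": "high",
                             "reason": "parent mapped to an unparseable address"})
            continue
        if addr.is_unspecified or addr.is_loopback:
            findings.append({"host": name, "address": address, "severity": "high",
                             "reason": "parent mapped to a sinkhole address; communication is blocked"})
        elif address not in expected_parents[name]:
            findings.append({"host": name, "address": address, "severity": "high",
                             "reason": "parent mapped to an unexpected address; possible rogue server"})
        else:
            # A correct static entry still bypasses DNS, so record it for review.
            findings.append({"host": name, "address": address, "severity": "info",
                             "reason": "static mapping matches inventory but bypasses DNS"})
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, EXPECTED_PARENTS):
        print(finding)
```

On a real endpoint, read `%SystemRoot%\System32\drivers\etc\hosts` (and `lmhosts` if NetBIOS name resolution is in use) into `audit_hosts` from a scheduled job or your endpoint-management agent, and alert on any finding with severity `high`; a parent name should normally not appear in these files at all.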
If this level of protection is insufficient, configure CA DLP to run in Advanced Encryption Mode (FIPS 140-2). This mode uses TLS and certificates to provide the strongest available protection for communications between the endpoint and its parent. Mounting a ‘man-in-the-middle’ attack is then near-impossible without first compromising the security of either the endpoint or the parent server.
Important: You have to deploy CA DLP in Advanced Encryption Mode from the start. You cannot convert an existing CA DLP deployment to Advanced Encryption Mode.
For CA DLP to be compatible with FIPS 140-2, you deploy it in Advanced Encryption Mode. This section describes the deployment procedure.
Follow these steps:
1. Designate a secure server that is separate from your intended CA DLP enterprise.
2. Generate the self-signed root certificate.
3. Generate the Key Store and Revocation List.
4. Deploy your CA DLP servers and client machines:
   - Create new administrative installation source images.
   - Customize the new source images.
   - Install the servers and client machines from the appropriate source image.
5. Confirm that encryption is correctly configured in the machine policy for all your CA DLP servers and client machines.
6. Secure the critical Advanced Encryption files on your CA DLP servers and client machines so that they can only be accessed by the CA DLP infrastructure.
Note: See the ‘Advanced Encryption Mode’ chapter in the Platform Deployment Guide for the full details of this part of the CA DLP deployment procedure.
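The last step matters because a key store or root certificate that any local user can read undermines the TLS identity checks that Advanced Encryption Mode adds. The following Python script is an added example, not CA DLP code, showing one way to verify that step: it parses the output of the Windows `icacls` command for one of the critical files and flags access control entries that let anything other than the DLP infrastructure read it. The file path `C:\ProgramData\DLP\keystore.jks`, the domain `EXAMPLE` and the service account `svc-dlp` are placeholders, and the `icacls` output is constructed for the example.

```python
import re

# Placeholder path for a critical Advanced Encryption file (not a real CA DLP path).
KEYSTORE_PATH = r"C:\ProgramData\DLP\keystore.jks"

# Constructed sample of `icacls <file>` output. The first line carries the file
# name; every ACE is "principal:(flags)"; the last line is icacls' summary.
SAMPLE_ICACLS = KEYSTORE_PATH + r""" NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Users:(I)(RX)
                                EXAMPLE\svc-dlp:(R)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumed: the account the CA DLP infrastructure services run under (placeholder)
# plus the built-in principals that legitimately keep access.
ALLOWED_PRINCIPALS = {"nt authority\\system", "builtin\\administrators", "example\\svc-dlp"}

# Principals that make a file readable by anyone who can log on to the machine.
BROAD_PRINCIPALS = {"everyone", "builtin\\users", "nt authority\\authenticated users"}

# icacls inheritance flags, as opposed to access rights such as F, M, RX, R, W, D, N.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([A-Z,]+\))+)\s*$")


def parse_icacls(output, path):
    """Return (principal, [access rights], inherited) for each ACE in icacls output."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()    # strip the file name from the first line
        match = ACE_RE.match(line)
        if not match:
            continue                           # blank line or the trailing summary
        flags = re.findall(r"\(([A-Z,]+)\)", match.group("rights"))
        access = [f for f in flags if f not in INHERITANCE_FLAGS]
        aces.append((match.group("principal"), access, "I" in flags))
    return aces


def audit_file_acl(output, path, allowed=ALLOWED_PRINCIPALS, broad=BROAD_PRINCIPALS):
    """Flag ACEs that let anything other than the DLP infrastructure access the file."""
    findings = []
    for principal, access, inherited in parse_icacls(output, path):
        key = principal.lower()
        if access == ["N"]:
            continue                           # explicit deny grants nothing
        if key in broad:
            findings.append({"principal": principal, "severity": "high",
                             "reason": "broad group has access: " + ",".join(access)})
        elif key not in allowed:
            findings.append({"principal": principal, "severity": "medium",
                             "reason": "unexpected principal has access: " + ",".join(access)})
        elif inherited:
            findings.append({"principal": principal, "severity": "low",
                             "reason": "allowed, but inherited; break inheritance so folder changes cannot widen it"})
    return findings


if __name__ == "__main__":
    for finding in audit_file_acl(SAMPLE_ICACLS, KEYSTORE_PATH):
        print(finding)
```

To use it on a server, run `icacls` against each critical file from a privileged session, feed the captured output to `audit_file_acl`, and treat any `high` or `medium` finding as a failed deployment check. Repeat the check after any change to the parent folder, since inherited entries are the usual way a well-secured file quietly becomes readable again.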
Copyright © 2012 CA.
All rights reserved.