

Preventing Man-in-the-Middle Attacks
CA Data Protection endpoints rely on network communication between CA Data Protection Infrastructure Services to exchange data (such as events or policies) with their parent server. This network communication makes the endpoint subject to a possible ‘man-in-the-middle’ attack, in which the endpoint is not communicating with its real parent but with a rogue server.
CA Data Protection uses a combination of proprietary UDP protocols and encrypted, TCP-based Java RMI protocols for its communications.
- Before a communication session exchanges data, the protocols verify the identity of the server and client. If the identity is incorrect, the protocol terminates the session and logs the termination.
- In sessions where important policy data is synchronized, the installation code of the CA Data Protection system is also verified. The verification helps ensure that the sessions contact the same CA Data Protection network of clients and servers.
What do realistic and likely attacks look like?
- It is possible (but, due to the proprietary nature of the communications, unlikely) that attackers develop custom software to spoof the behavior of a parent server. The most realistic form of ‘attack’ would come from a real CA Data Protection server that has been configured to act as a rogue server.
- The most likely attack is the reconfiguration of the endpoint’s ‘hosts’ or ‘lmhosts’ files: attackers map the parent server’s name to a rogue server, or to an invalid IP address in order to stop communications with the parent server.
By default, Administrator rights are required to edit these files. Depending upon the actual communications being performed, this reconfiguration can be sufficient to fool an endpoint into certain communications with a ‘rogue’ server.
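The hosts/lmhosts reconfiguration described above leaves a trace that an endpoint integrity check can look for: a line that maps the parent server’s name to an address other than the one the endpoint is expected to use, or to a null or loopback address that severs communication. The following Python script is an added example, not CA Technologies code; the parent server names, the expected address and the hosts-file content are constructed for illustration. The same parser works for ‘lmhosts’ lines, because the NetBIOS name precedes any ‘#PRE’/‘#DOM’ keyword and those keywords are stripped with the comment.

```python
"""Flag hosts/lmhosts entries that redirect a CA Data Protection endpoint's
parent server to an unexpected address.

Added example for this guide, not CA Technologies code. Names, addresses and
file content below are constructed assumptions.
"""
import ipaddress

# Constructed: names by which the endpoint may refer to its parent server,
# and the address(es) the endpoint is expected to reach it at.
PARENT_NAMES = {"dlp-parent.example.local", "dlp-parent"}
EXPECTED_ADDRS = {"10.20.30.40"}

# Constructed hosts-file content. The last line is the kind of override the
# guide describes: it maps the parent name to a null address, which stops
# the endpoint from talking to its real parent.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.20.30.40     dlp-parent.example.local dlp-parent
0.0.0.0         dlp-parent.example.local    # constructed: blocks parent comms
"""


def parse_hosts(text):
    """Return a list of (address, [names]) for each valid, non-comment line.

    Everything after '#' is dropped, which also removes lmhosts keywords
    such as '#PRE'. Lines whose first field is not an IP address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; not a usable mapping
        entries.append((addr, [n.lower() for n in names]))
    return entries


def find_parent_overrides(text, parent_names=PARENT_NAMES, expected=EXPECTED_ADDRS):
    """Return findings for every entry that maps a parent-server name to an
    address outside the expected set.

    Null (0.0.0.0, ::) and loopback mappings are reported separately, since
    they block communication rather than redirect it to a rogue server.
    """
    wanted = {n.lower() for n in parent_names}
    findings = []
    for addr, names in parse_hosts(text):
        if not wanted.intersection(names):
            continue
        if addr in expected:
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified or ip.is_loopback:
            reason = "null/loopback mapping (blocks parent communication)"
        else:
            reason = "unexpected address (possible rogue parent server)"
        findings.append({"address": addr, "names": names, "reason": reason})
    return findings


if __name__ == "__main__":
    # On a real endpoint, read %SystemRoot%\System32\drivers\etc\hosts
    # (and lmhosts) instead of the constructed sample.
    for finding in find_parent_overrides(SAMPLE_HOSTS):
        print(f"{finding['address']:>16}  {' '.join(finding['names'])}  -> {finding['reason']}")
```

Because Windows uses the first matching hosts line, an override appended after a legitimate entry does not redirect the name, but one inserted before it does; reporting every non-expected mapping rather than only the first keeps both cases visible to the reviewer.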
If this level of protection is insufficient, configure CA Data Protection to run in Advanced Encryption Mode (FIPS 140-2). This mode uses TLS and certificates to provide the strongest protection for communications between the endpoint and its parent. Mounting a ‘man-in-the-middle’ attack is then near-impossible without first compromising the security of either the endpoint or the parent server.
Important: You have to deploy CA Data Protection in Advanced Encryption Mode from the start. You cannot convert an existing CA Data Protection deployment to Advanced Encryption Mode.
To make a CA Data Protection deployment compatible with FIPS 140-2, deploy it in Advanced Encryption Mode. This section describes the deployment procedure.
Follow these steps:
- Designate a secure server that is separate from your intended CA Data Protection enterprise.
- Generate the self-signed root certificate.
- Generate the Key Store and Revocation List.
- Deploy your CA Data Protection servers and client machines.
- Create new administrative installation source images.
- Customize the new source images.
- Install the servers and client machines from the appropriate source image.
- Confirm that encryption is correctly configured in the machine policy for all your CA Data Protection servers and client machines.
- Secure the critical Advanced Encryption files on your CA Data Protection servers and client machines so that they can only be accessed by the CA Data Protection infrastructure.
Note: See the ‘Advanced Encryption Mode’ chapter in the Platform Deployment Guide for further details on this part of the CA Data Protection deployment procedure.
Copyright © 2015 CA Technologies.
All rights reserved.