Preventing Man-in-the-Middle Attacks
CA DataMinder endpoints rely on network communication with the CA DataMinder Infrastructure Services to exchange data (such as events or policies) with their parent server. This network communication makes the endpoint subject to a possible ‘man-in-the-middle’ attack, in which the endpoint is not communicating with its real parent but with a rogue server.
CA DataMinder uses various combinations of proprietary UDP and encrypted Java RMI TCP-based protocols for its communications.
- Before a communication session exchanges data, the protocols verify the identity of the server and client. If the identity is incorrect, the protocol terminates the session and logs the termination.
- In sessions where important policy data is synchronized, the installation code of the CA DataMinder system is also verified. The verification helps ensure that the sessions contact the same CA DataMinder network of clients and servers.
What do realistic and likely attacks look like?
- It is possible (but, due to the proprietary nature of the communications, unlikely) that attackers develop custom software to spoof the behavior of a parent server. The most realistic form of ‘attack’ would come from a real CA DataMinder server that has been configured as a rogue server.
- The most likely attack is the reconfiguration of the endpoint’s ‘hosts’ or ‘lmhosts’ files: attackers attempt to map the parent server name to a rogue server, or to an invalid IP address, to stop communications with the parent server.
By default, Administrator rights are required to edit these files. Depending upon the actual communications being performed, this reconfiguration can be sufficient to fool an endpoint into certain communications with a ‘rogue’ server.
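As an added example (not part of the CA documentation), the following Python check audits an endpoint’s hosts file for static entries that name the parent server, which is the reconfiguration described above. The parent hostnames, addresses and the sample file contents are constructed placeholders, not values from any real deployment.

```python
import ipaddress

# Constructed sample of a Windows hosts file, not copied from a real endpoint.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.5.20       dm-parent.corp.example   dm-parent   # entry not created by IT
0.0.0.0         backup-parent.corp.example
"""


def parse_hosts(text):
    """Yield (address, [lower-cased names]) for each non-comment hosts entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield parts[0], [name.lower() for name in parts[1:]]


def audit_parent_mappings(text, parent_names, expected_ips):
    """Return (address, matched names, verdict) for every entry naming the parent.

    parent_names: hostnames/aliases the endpoint uses to reach its parent server.
    expected_ips: addresses the parent legitimately resolves to (assumed known).
    A parent name should not normally be pinned in the hosts file at all, so
    every match is reported; the verdict says which kind of tampering it fits.
    """
    watch = {name.lower() for name in parent_names}
    allowed = {ipaddress.ip_address(ip) for ip in expected_ips}
    findings = []
    for addr_text, names in parse_hosts(text):
        hit = watch.intersection(names)
        if not hit:
            continue
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((addr_text, sorted(hit), "malformed address"))
            continue
        if addr.is_unspecified or addr.is_loopback:
            verdict = "blackholed (blocks communication with parent)"
        elif addr not in allowed:
            verdict = "redirected to unexpected address"
        else:
            verdict = "pinned to expected address (review why it is static)"
        findings.append((str(addr), sorted(hit), verdict))
    return findings
```

The same parser handles lmhosts lines, whose trailing #PRE/#DOM keywords are discarded with the comment; run the audit on both files as part of a scheduled integrity check.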
If this level of protection is insufficient, configure CA DataMinder to run in Advanced Encryption Mode (FIPS 140-2). This mode uses TLS and certificates to provide the ultimate protection for communications between the endpoint and its parent. Mounting a ‘man-in-the-middle’ attack is near-impossible without having first compromised the security of either the endpoint or the parent server.
Important: You have to deploy CA DataMinder in Advanced Encryption Mode from the start. You cannot convert an existing CA DataMinder deployment to Advanced Encryption Mode.
For CA DataMinder to be compatible with FIPS 140-2, you deploy it in Advanced Encryption Mode. This section describes the deployment procedure.
Follow these steps:
- Designate a secure server that is separate from your intended CA DataMinder enterprise.
- Generate the self-signed root certificate.
- Generate the Key Store and Revocation List.
- Deploy your CA DataMinder servers and client machines.
- Create new administrative installation source images.
- Customize the new source images.
- Install the servers and client machines from the appropriate source image.
- Confirm that encryption is correctly configured in the machine policy for all your CA DataMinder servers and client machines.
- Secure the critical Advanced Encryption files on your CA DataMinder servers and client machines so that they can only be accessed by the CA DataMinder infrastructure.
Note: See the ‘Advanced Encryption Mode’ chapter in the Platform Deployment Guide for further details of this part of the CA DataMinder deployment procedure.
Copyright © 2014 CA.
All rights reserved.