Wednesday, March 31, 2010

Protecting against Session Hijacking



  1. Use Encryption

  2. Use a secure protocol

  3. Limit incoming connections

  4. Minimize remote access

  5. Have strong authentication.
Countermeasure
When practical, limit successful sessions to specific IP addresses. This usually only works when dealing within an intranet setting, where the IP ranges are predictable and finite.

Countermeasure
Re-authenticate the user before critical actions are performed. If possible, try to limit unique session tokens to each browser instance (e.g. generate the token with a hash of the MAC address of the computer and process id of the browser, etc.) Configure the appropriate spoof rules on gateways (internal and external). Monitor for ARP cache poisoning, by using IDS products or ARPwatch.

Countermeasure
Use x.509 certificates to prevent more traditional types of TCP hijacking.

Countermeasure
Use encryption. This can be done by one or more of the following.

  • Forcing all incoming connections from the outside world to be fully encrypted.

  • Forcing all connections to critical machines to be fully encrypted.

  • Forcing all traffic on the network to be encrypted.

  • Using encrypted protocols, like those found in the OpenSSH suite. The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keygen and sftp-server.

Countermeasure
Use strong authentication (like Kerberos) or peer-to-peer VPN's.

0 comments:

Post a Comment