Bugtraq mailing list archives

Re: Router filtering not enough! (Was: Re: CERT advisory )


From: cwe () it kth se (Christian Wettergren)
Date: Tue, 24 Jan 95 21:25:12 +0100


| > TCP Sequence Numbering attacks are based on the ability of knowing a
| > session's initial sequence number (ISN); a "random" number incremented
| > every X (time...
| 
| Not necessarily....If you can see the traffic go by on the net, you
| have the sequence numbers and can go right ahead and hijack the
| session in-progress.
| 
| This can be done with a routing redirect attack anywhere on the path
| between the telnet client and the skey login machine (firewall), and
| does not require IP spoofing.
| 
| The filtering router techniques that are being discussed will NOT
| provide 100% protection against this sort of attack. If you really
| need to be absolutely safe from this kind of attack, you must not run
| skey or any other unencrypted interactive login at all.
| Application-level encryption can substantially decrease the risk
| of intrusion in this case, reducing the attack to a denial of service
| (you lose your connection.) Gauge your own risk.

At least they have to go for the end-points, and either attack the
application or try to get at the keys. Of course one should not
use an unsecure external endpoint either.

(One could also argue that even if one uses encrypting-IP, many
cryptanalytical attacks might be possible. But that is due to become
a problem after five years, so let's assume it won't be one! :-))

/Christian Wettergren, cwe () it kth se
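
The point made in the quoted text, that application-level protection reduces a hijack to a denial of service, as an added example that is not part of the original message. It assumes a pre-shared key and uses an HMAC over each record as a stand-in for the integrity half of an encrypting application layer (no confidentiality is shown); `RecordChannel`, `SessionAborted` and the sample bytes are hypothetical names and constructed data.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size

class SessionAborted(Exception):
    """A record failed authentication; the connection must be dropped."""

class RecordChannel:
    """One direction of an authenticated record stream carried over TCP."""

    def __init__(self, key: bytes):
        self.key, self.counter, self.alive = key, 0, True

    def _tag(self, payload: bytes) -> bytes:
        # The record counter is bound into the MAC so replays do not verify.
        msg = struct.pack("!QH", self.counter, len(payload)) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        record = struct.pack("!H", len(payload)) + payload + self._tag(payload)
        self.counter += 1
        return record

    def open(self, record: bytes) -> bytes:
        payload, tag = record[2:-TAG_LEN], record[-TAG_LEN:]
        ok = (self.alive and len(record) >= 2 + TAG_LEN
              and struct.unpack("!H", record[:2])[0] == len(payload)
              and hmac.compare_digest(tag, self._tag(payload)))
        if not ok:
            self.alive = False  # fail closed: the user loses the connection
            raise SessionAborted("unauthenticated data in stream")
        self.counter += 1
        return payload

def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()
    client, server = RecordChannel(key), RecordChannel(key)
    out = {"legit": server.open(client.seal(b"ls\n"))}
    # Constructed bytes put into the TCP stream by someone without the key.
    injected = struct.pack("!H", 9) + b"injected\n" + bytes(TAG_LEN)
    for name, rec in (("injected", injected), ("after", client.seal(b"pwd\n"))):
        try:
            out[name] = server.open(rec)
        except SessionAborted:
            out[name] = None
    return {**out, "alive": server.alive}
```

Knowing the TCP sequence numbers is enough to get bytes accepted by the transport, but the receiver never acts on them: the session is torn down, and the legitimate record that follows is refused as well.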


