---
title: Protect yourself against man-in-the-middle attacks
hero: /images/posts/it-security/Man-in-the-Middle-Angriffe-abwehren.jpg
description: Simple tips and tricks on how to protect yourself against man-in-the-middle attacks.
date: 2021-01-27
---
In my last post - Understanding Man-in-the-Middle Attacks - I explained what man-in-the-middle attacks are and what they involve. In this post, I would like to give you some tips and tricks to help you protect yourself against such attacks.
Note that you will probably not be able to implement all of the protective measures presented here, because they naturally depend on the infrastructure you use: for example, whether you have your own domain, or which hardware components you run in your network.
In general, I can only advise you to invest a few dollars in a few components to protect your network not only from man-in-the-middle attacks, but also from other types of threats. I have listed some components that you may want to purchase at the end of this article.
Even though some of these links are affiliate links, they are not there to earn me a commission on products you buy (the sales price stays the same for you, and you support this blog); they reflect a clear recommendation on my part as additional protection against attacks.
I only recommend what I use myself in the same or a similar form!
- Replace default credentials with secure passwords
- Make physical access to network components more difficult (lockable room or network cabinet)
- Mechanical locking of ports
- Antivirus protection
- Set up device locks for mobile devices
- Correctly configured firewall
- Correctly configured managed switch
- Patch management for endpoints, servers, and active network components
- Grant access rights as much as necessary and as little as possible
- Do not use default passwords
- Enable or expose only those server services (and services in general) that are really necessary
- Protect unused USB ports
- Mechanical locking of ports
- Access control where possible
- Replace unmanaged switches with managed switches
- Divide the network into individual virtual subnetworks (VLANs)
- Use dynamic ARP inspection against MAC flooding and ARP poisoning
- Bind ports to specific MAC addresses
- Disable switch ports that are not needed
- Set static ARP entries for the default gateway
- Block ICMP type 5 (redirect) messages
- Set up DNSSEC
- Secure network traffic with encrypted connections
- Use authentication (Radius server, Active Directory, etc.)
- Do not simply ignore certificate errors and accept them without hesitation
- Use only publicly resolvable top-level domains for internal domain names; otherwise no public certification authority can issue certificates for the internal domain, and every internal HTTPS hostname will show a certificate error when accessed.
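The ARP-related items above (a static ARP entry for the default gateway, dynamic ARP inspection) as host-side detection logic, in an added example that is not part of the original post; the gateway address 192.168.1.1, its MAC address and the ARP reply events are constructed sample values:

```python
"""Host-side ARP poisoning check for the default gateway (added example).

Not from the original post. Models the list items "static ARP entry for the
default gateway" and "dynamic ARP inspection"; events and the gateway
binding 192.168.1.1 / aa:bb:cc:dd:ee:01 are constructed, assumed values.
"""
from collections import defaultdict

# Assumed trusted IP-to-MAC binding: the static ARP entry on the host, or the
# DHCP snooping table a switch consults for dynamic ARP inspection.
TRUSTED = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}
# Constructed ARP reply events: (timestamp, sender_ip, sender_mac)
SAMPLE_EVENTS = [
    (1, "192.168.1.1", "aa:bb:cc:dd:ee:01"),   # legitimate gateway
    (2, "192.168.1.20", "aa:bb:cc:dd:ee:20"),  # ordinary client
    (3, "192.168.1.1", "de:ad:be:ef:00:42"),   # gateway IP, foreign MAC
    (4, "192.168.1.30", "de:ad:be:ef:00:42"),  # same MAC claims another IP
]

def inspect_arp(events, trusted):
    """Return alert strings; an empty list means nothing suspicious.

    1. a bound IP advertised with a MAC other than its binding
    2. one MAC advertising several IPs (a poisoner answering for the
       gateway and a victim at the same time looks exactly like this)
    """
    alerts = []
    ips_per_mac = defaultdict(set)
    for ts, ip, mac in events:
        mac = mac.lower()
        expected = trusted.get(ip)
        if expected is not None and mac != expected.lower():
            alerts.append(f"t={ts}: {ip} advertised by {mac}, binding says {expected}")
        ips_per_mac[mac].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {sorted(ips)}")
    return alerts

def has_static_gateway_entry(ip_neigh_output, gateway_ip):
    """Check `ip neigh show` output for a PERMANENT (static) gateway entry."""
    for line in ip_neigh_output.splitlines():
        fields = line.split()
        if fields and fields[0] == gateway_ip:
            return "PERMANENT" in fields
    return False

if __name__ == "__main__":
    for alert in inspect_arp(SAMPLE_EVENTS, TRUSTED):
        print("ALERT", alert)
```

On a real host, feed `inspect_arp` with replies captured from the wire and `has_static_gateway_entry` with the output of `ip neigh show`; a missing PERMANENT flag means the gateway entry can still be overwritten by a forged reply.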
The following list (* affiliate links, which help support this blog) contains components that I use myself and therefore consider useful. Of course, everyone has to decide for themselves and adapt it to their own requirements! I would also like to point out that not everyone uses 19" components in their network or wants to spend this much money on certain things.
- Mechanical protection to prevent unauthorized connection of network cables to open RJ45 ports on network components.
- Mechanical security to protect open USB ports from unauthorized use
IMPORTANT!!!
An absolute must as protection against manipulated USB sticks and modified charging cables for mobile devices. The use of such sticks and cables is the most common way to gain access to a network!!!
I personally use this network cabinet with a depth of 600 mm and 16U and am very satisfied with it, as the manufacturer also offers a wide range of accessories.
- TP-Link TL-SG2428P 24-port Gigabit Managed PoE Switch with 4 SFP slots: Unlike switches from Ubiquiti, for example, this switch offers excellent configuration options for the security-related settings that protect against the attack scenarios described above. You also have the option of operating this switch standalone, i.e. without SDN. This switch is also available in a cheaper version without PoE support.
- TP-Link TL-SG3428 24-port Gigabit L2 Managed Network LAN Switch with 4 SFP slots
Not required!!! These are just to give you an idea of which network components I am currently using, as I am often asked about this.
- TP-Link Access Point EAP683 UR: I have used these access points throughout my house and outdoors. I run Unifi Controller as a virtual machine on my Proxmox server. What I like about these access points is that they can also be installed outdoors, making them an inexpensive alternative to the usually more expensive ACs from other manufacturers that offer comparable features. Furthermore, the support with new and up-to-date firmware has been really great so far. Before these access points found their way to me, I was using access points from Sophos. However, their proprietary use (only usable with Sophos firewall products) was a thorn in my side, and they were simply too expensive for my requirements (including outdoor use).
For me, using a hardware firewall is a clear "yes, it's a must." For anyone who uses smart home technology, KNX, or a home office and takes security seriously, there is no way around this component. I also live in a "smart home," but everything is neatly separated at the network level, and I can cut off services that insist on phoning home to their manufacturer.
In my professional consulting work, including for larger projects in the construction industry (electrical engineering), I have seen technical electrical installations using KNX that were unsecured and located on the same network as the IT infrastructure, meaning that any attacker could have gained access to the building control system.
Personally, I use the hardware linked below and have been using OPNsense as my firewall distro for years.
As you have read, there are many ways to protect yourself against man-in-the-middle attacks. With these tips and tricks, you and your network are well protected, not only against sniffing and man-in-the-middle attacks, but also against other attacks on your network. This list of measures is quite comprehensive, but it is not exhaustive. The remaining measures would require extensive knowledge of IT networks and security, so I have deliberately omitted them, as I believe these tips are sufficient for home use and for most companies. As always, I would love to hear your feedback!
