How Do We Protect *Our* Network From Client Infections

How would you do this without having access to a computer inside my network?
Assuming you have control over my router, you cannot (I think) redirect packets to the router, out on the Internet to your computer and back in order to MITM, can you?

Or do you mean that a single program can do all of this completely automatically?

Internet <-- Your gateway <-- ME Pretending to be your gateway <-- Your network/pcs


Sorry, I misread your question.

I would spoof your gateway. Like a MITM attack, it would work like this:

You sending:
Internet <-- Your gateway <-- ME Pretending to be your gateway <-- Your network/pcs

Receiving:
Internet --> Your gateway --> Me --> Your network/pcs

Now I can also take a copy of your packets on the send and the receive. Also, now that I am pretending to be your gateway, let's say you are going to www.chase.com to do some banking: I can put a redirect on it so you go to a fake login page, or better yet just capture your data before it hits that spot. I can inject your packets in Linux easily (in Windows I am not sure it would be so easy because of winsock limitations). Once I am on your network, the possibilities are endless.
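
The gateway impersonation described in the post above is done with forged ARP replies: the attacker tells every client that the gateway IP lives at his MAC (the "sending" line) and tells the gateway that each client IP lives at his MAC (the "receiving" line). The following is an added example, not code from the post, showing how such a trace looks to a defender and how to spot it. It reads ARP replies in a simple (timestamp, sender IP, sender MAC, target IP) form; the sample trace, the 192.168.1.x addresses and the MAC addresses are constructed for the example (00:00:5e:00:53:xx is the IANA documentation MAC range; the attacker is given 02:00:00:00:be:ef).

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class ArpReply(NamedTuple):
    """One ARP reply: sender_mac asserts that it owns sender_ip, addressed to target_ip."""
    ts: float
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpWatch:
    """Track IP->MAC bindings seen in ARP replies and flag the two symptoms of the
    gateway spoof described in the post: a known binding changing, and one MAC
    claiming several IPs (the attacker must claim the gateway to the clients and
    each client to the gateway in order to see both directions)."""

    def __init__(self, gateway_ip: str, gateway_mac: str) -> None:
        self.gateway_ip = gateway_ip
        # Seed the table with the real gateway so its first forged reply is already a conflict.
        self.bindings: Dict[str, str] = {gateway_ip: gateway_mac}   # ip -> mac
        self.claims: Dict[str, Set[str]] = defaultdict(set)          # mac -> IPs it has claimed
        self.alerts: List[str] = []

    def observe(self, r: ArpReply) -> None:
        self.claims[r.sender_mac].add(r.sender_ip)
        prev = self.bindings.get(r.sender_ip)
        if prev is None:
            self.bindings[r.sender_ip] = r.sender_mac   # first sighting of this IP: learn it
        elif prev != r.sender_mac:
            what = "GATEWAY" if r.sender_ip == self.gateway_ip else "host"
            self.alerts.append(
                f"t={r.ts}: {what} {r.sender_ip} moved {prev} -> {r.sender_mac} "
                f"(reply sent to {r.target_ip})"
            )

    def suspicious_macs(self, min_ips: int = 2) -> Set[str]:
        """MACs that have claimed at least min_ips distinct IP addresses."""
        return {mac for mac, ips in self.claims.items() if len(ips) >= min_ips}


def analyze(trace: List[ArpReply], gateway_ip: str, gateway_mac: str) -> Tuple[List[str], Set[str]]:
    """Run a trace through ArpWatch; returns (alerts, MACs claiming several IPs)."""
    watch = ArpWatch(gateway_ip, gateway_mac)
    for reply in trace:
        watch.observe(reply)
    return watch.alerts, watch.suspicious_macs()


# Constructed trace, not a real capture.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:00:5e:00:53:01"
SAMPLE_TRACE = [
    ArpReply(0.0, "192.168.1.1",  "00:00:5e:00:53:01", "192.168.1.20"),  # real gateway answers a client
    ArpReply(0.1, "192.168.1.20", "00:00:5e:00:53:20", "192.168.1.1"),   # client answers the gateway
    ArpReply(5.0, "192.168.1.1",  "02:00:00:00:be:ef", "192.168.1.20"),  # "sending" side: attacker claims the gateway
    ArpReply(5.1, "192.168.1.20", "02:00:00:00:be:ef", "192.168.1.1"),   # "receiving" side: attacker claims the client
    ArpReply(5.2, "192.168.1.21", "02:00:00:00:be:ef", "192.168.1.1"),   # ... and the next client
]

if __name__ == "__main__":
    alerts, macs = analyze(SAMPLE_TRACE, GATEWAY_IP, GATEWAY_MAC)
    print("\n".join(alerts))
    print("MACs claiming several IPs:", sorted(macs))
```

Two alerts come out of the sample (the gateway binding moving, then the client binding moving), and the attacker's MAC is the only one claiming more than one address. The client whose IP is first seen from the attacker (192.168.1.21) raises no "moved" alert because nothing was known about it, which is why the multi-IP heuristic matters. On the defensive side, a static ARP entry for the gateway on each host, or Dynamic ARP Inspection on a managed switch, is what stops the forged replies from being accepted in the first place.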
 
Having phishing protection enabled in one's browser would, though, efficiently prevent redirects, would it not?
And how immune is SSL to MITM?
 
Thank you for that informative text.
I have to translate at least parts of it and put it up in some of the offices where I work. It's amazing how wireless access, for example, is many times a wide-open gateway to a corporate network.
I don't trust Windows Server or a Windows domain well enough to have someone snooping around analyzing packets and poking at it.
(I look differently at my home network.)

I was perhaps a little too sure of myself; my master and mentor, when I started doing networks in general, taught me this.

I think maybe he just did not know enough about packets.
But he told me, and of course I could only see that as pure truth, that...

"There is practically no way to mess with a LAN unless you get control of a computer inside that same network, and even then it's very hard."
So his final word was to UPDATE Windows frequently!

I have of course gotten into problems with Windows updates causing trouble; I can usually not fix it, but I can restore to before the update every time.
So Windows Update has been my best friend.

I still don't see how MITM and variants thereof would work inside my LAN without a hacker having control over a computer inside my LAN, and I don't see how a hacker could compromise my computer without having at least LAN access.
But that just means that I don't know how it's done, not that it cannot be done.

I guess I have to learn how to hack a network, that seems to be the best lesson, instead of learning network security.
 
While we're on the topic of security, how does Untangle perform in adding an additional layer of security to a network? Does it itself pose new security threats? Would its built-in "Remote Access Portal" be susceptible to attack? It seems that if that were compromised, then an entire network could be crippled very easily.
 
Reading this thread on the dangers of wireless security illustrates why BellSouth would fire anyone connecting a wireless device to the corporate network. A few tried and they had to find a new employer.
 
They would have to be VERY determined, enough to hang around for a week or more to actually sniff a valid MAC. And all they would get is internet access, which is free in the freakin hallway. So I'm not too worried, the security more than meets the actual danger.

AND the way a PC gets access to YOUR network is by YOUR competitor bringing in HIS machine, prepared to do whatever damage or discovery, supposedly for something stupid that requires internet access for you to fix. Then he pays the $50 for your "fix", after wrecking your network or credibility, or scarfing your customer list.
 
You need 3 routers to properly segment the networks (with consumer-grade stuff):
1 router connected to the internet, say 192.168.1.x
both other routers connected to that one (they both connect to that one via their "internet/WAN" port)
say 192.168.2.x & 192.168.2.x, or use different internal IPs for each so you can tell visually whether you are on your network or the hostile one.

Having each network, your "internal" and the "client" network, on a different router protects both networks from each other.
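
The three-router layout above, as an added example that is not part of the post, modelled in Python so that the isolation claim and its one catch can be checked. The model assumes what a consumer NAT router does with no port forwards configured: it forwards its LAN toward its WAN and passes the replies back, but drops new connections arriving on the WAN port. The address plan is the post's 192.168.1.x on the edge router and 192.168.2.x on the business LAN; 192.168.3.x for the customer LAN and the .2/.3 WAN addresses on the edge segment are assumptions standing in for whatever the edge router's DHCP hands out.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# name -> (LAN subnet served by this router, its WAN address, upstream router or None for the edge)
Topology = Dict[str, Tuple[Net, Optional[Addr], Optional[str]]]


def build_topology(edge_lan: str = "192.168.1.0/24",
                   internal_lan: str = "192.168.2.0/24",
                   client_lan: str = "192.168.3.0/24") -> Topology:
    """Router 1 faces the internet; routers 2 and 3 plug their WAN ports into router 1's LAN."""
    return {
        "edge":     (Net(edge_lan),     None,                 None),
        "internal": (Net(internal_lan), Addr("192.168.1.2"),  "edge"),   # business LAN
        "client":   (Net(client_lan),   Addr("192.168.1.3"),  "edge"),   # customer PCs
    }


def validate(topo: Topology) -> List[str]:
    """Configuration problems. A child LAN overlapping any LAN on its path to the
    edge is fatal: the child router can no longer tell 'my LAN' from 'upstream',
    which is exactly what happens when all three boxes are left on 192.168.1.x."""
    problems = []
    for name, (lan, wan, up) in topo.items():
        cur = up
        while cur is not None:
            up_lan, _, up_up = topo[cur]
            if lan.overlaps(up_lan):
                problems.append(f"{name} LAN {lan} overlaps upstream {cur} LAN {up_lan}")
            cur = up_up
        if wan is not None and wan not in topo[up][0]:
            problems.append(f"{name} WAN address {wan} is not inside {up} LAN {topo[up][0]}")
    return problems


def router_of(addr: Addr, topo: Topology) -> Optional[str]:
    """The router serving addr's LAN, or None if addr is on no modelled LAN (treated as internet)."""
    for name, (lan, _, _) in topo.items():
        if addr in lan:
            return name
    return None


def can_reach(src: Addr, dst: Addr, topo: Topology) -> bool:
    """True if a host at src can open a new connection to dst under the NAT rule above:
    src reaches its own LAN, every LAN on the path to the edge, and the internet,
    but never hosts inside a sibling router's LAN."""
    src_router = router_of(src, topo)
    if src_router is None:
        raise ValueError(f"{src} is not on any modelled LAN")
    dst_router = router_of(dst, topo)
    if dst_router is None:
        return True                       # public address: NAT chain carries it out
    cur = src_router
    while cur is not None:
        if cur == dst_router:
            return True
        cur = topo[cur][2]                # walk outward toward the edge
    return False


if __name__ == "__main__":
    topo = build_topology()
    print("problems:", validate(topo))
    customer, business = Addr("192.168.3.10"), Addr("192.168.2.10")
    print("customer -> business PC:", can_reach(customer, business, topo))          # False
    print("customer -> internet:   ", can_reach(customer, Addr("203.0.113.5"), topo))  # True
    print("customer -> business router WAN side:", can_reach(customer, Addr("192.168.1.2"), topo))  # True
```

The last line is the catch a practitioner should check for: the business router's WAN address sits on the edge segment that the customer network can reach, so whatever that router serves on its WAN side (typically its admin page, if "remote management" is on) is exposed to the customer PCs even though the business LAN behind it is not. Disable management on the WAN interface of router 2 and, with the same reasoning, of router 1.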

That is what I was thinking too. The first "router" connected to the internet would be the cable or DSL modem - - right?
 
That is what I was thinking too. The first "router" connected to the internet would be the cable or DSL modem - - right?
I have been thinking a bit more about this topic.
In these configurations, all the in-house computers will be sharing the bandwidth of one channel on the router. Can this be an issue in terms of applications with large amounts of data flowing through the internal network?
 
That is what I was thinking too. The first "router" connected to the internet would be the cable or DSL modem - - right?

While I believe this would be technically true, these routers usually only push out 1 IP address, which is directly routable from the internet and useless in this situation.
 
While I believe this would be technically true, these routers usually only push out 1 IP address, which is directly routable from the internet and useless in this situation.

Why is it useless? If using three routers, #1 is the DSL router, #2 is the router for the business LAN, and #3 is for the LAN for customer PCs. Both #2 and #3 connect to #1 and share the internet connection. What is wrong with this?
 