
Mitigating SSLStrip attack methods on the Secure Access SSL VPN


Categories:
Knowledge Base ID: KB13903
Last Updated: 11 Jun 2010
Version: 3.0

Summary:
SSLStrip is a tool that helps an attacker mount a man-in-the-middle attack against an SSL session that the user begins with a plain HTTP connection.

Problem or Goal:
When an attacker can sit on the wire between your user and your SSL VPN, they can potentially gain man-in-the-middle status by using SSLStrip. This is not a vulnerability in SSL or in the IVE, but a weakness in the way HTTPS connections usually begin: a user types the host name without a scheme, the browser connects over HTTP, and the web site answers with an HTTP to HTTPS redirect. That redirect is the issue.

By default the SSL VPN redirects port 80 (HTTP) connections to port 443 (HTTPS) for ease of use. Using ARP spoofing or another traffic diversion method, an attacker on the user's network path can run SSLStrip, which intercepts the user's initial HTTP request, follows the redirect to HTTPS itself, and serves the user a plaintext HTTP copy of the page with every https:// link rewritten to http://. The user's browser never enters HTTPS, so credentials and session data can be sniffed in the clear. Gaining layer 2 access and spoofing ARP takes some effort, but it is a well understood technique and the attack is practical.

Solution:
To mitigate this type of attack we recommend that you block port 80 (HTTP) access to your SSL VPN in your firewall. SSLStrip's rewriting engine relies on the server's own HTTP to HTTPS redirect; if port 80 never answers, there is no redirect for the attacker's proxy to follow and nothing to rewrite, so pages are only ever served over HTTPS. This essentially blocks SSLStrip attacks from occurring. Note that it does not stop an attacker in the middle from answering port 80 with a page of their own, so users should still be taught to type https:// explicitly rather than rely on the redirect.

Another solution is to configure your firewall to forward users who connect to the IVE on port 80 to a separate web server that presents an instruction page. The page should tell users to type https://ive.com in the address bar instead of just ive.com. Since this page is itself served over plain HTTP, it should instruct users to type the address rather than offer a link to click: a link on a plaintext page is exactly what an attacker in the middle can rewrite.
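The following Python model walks through the SSLStrip exchange described under "Problem or Goal" and then through both mitigations above (port 80 blocked at the firewall, and port 80 forwarded to an instruction page). It is an added example, not Juniper code or the SSLStrip tool itself: the origin behaviours, the host name ive.example.com, the /login path and the page bodies are constructed stand-ins for a real IVE. Only check_port80() contacts a live host, and it is there so you can confirm the firewall change after making it.

```python
"""Model of SSLStrip against an SSL VPN that redirects HTTP to HTTPS, and of the
two mitigations in this KB. Added example; origin behaviours are constructed."""
import http.client
import re
import socket

# --- constructed stand-ins for what the origin (or the firewall) returns on port 80

LOGIN_PAGE = ('<html><body><form action="https://ive.example.com/login" '
              'method="post"><input name="password"></form></body></html>')
INSTRUCTION_PAGE = ('<html><body>Please type https://ive.example.com '
                    'in your browser address bar.</body></html>')


def origin_default(path):
    """Default IVE behaviour (assumed): port 80 answers with a redirect to HTTPS."""
    return 302, {"Location": "https://ive.example.com" + path}, ""


def origin_blocked(path):
    """Firewall rejects port 80: the attacker's proxy never gets a connection."""
    raise ConnectionRefusedError("port 80 filtered")


def origin_instruction(path):
    """Firewall forwards port 80 to a web server holding a plain instruction page."""
    return 200, {"Content-Type": "text/html"}, INSTRUCTION_PAGE


def origin_https(url):
    """Stand-in for the real HTTPS login page the proxy fetches on the victim's behalf."""
    return 200, {"Content-Type": "text/html"}, LOGIN_PAGE


# --- what the man-in-the-middle does

def strip_https(body):
    """Rewrite every https:// reference to http:// so the victim's browser stays in clear text."""
    return re.sub(r"https://", "http://", body)


def sslstrip_proxy(origin, path="/"):
    """Handle one plaintext request from the victim the way SSLStrip does: forward it
    to the origin on port 80, follow an HTTPS redirect itself, and return a plaintext
    copy with links stripped. Returns (status, body); status None means no answer."""
    try:
        status, headers, body = origin(path)
    except ConnectionRefusedError:
        return None, ""  # nothing to rewrite: the victim just sees a connection error
    if status in (301, 302) and headers.get("Location", "").startswith("https://"):
        status, headers, body = origin_https(headers["Location"])
    return status, strip_https(body)


def victim_sends_credentials_in_clear(origin):
    """True when the victim ends up on an HTTP page whose login form posts over HTTP."""
    status, body = sslstrip_proxy(origin)
    return status == 200 and 'action="http://' in body


# --- live check to confirm the mitigation on a real deployment

def check_port80(host, timeout=5):
    """Classify a host's port 80: 'redirect' (the SSLStrip precondition is still present),
    'blocked' (connection refused or timed out), or 'other' (e.g. an instruction page)."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
    except (OSError, socket.timeout):
        return "blocked"
    location = (resp.getheader("Location") or "").lower()
    if resp.status in (301, 302, 303, 307, 308) and location.startswith("https://"):
        return "redirect"
    return "other"


if __name__ == "__main__":
    for name, origin in [("default redirect", origin_default),
                         ("port 80 blocked", origin_blocked),
                         ("instruction page", origin_instruction)]:
        print(f"{name:18} credentials exposed: {victim_sends_credentials_in_clear(origin)}")
```

Run check_port80("your-ive-hostname") from outside the firewall after the change; anything other than "blocked" or "other" means the redirect SSLStrip needs is still reachable. The instruction-page run also shows the limit of that option: the page travels in clear text, so the same attacker can rewrite its wording (the model turns "https://" in the text into "http://"). It is a usability aid for users who forget the scheme, not a control against an attacker already in the middle.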

Purpose:
Troubleshooting

Related Links:

 

 

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.