KB13903 - Mitigating SSLStrip attack methods on the Pulse Connect Secure

Information

Last Modified Date: 5/16/2017 8:33 PM
Synopsis
SSLStrip is a tool that helps an attacker mount a Man-in-the-Middle (MITM) attack against SSL/TLS sessions that begin with a plain HTTP connection.
Problem or Goal
An attacker positioned on the wire between a user and the Pulse Connect Secure (PCS) can use SSLStrip to act as a Man in the Middle (MITM). This is not a vulnerability in SSL/TLS or in the PCS; it exploits the way many HTTPS sessions begin. A user types a bare host name, the browser first connects over plain HTTP, and the web site answers with an HTTP to HTTPS redirect. That unprotected first hop is the issue.

By default the PCS redirects port 80 (HTTP) connections to port 443 (HTTPS) for ease of use. Using ARP spoofing or another traffic-diversion method, an attacker who intercepts that first HTTP request can run SSLStrip: it fetches the HTTPS pages itself, rewrites the https:// links in them to http://, and relays the pages to the user in clear text, so the session (including credentials) can be sniffed while the user notices only a missing padlock. Gaining layer 2 access and spoofing ARP takes some effort, but the attack is practical.
Cause
Solution
Starting in 8.1R12 / 8.2R6, the PCS supports HTTP Strict Transport Security (HSTS). HSTS is a response header (Strict-Transport-Security) sent over HTTPS that instructs the browser to reach the site only over HTTPS for a stated period; a browser that has cached the policy upgrades later http:// requests itself and never sends the plain-HTTP request that SSLStrip depends on. A browser that has not yet seen the header (the very first visit) is still exposed, so the firewall and user-guidance measures below remain useful. For more information, please refer to KB40348 - Support for HTTP Strict Transport Security (HSTS) with Pulse Connect Secure and Pulse Policy Secure.

To mitigate this type of attack on other releases, block port 80 (HTTP) access to the PCS at your firewall. This removes the HTTP to HTTPS redirect that SSLStrip's rewriting engine preys on: the PCS serves its pages only over HTTPS, so a client that starts with https:// is never downgraded. The remaining exposure is a user who types the bare host name; that plain-HTTP request can be answered by an on-path attacker instead of the PCS, which is why the user guidance below matters.

Another option is to configure your firewall to forward port 80 connections destined for the IVE (the older name of the PCS appliance) to a separate web server that presents an instruction page. The page should tell users to type https://PCS.com rather than just PCS.com. That server must not itself redirect to HTTPS; a redirect would reintroduce the exact hop SSLStrip exploits.
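The following script is an added example, not Pulse Secure code, that ties the attack description and the mitigations above together: it parses captured port-80 and port-443 responses, evaluates whether the HTTP redirect and the HSTS policy leave a strippable hop, and shows the link rewrite SSLStrip performs on relayed pages. All sample responses are constructed, the host pcs.example.com is fictitious, and the 180-day minimum max-age is an assumed threshold rather than a vendor value.

```python
"""Classify a web front end's exposure to SSLStrip-style downgrade from its
port-80 and port-443 response headers (added example, not Pulse Secure code).
Sample responses are constructed; pcs.example.com is a fictitious host."""
import re

# Constructed sample of the default PCS behaviour: port 80 redirects to HTTPS.
HTTP_80_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://pcs.example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: HTTPS response with no HSTS (releases before 8.1R12/8.2R6).
HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
# Constructed sample: HTTPS response with HSTS enabled.
HTTPS_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its RFC 6797 directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: treat as absent
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess(http_raw, https_raw, min_max_age=15552000):
    """Return (risk, findings). http_raw is None when port 80 does not answer
    (blocked at the firewall as the KB recommends). min_max_age (180 days) is
    an assumed threshold, not a Pulse Secure value."""
    findings = []
    redirect = False
    if http_raw is None:
        findings.append("port 80 closed: no HTTP redirect for SSLStrip to rewrite")
    else:
        status, h = parse_response(http_raw)
        loc = h.get("location", "")
        if status in REDIRECT_CODES and loc.lower().startswith("https://"):
            redirect = True
            findings.append("port 80 redirects to %s: first hop is plain HTTP" % loc)
        else:
            findings.append("port 80 answers without an HTTPS redirect (status %d)" % status)
    _, hs = parse_response(https_raw)
    sts = hs.get("strict-transport-security")
    hsts = parse_hsts(sts) if sts else None
    if hsts is None or not hsts["max_age"]:
        findings.append("no effective HSTS policy on port 443")
        return ("high" if redirect else "low"), findings
    findings.append("HSTS max-age=%d" % hsts["max_age"])
    if hsts["max_age"] < min_max_age:
        findings.append("HSTS max-age below %d seconds" % min_max_age)
    # HSTS protects only browsers that already cached the header over HTTPS;
    # the very first plain-HTTP visit is still strippable.
    if redirect:
        findings.append("first-visit window remains until the policy is cached")
        return "medium", findings
    return "low", findings


_HTTPS_LINK = re.compile(r'(href|src|action)=(["\'])https://', re.IGNORECASE)


def sslstrip_rewrite(html):
    """What SSLStrip does to a relayed page: downgrade every https:// link to
    http:// so the victim keeps talking plaintext to the attacker.
    Returns (rewritten_html, number_of_links_downgraded)."""
    return _HTTPS_LINK.subn(r"\1=\2http://", html)


if __name__ == "__main__":
    cases = (("default, no HSTS", HTTP_80_REDIRECT, HTTPS_NO_HSTS),
             ("default, HSTS", HTTP_80_REDIRECT, HTTPS_WITH_HSTS),
             ("port 80 blocked", None, HTTPS_NO_HSTS))
    for label, http, https in cases:
        risk, why = assess(http, https)
        print("%-18s -> %-6s %s" % (label, risk, "; ".join(why)))
    page = '<a href="https://pcs.example.com/login">Sign in</a>'
    print(sslstrip_rewrite(page))
```

To run it against a live appliance, capture the headers yourself (for example `curl -sI http://host/` and `curl -sI https://host/`) and pass the raw text to `assess`; pass `None` for the HTTP side when the connection is refused. The "medium" verdict for the HSTS case is deliberate: the policy closes the redirect hop only for browsers that have already visited over HTTPS.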
Created By: Data Deployment
