An example of trust exploitation is a system on the outside of a firewall that has a trust relationship with a system on the inside of a firewall. When the outside system is compromised, the attacker can leverage that trust relationship to attack the inside network.
You can mitigate trust exploitation-based attacks through tight constraints on trust levels within a network. Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall. Such trust should be limited to specific protocols and, where possible, should be validated by something other than an IP address.
Port redirection attacks are a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be dropped. Consider a firewall with three interfaces and a host on each interface. The host on the outside can reach the host on the public services segment (commonly referred to as a demilitarized zone [DMZ]), but not the host on the inside.
The host on the public services segment can reach the hosts on both the outside and the inside. If hackers are able to compromise the public services segment host, they can install software to redirect traffic from the outside host directly to the inside host. Though neither communication violates the rules implemented in the firewall, the outside host has now achieved connectivity to the inside host through the port redirection process on the public services host. An example of an application that can provide this type of access is Netcat.
Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol. Netcat is designed to be a reliable "back-end" tool that can be used directly or that can easily be driven by other programs and scripts. At the same time, Netcat is a feature-rich network debugging and exploration tool because it can create almost any kind of connection that you would need and has several interesting built-in capabilities.
Port redirection can be mitigated primarily through the use of proper trust models that are network specific. Assuming a system is under attack, a host-based IPS can help detect a hacker and prevent installation of such utilities on a host.
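A trust model like the one described above can be checked by walking the firewall's allow rules for indirect zone-to-zone paths. The following is an added example, not part of the original page; the zone names, services and both rule sets are constructed assumptions that mirror the three-interface firewall in the text.

```python
from collections import defaultdict

# Constructed rule sets for the three-interface firewall described above.
# Each allow rule: (source zone, destination zone, service); "any" = all ports.
BROAD = [
    ("outside", "dmz", "tcp/443"),
    ("dmz", "outside", "any"),
    ("dmz", "inside", "any"),       # DMZ host fully trusted by the inside
]
CONSTRAINED = [
    ("outside", "dmz", "tcp/443"),
    ("dmz", "inside", "tcp/5432"),  # trust limited to one protocol
]


def allowed(rules):
    """Map each (src, dst) zone pair to the set of services permitted."""
    table = defaultdict(set)
    for src, dst, service in rules:
        table[(src, dst)].add(service)
    return table


def relay_paths(rules, src, dst):
    """Return indirect zone paths from src to dst that no direct rule permits.

    Each result is (path, services), where services is what the last hop
    exposes on dst to a compromised intermediate host.
    """
    table = allowed(rules)
    if (src, dst) in table:
        return []                   # direct access is policy, not a relay
    found, stack = [], [[src]]
    while stack:
        path = stack.pop()
        for (a, b), services in table.items():
            if a != path[-1] or b in path:
                continue            # rule does not extend this path, or loops
            if b == dst:
                found.append((path + [b], sorted(services)))
            else:
                stack.append(path + [b])
    return found


if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("constrained", CONSTRAINED)):
        for path, services in relay_paths(rules, "outside", "inside"):
            print(f"{name}: {' -> '.join(path)} exposes {services}")
```

Both rule sets still contain the outside -> dmz -> inside path, but the constrained one exposes a single service to a compromised DMZ host instead of every port on the inside segment.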
The possible uses of man-in-the-middle attacks are the following:
An example of a man-in-the-middle attack is when someone working for your ISP gains access to all network packets transferred between your network and any other network. Man-in-the-middle attackers take care not to disrupt traffic and thus set off alarms. Instead, they use their position to stealthily extract information from the network.
Man-in-the-middle attack mitigation is achieved, as shown in the figure, by encrypting traffic in an IPSec tunnel. Encryption allows the hacker to see only cipher text.