Addressing Man-in-the-Middle Attacks in Linux Server Environments


APRIL 2021

By: Mohie Ahmed

The benefits of using Linux Servers are well known, and the advantages of leveraging a more open operating system and software that can be loaded onto any “bare metal” server have driven the adoption of Linux-based solutions across large enterprises and organizations in every industry.

The global Linux operating system market size stood at USD 3.89 billion in 2019 and is projected to reach USD 15.64 billion by 2027, exhibiting a CAGR of 19.2% during the forecast period, according to Fortune Business Insights.

A man-in-the-middle attack (MITM) is an attack against a cryptographic protocol, with an adversary sitting in the middle and negotiating different cryptographic parameters with the client and the server. As more Linux servers are in service, enterprise, cloud providers, and application providers must focus on protecting the data and sessions enabled by those servers from MITM attacks.

A MITM attack may allow the attacker to subvert the encryption and gain access to content, including passwords, then injecting commands into the session to modify data in transit, to steal the data, or to cause other harm.

Sophisticated tools for performing MITM attacks vary and are used by professional hackers and by cybersecurity experts for pen-testing.

To protect against MITM attacks, a comprehensive “trust stack” is required, and an important pillar of that stack is the use of Zero Trust Least Privileged Access Management.

Ironsphere provides privileged access security capabilities based on the MITM threat architecture to prevent credential theft of super-user accounts and ensures they are used only for legitimate business purposes.

Direct Access refers to the accidental or intentional access attempts from users’ computers to remote hosts/servers directly, and Ironsphere has developed an advanced solution that redirects attackers, forcing the sessions to go through our platform.

Privileged user direct access management can be approached in 4 different ways:

  1. Changing the owner of the privileged credentials (from users to Ironsphere)
  2. Blocking direct access at the network level
  3. Detecting and responding to direct access attempts
  4. Deploying Access Control Agents on Hosts/Servers

These options can be used individually or combined in a single deployment. This decision will be primarily driven by the nature of the infrastructure and the desired level of control/security.

Our new solution brief details how Ironsphere deploys Access Control Agents on Hosts/Servers – specifically as it applies to Linux Servers.

The Access Control Agents run on target hosts/servers (in this case Linux servers) and detect user remote console access attempts, regardless of the source or type of attempt.

Once the Access Control Agent detects a remote console access attempt on a Linux server, it manages whether or not the user is allowed to connect and limits the commands that the user will be allowed to execute, via a centralized server.

The access permission and application isolation policies are managed by the central Ironsphere server (i.e., Policy Decision Server) and enforced by the Ironsphere Access Control Agent (i.e. Policy Enforcement Point) on Linux servers.

All-access attempts, session details, and user activity are tracked by the Access Control Agent and sent to the central server, enabling unified visibility into user activity throughout all Linux servers in the organization’s technology infrastructure. 

Access Control Agent-based deployment provides the following direct access capabilities to manage such exceptional or edge use cases:

  1. Segregation of duties: central management of which users have direct access to which servers
  2. Single-Sign-On: enable users to log in to Linux servers with their personal accounts on Active Directory
  3. Multi-Factor Authentication: additional security layer to ensure the person accessing Linux server is who they claim to be
  4. In-Session Least Privilege Management: central management of which users can or cannot execute which commands on remote Linux servers
  5. Role-based Privilege Management
  6. Unified Visibility and Audit Trails of all user activities during direct access sessions

Learn more about the details of our PAM solution, which is the fastest and easiest to deploy in the market due to its agentless man-in-the-middle architecture, by downloading our new solution brief, specifically designed to support Linux server environments.

Similar Blogs

At The Crossroads of Risk Management and Privileged Access Management, Hyper-Automation Matters

At The Crossroads of Risk Management and Privileged Access Management, Hyper-Automation Matters

There are few things in business that come with no risk. In fact, the future truly belongs to the bold, and those enterprises who push themselves to innovate more and accelerate digital transformation across their offerings are winning. The greatest risk of all today may be doing nothing, hoping that the status quo will be enough to keep existing customers and win new customers.

read more