2

Say I want to engage in an action that can be compromised through a man-in-the-middle attack (like key exchange). I've done my best to secure my end of the communication up until the point the network leaves the building: I make sure my machine is not compromised, there's no unrecognized devices on my LAN, I verify that my DNS has not been compromised etc. My partner also does the same on their end and we're both confident that a man in the middle attack can not be conducted from within the building.

How motivated would an attacker have to be to successfully compromise the network between us in order to conduct a man in the middle attack? I'm assuming the US government, with the co-operation of the ISPs would be able to do it. But what about doing it without the permission of the ISP?

If I'm using DSL, could someone break into the local DSLAM and insert a proxy?

Could they dig up the wire in somebody's front yard & compromise it?

Is it possible to remotely hack into backbone routers and have them act as a proxy?

Most discussions about securing against man-in-the-middle attacks focus on the local network with the implicit assumption that once it gets out of your building, it's secure. How true is this in theory & practice?

Shalmanese

3 Answers

2

The general security answer is that some information, for example a shared secret or other key, must be exchanged "out of band". That information is then used to encrypt the connection between the end-points and also to provide some degree of authentication. If everything passes over a particular connection, then neither end-point can be confident in any aspect of the connection, as either or both end-points can be spoofed by a man-in-the-middle.

Even for some seemingly in-band connections, like SSL connections, there is information being exchanged outside the SSL connection - the certificates for CAs (Certificate Authorities) are packaged with your browser when you install it, out of band of the eventual SSL connection between you and your bank (hopefully).

As for the usual security discussions, I think the implicit assumption is the opposite of the described "once it gets out of your building [or network segment or host machine], it's secure". Once the data is out of your building, you have no control over it, and the data and connection are implicitly insecure. That's why you create VPNs between buildings - so that if an attacker tampers with the connection, you might have a chance of knowing it.

Perhaps what you have noticed about end-point security discussions is that an attacker has an easier time attacking a specific target if the attacker is near one of the end-points. Once a connection is multiplexed into the Telco's core network, it can be difficult to distinguish one connection from another. Perhaps what you have noticed about end-point security discussions is that many companies do less to secure their local networks than the ISP does to secure its data center, and therefore the end-point is easier to attack.

If you really want to delve into the paranoia of securing network connections, take a look at the military's Rainbow Series of books/reports on security (superseded by the Common Criteria for Evaluation and Validation, but Rainbow Series is a catchier nickname).

pcapademic

1
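A worked illustration of the first answer's point, added here as an example (it is not code from the thread or from any of its posters): an in-band Diffie-Hellman exchange on its own lets an in-path device swap in its own public value without either end noticing, whereas a key fingerprint compared out of band, or a pre-shared secret agreed out of band and used to MAC the exchange, makes the substitution detectable. The DH group is the 1024-bit MODP group from RFC 2409 (group 2), transcribed here and sanity-checked with Miller-Rabin; the party names, the relay model, the tag layout and the fingerprint length are constructed for this example, and a real deployment would use a larger modern group or an elliptic-curve exchange.

```python
"""Out-of-band information turning an in-band key exchange into an
authenticated one. Added example; standard library only."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# RFC 2409 group 2 (1024-bit MODP). Chosen so the constant fits on the page;
# it is too small for real use today.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
NBYTES = 128  # big-endian width of any value mod P


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin; a sanity check that the transcribed modulus is prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def fingerprint(pub: int) -> str:
    """Short digest of a public value: what you would read out over the phone."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:16]


def auth_tag(psk: bytes, sender: str, pub: int) -> bytes:
    """MAC binding a public value to its sender under the out-of-band secret."""
    msg = sender.encode() + b"|" + pub.to_bytes(NBYTES, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


class Party:
    """One end-point. `psk` is the secret agreed out of band, or None."""

    def __init__(self, name: str, psk: Optional[bytes]):
        self.name, self.psk = name, psk
        self.priv = secrets.randbelow(P - 3) + 2  # exponent in [2, P-2]
        self.pub = pow(G, self.priv, P)

    def offer(self) -> Tuple[str, int, bytes]:
        tag = auth_tag(self.psk, self.name, self.pub) if self.psk is not None else b""
        return self.name, self.pub, tag

    def accept(self, peer: str, peer_pub: int, tag: bytes,
               expected_fp: Optional[str] = None) -> Optional[bytes]:
        """Session key, or None when the peer's value fails authentication."""
        if not 2 <= peer_pub <= P - 2:
            return None
        if self.psk is not None and not hmac.compare_digest(
                tag, auth_tag(self.psk, peer, peer_pub)):
            return None
        if expected_fp is not None and fingerprint(peer_pub) != expected_fp:
            return None
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()


def run(psk: Optional[bytes], tamper: bool, check_fp: bool) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Exchange between alice and bob. With `tamper`, an in-path relay replaces
    both public values with its own. Returns (alice_key, bob_key)."""
    alice, bob = Party("alice", psk), Party("bob", psk)
    a_name, a_pub, a_tag = alice.offer()
    b_name, b_pub, b_tag = bob.offer()
    if tamper:
        relay = Party("relay", None)
        a_pub, b_pub = relay.pub, relay.pub
    # expected fingerprints were learned out of band, so they come from the
    # real end-points, not from what arrived on the wire
    bob_key = bob.accept(a_name, a_pub, a_tag, fingerprint(alice.pub) if check_fp else None)
    alice_key = alice.accept(b_name, b_pub, b_tag, fingerprint(bob.pub) if check_fp else None)
    return alice_key, bob_key


if __name__ == "__main__":
    a, b = run(None, True, False)
    print("no out-of-band info, tampered: accepted but keys differ ->", a != b)
    print("pre-shared secret, tampered: rejected ->", run(b"psk", True, False) == (None, None))
    print("fingerprint check, tampered: rejected ->", run(None, True, True) == (None, None))
```

The interesting case is the one with no out-of-band information: both ends happily "complete" the exchange, each holding a key shared with the relay rather than with each other, and nothing on the wire reveals it. Either out-of-band mechanism turns that silent failure into an explicit rejection, which is the "chance of knowing it" the answer describes.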

"Once I ensure security out of the building, am I safe from Man in the Middle attacks?"

In a word, no. You are not safe just because you made it safely out of the building.

MITM examples tend to revolve around a LAN or host compromises because those are the most likely vehicle for a MITM attack.

Exploiting any router between you and your peer, in any number of ways (some of which you have mentioned), an attacker could gain the ability to perform a MITM attack.

paxos1977

0

All the items you've suggested are possible albeit unlikely.

Using SSL with properly verified certificates is by far the best idea.

LapTop006