Table of Contents

Editor’s Corner

Featured In This Issue

New Partnerships

Best Practices For Securing Your DNS Architecture

The Problem and Growth of Spyware

Cipher Trust’s IronMail Spam Profiler Tool

Five Steps to Enforcing Your Endpoint Security

The Costs of Managing Internal Passwords

Case Study

Akibia Partners

Contact Akibia

Best Practices for Securing Your DNS Architecture
By Cricket Liu
VICE PRESIDENT OF ARCHITECTURE

Since 1997, when the first high-profile attack against name servers was carried out, Domain Name System (DNS) infrastructure has become a favorite hacker target. For example, denial-of-service (DoS) attacks directed at name servers have become frustratingly common. One massive DoS attack in October 2002 cut off half of the Internet’s root name servers for several hours, and these are some of the hardiest and most important servers on the Internet.

And, in June 2004, Akamai reported that a “global DNS attack” caused outages at several customer Web sites, including Yahoo! and Google. Similarly, in July 2004, DoubleClick attributed a disruption in service at many top Web sites to DNS issues. MSN’s and Hotmail’s DNS problems have been widely reported in the press. And many of us are all too familiar with the browser’s “server not found” or “cannot resolve hostname” error, which much of the time is the result of compromised or misconfigured name servers. (A “404 Not Found” message, by contrast, comes from a Web server that was reached successfully, so in that case DNS was not the problem.)

Unfortunately, many organizations aren’t aware of, or overlook, the inherent vulnerabilities in their current DNS implementations. Because DNS has become so critical to daily network and application usage, attacks like these can have disastrous results.

DNS’s Evolution to a Core Network Service
Riding TCP/IP’s coattails, DNS has become the de facto standard naming service since its introduction in the early 1980s. Nearly all networked applications, from enterprise resource planning (ERP) to sales force automation software, now depend on DNS. With the introduction of Active Directory, even the corporate desktop depends on DNS: clients locate their domain controllers through DNS SRV records. Without stable DNS, business grinds to a halt.

And DNS dependence will only increase over time. The Internet Engineering Task Force is working on new applications for DNS, including ENUM, which uses DNS to deliver call completion information to voice-over-IP (VoIP) phones. When the ability to make a VoIP call depends on name resolution, DNS must be as reliable as a dial tone.

The Security Risks of Traditional DNS Infrastructure

Unfortunately, most enterprises continue to deliver DNS with legacy solutions, typically BIND or other name server software running on a general-purpose operating system such as Windows or a Unix variant. A general-purpose platform exposes far more than the DNS service itself: additional listening services, shell and remote-administration access, and a large body of code that must be kept patched. Each of these can leave the network susceptible to both downtime and attack, and when exploited by an ever larger and increasingly sophisticated community of attackers, enterprises can pay dearly.

Just a few examples of these vulnerabilities include the following:

  • The name server software may allow an intruder to compromise the server and take control of the host; this often leads to further compromise of the network.
  • Denial of service attacks, even those directed at a single DNS server, may affect an entire network by preventing users and customers from translating hostnames into the IP addresses they need.
  • Spoofing (cache poisoning) attacks can induce a name server to cache false resource records that then lead unsuspecting users to an attacker’s replica of the real site, where their personal information can be captured.
  • Information leakage from a seemingly innocent zone transfer can expose internal hostnames and network topology that an attacker can use to plan further attacks.
  • A name server could even become an unwitting participant in attacks on other sites; for example, an open recursive server will answer spoofed queries with large responses aimed at a third party’s address.
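As an added example, not taken from the article or from any vendor, here is a BIND 9 named.conf that closes each of the exposures listed above: zone transfers restricted to TSIG-signed requests, no recursion for outside clients, a validating resolver for internal clients only, version hiding, and response rate limiting. The zone name, addresses, key name and secret are placeholders.

```conf
// Added example, not from the article or from Infoblox: a BIND 9 named.conf
// that closes each exposure listed above. example.com, the addresses, the key
// name and the secret are placeholders.
//
// Weak settings this replaces, as found in many copied-around configs:
//   allow-transfer { any; };      -> any client can pull the whole zone (topology leak)
//   recursion yes;  (no ACL)      -> open resolver: cache poisoning target and a
//                                    reflector/amplifier against third parties
//   version (default)             -> advertises the exact code to fingerprint

acl internal    { 10.0.0.0/8; 192.168.0.0/16; localhost; };
acl secondaries { 192.0.2.53; 198.51.100.53; };     // RFC 5737 documentation addresses

// TSIG key shared with the secondaries; generate a real one with: tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen==";    // placeholder, not a real key
};

// Sign NOTIFY messages sent to the secondaries with the same key.
server 192.0.2.53    { keys { "xfer-key"; }; };
server 198.51.100.53 { keys { "xfer-key"; }; };

options {
    directory "/var/named";
    listen-on    { 203.0.113.53; };                   // only the intended interface
    listen-on-v6 { none; };
    version "not disclosed";                          // do not answer version.bind
    minimal-responses yes;

    // Global defaults: authoritative only, nothing transferred unless a zone
    // statement opens it explicitly.
    recursion no;
    allow-transfer { none; };
    notify explicit;
    also-notify { 192.0.2.53; 198.51.100.53; };

    // Response rate limiting blunts reflection attacks that spoof the victim's
    // source address (BIND 9.9.4 and later).
    rate-limit { responses-per-second 10; window 5; };
};

// Internal clients get a validating recursive resolver; nobody else does.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };
    dnssec-validation auto;                           // reject forged records the cache would otherwise keep

    zone "example.com" {
        type master;
        file "db.example.com.internal";
        allow-transfer { key "xfer-key"; };           // AXFR only with a valid TSIG signature
    };
};

// Everyone else sees an authoritative-only server with an empty cache.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "db.example.com";
        allow-transfer { key "xfer-key"; };
    };
};

// Run the daemon unprivileged and chrooted so a bug in named cannot hand over the host:
//   named -u named -t /var/named/chroot -c /etc/named.conf
// Check from an outside address with: dig @203.0.113.53 example.com AXFR
// (expected: "; Transfer failed.")
```

Validate the file with named-checkconf before reloading. Then, from an address outside the internal ACL, confirm that an AXFR for the zone is refused and that a recursive query (RD set) for a name the server is not authoritative for comes back REFUSED rather than answered; those two checks cover the zone-transfer and open-resolver items in the list above.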

In addition, installing, securing, patching, and upgrading legacy solutions, work that multiplies across the dozens of name servers on a typical enterprise network, introduces significant administration overhead and cost. DNS is a critical service that has become very complex to implement and manage on an enterprise scale, and that challenge is compounded by increasing security risks.

Imbalanced Risk to Protection Investment Ratio
Despite TCP/IP networks’ heavy dependence on DNS, most organizations chronically under-invest in it. This neglect encompasses more than the direct, financial cost of a DNS infrastructure. Within many companies, there is no clear accountability for DNS. Either several organizations share responsibility for supporting the service or no one has explicit responsibility for it, which can jeopardize stability and security and swallow IT resources throughout the organization.

Enterprises need to begin thinking of DNS in the same way they view routing and switching: as core network infrastructure. As such, they must find a way to deploy DNS that provides the reliability expected from core network infrastructure services and takes security risk into consideration, which calls for a fundamental change in the way domain name services are delivered.

Alleviating Risk with Secure DNS Appliances
To address these issues, enterprises are looking for a complete solution that combines the best features of IP management software in an easy-to-manage, secure, and reliable platform.
The appliance model reduces the attack surface by design. For example, the Infoblox DNS One appliance, out of the box, has no unnecessarily exposed network ports. It also provides no shell access, the kind of access that can easily be parlayed into unauthorized administrative rights to the box.

DNS appliances allow administrators to standardize on a single make of name server across the DNS architecture, eliminating interoperability problems while reducing the expense of maintaining name services on fragmented DNS implementations running on multiple platforms.

Appliances also simplify the patching process. For example, whenever an upgrade is available, Infoblox notifies companies via email, describing the nature of the upgrade, including its criticality. The “one-button” upgrade makes applying this patch painless. This makes it easy for an organization to ensure that its name servers run the latest name server code, while ensuring the highest levels of security and reducing administrative overhead. Organizations also can benefit from single vendor accountability for the service.

In closing, to protect network resources, enterprises should consider consolidating their enterprise-wide DNS architecture onto hardened, secure appliances that are owned and managed by a single group, and for which a single vendor can be relied upon for easy upgrades and patches.

These “locked-down” devices, such as Infoblox’s DNS One, remove most of the vulnerabilities and administrative overhead associated with DNS approaches based on general-purpose “open” operating systems, and can dramatically reduce an attacker’s ability to wreak havoc on an organization by penetrating its mission-critical DNS architecture. Don’t let your network become a victim!

For more information about Infoblox DNS One products, visit:
www.infoblox.com