Georgia College & State University



Similar documents
DNS Best Practices. Mike Jager Network Startup Resource Center

Payment Card Industry (PCI) Data Security Standard

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

DOMAIN NAME SECURITY EXTENSIONS

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

8. Firewall Design & Implementation

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

INFORMATION SECURITY REVIEW

Use Domain Name System and IP Version 6

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

Internet Security Firewalls

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Internet Security Firewalls

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Network Layers. CSC358 - Introduction to Computer Networks

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

The memoq server in a Corporate Network

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

The memoq server in a Corporate Network

Copyright

STARTER KIT. Infoblox DNS Firewall for FireEye

The Importance of a Resilient DNS and DHCP Infrastructure

PCI Security Scan Procedures. Version 1.0 December 2004

Chapter 5 Customizing Your Network Settings

The Bomgar Appliance in the Network

DNS Security FAQ for Registrants

Configuring User Identification via Active Directory

Forouzan: Chapter 17. Domain Name System (DNS)

Recommended IP Telephony Architecture

Session 2: Self Assessment Questionnaire

Securing DNS Infrastructure Using DNSSEC

ICS 351: Today's plan. DNS WiFi

Application. Transport. Network. Data Link. Physical. Network Layers. Goal

What would you like to protect?

Public-Root Name Server Operational Requirements

Basics of Internet Security

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls, IDS and IPS

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Introduction to Network Operating Systems

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

FAQ (Frequently Asked Questions)

M2M Series Routers. Port Forwarding / DMZ Setup

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Firewalls. Steven M. Bellovin Matsuzaki maz Yoshinobu

DNS Architecture Case Study: Resiliency and Disaster Recovery

Internal Server Names and IP Address Requirements for SSL:

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Guidance Regarding Skype and Other P2P VoIP Solutions

Network Security Management

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

How To Protect Your Network From Attack

Cisco Expressway Basic Configuration

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

FIREWALL POLICY DOCUMENT

Network System Management. Creating an Active Directory Domain

FIREWALL POLICY November 2006 TNS POL - 008

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

Before the. Committee on Energy and Commerce Subcommittee on Communications and Technology United States House of Representatives

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

SECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS

UNCLASSIFIED. BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment (ITSG-23)

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Detecting rogue systems

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Installing DNS On Windows 2003

Application-layer protocols

UCIT INFORMATION SECURITY STANDARDS

Networking Domain Name System

How to Configure Split DNS

nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc.

Maruleng Local Municipality

Network Security Policy

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION

Owner of the content within this article is Written by Marc Grote

Lecture 2 CS An example of a middleware service: DNS Domain Name System

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

This chapter covers the following topics:

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

FIREWALLS & CBAC. philip.heimer@hh.se

Linux Network Security

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

How to Secure a Groove Manager Web Site

Working With Virtual Hosts on Pramati Server

TMS Phone Books Troubleshoot Guide

Incident Response Plan for PCI-DSS Compliance

Deploying ModusGate with Exchange Server. (Version 4.0+)

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

Understand Names Resolution

Transcription:

Georgia College & State University Milledgeville, GA Domain Name Service Procedures

Domain Name Service Table of Contents TABLE OF REVISIONS... 3 SECTION 1: INTRODUCTION... 4 1.1 Scope and Objective... 4 1.2 Terms and Definitions... 4 SECTION 2: DOMAIN NAME SERVER (DNS) SYSTEM SECURITY... 5 2.1 Internal DNS Security Standards & Procedures... 5 2.2 External DNS Security Standards & Procedures... 6 2

Table of Revisions NU Original Date: May 6, 2013 Revision Number: Description: Date: Revised By: 3

Section 1: Introduction The Georgia College & State University s Division of Information Technology (DoIT) is the steward of the Georgia College domain. The domain is facilitated by Domain Name Servers (DNS) that translates Internet Protocol (IP) addresses into domain names. The servers are a critical part of the campus network infrastructure and Internet navigation. Because DNS data is meant to be public, preserving the confidentiality of DNS data pertaining to publicly accessible IT resources is not a concern. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and to maintain the integrity of domain name information in transit. Thus, the DoIT maintains DNS security procedures that regulates use and protects the DNS systems from associated threats. 1.1 Scope and Objective The DNS security procedures provide guidance for maintaining data integrity and performing source authentication. The procedures optimize and standardize practices concerning both internal and external DNS systems at Georgia College. They also improve Georgia College s security posture by reducing threats posed by attackers who could attempt to gain information about the network and subsequently use that information to compromise other services. By anticipating threats and utilizing a split DNS system, DoIT circumvents attacks such as unauthorized zone transfers, denial-of-service, and domain spoofing. 1.2 Terms and Definitions Domain- is most often used to refer to a domain zone, but it is also used to describe a zone or a domain name. Domain Name System (DNS) - an internet technology used to convert domain names to corresponding IP addresses. DNS Spoofing (cache poisoning) - occurs when an attacker sends a recursive query using a FALSE authoritative record to a victim server for resolution. The victim server caches the false or spoofed record. The victim s resolve continues to use the false record resulting in a potentially major security leak as information can be misdirected. Split DNS: Internal hosts are directed to an internal domain name server for name resolution, while external hosts are directed to an external domain name server for name resolution. DoIT (Division of Information Technology) 4

Section 2: Domain Name Server (DNS) System Security 2.1 Internal DNS Security Standards & Procedures Pursuant to USG Internal DoIT Procedure DNS Standard 5.9.1.4 (1) DoIT maintains an internal DNS system. 5.9.1.4 (2) DNS systems are physically secured, isolated from human traffic, and restricted to authorized personnel. The system locations are monitored to detect smoke, moisture, and temperature. Unauthorized users cannot gain access and there is no threat of casual interference. Authorized users are always logged out and server log on restrictions only permit access to identifiable systems. To mitigate single node failures, DNS server clients are configured to utilize primary, secondary, and tertiary servers. DNS servers are single purposed and preparations have been made to replace servers in the event of failure. 5.9.1.4 (3) The internal DNS consists of an internal host record. The addresses are monitored and defined by access control listing. 5.9.1.4 (4) DoIT utilizes Microsoft Active Directory (AD) environments which employs dynamic DNS as an integral part of the system architecture. Domain controllers register their network service types in DNS so that other computers in the Domain can access them. Updates are manually conducted so that the AD servicers can write back information. 5.9.1.4 (5) Microsoft products authenticate and authorize all users of Georgia College PCs and laptops. PCs and Laptops are not listed on the DNS automatically because they are on a Georgia College domain and must be listed by using Active Directory (AD). 5.9.1.4 (6) All internal applications refer to the DNS server. This is in anticipation of IP address changes on the server side, so it will not need configuration modification on client side. The DNS system structure mitigates the risk of domain spoofing and cache poisonings. 5

DNS System Security (continued) Pursuant to USG Internal DNS Standard 5.9.1.4 (7) DoIT Procedure The internal DNS server is located on LAN segment that is different than users. 5.9.1.4 (8) The internal DNS system does not access the Internet directly. The system does not query directly against root or external servers. 5.9.1.4 (9) Queries to the Internet domain are forwarded to an external DNS. 5.9.1.4 (10) The internal DNS cannot be accessed from an external DNS or the Internet. Table 1: Georgia College s Internal DNS Procedures Pursuant to USG Requirement 5.9.1.4 2.2 External DNS Security Standards & Procedures Pursuant to USG External DNS Standard DoIT Procedure 5.9.1.4 (1) DoIT maintains an external DNS located in a demilitarized zone (DMZ). 5.9.1.4 (2) The external DNS system is protected by firewalls, TCP 53, and UDP 53. 5.9.1.4 (3) The external DNS system does not contain any internal hosts. No exclusively internal name is listed in the external DNS. 5.9.1.4 (4) The external DNS system only contains host records that can be accessed by the Internet, such as a web server, Internet application, mail server, etc. 5.9.1.4 (5) Georgia College s DNS is able to access the Internet to perform a domain query. It has the capability to synchronize upon proper authorization. Table 2: Georgia College s External DNS Procedures Pursuant to USG Requirement 5.9.1.4 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information