DNS Security: New Threats, Immediate Responses, Long Term Outlook. 2007 2008 Infoblox Inc. All Rights Reserved.



Similar documents
A Best Practices Architecture for DNSSEC

DNS Architecture Case Study: Resiliency and Disaster Recovery

Reliable DNS and DHCP for Microsoft Active Directory

TECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory

The Importance of a Resilient DNS and DHCP Infrastructure

WHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

Reliable DNS and DHCP for Microsoft Active Directory Protecting and Extending Active Directory Infrastructure with Infoblox Appliances

Beyond Quality of Service (QoS) Preparing Your Network for a Faster Voice over IP (VoIP)/ IP Telephony (IPT) Rollout with Lower Operating Costs

Securing Your Business with DNS Servers That Protect Themselves

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

DNS Appliance Architecture: Domain Name System Best Practices

DNS security: poisoning, attacks and mitigation

DNSSEC in your workflow

Grid and Multi-Grid Management

Infoblox vnios Software for CISCO AXP

DNS at NLnet Labs. Matthijs Mekking

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

DNSSEC - SECURE DNS FOR GOVERNMENT. Whitepaper

DNSSEC Practice Statement (DPS)

Challenges in Deploying Public Clouds

Automated Network Control for

Infoblox Grid TM. Automated Network Control for. Unifying DNS Management and Extending the Infoblox Grid TM to the F5 Global Traffic Manager

Secure and Hardened DNS Appliances for the Internet

DNSSEC Applying cryptography to the Domain Name System

Simplifying Private Cloud Deployments through Network Automation

Securing Your Business with DNS Servers That Protect Themselves

STARTER KIT. Infoblox DNS Firewall for FireEye

Infoblox Inc. All Rights Reserved. Securing the critical service - DNS

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Use Domain Name System and IP Version 6

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

Installing and Using the vnios Trial

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

American International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

DNS SECURITY TROUBLESHOOTING GUIDE

DNSSEC Policy Statement Version Introduction Overview Document Name and Identification Community and Applicability

Domain Name System Security (DNSSEC)

The Domain Name System from a security point of view

Infoblox Grid Technology

WHITE PAPER. Infoblox IPAM Integration with Microsoft AD Sites and Local Services

TCPWave IP Address Management

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Deployment Guide A10 Networks/Infoblox Joint DNS64 and NAT64 Solution

Security in the Network Infrastructure - DNS, DDoS,, etc.

An Intrusion Detection System for Kaminsky DNS Cache poisoning

CHOOSING A RACKSPACE HOSTING PLATFORM

Deploying DNSSEC: From End-Customer To Content

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Infoblox Education Services Course Catalog

Infoblox Core Network Services solution

Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

PROJECT SUMMARY ROWAN UNIVERSITY REQUIREMENTS

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

Infoblox Integrated IP Address Management Solution Built-in, Appliance-based DNS/DHCP/IPAM for Real-time Data and Services Delivery

DNSSEC Root Zone. High Level Technical Architecture

WHITE PAPER. How to Get the Most out of DNS in an Active Directory Environment

WHITEPAPER. Designing a Secure DNS Architecture

DNSSEC Deployment a case study

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

Virtualized Domain Name System and IP Addressing Environments. White Paper September 2010

This framework is documented under NLnet Labs copyright and is licensed under a Creative Commons Attribution 4.0 International License.

USING THE DNS/DHCP ADMINISTRATIVE INTERFACE Last Updated:

Internet-Praktikum I Lab 3: DNS

Infoblox Education Services Course Catalog

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Cyber Security for NERC CIP Version 5 Compliance

Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC

Web Drive Limited TERMS AND CONDITIONS FOR THE SUPPLY OF SERVER HOSTING

BMC s Security Strategy for ITSM in the SaaS Environment

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

DNSSec Operation Manual for the.cz and e164.arpa Registers

FortiBalancer: Global Server Load Balancing WHITE PAPER

F-Root's DNSSEC Signing Plans. Keith Mitchell Internet Systems Consortium DNS-OARC NANOG48, Austin, 24 th Feb 2010

Securing DNS Infrastructure Using DNSSEC

Step-by-Step DNSSEC-Tools Operator Guidance Document

A Review of Administrative Tools for DNSSEC Spring 2010

DNS Caching Krytyczna infrastruktura operatora i ostatni element układanki

The F5 Intelligent DNS Scale Reference Architecture.

Global Server Load Balancing

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

Public-Root Name Server Operational Requirements

Transcription:

DNS Security: New Threats, Immediate Responses, Long Term Outlook 2007 2008 Infoblox Inc. All Rights Reserved.

A Brief History of the Recent DNS Vulnerability Kaminsky briefs key stakeholders (CERT, ISC, major vendors), who agree on interim fix CERT issues DNS cache poisoning advisory urging users to patch; Many vendors have patched code available; Exploit details not released; Kaminsky offers to reveal on 8/7 at Black Hat March, 2008 July 8, 2008 July 21, 2008 TODAY Dan Kaminsky discovers new way to exploit a longknown DNS vulnerability caused by poor randomization Providers of DNS servers (ISC, Microsoft, Cisco, Infoblox, etc.) patch their code Nearly all DNS implementations (BIND, Microsoft) are vulnerable Halvar Flake s public speculations on the nature of exploit are confirmed, details widely distributed Less than 50% of DNS servers are patched. DNS cache poisoning attacks are in the wild

What Do I Do? 1 Upgrade to the latest (patched) version of your name server That is, the newest version that includes a patch for the new vulnerability ISC has a new version of BIND Microsoft has a new version of the Microsoft DNS Server Infoblox has a new version of NIOS And so on The patch actually addresses some other known vulnerabilities, too Concerned about patching (labor, DNS outages, errors, etc.)? Understandable, but do it anyway! It s important, and it works >600 Infoblox customers have downloaded patched code since July 8, most have upgraded and are in production today 2 Restrict or disable recursion wherever possible 1 Note: There can be issues with recursive DNS servers behind NAT/PAT firewalls 3 Monitor and act quickly when attacks are ongoing 4 Start working on a plan for DNSSEC

DNS Best Practices Architecture is the Start: Redundancy, Resiliency, Serviceability 2008 Infoblox Inc. All Rights Reserved. 2007

Modern Approaches Make it Easier to Implement and Manage Best Practices DNS Architectures DNS Appliances Appliance Grid Admins, Help Desk, Security, etc. Hardened, secure platforms Integrated core network services: DNS, DHCP, IPAM, RADIUS, FTP/TFTP/HTTP, FTP, more Built-in high availability Centralized management, visibility & control One-touch disaster recovery One-touch patching & upgrades with no downtime

Serviceability and Security go Hand in Hand Serviceability needs to start becoming a more important purchasing metric. Serviceability is, ultimately, the measure of software flaw survivability Dan Kaminsky Infoblox Grid Technology makes upgrading groups of DNS servers easy, fast and reliable The Ultimate in serviceability Ok, that was too easy. Much better than upgrading BIND. Thanks!!!! - Michael L Hershberger, Armstrong 2007 Infoblox Inc. All Rights Reserved.

Implementing a Hardened Forwarding Tier Provides a DNS Firewall, Protecting Internal Servers Attacker Company1.com Company2.com Company3.com < Authoritative DNS Servers Thwarted cache poisoning attack > DNS Firewall > < Recursive DNS Queries Hardened, patched DNS servers/appliances configured as forwarders protect internal systems HA pairs provide nonstop operation Internal Microsoft and BIND servers > One-touch upgrades with no downtime makes patching easy Microsoft DNS/DHCP Server ISC BIND DNS Server Microsoft DNS/DHCP Server ISC BIND DNS Server < DNS queries for public Internet < Internal Clients

Infoblox DNS Security Features Provide Visibility & Response DNS Protocol Monitoring Real-time reporting Attack in Progress Attack alerts Email/trap when attack profile thresholds exceeded Attack Threshold Alert Trigger Attack mitigation Limit DNS query rate by source address and other parameters X

Free Tools are Available to Support DNS System Testing and Assessment DNS Vulnerability Test http://www.doxpara.com DNS Advisor (External) & DNS Advisor Pro (Internal) http://www.infoblox.com/services/dns_advisor.cfm DNS Audit Guidelines http://www.infoblox.com/library/dns-security-center.cfm

Looking Forward: The Path to roll-out DNSSEC 2004-2005: Infoblox trials DNSSEC with US Government agencies Project put on hold because of lack of Interest 2007-2008: Infoblox re-connects with DNSSEC pioneers Steve Crocker www.dnssec-deployment.org Olaf Kolkman www.nlnetlabs.nl Staffan Hagnell www.iis.se Cricket Liu, www.infoblox.com, Author of O Reilly s DNS and BIND Some end-users (primarily finance sector) Today: Infoblox works on a phased approach for practical DNSSEC rollout DNSSEC in the Internet resolver (cacher/forwarder) Infoblox Grid as the front end DNSSEC authoritative server (secondary) Infoblox key management Most challenging area in DNSSEC, together with last-mile and NSEC3 problem Key distribution difficult (will be better when root and TLD s sign their zones) Current tools store the key online and lack monitoring/logging and scalability DISI, ZKT and DNSSEC-tools

Why is deployment rate of DNSSEC <1% DNSSEC is to complex to deploy The weapon with which to shoot oneself in the foot is not a pop-gun but a military grade full automatic The root will never get signed There is no economy to push deployment Cache poisoning can be mitigated by correctly implementing random query ports and proper query ID The specification is still a moving target New technology; chicken and egg Zone walking possibility Automation for key rollover and distribution is not fully available Yes,.se TLD is signed, but what about my.com zone than?

Implementing DNSSEC Requires a Complete Set of Standards, Tools and Processes RRsets signing algorithm? (RSA/SHA1 or DSA or ) TTL for all records in a RRset? How to store your private key? Signature (RRSIG) expiration time? (determines frequency of re-signing) Key Management tools? (DISI, DNSSEC-tools or ZKT - none scale well) Process for key certification by parent zone (DS) records? Certification of.com zone? Chain of trust? DNSSEC-capable resolvers configured to ask for signed responses first? Handling of queries that don t request signed responses? Application checks for DNSSEC signed responses (AD bit set)? Will resolvers configured to only accept signed responses? How to roll back to unsigned zones?.????

The role of DNS solution manufacturers Don t just howl with wolfs Be smart, do research and develop a practical solution and process together with early adopters! Define a technology roadmap that could deliver key elements of a practical DNSSEC solution and process. These elements include: Implementation of a DNS protocol engine that completely complies to all DNSSEC standards. RFC 4033, 4034, 4035 (eg. BIND 9.3.2, NIOS 4.2) Improved management tools to performing the administrative tasks related to DNSSEC Development of high-powered, high-capacity hardware platforms that handles the cryptographic DNSSEC computations.

Summary New threats can arise for vulnerabilities once believed impractical to exploit News of a new exploit (and fix) can happen at any time serviceability (fast updates) is crucial to close vulnerability windows Best practices architecture can reduce risk Automated systems speed patching and eliminate downtime Everyone should do the following: Limit/disable recursion Don t let internal devices directly query the Internet Ensure sufficient DNS capacity Update your software whenever a known vulnerability is found and patched Organizations like ISACA and ISSA can take a leading role in developing, promoting and verifying DNS best practices

References CERT Advisory VU800113 http://www.kb.cert.org/vuls/id/800113isc ISC www.isc.org DNS Cache Poisoning Test www.doxpara.com DNS Best Practices White Paper http://www.infoblox.com/library/whitepapers.cfm DNS Advisor, Advisor LE, and Advisor Pro http://www.infoblox.com/services/dns_advisor.cfm DNS Audit Guidelines http://www.infoblox.com/library/dns-security-center.cfm

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information