Transcription
Protecting External DNS servers against attacks
the global IPAM company
Confidential - Property of EfficientIP - All rights reserved - Copyright 2012

Agenda
- Introduction & Reminders to DNS
- DNS Attacks and Vulnerabilities
- Prevention & Best Practices
- State-of-the-art Stealth DNS SMART Architecture
- DNSSEC

Introduction & Reminders to DNS

Why is DNS so critical?
- DNS is a nice target for hackers
- All Internet applications rely on DNS
- DNS is invisible to end users
- DNS is considered reliable and highly available
- DNS is concentrated on one or two servers, and can be cached on almost every Internet DNS server.

Internet DNS Architecture
- The Domain Name System is a hierarchical and distributed database
- Root Server
- Top Level

Internet DNS Architecture: Components
- Stub Resolver (client)
- DNS Recursive Resolver
- Caching Name Server
- Authoritative Name Server

Internet DNS Architecture
[Diagram: DNS client, Recursive Resolver / Caching Name Server, and the Authoritative Name Servers for Root, .com and efficientip.com]

DNS Attacks and Vulnerabilities

Two ways of DNS hacking
- By using protocol attacks
  - DNS protocol failure and limitation.
- By using attacks based on the DNS implementation
  - Attacks based on bugs or flaws of the programs (including the DNS engine).
  - Attacks based on the OS hosting the DNS server.
  - Attacks based on the architecture, including the network and the OS.

DNS Attacks & Vulnerabilities
- Denial of Service
  - Harm and block DNS traffic
- Data Modification
  - Query/Request Redirection
  - DNS cache poisoning
  - DNS ID hacking
- Zone Enumeration
- Tunnels

Denial of Service (DoS)
- DNS is an effective DoS attack vector for a few reasons:
  - DNS usually uses UDP as its transport.
  - Most autonomous systems allow source-spoofed packets to enter their network.
  - There are a lot of open DNS resolvers on the Internet.
- Types of attack to block DNS from responding
  - Overload the system by using:
    - DNS reflectors, amplification, botnet
    - DDoS, recursive malformed requests, impersonation

Data Modification: Query/Request Redirection
- Using Man-in-the-Middle position
  - Break of the chain of trust
- DNS Spoofing
  - Forge a fake answer
- DNS ID Hacking
  - Succeed in impersonating a DNS server
- DNS Cache Poisoning
  - Sending user to malicious site
  - Famously known with the Kaminsky bug

Zone Enumeration
- Not really considered as an attack
- Mostly considered as a threat, as it allows attackers to gather information
- Precedes an attempt at an attack

Tunnels
- Uses DNS TCP transport mechanism
- DNS TCP is used for
  - Failover transport: switch from UDP to TCP
  - Secondary zone transfer
  - DNSSEC and IPv6 traffic
- EDNS is often badly supported by customer networks
- Attacks use the TCP channel to tunnel other protocols and run malicious software

Prevention & Best Practices

Prevention
- Use Best Practices configurations
  - Run software in secure environment
  - Identify data flow
  - ACLs
- Stealth Architecture
- Enable DNSSEC
- Monitor DNS Traffic
  - Short term analysis (peak detection)
  - Long term analysis (abnormal behavior)

Server Secure Environment
- Running up-to-date software version
- Check that the Operating System also has all security fixes!
- EfficientIP comes in an appliance format with a single upgrade process that updates:
  - Operating System
  - Services
  - Software

Secure Environment: Data Flow Identification
- The server that you will be running is:
  - Caching server?
  - Resolver?
  - Authoritative?
- Separate the functions as much as possible.
- Disabling unwanted features will help prevent attacks! A public authoritative server should never be recursive.

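A check for the rule that a public authoritative server should never be recursive, as an added Python example (not from the original slides): it reads the header flags of a DNS reply, reports RA=1 or AA=0, and computes the reply-to-query size ratio that matters for amplification. The query, replies, name and address are constructed sample data, not captured traffic.

```python
import struct

# Header flag bits, RFC 1035 section 4.1.1.
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_query(name, txid=0x1234):
    """Minimal A/IN query with RD set, as a resolver-style client would send."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_reply(query, flags, address):
    """Constructed reply: echoes the question and adds one A record (TTL 300)."""
    txid, = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(address)
    return header + query[12:] + answer

def audit_reply(query, reply):
    """List findings for a reply from a server meant to be authoritative-only."""
    q_id, = struct.unpack("!H", query[:2])
    r_id, flags = struct.unpack("!HH", reply[:4])
    if r_id != q_id or not flags & QR:
        return ["not a reply to this query"]
    findings = []
    if flags & RA:
        findings.append("recursion available (RA=1)")
    if not flags & AA:
        findings.append("answer not authoritative (AA=0)")
    return findings

def amplification(query, reply):
    """Reply bytes per query byte; large ratios are worth rate limiting."""
    return len(reply) / len(query)

# Constructed sample data (documentation name and address).
QUERY = build_query("www.example.com")
GOOD = build_reply(QUERY, QR | AA | RD, [192, 0, 2, 10])
BAD = build_reply(QUERY, QR | RD | RA, [192, 0, 2, 10])

if __name__ == "__main__":
    for label, reply in (("authoritative-only", GOOD), ("recursive", BAD)):
        print(label, audit_reply(QUERY, reply) or "ok", round(amplification(QUERY, reply), 2))
```
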
Access Control List
- ACLs are used to control what information will be published
- With Data Flow Identification, you can choose who will be able to:
  - Allow query (server and zone level)
  - Allow query cache (server level)
  - Allow transfer (server and zone level)
  - Allow update (zone level)
  - Blackhole (server level)
  - Negative Cache (zone level)

State-of-the-art Stealth DNS SMART Architecture

Protecting External DNS Architecture
- A good way to do so is to:
  - Hide information from the Internet: private DNSSEC keys, DNS architecture, flows.
  - Protect the Master DNS server against attacks
- The answer is: Stealth DNS Architecture

Ease of Deployment
- Automate DNS architecture deployment
  - Library of SmartArchitecture DNS templates
  - Automated configuration of all DNS servers according to selected SmartArchitecture
  - Best practices enforcement
- DNS Stealth: State of the Art Internet DNS architecture
  - Most secure Internet DNS architecture
  - A DNS slave server is published to DNS clients as the Master DNS server
  - DNS Master server is hidden to DNS clients behind firewalls
[Diagram labels: Hidden DNS master; DNS Pseudo Master (Slave); DNS Slave server]

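An added Python example (not EfficientIP's code) of auditing published zone data for the stealth architecture described above: the hidden master's name and address must not appear, and the SOA MNAME should name the pseudo master. The zone text, host names and addresses are constructed, and the parser assumes a simplified zone format with one fully qualified record per line.

```python
def parse_records(zone_text):
    """Parse 'owner ttl IN type rdata...' lines (simplified zone-file subset)."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # strip comments
        if not line or line.startswith("$"):      # skip blanks and directives
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), [f.lower() for f in rdata]))
    return records

def stealth_findings(zone_text, hidden_name, hidden_addrs, pseudo_master):
    """Report every place where the published zone reveals the hidden master."""
    findings = []
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "SOA" and rdata[0] != pseudo_master:
            findings.append(f"SOA MNAME {rdata[0]} is not the pseudo master")
        elif rtype == "NS" and rdata[0] == hidden_name:
            findings.append(f"hidden master published as NS of {owner}")
        elif rtype in ("A", "AAAA") and (owner == hidden_name or rdata[0] in hidden_addrs):
            findings.append(f"hidden master address published at {owner}")
    return findings

# Constructed zone data using documentation names and addresses.
HIDDEN, HIDDEN_ADDRS, PSEUDO = "hidden.example.com.", {"203.0.113.5"}, "ns1.example.com."

STEALTH_ZONE = """\
$ORIGIN example.com.
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2012010101 3600 600 604800 300
example.com. 3600 IN NS ns1.example.com.   ; pseudo master (a slave)
example.com. 3600 IN NS ns2.example.com.
ns1.example.com. 3600 IN A 192.0.2.53
ns2.example.com. 3600 IN A 198.51.100.53
"""

# Same zone with the hidden master leaked in SOA, NS and A records.
LEAKY_ZONE = STEALTH_ZONE.replace(
    "SOA ns1.example.com.", "SOA hidden.example.com."
) + "example.com. 3600 IN NS hidden.example.com.\nhidden.example.com. 3600 IN A 203.0.113.5\n"

if __name__ == "__main__":
    print(stealth_findings(STEALTH_ZONE, HIDDEN, HIDDEN_ADDRS, PSEUDO))
    for finding in stealth_findings(LEAKY_ZONE, HIDDEN, HIDDEN_ADDRS, PSEUDO):
        print(finding)
```
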
DNSSEC

DNSSEC
- DNSSEC is used to protect against query/request redirection
- DNSSEC creates a chain of trust between the client and the authoritative server
- Based on key exchange inside specific signed resource records

DNSSEC
- Automatic signature of zones
- KSK and ZSK key creation
- Automatic NSEC3 resource records creation
- Rollover management of keys
- Global DNSSEC validation checking

EfficientIP solutions
Please feel free to contact us for more information or a presentation of EfficientIP solutions:
- By email: info@efficientip.com
- Or via our website: www.efficientip.com