Chapter 10 Security issues

This chapter covers:

• DNS spoofing and zone transfers. Spoofing can make DNS servers believe that an untrusted host is a legitimate secondary server. Unethical hackers use this technique to obtain a copy of the zone file, and once the addresses of internal computers are known they are easily attacked.
• Denial of service. A flood of service requests to a machine can bring it down, and this is the first step in some forms of attack. Protection here is an exercise in maintaining highly available services, and several DNS-related configurations help.
• Using DNS with firewalls. A firewall is a computer or special-purpose device running specialised software that restricts access to one or more networks. Firewall configurations vary widely, from dedicated hardware and router solutions, to multi-machine schemes, to a single machine with two or more NICs, one connected to the Internet and one to the internal network or DMZ. DNS has to be configured specially according to the resolution needs and what is to be made public.
• Service advertisement. The more an attacker knows about a target, the easier it is to find its weaknesses. Problems of host protection and published namespaces are usually handled by restricting access to the published content. The DNS and NetBIOS namespaces are well-known concerns, but the growth of service (SRV) records and LDAP services is brand new.
• Dynamic DNS. This new capability holds much promise and many dangers. The dynamic update mechanism in Windows 2000 is simple and new, and its problems are discussed.
• Mail security. SMTP, POP, IMAP and Exchange mail servers are subject to a variety of attacks. Several serious security risks are introduced, along with recommendations for reducing exposure using DNS MX records and mail relays.
• WWW security.
As web servers and browsers become more powerful and more common, they are increasingly the point of entry for security problems. Some web security issues are described, along with technologies available for defence.
• FTP security. An FTP server is very useful for distributing software and electronic documents, and can also be implemented and published alongside the web server. The security issues associated with FTP are described.

This chapter does not cover every security issue that should be considered when connecting a network to the Internet. Its purpose is to help readers understand how these security issues relate to the DNS service. Some say security should begin with design: unless it is designed in, security weaknesses are always layered on, or fixed only by redesign. In fact, network security is not one thing but is built up from many carefully configured parts. In explaining the needs of a public network connection and its risks, this chapter focuses on DNS. Many risks come from inside. For example, filtering all internal traffic except selected FTP and Telnet ports is not popular. Large companies can benefit from logically dividing the internal network into security zones, in which case some of the problems faced on public networks also apply internally. When handling security issues, make sure all new security bulletins, patches and bug reports are dealt with. Besides keeping in contact with your vendor, stay in contact with other organisations that issue warnings and advisories, even those not focused on DNS.

10.1 DNS spoofing and zone transfers

DNS spoofing is when a hacker enters a system and changes the host-to-IP mapping so that it points to a false host. The possibility of such spoofing exists, but it is hard to carry out successfully.
The greatest harm a hacker can do by attacking a DNS server is to the integrity of the zone data, and to redirect queries to other hosts. Fortunately this type of attack is relatively easy to defend against and correct. NSLOOKUP, PING and TRACEROUTE can be used to determine whether a computer's information has been modified (especially IP addresses that do not belong to this node or this domain).
If there is a problem, query the other authoritative servers and compare the results. If the attack lasted some time, the bad data may already be cached across the network, but it will expire and things will return to normal. If you cannot be sure whether your server holds bad data, query it with NSLOOKUP and check the results. To determine whether the corrupted data is in the cache or has entered the zone data, use advanced view in the DNS management console or check with DNSCMD.EXE. If the problem is in the cache, flush the server's cache and rerun each tool. You can stop and restart the zone or the server to force it to reread zone data from storage. Take the appropriate measures after analysing what happened. Of course none of this should happen, but if it does, correct it immediately. Placing a monitor in a suitable place is important, especially for large zones. If early detection is possible, the attacker's trail is fresh and the chance of blocking the attack increases. In some cases monitoring can be done by observing server performance and unusual network behaviour, which is easier than watching for corrupted data or errors in the zone. Do not overlook DNSCMD.EXE, which can export the zone data so that it can be compared periodically with a known-good copy taken at some point. It is hard to determine how or where the hacker got into the system to make the first change; intrusion detection packages or monitors can help trace the hacker, and many books and materials discuss this problem. What the hacker gains from the altered zone is a machine that can lead users to him.
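As an added illustration of the periodic comparison described above (this is not code from the book): a small Python check that diffs an exported zone against a known-good baseline and flags A records whose addresses fall outside the organisation's own ranges. It assumes the export has been normalised to one record per line (name, TTL, class, type, data); the zone texts and the 192.0.2.0/24 range are constructed sample data.

```python
"""Zone integrity check: compare an exported zone against a known-good baseline.

Added example, not code from the book. Assumes the export has one record per
line in "name TTL class type data" form; the zones below are constructed.
"""
import ipaddress

# Known-good copy of the zone, taken when the data was last verified (constructed).
BASELINE_ZONE = """\
@      3600 IN SOA ns1.example.test. hostmaster.example.test. 101 900 600 86400 3600
@      3600 IN NS  ns1.example.test.
@      3600 IN NS  ns2.example.test.
@      3600 IN MX  10 mail.example.test.
ns1    3600 IN A   192.0.2.10
ns2    3600 IN A   192.0.2.11
mail   3600 IN A   192.0.2.25
www    3600 IN A   192.0.2.80
"""

# A fresh export of the same zone, showing the kind of change to look for (constructed).
CURRENT_ZONE = """\
@      3600 IN SOA ns1.example.test. hostmaster.example.test. 102 900 600 86400 3600
@      3600 IN NS  ns1.example.test.
@      3600 IN NS  ns2.example.test.
@      3600 IN MX  10 mail.example.test.
ns1    3600 IN A   192.0.2.10
ns2    3600 IN A   192.0.2.11
mail   3600 IN A   192.0.2.25
www    3600 IN A   198.51.100.7
ftp    3600 IN A   192.0.2.21
"""

# Address space the organisation actually owns (constructed); anything else is suspect.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_zone(text):
    """Return {(name, type): set(data)} for every record line in the export.

    Blank lines and ';' comments are skipped. Several records of one type at
    one name (the two NS records, for instance) are kept together as a set.
    """
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError("unexpected record line: %r" % line)
        name, _ttl, _cls, rtype = fields[:4]
        data = " ".join(fields[4:])
        records.setdefault((name, rtype.upper()), set()).add(data)
    return records


def diff_zones(baseline_text, current_text):
    """Report added, removed and changed record sets; SOA serial changes are ignored."""
    base, cur = parse_zone(baseline_text), parse_zone(current_text)
    added = sorted(k for k in cur if k not in base)
    removed = sorted(k for k in base if k not in cur)
    changed = sorted(k for k in base
                     if k in cur and k[1] != "SOA" and base[k] != cur[k])
    return {"added": added, "removed": removed, "changed": changed}


def foreign_addresses(zone_text, own_networks=OWN_NETWORKS):
    """A records whose address lies outside the organisation's own ranges."""
    hits = []
    for (name, rtype), data in parse_zone(zone_text).items():
        if rtype != "A":
            continue
        for addr in data:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in own_networks):
                hits.append((name, addr))
    return sorted(hits)


if __name__ == "__main__":
    # Run as a scheduled job against the latest export and alert on any output.
    print(diff_zones(BASELINE_ZONE, CURRENT_ZONE))
    print(foreign_addresses(CURRENT_ZONE))
```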
The hacker then uses this setup to capture the user logins and mail account information he wants to intercept, and uses that information to break into other hosts on the network. When a hacker operates an unauthorised machine as an authoritative server, he can pollute the caches of other name servers on the Internet by intercepting and answering queries. There are some protections against this, and the Windows 2000 DNS server can protect its cache. One way to reduce this intrusion is to verify with reverse lookups: if a host wants to pose as another server, a reverse lookup can verify that the IP address maps back to the same host. In fact, some FTP and HTTP servers verify this way before allowing a login or operation. To use this protection in your environment, your DNS server must have reverse lookup zones configured. One of the best strategies for a name server is to make it as secure as possible. Do not use a machine that many users log in to, or that runs many interactive services, as a name server. Many security experts suggest that, if traffic allows, it is best to run each service on a separate machine. Some even suggest that all remote access be removed or strictly controlled, accepting only access from the private network or a similar mechanism. Another thing to note is that hackers can obtain the addresses held by a name server through a zone transfer. The best way to prevent zone data being sent to an illegitimate secondary server is to list all legitimate DNS servers on the Zone Transfers tab of the DNS management console. In Figure 10-1, select Allow zone transfers, then select "Only to the following servers" and add the servers' IP addresses, then use the Notify tab to configure Notify options for servers that support this feature (see Figure 11-8).
This is also a good way to keep the zone data out of harm's way; it gives good performance and provides protection even under adverse conditions. Because of security concerns we have to look at the bad side of human nature, or at least consider the possibility of it, unpleasant as that is.

Figure 10-1 Controlling zone transfers to specified machines

10.2 Denial of service

A denial of service attack is sometimes used as a means of deception and sometimes out of sheer malice. It exploits known weaknesses in the server's TCP/IP implementation, or simply the machine's limited capacity. By sending a large number of packets containing erroneous or specially formatted data, the server is left unable to respond or is completely paralysed. If a machine on the router's subnet is taken out of service, the way is open for an impostor to take its place. The most obvious precaution is to keep the system maintained and to run only the minimum of services. For DNS servers some specific measures apply, particularly where the server provides the public namespace. If it must answer queries, set the DNS service to refuse recursive queries (see Chapter 11); this not only expands the machine's capacity but also limits the code paths in the DNS server that can be exercised. Attacks that rely on knowledge of the operating system and the installed server are hard to detect, especially when they need only one or a few specially formatted packets. If the signs of such attacks are easy to monitor, the vulnerability can be blocked; on the other hand, attacks based on a large volume of packets have an obvious signature. Another point about DNS servers is that the primary server need not serve the public namespace; it is better placed internally or in the DMZ. This makes it easy to establish a good monitoring system that periodically checks whether the DNS server is operating normally.
Monitoring can also be done from the Monitoring tab of the DNS server property page, which can issue alerts as needed, unless you need to point it at a specific remote server through the public interface.

10.3 Using DNS with firewalls

When DNS is used with or through a firewall, two things must be considered first: the site's or enterprise's security policy, and the type of firewall to be used. The security policy determines which traffic is allowed through the firewall. The firewall type determines how data flows between the private network, the DMZ and the Internet.
A firewall can have several functions, including packet filtering, proxying, stateful inspection and alerting. Stateful inspection is a mechanism that examines packet information stored in the firewall to determine the state of a session; that state decides whether a packet is allowed through. Combined with authentication, encryption and similar features, this provides a number of strong security tools. Many firewall solutions support DNS directly, or provide configuration templates that let name queries pass through to the other side. An administrator designing a site has at least two options:
• Allow access to all resources, but keep backups.
• Restrict all access, allowing only the traffic you need through to your network.
In the first approach no filter is used, not even on the router serving as the Internet gateway. In the second, only certain ports and protocols, and only certain named machines, are allowed, and machines on the same network further defend one another. Allowing access only to particular machines is a very important feature. To protect these machines, at the very least set a different administrator account and password on each. The aim is to make the machines as independent as possible, so that if a hacker breaks into one he cannot use the same account and password to break into other systems in the domain. By analogy, the military disperses aircraft and fuel so that the loss of one does not take the rest with it. With different accounts on different machines it is hard to compromise many machines at once. The trust relationships between these machines are not entirely removed, but they are at least seriously restricted. This amounts to a defensive belt outside the Active Directory forest, at the cost of some convenience for legitimate users.
Remember that for a trusted machine you can check the group structure and the registered trusting domains. Firewalls can be set up in many ways, and DNS can be handled in many ways too. The key is to attend to two things: the outside world must be able to reach an authorised name server to resolve your public hosts, and internal hosts must be able to reach external name servers (through some mechanism such as a forwarder or proxy server) to find hosts in other domains. The best protection for name servers is to back up zone and configuration information regularly, and to make sure those backups are immediately available when files need to be recovered. Hiding a domain from the outside world is of course good protection, but it is inconvenient for users who want to reach the outside. One way to back up zone data is to designate a backup DNS server as a legitimate secondary of the primary; each zone on the primary can then be quickly copied to the secondary. This reduces the load and the backup time, and in some UNIX implementations the zones can be reloaded from the secondary without moving files. A domain can be set up with its primary server inside the firewall (assumed secure) and a secondary outside the firewall to serve external hosts. If the administrator does not mind the whole world seeing the whole domain, this is a good arrangement. Then there is the concept of split DNS, that is, two zones, one for external use and one for internal use.
In practice this increasingly means running two sets of DNS servers, with the publicly queried secondaries on the external network; check the configuration of these secondaries carefully for risk factors such as unauthorised Telnet access or the ability to take over the zone. For most companies today, users on the network at least need to reach web sites and use e-mail across the Internet, and in that case hiding the domain is not a good solution.
A self-respecting administrator should limit access to the domain, and split DNS or other restrictions on the externally visible hosts may be the best solution. Chapter 9 describes split DNS and how to set it up.
Traditional split DNS requires two primary servers: one inside the firewall and one outside. The zone outside the firewall holds only a few entries: the domain's MX records and the records for the WWW and FTP servers. Depending on the type of firewall, some entries serve reverse lookups for external hosts during sessions created by users inside the firewall. Some firewalls use address translation and reassign a pool of known IP addresses; for these addresses to be usable by some processes they must map to valid host names, and those names are handled only by the external name server and are not resolved by the internal one. The internal primary server contains entries for every host in the domain, including the external hosts. The internal DNS is set to forward to the external DNS. The external forwarder can be a public external DNS server, or a server dedicated to forwarding, depending on capacity, budget, security requirements and security policy. The result is that when the internal name server cannot answer a client's query, the query is passed to an external name server. Because the internal name server is configured as a slave of the external one, it does not perform the query itself but waits for the external server to provide the answer. If the firewall is set so that only name-server queries pass between these hosts, queries from external hosts cannot reach the internal name server. What is needed is that the internal forwarding machine is either a pure slave cache or holds the internal domain data.
If it holds no internal data it serves no clients, only other DNS servers, which use it directly; if it holds internal data, it holds all of the internal domain data and only Internet names come from outside. The forwarder should forward every query it cannot answer authoritatively, and may even give referrals to another internal DNS server. It should therefore hold a complete zone file. Budget, network size and load, and the level of concern will also limit the choice; remember that a forwarder acting as a checkpoint is also a bottleneck in the design. Because the internal and external name servers are both primaries, no zone transfer passes through the firewall. The difficulty of this arrangement is that the administrator must maintain two sets of zone files, and if there are secondary servers on both sides of the firewall the maintenance work grows. Human error and confused naming can also produce name conflicts, because the internal and external domains look the same. Using different internal and external domain names solves this problem with only a small change, but it places some limits on future growth of the namespace. The key steps in setting up DNS servers to operate through a firewall:
1) Create the internal primary DNS server and secondary servers.
2) Create the external primary DNS server and secondary servers.
3) Decide which hosts in the domain are visible from outside.
4) Decide how external clients will resolve the outside hosts, and how to configure the internal servers to provide these features.
5) Allow only name service for the specified hosts to pass through the firewall.
6) Test the design to ensure it works as expected.
The purpose of the last step is obvious.
Make sure the design works properly, especially by checking from an external node that only the information the administrator intends to publish is available. Likewise, check that the firewall is set appropriately and that users inside the firewall can resolve external domains. Heavy demand for resolution of external domains may require a parallel path for capacity and reliability. A good DNS configuration through a firewall is a primary server, inside the firewall or in the DMZ, holding the external namespace, with secondary servers outside. To the rest of the world the external server may as well be the primary; the only difference is who holds the primary zone file. All maintenance is done on the internal server, and the external servers update their zones as required. This may mean running three servers, but it is certainly more secure than allowing access to the primary from outside. Moreover, if a zone is destroyed, the primary zone remains under internal control. If you use this technique, make sure the firewall allows DNS communication only between the internal primary and the external secondaries (and vice versa). Some experts also recommend, for extra safety, using an unused high port for this communication instead of the standard DNS port 53. This touches only on some of the options for DNS and some of the features of certain firewall products; it is a large topic, and further resources specific to firewall types and capabilities are available.

10.4 Service advertisement

Windows groups have long known that filtering NetBIOS ports entering and leaving the campus network is a good precaution. The main concern is the same one most DNS administrators see: there is no need to let everyone obtain the zone data. Knowledge is power, or at least in this case it maps where to find power. The information obtained from a DNS zone differs from that in the WINS database, but both give a considerable map of the machines and, in some respects, of the company's structure. NetBIOS names can carry additional information, such as what type of service runs on each machine, which is a domain controller, which hosts the web service, which hosts the database, and so on; that gives everyone greater "power". With the introduction of SRV records, DNS data is at least the equal of NetBIOS in advertising services for locating other hosts.
This is a feature used by many parts of Windows 2000, made available through the domain locator service (see the structure of Windows 2000 SRV records). SRV records are not used in the traditional way, nor in the NetBIOS namespace. The difficulty is that advertising adds to the system administrator's burden, and the administrator must further harden the machines. Security is gained by additional effort, and sometimes by obscurity about things not everyone needs to know. Trying to hide is not true security, but further hardening is hard work. The bottom line: if SRV records do not need to be announced, do not announce them. This leads to a two-way naming and split design, but because the outside world is isolated, the internal network can still use this information. LDAP has no direct relationship with DNS, but in terms of namespace, the LDAP collection about Windows machines (whether upgraded NT 4.0 or Windows 2000 machines), their services, groups, accounts and so on should not be ignored. Active Directory and its directory services are built on LDAP, and the goal of Active Directory is to help legitimate users discover and access resources. This accessibility is not bad in itself; the question is what counts as a "legitimate user". Implementations range from hardening to hiding, with many combinations in between.

10.5 Dynamic DNS

Security is always a balance between the capability provided and the degree of lockdown desired. The dynamic update capability in DNS provides unprecedented opportunities for name hijacking. In turn it can contribute to spoofing and man-in-the-middle attacks, and generally to malicious destructive attacks. This is not what it has to be, but what problems are possible. As commercial DNS vendors adopt this technique and add basic key exchange support, its application to the public namespace will largely be a matter of increasing security.
It should be clear that the security features achieved by the dynamic update mechanism in Windows 2000 have limits, and that users work within the limits of different security measures. Refer to the discussion in Chapter 7, which covers the configuration available in the initial release of Windows 2000. Under most conditions, dynamic update capability is not required in the publicly released namespace.
If your configuration will affect directory applications and services on the public network, carefully review the options: whether you use dynamic updates, their security, and current developments.
For most applications there is no need to provide dynamic update capability at every public access point. The combination of extranet and private network technology, including extranets running over open networks, lets Active Directory technology be explored outside the internal network. The implicit strategy here is to lock down dynamic update to the extent you want while keeping its use and benefits; this technology is best labelled "internal use", for a trusted group of users. In the released implementation of Windows 2000, only zones integrated into Active Directory can secure the dynamic DNS update mechanism, and Windows clients cannot send secure updates to non-Microsoft DNS servers in the RFC manner. When the secure update mechanism is used on the Windows 2000 DNS server, by default every member is allowed to create a new record. Once created, the creating account becomes the owner, and only it can change or delete the record, apart from administrators and system privileges. The DnsUpdateProxy group is a specially designated group that behaves differently: when a member of this group creates a DNS record, the owner of the record is not the creating account but the first account to change or refresh the record. The Windows 2000 security mechanisms described earlier can change this default behaviour, but the default is a very reasonable compromise between weakening or preventing dynamic update and ensuring security.

10.6 Mail security: SMTP, POP, IMAP and Exchange

Security consultants always warn of the possibility of compromise of Sendmail, Exchange and IMAP servers. How mail is handled in the domain depends largely on the setup of the name servers and the firewall.
Generally, POP and IMAP services should be inside the firewall to protect users' mail, directories and especially passwords, so that outsiders cannot use this information to break into the site. Since POP (unless APOP is used) sends the password in the clear, anyone who compromises a router between the user and the server can watch the path and obtain usernames and passwords. It is best to use an authenticating server process that does not send passwords in clear text. In practice it is best to use a server outside the firewall as a relay that then passes mail to the primary server; this requires a trustworthy server outside the firewall. You may want a simple server, or an Exchange server, outside. For greater safety, install a monitoring program to confirm that nothing major changes on this external server; once something has changed, restore it from source media, a CD or some other uncontaminated copy. No special care is needed for an Exchange server beyond what you would take for any mail server. If you are more concerned about the server, monitor connections to port 25. In general, one host in the domain should act as the relay for internal or external mail. For internal mail, the actual mail system can be placed inside the firewall and configured to accept mail connections only from within the domain. Similarly, a relay can be used for external mail to hide the internal machines, with an address rewriting rule so that all outgoing mail carries user@domain as the sender address, that is, the domain name only, without the machine name. This lets replies to a message be directed to the domain, and helps protect the identity of the internal machine that sent the mail.
Of course, fully displaying the message headers will show the path taken, but if the originating host is hidden inside the firewall and the company's DNS server is used, there is no problem. If there is a problem, a resend program can be used to overcome it.
The best resend program is one written for your specific environment. To hide the original source, strip the existing header lines before retransmission. The MX records of the internal name server can direct mail for any non-local address from internal hosts to the relay. After the relay receives the mail, it performs another lookup through an external name server and sends the message to its Internet destination. The relay can also be set to pass the domain's inbound mail to a dedicated host inside the firewall, which then delivers it to internal users or subdomains. MX records can likewise be used to route messages to internal hosts of the domain.

10.7 WWW security

Speaking of the WWW, it seems everyone has a web site today. What matters is how to secure and protect the web server. The problem is that a web site exists to be seen by everyone (if the machine cannot be seen, why set up a web server?). One exception is an intranet site intended for the enterprise's internal employees. There are many products and technologies for securing information on your computer, the most widely used being packet filtering. Administrators can put a filter in front of the machine hosting the web server, so that only web traffic reaches the server and nothing else. Blocking services such as Telnet, FTP and e-mail on the machine limits the attacks that might come through those services. Proxy servers are also useful for protecting web sites, because remote users never actually reach the web server: the remote user's request is intercepted by the proxy, which queries the web server and returns the data to the remote user. Various redirection techniques can also be used, in which DNS resolves the web server name to a virtual IP address; requests arriving at that virtual address are redirected to the corresponding real server.
In this case the remote user does get information from the actual web server, but the real IP address of the web server is hidden from the user. These redirection techniques can also give very flexible load balancing and high availability. Typically DNS can load balance, or at least randomise the path to a target, which may be a web server or its proxy. When many legitimate services must pass through, many problems arise and direct access to components and data services is needed. These solutions gradually move away from pure packet filtering, but all of them require coordination between the DNS, web and firewall administrators. Combined with the DNS attacks mentioned earlier, a web site may be subject to a "man in the middle" attack: if a hacker can redirect requests for a particular web address to his own machine, and that machine runs a modified server, he can use it to serve your web clients' requests while monitoring all the responses of the site. That is why a secure server must be protected from DNS attacks.

10.8 FTP security

The FTP server has its own security weaknesses. One way to improve FTP server security is through reverse lookup of the user. Many FTP servers know connecting remote hosts by their host name and IP address, and reverse lookups can verify the host name and IP address of the connecting host. Although this may not seem to improve security much, it at least indicates whether a real IP address and host name were used to log in, that is, whether it is a legitimate FTP login. Incidentally, many HTTP servers also use reverse lookups in their logging. The purpose of the reverse lookup is to confirm that the IP address and host name are fully consistent.
If the host name and IP address do not match, the FTP server rejects the connection request. Filters can be used alongside reverse lookups to prevent other types of access to the FTP host. Even friendly servers in the same room may consider using this safety method.
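An added Python example (not the book's code) of the forward-confirmed reverse lookup an FTP or HTTP server can apply: the PTR name for the connecting address must resolve back to that address, and a missing PTR, a missing A record or a mismatch each rejects the client. The resolver functions are injected so the check runs offline against a constructed table; live_ptr and live_a wrap the standard socket calls for real use.

```python
"""Forward-confirmed reverse lookup, as an FTP server might apply it.

Added example, not code from the book. The resolver is injected so the check
can run offline against a constructed table; the live_* functions wrap the
OS resolver for real use.
"""
import socket


def forward_confirmed(ip, ptr_lookup, a_lookup):
    """Return (ok, detail).

    ptr_lookup(ip) -> hostname or None; a_lookup(host) -> list of addresses.
    The connecting IP passes only when its PTR name resolves back to that IP.
    """
    host = ptr_lookup(ip)
    if not host:
        return False, "no PTR record for %s" % ip
    addrs = a_lookup(host)
    if not addrs:
        return False, "PTR name %s has no A record" % host
    if ip not in addrs:
        return False, "PTR name %s resolves to %s, not %s" % (host, ", ".join(addrs), ip)
    return True, host


# Constructed resolver tables standing in for the DNS (not real hosts).
_PTR = {
    "192.0.2.10": "ftp-client.example.test",  # forward and reverse agree
    "192.0.2.11": "ns1.example.test",         # PTR name maps to a different address
    "192.0.2.12": "nowhere.example.test",     # PTR name has no A record
}
_A = {
    "ftp-client.example.test": ["192.0.2.10"],
    "ns1.example.test": ["192.0.2.20"],
}


def table_ptr(ip):
    return _PTR.get(ip)


def table_a(host):
    return _A.get(host, [])


def live_ptr(ip):
    """PTR lookup via the OS resolver; None when the address has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(host):
    """All IPv4 addresses for host, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def check_client(ip, live=False):
    """Decide whether to accept a connecting client address."""
    if live:
        return forward_confirmed(ip, live_ptr, live_a)
    return forward_confirmed(ip, table_ptr, table_a)


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        print(client, check_client(client))
```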