
The Six Dumbest ideas in computer security 1

Status
Not open for further replies.
That's a good read, I disagree with a couple of the points made but overall very good.

Russell.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
An enjoyable read, some very good points!

Excuse me if this is a silly question, but in the statement:

• "We don't need a firewall, we have good host security" - no, you don't. If your network fabric is untrustworthy every single application that goes across the network is potentially a target. 3 words: Domain Naming System. "

What is the relevance of DNS in this case?
 
If DNS goes down, especially at a high level on the internet, communications outside your own network will be very restricted as your own network will be unable to locate higher up DNS Servers to locate IP addresses of domains outside your own. DNS cache answers are only good for about an hour or so before they are considered stale and a new answer from an authoritative server is required.

There are only about 13 top level DNS servers (that hold the entries for the .COM, .NET, .ORG, .INFO, .BIZ and country top level domains such as .UK, .AU and .CA) across the planet; it is the nearest thing to a single point of failure on the internet.

John
 
I see, that's an interesting point...so if that happened it would just be utter chaos? Is that likely to happen?

While I understand what you have just explained, I still don't get the connection with the point made in the article...
 
I don't think it's likely to happen as it would disrupt any hacker (or so) wanting to use the internet for malicious purposes as well, but it could do.

The connection with the point made is that when the DNS protocol was originally designed, the Internet was a much friendlier place. While modern DNS servers have far stronger security, it is a classic example of the need to strengthen security as a result of the increasing risks of being accessible via the Internet.

John
 
I think the issue with DNS is actually your own internal DNS and DNS poisoning.

Imagine this.

Your company (or yourself) banks online.

has an IP on 20.20.20.20.

So your proxy doesn't know the IP address, so out it goes and has a look, and bingo it gets the name of the higher DNS server.

Now imagine this:

Someone gets in and does one of the following:
Gets to your internal DNS servers, adds a fixed DNS entry of to 30.30.30.30, and hey presto you go to Mr Thieving Lowlife's website, log in and then they display an error saying that there is an internal error processing the login and try again later. How many users would think they've been done? After all, they typed in the correct name, the Virus scanner and antispyware can find nothing wrong, nope, definitely a problem with the bank's website. We'll try again tomorrow.
If they report the problem to the bank, the bank check out the account and see nothing wrong, they log in from an external machine, nope no problems, must be a problem with the user's proxy server or machine.


The same can be done on the firewall, requests for IP 20.20.20.20 get NAT'd to 30.30.30.30, same difference.

Stu..


Only the truly stupid believe they know everything.
Stu.. 2004
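
A defender-side check for the internal DNS scenario in the post above, added here as an example and not part of the original thread: compare what the internal resolver returns for watched names against an independent reference resolver and a pinned set of expected networks. The names `bank.example` and `mail.example`, the sample answers and the pinned ranges are constructed assumptions; only the 20.20.20.20 and 30.30.30.30 addresses come from the post.

```python
import ipaddress

# Constructed sample data (not from the thread). bank.example and mail.example
# are placeholder names; INTERNAL is what the internal resolver answered,
# REFERENCE what an independent resolver reached over a separate path answered.
INTERNAL = {"bank.example": ["30.30.30.30"], "mail.example": ["198.51.100.7"]}
REFERENCE = {"bank.example": ["20.20.20.20"], "mail.example": ["198.51.100.9"]}

# Assumption: the defender maintains the networks each watched name should
# resolve into (for example from the provider's published ranges).
EXPECTED = {
    "bank.example": ["20.20.20.0/24"],
    "mail.example": ["198.51.100.0/24"],
}

def in_expected(name, addr, expected):
    """True if addr falls inside one of the networks pinned for name."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in expected.get(name, []))

def audit(internal, reference, expected):
    """Return {name: verdict} for every watched name in expected."""
    verdicts = {}
    for name in expected:
        ours = set(internal.get(name, []))
        theirs = set(reference.get(name, []))
        outside = sorted(a for a in ours if not in_expected(name, a, expected))
        if not ours:
            verdicts[name] = "NO_ANSWER"
        elif outside and set(outside) <= theirs:
            # Reference agrees with the odd address: the pinned ranges are
            # more likely stale than the internal resolver tampered with.
            verdicts[name] = "REVIEW: pinned ranges may be stale: " + ", ".join(outside)
        elif outside:
            verdicts[name] = "ALERT: internal-only answer outside pinned ranges: " + ", ".join(outside)
        elif ours != theirs:
            # Round-robin or CDN answers differ between resolvers but stay in range.
            verdicts[name] = "OK: differs from reference, inside pinned ranges"
        else:
            verdicts[name] = "OK"
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit(INTERNAL, REFERENCE, EXPECTED).items():
        print(f"{name}: {verdict}")
```

The firewall NAT variant mentioned in the same post leaves the DNS answers unchanged, so this comparison does not cover it.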
 
I'm not reading that, the "white on black" display is horrendous...
 
Thanks for that jrbarnett/Stu, makes sense now!

Happo, nothing wrong with the display to be fair, perfectly readable. Excellent contribution however, thanks!
 
Happo
Open white on black page.
Move cursor over the 'T' in 'The' at the top of the page
Hold down left mouse button and drag cursor down to bottom of page.
Hey Presto.

This is also useful where some idiots put, for example red writing on a black page, or even red on brown.

Apologies for that it must be Monday.


Steve: Delphi a feersum engin indeed.
 