Thursday, August 03, 2006

The hidden security hole; how to protect the network - Guest Column

The defense mechanism of choice against virus and hacker attacks is the firewall. It protects the front door of the network, much like humans throwing furniture in front of the doors on the main floor to keep out the zombies in all those horror films. Yet, just as in those films, there is a back door no one even bothers to lock. It is the domain name service, or DNS, one of the foundation blocks of network infrastructure, websites, IP-based applications and e-mail.

DNS sits outside the firewall, quietly acting as the Internet's phone book. It takes text addresses like www.redcross.org and converts them into numeric IP addresses, such as "207.168.0.50," allowing one computing device to find another and interact over the network.

Most organizations use the Berkeley Internet Name Domain (BIND) software to run their DNS. BIND is open source server software that each organization or ISP has to configure for itself in order for information to pass from one device to another. This lack of central control creates an inherent weakness that hackers find easy to exploit, because there is no quick, universal fix.
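Because every site writes its own BIND configuration, the weak settings tend to be the same ones over and over. The following lint is an added example for this column, not code from the column or from the BIND project: it takes two constructed named.conf fragments (a weak one and a hardened one, both invented for illustration) and flags the three settings a reviewer of an external, authoritative-only server checks first. The option names (`recursion`, `allow-transfer`, `version`) are real BIND options; the policy that all three must be set is this example's assumption.

```python
import re

# Constructed named.conf fragments for illustration; neither comes from a real server.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-transfer { any; };
};
"""

HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    recursion no;               # authoritative-only: do not resolve on behalf of the world
    allow-transfer { none; };   # no zone transfers unless an ACL of your secondaries is listed
    version "none";             # do not advertise the running BIND version
};
"""


def extract_block(text, name):
    """Return the body of the first 'name { ... }' block, honouring nested braces."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if m is None:
        return ""
    depth = 0
    for i in range(m.end() - 1, len(text)):   # m.end() - 1 is the opening brace
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return text[m.end():]                       # unterminated block: return what is there


def lint_named_conf(conf_text):
    """Return a list of weak-setting findings for an external authoritative server."""
    findings = []
    body = extract_block(conf_text, "options")

    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    if rec is None or rec.group(1) == "yes":
        findings.append("recursion not disabled: set 'recursion no;' on an external "
                        "authoritative server")

    xfer = re.search(r"\ballow-transfer\s*\{([^}]*)\}", body)
    if xfer is None or re.search(r"\bany\b", xfer.group(1)):
        findings.append("zone transfers not restricted: set 'allow-transfer { none; };' "
                        "or list only your secondaries")

    if re.search(r'\bversion\s+"', body) is None:
        findings.append("version string advertised: set 'version \"none\";' so the "
                        "server does not announce which BIND it runs")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint_named_conf(conf) or 'no findings'}")
```

Run against a real file with `lint_named_conf(open("/etc/named.conf").read())`; the brace-tracking extractor copes with nested ACL blocks inside `options`, but it is deliberately a minimal matcher, not a full named.conf parser, so treat its output as a first pass rather than a complete audit.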

When the SANS Institute and the FBI come out with their yearly list of top security risks, BIND is invariably on it. This list becomes a virtual menu for hackers who want to cause problems. Imagine if the local police published a list in the newspaper of all the ways to break into a house. Could a homeowner fix all the problems before the thieves started breaking in?

In the case of BIND, it is open season, because every organization has to create its own solution based on its specific implementation. By the time many enterprises receive and read the CERT Alerts from the CERT Coordination Center at Carnegie Mellon University, figure out which version they have and what they need to upgrade, and then free up the resources to create the solution, their data is well on its way to a server somewhere in China. Or their multimillion-dollar network is producing "404 File Not Found" messages in huge volume.

This, incidentally, is the benefit of the server appliance model. The code is developed by the manufacturer and incorporated as part of a complete software/hardware/OS product, rather than being developed individually at the user level. This is important because DNS is such a background system that most organizations do not notice it until something goes wrong.

CERT estimates that 80% to 90% of companies are using BIND versions that leave them open to serious security breaches. So, what can be done to protect a network? There are several steps that can be taken today.

Admit vulnerability. Ignorance is probably the single greatest enemy. Remember those zombies--guard the back door, as well as the front one.

Keep up with upgrades. Letting upgrades slide in the crush of other tasks is easy--but risky. Keep BIND software up to date, especially all security patches.

Monitor CERT alerts, then take action. Remember the menu for hackers? They are licking their chops waiting to be told where anyone is vulnerable. Servers that host multiple services, in addition to DNS, are particularly vulnerable. Beat them to the punch by checking frequently for new discoveries, and then implementing the solution immediately.
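The slow step the column describes is working out which BIND version a server runs and whether it is below the floor an alert sets. The check below is an added example, not code from the column: it parses the first line `named -v` prints (the sample string is constructed, and the minimum version is a placeholder to be replaced with the floor from the advisory being acted on) and answers whether an upgrade is due.

```python
import re
import subprocess

# Constructed sample of the first line "named -v" prints; not taken from a real host.
SAMPLE_NAMED_V = "BIND 9.11.4-P2 (Extended Support Version) <id:placeholder>"

# Placeholder floor: substitute the fixed version named in the advisory you are acting on.
MINIMUM_VERSION = (9, 11, 5, 0)

# major.minor.patch with an optional "-Pn" patch level; distro suffixes such as
# "-Ubuntu" are simply not matched and count as patch level 0.
VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_bind_version(named_v_output):
    """Parse 'named -v' output into (major, minor, patch, p_level), or None if unrecognised."""
    m = VERSION_RE.search(named_v_output)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def needs_upgrade(named_v_output, minimum=MINIMUM_VERSION):
    """True when the installed version is below the floor, or cannot be parsed at all.

    An unparseable banner is treated as 'upgrade needed' so that a broken or
    unexpected install never silently passes the check.
    """
    installed = parse_bind_version(named_v_output)
    return installed is None or installed < minimum


def local_named_version():
    """Run 'named -v' on this host; returns None if named is not installed."""
    try:
        return subprocess.run(["named", "-v"], capture_output=True, text=True,
                              check=False).stdout
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    banner = local_named_version() or SAMPLE_NAMED_V
    print(banner.strip())
    print("upgrade needed" if needs_upgrade(banner) else "at or above the minimum version")
```

Tuple comparison does the version ordering, so 9.11.4-P2 sorts below 9.11.5 and 9.16.1 sorts above both; the same function can be run over banners collected from every DNS host to produce the list of machines still to patch.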

Shut the door on open ports. Because external DNS servers reside outside the firewall, they are often the first point of attack for hackers running port scans for open ports. Either close every port on the current server that DNS does not need, or buy dedicated solutions that eliminate extraneous ports.
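The defender's version of that port scan is to list what the DNS host itself is listening on and compare it with what an authoritative name server needs. The audit below is an added example, not code from the column: it parses lines in the layout `ss -lntu` prints (the sample lines are constructed) and reports every listening socket outside a policy that is this example's assumption: 53/udp and 53/tcp may face the world, the rndc control channel on 953/tcp may listen only on loopback, and nothing else should listen at all.

```python
import subprocess

# Constructed sample in the column layout of "ss -lntu" (header omitted); not from a real host.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0               [::]:53            [::]:*
tcp   LISTEN 0      10           0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:953        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128                *:80               *:*
"""

# Policy for an external, authoritative-only DNS host (an assumption of this example).
ALLOWED_ANY = {("udp", 53), ("tcp", 53)}        # DNS itself
ALLOWED_LOOPBACK_ONLY = {("tcp", 953)}          # rndc control channel
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss_line(line):
    """Return (proto, local_host, local_port) from one ss line, or None for header/blank lines."""
    fields = line.split()
    if len(fields) < 5:
        return None
    host, _, port = fields[4].rpartition(":")    # rpartition keeps IPv6 "[::]" intact
    if not port.isdigit():
        return None                              # e.g. the "Local Address:Port" header
    return fields[0], host, int(port)


def audit_listeners(ss_output):
    """Return every listening socket the policy does not allow, as (proto, host, port)."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, host, port = parsed
        if (proto, port) in ALLOWED_ANY:
            continue
        if (proto, port) in ALLOWED_LOOPBACK_ONLY and host in LOOPBACK:
            continue
        findings.append((proto, host, port))
    return findings


def audit_this_host():
    """Run ss on the local machine; falls back to the constructed sample if ss is absent."""
    try:
        out = subprocess.run(["ss", "-lntu"], capture_output=True, text=True,
                             check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_SS
    return audit_listeners(out)


if __name__ == "__main__":
    for proto, host, port in audit_this_host():
        print(f"unexpected listener: {proto} {host}:{port}")
```

On the sample the audit reports the SSH daemon on 22/tcp and a web server on 80/tcp, which is exactly the "multiple services on the DNS box" situation the column warns about; 953/tcp passes only because it is bound to 127.0.0.1, so the same control port bound to 0.0.0.0 would be flagged.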

Explore other solutions. The cost of purchasing a complete system, rather than "rolling your own" BIND application, is often a wash. Yet such systems are often more secure and reliable. Server appliances, whose software and updates are written by the manufacturer, take the burden off internal staff, and their updates are often pushed out automatically as they become available. Other alternatives exist, as well.