Cover V14, i08



syslog

The scope of security vulnerabilities seems to get bigger every day. Various Web sites and lists (e.g., SANS Top 20) frequently identify the most common areas of weakness. These vulnerabilities include databases, Web servers, wireless networks, misconfiguration of enterprise services, and (topping the SANS list) the BIND Domain Name System. (See http://www.sans.org/top20/ for the complete list of both Unix and Windows vulnerabilities.)

Within these varied topics, the threats range from simple to sophisticated, and the configuration complexities are infinite. Recently, however, a specific threat known as "pharming", which exploits weaknesses in DNS software, has received a lot of media attention.

A pharming attack redirects a user's request for a legitimate URL to a false Web site set up by the hacker. "Pharming is possible because all URLs have to be translated into IP addresses, which is the job of the DNS. A hacker who poisons a DNS server will cause that server to answer a correct URL request with a phony IP address and hijack a user's Web interaction, usually for nefarious purposes," says Mark Leon in "The Looming Threat of Pharming" for InfoWorld (http://www.infoworld.com/article/05/06/06/23FEpharm_1.html).

Breaking into a DNS server's cache and inserting those false IP address records is called DNS "cache poisoning." One good way to protect against such attacks is to make sure you (and your ISP) are running BIND Version 9. Leon says "the first, best defense is to make sure you have all the latest DNS software and all security patch updates in place. The best, most succinct advice: If you're running BIND, upgrade to Version 9 because it's pretty much impossible to poison compared with earlier versions."

Another weapon to use against pharming attacks is DNSSEC. According to Leon's article, "most experts agree that DNSSEC, the DNS security protocol hammered out by the IETF 10 years ago, would make DNS close to bulletproof." Implementing DNSSEC, however, is easier said than done. For a good introduction, see "The Basics of DNSSEC" by Ibrahim Haddad and David Gordon at OnLAMP.com (http://www.onlamp.com/pub/a/onlamp/2004/10/14/dnssec.html). For more detailed information about DNSSEC, see http://www.dnssec.net/.

Pharming may be the threat of the week, but the vulnerabilities that allow such attacks to occur should not be underestimated. Sys admins need to understand how these various attacks occur and take steps to eliminate as many weaknesses as possible. This issue of Sys Admin includes articles on using Nessus and Nmap to conduct vulnerability assessments and tuning SELinux for your specific security needs.

Please consider submitting an article detailing your own experiences solving a tricky problem or implementing a useful tool. We're currently looking for articles within the topics of Networking, Software Tools, Open Source, and Security.

Sincerely yours,

Amber Ankerholz
Editor in Chief