[4302] in WWW Security List Archive
Re: Access Logfile Question
daemon@ATHENA.MIT.EDU (Phillip M Hallam-Baker)
Sun Feb 9 01:14:27 1997
From: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>
To: <dennis.glatting@plaintalk.bellevue.wa.us>,
"Paul F. Haskell" <phaskell@skyserv1.med.osd.mil>
Cc: <www-security@ns2.rutgers.edu>
Date: Sat, 8 Feb 1997 22:38:11 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
Preventing outside access to DNS servers is a very well established idea
and is in no way a breach of Internet regulations. I would always advise an
organization with a confidentiality need to take this step because machine
names can be very revealing, machines frequently end up being given
project names and there is a tendency for project names to reveal
information.
The general principle for securing a sensitive server is to disable every
facility that is not required. Telling the rest of the world your DNS names
is certainly not required. In fact it is not even necessary to have a DNS
address. My PPP dialup is bound to an address but there is no reason
why anyone would need it. If we used DHCP there would be no point in the
name at all.
I would generally employ router level filtering to prevent any access to internal
DNS systems. Bringing down a DNS server is an effective denial of
service attack. If you are serious about security you have to justify every
facility the machine provides and provide an analysis of potential
vulnerabilities.
That costs a considerable amount of time and I don't think anyone would want
to pay for it as far as reverse DNS goes.
Security through obscurity is a dangerous accusation to make. Five years
ago people were ridiculing the idea of shadow passwords in UNIX as
security through obscurity. Today programs like crack are far better known
and nobody would make the accusation. I've known as many people get
bitten by asinine pride in dismissing sensible precautions as obscurity
as have been fooled into thinking security alone would be sufficient.
Then again, you probably don't deal with sites that have quite the number
of hackers out to bring them down as I do :-)
Phill
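The post recommends router level filtering so that nobody outside can reach the internal DNS systems while a designated public name server stays reachable. The following is an added illustration, not code from the post or the list: a small first-match packet filter in Python that models such an inbound border rule set (anti-spoofing first, then the public DNS server on UDP and TCP 53, then an explicit deny for port 53 into the internal range, then a default deny) and an audit helper that turns the denies into log lines, so a probe aimed at an internal resolver can be told apart from ordinary noise. All addresses (10.0.0.0/8 as the internal range, 192.0.2.53 as the public DNS server, 203.0.113.7 as an outside client) and the sample packets are constructed placeholders.

```python
"""Toy first-match packet filter for the DNS boundary policy described in the post.
Added example; the networks, hosts and packets below are constructed, not real."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed: internal address space
PUBLIC_DNS = ipaddress.ip_network("192.0.2.53/32")  # constructed: the one externally visible DNS server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    note: str = ""                # why the rule exists; copied into audit log lines

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def border_inbound_rules() -> List[Rule]:
    """Rules for traffic arriving on the external interface; first match wins."""
    return [
        Rule("deny", INTERNAL_NET, ANY, note="anti-spoof: internal source address arriving from outside"),
        Rule("permit", ANY, PUBLIC_DNS, "udp", 53, note="public DNS server over UDP"),
        Rule("permit", ANY, PUBLIC_DNS, "tcp", 53, note="public DNS server over TCP (large replies)"),
        Rule("deny", ANY, INTERNAL_NET, dport=53, note="no outside access to internal DNS"),
        Rule("deny", ANY, ANY, note="default deny"),
    ]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the matching rule). The index says *which* rule fired,
    which is what makes the audit output useful."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    raise ValueError("rule set has no default rule")


def audit(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """One log line per denied packet, naming the rule that denied it."""
    lines = []
    for pkt in packets:
        action, idx = evaluate(rules, pkt)
        if action == "deny":
            lines.append(f"DENY {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst} "
                         f"rule={idx} ({rules[idx].note})")
    return lines


# Constructed sample traffic as seen on the external interface.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.53", "udp", 53),  # outside -> public DNS: permitted
    Packet("203.0.113.7", "10.0.0.53", "udp", 53),   # outside -> internal resolver: denied by rule 3
    Packet("203.0.113.7", "10.0.0.53", "tcp", 53),   # same over TCP: denied by rule 3
    Packet("10.0.1.5", "192.0.2.53", "udp", 53),     # internal source from outside: denied by rule 0
    Packet("203.0.113.7", "10.0.2.9", "tcp", 80),    # unrelated inbound: denied by default rule 4
]

if __name__ == "__main__":
    for line in audit(border_inbound_rules(), SAMPLE_PACKETS):
        print(line)
```

The explicit port 53 deny in front of the default deny is deliberate: both drop the packet, but only the explicit rule lets the audit log show that someone was specifically trying to reach an internal name server, which is the event a defender wants to notice.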