[4304] in WWW Security List Archive


Re: Access Logfile Question

daemon@ATHENA.MIT.EDU (Phillip M Hallam-Baker)
Sun Feb 9 03:25:57 1997

From: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>
To: <dennis.glatting@plaintalk.bellevue.wa.us>
Cc: "Paul F. Haskell" <phaskell@skyserv1.med.osd.mil>,
        <www-security@ns2.rutgers.edu>
Date: Sun, 9 Feb 1997 01:01:26 -0500
Errors-To: owner-www-security@ns2.rutgers.edu



> 
> In other words, they make stupid name choices. If an
> organization is concerned about confidentiality, as you
> suggest, I recommend they amend their security policy,
> assuming they have one, and address the naming issue.

I only ever put trust in a policy that is both auditable and
regularly audited. The principle of security is that there is
no such thing as paranoia. 

I cannot economically audit machine name choices. Nor is
it necessarily a good thing to do so. If the Black project is
known about in a company the best name for the Web server
with information on it is probably black.foo.com. It is not a
good thing however for outsiders to know that 128.34.xx.yy
is the black.foo.com machine.

I look for a security policy that is economic to implement. If
you want to offer a facility to the outside world I want to see 
an economic case for that facility being made available and 
a cost code to charge the cost to.

> Placing their hosts behind a firewall would be a valuable step
> too. With a firewall, such as CheckPoint's, the internal hosts
> need to be registered in the externally visible DNS.

Firewalls are not a panacea. The main idea of a firewall is
to allow control of the information going _out_ of a company.
They do not provide the catch all security solution many
imagine. All they really do is provide the security officer with
a convenient choke point at which security policies can be 
audited and enforced. If I had a security policy that Java be
disabled on company browsers I would instrument the firewall
to see who was breaking the policy.

> Obviously there is good reason to place dynamic addresses into
> DNS; otherwise, dynamic update would not be on the IETF's
> agenda.

That is generally for long leases on the IP address so that people
with cable dialup can run Web servers from their home. In the longer
term the idea is to drive the entire Internet from DHCP and avoid most
of the tedious reconfiguration required. It also smooths the path for
IPng.

At present however many people have systems where DNS lookup is
simply irrelevant. Their machine has no individual personality and there
is no need to give it a name. Indeed to do so is unnecessary.

> Often internal DNS servers access external ones requiring a
> return path. Packet filtering offers no protection from
> spoofing or denial of service attacks against those servers.

That's why I would have a DNS proxy on the firewall so that a denial
of service attack was stopped dead at the moat so to speak. I
would not make the internal lookup servers the same as the authoritative 
name servers and I would not make the authoritative name servers
reachable from the outside world.

> > Then again, you probably don't deal with sites that have quite
> > the number of hackers out to bring them down as I do :-)
> >
> 
> Not placing hosts into DNS has an opposite effect, as it did
> here: it makes people curious. The value of registering or not
> registering is debatable. Regardless, one is not protected
> from the curious or scan searches.

> If an attacker is interested in an organization, there are
> other avenues to learn their addresses such as searching the
> rwhois database, searching for archived e-mail and news
> articles across the Internet and examining their headers, or
> simply monitoring the organization's route points.

True, the point of counter espionage is to drive up the adversary's
cost of doing operations so that resources limit the amount of 
information gathered. 

		Phill

