: In message <[email protected]> "Roland Hall"
:
: >: Personally, I don't see the harm in having this information publicly
: >: available -- In most cases an attacker will already be able to perform
: >: DNS lookups within your network by the time they get far enough in to do
: >: any damage.
: >
: >So why make it available without having to break in to get it? A hacker
: >should not be allowed to perform a zone transfer nor should she be able to
: >engineer internal information externally.
:
: I didn't say anything about zone transfers, just that there is little
: (to no) harm in allowing DNS lookups.
I threw that in to strengthen my argument but I disagree with your
statement. Unless you're a network security professional you may not
realize how all information gained can and will be used against you. BTW...
I have found numerous DNS zones completely open. I've even seen OWA fully
exposing a company's private information with a link on their main web page.
The identity thieves would have peed their pants to get it.
: In general, by the time someone is far enough along that they can make
: use of the knowledge of internal IPs they can likely just do resolution
: anyway.
:
: It might not be best practice, but it's not generally harmful either.
If I know the name of your user's logon or system or their name for that
matter, or even the name of the main DC, I can use that to social engineer
your users. I'm generally an optimist, except when it comes to network
security. I trust nobody, including myself.
Whether you can perceive it to be harmful or not is not the point. The
point is there is no reason to expose it.
Have you ever ordered pizza over the phone for delivery and paid by credit
card that you gave to them over the phone? Did you hear them repeat it, so
as to make sure it was correct? Didn't they also take your address and
phone number so they could verify you were who you said you were and so they
could deliver it? At the time... did you feel it not generally harmful?
: >: All that being said, my DNS is in private name space. I use a
: >: internal.example.com nomenclature where everything under internal is
: >: only resolvable internally, externally most of it points to NXDOMAIN,
: >: although a few hosts have valid external IPs (the VPN server being a big
: >: one -- Some people VPN internally too, so it makes everybody's life
: >: easier)
: >
: >Any door you create into your private network is another door for a
: >potential hacker to exploit. Doors should be kept at a minimum. MSFT was
: >hacked twice through a VPN into the private network. How? The user on the
: >other end was not secure and while conned into downloading a soon to be
: >released version of a game, also downloaded a trojan which gave the hackers
: >the ability to traverse the internal network through the tunnel. All they
: >had to do was wait until he opened the door and then they just walked right
: >in.
:
: Agreed. My VPN is relatively secure since there are a limited number of
: users with access, and an even smaller number of them know their own VPN
: credentials (so they can't just walk into an internet cafe and VPN from
: there)
And who set up their end? Nobody mentioned an internet cafe. I'm talking
about the system they're on at home. How secure is it? Do their kids use
their system? Do they download applications from the Internet? When did
they last update their antivirus software? Is it enabled at all times? How
much spyware do you think they have on their system? If the spyware can get
in, just how secure are they? How many ports do they expose to the
Internet? Do they even have a firewall? Do they use file sharing like
eDonkey or Kazaa? Are they running host-based IDS? When is the last time
they checked their log files, for the OS, the personal firewall, IDS, border
firewall? How many Windows updates have they downloaded that have yet to be
installed? I was on a system the other day. All patches were downloaded
and none were installed and these were on Windows 2000. He had almost 600
spyware instances. You couldn't hardly do anything with all the popups.
Removing one removed part of Winsock. Winsock registry entries had to be
removed and TCP/IP reinstalled before connectivity could be restored.
BTW... he was running antivirus and sitting behind a firewall.
: The VPN doesn't completely bypass the firewall either, it just gives you
: access to some internal resources that are otherwise inaccessible.
You have internal resources outside your firewall? How is that possible?
How can something internal be outside? What exactly is an incomplete
bypass?
: It
: would be a good place to start and attack, but the attacker had better
: get the password within three tries if they want to go anywhere other
: than to a syslog somewhere.
It doesn't work that way. If your user is compromised, they just wait for
the user to unlock the door. You are logging successful and unsuccessful
attempts, right? Do you run a packet sniffer to log all traffic?
: While this doesn't protect against a compromised user, that's not a huge
: concern here, I trust all of the VPN-enabled users to maintain their
: PC's security.
You're very understanding. So, how do you protect your network from your
users? You do realize they are more dangerous than others, don't you?
: >: I walked into a bar the other day and ordered a double.
: >: The bartender brought out a guy who looked just like me.
: >
: >Cute. (O:= I like silly tags. One of my favorites is:
: >Two cannibals are eating a clown.
: >One turns to the other one and asks, "Does this taste funny to you?"
:
: I like...
:
: --
: If you've had half as much fun reading this as I've had writing it,
: I've had twice as much fun as you.
It's nice to see you don't take disagreements with your philosophy personally.
I always like to hear the other side. To date, I have not been on a network
that was not lacking in security somewhere.