A CSCE 548 presentation: Trusting Network Name Resolution

Presentation transcript:

1 A CSCE 548 presentation: Trusting Network Name Resolution
By: Ajay Kumar Koduri
Source: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them, by Michael Howard, David LeBlanc and John Viega

2 Contents
Overview of the problem
Spotting the sin pattern
Spotting the sin during code review
Redemption steps
References and other resources
Conclusion

3 Overview of the problem
What is name resolution?
DNS or WINS (Windows Internet Name Service) are used for name resolution.
Possible types of attacks.
The sin in detail.

4 Overview of the problem (figure; source not given in the transcript)

5 Overview of the problem (figure; source not given in the transcript)

6 Spotting the sin pattern
This sin applies to any application that acts as a client or server on a network. Check whether the client is a standard browser: (i) standard browsers perform most of the low-level security checks; (ii) if the client is not a standard browser, the SSL/TLS checks must be performed in the code. SSL can also be used to authenticate the client to the server.

7 Spotting the sin during code review
There is no security checklist to tick off, because the defects are built into the architecture of the application. Unlike other sins, trusting name resolution is completely independent of the programming language you use; the infrastructure relied on is the problem. Check which network protocol is used for communications, and avoid UDP as a transport, as it is more vulnerable than TCP.

8 Testing techniques to find the sin
Build an evil client and an evil server. Approach: create a way to proxy the information between the client and the server, then check how the client behaves when it is talking to an attacker-controlled server.

9 Redemption steps
Ensure the connections run over SSL and that the code performs all the appropriate PKI (Public Key Infrastructure) checks.
Use IPSec (Internet Protocol Security).
Use public key cryptography.
Map DNS names to IP addresses using a "hosts file" (the easiest way).

10 More redemption steps
Do not trust DNS information, as it is not reliable.
Specify IPSec for the systems on which your application will run.
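The redemption steps on slides 9 and 10 (a pinned "hosts file" mapping instead of trusting DNS, and SSL with the full PKI checks) and the code-review question of slide 7, as an added example in Python that is not from the slides or the book; the pin table, the names and the TEST-NET addresses are constructed for illustration, and the weak context is shown only to contrast it with the checked one.

```python
import ipaddress
import socket
import ssl

# Constructed stand-in for a hosts file: the only name->address mappings the
# client trusts. Anything absent is refused, never looked up in DNS.
PINNED_HOSTS = {
    "api.internal.example": "192.0.2.10",  # TEST-NET-1 addresses, constructed
    "db.internal.example": "192.0.2.20",
}

class UntrustedNameError(LookupError):
    """Raised for a name that has no pinned address."""

def resolve_pinned(name: str, pins: dict = PINNED_HOSTS) -> str:
    """Resolve NAME through the pin table only; never fall back to DNS."""
    key = name.strip().lower().rstrip(".")
    if key not in pins:
        raise UntrustedNameError(f"no pinned address for {name!r}")
    addr = pins[key]
    ipaddress.ip_address(addr)  # reject a tampered or garbled table entry
    return addr

def weak_context() -> ssl.SSLContext:
    """The sin: accept any certificate from whatever host DNS pointed at."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def trusted_context() -> ssl.SSLContext:
    """Redemption: require a chain to a trusted CA and a matching hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def context_enforces_pki(ctx: ssl.SSLContext) -> bool:
    """Code-review check: does this context really perform the PKI checks?"""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED

def connect(name: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect to the pinned address but verify the certificate against NAME."""
    addr = resolve_pinned(name)
    raw = socket.create_connection((addr, port), timeout=timeout)
    # server_hostname binds the certificate check to the name the caller asked
    # for, so a wrong address (bad pin, redirection) still fails closed.
    return trusted_context().wrap_socket(raw, server_hostname=name)
```

Even with the address pinned, `connect()` still hands the requested name to `wrap_socket`, so the certificate must match the name and chain to a trusted CA; a client that skips either check is the pattern slide 7 asks reviewers to look for.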

11 Conclusion
If overlooked, this problem can harm the client severely. Applying the redemption steps above to mitigate the possible vulnerabilities is therefore good practice, especially where high security is desired.

12 References and other resources
Building Internet Firewalls, Second Edition, by Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman (O'Reilly, 2000).
24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them, by Michael Howard, David LeBlanc and John Viega.
Threat Analysis of the Domain Name System (DNS), RFC 3833: archive.org/getrfc.php?rfc=3833
DNS Security Extensions: DNSSEC Deployment Initiative.
Oz impact_of_rfc_on_dns_spoofing.pdf
