The debate over creating a single, multivendor patch to shore up Domain Name System servers appears likely to continue into the fall. Meanwhile, agencies have begun Phase Two of the cutover of networks to Internet Protocol Version 6. So how can federal IT staffs keep their agencies secure from DNS vulnerabilities?
IPv6 Phase 2 began in July, after agencies proved that they had basic IPv6 capabilities to send and receive IPv6 traffic internally and externally.
According to Peter Tseronis, chairman of the Federal IPv6 Working Group, a chief action item during Phase 2 focuses on development of operational guidance for secure deployment of IPv6. But he also points out that agencies need to craft enterprise security plans that support end-to-end security: “Securing IPv6 not only depends on the protocol but also on integration planning and implementation.”
Given the revelation earlier this year that DNS servers can expose users to attacks (cache poisoning, malicious redirect and denial of service) and the lack of a single solution, agencies must apply fixes to keep their data and IT assets safe. Government security organizations and standards bodies have issued some suggestions.
The U.S. Computer Emergency Readiness Team provided tips on how to stymie cache poisoning and redirect attacks. (By introducing forged DNS information into the cache of a caching nameserver, the attacker can gain control of a system to download malware or to redirect a client to a fake site.)
For starters, US-CERT offers these recommendations:
The Internet Engineering Task Force has created a draft server configuration to help deflect a denial-of-service attack using a recursive nameserver. The main line of defense calls for providing recursive name look-up service only to the intended clients. IETF suggests several ways to authorize clients:
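An added example, not part of the article or of the IETF draft: one way an agency could verify that a nameserver offers recursion only to its intended clients is to send it a recursive query from an outside address and inspect the reply header. The function names and the sample replies below are constructed for illustration; the flag bits and response codes are those of the DNS message header in RFC 1035.

```python
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000   # header flag bits (RFC 1035)
REFUSED, NXDOMAIN = 5, 3              # response codes

def build_query(name, qid=0x1234):
    """A-record query for `name` with RD (recursion desired) set."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def classify(query, reply):
    """Judge a reply to a recursive query sent from OUTSIDE the intended client set."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "malformed"            # not a response to this query
    rcode = flags & 0x000F
    if rcode == REFUSED or not flags & RA:
        return "restricted"           # recursion denied or not offered
    if ancount > 0 or rcode == NXDOMAIN:
        return "open"                 # server recursed for a stranger
    return "inconclusive"             # e.g. SERVFAIL, or RA set with an empty answer

def sample_reply(query, flags, with_answer=False):
    """Build a constructed reply to `query` (illustrative, not captured traffic)."""
    qid = struct.unpack("!H", query[:2])[0]
    body = query[12:]                 # echo the question section
    if with_answer:                   # one A record, name compressed to offset 12
        body += struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4, 192, 0, 2, 1)
    return struct.pack("!6H", qid, flags, 1, int(with_answer), 0, 0) + body

QUERY = build_query("www.example.com")
SAMPLES = {                           # constructed sample replies
    "refuses outsiders": sample_reply(QUERY, QR | RD | REFUSED),
    "authoritative only": sample_reply(QUERY, QR | RD | 0x0400, with_answer=True),
    "open resolver": sample_reply(QUERY, QR | RD | RA, with_answer=True),
}

def audit():
    """Classify every constructed sample reply."""
    return {label: classify(QUERY, reply) for label, reply in SAMPLES.items()}

if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:20s} {verdict}")
```

A verdict of "open" for a query sent from outside the agency's address space means the server is recursing for clients it was never meant to serve.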