2008/02/11

What's in (or on) a domain name...

I was thinking about this earlier this morning, and it also came up at work: what do you do with the domain names of non-trusted sites? If you work at a large ISP that does hosting or supplies access to customers, how do you differentiate your corporate assets from your customer assets? This came to me a while back while reviewing GPO changes to allow ActiveX to run at a less secure setting; the initial request was to allow any site under the second-level domain to run at that permission level. Then I realized our customers share that domain name. Granted, DNS isn't what you should depend on for security, but you can't very well go around allowing everything by IP either, and I do trust our internal DNS servers to a relatively good extent.

So what exactly am I talking about? At my company, we have customers who have an IP, say 128.128.128.128, and based on their location and customer ID number we might give them a DNS name of c123456srv01x.stl.company.com. We also have a portal site for our customers at portal.company.com. Our wonderful developers in the past have implemented JavaScript and other mobile code that might require people to set looser permissions in their browser than desired. If that permission is granted by domain rather than by exact host, a customer-controlled name like c123456srv01x.stl.company.com inherits the same trust as the portal, and the customer decides what answers at that name. A user tricked into visiting a hostile customer address could then be infected, hit with XSS, or have information pulled out by other such means.

So now, we ask, what do we do? Well, there are a few courses of action:
- Use a different second-level domain for your customers
- Ensure that the security folks add the FQDN, not a domain wildcard, for the sites that need the extended permissions, so a customer asset cannot inherit them and attack your users
- Train your TAC/NOC/Helpdesk to recognize when this type of attack might be going on (although this might not be 100% effective)
- Cross your fingers (OK, this really provides no effective defense, but it could give that feel-good vibe to upper management)
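As an added example (not part of the original post), the following Python checks the scenario above: given the browser's site-to-zone rules, which hosts would get the elevated permissions, and do any of them fall in the customer-assigned part of the namespace? It also shows why a portal session cookie scoped to Domain=.company.com would be sent to a customer box. The hostnames and the regex for the customer naming convention are assumptions constructed from the post's c123456srv01x.stl.company.com example; the separate customer domain company-customers.example is hypothetical and only illustrates the first option in the list.

```python
import re

# Constructed hostnames following the naming scheme described in the post.
PORTAL_HOST = "portal.company.com"
CUSTOMER_HOST = "c123456srv01x.stl.company.com"
# Hypothetical: the same customer box under a separate second-level domain (first option above).
CUSTOMER_HOST_SEPARATE = "c123456srv01x.stl.company-customers.example"

# Assumed customer naming convention: c<6-digit id>srv<2-digit nn>x.<site>.company.com
CUSTOMER_NAME_RE = re.compile(r"^c\d{6}srv\d{2}x\.[a-z0-9-]+\.company\.com$")


def is_customer_host(hostname: str) -> bool:
    """True if the name falls in the customer-assigned part of the corporate namespace."""
    return CUSTOMER_NAME_RE.match(hostname.lower().rstrip(".")) is not None


def zone_matches(pattern: str, hostname: str) -> bool:
    """Site-to-zone style matching: '*.company.com' covers every host under company.com
    (assumed here to include the apex itself); a bare FQDN covers only that one host.
    Matching is label-based, so 'company.com.evil.example' and 'notcompany.com'
    do not match '*.company.com'."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if pat.startswith("*."):
        suffix = pat[2:]  # 'company.com'
        return host == suffix or host.endswith("." + suffix)
    return host == pat


def audit_zone_rules(patterns, hostnames):
    """Return (pattern, host) pairs where a customer-controlled host would inherit
    the elevated zone. An empty list means no customer asset gets the permissions."""
    return [(p, h) for p in patterns for h in hostnames
            if zone_matches(p, h) and is_customer_host(h)]


def cookie_sent_to(cookie_domain: str, hostname: str) -> bool:
    """RFC 6265 domain matching: a cookie scoped to Domain=company.com is sent to every
    host under it, customer boxes included; a cookie scoped to the portal's own name
    stays on the portal."""
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    host = hostname.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    hosts = [PORTAL_HOST, CUSTOMER_HOST, CUSTOMER_HOST_SEPARATE]
    print("wildcard rule grants customer hosts:", audit_zone_rules(["*.company.com"], hosts))
    print("FQDN rule grants customer hosts:    ", audit_zone_rules([PORTAL_HOST], hosts))
    print("Domain=.company.com cookie reaches customer box:",
          cookie_sent_to(".company.com", CUSTOMER_HOST))
```

Run against the three constructed names, the wildcard rule flags c123456srv01x.stl.company.com, the exact-FQDN rule flags nothing, and the host on the separate second-level domain never matches the corporate wildcard at all, which is the whole point of the first option. The same audit can be pointed at a real GPO export and a zone transfer of the customer namespace.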

I'm sure there are other options out there; post a few that you have that others might want to know about. The few that I mentioned aren't always the easiest, but I'm one who likes a good defining line of separation.

Good luck defending your network assets.
