The U.S. military's years-long effort to deploy DNS Security is a good example of how difficult it is for enterprises to retrofit their networks with security fixes to the Internet's underlying protocols.
An early and ongoing participant in the development of DNS Security, the Defense Department has worked both directly and through contractors to prepare .mil to be the Internet's first domain to deploy DNS Security. Yet despite efforts going back at least five years, .mil remains vulnerable to hackers who want to spoof one of its Web sites by exploiting well-known holes in DNS.
DNS Security adds digital signatures and public key encryption to the DNS' hierarchical, distributed database system to verify that a domain name matches a corresponding IP address. Developed by the Internet Engineering Task Force, DNS Security was issued as a proposed standard in November, 2000.
Since then, the Defense Information Systems Agency has been working to deploy DNS Security across the thousands of application servers in use today on .mil that provide Web, e-mail and other services. The upgrade involves migrating all of these servers to the latest version of Berkeley Internet Name Domain (BIND) software, 9.2.1, which supports DNS Security.
DISA officials say they are deploying DNS Security in two phases. First they are rolling out the Secret Key Transaction Authentication for DNS, dubbed TSIG. TSIG provides transaction-level authentication for the dynamic updates coming from DNS clients as well as the responses sent by DNS servers. Next, DISA will deploy Signed Zones, which uses digital signatures to verify information for a particular spot in the DNS hierarchy.
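To make the TSIG half of that plan concrete, here is an added example (written for this article, not DISA's or BIND's code) of what transaction authentication does for a dynamic update. It constructs a toy DNS UPDATE message, computes an HMAC over the message plus the TSIG record fields that RFC 2845 covers, and then shows the server-side check rejecting a tampered update, a replayed one outside the fudge window, and one signed with a different secret. The key name, secret, zone and addresses are all constructed for the example; the message encoder is a simplification (no request MAC, no TSIG RR appended to the wire message) rather than a full implementation.

```python
import hashlib
import hmac
import struct

# Hypothetical shared secret and key name, constructed for this example only.
SHARED_KEY = b"constructed-demo-secret-do-not-reuse"
KEY_NAME = "update-key.example.mil."
ALGORITHM = "hmac-sha256."   # algorithm name as written in a TSIG RR (RFC 4635)
FUDGE = 300                  # seconds of allowed clock skew, BIND's usual default


def encode_name(name):
    """Encode a dotted domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, name, ip):
    """Construct a toy DNS UPDATE message: header, zone section, one A record.
    Constructed for the example; not a complete RFC 2136 encoder."""
    # id, flags (opcode 5 = UPDATE), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)      # SOA, IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    record = encode_name(name) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    return header + zone_section + record


def tsig_variables(time_signed, error=0):
    """TSIG record fields that the MAC covers (RFC 2845 section 3.4.2)."""
    return (encode_name(KEY_NAME)
            + struct.pack("!HI", 255, 0)            # class ANY, TTL 0
            + encode_name(ALGORITHM)
            + struct.pack("!Q", time_signed)[2:]    # 48-bit time signed
            + struct.pack("!HHH", FUDGE, error, 0))  # fudge, error, other len


def tsig_sign(message, time_signed, key=SHARED_KEY):
    """Client side: MAC over the DNS message followed by the TSIG variables."""
    return hmac.new(key, message + tsig_variables(time_signed), hashlib.sha256).digest()


def tsig_verify(message, mac, time_signed, now, key=SHARED_KEY):
    """Server side: reject signatures outside the fudge window (replay and clock
    skew), then recompute the MAC and compare it in constant time."""
    if abs(now - time_signed) > FUDGE:
        return False
    expected = tsig_sign(message, time_signed, key)
    return hmac.compare_digest(expected, mac)


def demo():
    """Run the four cases a TSIG-protected server distinguishes; returns a dict."""
    now = 1_700_000_000
    genuine = build_update("example.mil.", "host.example.mil.", "10.0.0.5")
    altered = build_update("example.mil.", "host.example.mil.", "10.0.0.9")
    mac = tsig_sign(genuine, now)
    return {
        "genuine": tsig_verify(genuine, mac, now, now),
        "tampered": tsig_verify(altered, mac, now, now),          # body changed in flight
        "replayed": tsig_verify(genuine, mac, now, now + 3600),   # old signature reused later
        "wrong_key": tsig_verify(genuine, mac, now, now, key=b"other-secret"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} accepted={accepted}")
```

The point the article's two-phase plan rests on is visible in `demo()`: without a shared secret the server has nothing to check, so any host that can reach it can push an update or forge a response; with TSIG, only the message that matches the key, the clock window and the exact bytes is accepted. Signed Zones address the complementary problem (data at rest in the zone, verified with public keys) and are not modelled here.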
Together, TSIG and Signed Zones will ensure that the .mil "domain name information and transactions are genuine," a DISA spokesman says. "DISA plans to implement both Transaction Authentication and Signed Zone as soon as technically feasible."
DISA is rolling out TSIG on DNS servers under its control at the highest levels of the .mil hierarchy, a process that will be completed by the end of the calendar year. DISA then plans to coordinate with the military's Joint Staff to address TSIG deployment on DNS servers under the control of various military services and agencies.