When IPS isn’t enough (Windows DNS zero day)

Yesterday I blogged about how useful IPS tech is and today I’m going to blog about how it isn’t enough. How’s that for being conflicted!

Microsoft is warning folks of a DNS vulnerability with a twist: port 53 isn’t the vulnerable port. The attack vector is RPC, which according to Erratasec puts a kink in IPS inspection.

Until a patch is released, Microsoft has a few workarounds listed in the ‘Suggested Actions’ section of their advisory.

Again, common sense and best practices will help limit your exposure, mainly through firewall control. Something to consider for future protection would be to segment your network with firewalls or VLANs with strong defensive ACLs. For example, your workstation subnets don’t need access to the ephemeral ports of a DNS server; they only need UDP and TCP port 53.

DNS is a core service and thus should be aggressively protected. Local firewalls and HIPS are definitely indicated. Plan now and you’ll be happy you did.

I forgot to mention that split DNS will likely save your bacon here. Put BIND servers out on the wild-wild-internet with only UDP:53 open and have your internal Windows DNS servers forward out to those external servers. That way any worm that hits you has to ride in on email or a laptop or some other secondary vector that’s hopefully already well protected.
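As an added illustration (not code from the original post), here is a small audit of constructed firewall-log flows against the segmentation policy described above: workstations reach the internal DNS server only on port 53, RPC (endpoint mapper on 135 plus the dynamic high ports) only from an admin subnet, and the internet-facing BIND host accepts nothing but UDP/53. All addresses, subnets and log lines are assumptions made for the example.

```python
"""Audit flows against the DNS segmentation policy from the post.
Addresses, subnets and log format are hypothetical."""
import ipaddress

WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")   # assumed workstation space
ADMIN = ipaddress.ip_network("10.99.0.0/24")          # assumed admin/management subnet
INTERNAL_DNS = ipaddress.ip_address("10.0.0.53")      # assumed Windows DNS server
EXTERNAL_DNS = ipaddress.ip_address("192.0.2.53")     # assumed BIND host (TEST-NET address)

RPC_EPM = 135
EPHEMERAL = range(1025, 65536)   # dynamic RPC range assumed for this example


def verdict(src, dst, proto, dport):
    """Return 'allow', 'deny' or 'ignore' for one flow under the policy."""
    src, dst, proto = ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower()
    if dst == EXTERNAL_DNS:
        # Public resolver: only UDP/53 is exposed, from anywhere.
        return "allow" if (proto == "udp" and dport == 53) else "deny"
    if dst == INTERNAL_DNS:
        if proto in ("udp", "tcp") and dport == 53:
            return "allow"                       # normal name resolution
        if src in ADMIN and proto == "tcp" and (dport == RPC_EPM or dport in EPHEMERAL):
            return "allow"                       # RPC management from admin hosts only
        return "deny"                            # workstations never need RPC/ephemeral
    return "ignore"                              # not a DNS host, outside this policy


def parse_line(line):
    """Parse a constructed 'src=.. dst=.. proto=.. dport=..' log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], fields["proto"], int(fields["dport"])


def violations(lines):
    """Return the log lines whose flow the policy would deny."""
    return [ln for ln in lines if verdict(*parse_line(ln)) == "deny"]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "src=10.10.4.7 dst=10.0.0.53 proto=udp dport=53",       # workstation lookup: fine
    "src=10.10.4.7 dst=10.0.0.53 proto=tcp dport=135",      # workstation -> RPC EPM: deny
    "src=10.10.4.7 dst=10.0.0.53 proto=tcp dport=1047",     # workstation -> ephemeral: deny
    "src=10.99.0.5 dst=10.0.0.53 proto=tcp dport=135",      # admin -> RPC EPM: allowed
    "src=198.51.100.9 dst=192.0.2.53 proto=udp dport=53",   # internet -> BIND UDP/53: fine
    "src=198.51.100.9 dst=192.0.2.53 proto=tcp dport=135",  # internet -> BIND RPC: deny
    "src=10.10.4.7 dst=10.10.4.8 proto=tcp dport=445",      # not a DNS host: ignored
]

if __name__ == "__main__":
    for bad in violations(SAMPLE_LOG):
        print("POLICY VIOLATION:", bad)
```

Run against real firewall or NetFlow exports, the same check shows which subnets are actually reaching the RPC ports on your DNS servers before you tighten the ACLs.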

Very nice set of mitigations going over and above the usual “Turn it off, firewall it, wait for the patch” that most of those you linked to have already mentioned.

I do have to somewhat disagree on your first point though. I also love my IDSs, and while detection will be difficult with one, it’s not impossible. Certainly there will be limited Microsoft DNS RPC specific signatures for a while, but most IDS vendors do provide a plethora of more generic signatures that could be useful. Shellcode detected signatures firing on traffic to port 3207/udp from an IP address in South East Asia should still send up a red flag. At least it’s something until this exploit hits Milw0rm and we can do some controlled traffic analysis of our own.