台湾电脑网路危机处理中心暨协调中心台湾电脑网路危机...

yaqi001
2 ℃
2016-06-03

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

1台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterTWNICDNS網路安全研討會安全問題之解決對策(DNSSEC)TWCERT/CC陳宗裕台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterWhydoweneedDNSSEC?nManyapplicationdependonDNSnDNSisnotsecurenThereareknownvulnerabilitiesnDNSSECprotectagainstdataspoofingandcorruptions2台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterOutlinenIntroductionnDNSSECmechanismsntoauthenticatecommunicationbetweenhostsnTSIG/SIG0ntoestablishauthenticityandintegrityofdatanNewRRsnSigningasinglezonenBuildingchainsoftrustnKeyexchangeandkeyrolloversnNXTandwildcardissuesnConclusions台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterDNS:KnownConceptsnKnownDNSconcepts:nDelegation,Referral,Zone,RRs,label,RDATA,authoritativeserver,cachingforwarder,stubandfullresolver,SOAparameters,etc.3台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterDNS:DataFlowmasterCachingforwarderresolverZoneadministratorZonefileDynamicupdates12slaves345台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterDNSVulnerabilitiesmasterCachingforwarderresolverZoneadministratorZonefileDynamicupdates12slaves3Serverprotection45CorruptingdataImpersonatingmasterUnauthorizedupdatesCacheimpersonationCachepollutionbyDataspoofingDataprotection4台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterMotivationforDNSSECDNSSECprotectsagainstdataspoofingandcorruptionnDNSSEC(TSIG/SIG0)providesmechanismstoauthenticatecommunicationbetweenserversnDNSSEC(KEY/SIG/NXT)providesmechanismstoestablishauthenticityandintegrityofdatanDNSSEC(DS)providesamechanismtodelegatetrusttopublickeysofthirdpartiesnAsecureDNSwillbeusedasaninfrastructurewithpublickeysnHoweveritisNOTaPKI台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterDNSSECMechanismstoAuthenticateCommunicationnTSIGnSIG05台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterTSIGProtectedVulnerabilitiesZonefileslavesmasterCachingforwarderresolverZoneadministratorDynamicupdatesUnauthorizedupdatesImpersonatingmaster台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterTransactionSignature:TSIGnTSIG(RFC2845)nauthorizingdynamicupdates&zonetransfersnauthenticationofcachingforwardersncanbeusedwithoutdeployingotherfeaturesofDNSSECnOne-wayhashfunctionover:nDNSquestionoranswern&thetimestampnSignedwith“sharedsecret”keynUsedinserverconfiguration,notinzonefile6台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterSOA…SOASig...MasterAXFRTSIGexampleSlaveKEY:%sgs!f23fvKEY:%sgs!f23fvAXFRSig...Sig...SOA…SOASig...SlaveKEY:%sgs!f23fvverificationverificationQuery:AXFRResponse:Zone台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterSummary:TSIGConfigurationstepsnConfiguringsecuretransfersbetweenserverswithTSIG1.Generateakeyusing“DNSSEC-keygen”2.Communicatekeywithyourpartner(off-band,PGP…)3.Configureyourservertorequirethekeyforzonetransfersn“key”statementtoconfigurethekeyn“allow-transfer”statementinthe“zone”statementntip:use“includefile_name”4.HaveyourpartnersconfiguretheirserverstousethekeywhentalkingtoyounUsingthe“server“statement7台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterAuthenticatingServersUsingSIG0nAlternativelyitspossibletouseSIG0nNotwidelyusedyetnWorkswellindynamicupdateenvironmentnPublickeyalgorithmnAuthenticationagainstapublickeypublishedintheDNSnSIG0specifiedinRFC2931台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterImportanceoftheTimeStampnTSIG/SIG0signsacompleteDNSrequest/responsewithtimestampntopreventreplayattacksn‘secondssinceepoch’ncurrentlyhardcodedat5minutesnOperationalproblemswhencomparingtimesnMakesureyourlocaltimezoneisproperlydefinedndate-uwillgiveUTCtime,easytocomparebetweenthetwosystemsnUseNTPsynchronization!!!8台灣電腦網路危機處理中心暨協調中心台灣電腦網路危機處理中心暨協調中心TaiwanTaiwanComputerEmergencyResponseTeam/CoordinationCenterComputerEmergencyResponseTeam/CoordinationCenterDNSSECMechanismstoEstablishAuthenticit