Page 587 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Mitigating or resolving these attacks is not always simple or straightforward. There is no easy patch or update that will prevent these exploits from being waged against a client, because these attacks take advantage of the normal and proper mechanisms built into various protocols, services, and applications. Thus, instead of a patch to fix a flaw, the defense is more of a detective and preventive concern. As a general starting point, keep operating systems and applications current with patches from their respective vendors. Next, install both host-IDS and network-IDS tools to watch for abuses of these types. Regularly review the logs of your DNS and DHCP systems, as well as local client system logs and potentially firewall, switch, and router logs, for entries indicating abnormal or questionable occurrences.

Organizations should use a split-DNS system (aka split-horizon DNS, split-view DNS, and split-brain DNS). A split-DNS deploys a DNS server for public use and a separate DNS server for internal use. All data in the zone file on the public DNS server is accessible by the public via queries or probing. However, the internal DNS is for internal use only. Only internal systems are granted access to interact with the internal DNS server. Outsiders are prohibited from accessing the internal DNS server by blocking inbound port 53 for both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP 53 is used for zone transfers (which includes most DNS server-to-server communications), and UDP 53 is used for queries (which is any non-DNS system sending a query to a DNS server). Internal systems can be configured to interact only with the internal DNS servers, or they may be allowed to send queries to external DNS servers (which does require the firewall to be a stateful inspection firewall configured to allow responses to return to the internal system from an approved outbound query).
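The firewall side of the split-DNS arrangement described above, as an added nftables ruleset that is not from the study guide; the interface names, server addresses and network ranges are constructed assumptions:

```nft
# Added example (not the study guide's own): perimeter firewall policy for
# split-DNS. Assumed (constructed) topology:
#   eth0 = Internet, eth1 = LAN clients 10.0.0.0/16,
#   eth2 = DMZ holding the public DNS server 203.0.113.53,
#   eth3 = internal server segment holding the internal DNS server 10.1.0.53
flush ruleset

table inet split_dns {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful inspection: replies to an approved outbound query are
        # allowed back in; anything that matches no tracked connection is dropped
        ct state established,related accept
        ct state invalid drop

        # Public DNS in the DMZ answers anyone on UDP 53 (queries) and TCP 53
        # (zone transfers and truncated/large responses). Which peers may pull
        # a zone transfer is restricted in the DNS server's own configuration,
        # not here.
        iifname "eth0" oifname "eth2" ip daddr 203.0.113.53 \
            meta l4proto { tcp, udp } th dport 53 accept

        # Internal DNS: only internal clients may query it
        iifname "eth1" oifname "eth3" ip saddr 10.0.0.0/16 ip daddr 10.1.0.53 \
            meta l4proto { tcp, udp } th dport 53 accept

        # Outsiders reaching for the internal DNS server: log, then drop
        iifname "eth0" ip daddr 10.1.0.53 meta l4proto { tcp, udp } th dport 53 \
            log prefix "INBOUND-53-TO-INTERNAL-DNS " drop

        # Optional: let internal systems query external resolvers directly.
        # The responses come back through the established,related rule above.
        iifname "eth1" oifname "eth0" ip saddr 10.0.0.0/16 \
            meta l4proto { tcp, udp } th dport 53 accept
    }
}
```

Load with `nft -f` on a Linux gateway; the logged prefix gives the firewall-log entries the text recommends reviewing.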