NetClarity have just posted a short 3 minute guide that illustrates the common threats faced by organisations today. If you have 3 minutes, it’s well worth a look!
The post Control Network Access with NetClarity appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
Efficient IP has released a new version of its IPAM, DNS-DHCP management software, SOLIDserver. The new features include:
More information on the latest Efficient IP SOLIDserver releases is available from the Efficient IP product portal.
The post Efficient IP releases SOLIDserver v5.0.1 appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
ISC BIND DNS 9.8.x through 9.8.4-P1 and 9.9.x through 9.9.2-P1, in certain configurations involving DNS64 with a Response Policy Zone that lacks an AAAA rewrite rule, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for an AAAA record.
Please check the ISC knowledgebase for further information (opens in new window).The post CVE-2012-5689: BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
I’ve carried out two DNS migrations recently and both customers had one thing in common with their configuration – they both use the same zone name internally and externally for their main domain. There’s a different set of resource records in each version of the zone (with a slimmed down set of RRs in the external version), but still, with the same zone name.
I don’t think this is an uncommon configuration; I’ve done a number of previous implementations, migrating from some legacy DNS system to a DDI (DNS, DHCP, IPAM) management platform. However, only one of these involved implementing “traditional” BIND DNS views (aka split-horizon DNS) where the DNS server is authoritative for both versions of the zone and provides a different response depending on, generally, the source address of the request.
The majority of implementations using multiple versions of the same zone name usually deploy separate DNS server architectures internally and externally, following Best Practice Guidelines. So the DNS servers are not required to run DNS views (they are only authoritative for one version of the zone), but the DDI management platform must be able to handle multiple versions of the same zone name.
The two recent migrations I’ve performed, both to EfficientIP’s SOLIDserver DNS, DHCP & IPAM platform, highlighted a great feature with this product – that is, being able to define and manage multiple DNS zones with the same name WITHOUT having to define multiple DNS views in order to separate these zones in the management GUI. You can define the same zone name, multiple times; assign them to different DNS “Smart Architectures” without the need of adding the complexity of views.
Previous migrations to DDI platforms from other vendors have required either the creation of views to logically separate zones with the same name (example: “internal” and “external” views) or some kind of ‘Organization Unit’ (which meant total data segregation). It wasn’t possible to create this configuration without using views (or OUs), even though the DNS servers would not be using them.
Back then, I could see the benefit of this views “feature” – it provided a logical separation of the zones in the GUI; permissions could be applied to give DNS administrators access to either the internal or external view. But this can now be accomplished in EIP’s SOLIDserver without the added complexity of having to define views. You can easily assign permission to zones in order to grant access to admins and use filters (which can be saved as bookmarks) to quickly access the relevant version of the zone. Of course, if you really are using split-horizon DNS and require views, then the product supports them.
But does having to define views really add complexity? When I think about this, I go back to a call I received one evening a few years ago. It was from a customer and he opened with the following line “I’m calling from my mobile because the VOIP phones are down”. I quickly learnt that pretty much the entire internal DNS wasn’t resolving any internal names.
Why? Because of a really simple user error that had been made when adding a new zone and assigning DNS servers – the DDI product had created multiple views on the internal DNS servers which killed all internal zone resolution.
It was a simple mistake, and a relatively quick fix to return to service. Throughout the call, I thought the customer had sounded remarkably calm, considering the major outage that had occurred. I subsequently learnt they had been battling to restore service for 2 hours prior to calling me, so I guess that the initial panic and that “sick feeling in your stomach” that usually comes with a production outage (not that I would know, I’ve just heard about these things!) had already subsided into the acceptance of knowing the damage had been done.
Sure – things could have been done to limit the impact of user error here, such as defining a view’s match-clients ACL, but this is just another complexity to manage. I believe when you invest in a service management product it should simplify the administration for users.
I try and follow the adage: Keep It Simple … (forgotten the last bit!)
The post Two DNS Views? Thanks, but I’ll keep it simple appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
There are some great features in EfficientIP’s SOLIDserver product that not many people know about. One of these gems is the customisation available via the class studio.
Class studio enables the creation of many custom fields in numerous locations throughout the UI and the behaviour of these fields can be altered dependent upon other settings. While the class studio provides an incredible amount of flexibility, some of its more interesting features remain hidden, so I thought it might be useful to write a post about a little known feature that is the “$is_terminal” variable.
When defining subnets within the IPAM module of SOLIDserver, there is the concept of “imbricated” and “terminal” subnets. You can think of an “imbricated” subnet as simply being a “container” that contains smaller or “lower level” subnets within an address space hierarchy. Another way of thinking about it is may be as an IGRP/EIGRP summarisation.
A “terminal” subnet on the other hand is at the bottom of the address space hierarchy and is the subnet that contains the individual IP addresses. As it is at the bottom of the hierarchy it terminates that part of the tree, hence “terminal” subnet.
When defining subnets in SOLIDserver, you can specify whether they are terminal subnets or not via a simple tick box. But what anyone who has used the class studio might not realise is that if you have any custom fields (e.g. VLAN_ID), you can turn the display of these fields on or off simply by checking if the “terminal” tick box is checked or not.
As an example, let’s look at a couple of screenshots of a subnet addition page:
What we can see is that when “terminal subnet” is ticked or unticked, various standard fields are displayed or hidden, such as “gateway”, “number of pool” etc., but custom fields may not exhibit this behaviour. In our example above, regardless of whether “terminal subnet” is ticked or not, the “VLAN ID” field is continuously displayed. What if we only want to display the VLAN ID if it is a terminal subnet? We can use the class studio to modify the subnet class to hide the VLAN ID field, preceding comment and the green separator if the “terminal subnet” check box is NOT ticked (or if it is unticked).
First let’s look at the subnet class in class studio:
If we click on “vlan_id_demo” we can adjust the properties of this field by adding “$is_terminal” into the “Show if…” box:
Setting this variable is the secret to determining if this field will be displayed or not. By setting “Show if…” to $is_terminal we are simply saying display this field if the terminal subnet tick box is checked (i.e. if $is_terminal is true).
We now need to do the same for the comment and horizontal line that prefixes and suffixes this field:
With the “Show if…” field set, now when we untick the “terminal subnet” tick box, the VLAN ID field disappears along with the comment and horizontal line:
I am great believer in simplifying things and removing superfluous fields that may not be required in certain circumstances. Fewer fields = less chance of operator error and more efficient data entry. The company that produces SOLIDserver is called EfficientIP after all! 
The post Using the “$is_terminal” variable in SOLIDserver class studio appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
BOCM PAULS has selected EfficientIP’s SOLIDserver product to provide centralised, unified management of their distributed DHCP environment.
BOCM PAULS is the United Kingdom’s leading animal feed manufacturer and operates at numerous locations across the country. Due to the remoteness of some of these locations, and the fact that they are operating 24×7, local survivability is a key requirement, meaning that a DHCP server has to be installed at each location. BOCM PAULS utilise Microsoft Windows DHCP servers, but management of these remote DHCP servers can be problematic given the nature of the tools that Microsoft provide, hence BOCM PAULS’ decision to invest in EfficientIP SOLIDserver.
EfficientIP SOLIDserver is able to manage remote Windows DHCP servers utilising agentless technology, allowing all configurations and leases to be synchronised with a central IPAM database. In the event a remote DHCP server fails, its configuration will have effectively been backed up, meaning that a new server can be deployed and its configuration automatically deployed via SOLIDserver’s SMART Architecture capability. In addition, centralised management means that operators no longer have to use the MMC DHCP snap-in to connect to the correct DHCP server, they simply utilise the UI that SOLIDserver provides in order to deploy scopes and reservations and the configuration information is automatically pushed out to the correct DHCP server.
For more information regarding SOLIDserver, please visit our product information page here.
The post BOCM PAULS selects SOLIDserver to provide unified DHCP management appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
In this video, see how you can set up NetClarity’s Network Access Control solution and begin blocking devices from entering your network in minutes!
The post Blocking right out of the box with NetClarity appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
Calleva Networks will be partnering with EfficientIP this year at Networkshop 41 on stand EH23 between 9-11 April 2013.
Networkshop is the annual exhibition for the education sector with IT staff from many universities and colleges in attendance.
Feel free to come along to the stand to discuss your DNS, DHCP, IP Address Management requirements or any of the other solutions we can offer.
Paul Roberts, Director at Calleva Networks, will be a guest speaker at Networkshop on the topic of: DNS, DHCP & IP Address Management – time to get serious!
The post Calleva Networks to attend Networkshop 41 appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
Paul Roberts, CEO of Calleva Networks, will be speaking at Networkshop 41 on Wednesday 10th April at 11:55 on the topic of DNS, DHCP, IPAM – Time to get serious!
With the proliferation of IP enabled devices and increasing demand for resilient network services, DNS, DHCP and IP Address Management are critically important to the smooth running of today’s networks.
Paul’s session will discuss the challenges that people have traditionally faced when deploying open-source or free technologies and the advantages that can be gained by deploying a commercial off-the-shelf solution.
Networkshop is the annual event for IT staff to get up to speed on the latest trends and technologies within the IT market.
Paul will be on stand EH23 with Efficient IP and will be available to discuss how other educational establishments have benefited from the deployment of DNS, DHCP, IPAM solutions.
The post DNS, DHCP, IPAM – Time to get serious! Networkshop #41 appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
There’s been a lot of talk today about a massive DDoS attack that has been running for the past week or so. It has used DNS amplification in order to create a 300Gbps storm of traffic aimed at Spamhaus, the anti-spam site that distributes blacklists of known sites responsible for sending spam email.
What is incredible is the coverage that this attack has received in the media, with headlines such as:
“Global internet slows after ‘biggest attack in history‘” – BBC
“Web slows under ‘biggest attack ever’” – The Telegraph
Even “The Sun” got in on the act with:
“‘Biggest cyber attack in history” slows down worldwide web“
At it’s heart though is a very simple process that can be exploited by anyone due to the nature of the DNS protocol. Sending a DNS query normally only involves a few bytes of data, for instance 30-40 bytes, but the response is nearly always larger. For instance, just sending a query for www.bbc.co.uk results in a 75 byte response:
> dig www.bbc.co.uk
; <<>> DiG 9.9.1-P2 <<>> www.bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3974
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.bbc.co.uk. IN A
;; ANSWER SECTION:
www.bbc.co.uk. 98 IN CNAME www.bbc.net.uk.
www.bbc.net.uk. 98 IN A 212.58.244.68
;; Query time: 23 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Mar 27 20:38:44 2013
;; MSG SIZE rcvd: 75
So it is normal for a DNS query to be amplified. However, this can be taken to extremes by querying for a name that has much more data associated with it. In this case, the attacker used ripe.net, and because RIPE have enabled DNSSEC there is a lot more data being returned:
> dig any ripe.net
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.9.1-P2 <<>> any ripe.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55219
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 23, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ripe.net. IN ANY
;; ANSWER SECTION:
ripe.net. 3475 IN SOA pri.authdns.ripe.net. dns.ripe.net. 1364388301 3600 600 864000 3600
ripe.net. 3475 IN RRSIG NSEC 5 2 3600 20130426124732 201
30327114732 20877 ripe.net. gVrcxPAK38517Ys0LhVoYCLWB7hgadJhKk6CnL37Jjq6+FdDXnsS
nmya nHE9+u11J34LJ6xDipe6b6bGjvhdLfoXbuwx4Lfmjv0UEEymllm+RG2q bDmFe1iMTF9SyuayKy
5cF4ShEZF78aT9/Mu0wir9pcepgBtF1wpnummM KNI=
ripe.net. 3475 IN RRSIG DNSKEY 5 2 3600 20130426124732 2
0130327114732 60338 ripe.net. K7LOaSOKT3EqVOmRstt3AUSKhcsAtb66dZqXB95JFvL/er5oCO
swDfRG oI5QKcElKlYd1NaDPUBYgnYSMeoj6tELJkYgXvOVm2OBGqCEbz4otR2+ F4Vq3WE1PNHjCSqI
7r8uxpJ8LY4VQtv1ayBPewe2HVUF0RNVpjEL/Jfx K1ykH/KySBNzoVnOxdUuIXZCAl6UbcYRTUJvSjE
J4HJPwLk2SRR/UWIV H9DCH/B+Kfa9EPRkBdmI+RrxVb1eoX+xWPUnM23YYQApnraqk7+U6xqu MMxnW
Q0eT8fUFtTcwUt4LLvgePu1bu5BW38/8bx5xFnEWPs+leMYDLRg EDtuWA==
ripe.net. 3475 IN RRSIG SOA 5 2 3600 20130426124732 2013
0327114732 20877 ripe.net. eXKdSs28uekr/lVA/7kPmeGvqIJlgpx6ELc6SLn9gkPmUSl2AV/B4
X+R qvIYf2N6ypG6yoBjnIx9wZJordPoT+ytMmYlH6qrG17piCNSCU5TZHj0 e8C80J+IdlqDzJRA0HT
luglQOjyuw/PZAr1AxUEQT6tGlay7SMhgiptW XHI=
ripe.net. 175 IN RRSIG MX 5 2 300 20130426124732 201303
27114732 20877 ripe.net. dodhz97p8nc9iRawSswEA8ntNFo2pfutnO6Bkvxive6Ih4CdTkpsnSu
l YkAqg87avCCe4sQqlUEjWGwrvf7uMHGS6SLjzP66j/zqozQ8ws7HwAPI nHVMHA8AIUq9jBxS9kl7u
jy+3ppSWtTdkkGdXuHeBMNPPHZSza3O4Fp8 uQQ=
ripe.net. 3475 IN RRSIG NS 5 2 3600 20130426124732 20130
327114732 20877 ripe.net. Jx1r6kqPjttkTPtpidQQ/fEM63pfwboWT5Ze6Si6asds9Evf/VF8vU
c+ LaHDz33QjuQY1doGnhiLWg/ZTzLXHtPj52UecBeQ1/FQ/pC37+T8G8uf yLR+t6Vk0WVEHvfPdXNJ
bNGfugwkR2CGUgg2XLMno9xVtduFzD7y3Lrr o9k=
ripe.net. 175 IN RRSIG AAAA 5 2 300 20130426124732 2013
0327114732 20877 ripe.net. hCaB/KrvM7uV25T7IGpppgZZix1yNnq5ZVgy3YWfxVtsuimmkGzEU
2Ec W5iJYRIYNet4a96sN21FZTw/ZHkdQ4gYlFOamb7ZHNJ9HEQ318FcwK24 4BrdyWuZGIBdUoaKDML
3n4Yp7jJDzpHiuQ6l6ei3/dfJqd65N8oPv4cZ UKE=
ripe.net. 21475 IN RRSIG A 5 2 21600 20130426124732 20130
327114732 20877 ripe.net. A3Z/X+JsPKKf9CYyKTggzd13l3SNLZXPcvqujhYhznW6sKzTya0jiO
kK 97sKF8kW08zOYFkXdwOaKfqUC/421wtoXOYgHd5jMtj5QMdjEXTIWKZp b2bhssiqdLUmI6b3GQMw
rZerKmv+6EtNUjjybLpPl8kDB+7qCv9YA3k8 v/E=
ripe.net. 3475 IN NSEC 256cns.ripe.net. A NS SOA MX AAA
A RRSIG NSEC DNSKEY
ripe.net. 3475 IN DNSKEY 256 3 5 AwEAAY+/Zk7l+YLyBrqQYGIK
7vubCGf4Wj7OaazXiKhsYVuor2lx6HEx LD9im3wx+m+H0OJSkFGoypNGxm+iFSp0ySblqrYHI2xlT8V
pmGi5TCSw dqwgLsyDirONOEVSl6q6x0pdAXu8yBvgjk39U8V5KbHs25g+v+txbBiU bh59ouIv
ripe.net. 3475 IN DNSKEY 257 3 5 AwEAAXf2xwi4s5Q1WHpQVy/k
ZGyY4BMyg8eJYbROOv3YyH1U8fDwmv6k BVxWZntYtYUOU0rk+Y7vZCvSN1AcYy0/ZjL7cNlkc3Ordl2
DialFHPI6 UbSQkIp3l/5fSWw5xnbnZ8KA7g3E6fkADNIEarMI4ARCWlouk8GpQHt1 1wNW1c65SWB8i
958WZJ6LI0pOTNK+BIx8u98b+EVr7C08dPpr9V6Eu/7 3uiPsUqCyRqMLotRFBwK8KgvF9KO1c9MXjtm
JxDT067oJoNBIK+gvSO9 QcGaRxuGEEFWvCbaTvgbK4E0OoIXRjZriJj8LXXLBEJen6N0iUzj8nqy XS
Cm5sNxrRk=
ripe.net. 3475 IN DNSKEY 257 3 5 AwEAAYSPd7+AJXOT1k1d6eUK
RCsw5cSGpzsWIjVCDjbWdNomt4mCh5of SSnf60kmNCJgeCvPYwlOWX08TPLpCHqvBh8UERkaym8oT0U
2lKrOt+0W EyksYc5EnLp7HQVvH+KaF8XiuPsemLLNbhosGofv5v0Jj2TKxJI/sgf1 n9WtkMY1bCTTa
SUn5GmjKDv0XRPKkzA4RCQv8sl8pZ2pzJvIxpN0aBgx WtRjWXXJ27mUq6+PR7+zgBvLkmSV4F1bNXOg
ikeN5KBlutEKBKYYcYRb fR5kDYYJ0mV/2uTsRjT7LWNXAYAJ88xuZ4WcBV01EuMzsZU21iGhRO1N Z4
HFSr9jb3U=
ripe.net. 3475 IN DNSKEY 256 3 5 AwEAAYu6fDlb5CmcCtu5fl8V
c1q5ie9PaKW2+/HuM/0Cx1wCBJjPhK2Y 905asBZBErFgh2LoWqLX2bXN8gypLORkfeZLu6bZRCiQ6/n
IrHlO0S8l 9ajOChoh/kEQlHbEJETJ9Pw9OBW0oFRytjxjjhFIEpWeJ/c27JC8/ITs kGhvFByx
ripe.net. 175 IN MX 200 postgirl.ripe.net.
ripe.net. 175 IN MX 250 postlady.ripe.net.
ripe.net. 3475 IN NS tinnie.arin.net.
ripe.net. 3475 IN NS sec1.apnic.net.
ripe.net. 3475 IN NS sns-pb.isc.org.
ripe.net. 3475 IN NS ns3.nic.fr.
ripe.net. 3475 IN NS sec3.apnic.net.
ripe.net. 3475 IN NS pri.authdns.ripe.net.
ripe.net. 175 IN AAAA 2001:67c:2e8:22::c100:68b
ripe.net. 21475 IN A 193.0.6.139
;; Query time: 213 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Mar 27 20:42:28 2013
;; MSG SIZE rcvd: 2509
So the response has grown from 75 bytes to 2509. With a 30 byte query that is an amplification factor of 83!
Now imagine if you had control of a botnet that could issue these queries and spoof the source IP address so that the replies go to your victim. That is your classic DNS Reflective Amplification (DNS RAMP) attack, and is something I have been lecturing and warning about for years whenever I have run a DNS training course, I am just surprised it has taken this long for a massive attack to come to the fore.
Unfortunately this is a side-effect of enabling DNSSEC. While DNSSEC is supposed to guarantee the authenticity of DNS replies (i.e. they are who
they purport to be and haven’t been tampered with), it make DNS RAMP attacks much easier to carry out.
So what can you do?
The truth is, “not a lot”.
One problem is the number of open DNS resolvers on the Internet. These are DNS servers that anyone can query. You might have heard of OpenDNS and Google Public DNS, and may be wondering why these aren’t implicated? Well they use rate limiting to prevent malicious use of their infrastructure, so you wouldn’t be able to generate much traffic if you used their servers as you would soon get blocked or severely limited. However, the Open DNS Resolver Project has counted at least 27 million open DNS resolvers, so you have quite a list to choose from that won’t be using any rate limiting!
If you operate a network then you could configure BCP-38 (ingress filtering) to prevent routing people that are spoofing their source IP addresses on your network, but this won’t prevent you from being attacked, merely prevent you from being the source.
If you operate a DNS server, then really make sure it is not acting as an open resolver, if you need to do recursion, then use an access list to ensure only your users/customers can perform lookups. And if possible implement rate limiting so that if your users/customers get infected with malware that attempts to abuse your DNS servers, then their traffic will be dropped or severely rate limited.
Also don’t forget to monitor your DNS servers and keep an eye on normal traffic patterns so you can spot when something suspicious is happening. There are products out there that will do high-water analysis and alert if the query traffic suddenly exceeds the high-water limit (I was product manager in a previous role for one such product).
Another option is to invest in a cloud-based DDoS protection solution – there are several out there, but it has to be done in the cloud so that your ingress connections are not saturated with this traffic.
The reality is that this is a difficult nut to crack, and unfortunately due to the publicity this attack has generated, similar attacks will probably become more prevalent.
If you are concerned about your DNS infrastructure and need some independent advice as to the best way to configure or protect your environment, please contact us and we will gladly help.
The post The biggest DDoS attack in history, all due to DNS appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
NetClarity has released a new update for their ‘NacWall’ solution with additional features that allow customers to have more seamless management of Network Access Control (NAC) – particularly in scenarios where there are thousands of endpoints to be managed. These additional features make building asset lists and managing those lists simple and straightforward within the user interface.
A summary of the features and benefits include:
End users with a large number of devices under management may use an inventory management system. They can now take the output of this system, in CSV format, and upload it to the appliance to include useful categories to enable grouping and filtering on the ‘Manage Assets’ screen. This can simplify the process of determining which assets are trusted, and in viewing what devices have access to your network.
Here’s a look at the ‘Manage Assets’ view, including the new filter features:
And this is the new ‘Asset Categories’ management view:
This NetClarity NacWall feature release includes:
About NetClarity: The leading provider of plug-’n-play Network Access Control (NAC) solutions for mid-sized businesses, announced their continued commitment to providing the world’s only plug-’n-play NAC solution by offering features that allow customers to have more seamless management of network access control.
Mantra: “For security to be practiced, it must be practical.”
The post NetClarity NacWall feature release – 9.0b11 appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
Efficient IP has released new SOLIDserver updates of its IPAM, DNS & DHCP (DDI) management software. The new patches available are SOLIDserver v5.0.1P3 and v4.0.2P8, released 4th April 2013.
SOLIDserver v5.0.1P3 new features include:
SOLIDserver v4.0.2P8 new features include:
More information on the Efficient IP SOLIDserver updates is available from the Efficient IP product portal.
Also, in a recent Efficient IP HQ newsletter, they mentioned that SOLIDserver v5.0.2 is still on track for a second quarter release. This release will include new features and a new module, so it will be interesting to get a look at it. Stay tuned!
Lastly, if you missed the recent webinars, you can download the presentations from the following links:
Protecting external DNS servers against attacks: External DNS servers deliver critical services to your company such as Internet visibility and accesses to network applications, including email. But they’re also very exposed to attacks (DDoS, cache poisoning) from the internet or used by hackers to build their attacks. Therefore, implementing protection mechanisms in your DNS infrastructure is essential to ensure service high availability and security.
The webinar covered the following points:
Choosing the right DNS architectures for the right environment: Master-Slave, Multi-Master, Stealth DNS… each DNS architecture model brings benefits but also limitations. For example, the Stealth DNS could be the most secure but that doesn’t mean it is the most appropriate for your environment. So, how do you choose? Get some insight into the different DNS architectures and their characteristics to help you choose and deploy the architecture model that fits your environment best.
The webinar covered the following points:
EfficientIP is a software editor that provides hardware and software appliances to manage IP addresses and DNS-DHCP services (DDI) into a fully integrated solution
The post Efficient IP releases SOLIDserver updates for v4 and v5 – April 2013 appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
Paul Roberts, CEO of Calleva Networks, presented at Networkshop 41 on the topic of DNS, DHCP, IPAM – Time to get serious!
With the proliferation of IP enabled devices and increasing demand for resilient network services, DNS, DHCP and IP Address Management are critically important to the smooth running of today’s networks.
Paul’s speech discussed the challenges that people have traditionally faced when deploying open-source or free technologies and the advantages that can be gained by deploying a commercial off-the-shelf solution.
Networkshop is the annual event for IT staff within the education sector to get up to speed on the latest trends and technologies.
You can download a PDF version of Paul’s presentation from here: DDI – Time to get serious.
The post Paul’s Networkshop #41 speech now available online appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
ISC BIND DNS 9.8.x through 9.8.4-P1 and 9.9.x through 9.9.2-P1, in certain configurations involving DNS64 with a Response Policy Zone that lacks an AAAA rewrite rule, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for an AAAA record.
Please check the ISC knowledgebase for further information (opens in new window).The post CVE-2012-5689: BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
Calleva Networks will be hosting a technology showcase at Vinopolis, London on 13th June. Every delegate that attends will be treated to lunch and will then be able to enjoy a FREE wine tasting experience, enabling you to sample numerous wines of your choosing, all set in the beautiful arches of London Bridge.
During the technology showcase, we will be discussing how to deploy resilient core network services while at the same time discussing how to secure and protect the network from unauthorised access.
For more information, an agenda and event registration form, please click here.
The post Join us at Vinopolis for a FREE wine tasting experience! appeared first on DNS, DHCP, IPAM (IP Address Management) | BYOD, NAC | Calleva Networks.
The following DNS vulnerability alert has been announced by EfficientIP:
Details:
CERT VULNERABILITY ALERT
June 4, 2013
CVE-2013-3919: By sending a recursive resolver a query for a record in a specially malformed zone, an attacker can cause BIND 9 to exit.
EfficientIP specifics:
EfficientIP appliances automatically restarts their DNS engine if it hangs or fails. SOLIDserver 5.0.1.P4b updates all supported versions. SOLIDserver 4.0.2 version is not impacted by this vulnerability.
Customers with a current maintenance contract can access new releases and patches from the EfficientIP support portal.
For any support related question, please contact your usual support team.
Calleva Networks held an event at Vinopolis, London, on Thursday 13th June 2013 on the topic of “Implementing and securing a resilient network services infrastructure“. Video presentations and slide decks are now available to view at your leisure.
Slide decks in PDF format are available below:
DNS based amplification attacks are constantly in the news at the moment, but what are they and why are they so effective? Watch this short video by Paul Roberts for a quick explanation.
Nominet recently resurrected their plan to allow organisations to register second-level .uk domains. So instead of having to register under .co.uk, you could just have a domain name under .uk, like google.uk or yahoo.uk.
I don’t really have any strong thoughts on this either way. The advantage is that domain names will become shorter and easier to type (especially on a mobile phone) and it makes us consistent with many other countries. But on the downside, it adds additional cost and bureaucracy to the domain registration process, as organisations will effectively have to register their domain names under both .co.uk and .uk for fear of customers mistyping or not knowing whether the organistation resides under .co.uk or .uk. Add to this the domain squatting possibilities if you don’t register your brand name under .uk quickly enough, and now it seems the disadvantages outweigh the advantages, and I wonder whether this is really a money making exercise for Nominet as they would benefit enormously from the additional revenue .uk registrations would bring in.
But reading the Nominet announcement (as so eloquently quoted in The Register), it seems they have now dropped the requirement for these .uk domains to support DNSSEC. This after Nominet put so much effort into signing .uk and .co.uk. They are clearly trying to remove as many barriers as possible to enable people to register in .uk, but surely they should be advocating more DNSSEC, not less! If the UK’s domain registry is not promoting DNSSEC, then it will never take off, and we will be left with an antiquated DNS that is so so vulnerable to spoofing, tampering, cache poisoning etc.
DNSSEC not be the easiest thing to deploy and manage, but it’s gotta be better than nothing!
Now what about IPv6? Lots of news about RIPE running out of IPv4 addresses, but most organisations who have rolled out IPv4 addressing schemes based on RFC1918 are saying “So what?”. Then I was on the train coming back from London the other day, and I overheard an IT engineer on the phone to a colleague, I only picked up a few words here and there, stuff like “…monitoring…TE’s…LSR’s…layer 2 tunnel…MPLS…” then I latched onto something I did understand, “…couldn’t ssh into 10.160.36.4…”
It was the way he rattled off the IP address that struck me. We have all done it, we have a collection of IPv4 addresses in our brains that we remember. But how will you do this if they are IPv6 addresses? How on earth will you remember an address like 3ffe:1900:4545:3:200:f8ff:fe21:67cf ? The obvious answer is to use DNS, so why on earth do we insist on remembering and using IPv4 addresses when DNS is there to help us? It seems to me that people, mainly network engineers, do not trust DNS to be accurate. Maybe they have had a bad experience. But in an IPv6 world, DNS is going to be critical. It seems to me that there needs to be more focus and effort put into implementing a robust and accurate DNS environment so that people feel more comfortable quoting names rather than IP addresses.
This is where we can help! Contact us here and let’s have a chat!
Calleva Networks is pleased to announce it has reached agreement to act as a Value Added Reseller for Aerohive Networks.
Aerohive helps simplify networking by reducing the cost and complexity of distributed enterprise deployments with cloud-enabled networking solutions. These solutions, based on a unique distributed intelligence architecture, include enterprise-class Wi-Fi access points, state-of-the-art gigabit switches, and easy-to-deploy routers.
Paul Roberts, Managing Director of Calleva Networks said, “We have been looking for products that complement our core technology offerings and feel that Aerohive is a great fit. As people roam around a wireless network using their tablets or laptops, they will be utterly dependent upon having a resilient network services infrastructure, which is something that we can provide with our range of DNS, DHCP, IPAM appliances.”
Paul continued, “We selected Aerohive because it is totally controllerless, meaning there are no bottlenecks or additional pieces of hardware to install, reducing the cost and complexity of deploying an enterprise wireless network.”
For further information, Calleva Networks are hosting a webinar in partnership with Aerohive on 5th September. More details can be found here.
