Aug 13

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

The original design of the Domain Name System (DNS) did not include security; instead it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintaining backwards compatibility. RFC 3833 attempts to document some of the known threats to the DNS and how DNSSEC responds to those threats.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS. RFC 4398 describes how to distribute these certificates, including those for email, making it possible to use DNSSEC as a worldwide public key infrastructure for email.

What is the vulnerability in the DNS?

A caching name server, usually operated by an ISP (Internet Service Provider), sits between an end user's computer and the authoritative servers and stores responses so that repeated queries are answered quickly. The DNS was designed to let this caching server accept the first response it receives. Without the verification that DNSSEC authentication provides, a malicious user can flood the caching name server with spoofed responses, most often intended to dupe the end user into providing personal and/or financial information to what appears to be his or her intended destination.

How does DNSSEC work?

DNSSEC works through a system of key pairs. At each stage in the chain that carries a DNS query response back to the initiator's machine, the signature made with a zone's private key must verify against the corresponding public key, which is already known to the resolver because it is published in the zone and vouched for by the zone's parent. In this way the response to the query is authenticated and validated.
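The chain of trust described above, as an added example that is not part of the original post: a constructed two-level hierarchy (a hypothetical root trust anchor and an "example." zone) signs a delegation and an A record with Ed25519, and a validating resolver walks the chain from the anchor down. The record serialisation, the DS digest and the single key per zone are simplifications of the real RFC 4034 formats, and every name and address is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified resource record set: owner name, record type and RDATA strings.
type RRset struct {
	Name string
	Type string
	Data []string
}

// canonical serialises an RRset in a fixed order so signer and verifier hash identical bytes
// (a stand-in for the RFC 4034 canonical form).
func (r RRset) canonical() []byte {
	d := append([]string(nil), r.Data...)
	sort.Strings(d)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(d, ","))
}

// dsDigest is the DS record the parent publishes for a child's DNSKEY: a hash binding the
// child's name to its public key (a real DS hashes owner name plus DNSKEY RDATA).
func dsDigest(zone string, pub ed25519.PublicKey) string {
	h := sha256.Sum256(append([]byte(strings.ToLower(zone)), pub...))
	return hex.EncodeToString(h[:])
}

// Link is one step on the path from the trust anchor to the answer: a zone, its DNSKEY and,
// for every zone below the anchor, the DS digest plus the parent's signature over it.
type Link struct {
	Zone   string
	DNSKEY ed25519.PublicKey
	DS     string // DS digest published in the parent zone; empty for the anchor zone
	DSSig  []byte // parent's RRSIG over the DS RRset
}

// Validate walks the chain top-down: the first DNSKEY must equal the configured trust anchor,
// each lower DNSKEY must match a DS that the parent signed, and the final RRSIG must verify.
func Validate(anchor ed25519.PublicKey, chain []Link, answer RRset, rrsig []byte) error {
	if len(chain) == 0 || !bytes.Equal(chain[0].DNSKEY, anchor) {
		return errors.New("top zone key does not match the trust anchor")
	}
	parentKey := chain[0].DNSKEY
	for _, l := range chain[1:] {
		dsRR := RRset{Name: l.Zone, Type: "DS", Data: []string{l.DS}}
		if !ed25519.Verify(parentKey, dsRR.canonical(), l.DSSig) {
			return fmt.Errorf("%s: DS record not signed by parent", l.Zone)
		}
		if dsDigest(l.Zone, l.DNSKEY) != l.DS {
			return fmt.Errorf("%s: DNSKEY does not match the DS in the parent", l.Zone)
		}
		parentKey = l.DNSKEY
	}
	if !ed25519.Verify(parentKey, answer.canonical(), rrsig) {
		return errors.New("RRSIG does not verify: answer modified or not signed by the zone")
	}
	return nil
}

// Demo bundles the constructed chain (root anchor -> example.) and a signed A RRset.
type Demo struct {
	Anchor ed25519.PublicKey
	Chain  []Link
	Answer RRset
	RRSIG  []byte
}

// BuildDemo generates fresh keys for a hypothetical root and "example." zone and signs
// both the delegation (DS) and the answer, as a validating resolver would receive them.
func BuildDemo() (*Demo, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	exPub, exPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ds := dsDigest("example.", exPub)
	dsRR := RRset{Name: "example.", Type: "DS", Data: []string{ds}}
	answer := RRset{Name: "www.example.", Type: "A", Data: []string{"192.0.2.10"}} // constructed
	return &Demo{
		Anchor: rootPub,
		Chain: []Link{
			{Zone: ".", DNSKEY: rootPub},
			{Zone: "example.", DNSKEY: exPub, DS: ds, DSSig: ed25519.Sign(rootPriv, dsRR.canonical())},
		},
		Answer: answer,
		RRSIG:  ed25519.Sign(exPriv, answer.canonical()),
	}, nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine answer:", Validate(d.Anchor, d.Chain, d.Answer, d.RRSIG))
	forged := d.Answer // a poisoned cache entry: same RRSIG, different address
	forged.Data = []string{"198.51.100.66"}
	fmt.Println("forged address:", Validate(d.Anchor, d.Chain, forged, d.RRSIG))
	badPub, badPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key: no DS vouches for it
	rogue := append([]Link(nil), d.Chain...)
	rogue[1].DNSKEY = badPub
	fmt.Println("rogue key:", Validate(d.Anchor, rogue, forged, ed25519.Sign(badPriv, forged.canonical())))
}
```

The two failure cases in `main` are the ones the post is concerned with: an altered record no longer matches its signature, and a record signed with a key the parent never delegated to fails at the DS check, so a resolver configured with the root anchor rejects both.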


Jul 23

A NAT 3 situation is connecting through a router without having the required ports opened, or without being connected through the DMZ.

If your ISP (Internet Service Provider) is DSL, it’s essential to have your modem bridged. Using the DMZ of the DSL modem with your network router is also not a guaranteed solution. Your ISP should assist in bridging the modem.

D-Link DIR series routers (DIR-615, DIR-655, DIR-660) are UPnP enabled. If your game console is also UPnP enabled, the router will open the ports automatically when the console requests them.

When the device is not UPnP enabled, manual port setup is required.

Xbox Live requires ports:
· TCP 80
· UDP 88
· UDP 3074
· TCP 3074
· UDP 53
· TCP 53

PS3 requires ports:
· TCP 80
· TCP 443
· TCP 5223
· UDP 3478
· UDP 3479
· UDP 3658 should also be opened for voice chat.

Step 1: Assign your console a static IP address in its network settings. You may choose the IP 192.168.0.253, subnet mask 255.255.255.0 and default gateway 192.168.0.1.

Step 2: Open a web browser and type the IP address of the wireless router in the address bar (default is 192.168.0.1). Press Enter.

Step 3: Navigate to the Port Forwarding page in the Advanced tab.

Step 4: Enable and name the rule and enter the IP address of the console. List the ports separated by commas, using a dash for a range, or create additional rules instead.

Step 5: Click on Save Settings to apply the rule.

Step 6: Run the Network test in your console.

If port forwarding fails, enter the IP address of the console on the DMZ page, but remove the previously configured port-forwarding rules first.


Jul 23

NAT stands for Network Address Translator.

Network address translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.

It is proposed and described in RFC 1631 and is used for solving the IP address depletion problem. Basically, each NAT box has a table consisting of pairs of local IP addresses and globally unique addresses, by which the box can "translate" local IP addresses to global addresses and vice versa. Simply put, it is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address.

The most common form of network address translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, to access resources outside the network, like the Internet, these computers need a public address so that responses to their requests can return to them. This is where NAT comes into play.

Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the Internet using its own public address, and returns the response from the Internet resource to the computer inside the private network. From the perspective of the resource on the Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it appears that communication is directly with the site on the Internet. When NAT is used in this way, all users inside the private network share the same public IP address when they access the Internet. That means only one public address is needed for hundreds or even thousands of users.

D-Link's broadband routers (e.g. the DI-604) support NAT. With proper configuration, multiple users can access the Internet using a single account via the NAT device.
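An added example, not part of this post or of D-Link's firmware, that models the translation table described above together with the port-forwarding and DMZ options from the console post earlier on this page: packets leaving the private network get the router's public address and a table entry, replies are mapped back through that entry, and unsolicited packets from the Internet are only let in by a static port-forward rule or, failing that, a DMZ host. The public address 203.0.113.5 and the remote host 198.51.100.9 are constructed; the console address 192.168.0.253 and the PS3 TCP ports come from the earlier post.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Packet is the part of an IP packet a NAT box looks at: protocol and both endpoints.
type Packet struct {
	Proto            string // "TCP" or "UDP"
	SrcIP, DstIP     string
	SrcPort, DstPort int
}

// endpoint is a (protocol, address, port) triple used as a table key.
type endpoint struct {
	Proto string
	IP    string
	Port  int
}

// NAT models a home router with one public address: a translation table for flows that
// started inside, static port-forwarding rules, and an optional DMZ host.
type NAT struct {
	PublicIP string
	nextPort int
	outbound map[endpoint]int      // private endpoint -> public port
	inbound  map[endpoint]endpoint // public endpoint -> private endpoint
	forwards map[endpoint]endpoint // static rules: public endpoint -> private endpoint
	DMZHost  string                // receives unsolicited traffic that matches nothing else
}

func NewNAT(publicIP string) *NAT {
	return &NAT{PublicIP: publicIP, nextPort: 50000, outbound: map[endpoint]int{},
		inbound: map[endpoint]endpoint{}, forwards: map[endpoint]endpoint{}}
}

// ParsePorts expands a router-style list such as "80,443,3478-3479" into individual ports.
func ParsePorts(spec string) ([]int, error) {
	var ports []int
	for _, part := range strings.Split(spec, ",") {
		part = strings.TrimSpace(part)
		lo, hi := part, part
		if i := strings.IndexByte(part, '-'); i >= 0 {
			lo, hi = part[:i], part[i+1:]
		}
		a, err1 := strconv.Atoi(lo)
		b, err2 := strconv.Atoi(hi)
		if err1 != nil || err2 != nil || a < 1 || b > 65535 || a > b {
			return nil, fmt.Errorf("bad port entry %q", part)
		}
		for p := a; p <= b; p++ {
			ports = append(ports, p)
		}
	}
	return ports, nil
}

// AddForward installs a static rule: public (proto, port) -> the same port on host.
func (n *NAT) AddForward(proto string, ports []int, host string) {
	for _, p := range ports {
		n.forwards[endpoint{proto, n.PublicIP, p}] = endpoint{proto, host, p}
	}
}

// Outbound rewrites a packet leaving the private network and records the mapping
// so the reply can be delivered to the right inside host.
func (n *NAT) Outbound(p Packet) Packet {
	key := endpoint{p.Proto, p.SrcIP, p.SrcPort}
	pub, ok := n.outbound[key]
	if !ok {
		pub = n.nextPort
		n.nextPort++
		n.outbound[key] = pub
		n.inbound[endpoint{p.Proto, n.PublicIP, pub}] = key
	}
	p.SrcIP, p.SrcPort = n.PublicIP, pub
	return p
}

// Inbound rewrites a packet arriving from the Internet. Lookup order: reply to an existing
// flow, then a static port-forward rule, then the DMZ host; anything else is dropped.
// The string names which rule matched.
func (n *NAT) Inbound(p Packet) (Packet, string, error) {
	key := endpoint{p.Proto, p.DstIP, p.DstPort}
	if priv, ok := n.inbound[key]; ok {
		p.DstIP, p.DstPort = priv.IP, priv.Port
		return p, "translation table", nil
	}
	if priv, ok := n.forwards[key]; ok {
		p.DstIP, p.DstPort = priv.IP, priv.Port
		return p, "port forward", nil
	}
	if n.DMZHost != "" {
		p.DstIP = n.DMZHost
		return p, "dmz", nil
	}
	return Packet{}, "", errors.New("dropped: no mapping for unsolicited packet")
}

func main() {
	n := NewNAT("203.0.113.5") // constructed public address
	ports, _ := ParsePorts("80,443,5223")
	n.AddForward("TCP", ports, "192.168.0.253")
	out := n.Outbound(Packet{Proto: "UDP", SrcIP: "192.168.0.253", SrcPort: 3478, DstIP: "198.51.100.9", DstPort: 3478})
	fmt.Println(n.Inbound(Packet{Proto: "UDP", SrcIP: "198.51.100.9", SrcPort: 3478, DstIP: out.SrcIP, DstPort: out.SrcPort}))
	fmt.Println(n.Inbound(Packet{Proto: "TCP", SrcIP: "198.51.100.9", SrcPort: 40000, DstIP: "203.0.113.5", DstPort: 443}))
	fmt.Println(n.Inbound(Packet{Proto: "TCP", SrcIP: "198.51.100.9", SrcPort: 40000, DstIP: "203.0.113.5", DstPort: 22}))
}
```

The lookup order in `Inbound` is why the DMZ is the last resort in the console post: a port-forward rule exposes only the listed ports of the console, whereas a DMZ host receives every unsolicited packet the router cannot otherwise place, on any port.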

