Vulnerability Assessment, DNS vuln and SaaS...
By Amit Deshmukh
The DNS vulnerability recently discovered by Dan Kaminsky allowed researchers and vendors from across the world to collaborate on fixing the issue (details available here: http://news.cnet.com/8301-1009_3-9998906-83.html). Old news, but...
Since then a number of security solution vendors have jumped onto the bandwagon of the week (there seem to be so many of them of late!) and have provided their own versions of how best to identify and solve the problem.
Many vulnerability detection solutions have now begun detecting the DNS issue and have updated their signatures to verify whether the problem exists. However, it is critical that a company assessing its infrastructure for this vulnerability understands its DNS environment before it begins to audit its systems for this flaw, as this article very rightly points out: http://blog.tenablesecurity.com/2008/07/but-i-patched-o.html
It was good to read this coming from Tenable. The reason: Tenable's Nessus is a software-based solution, which requires organizations to install and maintain the software and database in-house. In such a scenario, deploying a scanner to audit your DNS systems can be challenging.
A scanning solution deployed within a DMZ network can make life very difficult for a network security administrator, because the scan traffic usually has to pass through proxy servers, firewalls, load balancers, etc., before it can reach the public IP address of the device to be audited. And then the response has to go all the way back!
It sounds simple, but in practice many organisations struggle to get this working correctly. More likely than not, you will have to make complex routing decisions just to allow the scanner to reach the public-facing IP addresses, or alternatively deploy a separate Internet link for your auditing requirements, making sure that there is a minimum number of filtering devices between the scanner and the target.
Organizations deploying software-based solutions have to be very careful about where they place their scanners in order to audit external public-facing systems comprehensively. If you are deploying a software solution, it is highly recommended that you also analyze the network traffic flow to ensure the validity of your results; otherwise you will end up with false positives and a false sense of security, as the blog entry above describes.
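As an added illustration (example code, not from the original post or from any vendor named here): the DNS flaw in question is mitigated by resolvers randomizing the source port of their outbound queries, and a scanner only sees those ports after any NAT, proxy or load balancer on the path has rewritten them. The script below classifies a sequence of observed query source ports and refuses to give a verdict when the capture point sits behind a port-rewriting device; the port samples are constructed, not real captures.

```python
import math
import random
from collections import Counter


def port_entropy(ports):
    """Shannon entropy (bits) of the observed source-port distribution."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def assess_source_ports(ports, observed_behind_nat=False, min_samples=20):
    """Classify UDP source ports seen on a resolver's outbound DNS queries.

    Returns one of: inconclusive, fixed_port, sequential, low_variance,
    randomized. If the capture point sits behind a NAT/proxy that rewrites
    ports (the situation the post describes), the observed ports belong to
    that middlebox rather than the resolver, so no verdict is possible.
    """
    if observed_behind_nat or len(ports) < min_samples:
        return "inconclusive"
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed_port"
    # A resolver that just increments its port is as predictable as a fixed one
    if {b - a for a, b in zip(ports, ports[1:])} == {1}:
        return "sequential"
    # A well-randomized resolver rarely repeats a port in a short window and
    # its port distribution should be close to uniform over the sample
    if distinct / len(ports) < 0.8 or port_entropy(ports) < 0.9 * math.log2(len(ports)):
        return "low_variance"
    return "randomized"


# Constructed samples for demonstration (not captured traffic)
FIXED = [53] * 30
SEQUENTIAL = list(range(32768, 32798))
RANDOMIZED = random.Random(7).sample(range(1024, 65536), 30)

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL), ("random", RANDOMIZED)]:
        print(f"{name:10s} -> {assess_source_ports(sample)}")
    # The same good resolver, observed through a NAT, cannot be judged at all
    print(f"{'via NAT':10s} -> {assess_source_ports(RANDOMIZED, observed_behind_nat=True)}")
```

The last line is the point of the post: a scan that only sees traffic after a NAT or proxy has touched it cannot tell a patched resolver from a vulnerable one, whichever tool is doing the scanning.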
The Qualys SaaS model means that perimeter devices are always scanned from the Internet. This ensures that, to the maximum extent possible, the results obtained are a true representation of the situation as visible to hackers. Customers do not need to spend time and resources developing an effective perimeter scanning platform themselves when it is automatically available as part of the subscription model!
In the past, Qualys's competitors have always taken the position that this is an insecure model for conducting vulnerability assessments because the data has to leave the organization's perimeter network, but let's face it: organizations get scanned every day by the bad guys, and not many companies have the ability to detect (and certainly not to prevent) vulnerability scanning from the Internet.
I wouldn't be surprised if the likes of McAfee Foundstone, nCircle and Tenable (Nessus) are already thinking about a SaaS-based offering right now.
The bottom line: ensure that you audit your systems the way the bad guys would. Otherwise you will not be looking at the real picture, and you will eventually get compromised.
(DD Note: Securus Global has been a partner of Qualys for many years. We believed then it was the best solution and we believe now it is far and away the best solution for an enterprise. For more information or to trial QualysGuard, go to our website).
August 5th, 2008 at 1:19 pm
@Amit,
I was under the impression that QualysGuard was praised as a “scanless” technology, such as when it is used in ASV applications such as http://www.scanlesspci.com/? Obviously, I am joking.
Did you consider, before you wrote this article, how many managed services offer Nessus? It might have something to do with the license change from v2 to v3.
August 5th, 2008 at 2:43 pm
Just as an aside: one must just be able to speak to the cache, either from a compromised host internally or externally. The race can potentially happen internally (though the scope of resolution may be different, e.g. internal domains only (no joy) vs. arbitrary public name resolution (joy))…
Sure, proxies, SOCKS, split-DNS, caching/resolver/nameserver separation… *but* the race can happen internally also, with one 0wned machine as the spoofed ‘Auth DNS SRC IP’ address.
Organisations with lax internal pathing to the Internet for clients, e.g. arbitrary outbound name resolution and http(s) outbound from devices, also pose an organisational risk… *All* orgs should implement RFC2827, uRPF, and core-based filtering of non-routed subnets/supernets when and where possible. Heck, you’re safer without a network default route in your IGP too!
August 5th, 2008 at 2:54 pm
Cmlh,
I am told that the next Qualys version will also scan for blind SQL injection vulns.
August 5th, 2008 at 5:30 pm
Don’t you love explaining this to your IT Manager when he says: “Why can’t we scan the DMZ devices from the internal network? What good is that product if it cannot do that?”
You explain the principles of the firewalls, routers and the limitations on the results you get, etc., to a blank face and then hear: “Find another product that can do it!”
You think, what does the IT in your title stand for?!
August 6th, 2008 at 8:44 am
@cmlh, are you mixing up SaaS and Managed Services? There’s a bit of a difference in this case between how QualysGuard/SaaS operates and someone running Nessus on your behalf. Many companies made some good bucks pointing and clicking the free software at client sites. (Some still do!) And some call that a penetration test! OMG.
August 6th, 2008 at 4:40 pm
What? A Nessus report is not a pen test? I need to have a word with my Big consultant!
August 7th, 2008 at 7:59 pm
http://trustsaas.com/
August 12th, 2008 at 9:22 pm
outscan is better