The basic idea is to communicate by bouncing information off a DNS server: certain
hosts (the SecSyslog clients, the sources of the log messages) write the data to be
sent by modifying the records of a zone managed by that server, while the real
destination, the SecSyslog server, issues a series of queries for those records and
receives, in the DNS server's answers, the data originally written by the client.
The first problem to address is to make sure that the requests sent to the DNS
server actually reach it, i.e., to guarantee reliable delivery of the transmission.
DNS normally runs over UDP, but every server also answers requests over TCP. A DNS
client sends its request over UDP and waits for the answer; if none arrives within
the timeout it retransmits, and if the answer comes back with the truncation (TC)
flag set, because it did not fit into a UDP message, the client repeats the identical
request through a TCP session.
The message size limit also works in our favour. Without EDNS0, a DNS message
carried over UDP may not exceed 512 octets, and in our tests a request larger than
that is sent over TCP from the start. The delivery of large SecSyslog messages is
therefore handled by the DNS protocol itself. Note that a completed TCP exchange by
itself does not mean the update was applied: the RCODE in the server's response does,
and a client should check it for every update it sends.
5.8 Authentication of Clients
Interaction with the DNS server means modifying its zone data, and we cannot allow
a situation in which the zone is open to editing by anyone. Basic principles of
security require that we authenticate and authorize specific subjects to make the
necessary changes.
The Dynamic Update mechanism (RFC 2136) implemented on domain name servers is of
use here. By configuring the server accordingly (with an allow-update {} clause inside
the zone definition, listing signing keys rather than source addresses, since a source
address in a UDP packet is trivially spoofed) we declare that, among the various
requests received from clients, only update requests carrying a valid signature from
one of those keys will be executed. In effect, the DNS server defines, for each zone
it manages, who may alter the records and who may not.
We can also use the allow-query {} construct to define which hosts may read the
records of a specific zone and have their queries answered. These mechanisms (or
their equivalents on DNS servers other than BIND, which is what we use) let us control
who can send and who can receive SecSyslog messages. Two caveats apply: allow-query
is enforced by source address only, so it restricts readers without authenticating
them; and allow-transfer {} must be restricted as well, otherwise the whole zone can
be fetched with a zone transfer (AXFR) regardless of allow-query.
5.9 Authenticity and Integrity of Messages
In order for the transmitted logs to have legal value, we must be able to guarantee
the authenticity and integrity of the syslog messages received through the covert
channel. SecSyslog provides these guarantees via the DNS Security Extensions
(DNSSEC), which sign the zone's records with asymmetric keys and hash algorithms so
that the receiver can verify that each record originates from the zone owner and has
not been altered in transit. DNSSEC signatures give authenticity and integrity only;
they do not hide the content of the records. Encryption also