Naming and Directory Services (Building Internet Firewalls, 2nd Edition)

2.7. Naming and Directory Services

A naming service translates between the names that people use and the numerical addresses that machines use. Different protocols use different naming services; the primary protocol used on the Internet is the Domain Name System (DNS), which converts between hostnames and IP addresses.

In the early days of the Internet, it was possible for every site to maintain a host table that listed the name and number for every machine on the Internet that it might ever care about. With millions of hosts attached, it isn't practical for any single site to maintain a list of them, much less for every site to do so. Instead, DNS allows each site to maintain information about its own hosts and to find the information for other sites. DNS isn't a user-level service, per se, but it underlies SMTP, FTP, Telnet, and virtually every other service users need, because users want to be able to type "telnet fictional.example" rather than "telnet 10.100.242.32". Furthermore, many anonymous FTP servers will not allow connections from clients unless they can use DNS to look up the client host's name, so that it can be logged.

The net result is that you must both use and provide name service in order to participate in the Internet. The main risk in providing DNS service is that you may give away more information than you intend. For example, DNS lets you include information about what hardware and software you're running, information that you don't want an attacker to have. In fact, you may not even want an attacker to know the names of all your internal machines. Chapter 20, "Naming and Directory Services", discusses how to configure name service in order to make full information available to your internal hosts, but only partial information to external inquirers.

Using DNS internally and then relying on hostnames for authentication makes you vulnerable to an intruder who can install a deceitful DNS server. This can be handled by a combination of methods, including:

Using IP addresses (rather than hostnames) for authentication on services that need to be more secure.
Authenticating users instead of hosts on the most secure services, because IP addresses can also be spoofed.

Windows 2000 networks use DNS in conjunction with the Active Directory service to locate resources. Clients access the Active Directory service via the Lightweight Directory Access Protocol (LDAP), which is a widely used standard for access to directory information.

Older Microsoft Windows networks use Windows Internet Name Service (WINS) to map NetBIOS hostnames to IP addresses. The name is unintentionally misleading; WINS is not an Internet name service (one intended to function on the worldwide Internet) but an internet name service (one intended to function on an internet, a collection of local area networks). The service that WINS extends, NetBIOS name service, functions only on a single local area network. Popular terminology has changed since the service was named, and now it might more appropriately be called Windows Intranet Name Service.

As WINS has evolved, the interrelationship between it and DNS has become ever more complex and confusing. WINS servers can consult DNS servers, and Microsoft DNS servers can consult WINS servers. The important things to remember about WINS are:

WINS is designed as a purely internal protocol for a single organization.
There are scaling issues using WINS on large and complex networks, even for a single organization.
Microsoft is phasing out use of WINS in favor of DNS.
WINS is less secure than DNS.

WINS has all the security issues that DNS has, and then some. First, WINS contains more information than DNS does. While DNS contains information, like hostnames, that you might not want an attacker to have, WINS contains information, like valid usernames and lists of running services, that you definitely don't want an attacker to have. Second, WINS is designed around dynamic registration; not only does it accept queries from hosts, it accepts new data from the network. This makes it much more vulnerable than DNS to hostile clients. Making WINS visible to the Internet is highly dangerous and not at all useful.

Some sites use Sun's Network Information Service (NIS), formerly known as Yellow Pages (YP) to distribute hostname information internally. It is not necessary to do this. You can use DNS clients instead on any platform that supports NIS, but NIS may be more convenient for configuring your internal machines. It is certainly neither necessary nor advisable to provide NIS service to external machines. NIS is designed to administer a single site, not to exchange information between sites, and it is highly insecure. For example, it would not be possible to provide your host information to external sites via NIS without also providing your password file, if both are available internally.


2.6. Real-Time Conferencing Services		2.8. Authentication and Auditing Services