Experts criticize Microsoft network design

As the software giant repairs the problems affecting its Web sites, experts begin criticizing one aspect of the company's network design that may have allowed the problems to occur.

Robert Lemos, Staff Writer, CNET News.com (covers viruses, worms and other security threats)

Microsoft managed to get its Web sites back online after a lengthy outage Wednesday, but some security experts say one aspect of the software giant's network design could lead to similar interruptions in the future.

The focus of their concern is that Microsoft may have placed key domain name servers on a single network, making them vulnerable to a directed attack. If these servers are disabled, a surfer's browser cannot locate a specific Web site.

"Someone should really be embarrassed," said Paul Robertson, director of vulnerability assessment at security service provider TruSecure, who examined Microsoft's network configuration using security tools.

Although Microsoft blamed the outage on an unrelated problem, experts still questioned Microsoft's unusual DNS (domain name service) configuration.

Other major networks, including America Online, Yahoo and Disney, have backup servers on different networks, minimizing the threat from a single Internet attack or outage.

In a statement issued Wednesday, Microsoft explained that a "router configuration error" had caused requests for access to the company's Web sites to go unanswered. Routers are critical pieces of the Internet that direct data between a company's network and the Internet.

After replacing the misconfigured files at about 5 p.m. PST Wednesday, traffic to and from the affected Web sites returned to normal, Microsoft spokesman Adam Sohn said.

Still, because Microsoft's name servers share the same physical network, they are a security flaw waiting to be exploited, Robertson said. "It is a poor design choice to not hand out server addresses on different network blocks."

Microsoft declined to comment on its network design.

DNS specialist Stuart Bailey, founder and chief technology officer of DNS server maker InfoBlox in Evanston, Ill., agreed with Robertson.

"The domain name system is the most widely deployed distributed database," he said. "It is recommended to spread around the different copies of your data. We don't see customers of that size putting all their servers on the same (network) segment."
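The design point Robertson and Bailey make, that a zone's authoritative name servers should not all sit in one network block, is something an operator can audit for their own zone. The following is an added example, not code from the article or from any company named in it; the zone name, server names and addresses are constructed for illustration, and the check uses /24 (IPv4) and /48 (IPv6) prefixes as a stand-in for "network block", since the article does not say how Robertson's tools measured it.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (hypothetical zone): the authoritative NS names and
# the addresses they resolve to. In practice these come from the NS and A/AAAA
# records of the zone being audited.
NS_RECORDS_SINGLE_BLOCK = {
    "ns1.example.test": "192.0.2.10",
    "ns2.example.test": "192.0.2.11",
    "ns3.example.test": "192.0.2.12",
}

NS_RECORDS_DIVERSE = {
    "ns1.example.test": "192.0.2.10",
    "ns2.example.test": "198.51.100.20",
    "ns3.example.test": "2001:db8:1::53",
}


def block_of(addr, v4_prefixlen=24, v6_prefixlen=48):
    """Return the network block (as a string) that an address belongs to."""
    ip = ipaddress.ip_address(addr)
    prefixlen = v4_prefixlen if ip.version == 4 else v6_prefixlen
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def group_by_block(ns_records, v4_prefixlen=24, v6_prefixlen=48):
    """Group name server names by the network block their address falls in."""
    blocks = defaultdict(list)
    for name, addr in ns_records.items():
        blocks[block_of(addr, v4_prefixlen, v6_prefixlen)].append(name)
    return dict(blocks)


def audit_ns_diversity(ns_records, min_blocks=2, **prefix_kwargs):
    """Return (ok, findings).

    ok is False when the zone has fewer than two name servers, or when all of
    them occupy fewer than min_blocks distinct network blocks, meaning a single
    routing mistake or attack on that block can make the whole zone unresolvable
    (the failure mode the article describes)."""
    blocks = group_by_block(ns_records, **prefix_kwargs)
    findings = []
    if len(ns_records) < 2:
        findings.append("fewer than two name servers listed for the zone")
    if len(blocks) < min_blocks:
        findings.append(
            f"{len(ns_records)} name server(s) confined to {len(blocks)} "
            f"network block(s): {', '.join(sorted(blocks))}"
        )
    return (not findings, findings)


if __name__ == "__main__":
    for label, records in (("single-block", NS_RECORDS_SINGLE_BLOCK),
                           ("diverse", NS_RECORDS_DIVERSE)):
        ok, findings = audit_ns_diversity(records)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```

The prefix-based grouping is a coarse proxy: two /24s can still be announced by the same router or the same upstream, so a stricter audit would group by originating AS or by physical site. The point of the check is the same as the experts' objection: if every entry in the grouping falls into one block, the zone has no independent path to its name servers.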

Bailey's company produces DNS servers for corporations and large organizations that need to have guaranteed service.

Added Robertson, "If a major security incident happened today, this would have been a disaster."