Mar 23 2016

Securing IT DNS Architecture for NFV

By now, it's well established that network functions virtualization (NFV) provides important benefits to service providers. But NFV also holds significant benefits for federal IT networks.

Not only does it save money by reducing operational costs and truck rolls to deploy new hardware, it also improves the speed with which new network services can be introduced.

With this flexibility come important considerations for federal agencies, particularly when moving Domain Name System (DNS) infrastructure to an NFV implementation.

Security is one area in which moving DNS architecture to NFV raises unique security considerations for government clients. With software managing more of the networking functionality than ever before, traditional protection should be rethought when NFV is implemented. Many agencies are still running open source or commodity software to protect the virtualized environment, but that entails risks they may be unaware of. Here are concerns that highlight the need for an intelligent approach to security in NFV.

Securing Openness

Traditional firewalls and intrusion detection systems aren't designed for securing DNS, especially in the NFV environment. The same adaptability that allows software to provide more flexibility and configuration than a traditional architecture also means there are more ways to misconfigure network functions. This opens new avenues for attack, even as other aspects of NFV improve protection, such as centralization visibility and VM-level security. Even where security isn't compromised, configuration issues can cause a cascading effect that impairs the network's overall functionality, giving the appearance of a security issue where none exists.

Attacks such as the DNS-based distributed denial of service (DDoS) can quickly overwhelm network resources by generating too many resolution requests for the DNS to handle, effectively shutting down the network by preventing legitimate requests from being resolved. Other attacks replace valid IP addresses, with those directing the requester to malicious websites, or use tunneling to attack individual virtual machines, encrypting and stealing information through channels traditional security software does not normally analyze.

Virtual machines (VMs) provide network operations with centralized control over resources and enable the rapid deployment of on-demand resources. But just as with physical hardware, VMs are susceptible to malware infection. Once a machine is infected and isn't rapidly quarantined, the infection can spread to other machines throughout the network and disrupt functionality from within. Monitoring the virtualized environment requires a different set of tools from traditional network security.

With DNS-related security issues requiring additional attention as organizations adopt NFV, they should ensure that their security environment meets these requirements.

Security for NFV should be built into the DNS architecture instead of bolted on. Greater integration through the use of DNS-specific protection helps minimize gaps in coverage that may be left by add-on solutions and can easily be exploited by attackers.

Flexible, adaptive technologies are a must

To minimize the harm of an attack as it happens and address it as quickly as possible, the virtualized network needs to be able to rapidly scale resources by spinning up new machines without involving the operator. Automatically adding capacity while the attack is being managed prevents service interruption. This reduces lost revenue and productivity.

With dangers such as zero day vulnerabilities, NFV-based security should be able to detect previously unknown threats by continuously analyzing network behavior, while also defending against established threats such as off-the-shelf attack toolkits designed for a specific kind of attack.

A DNS security strategy for NFV should include internal and external analysis and resource tracking. While many threats, such as DDoS attacks, may be external, malware on existing VMs is just as dangerous. The virtualized infrastructure needs to be able to track virtual machines that are provisioned, analyze their IP addresses and monitor all traffic to detect suspicious behavior on virtual machines in real time. Additionally, it should be able to quarantine VMs to prevent the infection from spreading.

Because configuration issues lead to security and performance problems, security in the NFV environment should include network discovery and automation tools that determine what network functions are properly configured and identify potential problems.

With each new generation of technology, network planning has had to work to manage the risks while gaining the rewards, and NFV is simply the next step in creating tomorrow's highly dynamic, automated networks. When organizations proactively address security during the implementation process rather than as an afterthought, the result is a flexible, transparent network that meets immediate and future needs while keeping valuable resources safe.

panumas nikomkai