Page 57 - Cyber Warnings
Building a Secure DNS Architecture for NFV
By now it's been well established that Network Functions Virtualization (NFV) provides important
benefits to service providers. Not only does it provide cost savings by reducing operational costs
and truck rolls to deploy new hardware, but it also improves the speed with which new network
services can be introduced. Along with that flexibility, however, there are important
considerations for companies to keep in mind, particularly when moving Domain Name System
(DNS) infrastructure to an NFV implementation.
Security is one area in which moving DNS architecture to NFV raises unique considerations.
With software managing more of the networking functionality than ever before, a
rethink of traditional protection should accompany the change. Many operators are still running
open source or commodity software to protect the virtualized environment, but that entails risks
they may be unaware of. Here are a few concerns that highlight the need for an intelligent
approach to security in NFV.
Traditional firewalls and intrusion detection systems aren't designed for securing DNS,
especially in the NFV environment. The same flexibility that lets software offer a
higher degree of configuration than a traditional architecture also means
that there are more ways to potentially misconfigure network functions. This opens new
avenues for attack, even as other aspects of NFV improve protection, such as
centralized visibility and VM-level security. Even where security isn't compromised,
configuration issues can cause a cascading effect that impairs the network's overall
functionality, giving the appearance of a security issue where in fact none exists.
Attacks such as DNS-based distributed denial of service (DDoS) can quickly overwhelm
network resources by generating too many resolution requests for the DNS system to
handle, effectively shutting down the network by preventing legitimate requests from
being resolved. Other attacks replace valid IP addresses with those directing the
requestor to malicious websites or use tunneling to attack individual virtual machines,
encrypting and stealing information through channels not normally analyzed by
traditional security software.
Virtual machines provide network operations with centralized control over resources and
enable the rapid deployment of on-demand resources. But just as with physical
hardware, VMs are susceptible to malware infection. Once a machine is infected and
isn't rapidly quarantined, the infection can spread to other machines throughout the
network and disrupt functionality from within. Monitoring the virtualized environment
requires a different set of tools from traditional network security.
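As an added example, not taken from the article, the following Python heuristics scan a constructed resolver query log for two of the patterns described above: a request flood from a single client and tunneling hidden in long, high-entropy query labels. The log format, client addresses and thresholds are assumptions chosen for the demonstration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver query log: "timestamp client qname qtype" per line.
# The last block simulates one client issuing 120 queries within a single second.
SAMPLE_LOG = """\
2016-05-01T10:00:00 10.0.0.5 www.example.com A
2016-05-01T10:00:01 10.0.0.5 mail.example.com A
2016-05-01T10:00:01 10.0.0.9 static.example.org A
2016-05-01T10:00:02 10.0.0.7 3a9f1c7e0b2d4e6f8a1b3c5d.exfil.example.net TXT
2016-05-01T10:00:02 10.0.0.7 9c2e4d6f8a0b1c3d5e7f9a1b.exfil.example.net TXT
2016-05-01T10:00:03 10.0.0.7 b7d1f3a5c9e2b4d6f8a0c2e4.exfil.example.net TXT
2016-05-01T10:00:03 10.0.0.9 news.example.org A
""" + "".join(f"2016-05-01T10:00:04 10.0.0.66 r{i}.example.com A\n" for i in range(120))

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (timestamp, client, qname, qtype) tuples, skipping malformed lines."""
    return [m.groups() for line in text.splitlines() if (m := LINE_RE.match(line))]


def find_floods(records, per_second_limit=100):
    """Flood heuristic: clients exceeding the per-second query budget, {(client, ts): n}."""
    counts = Counter((client, ts) for ts, client, _, _ in records)
    return {key: n for key, n in counts.items() if n > per_second_limit}


def find_tunnel_candidates(records, min_label_len=20, min_entropy=3.5):
    """Tunneling heuristic: leftmost label both long and high-entropy, grouped by client."""
    hits = defaultdict(list)
    for _, client, qname, _ in records:
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits[client].append(qname)
    return dict(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("flood sources:", find_floods(recs))
    print("tunnel candidates:", find_tunnel_candidates(recs))
```

Thresholds are starting points; in a real deployment they are tuned per resolver against baseline traffic, and flagged clients are correlated with VM inventory before any quarantine action.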
57 Cyber Warnings E-Magazine – May 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide