Maintaining security when migrating from DNS architecture to NFV

Author: Bruce Bennie, ANZ Country Manager, Infoblox

During the past couple of years, network function virtualisation (NFV) technology has delivered some significant benefits for service providers around the world.

As well as providing cost savings by reducing the number of truck rolls needed to deploy new hardware, it has also increased the speed with which new network services can be introduced.

However, while such benefits are enticing, operators should remember there are also important security implications to consider when moving an existing Domain Name System (DNS) infrastructure to a new NFV implementation.

With software managing more network functionality than ever before, a rethink of traditional protection should accompany any shift to NFV. Many operators still rely on open source or commodity software to protect their virtualised environments; however, this can create risks that will need to be rectified. Some of the concerns that need to be addressed when migrating to NFV include:

  • Firewalls: Traditional firewalls and intrusion detection systems were not designed for securing DNS, especially in an NFV environment. The same flexibility that lets software offer far more configuration options than a traditional architecture also means there are more ways to misconfigure network functions. This opens new avenues for attack, even as other aspects of NFV improve protection.
    Even where security isn’t compromised, any configuration issues can cause a cascading effect that impairs the network’s overall functionality. This may give the appearance of a security issue where in fact none exists.

  • External attacks: Attacks such as DNS-based distributed denial of service (DDoS) can quickly overwhelm network resources by generating too many resolution requests for the DNS system to handle. This effectively shuts down the network by preventing legitimate requests from being resolved.
    Other attacks replace valid IP addresses with those directing the requestor to malicious websites or use tunneling to attack individual virtual machines, encrypting and stealing information through channels not normally analysed by traditional security software.

  • Virtual machines: Virtual machines give network operations centralised control over resources and enable their rapid deployment. However, just as with physical hardware, VMs are susceptible to malware infection. Once a machine is infected and isn’t rapidly quarantined, the infection can spread to other machines throughout the network and disrupt functionality from within. Monitoring the virtualised environment requires a different set of tools from traditional network security.

With DNS-related security issues requiring additional attention as carriers shift to an NFV platform, they should ensure their security meets certain specific requirements including:

  • Built-in security: Security for NFV should be built into the DNS architecture instead of bolted on. A higher degree of integration through the use of a DNS-specific protection helps minimise gaps in coverage that may be left by add-on solutions and can easily be exploited by attackers.

  • Rapid scalability: To minimise the impact of an attack as it happens and address it as quickly as possible, the virtualised network needs to be able to rapidly scale resources by spinning up new machines without the need for operator involvement. Automatically adding capacity while the attack is managed prevents service interruption. In turn, this reduces lost revenue and productivity.

  • Continuous analysis: Faced with dangers such as zero-day vulnerabilities, NFV-based security should have the capacity to detect previously unknown threats by continuously analysing network behaviour, while also defending against established threats such as off-the-shelf attack toolkits designed for a specific kind of attack.

  • Resource tracking: A DNS security strategy for NFV should include internal as well as external analysis and resource tracking. While many threats such as DDoS attacks may be external, malware on existing VMs is just as dangerous. The virtualised infrastructure needs the ability to track the virtual machines that are provisioned, analyse their IP addresses, and monitor all traffic to detect suspicious behaviour on virtual machines in real time. Additionally, it should have the ability to quarantine VMs to prevent an infection from spreading.

  • Network discovery: Because configuration issues lead to security and performance problems, security in the NFV environment should include network discovery and automation tools that determine which network functions are properly configured and identify potential problems.
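The "continuous analysis" and "resource tracking" requirements above, illustrated with a small added example that is not part of the article or of any Infoblox product: it reads resolver query logs, flags VMs whose behaviour matches the two DNS threats the article names (a resolution-request flood, and tunnelling-style queries with many random-looking labels under one parent domain), and returns the set of client VM addresses an orchestrator could quarantine. The log format, sample lines and thresholds are all constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<second> <client-vm-ip> <qname>"
# (assumed format for this example, not a real resolver's log syntax).
SAMPLE_LOG = """\
1 10.0.1.5 www.example.com
1 10.0.1.5 mail.example.com
1 10.0.1.7 cdn.example.net
2 10.0.1.7 www.example.com
2 10.0.1.9 a9f3c1e7b2d4.exfil.example.org
2 10.0.1.9 7b2e0c4d9a1f.exfil.example.org
3 10.0.1.9 e4d1a0c7f93b.exfil.example.org
3 10.0.1.9 0c7f3b9a1e2d.exfil.example.org
"""
# Constructed burst: one VM issuing 150 queries in a single second.
SAMPLE_LOG += "\n".join(f"4 10.0.1.11 h{i}.example.com" for i in range(150)) + "\n"

FLOOD_QPS = 100         # per-client queries/second above which we flag a flood
TUNNEL_MIN_LABELS = 4   # distinct high-entropy labels under one parent domain
ENTROPY_BITS = 3.0      # Shannon entropy (bits/char) for a "random-looking" label

def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a repeated single character)."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sec, ip, qname = line.split()
        rows.append((int(sec), ip, qname.lower().rstrip(".")))
    return rows

def flood_sources(rows, qps=FLOOD_QPS):
    """Clients that exceeded the per-second query threshold in any one second."""
    per_sec = Counter((sec, ip) for sec, ip, _ in rows)
    return {ip for (sec, ip), n in per_sec.items() if n > qps}

def tunnel_sources(rows, min_labels=TUNNEL_MIN_LABELS, bits=ENTROPY_BITS):
    """Clients sending many distinct high-entropy leftmost labels to one parent domain."""
    seen = defaultdict(set)
    for _, ip, qname in rows:
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        head, parent = labels[0], ".".join(labels[1:])
        if len(head) >= 12 and shannon_entropy(head) >= bits:
            seen[(ip, parent)].add(head)
    return {ip for (ip, _), heads in seen.items() if len(heads) >= min_labels}

def quarantine_candidates(text):
    rows = parse_log(text)
    return flood_sources(rows) | tunnel_sources(rows)
```

In a real deployment the thresholds would be tuned against a baseline of normal resolver traffic, and the returned addresses would feed the orchestrator's quarantine action rather than be acted on blindly.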

With each new generation of technology, network planning has had to work to manage risks while gaining the rewards. NFV is simply the next step in creating tomorrow’s highly dynamic, automated networks.

When service providers proactively address security during the implementation process rather than as an afterthought, the result will be a flexible, transparent network that meets immediate and future needs while keeping valuable resources safe.
