Ensuring DNS security in the NFV environment

Service providers are becoming increasingly aware of the benefits offered by network function virtualisation (NFV). Not only does it deliver savings by reducing operational costs and the need for truck rolls to deploy new hardware, but it also improves the speed at which new network services can be introduced.

Along with this flexibility, however, come unique security considerations, particularly when a company moves its Domain Name System (DNS) infrastructure to an NFV implementation. With more network functionality being managed by software than ever before, extra thought will need to be given to the protection in place when planning the transition.

Many operators still rely on open source or commodity software to protect their virtualised environment, which can entail risks they may be unaware of. Security around NFV requires a more intelligent approach.

Security considerations

Traditional firewalls and intrusion detection tools aren't designed to secure DNS, particularly in the NFV environment. While other aspects of NFV, such as centralisation, visibility and virtual machine (VM)-level security can improve protection, the increased flexibility and higher degree of configuration that it offers can also lead to more ways of potentially misconfiguring network functions, opening new avenues for attack.

And even if configuration issues don’t compromise security, they can cause a cascading effect that impairs the overall functionality of a network, giving the appearance of a security issue where there is none.

Genuine malicious actions, such as DNS-based distributed denial of service (DDoS) attacks, can quickly overwhelm network resources. By generating too many resolution requests for the DNS system to handle, these attacks will prevent legitimate requests from being resolved, and effectively shut down the network.

Other attacks substitute a malicious address for the valid IP address in a DNS response, directing the requester to a malicious website. Others still use tunnelling techniques to attack individual VMs, encrypting and exfiltrating information through channels not normally analysed by traditional security software.

Finally, as with physical hardware, it’s worth considering that VMs are susceptible to infection by malware. VMs provide network operations with centralised control, enabling the rapid deployment of on-demand resources.

Should a machine become infected and not be quarantined in time, the infection can quickly spread to other machines throughout the network and disrupt functionality from within.

Built-in, not bolted on

These examples alone demonstrate how DNS-related security issues require additional attention, and why monitoring the virtualised environment requires a different set of tools to those used in traditional network security. As service providers adopt NFV, they should ensure their security environment is sufficiently robust.

Security for DNS should be built into the NFV architecture rather than bolted on. A higher degree of integration through the use of DNS-specific protection will help minimise gaps in coverage that may be overlooked by add-on solutions, and that may be easily exploited by attackers.

When an attack inevitably occurs, its impact needs to be minimised as quickly as possible. The virtualised network must be able to rapidly scale resources by spinning up new machines without requiring any operator involvement. Automatically adding capacity while managing the attack will prevent any service interruption which, in turn, will reduce the risk of lost revenue and productivity.

Additionally, as well as defending against established threats, NFV-based security should be capable of continuously analysing network behaviour to detect previously unknown threats, such as zero-day vulnerabilities.

It’s also worth noting that, while many threats such as DDoS attacks may come from outside the firewall, malware on existing VMs can be just as dangerous. For this reason, any DNS-based security strategy for NFV should include internal as well as external analysis and resource tracking. Virtualised infrastructure should be able to track provisioned VMs, analyse their IP addresses, and monitor all DNS traffic to detect any suspicious behaviour in real time. At the same time, it should be able to quarantine VMs to prevent the spread of infection.
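As an added example (not Infoblox's code or any product's logic), the following script shows the kind of real-time DNS traffic analysis described above, run over a constructed query log: it flags the two threat patterns named earlier, tunnelling (long, high-entropy leftmost labels carrying exfiltrated data) and resolution floods (one VM issuing far more queries per second than normal). All thresholds, IP addresses and domain names are assumptions chosen for the sample.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: (timestamp in seconds, source VM IP, queried name).
# 10.0.1.11 emits tunnel-like names; 10.0.1.12 issues a burst of 60 queries in one second.
SAMPLE_LOG = [
    (0.0, "10.0.1.10", "www.example.com"),
    (0.4, "10.0.1.10", "mail.example.com"),
    (0.9, "10.0.1.11", "a9f3k2m8q1z7x4c6v0b5n2p8.exfil.example.net"),
    (1.1, "10.0.1.11", "q7w3e5r1t9y2u4i6o8p0a3s5.exfil.example.net"),
    (1.4, "10.0.1.11", "z1x3c5v7b9n2m4k6j8h0g2f4.exfil.example.net"),
] + [(2.0 + i * 0.01, "10.0.1.12", f"host{i}.example.com") for i in range(60)]

LABEL_LEN_MIN = 20      # assumed threshold: leftmost label at least this many characters
ENTROPY_MIN = 3.5       # assumed threshold: Shannon entropy in bits per character
FLOOD_PER_SECOND = 50   # assumed threshold: queries from one VM within a one-second window


def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(name):
    """True when the leftmost label is long and high-entropy, as encoded tunnel payloads tend to be."""
    first = name.split(".")[0]
    return len(first) >= LABEL_LEN_MIN and label_entropy(first) >= ENTROPY_MIN


def analyse(log):
    """Return {'tunnel': {vm: [names]}, 'flood': {vm: peak queries per second}} for the log."""
    tunnel = defaultdict(list)
    per_second = defaultdict(Counter)        # vm -> {second: query count}
    for ts, vm, name in log:
        if looks_like_tunnel(name):
            tunnel[vm].append(name)
        per_second[vm][int(ts)] += 1
    flood = {vm: max(c.values()) for vm, c in per_second.items()
             if max(c.values()) > FLOOD_PER_SECOND}
    return {"tunnel": dict(tunnel), "flood": flood}


if __name__ == "__main__":
    # A quarantine action for the flagged VMs would hang off this result in a real deployment.
    print(analyse(SAMPLE_LOG))
```

Legitimate CDN and cloud hostnames also use long random-looking labels, so in practice the entropy check is paired with an allowlist of known domains and the thresholds are tuned per network rather than taken from this sample.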

Furthermore, we’ve seen that configuration issues can lead to security and performance problems, so it’s important that security in the NFV environment should include network discovery and automation tools that can determine which network functions are properly (and improperly) configured, and identify potential problems.

Technology evolution

NFV is the next step in creating tomorrow’s highly dynamic, automated networks. As technology evolves, network planning has to work to manage the risks while gaining the rewards of each iteration. By proactively addressing security during the implementation process rather than seeing it as an afterthought, service providers will enjoy a flexible, transparent network that meets immediate and future needs, while keeping valuable resources safe.

Dilip Pillaipakam, VP of service provider strategy and products at Infoblox
