DNS security and cloud network automation – Two imperatives for Middle East service providers today!

Service providers in the Middle East today are investing heavily in two technology areas – security and cloud computing.

Author: Cherif Sleiman, GM, Infoblox ME

The DNS Server: a Frequent Target of DoS and Other Attacks

On the security front, the bottom line is that attackers, now called cyber criminals in the era of the internet, will always look for new ways to breach IT systems. Unfortunately, even the most robust security technologies cannot guarantee 100% protection. That being said, we’ve done a good job as an industry: we’ve fortified the desktop with endpoint security solutions, then we moved to the network and built our firewalls and intrusion prevention systems, and now, as the attack vectors have moved into the application layer, we’ve seen an entirely new security industry emerge with web-application firewalls, next-generation firewalls, etc.

Recently, the weak point being exploited, independent of the region and the specific technologies that have been deployed, has been the foundation of the internet itself. And if we look at this foundation, we’re talking about Domain Name Service (DNS). DNS fundamentally allows people and organizations to communicate, transact and conduct business in the most intuitive way possible. Because of its critical role in establishing all forms of connectivity across the internet, DNS traffic is always allowed to pass through firewalls. This has not escaped the attention of criminal elements, who are increasingly exploiting the lack of defences for DNS infrastructure. In the past 18 months, DNS has become the latest target and has rapidly become one of the most severe points of exposure in service provider networks. In mobile networks, for example, DNS servers were identified as the #1 exposure in 2014. Beyond simple and sophisticated denial of service attacks, various additional exploits also target DNS, including cache poisoning (as in the recent case of the Etisalat website hacking), reflection and amplification attacks.

Internet Service Providers (ISPs), mobile operators and cloud providers all rely heavily on DNS, partly as an essential connectivity component and partly as a service they offer their customers, either implicitly or explicitly. As a result, it is critical that service providers protect this vital asset – for the sake of their reputations, as well as for the sake of their customers who rely on stable, always-on internet connectivity.

Two critical areas that require protection inside the provider’s network are the authoritative DNS servers and the DNS caching servers. Authoritative DNS servers in various locations inside the provider’s network provide the authoritative responses to DNS queries and connectivity requests from their subscriber base. Authoritative servers enable web presence, e-commerce functions, and location of multiple network components for mobile IP connectivity, especially roaming and gateway location in LTE networks. The DNS caching layer, which is key to establishing a rapid response to DNS queries – and therefore key to acceptable response times – holds cached query responses for commonly accessed websites and other URLs, all of which are critical to smooth Internet connectivity for customers.

There is currently only ONE effective way to address these DNS threats – directly from within the DNS servers themselves. DNS attacks cannot be handled by any of the traditional security technologies, including firewalls, intrusion technologies, etc. Purpose-built products that provide carrier-grade Advanced DNS Protection (ADP) can address such attacks.

Importance of Cloud Network Automation for Private Cloud, Hosting, and Managed Services at Service Providers

Service providers in the region are under pressure to do two things. One is to respond faster to market innovations and user demand, specifically around differentiation. Today, as we know, the average revenue per subscriber from voice is declining, so service providers have to rely on more innovative services in the data space and on bundling offers to attract more subscribers. The other is the increased user demand for bandwidth and applications, which is forcing SPs to upgrade their networks and data centers. With declining budgets and margins, they have to do something different to maintain profitability and cut costs.

Service providers have found Private Cloud to be the answer and are embarking on a journey to centralize and consolidate services. They have begun to adopt server virtualization and Network Functions Virtualization (NFV) technologies to reduce the footprint of their architectures and networks, and are then tying these into orchestration and cloud management platforms in order to bring more agility and help them provide on-demand services.

However, this transition throws up lots of challenges. NFV and virtualization are disruptive technologies, and organizations have to change the way they operate. Visibility and manageability of the network are lost when service providers adopt NFV technologies. In a traditional IT world there was a 1:1 mapping between the service that you were using and the hardware it was running on. Although it was not an efficient world, it was a simple world. You could point to a router or server, you understood its IP address and location, and you managed it by logging into its management platform.

In a world where you are virtualizing network functions and the functions transition from the physical space to the virtual space, the lines become blurred and questions arise: Where are these functions? How do I track and manage them? How do they get networked? So there has to be a re-tooling of the organization and also of the thought process.

The journey to NFV, the cloud and SDN that service providers are undertaking is absolutely necessary. At the same time, a lot of the technologies that are taking service providers on this journey leave much to be desired in terms of providing control, visibility and manageability of various network functions.

A good Cloud Network Automation solution erases all of these challenges. It delivers critical network services for the cloud, including DNS, DHCP, and IP address management. It is a highly automated cloud infrastructure solution that provides greater visibility into virtual machines and tenants, empowering administrators to get a real-time view into cloud resources as they are provisioned and enabling service providers to roll out applications faster without human latency and to deliver more reliable business services.

The cloud network automation solution should check all the boxes below:

  • Topology-aware network device discovery, vDiscovery for virtualized network environments
  • Automated device change detection and notification
  • Automated configuration tracking and bulk device provisioning with rollback and audit trails
  • Policy enforcement and workflow initiation and scheduling
  • Automated compliance reporting to internal or external standards
  • Automated IP address provisioning to VMware server stacks
  • Support for emerging protocols and techniques including IPv6, Dual Stack, and DNSv6

High-Volume Provisioning and Reclamation of Bulk IP Addresses

While virtual servers can be spun up in seconds, with manual network support and management processes it may still take days, or even weeks, to assign IP addresses to those servers. A Cloud Network Automation solution should include advanced IP Address Management solutions that automate the high-volume provisioning and reclamation of bulk IP addresses to and from VM-based servers through seamless and thorough integration with cloud management and orchestration platforms from VMware, MSFT, Cisco Systems and others, in addition to full support for OpenStack.