Securing DNS for secure NFV

Dilip-Pillaipakam

Dilip Pillaipakam, VP of service provider strategy and products at Infoblox looks at the unique security considerations that network function virtualisation presents to business.

Network Functions Virtualisation (NFV) is increasingly being championed for its transformative potential for communication service providers (CSPs). Replacing dedicated network appliances, such as firewalls and routers, with software running on off-the-shelf, commercial servers provides CSPs with clear benefits when delivering network services.

Beyond purely generating savings, through the reducing of operational costs and the truck rolls needed to deploy new hardware, NFV also enables operators to improve the pace at which they introduce new services.

But, with software managing more network functionality than ever before, unique security considerations arise. And giving extra thought to the protection in place is particularly necessary for any organisation planning a transition of Domain Name System (DNS) infrastructure to an NFV implementation.

Many operators still use commodity or open source software, for instance, to protect their virtualised environments, which can potentially introduce risks they may be unaware of. That’s why a more intelligent approach to NFV security is so sorely needed.

Where traditional solutions fall short

From firewalls to intrusion detection tools, traditional security solutions are rarely designed with DNS protection in mind, and rarer still to secure an NFV environment. While some aspects of NFV, such as virtual machine (VM)-level security and centralisation, can improve protection, its higher level of configuration and increased flexibility can also introduce more ways for the network’s functions to be misconfigured, ultimately opening up new attack vectors.

While these configuration issues may not actually lead to security being compromised, the potential cascading effect could impair a network’s overall functionality by making it appear like there are security issues which do not in fact exist.

But there are, of course, also genuine malicious actions. By generating too many resolution requests for a DNS to handle, DDoS attacks can quickly overwhelm a network’s resources. This will ultimately prevent the resolution of legitimate requests and stop the network functioning.

Other attack vectors include replacing a valid IP address with one that redirects to another malicious website; or attacking individual VMs using tunnelling techniques which can then encrypt and exfiltrate data through those channels which traditional security software tends not to analyse.
What is more, similar to physical hardware, VMs are susceptible to malware infection. Machines which aren’t promptly quarantined after being infected can cause the infection to spread rapidly. This can then spread through the network to disrupt the functionality of other machines.

Building in security

These examples clearly demonstrate the importance of giving DNS-based security additional attention and why a different set of tools to those traditionally used to secure networks is required to monitor the virtualised environment.

DNS security must be built into NFV architecture, rather than approached as an add-on. Integrating DNS-specific protection will help to reduce any gaps in coverage that bolt-on solutions may overlook, and which can then be exploited by cyber criminals.

And when an attack does take place, immediate steps must be taken to minimise its impact.

Enabling the rapid scaling of resources in the virtual environment, for instance, by spinning up new machines without operator involvement adds capacity to help prevent interrupting service. This in turn reduces the risk of lost revenue and productivity.

As well as defending against known threats, NFV-based security should also be able to continuously analyse network behaviour to detect previously unknown threats such as zero-day vulnerabilities.

It’s also important to note that organisations must look beyond external threats, such as DNS-based DDoS attacks, to the dangers that existing malware on the network can pose. DNS-based security for NFV, for that reason, should also involve internal analysis and resource tracking.

By tracking provisioned VMs, analysing their IP addresses, and monitoring all DNS traffic, virtualised infrastructure should be able to detect suspicious behaviour as it happens. It should also, when necessary, be able to quarantine infected VMs to prevent infection from spreading across the network.

Finally, in order to address the potential security and performance problems that configuration issues can lead to, it’s important that NFV environments also include network discovery and automation tools which can determine correctly – and incorrectly – configured network functions, to identify potential issues before they arise.

While emerging as the next step in creating highly dynamic automated networks, NFV planning must evolve to ensure that the security risks are managed while reaping the rewards. Security must be a priority from the outset, addressed during the implementation stage rather than as an afterthought. Only then can service providers take advantage of a flexible and transparent network which meets both their current and future needs, while also ensuring that their most valuable resources remain protected.