DOHA: As enterprises in Qatar gear up to handle the barrage of increasingly targeted and sophisticated cyber attacks, security architects must take advantage of the visibility that each IT asset can provide. DNS is an excellent example of a scalable and pervasive network infrastructure protocol that offers unmatched visibility into network traffic patterns, malicious and otherwise, according to an expert.
If used optimally, DNS can provide an affordable and scalable first line of defence for detection and mitigation of the vast majority of known threats. Behavioural analysis of DNS traffic can also serve as an “early warning system,” flagging potential zero-day threats in the network, said Ashraf Sheet, Regional Director Middle East & Africa at Infoblox.
When it comes to DNS security, many organizations are interested in cloud-based SaaS-only solutions, which they expect to be easier to implement and sufficient to identify infected devices and protect against threats such as malware and phishing. SaaS for DNS security can be effective, but only when integrated with on-premises systems.
The way most SaaS-only DNS security solutions work is to enable businesses to forward their DNS traffic to the cloud, where DNS queries are processed and potential malicious activity is detected and flagged. In order to identify the infected end host, these solutions require the deployment of DNS forwarding proxies (running on virtual machines) deep inside the enterprise network or the use of endpoint agents. As enterprises move their workloads into private and public clouds, deploying and managing these proxies can become even more complicated.
Most enterprise DNS servers support the ability to block access to domains via configuration of response policy zones (RPZ). By directing all DNS traffic to the cloud, SaaS-only solutions fail to leverage these existing security capabilities, which allow an enterprise to block the most egregious threats at the very first DNS server that sees them.
Further, because overlay solutions do not integrate with the incumbent enterprise DNS architecture, they leave enterprise administrators stuck with operating two separate and siloed management systems and having to manually correlate data between the two. Beyond the inefficiencies of managing two separate DNS systems, an even more significant drawback is that you sacrifice visibility and security context. Specifically, overlay solutions are unable to leverage the rich contextual data available in the enterprise DNS, DHCP, and IP address management systems (DDI). This context can help with prioritisation of security threats, a key requirement for security analysts who are swamped with alerts they can’t keep up with.
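The three points above (blocking known-bad domains at the first resolver, behavioural inspection of query names as an early-warning signal, and using DHCP lease data to turn an IP address into a named host for prioritisation) can be shown together in a small triage script. The code below is an added illustration and is not from the article or from Infoblox; it assumes a BIND-style query-log format, a constructed block list standing in for an RPZ policy zone, a constructed DHCP lease table, and heuristic entropy and length thresholds that a real deployment would tune.

```python
"""
Added example (not from the article or Infoblox): minimal DNS-log triage
demonstrating three ideas the article discusses:
  1. a local block list applied at the first resolver (the RPZ idea),
  2. a simple behavioural check on query names (an "early warning" signal),
  3. correlation of the querying IP with DHCP lease data (DDI context),
     so that an alert names a host rather than just an address.
All log lines, the block list and the lease table are constructed sample data.
"""
import math
import re
from collections import Counter

# Constructed sample resolver log lines; a BIND-style query-log layout is assumed.
QUERY_LOG = """\
12-Mar-2024 10:01:02.100 client 10.20.30.41#51234: query: www.example.com IN A + (10.20.30.1)
12-Mar-2024 10:01:05.200 client 10.20.30.41#51235: query: bad-domain.example IN A + (10.20.30.1)
12-Mar-2024 10:01:07.300 client 10.20.30.77#40001: query: k3j9x2m8q1z7v4b6n0p5.example.net IN TXT + (10.20.30.1)
12-Mar-2024 10:01:08.400 client 10.20.30.77#40002: query: a8f2c1e9d7b3h5k0m6p2.example.net IN TXT + (10.20.30.1)
12-Mar-2024 10:01:09.500 client 10.20.30.77#40003: query: mail.example.com IN MX + (10.20.30.1)
"""

# Constructed block list standing in for an RPZ policy zone.
BLOCKLIST = {"bad-domain.example"}

# Constructed DHCP lease table (IP -> hostname, MAC): the DDI context.
DHCP_LEASES = {
    "10.20.30.41": {"host": "finance-laptop-07", "mac": "00:11:22:33:44:55"},
    "10.20.30.77": {"host": "lobby-kiosk-02", "mac": "66:77:88:99:aa:bb"},
}

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_log(text):
    """Extract client IP, query name and type from each log line that matches."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_blocked(qname, blocklist=BLOCKLIST):
    """RPZ-style match: the name itself or any parent domain is on the list."""
    labels = qname.rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def looks_suspicious(qname, min_len=16, min_entropy=3.5):
    """Heuristic early-warning check: a long, high-entropy leftmost label.
    Thresholds are assumed values for illustration, not tuned guidance."""
    first = qname.split(".")[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy


def triage(text, leases=DHCP_LEASES):
    """Flag queries and attach the lease record so alerts name a host."""
    alerts = []
    for ev in parse_log(text):
        reason = None
        if is_blocked(ev["qname"]):
            reason = "blocklist"
        elif looks_suspicious(ev["qname"]):
            reason = "high-entropy-label"
        if reason:
            lease = leases.get(ev["ip"], {})
            alerts.append({
                "ip": ev["ip"],
                "host": lease.get("host", "unknown"),
                "mac": lease.get("mac", "unknown"),
                "qname": ev["qname"],
                "reason": reason,
            })
    return alerts


def prioritise(alerts):
    """Order alerts so hosts with the most flagged queries come first."""
    per_host = Counter(a["host"] for a in alerts)
    return sorted(alerts, key=lambda a: (-per_host[a["host"]], a["host"]))


if __name__ == "__main__":
    for a in prioritise(triage(QUERY_LOG)):
        print(f'{a["host"]:18} {a["ip"]:13} {a["reason"]:20} {a["qname"]}')
```

Run as a script, the output lists the kiosk first because two of its queries were flagged by the behavioural check, then the laptop whose query hit the block list; the block-list match is the one a resolver with an RPZ would have refused locally without any cloud round trip, while the entropy heuristic is only a lead for an analyst to confirm.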