DNS is critical to any security posture because it is the door that most people use to get into an environment. Guarding that door used to be simple when we didn't have hundreds or (depending on the environment) thousands of doors. Those are being moved around every day, so how do we know that the door we are about to open leads us to the right place?
DNS and the open doors
The recent Microsoft subdomain takeover is a very good example of how a simple DNS misconfiguration can leave a huge open door for malicious actors. Automation and standard configuration are part of the answer, but how we get there matters more.
Having access to a clean repository that serves as the source of truth for addresses shortens reaction time during a breach. When a host is generating excessive network traffic, being able to pinpoint the switch port it is connected to and the VLAN it is on, and so triangulate that device, is the only way to do network access control (NAC) reliably and quarantine a compromised machine.
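The two points above (a DNS misconfiguration that leaves a door open, and a source-of-truth repository you can check against) come together in a zone audit. The following is an added example, not code from the original post or from any DDI product: it parses a constructed zone export and flags A records whose address the IPAM table says is unallocated, and CNAME records whose target is neither a name we own nor a name that currently answers, which is the dangling-alias misconfiguration behind subdomain takeovers. The zone text, the IPAM allocations and the static resolver view are all constructed sample data; a real deployment would pull them from the DDI platform and do a live lookup.

```python
"""Audit a DNS zone against a source-of-truth inventory (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str


# Constructed zone export for example.test. (not a real zone).
ZONE_TEXT = """\
www.example.test.        300 IN A     10.1.20.15
legacy-api.example.test. 300 IN A     10.1.20.99
shop.example.test.       300 IN CNAME shop-prod.example-cloud.test.
blog.example.test.       300 IN CNAME old-tenant.example-cloud.test.  ; tenant decommissioned
intranet.example.test.   300 IN CNAME www.example.test.
"""

# Constructed IPAM allocations: addresses that are actually assigned to something.
IPAM_ALLOCATED = {ipaddress.ip_address("10.1.20.15")}

# Constructed resolver view of external names. In production this would be a live
# lookup; it is a static table here so the example runs offline.
RESOLVES = {"shop-prod.example-cloud.test.": "203.0.113.10"}


def parse_zone(text):
    """Parse 'name TTL IN TYPE value' lines; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        name, _ttl, _cls, rtype, value = line.split()
        records.append(Record(name.lower(), rtype.upper(), value))
    return records


def find_stale_addresses(zone, allocated):
    """A/AAAA records pointing at addresses IPAM says are unassigned."""
    return [r for r in zone
            if r.rtype in ("A", "AAAA")
            and ipaddress.ip_address(r.value) not in allocated]


def find_dangling_cnames(zone, resolves):
    """CNAMEs whose target is neither a name in our zone nor currently resolving."""
    owned = {r.name for r in zone}
    return [r for r in zone
            if r.rtype == "CNAME"
            and r.value.lower() not in owned
            and r.value.lower() not in resolves]


def audit(zone_text=ZONE_TEXT, allocated=IPAM_ALLOCATED, resolves=RESOLVES):
    zone = parse_zone(zone_text)
    return {
        "stale_addresses": [r.name for r in find_stale_addresses(zone, allocated)],
        "dangling_cnames": [r.name for r in find_dangling_cnames(zone, resolves)],
    }


if __name__ == "__main__":
    for finding, names in audit().items():
        print(f"{finding}: {names}")
```

The stale-address check catches the "door that leads nowhere"; the dangling-CNAME check catches the door that leads somewhere you no longer control. Both depend on the IPAM table being trustworthy, which is the point of keeping it as the source of truth.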
DNS at the security layer is still a great first step in a security strategy. However, DNS security has to go beyond curating domain lists; it has to extend to DHCP and IPAM. Many organizations still struggle to keep that information updated and rely on outdated technologies that don't scale or integrate easily with today's automation tools.
Getting automation right
Furthermore, NIST includes DHCP fingerprinting in its Cybersecurity Framework (CSF). DHCP fingerprinting is the use of the DHCP request packet to "fingerprint" a device and enrich its IP data with device type, physical location, and the OS and applications running on it, in addition to network configuration data (IP address, host name, network gateway, netmask, switch port, and VLAN).
Automating true quarantine with a network access control solution like Cisco ISE or Aruba ClearPass requires an integration with a DDI provider. NAC solutions can use the information provided by a solution like Infoblox to get context, prioritize threats better, and take more immediate action.
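What the DHCP fingerprinting paragraph and the NAC integration paragraph describe can be shown end to end on one packet. The following is an added example, not code from the original post or from any DDI or NAC vendor: it builds a minimal DHCP REQUEST in the RFC 2131 layout, parses its options, fingerprints the client from option 55 (parameter request list) and option 60 (vendor class), reads switch and port/VLAN from the relay agent's option 82, and returns the enriched record a NAC would consume to locate and quarantine the host. The packet contents and the signature table are constructed sample data, and the circuit-id layout (VLAN, module, port) is an assumption; real switch vendors encode it differently.

```python
"""DHCP fingerprinting and IP enrichment (added example, constructed data)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed signature table: option-55 tuple -> device class.
# Real fingerprint databases are far larger; these entries are illustrative only.
SIGNATURES = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows-workstation",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "macos-laptop",
    (1, 3, 6, 12, 15, 28, 42): "embedded-linux/iot",
}


def build_dhcp_request(mac, hostname, param_list, vendor_class, circuit_id, remote_id):
    """Assemble a minimal DHCP REQUEST so the example runs offline."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,
        b"\x0a\x01\x14\x01",        # giaddr: relay at 10.1.20.1 (constructed)
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 3])                                  # message type: REQUEST
    opts += bytes([12, len(hostname)]) + hostname              # host name
    opts += bytes([55, len(param_list)]) + bytes(param_list)   # parameter request list
    opts += bytes([60, len(vendor_class)]) + vendor_class      # vendor class identifier
    opts += bytes([61, 7, 1]) + mac                            # client id: htype + MAC
    relay = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    opts += bytes([82, len(relay)]) + relay                    # relay agent information
    return header + MAGIC_COOKIE + opts + b"\xff"


def parse_options(packet):
    """Return {option_code: raw bytes}; stops at END (255), skips PAD (0)."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_relay_info(raw):
    """Split option 82 into sub-options (1 = circuit id, 2 = remote id)."""
    subs, i = {}, 0
    while i < len(raw):
        sub, length = raw[i], raw[i + 1]
        subs[sub] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def fingerprint(opts):
    """Match the client's option-55 ordering against the signature table."""
    device = SIGNATURES.get(tuple(opts.get(55, b"")), "unknown")
    vendor = opts.get(60, b"").decode("ascii", "replace")
    return device, vendor


def enrich(packet):
    """Produce the context record a NAC would use to locate and quarantine the host."""
    opts = parse_options(packet)
    device, vendor = fingerprint(opts)
    relay = parse_relay_info(opts.get(82, b""))
    circuit = relay.get(1, b"")
    # Assumed circuit-id layout: VLAN (2 bytes) + module (1) + port (1).
    vlan, module, port = struct.unpack("!HBB", circuit) if len(circuit) == 4 else (None, None, None)
    return {
        "mac": packet[28:34].hex(":"),                       # chaddr, hlen=6
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "device_type": device,
        "vendor_class": vendor,
        "relay_gateway": ".".join(str(b) for b in packet[24:28]),
        "switch": relay.get(2, b"").decode("ascii", "replace"),
        "vlan": vlan,
        "port": f"{module}/{port}" if module is not None else None,
    }


# Constructed sample: an IP camera requesting an address through a relaying switch.
SAMPLE = build_dhcp_request(
    mac=bytes.fromhex("001122334455"),
    hostname=b"cam-lobby-01",
    param_list=[1, 3, 6, 12, 15, 28, 42],
    vendor_class=b"udhcp 1.36.1",
    circuit_id=struct.pack("!HBB", 120, 1, 17),
    remote_id=b"sw-lobby-1",
)

if __name__ == "__main__":
    for key, value in enrich(SAMPLE).items():
        print(f"{key:14} {value}")
```

The record is what closes the loop in the quarantine paragraph: the NAC does not need to discover where the host is, because the DHCP relay already told the DDI platform which switch, port and VLAN the request came through.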
The complexity and importance of DNS only goes up with cloud management. Having a good DDI solution will speed up the provisioning of new environments. Even more important is a combined view of both on-prem and cloud DNS servers.
Most cloud providers tell you that DNS will automatically be taken care of for you, but when you are troubleshooting an environment that scales, not having access to that information stops you from doing network security on that environment. You have to configure your DNS correctly, and applying policy to your network requires visibility into your inventory.
Now you have a set of doors, not only on-prem but also on multiple cloud providers, and how those doors are organized should be figured out before you start handing out keys to them. The public cloud providers tell you that it is alright to let them take care of things, but removing visibility from whoever manages your network creates lots of attack vectors.
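The combined on-prem and cloud view called for above can be built from each provider's own export. The following is an added example, not code from the original post or from any DNS provider: it normalises an on-prem record list and a cloud zone export into one table keyed by FQDN, then reports names the cloud answers differently from on-prem and names that exist only in the cloud (doors the network team cannot see). All records are constructed sample data, and the cloud export shape is invented for the example rather than any real provider's API.

```python
"""One view over on-prem and cloud DNS (added example, constructed data)."""
from collections import defaultdict

# Constructed on-prem export: (name, type, value).
ONPREM = [
    ("api.example.test.", "A", "10.1.30.10"),
    ("www.example.test.", "A", "10.1.20.15"),
    ("vpn.example.test.", "A", "198.51.100.7"),
]

# Constructed cloud export; this shape is invented for the example.
CLOUD = {
    "zone": "example.test",
    "records": [
        {"name": "api", "type": "A", "values": ["203.0.113.25"]},
        {"name": "www", "type": "A", "values": ["10.1.20.15"]},
        {"name": "staging-db", "type": "A", "values": ["203.0.113.40"]},
    ],
}


def normalise_onprem(rows):
    """Lower-case names, upper-case types, one tuple per value."""
    return {(name.lower(), rtype.upper(), value) for name, rtype, value in rows}


def normalise_cloud(export):
    """Expand relative cloud names to FQDNs so both sources share one key space."""
    zone = export["zone"].rstrip(".") + "."
    out = set()
    for rec in export["records"]:
        fqdn = zone if rec["name"] in ("", "@") else f'{rec["name"]}.{zone}'.lower()
        for value in rec["values"]:
            out.add((fqdn, rec["type"].upper(), value))
    return out


def combined_view(sources):
    """{label: {(fqdn, type, value)}} -> {fqdn: {(type, value): {labels}}}"""
    view = defaultdict(lambda: defaultdict(set))
    for label, records in sources.items():
        for fqdn, rtype, value in records:
            view[fqdn][(rtype, value)].add(label)
    return view


def findings(view, onprem_label="onprem"):
    """Names only the cloud knows, and (name, type, source) where answers diverge."""
    conflicts, cloud_only = [], []
    for fqdn, answers in sorted(view.items()):
        per_source = defaultdict(lambda: defaultdict(set))   # label -> type -> values
        for (rtype, value), labels in answers.items():
            for label in labels:
                per_source[label][rtype].add(value)
        if onprem_label not in per_source:
            cloud_only.append(fqdn)
            continue
        for label, types in per_source.items():
            if label == onprem_label:
                continue
            for rtype, values in types.items():
                if values != per_source[onprem_label].get(rtype, set()):
                    conflicts.append((fqdn, rtype, label))
    return {"conflicts": conflicts, "cloud_only": cloud_only}


def run(onprem=ONPREM, cloud=CLOUD):
    view = combined_view({"onprem": normalise_onprem(onprem),
                          "cloud": normalise_cloud(cloud)})
    return findings(view)


if __name__ == "__main__":
    for finding, items in run().items():
        print(f"{finding}: {items}")
```

A name that resolves one way inside and another way from the cloud is exactly the door whose destination nobody has agreed on; a name that exists only in the cloud is a key that was handed out without the network team knowing.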
Back to the DNS basics
SD-WAN is helping organizations streamline the communication for their sensitive data and extend networking into the public cloud, but those not on that journey still have a lot of connectivity traveling through the public cloud. The quality of that connectivity, as well as its security, is in someone else's hands unless you make it part of your architecture.
Choosing a cloud provider to host your applications should be no different from architecting a new data center. You need to truly understand what options you have for managing your assets, and DNS is one of those assets. You can turn DNS into a tool for intelligent response for security and performance if you have control over which door opens and where each door leads.
So as you move to the cloud and get a whole new set of keys that you are then responsible for handing out, don’t overlook the complexity of keeping track of them. Make sure you're keeping track of who has the keys, where the doors lead and who is knocking on what door.
Ready to start discussing your architecture? Request a workshop with our team of automation and security experts.