Enabling effective security for government private cloud
DNS Security and Cloud Network Automation are becoming security imperatives to support government agencies in their cloud ambitions, writes Cherif Sleiman of Infoblox
Government agencies in the Middle East are investing heavily in two technology areas: security and cloud computing. On the security front, the bottom line is that attackers, now usually called cyber criminals, will always look for new ways to breach IT systems.
Unfortunately, even the most robust security technologies cannot guarantee 100% protection. That said, we have done a good job as an industry: we fortified the desktop with endpoint security, then moved to the network and built firewalls and intrusion prevention systems, and as the attack vectors moved into the application layer an entirely new segment emerged with web application firewalls, next-generation firewalls and similar controls.
To meet the demands of a new generation of citizens, both developed and developing economies are investing heavily in robust e-governance infrastructure that simplifies access to and consumption of services. Analysis shows, however, that the road to e-governance is not simple: it requires political will, infrastructure, understanding and resources to execute an e-governance plan well.
Recently the weak point being exploited, independent of region and of the specific technologies deployed, has been the foundation of the internet itself: the Domain Name System (DNS).
DNS lets people and organisations communicate, transact and conduct business in the most intuitive way possible. Because it is needed to establish almost every form of connectivity across the internet, DNS traffic is nearly always allowed through firewalls. This has not escaped the attention of criminals, who are increasingly exploiting the lack of defences around DNS infrastructure. In the past 18 months DNS has become the latest target and has rapidly become one of the most severe points of exposure in service provider networks. Beyond simple and sophisticated denial of service attacks, other exploits also target DNS, including cache poisoning (as in the case of the Etisalat website hacking) and reflection and amplification attacks, in which an attacker sends small queries with a spoofed source address so that the much larger responses are directed at the victim.
The effective place to address these DNS threats is the DNS servers themselves. To a firewall or intrusion prevention system, most DNS attacks look like valid, well-formed queries on port 53, so those controls have little basis to separate abuse from legitimate resolution; the DNS server, which sees the full query and response context, does. Purpose-built products that provide carrier-grade Advanced DNS Protection (ADP) address such attacks at that layer.
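To make the reflection and amplification point concrete, here is an added example (not from the article or from Infoblox) of the kind of check a DNS server or its log pipeline can run that a port-53 firewall rule cannot. It parses a constructed log format assumed for illustration, groups queries by client address, and flags clients that look like spoofed reflection victims: many queries, a handful of names, amplifying record types and a high response-to-request byte ratio. The log lines and thresholds are constructed; on a real resolver the response sizes would come from a packet capture or from response-rate-limiting counters.

```python
"""Flag DNS amplification / reflection abuse in resolver query logs.

Added example, not code from the article or any Infoblox product. Assumed log
format (constructed for illustration):

    <epoch> client=<ip> qname=<name> qtype=<type> req=<bytes> resp=<bytes>

On a resolver abused for reflection the "client" is the spoofed victim: many
large responses go to one address that asked few, high-yield questions.
"""
from collections import defaultdict
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d+) client=(?P<client>[\d.]+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>[A-Z0-9]+) req=(?P<req>\d+) resp=(?P<resp>\d+)$"
)

# Record types that return large answers and are rarely used by ordinary clients.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "client": d["client"], "qname": d["qname"],
            "qtype": d["qtype"], "req": int(d["req"]), "resp": int(d["resp"])}


def find_reflectors(lines, min_queries=5, min_amp=10.0, max_distinct_names=2):
    """Return {victim_ip: stats} for clients whose traffic looks like reflection.

    Heuristic: at least `min_queries` queries, overall amplification
    (total response bytes / total request bytes) of at least `min_amp`,
    at least 80% of queries for amplifying qtypes, and no more than
    `max_distinct_names` names (attackers repeat one high-yield name).
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)

    suspects = {}
    for client, recs in per_client.items():
        if len(recs) < min_queries:
            continue
        amp = sum(r["resp"] for r in recs) / max(sum(r["req"] for r in recs), 1)
        amp_share = sum(r["qtype"] in AMPLIFYING_QTYPES for r in recs) / len(recs)
        names = {r["qname"] for r in recs}
        if amp >= min_amp and amp_share >= 0.8 and len(names) <= max_distinct_names:
            suspects[client] = {"queries": len(recs),
                                "amplification": round(amp, 1),
                                "names": sorted(names)}
    return suspects


# Constructed sample log: 203.0.113.7 is a spoofed victim, the others are benign.
SAMPLE_LOG = [
    f"{1700000000 + i} client=203.0.113.7 qname=example.net qtype=ANY req=30 resp=3000"
    for i in range(8)
] + [
    "1700000010 client=10.1.2.3 qname=www.example.org qtype=A req=32 resp=80",
    "1700000011 client=10.1.2.3 qname=mail.example.org qtype=MX req=34 resp=120",
    "1700000012 client=10.1.2.3 qname=cdn.example.com qtype=AAAA req=33 resp=90",
    "1700000013 client=10.1.2.3 qname=api.example.net qtype=A req=32 resp=80",
    "1700000014 client=10.1.2.3 qname=login.example.org qtype=A req=34 resp=80",
    "1700000015 client=10.1.2.3 qname=img.example.com qtype=A req=32 resp=80",
    # a mail gateway legitimately fetching TXT (SPF) records: few queries, many names
    "1700000016 client=10.9.0.25 qname=example.com qtype=TXT req=36 resp=420",
    "1700000017 client=10.9.0.25 qname=example.org qtype=TXT req=36 resp=380",
    "1700000018 client=10.9.0.25 qname=example.net qtype=TXT req=36 resp=400",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, stats in find_reflectors(SAMPLE_LOG).items():
        print(f"suspected reflection victim {ip}: {stats}")
```

The benign clients are not flagged: the workstation's amplification is under 3x and the mail gateway makes too few queries. The server-side response to a flagged client is response rate limiting for that destination, which is exactly the context a firewall looking at individual port-53 packets lacks.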
Importance of Cloud Network Automation
Government agencies in the region are under pressure to do two things: respond faster to market innovations and citizen demand, and cut costs. This is forcing them to upgrade legacy networks and data centres. They have found private cloud to be the answer and are centralising and consolidating services: adopting server virtualisation and cloud technologies to reduce the footprint of their architectures and networks, then tying these into orchestration and cloud management platforms to gain agility and offer on-demand services.
This transition, however, brings many challenges. Virtualisation and cloud are disruptive technologies, and organisations have to change the way they operate. Visibility and manageability of the network are lost. In the traditional IT world there was a 1:1 mapping between a service and the hardware it ran on. It was not an efficient world, but it was a simple one: you could point to a router or server, you knew its IP address and location, and you managed it by logging into its management interface.
When network functions are virtualised and move from the physical to the virtual space, the lines blur and questions arise: where are these functions? How do I track and manage them? How are they networked? The organisation, and its way of thinking, has to be re-tooled.
The journey to cloud and SDN that government agencies are undertaking is necessary. At the same time, many of the technologies taking them there leave much to be desired in control, visibility and manageability of the various network functions.
A good cloud network automation solution addresses these challenges. It delivers the critical network services the cloud depends on (DNS, DHCP and IP address management) and gives administrators a real-time view of virtual machines and tenants as cloud resources are provisioned, so that service providers can roll out applications without waiting on manual steps and deliver more reliable services.
The cloud network automation solution should include:
• Topology-aware network device discovery, with vDiscovery for virtualised environments
• Automated device change detection and notification
• Automated configuration tracking and bulk device provisioning with rollback and audit trails
• Policy enforcement and workflow initiation and scheduling
• Automated compliance reporting to internal or external standards
• Automated IP address provisioning to VMware server stacks
• Support for IPv6, dual stack and DNS for IPv6 (AAAA records, IPv6 reverse zones and IPv6 transport)
High-Volume Provisioning and Reclamation of Bulk IP Addresses
While virtual servers can be spun up in seconds, with manual network processes it may still take days or even weeks to assign IP addresses to them. A cloud network automation solution should include IP address management that automates the high-volume provisioning and reclamation of bulk IP addresses to and from VM-based servers, through integration with cloud management and orchestration platforms from VMware, Microsoft, Cisco Systems and others, in addition to full support for OpenStack.
Cherif Sleiman is general manager, Middle East at Infoblox, with more than 20 years of sales, technical and business experience with some of the world's leading networking and telecommunications technology companies.