No one questions the critical role of IP networks in today’s business environment. Few organisations can function without e-mail, to say nothing of the integrated applications powering front-end and back-end processes.
The emergence of new technologies further consolidates our dependence on IP networks. Radio frequency identification tags will extend IP networks for identifying and tracking physical objects - moving towards a global "internet of things". The economic advantages of voice over IP technology also put it firmly on many enterprises’ long-term communication plans.
Although these innovations promise efficiencies, they depend on the legacy technologies of IP networks and, as the news so frequently tells us, IP networks are far from perfect. Distributed denial of service attacks targeted at key internet infrastructure points such as Akamai or WorldPay disrupt websites and online payments for thousands of users.
Worms bring internet traffic to a crawl or halt by overloading the ability of networks to handle the increased traffic volumes. So is it a good idea to increase our dependence on IP networks without addressing the underlying security issues?
You might hope to protect services from internet-based attacks by isolating them on separate IP networks, and many VoIP implementations do use different equipment from data networks, with separate packet routing.
Despite these challenges, convergence is inevitable. Analyst firm Gartner has suggested it is not a matter of if but when convergence will happen. If history shows us anything, it is that voice, data and multimedia will tend to converge, not remain separate. Just look at today’s mobile phones. We want it all.
With that in mind, enterprises need to plan for handling tomorrow's network services. Start by looking at the security flaws in today's IP networks. Any weaknesses in an IP data network will be more pervasive and threatening in a converged future.
The logical network infrastructure is a weak link in today’s IP networks. The Domain Name System (DNS) is a key component of that logical infrastructure.
DNS presents an easy and ubiquitous target, which is reflected in its ranking as the most commonly exploited vulnerability in Unix and Linux in consecutive SANS/FBI reports. Yet the majority of the world's DNS servers run the open source BIND software.
DNS faces ongoing threats from distributed denial of service attacks, which can bring name servers to a halt by the sheer quantity of queries that are generated. Consequently, all internet-based transactions are affected, including e-mail, RFID look-ups and VoIP call placements.
Adding to the security woes are worms or viruses that often do damage not through the payload itself but by the enormous amounts of traffic they generate.
By implementing a few best practices for DNS services, you can protect your organisation's logical infrastructure from a wide range of attacks. Always run the latest version of your DNS software. If you are using BIND, make sure you have updated to the latest version release from the Internet Software Consortium.
Many communication service providers diversify the code running their DNS services. Diversifying the code base insulates services from attacks targeting specific, well-known problems in open source or Microsoft DNS services.
Telewest learned the value of diversification during a major disruption of the transatlantic network when an undersea cable was severed in 2003, causing enormous problems for IP networks across the UK. Telewest's BIND servers were completely overloaded and essentially inaccessible as a result of the traffic disruption, but its other DNS servers were still running and available. By reconfiguring those servers on the fly, Telewest was able to reroute DNS requests. Companies must maintain adequate DNS performance "headroom" to handle huge increases in demand.
Those organisations that are most concerned with network availability typically run well below available capacity as general best practice.
DNS specification RFC 2870 suggests that the root DNS servers should always have the capacity to handle three times the current peak load in normal situations. By maintaining the ability to absorb dramatic increases in DNS request traffic, the root servers have resisted many DDoS attacks. Verisign, which runs the .com domain, takes this even further by regularly running at well under 15% of capacity.
The .com domain has never been brought down.
By running DNS servers with performance headroom, you gain the ability to absorb tremendous increases in demand, whether caused by worms, DDoS attacks or accidental traffic. This will allow your network to continue answering legitimate requests while under attack.
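The headroom rule above is easy to check against your own servers. The following script is an added example, not code from the article or from Nominum: it parses per-second query counts out of BIND-style query log lines, finds the peak rate, and compares it with the server's rated capacity using the RFC 2870 "three times peak load" guidance as the yardstick. The log line shape, the client addresses and the capacity figures are all constructed sample data; a real BIND 9 query log carries extra fields, so the regular expression is an assumption to adapt to your own format.

```python
"""Check DNS query-rate headroom against the RFC 2870 "3x peak load" guideline.

Added example (not from the article): parse per-second query counts out of
BIND-style query log lines and compare the observed peak with rated capacity.
All log lines and capacity numbers here are constructed sample data.
"""
from collections import Counter
from datetime import datetime
import re

# Simplified BIND 9 query-log shape (assumption; real lines carry more fields).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ queries: info: "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

RFC2870_HEADROOM = 3.0  # root-server guidance: capacity >= 3x normal peak load


def _burst(second, n, prefix="192.0.2."):
    """Constructed query-log lines: n queries landing within the given second."""
    return [
        f"04-Mar-2004 10:15:{second:02d}.{(i * 83) % 1000:03d} queries: info: "
        f"client {prefix}{(i % 40) + 1}#{40000 + i}: query: host{i}.example.com IN A +"
        for i in range(n)
    ]


# Constructed sample: three quiet seconds and one worm-style spike at 10:15:02.
SAMPLE_LOG = (
    ["04-Mar-2004 10:15:00.000 general: info: running"]  # non-query line, ignored
    + _burst(0, 4) + _burst(1, 3) + _burst(2, 12) + _burst(3, 5)
)


def parse_query_log(lines):
    """Return a Counter of query counts keyed by whole-second timestamp."""
    per_second = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip startup messages and anything that is not a query
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        per_second[ts] += 1
    return per_second


def peak_qps(per_second):
    """Highest one-second query count seen in the log window."""
    return max(per_second.values(), default=0)


def headroom_report(per_second, rated_qps, target=RFC2870_HEADROOM):
    """Compare rated capacity with observed peak; flag servers below the target ratio."""
    peak = peak_qps(per_second)
    ratio = rated_qps / peak if peak else float("inf")
    return {
        "peak_qps": peak,
        "rated_qps": rated_qps,
        "headroom_ratio": ratio,
        "meets_target": ratio >= target,
        "utilisation_pct": 100.0 * peak / rated_qps if rated_qps else float("inf"),
    }


if __name__ == "__main__":
    counts = parse_query_log(SAMPLE_LOG)
    # Two hypothetical servers with different rated capacities (constructed values).
    for name, capacity in (("ns1 (rated 30 qps)", 30), ("ns2 (rated 60 qps)", 60)):
        r = headroom_report(counts, capacity)
        verdict = "OK" if r["meets_target"] else "BELOW 3x TARGET"
        print(f"{name}: peak {r['peak_qps']} qps, headroom {r['headroom_ratio']:.1f}x, "
              f"utilisation {r['utilisation_pct']:.0f}% -> {verdict}")
```

Run it over a real query log window that includes your busiest period rather than a quiet hour, since the peak, not the average, is what the rule is about; a server that reports a ratio below the target is the one to consolidate load away from or to re-rate before the next worm outbreak tests it for you.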
The priority should be on server consolidation and simplification, rather than throwing additional and costly DNS servers into your infrastructure.
So why undertake this planning now if convergence is still down the road? Because doing so solves the problems you face today. You will gain the ability to experiment with new services on your existing network and also enhance the security of data networks, improve service levels and reduce risks to IP-based communications.
Chris Risley is chief executive at IP address infrastructure software provider Nominum