
Networks & Service Platforms

www.strategyanalytics.com

Virtual Domain Name System (DNS) Secures the Heart of Service Provider Networks

Updated for 2019

Author: Sue Rudd, Director Networks and Service Platforms

email: [email protected]

August 2019

Report Snapshot

Domain Name System (DNS) has become a critical function in all Mobile Broadband Networks. As Mobile Network Operators (MNOs) and Communications Service Providers (CSPs) move to Network Function Virtualization (NFV) and Software Defined Networking (SDN), scalable and reliable service discovery is paramount for business operation. Evolving DNS from a utility appliance to a scalable and secure virtualized platform ensures secure and agile control for managing service selection. Service Providers can now utilize powerful Virtual DNS to secure and grow profitable subscriber services in next generation networks that demand unique capabilities not available on legacy DNS platforms.

Networks and Service Platforms


Copyright 2019© Strategy Analytics | www.strategyanalytics.com 2 of 24

Executive Summary

DNS is the ‘Beating Heart’ of all IP networks that makes the core functions of the Internet and mobile broadband work.

The number of connected devices is growing exponentially and the traffic they generate grows by 10x every five years or so. Mobile network operators (MNOs) and other communications service providers (CSPs) struggle to provide solutions that scale as needed to meet demand without ‘missing a beat’ at an ever decreasing cost per GB (Gigabyte). The Domain Name System (DNS) is the network service that translates all the user and device requests for domain names or URLs to the Internet Protocol (IP) addresses where the desired resources can be found. DNS directs most user access and service requests to the Web and Cloud services via the 4G packet core network today. Soon 5G will usher in a range of Machine to Machine (M2M) and Internet of Things (IoT) traffic that will be directed to a diverse range of network and datacenter destinations. DNS has become the ‘beating heart’ at the core of IP networks to map flows to available resources.

As MNOs and CSPs move to cloud native network function virtualization (NFV) and eventually 5G service-based architecture (SBA) to accelerate their response time for ‘on demand’ resources, DNS can no longer be just a ‘telephone directory’ that looks up names to find fixed resource addresses. DNS must dynamically and instantly map all user and internal service function ‘application name’ requests and interact with the control plane mechanisms that allocate or instantiate Virtual Machines (VMs), virtual network functions (VNFs) or 5G service functions (SFs) to instances of geographically located physical resource IP addresses.

As communications service providers (CSPs) move to next generation networks and 5G, DNS will control critical address ‘look up’ functions for instant scalability, fast response and real time activation of seamless services.

DNS already plays a key role in MNO Service Gateway Selection. In the mobile environment as mobile broadband users shift location continuously, DNS already takes on the critical role of dynamically identifying the right Internet access gateway and providing the address for IP access in milliseconds (ms). DNS is an embedded mechanism that supports all mobile broadband and Internet access today.

Virtualization demands new DNS capabilities that legacy DNS does not deliver. In the transition to NFV/SDN and ‘cloud native’ SBA, DNS must evolve from a ‘utility’ network role to:
§ Manage dynamic mobile access and traffic loads with IP address management (IPAM)
§ Support instant access for diverse mobile ‘apps’ to pools of service and network resources with dynamic service selection
§ Automate and monitor both virtual and physical resource activation and activity in real time
§ Deliver synchronized updates across a virtualized scalable DNS infrastructure
§ Provide very fast updates on evolving threats to both users and the virtualized network itself
§ Block, pre-empt or mitigate attacks on user devices, network services and the network infrastructure itself, including the Orchestrator and even the Hypervisor.

Attacks on the IP and DNS network infrastructure itself have escalated. Now more than ever, DNS plays a critical security role in intercepting and blocking incoming threats to the IP network to mitigate attacks. Unlike legacy DNS, the Infoblox virtual Secure DNS solution makes it easy to monitor and block or redirect attacks directed at:
§ Legacy network functions
§ Critical NFV functional elements, i.e. the Hypervisor or Orchestrator
§ DNS itself.


It is imperative that DNS itself not be ‘hijacked’ either to become an unwitting partner in DDoS attacks or a source of ‘defacement’ that redirects a query to an imposter site or other malicious domain, or changes the visual appearance of a web site or web page and jeopardizes revenue.

Virtual Secure DNS meets the escalating needs of Service Providers. The Infoblox Virtual Secure DNS solution now delivers an NFV compliant solution that dramatically reduces the risk, complexity and OPEX of NFV networking with:
§ Internal network and access security
§ Pro-active threat monitoring and blocking
§ Agile service gateway selection at the edge
§ Instantaneous mapping of network resources
§ Dynamic IP management to support rapid VM and service creation
§ Automated real time network monitoring and reporting
§ Operator visibility of customer service flows on an end to end (E2E) basis

Virtual Secure DNS is fully functional for NFV networking. Infoblox has already established and demonstrated working use cases with Nokia and leading operators that deliver:
§ Secure DNS to protect the MNO’s Radio Access Network (RAN) infrastructure from DDoS and DNS Reflection or Amplification. Such attacks could also threaten the Gn/Gp/S5/S8 Border Gateway or Gi/SGi Service Selection
§ Elastic Scalability to enable automatic instantiation of additional Secure DNS VMs upon detection of an overload condition or a sudden spike in DNS traffic
§ Cloud Network Automation to trigger the Orchestrator to spin up new VM instances and assign them automatically to appropriate secure IP domains in the ‘Telco Cloud’.

Virtual Secure DNS creates new value-added service opportunities. DNS also offers new opportunities to leverage MNO revenues by enabling important new value-added capabilities for consumers, enterprises, B2B wholesale cloud services and MVNO customers. These include:
§ End User Value Added Services
§ Managed security as a service for enterprise
§ Differentiated capabilities for secure cloud hosting
§ Creation and monitoring of next generation 5G ‘Network Slices’

Virtual Secure DNS (vSDNS) captures the full benefits of NFV. MNOs and other CSPs will see immediate benefits from the adoption of a truly virtualized solution. Specifically:
§ Improved scalability and reliability with both DNS virtualization and IP address management
§ Reduced OPEX from automated configuration and non-intrusive real time monitoring
§ Improved customer experience management (CEM) from E2E service and applications monitoring
§ Enhanced security threat management, redirection and even absorption, for both hosted and end user customers

Virtual Secure DNS scales at minimal incremental cost to protect operator margins. Virtual Secure DNS costs scale at a fraction of the rate of the traffic that the system supports, due to highly automated distributed domain management. The adoption of vSDNS will accelerate OPEX savings and allow operators to massively scale their IP network capacity without margin erosion for next generation networks and 5G.


Contents

Executive Summary 2
  DNS is the ‘Beating Heart’ of all IP networks that makes the core functions of the Internet and mobile broadband work. 2
  DNS already plays a key role in MNO Service Gateway Selection. 2
  Virtualization demands new DNS capabilities that legacy DNS does not deliver. 2
  Attacks on the IP and DNS network infrastructure itself have escalated. 2
  Virtual Secure DNS meets the escalating needs of Service Providers. 3
  Virtual Secure DNS is fully functional for NFV networking. 3
  Virtual Secure DNS creates new value added service opportunities. 3
  Virtual Secure DNS (vSDNS) captures the full benefits of NFV. 3
  Virtual Secure DNS scales at minimal incremental cost to protect operator margins. 3
Contents 4
I. Challenges to Fixed and Mobile Service Providers on the Path to Network Virtualization 5
  Internet & Mobile Device Growth Demands Real Time Scalability 5
  Network Virtualization and NFV/SDN Architecture have become critical for CSP Networks. 5
  Service Providers need NFV to reduce CAPEX and OPEX per Gigabyte (GB) 5
II. Virtualized DNS must go beyond Utility DNS Capabilities to Scale and Manage CSP Networks. 7
  1. Enhanced IP Address Management (IPAM) 7
  2. Dynamic Service Selection 8
  3. Traffic Awareness and Routing Policy Enforcement 10
  4. DNS Automation for Scalability and Control 10
  Example: How Network-wide management and Orchestration delivers DNS scalability 11
  5. Virtual Networks demand Inherently Secure DNS 12
III. Infoblox Virtualizes DNS to Capture Benefits of NFV 15
  Infoblox lowers CAPEX and OPEX for NFV while achieving ‘5G Ready’ Performance 15
  Three Use Cases 15
  A. Secure Software Based DNS for RAN and Core NFV Infrastructure 15
  B. Use Case ‘Elastic Scalability for DNS in NFV Environments’ 16
  C. Use Case ‘Cloud Network Automation’ 17
  Infoblox delivers Strong DNS Protection for CSPs in an NFV environment 17
  Key Use Case Benefits 18
IV. Virtual DNS Creates New Value Added Service Opportunities for Service Providers 19
  DNS enables new End User Value Added Services 19
  Managed Security as a Service for Enterprise 19
  Differentiator for Secure Cloud Hosting Service 20
  Two Future Services that DNS could leverage on a massive scale. 21
Strategic Benefits to CSPs from Infoblox Virtual Secure DNS 23
  Overall virtual Secure DNS captures the full strategic benefits that NFV brings. 23
  Virtual Secure DNS significantly lowers the cost of network expansion 23
Summary 23
Contact 23


I. Challenges to Fixed and Mobile Service Providers on the Path to Network Virtualization

Internet & Mobile Device Growth Demands Real Time Scalability

Dramatic growth in Internet devices and data traffic continues to demand large increases in mobile network capacity and on-demand scalability. Nearly 22 billion IoT and connected devices were deployed worldwide by the end of 2018, and a further 17 billion will be added by 2025. Enterprise IoT has been the major driver of growth in recent years but longer term projections suggest that the connected home will shortly overtake mobile/computing, as well as enterprise, which will have important implications for future network deployments, including 5G.

Chart A. Global Connected and IoT Devices Installed Base continues to increase dramatically

Source: Strategy Analytics ‘Global Connected and IoT Device Forecast Updated’

DNS must scale to support the vast number of IP addresses and application specific subnets that this growth implies but a key mechanism that allows service providers to scale to meet this demand with dynamically shared resources is NFV.

Network Virtualization and NFV/SDN Architecture have become critical for CSP Networks.

Network virtualization is defined as the creation of logical service networks decoupled from specific underlying physical network hardware. In an NFV/SDN architecture, software-based compute, storage and connectivity resources are assigned and reassigned logically based on user applications and service requirements, quite separately from the process of actually allocating and scaling physical network resources. As a result, provided that a physical network resource can support the required performance for a given service, the same platform can be reallocated dynamically to provide processing, storage or connectivity for multiple services. ‘Silos’ of proprietary hardware optimized for one function alone disappear in favor of multi-service platforms that are dynamically reassigned and reused more efficiently.

The NFV/SDN architecture also separates the data forwarding plane that carries actual data and content from the control plane that orchestrates and manages the assignment of resources and communications connectivity to deliver that content. The separation of the control plane allows for secure end-to-end (E2E) traffic direction, and load management as well as automated control of VNFs and SFs. Most importantly it facilitates very high performance DNS transactions.

Service Providers need NFV to reduce CAPEX and OPEX per Gigabyte (GB)

Operators face declining revenues per GB around the world, as indicated in the chart below.



Chart B. MNO $ Revenue per GB Continues to Decline Globally as Traffic Escalates

Source: Strategy Analytics Service Provider Group

MNO revenues per GB are projected to continue to decline in every region of the world. In 2018 all regions, including North America, fell below $10 per GB. By 2023 revenue per GB is expected to be just below $5 in North America and only just above $2 in Western Europe, with a global average under $1.25 per GB. However, the rates of decline are projected to slow after 2020 as 5G becomes available. With revenues per GB declining by a factor of 10 every 4 to 6 years, savings from virtualization are essential to reduce CSP Total Cost of Operations (TCO). A primary goal is to reduce costs at the same rate that revenue per GB is declining, in order to preserve margins. To achieve this both Capital Expenditures (CAPEX) and Operating Expenses (OPEX) must fall.

NFV CAPEX savings come partially from better capacity utilization. For example, if a ‘silo’ based platform is utilized at only 40% of capacity and virtualization raises that to 60%, there is a 50% improvement in capacity utilization. As a result, investment in future capacity will be deferred until that extra 50% is used up, resulting in significant long run CAPEX savings.

Significant OPEX savings are expected to come from automation, both at the Network Operations Center (NOC), which is now able to dynamically configure and manage shared ‘pools’ of network resources, and at the Service Operations Center (SOC), as service representatives are able to see E2E service quality in real time. Strategy Analytics estimates that overall the full adoption of NFV/SDN could lower MNOs’ TCO by 33% to 42%.

Getting ready for 5G, operators are accelerating the full adoption of containerized ‘Cloud Native’ microservices to replace monolithic VMs. Under some scenarios, by 2023 this will decrease Total Cost of Operations (TCO) per GB by a factor of 10 to match the projected decline in Revenue per GB and stabilize Service Provider margins.


II. Virtualized DNS must go beyond Utility DNS Capabilities to Scale and Manage CSP Networks.

Network Virtualization demands the ability to instantiate new virtual and physical resources in real-time as traffic demands. DNS must both create local service domains and assign actual network element IP addresses in real time. To fully achieve this, traditional DNS must not only add new service and control capabilities but also itself become a virtual, scalable, secure Virtual Network Function (VNF).

Traditional utility DNS systems are often based on the legacy ‘BIND’ software stacks that require frequent patching and updating of both the core DNS and the recursion and authoritative server software, as well as all the underlying Linux OS and server-based appliance components and services. Keeping every instance current is time consuming, and each instance that falls behind becomes both a potential point of failure and an exposed ‘attack surface’ for tampering. Over time, premium DNS vendors such as Infoblox have added significant value to the original utility DNS platforms by optimizing DNS process performance, extending dynamic address management, mobile service selection and traffic control capabilities, while at the same time massively automating the associated configuration, monitoring and control functions. Without this type of automation for geographically distributed functionality optimized across multiple platform instances, it will be almost impossible to manage DNS in a fully virtualized ‘5G ready’ environment.

Five types of functionality are required for DNS to operate well in such networks. These are:
1. Enhanced IP Address Management (IPAM)
2. Dynamic Service Selection
3. Traffic Awareness and Routing Policy Enforcement
4. DNS Automation for Scalability and Control
5. Inherently Secure DNS

We discuss each in turn below.

1. Enhanced IP Address Management (IPAM)

As the number of devices escalates (smartphones, Internet of Things (IoT) etc.) and logical network functions proliferate with NFV, static IP management solutions, manual update processes and unsynchronized spreadsheets are no longer practical.

This massive pool of IoT devices creates a new playing field for attackers. The potential for harm was demonstrated in October 2016 when the Mirai botnet, built from tens of thousands of compromised consumer devices such as IP cameras and home routers, disrupted the DNS provider Dyn in one of the largest DDoS attacks seen to that date; the target was DNS infrastructure itself. Attackers have continued to explore IoT vulnerabilities as part of the ‘weaponization of IoT devices’. Isolating unauthenticated IoT subnets and applying DNS policy to them (for example, resolving only the names a device class legitimately needs and refusing known command-and-control domains) can reduce both the number of devices recruited into such botnets and the harm a recruited device can do. Without better automated address management, network operations costs increase for managing the huge numbers of access devices and troubleshooting takes too long. Configuration errors turn into network failures, customer churn and revenue losses. Tracking and management of these complex, rapidly changing IP networks demand a new approach to IP Address Management (IPAM).
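The quarantine-by-DNS idea above, and the block-or-redirect role described in the Executive Summary, both come down to a client-aware response policy in the resolver. The following Python is an added example written for this edit, not Infoblox or BIND code; the policy names, client subnets, domain names and sinkhole address are constructed for illustration.

```python
"""Client-aware DNS response policy (the mechanism behind 'DNS firewall' and
RPZ-style blocking). Added illustration, not Infoblox or BIND code; the policy
zones, subnets, domains and sinkhole address below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    pattern: str      # matches the name itself and every name beneath it
    action: str       # "nxdomain" | "redirect" | "passthru"
    target: str = ""  # sinkhole address for "redirect"


@dataclass(frozen=True)
class Policy:
    name: str
    clients: str      # CIDR this policy applies to
    rules: Tuple[Rule, ...]
    default: str = "passthru"   # "nxdomain" turns the policy into an allow-list


@dataclass(frozen=True)
class Verdict:
    action: str
    target: str
    policy: str
    rule: Optional[str]


def matches(pattern: str, qname: str) -> bool:
    return qname == pattern or qname.endswith("." + pattern)


def evaluate(policies: List[Policy], client_ip: str, qname: str) -> Verdict:
    """Apply the first policy whose client range contains the client; within it
    the most specific (longest) matching pattern wins, so an explicit passthru
    for one host can override a block on its parent domain."""
    ip = ipaddress.ip_address(client_ip)
    q = qname.lower().rstrip(".")
    for pol in policies:
        if ip not in ipaddress.ip_network(pol.clients, strict=False):
            continue
        best = None
        for r in pol.rules:
            if matches(r.pattern, q) and (best is None or len(r.pattern) > len(best.pattern)):
                best = r
        if best is None:
            return Verdict(pol.default, "", pol.name, None)
        return Verdict(best.action, best.target, pol.name, best.pattern)
    return Verdict("passthru", "", "none", None)


SINKHOLE = "192.0.2.1"  # documentation address standing in for the walled-garden host
POLICIES = [
    # Most specific client range first: the unauthenticated IoT subnet is allow-list only
    Policy("iot-quarantine", "10.20.0.0/16", (
        Rule("update.vendor.example", "passthru"),
        Rule("ntp.example", "passthru"),
    ), default="nxdomain"),
    # Everyone else: block known-bad names, but send users to a page that explains why
    Policy("global-threat-feed", "0.0.0.0/0", (
        Rule("malware.example", "redirect", SINKHOLE),
        Rule("safe.malware.example", "passthru"),
        Rule("cnc.botnet.example", "nxdomain"),
    )),
]


if __name__ == "__main__":
    for client, name in [("10.20.5.1", "cnc.botnet.example"), ("10.20.5.1", "cdn.update.vendor.example"),
                         ("10.30.1.1", "www.malware.example"), ("10.30.1.1", "safe.malware.example")]:
        print(client, name, evaluate(POLICIES, client, name))
```

A rule hit should be logged with the client address and the matched pattern so the SOC can see which subnet is talking to which blocked name. Rewriting an answer for a DNSSEC-signed name breaks validation on validating clients; BIND's response-policy configuration exposes that trade-off explicitly through its `break-dnssec` option.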

Dynamic Host Configuration Protocol (DHCP) is the client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway. To ensure performance new IPAM functionality must be ‘built-in’ and tightly integrated with both DNS and DHCP functions, not just ‘bolted-on’ as it has been in the past. At the same time IPAM must grow to support multiple functions for address allocation, management, and reporting.


These functions include:
§ Web Based Graphical User Interfaces with dashboards, customizable program functions or ‘widgets’, network mapping and IP address space ‘views’ and interfaces for bulk provisioning tools.
§ Role based Administrative Workflows with appropriate permissions for multiple IT functions
§ Network Discovery to find information about connected User Equipment (UE), MAC addresses, NetBIOS names, operating systems and network element status, e.g. ‘time last discovered’, to allow an Administrator to:
  • Add new user devices or network elements to the IPAM Database
  • Resolve conflicts between the IPAM system and actual network state
  • Discover unauthorized devices or elements in the network
  • Reclaim unused IP Addresses
  • Find device and network connectivity information

IPAM is essential in an NFV environment not only to ensure rapid discovery, automate high-volume provisioning and manage the enormous IP address spaces of service providers, but also to correlate critical service specific metadata for rapid problem isolation and correction. For large network operators it is critical that IPAM automatically issues IP addresses across multiple domains and even entire networks. Since NFV depends on the ability to instantaneously issue, reclaim and track valid resources, DNS must track individual IP addresses as well as IP network blocks.
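The discovery and reconciliation tasks listed above (adding new devices, resolving conflicts between the database and the wire, finding unauthorized devices, reclaiming unused addresses) can be expressed as one pass over an IPAM inventory and a discovery result set. This Python is an added example, not Infoblox code; the IPAM records, discovery results, MAC allow-list and managed address block are constructed for illustration.

```python
"""Reconciling an IPAM database with network discovery results.

Added illustration, not Infoblox code. The IPAM records and discovery results
below are constructed; a real run would take them from the IPAM API and from
ARP/NDP tables, SNMP or ping sweeps.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple


@dataclass
class IpamRecord:
    ip: str
    mac: str
    hostname: str
    last_seen: datetime


@dataclass(frozen=True)
class Discovered:
    ip: str
    mac: str
    seen: datetime


@dataclass
class Reconciliation:
    new: List[Discovered] = field(default_factory=list)            # on the wire, not in IPAM
    conflicts: List[Tuple[IpamRecord, Discovered]] = field(default_factory=list)  # same IP, other MAC
    unauthorized: List[Discovered] = field(default_factory=list)   # MAC not on the allow-list
    reclaimable: List[IpamRecord] = field(default_factory=list)    # unseen for longer than 'idle'
    outside_scope: List[Discovered] = field(default_factory=list)  # address in no managed block


def norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def reconcile(ipam: List[IpamRecord], discovered: List[Discovered], authorized: Set[str],
              managed: List[str], now: datetime, idle: timedelta = timedelta(days=30)) -> Reconciliation:
    blocks = [ipaddress.ip_network(b) for b in managed]
    by_ip = {ipaddress.ip_address(r.ip): r for r in ipam}
    allowed = {norm_mac(m) for m in authorized}
    seen = set()
    out = Reconciliation()
    for d in discovered:
        ip = ipaddress.ip_address(d.ip)
        seen.add(ip)
        if not any(ip in b for b in blocks):
            out.outside_scope.append(d)      # e.g. a rogue DHCP server handing out its own range
        if norm_mac(d.mac) not in allowed:
            out.unauthorized.append(d)       # a signal only: MAC addresses are trivially spoofed
        rec = by_ip.get(ip)
        if rec is None:
            out.new.append(d)
        elif norm_mac(rec.mac) != norm_mac(d.mac):
            out.conflicts.append((rec, d))   # database and wire disagree: surface it, never overwrite
        else:
            rec.last_seen = max(rec.last_seen, d.seen)
    for ip, rec in by_ip.items():
        if ip not in seen and now - rec.last_seen > idle:
            out.reclaimable.append(rec)
    return out


# Constructed sample: three IPAM records, four discovered hosts, one managed block.
NOW = datetime(2019, 8, 15, 12, 0)
IPAM = [
    IpamRecord("10.10.1.10", "02:00:00:00:00:0a", "sgw1-oam", NOW - timedelta(days=1)),
    IpamRecord("10.10.1.11", "02:00:00:00:00:0b", "pgw1-oam", NOW - timedelta(days=2)),
    IpamRecord("10.10.1.50", "02:00:00:00:00:50", "old-probe", NOW - timedelta(days=90)),
]
DISCOVERED = [
    Discovered("10.10.1.10", "02-00-00-00-00-0A", NOW),   # matches, MAC written in another notation
    Discovered("10.10.1.11", "02:00:00:00:00:ee", NOW),   # IP now answered by an unknown MAC
    Discovered("10.10.1.12", "02:00:00:00:00:0c", NOW),   # authorized device never registered
    Discovered("192.168.7.3", "02:00:00:00:00:0d", NOW),  # outside every managed block
]
AUTHORIZED = {"02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c", "02:00:00:00:00:0d"}
MANAGED = ["10.10.0.0/16"]


def example() -> Reconciliation:
    return reconcile(IPAM, DISCOVERED, AUTHORIZED, MANAGED, NOW)


if __name__ == "__main__":
    print(example())
```

Two points a practitioner would add: the MAC allow-list is a signal rather than authentication, and conflicts must be surfaced for review rather than auto-resolved, because silently updating the database is exactly how a rogue host inherits a trusted address and the DNS name that goes with it.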

2. Dynamic Service Selection

Mobile subscribers demand fast, always available, highly secure network communications. To achieve this, Mobile Network Operators’ (MNOs’) service selection functions must not only support use cases defined by 3GPP with carrier-grade performance, but also guarantee availability and a superior subscriber experience. The Infoblox solution therefore dynamically monitors element status and supports almost instantaneous assignments in microseconds (µs) to truly available nodes. As operators deploy ‘5G ready’ microservices and containers such high performance service selection becomes critical.

In addition, Infoblox and Google have been instrumental in the creation of CoreDNS as the default mechanism for DNS-based service discovery in Kubernetes. As of December 2018 (Kubernetes 1.13) CoreDNS is the default DNS server for Kubernetes container discovery.

When a mobile subscriber device either initiates a request to the network or moves to a different cell coverage area, the mobile network must discover and select the appropriate network gateways to maintain Internet access for the user. DNS is the mechanism that handles the selection of the Packet Data Network Gateway (PGW), Serving Gateway (SGW), Mobility Management Entity (MME) or Serving GPRS Support Node (SGSN) in 3G and 4G networks to ensure that mobile users remain connected.

When the UE submits a service request via the eNodeB, the MME sends a DNS query (a NAPTR lookup of the Tracking Area FQDN, in the form defined by 3GPP TS 23.003 and TS 29.303) to the operator’s authoritative DNS server for a list of available gateways. The MME selects an available gateway to serve the UE, usually based on network topology and the location of resources in the network. The discovery and selection process supports a variety of intra-operator and roaming use cases as users move between cells.
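The selection procedure described above, as an added example in Python that is not Infoblox or 3GPP code: it builds the Tracking Area and APN FQDNs in the form defined in 3GPP TS 23.003, reads a constructed NAPTR record set using the service-tag convention of TS 29.303, and chooses an SGW and then the PGW closest to it. The ordering policy (topological closeness first, then NAPTR order, then preference) is a simplification of the ‘topon’ procedure in TS 29.303; SRV-flagged records are left out, and the PLMN and node names are test values.

```python
"""DNS-based SGW/PGW selection in a 4G EPC, modelled on 3GPP TS 23.003 / TS 29.303.

Added illustration, not Infoblox or 3GPP code. The NAPTR record set in ZONE is
constructed; a real MME obtains it from the operator's internal DNS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str        # "a": replacement is a host name with A/AAAA records; "s": an SRV name
    service: str      # 3GPP form "x-3gpp-<app>:<proto>+<proto>", e.g. "x-3gpp-pgw:x-s5-gtp+x-s8-gtp"
    replacement: str


def tai_fqdn(mcc: str, mnc: str, tac: int) -> str:
    """Tracking Area FQDN: TAC split into low/high byte labels, MNC zero-padded to 3 digits."""
    if not 0 <= tac <= 0xFFFF:
        raise ValueError("TAC is a 16-bit value")
    return (f"tac-lb{tac & 0xFF:02x}.tac-hb{tac >> 8:02x}.tac.epc."
            f"mnc{int(mnc):03d}.mcc{int(mcc):03d}.3gppnetwork.org")


def apn_fqdn(apn_ni: str, mcc: str, mnc: str) -> str:
    """APN FQDN used to find the PGWs that serve an access point name."""
    return f"{apn_ni}.apn.epc.mnc{int(mnc):03d}.mcc{int(mcc):03d}.3gppnetwork.org"


def canonical_node_name(host: str) -> Optional[str]:
    """Strip the 'topon.<interface>.' prefix that carries topology information.
    'topoff.' or an unprefixed name yields None: nothing is known about its location."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) > 2 and labels[0] == "topon":
        return ".".join(labels[2:])
    return None


def closeness(a: Optional[str], b: Optional[str]) -> int:
    """Number of trailing labels two canonical node names share; more means closer."""
    if a is None or b is None:
        return 0
    la, lb = a.split("."), b.split(".")
    n = 0
    while n < min(len(la), len(lb)) and la[-1 - n] == lb[-1 - n]:
        n += 1
    return n


def supports(rec: Naptr, app: str, proto: str) -> bool:
    svc_app, _, protos = rec.service.partition(":")
    return svc_app == app and proto in protos.split("+")


def select_gateways(rrset: List[Naptr], app: str, proto: str,
                    near: Optional[str] = None) -> List[str]:
    """Candidates offering the wanted service, best first: closest to 'near' (if given),
    then lowest order, then lowest preference (RFC 3403 ordering)."""
    cands = [r for r in rrset if r.flags.lower() == "a" and supports(r, app, proto)]
    cands.sort(key=lambda r: (-closeness(canonical_node_name(r.replacement), near),
                              r.order, r.preference))
    return [r.replacement for r in cands]


MCC, MNC = "001", "01"  # test PLMN; the zone below is constructed for this example
NODE = f"node.epc.mnc{int(MNC):03d}.mcc{MCC}.3gppnetwork.org"
ZONE: Dict[str, List[Naptr]] = {
    tai_fqdn(MCC, MNC, 0x1234): [
        Naptr(10, 10, "a", "x-3gpp-sgw:x-s11+x-s5-gtp", f"topon.s11.sgw1.west.{NODE}"),
        Naptr(10, 20, "a", "x-3gpp-sgw:x-s11+x-s5-gtp", f"topon.s11.sgw2.east.{NODE}"),
    ],
    apn_fqdn("internet", MCC, MNC): [
        Naptr(10, 10, "a", "x-3gpp-pgw:x-s5-gtp+x-s8-gtp", f"topon.s5.pgw1.east.{NODE}"),
        Naptr(10, 20, "a", "x-3gpp-pgw:x-s5-gtp+x-s8-gtp", f"topon.s5.pgw2.west.{NODE}"),
        Naptr(20, 10, "a", "x-3gpp-pgw:x-s2b-gtp", f"topon.s2b.pgw3.west.{NODE}"),
    ],
}


def attach(tac: int, apn_ni: str, zone: Dict[str, List[Naptr]] = ZONE):
    """MME side of an attach: pick an SGW for the UE's tracking area, then the PGW
    for the APN that is topologically closest to that SGW (co-located wins)."""
    sgws = select_gateways(zone.get(tai_fqdn(MCC, MNC, tac), []), "x-3gpp-sgw", "x-s11")
    if not sgws:
        raise LookupError("no SGW serves this tracking area")
    pgws = select_gateways(zone.get(apn_fqdn(apn_ni, MCC, MNC), []), "x-3gpp-pgw",
                           "x-s5-gtp", near=canonical_node_name(sgws[0]))
    if not pgws:
        raise LookupError("no PGW serves this APN")
    return sgws[0], pgws[0]


if __name__ == "__main__":
    print(attach(0x1234, "internet"))
```

Note what the topology step changes: by order and preference alone pgw1 would win, but pgw2 shares the ‘west’ site with the chosen SGW and is selected instead. Because the MME trusts these answers to place user traffic, the authoritative servers for the operator’s 3gppnetwork.org zones must be reachable only from the core (and, for roaming, over the inter-operator GRX/IPX DNS), and their zone data deserves the same change control as routing configuration.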


Chart C. DNS Plays a critical Role in 5G and 4G Gateway selection

Source: Infoblox

Fast, dynamic connections to available PGWs and SGWs in the resource pool and to all Evolved Packet Core (EPC) or virtual EPC (vEPC) elements, especially the MME, are at the heart of high performance mobile networking. DNS is a critical element in delivering that performance for Mobile Broadband Internet access, and virtualizing the required DNS functions allows operators to scale that performance instantly across their entire networks. Three critical trends are making the role of DNS in Service Selection even more critical.

Virtualization of the RAN

First, as the Radio Access Network (RAN) is virtualized with Cloud RAN (CRAN) or virtual RAN (vRAN), HetNets, smaller cells and on-demand Carrier Aggregation (CA) across multiple radio channels, the role of DNS Service Selection is moving to the edge to meet the requirement for very low latency, almost instantaneous response.

Fixed Mobile Convergence

Second, as more and more user devices (UEs) switch seamlessly between Mobile Broadband and Wi-Fi access via fixed Broadband, operators are beginning to create ‘transport independent’ access that leverages NFV/SDN. Several SDN leaders, AT&T and Telefonica among them, are already merging transport networks for fixed home Broadband, Mobile Backhaul and soon even ‘Fronthaul’ from the base station to the antenna site. Within a couple of years, as 3GPP 5G Release 16 is deployed, Wi-Fi offload and ‘local breakout’ to the nearest fixed broadband connection will become routine. Dynamically linking to the right gateway in microseconds is key.

As mobility grows and bandwidth expands with 5G, user service requests will need ever faster access to new VNF instances, 5G Service Functions (SFs) and associated packet core elements. DNS Service Selection and Authentication with processing located close to the mobile core will play a strategic role in connecting diverse virtualized access networks to the right Internet gateways and resources in real time.

5G Evolution to Service Based Architecture

In 5G Stage 2, as Service Based Architecture (SBA) is implemented, the Service Selection function will evolve to include a new Network Repository Function (NRF) for service selection and a new Network Slice Selection Function (NSSF) for slicing. These new functions, and the PKI that underpins the new SBA HTTP/2 communications for the message bus, are dependent on a fully automated DNS architecture. Existing Infoblox 4G NFV DNS deployments meet these requirements and can be quickly scaled for 5G use.

3. Traffic Awareness and Routing Policy Enforcement

Traditional traffic load management today is often performed by dedicated standalone solutions that are inserted into the traffic flow at key points in the network. In addition to being expensive, these platforms fit poorly into an NFV architecture where the Control Plane can dynamically assign and reassign any service flow to any physical resource across the network. NFV Management and Network Orchestration (MANO) deals only with the Virtualised Infrastructure Manager (VIM), and only the Hypervisor knows what physical resources are actually assigned. So there is no ability, within the original ETSI standard, for Network Operations personnel to associate in real time application requests for Virtual Network Functions (VNFs) directly with the activity on Physical Network Functions (PNFs) and real network compute and storage resources.

DNS is uniquely positioned as part of the control plane to monitor the automatic flow of network traffic in a virtualized environment. DNS simultaneously observes in real time both the application service requests for domain names and the associated ‘hits’ on the network IP addresses. DNS also already automatically monitors network node status today for other functions, e.g. to instantly provide the MME with a selection list of available healthy nodes in a geographic area.

In the NFV environment one key missing capability that an advanced DNS system can offer is non-interruptive capture of both application/domain name and node/IP address traffic statistics. These can be used not only for DDoS detection but as inputs for instantaneous load balancing, redirection and traffic optimization.

Just like route optimization at Layer 3 of the OSI network stack, DNS can support web traffic routing. Service aware load balancing can even be achieved as part of the DNS solution so that Internet traffic is routed to the most available web resource for each application. By combining DNS statistics with policy parameters and routing logic at Layer 3, decisions as to which resources should be used to route traffic are taken instantaneously. For example, when Network Operations Center (NOC) personnel sense congestion or see that certain network assets or data centers are receiving excessively large numbers of requests, they can set policies that use the DNS layer to reroute web traffic to more available resources. They can also modify traffic patterns to comply with certain rules such as data residency or other types of regulatory requirements.

DNS has the potential to become far more than a mechanism for mapping IP addresses and domains; it can now add functionality to capture NFV information for VM assignment and intelligent routing as it simultaneously captures statistics on both virtual (application layer) and physical (network layer) activity.
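The traffic statistics discussed in this section, and the RAN-facing DDoS and DNS reflection/amplification use case listed in the Executive Summary, both start from the same per-query records. The following Python is an added example, not Infoblox code; the record format (timestamp, client, qname, qtype, rcode, query and response sizes) and the traffic sample are constructed, and the thresholds are illustrative.

```python
"""Per-source and per-zone DNS traffic statistics for DDoS detection.

Added illustration, not Infoblox code. The log format and the sample traffic
are constructed: one record per query with timestamp, client, qname, qtype,
response code and query/response sizes in bytes, which is what a resolver's
query log or a dnstap feed can supply.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Query:
    ts: float
    src: str
    qname: str
    qtype: str
    rcode: str
    qlen: int
    rlen: int


@dataclass(frozen=True)
class Finding:
    kind: str       # "reflection" | "flood" | "random-subdomain"
    subject: str    # client address or zone
    detail: str


def parse(line: str) -> Query:
    ts, src, qname, qtype, rcode, qlen, rlen = line.split()
    return Query(float(ts), src, qname.lower().rstrip("."), qtype.upper(),
                 rcode.upper(), int(qlen), int(rlen))


def zone_of(qname: str, labels: int = 2) -> str:
    """Crude registrable-domain guess; production code would use a public suffix list."""
    return ".".join(qname.split(".")[-labels:])


def analyze(queries: List[Query], qps_limit: float = 50.0, amp_limit: float = 10.0,
            nx_ratio: float = 0.8, min_n: int = 20) -> List[Finding]:
    per_src, per_zone = defaultdict(list), defaultdict(list)
    for q in sorted(queries, key=lambda q: q.ts):
        per_src[q.src].append(q)
        per_zone[zone_of(q.qname)].append(q)
    findings = []
    for src, qs in per_src.items():
        if len(qs) < min_n:
            continue
        qps = len(qs) / max(qs[-1].ts - qs[0].ts, 1.0)
        amp = sum(q.rlen for q in qs) / max(sum(q.qlen for q in qs), 1)
        if qps >= qps_limit and amp >= amp_limit:
            # The 'source' is almost certainly a spoofed victim: apply response rate
            # limiting and refuse ANY/oversized answers; do not blocklist the address.
            findings.append(Finding("reflection", src, f"{qps:.0f} qps, {amp:.1f}x amplification"))
        elif qps >= qps_limit:
            findings.append(Finding("flood", src, f"{qps:.0f} qps"))
    for zone, qs in per_zone.items():
        if len(qs) < min_n:
            continue
        nx = sum(q.rcode == "NXDOMAIN" for q in qs) / len(qs)
        uniq = len({q.qname for q in qs}) / len(qs)
        if nx >= nx_ratio and uniq >= 0.9:
            # Random-subdomain ('water torture') attack: the recursor is being used to
            # flood the zone's authoritative servers; cap outstanding queries per zone.
            findings.append(Finding("random-subdomain", zone,
                                    f"{nx:.0%} NXDOMAIN over {len(qs)} distinct names"))
    return findings


def sample_log() -> List[str]:
    """Constructed traffic: a reflection burst, a random-subdomain flood, benign noise."""
    lines = [f"{i * 0.01:.2f} 198.51.100.9 example.org ANY NOERROR 60 3000" for i in range(60)]
    lines += [f"{100 + i * 0.05:.2f} 10.0.0.{i % 10} {i:08x}.victim.example A NXDOMAIN 70 120"
              for i in range(40)]
    lines += [f"{200 + i * 2.4:.2f} 192.0.2.10 www.example.net A NOERROR 50 90" for i in range(25)]
    return lines


def run() -> List[Finding]:
    return analyze([parse(line) for line in sample_log()])


if __name__ == "__main__":
    for f in run():
        print(f)
```

The response to each finding is deliberately different. In a reflection attack the ‘source’ is the spoofed victim, so blocklisting it completes the attacker’s job; the right controls are response rate limiting and refusing amplification-friendly queries such as ANY, with BCP 38 ingress filtering at the network edge. A random-subdomain flood is mitigated by capping outstanding recursion per zone. The thresholds need tuning against the operator’s own baseline before they drive any automated action.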

4. DNS Automation for Scalability and Control

In a Virtualized Network, DNS automation is not only desirable, it becomes essential. Virtual Machine (VM) and containerized microservice instances that inhabit and enable the ecosystem must be able to grow on demand from thousands to millions and even billions. NFV inherently introduces a level of complexity that only automation can solve and which DNS must instantly scale to support. Automation of virtual DNS scalability and IP Address Management are now pre-requisites for NFV deployment.

Automating Virtualized DNS Scalability

While the core DNS address look-up functionality can be virtualized, distributed and scaled elastically, the DNS server architecture itself, the allocation of DNS server domains, maintenance and the synchronization of updates are not easy to virtualize. Legacy DNS infrastructure often depends on manual processes that do not scale cost effectively to support the magnitude of NFV networks since the operations costs increase directly with volume. To scale without an enormous increase in OPEX two key capabilities are required:

• Management of DNS on a network wide basis
• Automation of DNS configuration and network operations tasks.

Example: How Network-wide management and Orchestration delivers DNS scalability

Infoblox Grid™ architecture exemplifies how automatic configuration, performance monitoring, load balancing and software updates across an entire network of DNS servers, multiple data centers and regional PoPs create a truly scalable DNS infrastructure. Managed from a centralized Infoblox Grid master, the architecture allows operators to implement DNS as an elastic, on-demand service in their environment as opposed to dispersed functionality deployed across disparate, unconnected servers. The table below shows the difference in labor cost between a manual process whose costs scale linearly and an automated process that applies a solution across a network of any size and scope.

Table 1. Labor Cost Savings Analysis for Integrated Automation

                     BIND Example          Infoblox Grid
Updates Per Month    Single Update         1 to N Updates
Hours Required       3.5 Hrs Per Server    3.5 Hrs
Cost Per Hour        $85                   $85
Cost Per Server      $297.50               Falls as No. Increases
No. Servers          120                   N
Total                $35,700.00            $297.50 At Scale

Source: Infoblox

Now with the addition of virtualized DNS appliances, the Grid architecture must take on even more resilience and elasticity. In situations where an operator might detect high volumes of DNS traffic, possibly due to sudden bursts in traffic demand, or a DDoS attack, the platform automatically spins up new virtualized DNS instances to absorb the influx of requests. Similarly, it deploys DNS servers on the fly - first to balance loads across global DNS zones, and then to eliminate references to unneeded VM instances and free up their underlying compute resources as conditions return to normal or baseline levels.

Chart D. Infoblox Grid architecture for Elastic DNS Scalability

Source: Infoblox


Automated IP Address Management (IPAM) is essential to ensure that the Service Provider NOC can control and reuse huge IP Address Spaces. IPAM capabilities that must be automated include:

§ Next Available IP and Next Available Network to avoid duplicate assignment of IP addresses and networks
§ Data Consistency Checking to prevent entry of invalid data
§ Shared Record Groups to simplify and expedite the administration of resource records
§ Templates for Name Server Groups, Network DHCP configurations, Ranges and Fixed Addresses

Operators need to adopt high levels of automation to achieve the full NFV benefits of dynamic scaling of both VM and VNF instances and to manage the highly dynamic IP address space. As important as the ability to scale up new instances is the creation of an audit trail for troubleshooting that tracks which VM is operating on which compute server and the IP address of the physical resource when problems occur. Automation is essential not only to achieve true economies of resource utilization from NFV, but also to maintain network integrity, synchronize software resource allocation and ensure system consistency and recoverability. NOC operations people are taught to avoid risks to the network at all costs. Robust tools that make NFV as safe, transparent and statistically reliable as the legacy CSP network are a prerequisite for successful NFV deployment.
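To make the first two IPAM items and the audit trail concrete, the following Python is an added illustration written for this text, not Infoblox IPAM code. It implements ‘next available IP’ and ‘next available network’ with duplicate and consistency checks, and records which VM was given which address on which compute host so that the allocation history can be queried during troubleshooting. The address ranges, VM identifiers and host names are constructed for the example.

```python
# Added example (not Infoblox IPAM code): a minimal allocator showing 'next
# available IP', 'next available network', consistency checks and an audit trail.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuditRecord:
    ip: str
    vm_id: str
    compute_host: str  # physical server the VM was scheduled on
    action: str        # "allocate" or "release"


@dataclass
class Ipam:
    network: ipaddress.IPv4Network
    reserved: Set[str] = field(default_factory=set)         # gateway etc., never handed out
    assigned: Dict[str, str] = field(default_factory=dict)  # ip -> vm_id
    audit: List[AuditRecord] = field(default_factory=list)

    def next_available_ip(self) -> Optional[ipaddress.IPv4Address]:
        # hosts() already skips the network and broadcast addresses
        for host in self.network.hosts():
            key = str(host)
            if key not in self.reserved and key not in self.assigned:
                return host
        return None

    def validate(self, ip: str) -> ipaddress.IPv4Address:
        """Data consistency check for an operator-requested address."""
        addr = ipaddress.IPv4Address(ip)  # raises AddressValueError on malformed input
        if addr not in self.network:
            raise ValueError(f"{ip} is outside {self.network}")
        if addr in (self.network.network_address, self.network.broadcast_address):
            raise ValueError(f"{ip} is the network or broadcast address")
        if str(addr) in self.reserved:
            raise ValueError(f"{ip} is reserved")
        if str(addr) in self.assigned:
            raise ValueError(f"{ip} already assigned to {self.assigned[str(addr)]}")
        return addr

    def allocate(self, vm_id: str, compute_host: str, requested: Optional[str] = None) -> str:
        addr = self.validate(requested) if requested else self.next_available_ip()
        if addr is None:
            raise RuntimeError(f"{self.network} is exhausted")
        self.assigned[str(addr)] = vm_id
        self.audit.append(AuditRecord(str(addr), vm_id, compute_host, "allocate"))
        return str(addr)

    def release(self, ip: str, compute_host: str) -> None:
        vm_id = self.assigned.pop(ip)  # KeyError: releasing an address that was never assigned
        self.audit.append(AuditRecord(ip, vm_id, compute_host, "release"))

    def where_is(self, vm_id: str) -> Optional[Tuple[str, str]]:
        """Troubleshooting lookup: most recent (ip, compute_host) allocated to a VM."""
        for rec in reversed(self.audit):
            if rec.vm_id == vm_id and rec.action == "allocate":
                return rec.ip, rec.compute_host
        return None


def next_available_network(supernet: str, prefixlen: int, in_use: List[str]) -> Optional[str]:
    """First /prefixlen inside supernet that overlaps nothing already in use."""
    used = [ipaddress.ip_network(n) for n in in_use]
    for cand in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


def demo() -> Tuple[str, str, str, Optional[Tuple[str, str]]]:
    """Constructed scenario: a /29 pool with .1 reserved as the gateway."""
    pool = Ipam(ipaddress.ip_network("10.20.0.0/29"), reserved={"10.20.0.1"})
    a = pool.allocate("vm-ingest-01", "compute-07")   # 10.20.0.2
    b = pool.allocate("vm-ingest-02", "compute-07")   # 10.20.0.3
    pool.release(a, "compute-07")
    c = pool.allocate("vm-ingest-03", "compute-09")   # reuses 10.20.0.2
    return a, b, c, pool.where_is("vm-ingest-02")


def duplicate_is_rejected() -> bool:
    """Consistency check: the same address cannot be handed to two VMs."""
    pool = Ipam(ipaddress.ip_network("10.20.0.0/29"))
    pool.allocate("vm-a", "compute-01", requested="10.20.0.2")
    try:
        pool.allocate("vm-b", "compute-02", requested="10.20.0.2")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print(next_available_network("10.30.0.0/22", 24, ["10.30.0.0/24", "10.30.1.128/25"]))
```

The audit list is append-only on purpose: a release does not erase the earlier allocation, so the NOC can still see which compute host held the address at the time a problem was reported.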

5. Virtual Networks demand Inherently Secure DNS

Network Attacks have been escalating

NETSCOUT, which acquired Arbor Networks, continues to report ‘Attack’ statistics from its customers around the world, many of whom are service providers for both cloud and telecoms services. According to the NETSCOUT survey, “95 percent of respondents reported they experienced (either inbound or outbound DDoS) attacks in 2018. That represents a 10 percent increase from 2017, which could speak to an increase in attack frequency, or in service provider visibility and detection capabilities. Inbound DDoS attacks alone were the number one threat, as experienced by 66 percent of the service providers. Attacks on publicly exposed service infrastructure were reported by 38 percent of service providers, while 22 percent experienced large-scale malware outbreaks.” And “Looking ahead, DDoS attacks are the primary concern for 2019, according to 88 percent of the service providers. The continued use of reflection/amplification techniques and the continued exploitation of vulnerable IoT devices have many worried about a greater frequency in high volume attacks. Large-scale malware outbreaks were also found to be a significant concern for 37 percent of the service providers in the coming year.” The number of attacks on the DNS itself is increasing dramatically too. One primary DNS attack mechanism is the Reflection or Amplification attack, which uses open recursive servers (open resolvers) on the Internet to unwittingly participate in attacks. Such attacks use reflection and amplification techniques to spoof the attacker’s identity and increase the magnitude and effectiveness of an attack.

DNS as a software application is the top target of attacks and also the most common protocol used for Reflection amplification attacks. It is critically important that DNS not only be able to detect and respond instantly to block attacks on other services and applications, but also identify and handle attacks on the DNS service itself.


Chart E. 2018 Targets of Application-Layer Attacks % Service Providers reporting each time

Source: NETSCOUT (acquired Arbor Networks) ‘Worldwide Infrastructure Security Report’ No. 14, 2019

Attacks on HTTP have long been a major target. But the percentage of attacks on DNS has been steadily rising over the last few years and, as the chart above shows, DNS attacks are now comparable in frequency to the other two major targets – HTTP and HTTPS.

DNS as a software application and the most common protocol used for Reflection amplification attacks is now one of the top targets of attacks. Cisco notes in a June 2019 article ‘DNS Firewalls Could Prevent Billions in Losses to Cybercrime’ that “more than 91% of malware uses DNS to gain command and control, exfiltrate data, or redirect web traffic.”
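The Cisco figure above is about malware that hides command-and-control and data theft inside ordinary-looking DNS queries. The following Python is an added illustration, not Infoblox or Cisco code, of the kind of streaming check a resolver can run on live query names: it scores the amount and randomness of data carried below each registered domain, flags domains that receive many distinct, long, high-entropy names, and emits Response Policy Zone (RPZ) records that would make a resolver answer NXDOMAIN for them. The thresholds and the sample queries are assumptions constructed for the example; exfil-demo.invalid stands in for a destination that would be seen in real traffic.

```python
# Added example (not Infoblox Threat Insight): heuristic scoring of DNS query names
# for exfiltration-style patterns and generation of RPZ records to block them.
import math
from collections import defaultdict
from typing import Dict, List


def registered_domain(qname: str) -> str:
    """Simplification (no public-suffix list): the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking encoded payloads score close to log2(alphabet)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def query_stats(qname: str) -> Dict[str, float]:
    """Per-query features: how much data is carried below the registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    sub = "".join(labels[:-2])
    return {"sub_len": len(sub), "entropy": shannon_entropy(sub)}


def analyze(queries: List[str], min_unique: int = 10, min_len: int = 30,
            min_entropy: float = 3.5) -> Dict[str, Dict[str, float]]:
    """Aggregate per registered domain; the thresholds are assumed, not tuned, values."""
    per_domain = defaultdict(list)
    seen = defaultdict(set)
    for q in queries:
        dom = registered_domain(q)
        if q.lower() not in seen[dom]:      # count each distinct name once
            seen[dom].add(q.lower())
            per_domain[dom].append(query_stats(q))
    report = {}
    for dom, feats in per_domain.items():
        n = len(feats)
        mean_len = sum(f["sub_len"] for f in feats) / n
        mean_ent = sum(f["entropy"] for f in feats) / n
        report[dom] = {
            "unique_names": n,
            "mean_sub_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            # all three must hold: many distinct names that are long and high-entropy
            "suspicious": n >= min_unique and mean_len >= min_len and mean_ent >= min_entropy,
        }
    return report


def flagged_domains(queries: List[str]) -> List[str]:
    return sorted(d for d, r in analyze(queries).items() if r["suspicious"])


def rpz_records(domains: List[str]) -> List[str]:
    """RPZ policy records: CNAME to '.' makes the resolver return NXDOMAIN for the
    domain and, via the wildcard, everything beneath it."""
    out = []
    for d in domains:
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return out


# Constructed sample traffic (not captured data). Each suspicious name carries
# 32 hex characters in its leftmost label; the CDN names show that a large number
# of distinct subdomains is not, by itself, enough to trigger a block.
HEX32 = "0123456789abcdef0123456789abcdef"
SAMPLE_QUERIES = (
    ["www.example.com"] * 5 + ["mail.example.com", "api.example.com"]
    + [f"img{i}.cdn.example.org" for i in range(12)]
    + [f"{HEX32[i:]}{HEX32[:i]}.c{i}.exfil-demo.invalid" for i in range(12)]
)

if __name__ == "__main__":
    for line in rpz_records(flagged_domains(SAMPLE_QUERIES)):
        print(line)
```

Requiring all three conditions together is the point of the example: content delivery networks and cloud services legitimately generate thousands of distinct subdomains, so a count-only rule would put them on the blacklist and break subscriber traffic.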

It is therefore critically important that DNS not only be able to detect and respond instantly to block attacks on other services and applications, but also identify and handle attacks on the DNS service itself. For example, to prevent DNS itself from being used as a pathway for ‘data exfiltration’, i.e. theft or relay of confidential data, Infoblox has developed Threat Insight, a solution that uses machine learning and real-time streaming analytics on live DNS queries to automatically detect and block communications to destinations associated with data exfiltration attempts. Threat Insight then instantly adds these destinations to a blacklist for RPZ-based mitigation.

NFV creates new DNS Security Requirements

Virtualization creates new security requirements. Operators now require DNS platforms to provide security mechanisms for the network to maintain the security of the DNS platform itself. Security must therefore be inherent in the architecture of a DNS platform. In an NFV environment, DNS performs a critical function to isolate both users from network threats and the network from user application based threats.

NFV is a ‘double edged sword’

By making addresses ‘logical’ for VMs and VNF instances, user service requests no longer deal directly with physical network elements and can no longer see their IP Addresses. Only the Hypervisor directly assigns the physical resources. Unfortunately, the new layer of abstraction creates new opportunities for attacks. For example, ‘Phantom VM requests’ can now be created to allocate multiple un-needed VM instances across an entire network or even to deliver a DDoS attack on the Hypervisor itself. A well architected DNS platform is notified by security applications of an originating threat source and uses that information to instantaneously block the source or redirect traffic from the source to thwart such ‘out of control’ virtual network attacks. As the virtualized infrastructure provisions VMs, the DNS platform should analyze their IP addresses, and monitor all traffic to detect suspicious behavior on the VMs in real-time. DNS can then quarantine illicit VM query traffic to mitigate any attack. NFV automation is also essential to immediately reduce the risk that configuration issues lead to security and performance problems. The addition of DNS network discovery and automation tools in an NFV environment will ensure that network functions are properly configured and working within their authorized boundaries.

When correctly architected from the ground up a virtualized DNS can therefore:

• Provide security mechanisms to protect key virtual network service and control functions
• Provide DDoS protection for Critical NFV control plane functions including the Hypervisor and Network Orchestrator
• Not allow the DNS VNF itself to be easily hacked and become part of a virtual network attack
• Not allow NFV to exacerbate vulnerabilities of the network

In an article on ‘How Virtualization Can Bolster Service Provider Security’ Dilip Pillaipakam, Infoblox Vice President and GM of Service Provider Business noted that with inputs from DNS “in the event of an attack, an NFV-based network can be architected to add more capacity on demand in response to the attack. This can help ensure that networks are not over-provisioned for attacks, thus helping reduce both Capex and Opex while also providing the flexibility to grow on demand”…In addition DNS “can help providers automate the allocation/de-allocation of IP addresses and DNS host names, cutting down the manual processes for IPAM most providers still rely on. In turn, this boosts efficiencies and lowers costs -- all key benefits of the new NFV paradigm as providers transition from legacy non-dynamic deployments to virtualized ones.”


III. Infoblox Virtualizes DNS to Capture Benefits of NFV

Infoblox lowers CAPEX and OPEX for NFV while achieving ‘5G Ready’ Performance

As discussed above, CAPEX and OPEX reduction are major drivers for NFV deployment by operators. A robust highly automated DNS infrastructure is critical to avoid linear CAPEX investment escalation and Network Operations Center OPEX cost increases. One virtual DNS solution that delivers scalability of service activity and live resource use capture alongside automation of configuration and monitoring without proportional increases in cost comes from Infoblox.

Below we describe three use cases that exemplify how Infoblox’s scalable virtual Secure DNS lowers costs per GB while adding value for MNOs and Telecom service providers. All use cases include the value added capabilities provided in the Infoblox NIOS software platform - DNS traffic control, Advanced Reporting and Analytics, Grid management and control, and DNS Firewall. The virtual solution from Infoblox delivers these DNS functions as software based VNFs today and eventually as 5G cloud native Service Functions for services that can depend on low latency controls for Ultra Reliable Low Latency Communications (URLLC), massive scalability for massive Machine Type Communications (mMTC) and Content Filtering for secure delivery of consumer enhanced Mobile Broadband (eMBB).

Three Use Cases

A. Secure Software Based DNS for RAN and Core NFV Infrastructure

MNOs face increasing threats to their RAN and core infrastructure including the DNS.

DDoS and DNS Reflection/Amplification Attacks are increasingly likely in two key domains:

1. Gn/Gp/S5/S8 Domain, where the DNS shares the IP based interface between the SGSN and other SGSNs (or MMEs) and either the internal PGWs (S5) or external PGWs (S8), where there is also a firewall and Border Gateway (BGW).

2. Gi/SGi Domain where the DNS, responsible for Service Selection on the Gn as described earlier, can also intercept attacks from the Gi/SGi and provide additional traffic control functions.

Infoblox already offers CSPs an optimized Advanced DNS Protection (ADP) solution on the Infoblox 4030 series appliance that can process millions of DNS queries per second with redundant RAID hard disks, hot-swappable power supplies, and hardware-based DNS attack detection and protection.

Infoblox has also partnered with Nokia to provide a secure DNS solution as part of Nokia’s ecosystem for end-to-end security solutions for mobile networks. The chart below illustrates the threat vectors in each security domain in the mobile network and highlights where DDoS, amplification and reflection attacks can be generated at the DNS and the Gi interface.

Nokia Networks has now verified Infoblox virtual solution compatibility with its Telco Cloud application solution in the virtualized/cloud environment. Certification testing of the product included tests for compliance with Nokia documentation, other cloud environment requirements and quality criteria, as well as tests for potential defects, failures etc. (See details of Nokia’s ‘Telco Cloud’ solution.)


Chart F. Mobile Operator DNS Security Domains

Source: Infoblox

Attacks on the domains shown in the chart above, if not intercepted, could expose MNOs to DNS Amplification attacks, service outages, degradation of service quality or of internet performance, access to unlawful internet content, harm to customers, loss of customer privacy, loss of revenue and fraud.

The ability to integrate real time statistics and reporting with network-wide management can mitigate many of the limitations of the incomplete NOC solutions for NFV today.

B. Use Case ‘Elastic Scalability for DNS in NFV Environments’

The advent of IPv6, globalization of voice and the proliferation of data services as well as millions of IoT applications in the ‘Telco Cloud’ will dramatically increase network complexity; and these services all demand massively increased DNS scalability in an NFV environment. In the CSP network, virtualization requires far more than data center platform replication. To become virtual the DNS architecture must be able to exploit NFV across a global distributed network and scale geographically across domains, zones and networks.

In Chart D shown previously, DNS runs as a Cloud Service platform not only to monitor traffic loads and to notify the network Orchestrator when new VMs are needed, but also to protect the DNS itself against ‘Phantom Domain’ and Reflection or other DoS/DDoS attacks. This architecture is key to DNS ‘elastic scalability’. Infoblox virtual Secure DNS Solution meets the requirements for DNS scalability in the NFV environment described above. It provides the instant scalability that is required for NFV - both locally and geographically - across an operator’s entire network to support instant traffic surges. Such ‘Elastic Scalability’ enables automatic instantiation of additional secure DNS Virtual Machines (VMs) upon detection of an overload condition or a sudden spike in DNS traffic.

Equally as important, it makes the DNS itself less vulnerable to any DDoS attack since DNS instances can scale up to absorb attacks for the minutes that it may take to isolate and block a threat. The DNS platform runs on Commercial off the Shelf (COTS) Intel x86-64 hardware and extends native OpenStack functionality (Heat, Ceilometer) to support ‘Elastic Scaling’ for the built-in KVM/libvirtd Hypervisor. The Infoblox DNS VNF also supports enhanced Response Policy Zone (RPZ) security and extends anti-malware and anti-tunneling capabilities to the NFV environment through intelligent threat feeds and analytics.
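The scaling behaviour described in this use case (spin up instances on a traffic surge, absorb an attack for the minutes needed to block it, then free the instances as load returns to baseline) comes down to a small control loop. The following Python is an added illustration of that loop, not Infoblox or OpenStack Heat code: it decides a target instance count from the aggregate query rate, scales out immediately, scales in only after a cooldown, and reports when the pool has hit its ceiling, which is the signal that capacity alone cannot absorb the traffic and mitigation must take over. The per-instance capacity, ratios and the load profile are assumed values constructed for the example.

```python
# Added example (not Infoblox or OpenStack Heat code): a scale-out/scale-in decision
# for a pool of virtual DNS instances, driven by aggregate query rate.
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ScalingPolicy:
    qps_per_instance: float = 50_000.0  # assumed capacity of one vDNS instance
    scale_out_ratio: float = 0.8        # scale out above 80% of pool capacity
    scale_in_ratio: float = 0.3         # scale in below 30% of pool capacity
    min_instances: int = 2
    max_instances: int = 20             # ceiling: a flood must not consume the whole cloud
    cooldown_s: float = 300.0           # no scale-in this soon after the last change


@dataclass
class PoolState:
    instances: int
    last_change_ts: float


def desired_instances(policy: ScalingPolicy, state: PoolState, total_qps: float, now: float) -> int:
    """Return the instance count the orchestrator should converge to."""
    load = total_qps / (state.instances * policy.qps_per_instance)
    # instances needed so that the pool runs at or below the scale-out ratio
    needed = math.ceil(total_qps / (policy.qps_per_instance * policy.scale_out_ratio))
    needed = max(policy.min_instances, min(needed, policy.max_instances))
    if load > policy.scale_out_ratio:
        return max(state.instances, needed)          # scale out immediately
    if load < policy.scale_in_ratio and now - state.last_change_ts >= policy.cooldown_s:
        return min(state.instances, needed)          # scale in only after the cooldown
    return state.instances


def simulate(samples: List[Tuple[float, float]], policy: ScalingPolicy = ScalingPolicy()) -> Dict:
    """Run the decision over (timestamp, total_qps) samples; report whether the ceiling was hit."""
    state = PoolState(instances=policy.min_instances, last_change_ts=samples[0][0])
    history, ceiling_hit = [], False
    for ts, qps in samples:
        target = desired_instances(policy, state, qps, ts)
        if target != state.instances:
            state = PoolState(target, ts)
        if target == policy.max_instances and qps > policy.max_instances * policy.qps_per_instance:
            ceiling_hit = True  # more capacity is not available: blocking has to do the rest
        history.append(target)
    return {"history": history, "ceiling_hit": ceiling_hit}


# Constructed load profile: baseline, a sudden flood, then a return to baseline.
SAMPLES = [(0.0, 60_000.0), (60.0, 1_500_000.0), (120.0, 1_500_000.0),
           (180.0, 60_000.0), (500.0, 60_000.0)]

if __name__ == "__main__":
    print(simulate(SAMPLES))
```

The asymmetry is deliberate: scaling out is instant because the cost of a missed surge is dropped resolutions, while scaling in waits out a cooldown so that a brief lull during an attack does not tear down capacity that is about to be needed again.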

C. Use Case ‘Cloud Network Automation’. Secure Scalable Cloud for Telco Services

Communications Service Providers (CSPs) including MNOs are anxious to deliver new services from the new NFV/SDN enabled ‘Telco Cloud’. Anchor NFV enterprise services like AT&T’s ‘Network on Demand’ require not only initial configuration and instantiation of bandwidth, VPNs, virtual firewalls etc. but also intelligent tools to ensure instant service activation and Service Level Agreement (SLA) monitoring that can operate seamlessly across fixed or mobile access networks.

Cloud Network Automation

The Infoblox solution also provides Cloud Network Automation for these service provider NFV and SDN environments. Cloud Automation facilitates rapid IP provisioning for any VM. The solution manages the full lifecycle of IP address management with DNS resource records, and associated metadata. The Infoblox solution integrates with the NFV Orchestrator using RESTful APIs or various supported plugins - OpenStack, Microsoft and VMware™ - to allow real time assignment of IP addresses and seamless setup of DNS in a fully automated manner.

Chart G. Cloud Network Automation

Source: Infoblox

Infoblox delivers Strong DNS Protection for CSPs in an NFV environment

Infoblox has a growing portfolio of capabilities that deliver strong DNS protection for CSPs as they move to NFV. The unique ability to integrate real time statistics and reporting with network-wide management can help overcome the limitations of the incomplete NOC solutions for NFV today.

Infoblox DNS provides intelligent detection and mitigation of DoS and DDoS attacks to protect service quality and availability for mobile subscribers based on:

• Built-in intelligent attack protection that keeps track of source IP addresses for all DNS requests, as well as the DNS records requested.
• Identification of excessive DNS requests from the same IP address for reporting and threat analysis
• Mechanism to intelligently block problem addresses or drop requests, to save resources to respond to legitimate requests.
• Dedicated network packet inspection hardware and automated threat intelligence rules that stop protocol-based attacks such as DNS Amplification, Reflection, and Cache Poisoning.
• Ongoing Monitoring of any DNS-based vulnerabilities to ensure that the solution provides the best available protection.

These Use Cases show how Infoblox virtual Secure DNS supports resource scaling for NFV with better CAPEX utilization, service agility and lower OPEX as well as additional benefits for NFV operators through:

• Continuous protection against evolving threats
• Automated application of updated security policies
• Reduced administrative costs for maintaining large quantities of legacy BIND servers
• Scalable detailed Real Time DNS statistics for the NOC (and potentially the Enterprise IT Managed Service customers)
• Infoblox new platform provides Highly Automated Support for Virtualization
• Open interfaces to enable integration with multiple orchestrators
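The first three protection items above (tracking source addresses and the records they request, spotting excessive requests from one address, and deciding whether to drop or limit) and the reflection/amplification discussion in Section 5 share one underlying mechanism: per-source accounting over the query log. The following Python is an added illustration of that accounting, not Infoblox ADP code. It parses a constructed log format (an assumption, not BIND’s or NIOS’s querylog), computes each source’s peak query rate and response-to-query byte ratio, and checks whether recursion is being requested from outside the prefixes the resolver is meant to serve, which is what turns a resolver into the ‘open resolver’ the report warns about. The prefixes and log lines are constructed from documentation address ranges.

```python
# Added example (not Infoblox ADP code): per-source tracking over a constructed resolver
# query log: excessive query rates, amplification-prone query mixes and recursion
# requested from outside the networks the resolver is meant to serve.
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed: prefixes that are entitled to recursion on this resolver.
ALLOWED_RECURSION = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}  # record types with large answers

# Constructed log format (an assumption, not BIND's or NIOS's querylog):
# <epoch> <client_ip> <qname> <qtype> <rd|nord> <query_bytes> <response_bytes>
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) ([A-Z0-9]+) (rd|nord) (\d+) (\d+)$")


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, qname, qtype, rd, qb, rb = m.groups()
    return {"ts": int(ts), "ip": ip, "qname": qname.lower(), "qtype": qtype,
            "rd": rd == "rd", "qb": int(qb), "rb": int(rb)}


def recursion_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RECURSION)


def peak_rate(ts_list: List[int], window_s: int) -> int:
    """Largest number of queries inside any window_s-second window."""
    ts_list = sorted(ts_list)
    peak, j = 0, 0
    for i, ts in enumerate(ts_list):
        while ts - ts_list[j] > window_s:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def assess(lines: List[str], window_s: int = 60, max_queries: int = 10,
           amp_factor: float = 10.0) -> Dict[str, Dict]:
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_src[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in per_src.items():
        reasons = []
        if any(r["rd"] for r in recs) and not recursion_allowed(ip):
            reasons.append("recursion requested from outside served prefixes: refuse")
        peak = peak_rate([r["ts"] for r in recs], window_s)
        if peak > max_queries:
            reasons.append(f"{peak} queries in {window_s}s exceeds {max_queries}: rate-limit")
        qbytes = sum(r["qb"] for r in recs)
        amp = sum(r["rb"] for r in recs) / qbytes if qbytes else 0.0
        amp_share = sum(r["qtype"] in AMPLIFYING_QTYPES for r in recs) / len(recs)
        if amp >= amp_factor and amp_share >= 0.5:
            # In a reflection attack the source address belongs to the victim, so a
            # permanent block would punish the victim; response rate limiting is the tool.
            reasons.append(f"responses {amp:.0f}x larger than queries: apply RRL, do not blacklist")
        if any(r.startswith("recursion") for r in reasons):
            action = "refuse_recursion"
        elif reasons:
            action = "rate_limit"
        else:
            action = "allow"
        verdicts[ip] = {"action": action, "peak": peak, "amp": round(amp, 1), "reasons": reasons}
    return verdicts


# Constructed sample log (documentation prefixes, not real clients).
SAMPLE_LOG = (
    [f"{1000 + i} 198.51.100.20 example.net ANY rd 45 2900" for i in range(12)]  # burst of ANY queries
    + ["1000 192.0.2.5 www.example.com A rd 40 100",
       "1030 192.0.2.5 mail.example.com A rd 43 110",
       "1055 192.0.2.5 www.example.org AAAA rd 40 120"]                          # ordinary client
    + ["1010 203.0.113.9 www.example.com A rd 40 100",
       "1011 203.0.113.9 www.example.net A rd 40 100"]                           # outside served prefixes
    + ["this line is not in the expected format"]
)

if __name__ == "__main__":
    for ip, v in assess(SAMPLE_LOG).items():
        print(ip, v["action"], v["reasons"])
```

The three verdicts map onto three different responses: refusing recursion to outsiders removes the resolver from the pool an attacker can reflect through, rate limiting protects the service from one noisy client, and the amplification reason is deliberately a limit rather than a blacklist entry because the address it names is probably the victim’s.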

Key Use Case Benefits

Above we have reviewed three strategic Use Cases for virtual secure DNS. Each has its own specific benefits as shown in the table below.

Table 2. Benefits by Use Case

No. 1. Use Case: Secure DNS for RAN and Core Infrastructure
Key Benefits:
• Detects and Mitigates Attacks on the Mobile Access and Core Infrastructure - Gi/SGi-LAN, PGW and SGW
• Reduces Service Outages
• Minimizes Degradation of Service Quality/Internet Performance
• Blocks access to Unlawful Internet Content and malicious domains
• Protects Customers from Harm and Loss of Privacy
• Inhibits DNS Reflection/Amplification Attacks
• Avoids Revenue Loss and Fraud

No. 2. Use Case: ‘Elastic Scalability for DNS in NFV Environments’
Key Benefits:
• Supports DNS scaling needed for traffic surges and heavy loads
• Triggers automatic instantiation of additional secure DNS Virtual Machines (VMs)
• Makes the DNS itself less vulnerable to any DDoS attack by scaling up to absorb attacks.

No. 3. Use Case: ‘Cloud Network Automation’
Key Benefits:
• Simultaneously Updates Protection across the network, as new Threats emerge
• Automates Security Policy updates
• Reduces Administrative costs of maintaining large quantities of legacy BIND servers
• Provides Real Time DNS Statistics for the NOC/Managed Service IT customers
• Supports NFV Scaling


IV. Virtual DNS Creates New Value Added Service Opportunities for Service Providers

In today’s increasingly competitive environment, Communication Service Providers (CSPs) are looking not only to reduce costs but to add increased value and generate additional revenues. DNS offers some opportunities to turn core DNS networking capabilities into enablers for new sources of revenue. Advanced DNS platforms can support new end user services as well as Managed DNS Security ‘as a Service’ and even Secure Cloud Hosting.

DNS enables new End User Value Added Services

DNS servers create an ideal platform for CSPs to experiment with new value-added services. The platform minimizes the start-up cost and the risk of launching an unsuccessful service, but scales cost effectively as a service takes off with a pay-as-you-grow infrastructure. In June 2018 Infoblox launched ‘Subscriber Services’ for telecommunication providers that allowed them to harness their network intelligence to deliver personalized services driven by their DNS data. This approach makes it possible for service providers to offer differentiated and personalized services with a uniform set of service functionality across both wireless and wireline networks. Key Subscriber Services announced were:

• Content Filtering/Parental Control: Provides parents with the ability to block access to certain websites or content categories, putting the control and choice in the hands of the subscriber

• Policy Enforcement: Helps reduce risks and vulnerabilities by providing the ability to select and enforce security policies on a per subscriber basis

• Subscriber Engage: Enables service providers to engage directly with their customers based on their habits and preferences (e.g. the provider can notify customers when they are running out of credit on a data plan and provide them options to upgrade or add additional capacity)

• Subscriber Insight: Provides security analysts with subscriber information in order to augment threat incident data to protect against malware

These services uniquely leverage existing DNS capabilities and the platform provides an agile alternative for differentiated highly personalized services without adding expensive hardware or new components that are complex to use and scale.

Managed Security as a Service for Enterprise

Managed Security Services (MSS) is already an established market of about $10 Billion annually for service providers who deliver remote monitoring and management of IT and network security functions via shared access to a remote Security Operations Center (SOC) that supports network security services outsourced by enterprises and others. Typical services today include management and monitoring of:

• Firewalls including multifunction firewalls
• Unified Threat Management (UTM) technology
• Security Gateways for messaging, Internet and Web traffic
• Security Threat Tracking
• Events collected from IT infrastructure logs, devices and incident reports
• Scans of Network, Servers, Databases or Applications
• Distributed Denial of Service (DDoS) protection
• Customer Security information
• Advanced Threat Updates and Defense options

Service providers who are already key players in the MSS market include AT&T, BT, CenturyLink, NTT, Orange Business Services and Verizon alongside platform vendors who operate remote services based on their own technology such as Dell, HPE, IBM and Symantec. As the DDoS attacks change rapidly, secure DNS will play an ever more important role in this burgeoning market. Providers of MSS should appreciate the value of enhanced DNS capabilities.


Differentiator for Secure Cloud Hosting Service

Service Providers are well positioned to offer the MSS services described above as an add-on differentiator for their standard data center Cloud services such as IaaS or PaaS. For hosting web services it is an advantage to have a secure, advanced DNS platform as close to the origin server or hosted platform as possible.

CSPs and network operators have ventured into cloud service provisioning to compete directly with providers such as Amazon (AWS), Google and Microsoft (Azure) with mixed success for ‘vanilla hosting’.

Service providers succeed better with customers where they offer specialized, bundled cloud hosting and network connectivity services. Operators will have an even greater advantage with customers wanting to combine the network ‘pipe’ and the network cloud platform, if they include DNS based security. Security-sensitive customers such as financial institutions, health care firms, and government agencies are likely to be especially interested in a packaged, turnkey solution with SLAs that includes security guarantees.

In a Cloud or Data Center environment if one hosted tenant receives a DDoS attack - or even just a large traffic spike - in a shared availability zone, other tenants’ access to resources may be negatively affected. DNS must therefore play a critical role in the detection and mitigation or orchestration of these ‘noisy neighbor’ situations that could undermine hosted Cloud performance and SLA guarantees.

DNS is therefore a critical value-added component for Secure Cloud Hosting services that helps service providers to create a higher value alternative at a competitive price.


Two Future Services that DNS could leverage on a massive scale

Network Slicing

In 5G networks Operators will be deploying End-to-End (E2E) Services as ‘Network Slices’. ‘Network Slices’ are defined as “Multiple independent and dedicated virtual sub-networks...created within the same infrastructure to run services that have completely different requirements for latency, reliability, throughput and mobility”. Each virtual sub-net or ‘Network Slice’ will have its own Service Level Agreement (SLA) with guarantees for latency and Quality of Service (QoS) etc., including security parameters that are comparable to those of a physically separate VPN.

Appropriate DNS namespaces will need to be created to create, manage and secure each ‘Network Slice’, similarly to the way that service providers offer Virtual Private Network (VPN) domains. These namespaces are relatively static in today’s 4G networks but will become highly dynamic as 5G evolves.

Policy applications for the DNS will manage and enforce end user access to service specific domain names and addresses. Eventually service providers could offer ‘Application Domains’ for new ‘Network Slices’ that would allow third party Mobile Virtual Network Operators (MVNOs) to set their own Security, Class of Service (CoS) and Service Level Assurance (SLA) parameters for their VPN-like ‘Network Slices’ e.g. for vertical IoT markets. These ‘slices’ must be logically isolated from other services by DNS name and address management and associated policies.

Services at the Edge

Already in 2019, prior to the deployment of 5G, many service providers are looking to add compute and storage resources at ‘the Edge’ of their Mobile and even Cable and Fixed networks. The specifications for Multi-Access Edge Computing (MEC) have already been approved by ETSI. MEC seeks to offer an environment characterized by ultra-low latency and high bandwidth with real-time access to radio network information that can be leveraged by application developers and content providers as an IT service environment at the edge of the network.

In the RAN, compute resources could initially be at the P/GW in a metro area data center (DC) or at the vEPC or the Edge Router; and eventually they could share a ‘micro data center’ alongside a pool of baseband radios. In fixed broadband networks computing could be located at a former central office that is now a Cloud DC or even in the ground at an optical termination point, where a DSLAM used to be. Service Providers are looking not only to distribute their own internal optimization processes to the edge – e.g. Video Delivery Optimization or dynamic Wi-Fi offload – but also to ‘host’ third party vertical market 5G URLLC services and Over the Top (OTT) cloud apps that require low latency ‘at the edge’, to capture an additional source of revenues. Frequently cited third party use cases include:

• Public Safety – e.g. First Responder Traffic light control or Drone Video
• Navigation Control for connected/autonomous cars
• Location based services e.g. In Mall dynamic Ad promotion
• Internet-of-Things (IoT) – Multiple factory and Outdoor Apps.
• Virtual Reality and Interactive Gaming

Key benefits of processing at the edge include not only very low latency response times but also dramatic backhaul cost savings for data intensive traffic that is only used locally or pre-processed before upload.


Role of DNS

Network slicing will increase the number of namespaces each network operator must maintain. Manual processes will be unable to keep up. Automated creation of DNS namespaces and the appropriate records will replace the manual processes in place today and enable network operators to onboard network slices on demand. Similarly, policy enforcement over DNS can be tuned to the specific needs of each slice, for example URLLC or IoT.

Services ‘at the Edge’ will trigger a massive increase in both the number of end-points to be managed and the magnitude of the ‘threat surface’ through which the service provider’s network could be attacked. DNS has a major role to play in both. DNS can automate address management with IPAM; and Authoritative DNS with automated Grid and DNS Traffic Control can reduce the administrative burden of updating and maintaining accurate records and supporting efficient node assignment, while improving network visibility of the massively distributed edge computing resources.

In parallel, DNS can block attacks ‘at the edge’ before they advance further. It is well known that application-layer DDoS attacks are best remediated at the network edge where they first occur. According to one source at Infoblox “there are 60 times fewer hits on the network security layer firewall after implementing DNS based Security for network access.” DNS itself is an excellent candidate for a ‘Service at the Edge’, located for example at the P/GW where traffic moves between the fixed and mobile networks.
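One way to automate the per-slice namespace and record creation described under ‘Role of DNS’, together with a slice-specific DNS policy that rejects unwanted queries at the edge before they reach a firewall, as an added example that is neither Infoblox’s nor the report’s own code; the operator zone slices.example.net, the slice descriptors and all addresses are constructed for illustration:

```python
"""Generate per-slice DNS zone data and a resolver policy from slice descriptors.
Added example (not Infoblox or Strategy Analytics code); all names are constructed."""
from dataclasses import dataclass, field
import ipaddress

BASE_ZONE = "slices.example.net"   # hypothetical operator zone for slice namespaces

@dataclass
class Slice:
    slice_id: str                  # e.g. "iot-07" (constructed)
    slice_type: str                # "URLLC", "IoT" or "eMBB"
    services: dict                 # service name -> IPv4 address inside the slice
    allowed_domains: list = field(default_factory=list)  # extra domains an IoT slice may resolve

def slice_zone(s: Slice) -> str:
    """Each slice gets its own namespace under the operator zone."""
    return f"{s.slice_id}.{BASE_ZONE}"

def zone_records(s: Slice) -> list:
    """Forward A records plus matching reverse PTR records, addresses validated via ipaddress."""
    ttl = 30 if s.slice_type == "URLLC" else 300    # short TTL so edge services can move quickly
    recs = []
    for name, ip in sorted(s.services.items()):
        addr = ipaddress.IPv4Address(ip)            # raises ValueError on a malformed address
        fqdn = f"{name}.{slice_zone(s)}."
        recs.append(f"{fqdn} {ttl} IN A {addr}")
        recs.append(f"{addr.reverse_pointer}. {ttl} IN PTR {fqdn}")
    return recs

def resolver_policy(s: Slice) -> dict:
    """IoT slices get a strict allow-list and a low per-client query budget; others stay open."""
    if s.slice_type == "IoT":
        return {"mode": "allowlist", "domains": [slice_zone(s), *s.allowed_domains], "qps_per_client": 5}
    return {"mode": "open", "domains": [slice_zone(s)], "qps_per_client": 200}

def is_query_allowed(policy: dict, qname: str) -> bool:
    """Edge resolver check: a query not covered by the slice policy is refused at the DNS layer."""
    q = qname.rstrip(".").lower()
    if policy["mode"] == "open":
        return True
    return any(q == d or q.endswith("." + d) for d in policy["domains"])

def onboard(s: Slice) -> dict:
    """Everything an automated onboarding step would push to the DNS/IPAM platform for one slice."""
    return {"zone": slice_zone(s), "records": zone_records(s), "policy": resolver_policy(s)}
```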


Strategic Benefits to CSPs from Infoblox Virtual Secure DNS

Overall, virtual Secure DNS captures the full strategic benefits that NFV brings. MNOs will see immediate benefits from the adoption of a truly virtualized Secure DNS solution. Specifically:

• Improved scalability and reliability with both DNS virtualization and IPAM
• Reduced OPEX from automated configuration and non-intrusive real time monitoring
• Improved customer experience management (CEM) from E2E service and applications monitoring
• Enhanced security threat management, redirection and even absorption – for both hosted and end user customers

Virtual Secure DNS significantly lowers the cost of network expansion

Scales at minimal incremental cost to protect operator margins.

The cost of Virtual Secure DNS scales at a fraction of the rate of growth of the traffic that the system supports, due to its highly automated distributed domain management. As a result, the adoption of vSDNS will contribute significant OPEX savings while allowing Operators to massively scale their IP network capacity without margin erosion.

Summary

Service Providers have long underestimated the role of DNS in managing, monitoring and protecting their networks. As networks become virtualized with highly dynamic cloud native microservice instantiation and distributed 5G Service Functions as well as Unstructured Data Storage Functions (UDSF) for real time state event capture, they require a new level of scalability, performance and security that DNS can help deliver. As Service Providers look to add future services such as Network Slicing and MEC they should look again at the applicability of DNS as they seek to massively scale and distribute their networks geographically with large scale automation at minimal cost.

Contact

To explore this topic in more detail or to hear how Infoblox DNS solutions can support you please visit www.infoblox.com/sp. If you have questions please contact David Ayers, Senior Product Marketing Manager for Infoblox at email [email protected] or call: 1.240.581.1689.


Strategy Analytics Ltd
Milton Keynes
Bank House, 171 Midsummer Boulevard
Milton Keynes, MK9 1EB, United Kingdom
Tel: +44 1908 423600
Fax: +44 1908 423650

Strategy Analytics Inc.
Boston MA
199 Wells Avenue Suite 108
Newton MA 02459 USA
Tel: +1 617 614 0700
Fax: +1 617 614 0799

Offices in: Japan | Korea | China | France | Germany