By Fergal Murray, Director of Business Development, AEP Networks
It's no surprise that the U.S. government's reliance on the Internet to disseminate
and provide access to information has significantly increased over the years.
While the use of technology has grown, so have the risks of unauthorized use,
compromise and loss of control of the .gov domain space.
After a major vulnerability in the Domain Name System (DNS) was disclosed
last summer, the Office of Management and Budget responded by mandating deployment
of Domain Name System Security Extensions (DNSSEC), the signing standard defined
in RFCs 4033 through 4035, across all federal .gov domains by December 2009.
DNS is a core Internet service that translates human-friendly names (such as
whitehouse.gov) into IP addresses. Weaknesses in the protocol have long been
known, but it was not until security researcher Dan Kaminsky demonstrated a
practical, fast cache-poisoning attack against recursive resolvers that
the U.S. government committed to deploying DNSSEC. By migrating from DNS to
DNSSEC, agencies would be able to ensure the integrity of Internet names and
DNSSEC adds digital signatures, based on public-key cryptography, to DNS data
so that a validating resolver can check that an answer was published by the
zone's operator and was not altered in transit; it does not encrypt queries or
responses. While all federal .gov zones must comply by the end of the year,
deploying DNSSEC is not trivial: it typically requires hardware and software
components from multiple vendors and creates new operational duties around key
generation, zone signing, signature refresh and key rollover. Although agencies
are expected to meet the fast-approaching deadline, few have the specialized
skills and technical expertise required for a successful migration.
This article examines the operational and administrative requirements organizations
need to consider as they migrate from a traditional DNS infrastructure to one
based on DNS Security Extensions (DNSSEC).
DNSSEC provides security in Internet communications
Attackers have long been able to abuse the DNS to masquerade as trustworthy
online entities through DNS cache poisoning, in which forged records are planted
in a recursive resolver's cache. The Kaminsky technique makes such attacks far
easier to launch, cutting the time needed to poison a vulnerable resolver from
hours to seconds or minutes, and the poisoned answers look like ordinary responses
to the end user, so the attack is very hard to notice without validation.
Faced with the threat of large-scale disruption, identity theft and fraud,
DNSSEC has become widely recognized not only as the remedy for this class of
attack but as a layer of defense in depth for the Internet. In addition, DNSSEC
deployment will enable new services and security applications that can build
on authenticated data from the DNS.
Because DNSSEC deployments are relatively new, there are few operational signed
zones worldwide and little accumulated operational expertise, which makes the
migration difficult. DNSSEC deployment may require limited effort, or it may
require large-scale changes in how DNS zones and servers are maintained. The
specifics depend on the agency's current hardware, software, security requirements,
traffic load, and zone management processes.
Within each agency, authoritative server configuration, zone file structure,
and server interactions must be mapped clearly. DNS software on authoritative
and recursive name servers may need to be upgraded to versions that support
DNSSEC, and DNSSEC must be enabled and configured correctly. To ensure proper
configuration and eliminate points of failure, the surrounding network infrastructure
must be tested as well: signed responses are larger, so firewalls and other
middleboxes must pass EDNS0 UDP messages well above the classic 512-byte limit
and must allow the TCP fallback on port 53 that a truncated response triggers.
A middlebox that silently drops large or fragmented replies breaks resolution
for every client behind it.
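As an added example (not part of the original article or of any vendor product), the following Python builds a DNSSEC-aware query carrying an EDNS0 OPT record with the DO bit, and inspects a response for the properties the paragraph above asks you to test: whether the answer carries RRSIG records, whether the resolver set the AD (authenticated data) bit, whether the server echoed EDNS0 and DO, whether the message exceeded 512 bytes, and whether TC was set, in which case the client must retry over TCP. It runs offline against a constructed response; the name www.example.gov. and the addresses are placeholders. To turn it into a live check, send build_dnssec_query() over UDP to a resolver and pass the received bytes to assess_response().

```python
import struct

def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dnssec_query(qname, qtype=1, udp_size=4096, qid=0x1234):
    """Recursive query plus an EDNS0 OPT RR advertising udp_size and the DO bit
    (RFC 6891 / RFC 3225); without DO a server will not return RRSIG records."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)          # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)  # root name, OPT, size, DO in TTL
    return header + question + opt_rr

def _skip_name(msg, off):
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _read_rrs(msg, off, count):
    """Return ([(type, class_or_udpsize, ttl_or_flags, rdata), ...], new offset)."""
    rrs = []
    for _ in range(count):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return rrs, off

def assess_response(resp):
    """Summarize the DNSSEC-relevant facts about a response message."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4              # skip QTYPE and QCLASS
    answers, off = _read_rrs(resp, off, an)
    _, off = _read_rrs(resp, off, ns)
    additional, _ = _read_rrs(resp, off, ar)
    opt = next((rr for rr in additional if rr[0] == 41), None)
    return {
        "rcode": flags & 0xF,
        "truncated": bool(flags & 0x0200),           # TC: the client must retry over TCP
        "validated": bool(flags & 0x0020),           # AD: the resolver validated the data
        "has_rrsig": any(rr[0] == 46 for rr in answers),
        "edns_udp_size": opt[1] if opt else None,    # None: EDNS0 stripped or unsupported
        "do_echoed": bool(opt and opt[2] & 0x8000),
        "over_512_bytes": len(resp) > 512,           # would be truncated without EDNS0
    }

def sample_response(truncate=False):
    """Constructed reply to build_dnssec_query('www.example.gov.'): QR/RD/RA/AD set, one A
    record plus an RRSIG whose dummy 512-byte signature pushes the message past 512 bytes."""
    question = build_dnssec_query("www.example.gov.")[12:-11]   # OPT RR is 11 bytes: root name + 10 fixed
    flags = 0x8180 | 0x0020
    if truncate:                                                  # server that could not fit the answer in UDP
        return struct.pack("!6H", 0x1234, flags | 0x0200, 1, 0, 0, 0) + question
    ptr = b"\xC0\x0C"                                             # compression pointer to QNAME at offset 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    # RRSIG RDATA: type covered=A, alg 8 (RSASHA256), 3 labels, orig TTL, expiry, inception, key tag, signer, sig
    rrsig_rdata = struct.pack("!HBBIIIH", 1, 8, 3, 300, 0, 0, 12345) + encode_name("example.gov.") + b"\x00" * 512
    rrsig_rr = ptr + struct.pack("!HHIH", 46, 1, 300, len(rrsig_rdata)) + rrsig_rdata
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return struct.pack("!6H", 0x1234, flags, 1, 2, 0, 1) + question + a_rr + rrsig_rr + opt_rr

if __name__ == "__main__":
    print(assess_response(sample_response()))
    print(assess_response(sample_response(truncate=True)))
```

A live run that shows edns_udp_size as None, or that times out for the signed query while an unsigned one succeeds, points at a middlebox stripping EDNS0 or dropping large UDP replies; a truncated verdict means the same query must work over TCP/53 before the rollout can be called complete.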
As agencies become increasingly reliant on digital communications, the importance
of a robust security system becomes apparent. In addition to having the technical
expertise required for implementation, it is important to be clear about which
risks DNSSEC addresses: it authenticates the origin of DNS data and protects its
integrity, but it does not provide confidentiality for queries and responses, and
it does not by itself control who may query or update a zone. Those concerns still
need their own access controls.
Keeping everything under lock and key
DNSSEC uses public key cryptography to digitally sign DNS records, which places
new computational load on the servers that sign DNS zones. A digital signature
lets a validating resolver confirm that an answer was produced by the holder of
the zone's private key and has not been modified since, so a forged or altered
response is rejected rather than believed.
In public key cryptography, a user has a pair of cryptographic keys, a public
key and a private key. The private key is kept secret, while the public key
may be distributed freely. A message signed with the sender's private key can be
verified by anyone who has the sender's public key, proving that whoever produced
the signature held the private key and is therefore the party associated with
that public key.
DNSSEC signs each zone's records with the zone operator's private key. Without
a hardware security module (HSM), that private key sits in ordinary file storage
where it can be copied, and if it ever falls into an attacker's hands the attacker
can sign forged records that validate as genuine: security is completely compromised.
When DNSSEC is fully deployed there is a key pair for every zone in the DNS
hierarchy: a key for the root zone, a key for each top-level domain (such as
.com, .org and .gov) and a key for each agency's own zone. These are linked into
a chain of trust: each parent zone publishes a signed DS record containing a hash
of its child zone's public key, so a resolver configured with only the root's
public key can validate any signed name beneath it.
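To make the preceding three paragraphs concrete, here is an added example (written for this edit, not code from the article or from any vendor) that models the signing chain in Python. It uses textbook RSA with short, freshly generated keys and no padding, which is not secure and merely stands in for the RSASHA256 or ECDSAP256SHA256 algorithms real zones use; the canonical record form is a simplification of RFC 4034 presentation format rather than wire format; and the SigningModule class stands in for an HSM by keeping the private exponent where callers cannot read it and exposing only sign(). The zone names gov. and example-agency.gov. and the addresses are constructed placeholders. A validating resolver holding only the parent's public key verifies the parent's signed DS record, matches its digest against the child's DNSKEY, then verifies the child's RRSIG over the answer; both a tampered answer and one signed with an attacker's own key are rejected.

```python
import hashlib
import random

RNG = random.SystemRandom()

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for generating demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def gen_keypair(bits=512):
    """Textbook RSA: returns ((n, e), d). INSECURE toy size, for illustration only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class SigningModule:
    """Stand-in for an HSM: the private exponent never leaves this object; callers get sign() only."""
    def __init__(self, bits=512):
        self.public_key, self._d = gen_keypair(bits)
    def sign(self, data):
        n, _ = self.public_key
        return pow(digest_int(data), self._d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)

def canonical_rrset(owner, rtype, rdatas, ttl=3600):
    """Simplified RFC 4034 canonical form: lowercase owner, sorted RDATA, one RR per line."""
    return "\n".join(f"{owner.lower()} {ttl} IN {rtype} {r}" for r in sorted(rdatas)).encode()

def ds_digest(public_key):
    """DS-style digest of a child zone's public key, published and signed by the parent zone."""
    n, e = public_key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

def sign_rrset(hsm, owner, rtype, rdatas):
    """What a zone signer writes into the signed zone file: the RRset plus its RRSIG."""
    return {"owner": owner, "type": rtype, "rdata": list(rdatas),
            "rrsig": hsm.sign(canonical_rrset(owner, rtype, rdatas))}

def validate_answer(trust_anchor, parent_ds, child_dnskey, answer):
    """Validating-resolver logic, holding only the parent's public key as trust anchor."""
    if not verify(trust_anchor, canonical_rrset(parent_ds["owner"], "DS", parent_ds["rdata"]), parent_ds["rrsig"]):
        return False, "parent's DS record does not verify against the trust anchor"
    if ds_digest(child_dnskey) not in parent_ds["rdata"]:
        return False, "child DNSKEY is not the one delegated by the parent's DS"
    if not verify(child_dnskey, canonical_rrset(answer["owner"], answer["type"], answer["rdata"]), answer["rrsig"]):
        return False, "RRSIG over the answer fails: forged or tampered"
    return True, "secure"

def demo():
    """Returns (genuine_ok, tampered_ok, rogue_key_ok); expected (True, False, False)."""
    tld_hsm = SigningModule()       # key for gov.                (constructed)
    agency_hsm = SigningModule()    # key for example-agency.gov. (constructed)
    ds = sign_rrset(tld_hsm, "example-agency.gov.", "DS", [ds_digest(agency_hsm.public_key)])
    answer = sign_rrset(agency_hsm, "www.example-agency.gov.", "A", ["192.0.2.10"])
    genuine, _ = validate_answer(tld_hsm.public_key, ds, agency_hsm.public_key, answer)
    # Cache-poisoning style forgery: the attacker swaps the address but cannot re-sign.
    tampered, _ = validate_answer(tld_hsm.public_key, ds, agency_hsm.public_key,
                                  dict(answer, rdata=["198.51.100.66"]))
    # Attacker signs with a key of their own: the parent holds no DS for it.
    rogue = SigningModule()
    rogue_answer = sign_rrset(rogue, "www.example-agency.gov.", "A", ["198.51.100.66"])
    rogue_ok, _ = validate_answer(tld_hsm.public_key, ds, rogue.public_key, rogue_answer)
    return genuine, tampered, rogue_ok

if __name__ == "__main__":
    print(demo())
```

The point of the SigningModule shape is the operational one the article makes: an attacker who gets onto the signing host can ask it to sign while they have access, but cannot take the key with them, whereas a key file on disk is a one-time theft with indefinite consequences.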
HSMs are a critical component of any cryptography-based security solution because
they safeguard cryptographic keys and, through them, the applications, transactions
and information assets that depend on those keys. In DNSSEC, HSMs are used to
generate, store and manage the private keys that sign DNS records and zones.
The whole point of a hardware security module is that it keeps private keys
private. An HSM is a physical device designed to generate cryptographic keys and
perform signing operations internally, so that key material never leaves the
device in clear form. Without an HSM, key material stored on a general-purpose
computer is exposed to every user and process with access to the file system,
and can be copied by an insider or stolen by an attacker in a wide range of ways.
Agencies that deploy DNSSEC without integrating an HSM into their infrastructure
expose themselves to exactly this risk. Relying on a general-purpose computer to
store signing keys is like putting an expensive padlock on the front door of your
home but leaving the keys outside where someone can see them, copy them and walk
away with them for use whenever they choose. Once somebody has a copy of the key,
they can impersonate you and act with your authority without warning and without
your knowledge. With an HSM in place, private keys and other sensitive material
are protected from unauthorized use and from potential adversaries.
However, not all HSMs are created equal. FIPS 140-2, the Federal Information
Processing Standard for cryptographic modules, defines four security levels;
Level 4 is the highest and requires a tamper-detection envelope that zeroizes
keys on any physical intrusion, together with protection against attacks via
out-of-range voltage and temperature. When evaluating HSMs, look for a module
validated under FIPS 140-2 at the level your application demands, and insist on
Level 4 where the physical environment of the signer cannot be fully controlled.
Validation provides independent assurance that the device actually meets the
claimed requirements for tamper resistance, key protection and access control.
Because intrusions are often silent, a compromised signing key can be abused for
a long time before anyone notices. With the private key confined to an HSM, an
attacker who compromises the signing server cannot simply copy the key and walk
away with it; at worst they can request signatures while they retain access, and
that access can be revoked. By integrating a FIPS 140-2 Level 4 validated HSM into
the DNSSEC deployment, agencies gain a strong foundation for protecting employees
and citizens from fraudulent DNS responses that could be used for serious fraud
or attack.
Meeting the deadline
Partnering with a security consultant can help federal agencies select the
validation level suited to their application and ease the process of deploying
DNSSEC. Cryptography, security policy, key management and the associated operational
procedures (signature refresh, scheduled key rollover, and emergency rollover after
a suspected compromise) are likely to be new to DNS administrators. Deploying
DNSSEC in accordance with NIST (National Institute of Standards and Technology)
guidance, notably SP 800-81, Secure Domain Name System (DNS) Deployment Guide,
and FISMA (Federal Information Security Management Act) reporting will be a
significant undertaking. It will require effort analysis, planning and testing,
and likely new hardware, software and processes to deliver the mandated operational
capability. A partner with experience in DNSSEC deployment can assist
with auditing the current infrastructure and provide a plan for a successful
Integrating hardware security modules into the DNSSEC deployment process is
essential for generating, storing and guarding private keys, and it provides the
highest level of protection available for them. As agencies work to protect
information and applications from DNS threats and meet the December deadline,
cryptographic hardware can protect the signing system and help keep citizens and
employees safe from attacks that rely on forged DNS data.
About the Author
Author Fergal Murray is the director of Business Development for Somerset, N.J.-based AEP Networks, a company offering secure communications, networking and application access for government, enterprise and carriers. More information can be accessed at www.aepnetworks.com.