DNS Security (DNSSEC) With BIG-IP Global Traffic Manager

This slideshow gives an overview of how F5's BIG-IP Application Delivery Controllers protect customers' DNS infrastructure against various attacks by implementing a unique dynamic security signing policy.

Published in: Technology

  1. DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
  2. DNS Infrastructure is Vulnerable: spoofing and cache poisoning allow hijacking of domains
     (Diagram: a client asks its LDNS for www.example.com; the example.com GSLB answers 123.123.123.123 for the app servers, but a hacker gets 012.012.012.012 into the LDNS by cache poisoning and by spoofing with the first response.)
     Problem: need to secure DNS infrastructure
     • Cache poisoning and spoofing can hijack DNS records
     • Need a method for trusted responses
     • Need to meet US Government mandate for DNSSEC compliance
  3. What is DNSSEC?
     • DNS protocol extensions ensure the integrity of data returned by domain name lookups.
     • Incorporates a “chain of trust” into the DNS hierarchy using public key cryptography (PKI).
     • Each link in the chain consists of a public-private key pair.
     • Provides origin authenticity, data integrity, and secure denial of existence.
       – Origin authenticity: resolvers can verify that data has originated from authoritative sources.
       – Data integrity: resolvers can also verify that responses are not modified in-flight.
       – Secure denial of existence: when there is no data for a query, authoritative servers can provide a response that proves no data exists.
  4. How Does DNSSEC Work?
     • Each DNSSEC zone creates one or more pairs of public/private key(s).
     • The public portion is put in the DNSSEC record type DNSKEY.
     • Zones sign all sets with the private key(s) and resolvers use the DNSKEY(s) to verify the sets.
     • Each set has a signature attached to it: RRSIG.
     • So, if a resolver has a zone’s DNSKEY(s), it can verify that sets are intact by verifying their RRSIGs.
  5. Securing the DNS Infrastructure: dynamic and secure DNS with Global Traffic Manager
     (Diagram: a client asks its LDNS for www.example.com; the example.com BIG-IP GTM answers 123.123.123.123 for the app servers plus the public key, and the client gets a signed, trusted response.)
     Solution: secure and dynamic DNS with BIG-IP Global Traffic Manager with DNSSEC
     • Ensure users get trusted DNS queries with signed responses
     • Reduce management costs – simple to implement and maintain
     • Meet mandates with a DNSSEC compliant solution
  6. Drop-in DNSSEC Compliance
     (Diagram: a query for site.example.com reaches BIG-IP GTM with DNSSEC, which sits in front of the existing DNS servers at 172.16.124.1 and answers with a trusted SSL key.)
     Simple DNSSEC compliance
     • Drop GTM in front of existing DNS servers
     • GTM signs requests without changes to DNS configuration
  7. Find Out More on DNSSEC
     • Video: DNSSEC in Five Easy Steps
     • Blog: It’s DNSSEC not DNSSUX
     • Tech Tip: Configuring GTM’s DNS Security Extensions
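Slides 3 and 4 describe the chain of trust in terms of DNSKEY and RRSIG records; the link between a parent zone and a child zone is the DS record, a hash of the child's key-signing DNSKEY that the parent signs. The Python below is added here as an example (it is not part of the F5 slides) and shows what a validating resolver checks at each link: it computes the RFC 4034 key tag and the SHA-256 DS digest for a DNSKEY and tests whether a parent's DS commits to a given child DNSKEY. The DNSKEY record and its key bytes are a constructed placeholder, not a real key.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-form RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

def name_to_wire(name: str) -> bytes:
    """Canonical owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: tells a resolver which DNSKEY a DS or RRSIG refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, key: DNSKEY) -> str:
    """DS digest type 2 (SHA-256, RFC 4509) over canonical owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + key.rdata()).hexdigest()

def make_ds(owner: str, key: DNSKEY) -> dict:
    """The DS record a parent zone publishes to delegate trust to the child's KSK."""
    return {"key_tag": key_tag(key.rdata()), "algorithm": key.algorithm,
            "digest_type": 2, "digest": ds_digest(owner, key)}

def ds_matches(ds: dict, owner: str, key: DNSKEY) -> bool:
    """Validator's link check: the parent-signed DS must commit to exactly this child DNSKEY."""
    if ds["digest_type"] != 2 or ds["algorithm"] != key.algorithm:
        return False  # unsupported digest type or algorithm mismatch: DS cannot vouch for this key
    return ds["key_tag"] == key_tag(key.rdata()) and ds["digest"] == ds_digest(owner, key)

def parse_dnskey(line: str) -> DNSKEY:
    """Parse presentation format, e.g. 'example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=='."""
    p = line.split()
    i = p.index("DNSKEY")
    return DNSKEY(int(p[i + 1]), int(p[i + 2]), int(p[i + 3]), base64.b64decode("".join(p[i + 4:])))

# Constructed sample KSK: 'AQIDBA==' decodes to four placeholder bytes, not a real RSA key.
SAMPLE_KSK = parse_dnskey("example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==")
```

A mismatch in any of owner name, key bytes, algorithm or key tag makes `ds_matches` return false, which is how a resolver refuses to extend trust to a DNSKEY the parent never vouched for.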