Nominum Defends Against DNS Cache Poisoning
Nominum has released a security update to its Vantio caching DNS server platform, adding multi-layer intelligent defenses that defeat DNS cache poisoning and other attacks, including the recently publicized Kaminsky vulnerability. Vantio, which is an alternative to open-source DNS, enables broadband providers to deliver new services by leveraging DNS as a key control point in the network. Nominum's many ISP and carrier customers support an estimated 120 million broadband subscribers.

Key benefits of new Vantio DNS security features include:
  • Resists and stops all forms of cache poisoning attacks
  • Defends automatically against query response spoofing and takes attackers out of the loop
  • Prevents hijacking of subscriber traffic, or "pharming" attacks
  • Identifies perpetrators and records attack attempts
  • Provides protection in enterprise and service provider networks that use network address translation (NAT), which can undermine UDP source port randomization (UDP SPR); NAT devices include server load balancers and firewalls
  • Reduces the chance of poisoning answers for valuable domains (www.mybank.com) to zero
In the recent cache poisoning threat, Nominum said its customers were instrumental in implementing and deploying UDP SPR. However, UDP source port randomization is only a first-step response to the new vulnerability, and network operators need additional deterministic defenses to address important exploits.

"Literally one day after details of the Kaminsky cache poisoning attack were revealed, UDP Source Port Randomization was defeated in 10 hours by security researchers using brute-force spoofed responses," said Dr. Paul Mockapetris, Chairman and Chief Scientist at Nominum and inventor of the DNS. "Nominum's multi-layered approach eliminates the risk of a successful attack."

Vantio features the following four security layers with key security features highlighted:
  • Deterrence Layer: Includes Nominum's UDP Source Port Randomization implementation, the recommended industry response to the Kaminsky threat
  • Defense Layer: Incorporates Nominum's "Detect and Defend" capability to detect spoofing attempts and automatically switch the resolution to a secure connection in response to an attack attempt.
  • Resistance Layer: Employs Query Response Screening with a set of features that intelligently screen DNS answers to ensure malicious data in DNS responses is not used to answer valid user queries.
  • Remediation Layer: Sends alerts when an attack is under way and incorporates a new feature that records the attack, allowing the attacker to be identified, and real-time remedial action to be taken by the network operator.

http://www.nominum.com
27-Aug-08

Copyright © 2010 Converge! Media Ventures, Inc.  All rights reserved.