                                   Building Trust into DNS: Key Strategies
                                   WHITE PAPER




Executive Summary
DNSSEC represents a vital means with which to address many security threats, including
cache poisoning, man-in-the-middle attacks, and more. But the DNSSEC infrastructure
is only as secure as the cryptographic keys used to protect DNS records. This paper
reveals important strategies for maximizing DNSSEC security, outlining the key role
HSMs play and the critical requirements for successful HSM implementations.

                                   Introduction
                                   For all the benefits of an open Internet, there is a dangerous flip side. Domain name system
                                   (DNS) servers are a perfect case in point. With no inherent security, DNS servers at a host of
                                   organizations have been repeatedly compromised to enable a host of malicious endeavors,
                                   including cache poisoning (injecting incorrect/fraudulent data into a name server’s cache,
                                   which then gets served to users), redirecting phone calls, man-in-the-middle attacks to steal
                                   passwords, rerouting email, denial of service attacks, and more.

                                   To combat these threats, many organizations have implemented Domain Name System
                                   Security Extensions (DNSSEC), the process of digitally signing DNS records in order to ensure
                                   that the messages received are the same as those that were sent.

                                   By adopting DNSSEC, a range of organizations, including domain providers, online banks and
                                   retailers, SaaS providers, and more, can realize a range of benefits:

                                     • Boost security. DNSSEC can help guard against cache poisoning, redirected phone calls,
                                       man-in-the-middle attacks, and more.

                                     • Ensure compliance. DNSSEC can help address ICANN, NSEC, and other mandates and
                                       guidelines.

                                     • Reduce costs. By safeguarding against a range of network based threats, organizations
                                       can reduce the time and cost associated with threat mitigation and post-attack forensics
                                       and reparation.

                                   Without Robust Security, DNSSEC Can Be Compromised
                                   In addition to several new concepts and operations for both the DNS server and the DNS
                                   client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to
                                   DNS. What this means is that DNSSEC requires some new procedures such as key generation,
                                   signing, and key management. But, for all the potential DNSSEC benefits outlined above,
                                   the intended gains aren’t guaranteed because the resource records introduced by DNSSEC
                                   are kept in an unencrypted file. It is only when the entire DNSSEC infrastructure is fully and
                                   comprehensively secured that organizations can begin to fully enjoy DNSSEC’s benefits. To do
                                   so, they need capabilities to do the following:

                                     • Secure digital signatures. DNS messages need to be digitally signed in order to ensure the
                                       validity of DNS services.

                                     • Control access. Organizations need to ensure only authorized customers and internal staff
                                       can access sensitive applications and data.

                                     • Maintain application integrity. All associated application code and processes need to be
                                       secured to ensure integrity and prohibit unauthorized application execution.

                                     • Scale to accommodate high volume processing. Since DNS updates are very frequent,
                                       DNSSEC infrastructures need to deliver the performance and scalability required to ensure
                                       timely processing at all times.

                                   Building Trust into DNS: Key Strategies White Paper                                              1

HSM Advantages
• Completeness
• Performance
• Compliant and Secure
• Centralization of Key Management

                          The Role of HSMs in DNSSEC
                          As outlined above, it is only by ensuring security throughout the DNSSEC infrastructure that
                          businesses can realize the benefits of DNSSEC. To ensure the validity of DNS services, DNSSEC
                          employs public key cryptography to digitally sign DNS messages.

                          To realize the security required, robust protection of private signing keys is vital. If the keys and
                          their corresponding digital certificates are compromised, the chain of trust in the DNS hierarchy
                          is broken, rendering the entire system obsolete. This is where hardware security modules (HSMs)
                          come into play.

                          HSMs are dedicated systems that physically and logically secure the cryptographic keys and
                          cryptographic processing that are at the heart of digital signatures. HSMs support the following
                          functions:

                            • Life-cycle management, including key generation, distribution, rotation, storage,
                              termination, and archival.

                            • Cryptographic processing, which produces the dual benefits of isolating and offloading
                              cryptographic processing from application servers.

                          By storing cryptographic keys in a centralized, hardened device, HSMs can eliminate the risks
                          associated with having these assets housed on disparate, poorly secured platforms. In addition,
                          this centralization can significantly streamline security administration.
                          [Figure: securing the DNS chain of trust with HSMs. Components shown: DNS Root Server Cluster
                          (root zone records signed by private key in HSM, *FIPS 140-2 Level 4 validated); TLD Server
                          Cluster (TLD zone records signed by private key in SafeNet HSM); Authoritative Server Cluster
                          (enterprise level zone key signed by SafeNet HSM, www.mybank.com); Recursive (Caching) Name
                          Server; Client-Side of the DNS (DNS Query). The SafeNet HSM stores the cryptographic keys that
                          sign the DNS records (DNSKEY, RRSIG, NSEC, and DS).]

                            1   Client initiates query for www.mybank.com.

                            2   ISP caching name server starts recursive search at root if no record found in cache.

                            3   Recursive search referred to applicable TLD by root. If record does not exist in TLD
                                zone, query referred to the Authoritative server. (Simplified example – additional
                                zone searches may be required to identify Authoritative Name Server.)

                            4   Authoritative Server responds with signed DNS zone record.

                            5   Recursive server returns verified IP address for “mybank.com” to DNS client.

                          The diagram above depicts the steps involved in securing DNS messages through the use of HSMs. By
                          safeguarding digital certificates and cryptographic keys, organizations can maximize the security of their DNSSEC
                          implementations.
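To make the chain of trust in the diagram concrete, here is an added example in Go; it is not code from the paper or from SafeNet. It builds the three-zone hierarchy the diagram shows (root, com., mybank.com.), has each zone sign its own records and the DS records for its child with an ECDSA P-256 key (the curve used by DNSSEC algorithm 13), and then plays the validating recursive resolver: it trusts only the configured root DNSKEY, checks each DS record's RRSIG and that the DS matches the next zone's DNSKEY before trusting that zone, and finally checks the RRSIG over the answer for www.mybank.com. The zone names, the address 192.0.2.10, the string that is hashed for each record and the DS construction (SHA-256 over owner name and key, a simplified form of the RFC 4034 digest) are all constructed for the example, not the real wire format; the private keys are held in memory here, where the paper's point is that a deployment keeps them inside the HSM so only signatures leave the device.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// RR holds a record's RDATA together with the RRSIG that covers it.
type RR struct {
	Data string
	Sig  []byte
}

// Zone is a simplified signed zone: one DNSKEY plus its signed records, keyed
// "TYPE owner" (e.g. "A www.mybank.com.", "DS com."). The private key is held in
// memory for the example; in a deployment it stays inside the HSM.
type Zone struct {
	Name   string
	priv   *ecdsa.PrivateKey
	DNSKEY []byte // DER-encoded public key, standing in for DNSKEY RDATA
	RRs    map[string]RR
}

// rrHash canonicalises what an RRSIG covers (constructed format, not RFC 4034 wire form).
func rrHash(rtype, owner, rdata string) []byte {
	h := sha256.Sum256([]byte(rtype + " " + owner + " " + rdata))
	return h[:]
}

// dsDigest is what a parent publishes for a child's key: SHA-256 over the child's
// owner name and DNSKEY, a simplified form of the RFC 4034 digest type 2.
func dsDigest(owner string, dnskey []byte) string {
	h := sha256.Sum256(append([]byte(owner), dnskey...))
	return hex.EncodeToString(h[:])
}

// NewZone generates an ECDSA P-256 key, the curve used by DNSSEC algorithm 13.
func NewZone(name string) (*Zone, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, priv: priv, DNSKEY: pub, RRs: map[string]RR{}}, nil
}

// Sign stores a record with an RRSIG produced by the zone's private key.
func (z *Zone) Sign(rtype, owner, rdata string) error {
	sig, err := ecdsa.SignASN1(rand.Reader, z.priv, rrHash(rtype, owner, rdata))
	if err != nil {
		return err
	}
	z.RRs[rtype+" "+owner] = RR{Data: rdata, Sig: sig}
	return nil
}

// Delegate publishes a signed DS record that vouches for the child's DNSKEY.
func (z *Zone) Delegate(child *Zone) error {
	return z.Sign("DS", child.Name, dsDigest(child.Name, child.DNSKEY))
}

// verify checks a record's RRSIG against the DNSKEY trusted for its zone.
func verify(dnskey []byte, rtype, owner string, rr RR) error {
	pubAny, err := x509.ParsePKIXPublicKey(dnskey)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, rrHash(rtype, owner, rr.Data), rr.Sig) {
		return fmt.Errorf("RRSIG check failed for %s %s", rtype, owner)
	}
	return nil
}

// Resolve plays the validating resolver from the diagram: starting from the
// configured trust anchor (root DNSKEY) it walks root -> TLD -> authoritative zone.
// Each DS must carry a valid RRSIG from the parent and match the next zone's
// DNSKEY, and the final answer must carry a valid RRSIG from its own zone.
func Resolve(trustAnchor []byte, chain []*Zone, qname string) (string, error) {
	if len(chain) == 0 || !bytes.Equal(chain[0].DNSKEY, trustAnchor) {
		return "", errors.New("root DNSKEY does not match the trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		parent, zone := chain[i-1], chain[i]
		ds, ok := parent.RRs["DS "+zone.Name]
		if !ok {
			return "", fmt.Errorf("%s publishes no DS for %s", parent.Name, zone.Name)
		}
		if err := verify(parent.DNSKEY, "DS", zone.Name, ds); err != nil {
			return "", err
		}
		if ds.Data != dsDigest(zone.Name, zone.DNSKEY) {
			return "", fmt.Errorf("DNSKEY of %s does not match the DS in %s", zone.Name, parent.Name)
		}
	}
	leaf := chain[len(chain)-1]
	ans, ok := leaf.RRs["A "+qname]
	if !ok {
		return "", fmt.Errorf("no A record for %s", qname)
	}
	if err := verify(leaf.DNSKEY, "A", qname, ans); err != nil {
		return "", err
	}
	return ans.Data, nil
}

// BuildChain constructs the diagram's hierarchy (root -> com. -> mybank.com.) with
// one A record; 192.0.2.10 is a documentation address chosen for the example.
func BuildChain() ([]*Zone, error) {
	var chain []*Zone
	for _, name := range []string{".", "com.", "mybank.com."} {
		z, err := NewZone(name)
		if err != nil {
			return nil, err
		}
		chain = append(chain, z)
	}
	err := errors.Join(chain[2].Sign("A", "www.mybank.com.", "192.0.2.10"),
		chain[0].Delegate(chain[1]), chain[1].Delegate(chain[2]))
	if err != nil {
		return nil, err
	}
	return chain, nil
}

func main() {
	chain, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println(Resolve(chain[0].DNSKEY, chain, "www.mybank.com."))
}
```

The checks that matter in practice are the negative ones: an A record whose RDATA was altered without a fresh RRSIG (what a poisoned cache entry looks like to a validator) and a mybank.com. zone signed with a key the com. zone never published a DS for both make Resolve return an error instead of an address, and a resolver configured with the wrong trust anchor accepts nothing at all. Note that every rejection depends on the private keys never having been exposed; if the signing key of any zone in the chain leaks, an attacker can produce signatures this validator accepts, which is the paper's argument for keeping those keys in an HSM.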


SafeNet DNSSEC Benefits
• Enhance Security
• Ensure Compliance
• Optimize Operational Performance

                         The Advantages of HSMs
                         Compared to the process of storing cryptographic keys in software residing on general purpose
                         application servers, HSMs deliver several advantages:

                         Completeness
                         HSMs are fully contained solutions for cryptographic processing, key generation, and key
                         storage. As purpose-built appliances, they automatically include the required hardware
                         and firmware (i.e., software) in an integrated package. Physical and logical protection of the
                         appliance is supported by a tamper resistant/evident shell; and protection from logical threats,
                         depending on the vendor’s products, is supported by integrated firewall and intrusion prevention
                         defenses. Some HSM vendors also include integrated support for two-factor authentication.
                         Security certification is typically pursued by HSM vendors and positioned as a product feature.

                         Software for these same functions is not a complete out-of-the-box solution. Server hardware is
                         a separate purchase, unless unused servers are present, as is firewall, intrusion prevention, and
                         two-factor authentication. Being tamper resistant is not a trait typically associated with general-
                         purpose servers. Security certification encompassing the combination of hardware platform
                         and software would be the responsibility of the user organization and can be a lengthy and
                         very costly activity, especially if involvement with certification bodies is not standard operating
                         practice for the organization using the software.

                         Performance
                         Cryptography is a resource intensive process that will introduce latency to any application that
                         depends on it. Depending on the application and organization involved, the objective could be
                         to minimize the latency introduced by cryptography. HSMs have an advantage over software as
                         they are designed to optimize the efficiency of cryptographic processing. Compared to software
                         running on general purpose servers, HSMs will accelerate processing; an outcome of being
                         purpose-built.

                         Compliant and Secure
                         Frequently, cryptography is used to meet compliance mandates. Cryptography use, however,
                         does not guarantee that information is secure. Further, there are no security guarantees (i.e.,
                         promises of no security incidents ever) with any security solution, so the objective becomes one
                         of managing risk by reducing the number of vulnerabilities and the likelihood of vulnerabilities
                         being exploited. The aforementioned completeness attributes of HSMs allow organizations that
                         deploy HSMs to take efficient and simultaneous steps toward compliance and security.

                         Centralization of Key Management
                         An attribute of software is its portability; software can be installed on several servers.
                         Consequently, cryptographic keys have greater likelihood to reside in several locations/software
                         hosts. This multi-location characteristic will add to administrative complexity and potential
                         lapses in the life-cycle management of cryptographic keys (e.g., rotation and revocation). In
                         addition, if consistency in the protective layer of the software host (e.g., firewall, intrusion
                         prevention, and access control) cannot be ensured, the risk of keys being compromised
                         increases. With HSMs, the tendency is to store keys in a single unit. Not only does this streamline
                         administration and reduce the potential for management lapses but it also supports a
                         consistent layer of key protection.




By leveraging HSMs, organizations can enjoy the utmost in security of the cryptographic keys
and digital certificates that underpin the DNSSEC infrastructure.

                                    The Benefits of DNSSEC with SafeNet
                                    SafeNet offers a broad set of HSMs that are ideally suited to the demands of securing private
                                    signing keys. By employing SafeNet HSMs, organizations can realize a range of benefits:

                                    Enhance Security
                                    SafeNet HSMs deliver sophisticated security capabilities that enable businesses to enjoy
                                    maximum security of DNSSEC. SafeNet HSMs ensure the most rigorous control over keys and
                                    their corresponding digital certificate. As a result, organizations can eliminate the threats of
                                    DNS exploits, and the damage they can wreak.

                                    Ensure Compliance
                                    The Internet Engineering Task Force has published a comprehensive set of guidelines for
                                    ensuring DNSSEC security. For example, RFC 5011 outlines extensive standards for securing
                                    various points in the DNS tree, referred to as trust points. Each trust point must be validated
                                    by at least one associated public key. In addition, the guidelines specify a host of efforts for
                                    securely adding keys, rotating keys, and removing keys. With their robust encryption and policy
                                    management support, SafeNet HSMs enable organizations to ensure compliance with these
                                    guidelines.

                                    Further, ICANN DNSSEC requirements state that private keys must be generated and stored on
                                    FIPS 140-2 validated HSMs. Many SafeNet HSMs meet these demanding FIPS requirements and
                                    many are also Common Criteria certified.

                                    Optimize Operational Performance
                                    By leveraging SafeNet’s secure HSMs, organizations can realize significant gains in operational
                                    performance:

                                      • Improve staff efficiency. By centralizing keys and policy administration on a central,
                                        comprehensive platform, security teams can significantly streamline administrative efforts.
                                        Further, with an appliance that supports XML, SafeNet enables easier up-front HSM
                                        integration.

                                      • Ensure high performance. By managing cryptographic processing on purpose-built
                                        appliances, SafeNet HSMs deliver scalable, responsive performance, ensuring the timely,
                                        reliable response required in DNSSEC environments.

                                      • Optimize key storage. With its support for the Elliptic Curve Digital Signature Algorithm
                                        (ECDSA), SafeNet enables more efficient storage of cryptographic keys.

                                      • Enhance customer service and loyalty. SafeNet HSMs safeguard the DNS infrastructure, so
                                        organizations can eliminate the DNS exploits that put customers at risk. By ensuring high
                                        levels of security, organizations can foster greater trust and loyalty among their customer
                                        base.

                                    SafeNet’s Breadth of HSM Offerings
                                    SafeNet HSMs provide reliable protection for applications, transactions, and information assets
                                    by safeguarding the cryptographic keys that are at the heart of any encryption-based security
                                    solution. SafeNet HSMs are the fastest, most secure, and easiest to integrate application
                                    security solution for enterprise and government organizations to ensure regulatory compliance,
                                    reduce the risk of legal liability, and improve profitability.

                                    SafeNet offers these HSM products:

                                    General Purpose HSMs, Network Attached
                                     • Luna SA. Luna SA offers award-winning application protection through powerful
                                       cryptographic processing and hardware key management. Luna PCI for Luna SA 4.1 has
                                       received Common Criteria EAL4+ certification.



By adopting DNSSEC organizations can realize a range of benefits including:
• Boost security
• Ensure compliance
• Reduce costs

                                 • Luna SP. The SafeNet Luna SP allows developers to securely deploy Web applications, Web
                                   services, and other Java applications in a protected, hardened security appliance.

                                 • Luna XML. SafeNet Luna XML is designed to secure next-generation XML Web services
                                   and service-oriented architectures (SOAs). Other HSMs take months to integrate with
                                   new applications due to complex security APIs. Luna XML has zero footprint on the
                                   host application server, providing for rapid, independent, flexible, and highly scalable
                                   deployments.

                                • ProtectServer External. The SafeNet ProtectServer External is a network-attached HSM
                                  that connects via TCP/IP to a single machine or complete network (LAN) to function as a
                                  central cryptographic subsystem that delivers symmetric and asymmetric cryptographic
                                  services. All operations that would otherwise be performed on insecure servers are
                                  securely processed within the HSM, ensuring that sensitive keys are always protected from
                                  compromise.

                                • Luna SX. The SafeNet Luna SX is a central management console for rapid HSM setup and
                                  easy remote administration for the SafeNet Luna SA and Luna SP. Using a simple GUI,
                                  SafeNet HSMs can be managed remotely and securely.

                              General Purpose HSMs, Embedded
                               • Luna CA4 HSM. The SafeNet Luna CA4 offers a complete hardware security solution for
                                 the protection of sensitive root keys belonging to certificate authorities used in public key
                                 infrastructures (PKI).

                                • Luna PCI. SafeNet Luna PCI is designed to protect cryptographic keys and accelerate
                                  sensitive cryptographic operations across a wide range of security applications.

                                • Luna PCM. SafeNet Luna PCM is a low-cost family of compact HSMs, offering hardware-
                                  based key management and hardware-accelerated cryptographic performance within a
                                  compact PCMCIA card.

                                • ProtectServer HSMs. For server systems and support applications that require high
                                  performance symmetric and asymmetric cryptographic operations, ProtectServer Gold and
                                  ProtectServer Internal-Express provide tamper-protected hardware security.

                              Conclusion
                              Today, DNSSEC represents a critical approach for guarding against a range of threats to Internet-
                              based communications. By leveraging HSMs, organizations can enjoy the utmost in security of
                              the cryptographic keys and digital certificates that underpin the DNSSEC infrastructure. Today,
                              SafeNet offers a broad range of HSMs, solutions that accommodate the needs of a range of
                              deployments, and ensure organizations enjoy maximum security in their DNSSEC environments.

                              About SafeNet, Inc.
                              Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its
                              customers’ most valuable assets, including identities, transactions, communications, data
                              and software licensing, throughout the data lifecycle. More than 25,000 customers across
                              both commercial enterprises and government agencies and in over 100 countries trust their
                              information security needs to SafeNet.




                              Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
                              Follow Us: www.safenet-inc.com/connected
                              ©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet.
                              All other product names are trademarks of their respective owners. WP (EN)-11.29.10



Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Dernier (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Building Trust into DNS: Key Strategies

Executive Summary
DNSSEC represents a vital means with which to address many security threats, including cache poisoning, man-in-the-middle attacks, and more. But the DNSSEC infrastructure is only as secure as the cryptographic keys used to protect DNS records. This paper reveals important strategies for maximizing DNSSEC security, outlining the key role HSMs play and the critical requirements for successful HSM implementations.

Introduction
For all the benefits of an open Internet, there is a dangerous flip side. Domain name system (DNS) servers are a perfect case in point. With no inherent security, DNS servers at a host of organizations have been repeatedly compromised to enable a host of malicious endeavors, including cache poisoning (injecting incorrect/fraudulent data into a name server’s cache, which then gets served to users), redirecting phone calls, man-in-the-middle attacks to steal passwords, rerouting email, denial of service attacks, and more.

To combat these threats, many organizations have implemented Domain Name System Security Extensions (DNSSEC), the process of digitally signing DNS records in order to ensure that the messages received are the same as those that were sent.

By adopting DNSSEC, a range of organizations, including domain providers, online banks and retailers, SaaS providers, and more, can realize a range of benefits:
• Boost security. DNSSEC can help guard against cache poisoning, redirected phone calls, man-in-the-middle attacks, and more.
• Ensure compliance. DNSSEC can help address ICANN, NSEC, and other mandates and guidelines.
• Reduce costs. By safeguarding against a range of network-based threats, organizations can reduce the time and cost associated with threat mitigation and post-attack forensics and reparation.

Without Robust Security, DNSSEC Can Be Compromised
In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. What this means is that DNSSEC requires some new procedures such as key generation, signing, and key management. But, for all the potential DNSSEC benefits outlined above, the intended gains aren’t guaranteed because the resource records introduced by DNSSEC are kept in an unencrypted file. It is only when the entire DNSSEC infrastructure is fully and comprehensively secured that organizations can begin to fully enjoy DNSSEC’s benefits. To do so, they need capabilities to do the following:
• Secure digital signatures. DNS messages need to be digitally signed in order to ensure the validity of DNS services.
• Control access. Organizations need to ensure only authorized customers and internal staff can access sensitive applications and data.
• Maintain application integrity. All associated application code and processes need to be secured to ensure integrity and prohibit unauthorized application execution.
• Scale to accommodate high volume processing. Since DNS updates are very frequent, DNSSEC infrastructures need to deliver the performance and scalability required to ensure timely processing at all times.

The Role of HSMs in DNSSEC
As outlined above, it is only by ensuring security throughout the DNSSEC infrastructure that businesses can realize the benefits of DNSSEC. To ensure the validity of DNS services, DNSSEC employs public key cryptography to digitally sign DNS messages. To realize the security required, robust protection of private signing keys is vital. If the keys and their corresponding digital certificates are compromised, the chain of trust in the DNS hierarchy is broken, rendering the entire system obsolete.

This is where hardware security modules (HSMs) come into play. HSMs are dedicated systems that physically and logically secure the cryptographic keys and cryptographic processing that are at the heart of digital signatures. HSMs support the following functions:
• Life-cycle management, including key generation, distribution, rotation, storage, termination, and archival.
• Cryptographic processing, which produces the dual benefits of isolating and offloading cryptographic processing from application servers.

By storing cryptographic keys in a centralized, hardened device, HSMs can eliminate the risks associated with having these assets housed on disparate, poorly secured platforms. In addition, this centralization can significantly streamline security administration.

[Figure: Securing DNS messages with HSMs. The DNS root server cluster, the TLD server cluster, and the authoritative server cluster for www.mybank.com each sign their zone records with a private key held in a SafeNet HSM (FIPS 140-2 Level 4 validated). The SafeNet HSM stores the cryptographic keys that sign the DNS records (DNSKEY, RRSIG, NSEC, and DS). Numbered steps in the figure:
1 Client initiates query for www.mybank.com.
2 ISP caching (recursive) name server starts a recursive search at the root if no record is found in its cache.
3 Recursive search is referred to the applicable TLD by the root. If the record does not exist in the TLD zone, the query is referred to the authoritative server. (Simplified example; additional zone searches may be required to identify the authoritative name server.)
4 Authoritative server responds with the signed DNS zone record.
5 Recursive server returns the verified IP address for “mybank.com” to the DNS client.]

The diagram above depicts the steps involved in securing DNS messages through the use of HSMs. By safeguarding digital certificates and cryptographic keys, organizations can maximize the security of their DNSSEC implementations.
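As an added example (not from the paper or from SafeNet), the following Python models the delegation chain the diagram walks: a validating resolver accepts a zone's DNSKEY only if it hashes to the DS record the parent zone published, from the root trust anchor down to www.mybank.com. The DS digest, key tag and canonical name follow RFC 4034; the zone names are the diagram's, the key bytes are constructed filler rather than real public keys, and RRSIG signature checking is not modelled. Note what the check does and does not catch: a DNSKEY the parent never vouched for fails at that zone, while a signature made with a stolen copy of the legitimate private key would still pass, which is exactly why the paper puts the private signing key inside an HSM.

```python
import hashlib

def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 6.2): lowercase labels,
    each prefixed by its length, terminated by the zero-length root label."""
    owner = owner.lower().rstrip(".")
    out = b""
    for label in owner.split(".") if owner else []:
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = ZONE|SEP, a key-signing key), protocol 3, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; identifies which DNSKEY a DS or RRSIG refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256, 4 = SHA-384."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, canonical_name(owner) + rdata).digest()

def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS RDATA a parent zone publishes (and signs) for a child's key-signing key."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def validate_chain(trust_anchor_ds: tuple, chain: list):
    """Walk a delegation chain the way a validating resolver does.

    chain is [(owner, dnskey_rdata, ds_this_zone_publishes_for_next_zone), ...], root first.
    Each zone's DNSKEY must hash to the DS its parent published (the root to the resolver's
    configured trust anchor). Returns the owner where the link breaks, or None if intact.
    """
    expected = trust_anchor_ds
    for owner, rdata, ds_for_child in chain:
        if expected is None or ds_record(owner, rdata, expected[2]) != expected:
            return owner
        expected = ds_for_child
    return None

def build_demo_chain():
    """Constructed data for the diagram's three zones; the key bytes are filler, not real keys."""
    root = dnskey_rdata(257, 8, bytes(range(1, 65)))          # algorithm 8 = RSA/SHA-256
    tld = dnskey_rdata(257, 13, bytes(range(65, 129)))        # algorithm 13 = ECDSA P-256/SHA-256
    bank = dnskey_rdata(257, 13, bytes(range(129, 193)))
    chain = [
        (".", root, ds_record("com.", tld)),                  # root signs the DS for com.
        ("com.", tld, ds_record("mybank.com.", bank)),        # com. signs the DS for mybank.com.
        ("mybank.com.", bank, None),                          # leaf zone delegates nothing further
    ]
    return ds_record(".", root), chain                        # (resolver's trust anchor, chain)

def substitute_key(chain: list, owner: str, new_rdata: bytes) -> list:
    """Serve a different DNSKEY at one zone while the parent's DS is unchanged: a key the
    parent never vouched for (rogue, or a rolled key whose DS has not yet reached the parent)."""
    return [(o, new_rdata if o == owner else r, d) for o, r, d in chain]

if __name__ == "__main__":
    anchor, chain = build_demo_chain()
    print("intact chain breaks at:", validate_chain(anchor, chain))            # None
    rogue = substitute_key(chain, "mybank.com.", dnskey_rdata(257, 13, bytes(64)))
    print("substituted key breaks at:", validate_chain(anchor, rogue))         # mybank.com.
```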
The Advantages of HSMs
Compared to the process of storing cryptographic keys in software residing on general purpose application servers, HSMs deliver several advantages:

Completeness
HSMs are fully contained solutions for cryptographic processing, key generation, and key storage. As purpose-built appliances, they automatically include the required hardware and firmware (i.e., software) in an integrated package. Physical and logical protection of the appliance is supported by a tamper resistant/evident shell; and protection from logical threats, depending on the vendor’s products, is supported by integrated firewall and intrusion prevention defenses. Some HSM vendors also include integrated support for two-factor authentication. Security certification is typically pursued by HSM vendors and positioned as a product feature.

Software for these same functions is not a complete out-of-the-box solution. Server hardware is a separate purchase, unless unused servers are present, as is firewall, intrusion prevention, and two-factor authentication. Being tamper resistant is not a trait typically associated with general-purpose servers. Security certification encompassing the combination of hardware platform and software would be the responsibility of the user organization and can be a lengthy and very costly activity, especially if involvement with certification bodies is not standard operating practice for the organization using the software.

Performance
Cryptography is a resource intensive process that will introduce latency to any application that depends on it. Depending on the application and organization involved, the objective could be to minimize the latency introduced by cryptography. HSMs have an advantage over software as they are designed to optimize the efficiency of cryptographic processing. Compared to software running on general purpose servers, HSMs will accelerate processing; an outcome of being purpose-built.

Compliant and Secure
Frequently, cryptography is used to meet compliance mandates. Cryptography use, however, does not guarantee that information is secure. Further, there are no security guarantees (i.e., promises of no security incidents ever) with any security solution, so the objective becomes one of managing risk by reducing the number of vulnerabilities and the likelihood of vulnerabilities being exploited. The aforementioned completeness attributes of HSMs allow organizations that deploy HSMs to take efficient and simultaneous steps toward compliance and security.

Centralization of Key Management
An attribute of software is its portability; software can be installed on several servers. Consequently, cryptographic keys have a greater likelihood to reside in several locations/software hosts. This multi-location characteristic will add to administrative complexity and potential lapses in the life-cycle management of cryptographic keys (e.g., rotation and revocation). In addition, if consistency in the protective layer of the software host (e.g., firewall, intrusion prevention, and access control) cannot be ensured, the risk of keys being compromised increases. With HSMs, the tendency is to store keys in a single unit. Not only does this streamline administration and reduce the potential for management lapses, but it also supports a consistent layer of key protection.
The Benefits of DNSSEC with SafeNet
SafeNet offers a broad set of HSMs that are ideally suited to the demands of securing private signing keys. By employing SafeNet HSMs, organizations can realize a range of benefits:

Enhance Security
SafeNet HSMs deliver sophisticated security capabilities that enable businesses to enjoy maximum security of DNSSEC. SafeNet HSMs ensure the most rigorous control over keys and their corresponding digital certificate. As a result, organizations can eliminate the threats of DNS exploits, and the damage they can wreak.

Ensure Compliance
The Internet Engineering Task Force has published a comprehensive set of guidelines for ensuring DNSSEC security. For example, RFC 5011 outlines extensive standards for securing various points in the DNS tree, referred to as trust points. Each trust point must be validated by at least one associated public key. In addition, the guidelines specify a host of efforts for securely adding keys, rotating keys, and removing keys. With their robust encryption and policy management support, SafeNet HSMs enable organizations to ensure compliance with these guidelines. Further, ICANN DNSSEC requirements state that private keys must be generated and stored on FIPS 140-2 validated HSMs. Many SafeNet HSMs meet these demanding FIPS requirements and many are also Common Criteria certified.

Optimize Operational Performance
By leveraging SafeNet’s secure HSMs, organizations can realize significant gains in operational performance:
• Improve staff efficiency. By centralizing keys and policy administration on a central, comprehensive platform, security teams can significantly streamline administrative efforts. Further, with an appliance that supports XML, SafeNet enables easier up-front HSM integration.
• Ensure high performance. By managing cryptographic processing on purpose-built appliances, SafeNet HSMs deliver scalable, responsive performance, ensuring the timely, reliable response required in DNSSEC environments.
• Optimize key storage. With its support for the Elliptic Curve Digital Signature Algorithm (ECDSA), SafeNet enables more efficient storage of cryptographic keys.
• Enhance customer service and loyalty. SafeNet HSMs safeguard the DNS infrastructure, so organizations can eliminate the DNS exploits that put customers at risk. By ensuring high levels of security, organizations can foster greater trust and loyalty among their customer base.

SafeNet’s Breadth of HSM Offerings
SafeNet HSMs provide reliable protection for applications, transactions, and information assets by safeguarding the cryptographic keys that are at the heart of any encryption-based security solution. SafeNet HSMs are the fastest, most secure, and easiest to integrate application security solution for enterprise and government organizations to ensure regulatory compliance, reduce the risk of legal liability, and improve profitability. SafeNet offers these HSM products:

General Purpose HSMs, Network Attached
• Luna SA. Luna SA offers award-winning application protection through powerful cryptographic processing and hardware key management. Luna PCI for Luna SA 4.1 has received Common Criteria EAL4+ certification.
• Luna SP. The SafeNet Luna SP allows developers to securely deploy Web applications, Web services, and other Java applications in a protected, hardened security appliance.
• Luna XML. SafeNet Luna XML is designed to secure next-generation XML Web services and service-oriented architectures (SOAs). Other HSMs take months to integrate with new applications due to complex security APIs. Luna XML has zero footprint on the host application server, providing for rapid, independent, flexible, and highly scalable deployments.
• ProtectServer External. The SafeNet ProtectServer External is a network-attached HSM that connects via TCP/IP to a single machine or complete network (LAN) to function as a central cryptographic subsystem that delivers symmetric and asymmetric cryptographic services. All operations that would otherwise be performed on insecure servers are securely processed within the HSM, ensuring that sensitive keys are always protected from compromise.
• Luna SX. The SafeNet Luna SX is a central management console for rapid HSM setup and easy remote administration for the SafeNet Luna SA and Luna SP. Using a simple GUI, SafeNet HSMs can be managed remotely and securely.

General Purpose HSMs, Embedded
• Luna CA4 HSM. The SafeNet Luna CA4 offers a complete hardware security solution for the protection of sensitive root keys belonging to certificate authorities used in public key infrastructures (PKI).
• Luna PCI. SafeNet Luna PCI is designed to protect cryptographic keys and accelerate sensitive cryptographic operations across a wide range of security applications.
• Luna PCM. SafeNet Luna PCM is a low-cost family of compact HSMs, offering hardware-based key management and hardware-accelerated cryptographic performance within a compact PCMCIA card.
• ProtectServer HSMs. For server systems and support applications that require high performance symmetric and asymmetric cryptographic operations, ProtectServer Gold and ProtectServer Internal-Express provide tamper-protected hardware security.

Conclusion
Today, DNSSEC represents a critical approach for guarding against a range of threats to Internet-based communications. By leveraging HSMs, organizations can enjoy the utmost in security of the cryptographic keys and digital certificates that underpin the DNSSEC infrastructure. Today, SafeNet offers a broad range of HSMs, solutions that accommodate the needs of a range of deployments, and ensure organizations enjoy maximum security in their DNSSEC environments.

About SafeNet, Inc.
Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet.

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected

©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-11.29.10