When HP’s SDN App Store launched earlier this fall, BlueCat was one of the first vendors to join the marketplace for SDN applications and central hub for the developers who create those apps. We talked to Thomas Borrel, vice president of strategic alliances at BlueCat, about how BlueCat partnered with HP to develop DNS Director, an SDN app that takes a DNS-driven approach to network security.
SDNCentral: How does DNS apply to network security today?
Borrel: Networks today are besieged by a host of emerging threats, and it’s difficult to pinpoint, isolate and defend against them all. DNS is a core network service that enables device-to-app, app-to-app and device-to-device communication. This makes DNS uniquely positioned to enhance and extend existing security solutions that organizations already have in place.
Organizations are increasingly leveraging DNS-driven policies as an additional layer of protection because DNS shows intent. Before any communication can take place, devices and applications must perform a DNS lookup, which exposes their intent to connect. This makes DNS a tremendous source of visibility and insight for network security systems. DNS also translates names into IP addresses, meaning it can be used to control where devices and applications can and cannot go on the network.
DNS-driven policies are typically deployed on the corporate DNS infrastructure, so devices and applications must be properly configured for the policies to be effective. This means users and/or malware can change DNS settings to use non-corporate DNS servers and bypass DNS-driven policies.
BlueCat DNS Director is designed to close this security gap by ensuring that all devices and applications are subject to DNS-driven policies regardless of their configuration.
How does DNS Director strengthen network security?
DNS Director provides global visibility and centralized control over all DNS traffic across all connected devices. It uses SDN OpenFlow to direct all DNS traffic to the corporate-managed DNS servers where policies are applied.
DNS Director intercepts and redirects unwanted traffic at the network edge without overwhelming the SDN Controller or firewalls, or introducing a single point of failure. Responses to intercepted DNS queries are defined by policies and structured to look like the originally queried DNS server issued them. This approach makes it difficult for malware to programmatically detect that its DNS traffic has been intercepted, and it prevents devices from bypassing DNS-driven security policies and accessing untrusted DNS servers.
How does SDN make the approach in your app different from other DNS apps?
The use of SDN OpenFlow allows BlueCat to ensure that all DNS queries are intercepted at the edge and processed by the DNS server where policies can be applied. Other approaches rely predominantly on the deployment of agents on devices and applications, or they rely on firewall configuration to either block or proxy DNS traffic targeted at non-corporate-managed DNS servers.
Deploying agents may be a viable approach for laptops, smartphones or tablets, but many users still are unwilling to embrace the approach. The Enterprise Internet of Things (IoT) further limits the coverage of this solution, as agents may not be available for all products deployed.
Meanwhile, both firewall approaches push the point of enforcement to the very edge of the network and only consider cross-pod and/or internal-to-external traffic. Recent breaches and malware attacks have demonstrated that a compromised system inside an organization could be used as a rendezvous point to exfiltrate data or help with the replication and spread of the malware infection, which current solutions cannot stop.
Some solutions may also result in an unacceptably poor user experience. For example, blocking DNS traffic at the firewall means users are unable to resolve DNS and are left under the impression that their connection is “down,” which results in unnecessary calls to the IT Help Desk.
How about proxying DNS at the firewall?
Proxying DNS at the firewall not only prevents organizations from leveraging the significant investment made in a highly scalable and responsive DNS infrastructure, but it also makes the interception visible to the endpoints, as the response is clearly issued by a corporate-managed DNS server.
By using OpenFlow and processing queries at the DNS server where policies can be applied, DNS Director ensures DNS-driven security policies are applied to all connected devices, regardless of ownership and configuration. It structures responses so the interception of the queries is not programmatically detectable, thus addressing security challenges in ways current solutions cannot.
Why did you pick the HP VAN SDN platform to develop on?
BlueCat is solely focused on IP address management and DNS and DHCP core services. We have no desire to build an SDN controller, but our unique capabilities provide SDN with greater visibility and control over connected devices and application access.
Our mission is to develop IP address management, DNS, and DHCP solutions that help our customers build elastic networks that scale and adapt to changing demands. HP’s unique approach with the HP VAN SDN platform and the HP SDN App Store provide us with full access to leading vendors whose technology will supplement our solutions.
What kind of support did you get from HP while developing the application?
HP supported us from inception to marketing and distribution. They provided BlueCat with all the necessary tools to build our apps – from development environment to extensive documentation on the HP VAN SDN Controller API – as well as skilled resources to assist with any questions we might have.
What other applications do you see as being interesting to this SDN app world?
IP address management (IPAM) is critical to both centralized and distributed SDN deployments because it provides centralized and programmatic control of deployed DNS and DHCP network devices. Allowing SDN Controllers to use IPAM data drives greater network agility through automation and orchestration. DNS also is core to service provisioning, including cloud bridge, traditional and software-defined data centers, and orchestration of complex network changes across large enterprises.
BlueCat is exploring additional apps designed to automate service delivery through IPAM insight to the SDN Controller, as well as SDN flow-impacting enforcement applications.
What would your advice be to other potential application developers?
We encourage potential application developers to strongly consider the HP VAN SDN platform because we think it’s a fantastic platform to develop and commercialize SDN applications. We also encourage developers to build their own lab so they are in a position to validate their application against a broader set of deployments and infrastructures.
For more about this application and the rest of the ecosystem, please visit the HP SDN App Store.
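To make the mechanism Borrel describes concrete, here is an added illustration in Python. It is not BlueCat's or HP's code and says nothing about how DNS Director is actually implemented; it is a toy model of the OpenFlow pattern the interview outlines: a table miss on the first DNS packet punts to the controller, the controller installs one flow that steers the query to the corporate resolver and a second that rewrites the reply's source address back to the server the client originally asked, and every later packet of that flow is switched without touching the controller. The addresses (10.0.0.53 as the corporate resolver, 10.0.0.254 as a sinkhole, 8.8.8.8 as the non-corporate server the client is configured to use), the blocked name `evil.example.` and the resolver's answers are all constructed for the example.

```python
"""Toy simulation of OpenFlow-style DNS redirection with return-path
address rewriting. Added illustration only: not BlueCat's or HP's code.
All addresses, names and policy entries below are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

CORPORATE_DNS = "10.0.0.53"      # assumed corporate resolver (constructed)
SINKHOLE = "10.0.0.254"          # assumed sinkhole address (constructed)
BLOCKED = {"evil.example."}      # constructed DNS-driven policy


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    qname: str                   # DNS question name (echoed in the reply)
    answer: Optional[str] = None  # filled in by the resolver on replies


@dataclass
class Flow:
    match: Dict[str, object]     # exact-match fields; absent fields are wildcards
    actions: Dict[str, object]   # OpenFlow set-field style header rewrites
    priority: int
    hits: int = 0


class Switch:
    """Forwarding element: highest-priority matching flow wins; a table miss
    punts the packet to the controller (the OpenFlow packet-in path)."""

    def __init__(self, controller: "Controller") -> None:
        self.flows: List[Flow] = []
        self.controller = controller
        self.packet_ins = 0

    def add_flow(self, flow: Flow) -> None:
        self.flows.append(flow)
        self.flows.sort(key=lambda f: -f.priority)

    def forward(self, pkt: Packet) -> Packet:
        for f in self.flows:
            if all(getattr(pkt, k) == v for k, v in f.match.items()):
                f.hits += 1
                return replace(pkt, **f.actions)
        self.packet_ins += 1
        return self.controller.packet_in(self, pkt)


class Controller:
    """Sees only the first packet of a DNS flow. Installs a forward flow that
    steers the query to the corporate resolver and a reverse flow that puts the
    originally queried server's address back as the reply's source, so the
    client cannot tell from the headers that it was redirected."""

    def packet_in(self, switch: Switch, pkt: Packet) -> Packet:
        if pkt.dst_port == 53 and pkt.dst_ip != CORPORATE_DNS:
            switch.add_flow(Flow(
                match={"src_ip": pkt.src_ip, "src_port": pkt.src_port,
                       "dst_ip": pkt.dst_ip, "dst_port": 53},
                actions={"dst_ip": CORPORATE_DNS}, priority=100))
            switch.add_flow(Flow(
                match={"src_ip": CORPORATE_DNS, "src_port": 53,
                       "dst_ip": pkt.src_ip, "dst_port": pkt.src_port},
                actions={"src_ip": pkt.dst_ip}, priority=100))
            return switch.forward(pkt)   # now hits the freshly installed flow
        return pkt                       # non-DNS traffic: untouched in this toy


def corporate_resolver(query: Packet) -> Packet:
    """Policy-applying resolver: blocked names are answered with the sinkhole."""
    assert query.dst_ip == CORPORATE_DNS, "query should have been steered here"
    rdata = SINKHOLE if query.qname in BLOCKED else "93.184.216.34"  # constructed
    return Packet(src_ip=query.dst_ip, dst_ip=query.src_ip,
                  src_port=53, dst_port=query.src_port,
                  qname=query.qname, answer=rdata)


def resolve_via_network(switch: Switch, client_ip: str, rogue_dns: str,
                        sport: int, qname: str) -> Packet:
    """Client queries a non-corporate resolver; returns the reply exactly as the
    client sees it after the query and the reply both traverse the switch."""
    query = Packet(client_ip, rogue_dns, sport, 53, qname)
    reply = corporate_resolver(switch.forward(query))
    return switch.forward(reply)
```

Running `resolve_via_network` twice for the same client, server and source port shows the two properties the interview emphasizes: the reply for a blocked name carries the sinkhole address but is addressed from 8.8.8.8, and the controller is consulted only once, with the second query matching the installed flows. A real deployment would additionally rewrite L2 addresses, set idle timeouts on the per-flow entries, and decide what to do when a client reuses a source port toward a different server; none of that is modeled here.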