Tools, services and other resources are arriving for enterprise DNSSEC adoption, but for now experts agree that it might take years before support for the technology is more widespread.
Network managers aren't feeling enough pain, and for this reason they don't seem to be moving to DNSSEC.
Lawrence Orans, research director at Gartner Inc.
Domain Name System Security Extensions (DNSSEC) consists of protocols that add an encryption layer to DNS, and security experts have praised the specifications as a way to boost security by eliminating the forged DNS data used in cache poisoning and man-in-the-middle attacks. Top-level domains, including .org, .net and .gov, have been signed to support the specifications. VeriSign signed the .com top-level domain in April.
Comcast Corp. announced this week that it was one of the first ISPs in North America to fully run the DNSSEC protocol as part of its services. PayPal is one of the first enterprises to secure its domains with DNSSEC, but it's unlikely many other enterprises will jump at the chance of becoming early adopters, said Lawrence Orans, research director at Stamford, Conn.-based Gartner Inc. Gartner has predicted that by 2014 no more than 30% of DNS lookups will be verified by DNSSEC. The risk of attack has to be high enough before adoption gains momentum, he said.
"Network managers aren't feeling enough pain, and as a result they aren't moving to DNSSEC," Orans said. "We're just not seeing a lot of interest from enterprises."
Nonetheless, vendors are stepping up with technology to support the transition to DNSSEC. Thales Information Systems Security, which sells hardware security modules (HSMs), has already supported DNSSEC for early adopters using OpenDNSSEC open source software. This week, the company announced a partnership with Infoblox, adding support and automated features to simplify the deployment process. ISPs, hosting providers and domain registrars are currently the target adopters for DNSSEC, said Richard Moulds, vice president of product management and strategy at Thales.
"Anyone deploying DNSSEC has to make a decision on what level of assurance they want," Moulds said. "The highest links within the chain always use an HSM. Unlike database encryption, that's a private decision about risk management, when we're talking about DNS, every organization is playing a job in that chain of trust and that is the reason why your obligation is to follow the simplest practices."
A company enabling DNSSEC has a choice between a software or hardware approach to key management, or it can turn over many of the management capabilities to a DNS organisation or domain registrar. Thales hopes its customers, mainly financial firms, will take the leap into DNSSEC using the hardware-based approach.