DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
8 slides
Dec 03, 2009
About This Presentation
This slideshow gives an overview of how F5's BIG-IP Application Delivery Controllers protect customers' DNS infrastructure against various attacks by implementing a unique dynamic security signing policy.
Size: 2.09 MB
Language: en
Slide Content
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Infrastructure is Vulnerable
Spoofing and cache poisoning allow hijacking of domains.
[Diagram: the LDNS resolver asks "www.example.com?" of the Example.com GSLB and app servers; the legitimate answer is 123.123.123.123, but a "Hacker" who spoofs the first response or poisons the cache delivers 012.012.012.012 instead.]
Problem
- Need to secure the DNS infrastructure
- Cache poisoning and spoofing can hijack DNS records
- Need a method for trusted responses
- Need to meet the US Government mandate for DNSSEC compliance
What is DNSSEC?
- DNS protocol extensions that ensure the integrity of data returned by domain name lookups.
- Incorporates a “chain of trust” into the DNS hierarchy using public key cryptography (PKI). Each link in the chain consists of a public-private key pair.
- Provides origin authenticity, data integrity, and secure denial of existence:
  - Origin authenticity: resolvers can verify that data originated from authoritative sources.
  - Data integrity: resolvers can also verify that responses were not modified in flight.
  - Secure denial of existence: when there is no data for a query, authoritative servers can provide a response that proves no data exists.
How Does DNSSEC Work?
- Each DNSSEC zone creates one or more public/private key pairs.
- The public portion is published in the DNSSEC record type DNSKEY.
- Zones sign all resource record sets (RRsets) with the private key(s); resolvers use the DNSKEY(s) to verify those sets.
- Each RRset has a signature attached to it: an RRSIG record.
- So, if a resolver has a zone’s DNSKEY(s), it can verify that the RRsets are intact by verifying their RRSIGs.
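A resolver trusts a zone's DNSKEY only because the parent zone vouches for it: the parent publishes a DS record carrying a hash of the child's key-signing DNSKEY, and that is the link in the chain of trust the slides mention. The following added example (not from the F5 deck and not BIG-IP GTM code) computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest for a constructed DNSKEY and performs the resolver-side comparison; ds_matches, DEMO_KEY and DEMO_DS are assumed names, and the key bytes are a placeholder rather than real RSA material.

```python
# Added example: one link of the DNSSEC chain of trust. The parent zone's DS
# record holds a hash of the child's key-signing DNSKEY; a validating resolver
# recomputes that hash from the served DNSKEY and compares. Standard library only.
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, then key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than RSAMD5): the 16-bit
    sum of the RDATA with the carry folded in. RRSIG and DS use it to name a key."""
    acc = 0
    for i in range(0, len(rdata), 2):
        acc += (rdata[i] << 8) | (rdata[i + 1] if i + 1 < len(rdata) else 0)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256, RFC 4509) over owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def ds_matches(owner: str, rdata: bytes, ds_tag: int, ds_alg: int, ds_hex: str) -> bool:
    """Resolver-side check (assumed helper): the DNSKEY served by the child is
    trusted only if key tag, algorithm and digest all match the parent's DS."""
    return (key_tag(rdata) == ds_tag and rdata[3] == ds_alg
            and ds_digest(owner, rdata).hex() == ds_hex.lower())


# Constructed demo key: flags 257 (KSK), algorithm 8 (RSASHA256), placeholder
# key bytes rather than real RSA material.
DEMO_KEY = dnskey_rdata(257, 8, bytes([1, 2, 3, 4]))
DEMO_DS = (key_tag(DEMO_KEY), 8, ds_digest("example.com", DEMO_KEY).hex())

if __name__ == "__main__":
    print("key tag:", key_tag(DEMO_KEY))  # 2063
    print("genuine key accepted:", ds_matches("example.com", DEMO_KEY, *DEMO_DS))
    # A substituted key does not hash to the parent's DS digest, so it is rejected.
    forged = dnskey_rdata(257, 8, bytes([9, 9, 9, 9]))
    print("forged key accepted:", ds_matches("example.com", forged, *DEMO_DS))
```

The same comparison is what a validating resolver performs at every delegation from the root down, which is why a spoofed or poisoned record without a matching signature chain is discarded.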
Securing the DNS Infrastructure
Dynamic and secure DNS with Global Traffic Manager
[Diagram: the LDNS resolver asks "www.example.com?"; BIG-IP GTM, in front of the Example.com app servers, answers 123.123.123.123 + public key. A "Hacker" is shown alongside, but the client gets a signed, trusted response.]
Solution: secure and dynamic DNS
- Ensure users get trusted DNS queries with signed responses
- Reduce management costs: simple to implement and maintain
- Meet mandates with a DNSSEC-compliant solution
BIG-IP Global Traffic Manager with DNSSEC
Drop-in DNSSEC Compliance
Simple DNSSEC compliance
- Drop GTM in front of existing DNS servers
- GTM signs requests without changes to the DNS configuration
[Diagram: BIG-IP GTM sits in front of the existing Example.com DNS servers; a query for "site.example.com ?" is answered with 172.16.124.1 + trusted SSL key.]
BIG-IP Global Traffic Manager with DNSSEC
Find Out More on DNSSEC
- Video: DNSSEC in Five Easy Steps
- Blog: It’s DNSSEC not DNSSUX
- Tech Tip: Configuring GTM’s DNS Security Extensions