Enhancing Zero Trust Architecture Through IPv6 and DNS Security


By: Mohammed Al-Moneer, Regional Director, META at Infoblox

Zero Trust Helps Secure Enterprise Networks and Sensitive Data

The Zero Trust security model can help cybersecurity professionals to secure enterprise networks and sensitive data. By continuously assuming that a breach is inevitable or has already occurred, the model eliminates trust in any single element. Zero Trust is a data-centric model that seeks to limit access while trying to identify anomalous or malicious activity.

The Zero Trust mindset brings substantial benefits. System administrators can better control devices, processes and users that engage with data in any way. When adhered to, the basic principles of Zero Trust can reduce the risks associated with insider threats, malicious activity that targets supply chain, the compromise of user credentials, remote exploitation and many other types of cyberattacks.

There are two things that can be done to enable Zero Trust: migrate to IPv6 and combine it with DNS security. 

Zero Trust through IPv6

In the last few years, the momentum of implementing IPv6 has grown significantly as its superior features have become compelling. This momentum has been sustained by reducing cost, decreasing complexity, improving the security stack and eliminating barriers to innovation in networked information systems.

One of the important characteristics of IPv6 is the abundance of global IPv6 addresses it offers, and this abundance removes the need for network address translation (NAT) as a workaround for the depletion of public IPv4 addresses. Without NATs in the middle of client-server communications, the application server receives the unmodified connection from the source IPv6 address of the client.

Due to the constraints of IPv4 addresses, the use of NATs has become ubiquitous; this obfuscates client IPv4 addresses and provides anonymity to attackers. As a result, servers cannot always validate the identity of client connections, so other forms of authenticating end users have to be used. This creates problems with reputation filtering and with the use of client IPv4 addresses for authentication and for detecting and blocking fraudulent transactions.

Among the possibilities provided by an IPv6-based network is taking much more advantage of secure DNS management, with a view to reinforcing the security of the entire network. In an IPv6 network, DNS can become an absolute “Zero Trust” control point, where every Internet address can be scanned for potentially malicious behavior and identified by built-in threat intelligence.

Building a Resilient Zero Trust Architecture with DNS Security 

One strategy that can significantly strengthen the security posture of the network is to integrate the valuable metadata residing in DDI (DNS, DHCP and IPAM) with the security stack. This information makes it possible to identify the connected device responsible for a set of network traffic, which enables IT teams to detect a potential threat and share that information with the security ecosystem. Using DNS security and leveraging DNS-related information within a Zero Trust architecture can reduce risk in all environments from the core of the on-premises network to its farthest cloud-enabled edge.

Visibility and automation capabilities are essential when deploying a Zero Trust architecture. DNS-based security with network device discovery – whether in on-premises, virtualized or hybrid multi-cloud environments – reduces IT silos through shared access to the integrated, authoritative database of protocol, IP address, network infrastructure devices, end hosts, connectivity and port data. These capabilities reduce security and service disruptions through the detection of rogue devices, errors, unmanaged devices, and networks that go unseen in standard IPAM tools.

DNS has a key role to play in a Zero Trust architecture, because it provides more centralized visibility and control of all computing resources, including users and servers in a micro-segment, all the way to individual IP addresses. Because most traffic, including malicious traffic, goes through DNS resolution first, DNS is an important source of telemetry that provides detailed client information and helps detect anomalous behavior and protect east-west traffic between micro-segments. DNS security can also continuously check for, detect and block C&C connections and attempts to access websites that host malware. For all of these reasons, DNS security is now a core enabler of the Zero Trust strategy.

DNS security provides a single point of control for administering and managing all environments, including cloud, on-premises, WFA and mobile devices. This provides one DNS security administration point for all security stacks, and this point can easily be integrated with SOAR and other critical cybersecurity ecosystem controls. Organizations must always be in control of and have complete visibility into DNS traffic. It is best practice that all DNS traffic be resolved by servers controlled by the organization, not by external resolvers over which the IT team has no control.
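As an added example (not from the article or from Infoblox), the following Python check applies the two DNS controls described above, flagging clients that bypass the organization's resolvers and clients that query known C&C or malware-hosting domains, over constructed query log lines. The resolver addresses, the blocklist and the log format are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical allow list of organization-controlled resolvers (constructed documentation addresses).
APPROVED_RESOLVERS = {
    ipaddress.ip_address("2001:db8:1::53"),
    ipaddress.ip_address("2001:db8:1::54"),
}
# Hypothetical threat-intelligence feed of C&C / malware-hosting domains (constructed).
BLOCKED_DOMAINS = {"c2.example", "malware-host.example"}

# Constructed DNS query log: "<client IPv6> <resolver IPv6> <queried name>" per line.
SAMPLE_LOG = """\
2001:db8:10::a1 2001:db8:1::53 www.example.com
2001:db8:10::a1 2001:db8:1::53 update.example.org
2001:db8:10::b7 2001:db8:1::54 beacon.c2.example
2001:db8:10::c3 2001:db8:ffff::1 www.example.net
2001:db8:10::b7 2001:db8:1::53 malware-host.example
"""

def parse_line(line):
    """Split one log line into (client address, resolver address, normalized qname)."""
    client, resolver, qname = line.split()
    return ipaddress.ip_address(client), ipaddress.ip_address(resolver), qname.lower().rstrip(".")

def domain_is_blocked(qname):
    """True if the name or any parent domain is on the blocklist (beacon.c2.example -> c2.example)."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def analyze(log_text):
    """Return {client: [(finding, resolver, qname), ...]} for every policy violation in the log.

    resolver_bypass: the query went to a resolver the organization does not control.
    blocked_domain:  the queried name matches the threat-intelligence blocklist.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, resolver, qname = parse_line(line)
        if resolver not in APPROVED_RESOLVERS:
            findings[str(client)].append(("resolver_bypass", str(resolver), qname))
        if domain_is_blocked(qname):
            findings[str(client)].append(("blocked_domain", str(resolver), qname))
    return dict(findings)
```

Because the client address is the unmodified IPv6 source, each finding maps directly to one device, which is what lets the result be shared with the rest of the security stack.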