Cloud computing security: Routing and DNS security threats

DNS security threats and cloud computing
When we discuss both routing and DNS, we must consider these services as they pertain to the client-cloud connection, the inter-cloud connection and the cloud-to-cloud connection, because vulnerabilities can occur differently depending on the connection type.

Most of us are familiar with the service that domain name service (DNS) provides. When humans manage the client in a browser scenario, for example, a domain name (ex. www.securitycurve.com) rather than an IP address (ex. 192.168.111.1), it is a lot easier to remember. DNS handles the translation of the name to a machine-usable IP address. Another benefit of using DNS is greater flexibility. Multiple servers can be set to resolve to a single name for load balancing purposes, and translation and routing proxies allow entire companies to resolve to a single IP address on the Internet while using protected, non-Internet-routable addresses internally.

The downside to using DNS is that the name translations and associated routing rules must be trusted by the client. If a user enters www.amazon.com, or an application is configured to call www.amazon.com, it is assumed the IP address that is ultimately returned is correct. However, if the client calls the server by name, the client runs the risk of being spoofed and rerouted to an evil twin cloud. For this reason, when using cloud computing services, use of the IP address for the call is recommended for connections that require the highest surety.

However, using IP addresses is not always feasible; thus, implementation of DNS security, such as DNSSEC, is recommended for domains participating in the cloud computing environment. With DNSSEC, both domains are digitally signed and must have exchanged DNSSEC public keys. DNSSEC mitigates DNS tampering and raises the trust level. One drawback to DNSSEC is that the domains must be DNSSEC compliant and the clients must also be DNSSEC aware.

DNS security threats: Why the path matters
Now that we've determined the endpoints, we must now consider the actual path. In this particular area there are no guarantees. Even if the client site and the server site have taken various security precautions, and the IP address-to-name mappings are resolved through DNSSEC, the routes can still present problems. The routing path may traverse hostile territory. Routes can be manipulated to present distant rogue collection sites as neighboring peer sites. In some cases, the goal is to prevent processing from happening, while in other cases, observation may be the end goal.

For more information: Experts debate cloud computing risks and whether they should be absorbed by the customer. Learn about the challenges of integrating extended cloud capabilities into corporate policies and procedures. Discover the importance of securing SaaS and cloud computing.

To prevent processing, data can be dropped or rerouted before it reaches the destination. This is more subtle than a DoS because there is no active flood of packets to the target, and the client is unsure why the connection or transaction never completed. Reroute/data drop attacks are particularly effective against time- and latency-sensitive applications like voice and video, because even short or intermittent service disruptions can render the service unusable.

If a front-end server is deployed by the cloud, the next issue to consider is how the traffic is being distributed to the server farm. In an "anycast" deployment scheme, a pool of addresses is rotated in order to load balance traffic. This provides a more robust solution than does the DNS round robin configuration. However, the DNS round robin method is free and easy to deploy. Therefore, it is important to discern how the cloud computing service provider is actually distributing the load. In most cases, anycast should be the load balancing method utilized.

Once the IP address of the cloud computing server is chosen, routing becomes an issue again. Unlike the client-to-front-end connection, however, this connection is handled transparently between applications, machines or networks. This is significant because the server farms are geographically distributed over a public infrastructure. The wider scale greatly increases the routing vulnerability.

Additional cloud computing attacks
The infrastructure that exists between the client and the cloud computing server, as well as the cloud computing server infrastructure itself, presents opportunities for other types of specifically targeted attacks. For example, DoS and DDoS attacks against either the cloud computing service provider or the cloud computing client. DoS attacks can be launched at the cloud computing service provider when the client may be the real target. Within the client server farm infrastructure, one server may become compromised and other good servers may suddenly become busy, resulting in anycast directing cloud computing requests to the rogue server and preventing legitimate connections to the client servers. If the cloud computing service provider is the target, all client servers within the provider's infrastructure could be rendered unavailable by flooding the cloud computing environment's entry points with connection requests.

The problem is exacerbated by the geographically distributed nature of cloud computing. When the server farms span multiple data centers and nations, there are no guarantees that each server is configured and managed identically. Though centralized policy management is available for massively distributed environments, it is not always implemented correctly; few customers demand proof of how policy conformance is implemented by their CC providers. Furthermore, if any server were to be compromised, the company policies must be reconciled with the host nation's cyber laws.

Robust centralized management of server configurations can help prevent DoS and ensure all servers in the cloud respond according to the same accepted baseline. Moreover, there are network and perimeter devices available to detect malicious traffic, such as DoS floods, that will mitigate this type of attack and ensure legitimate traffic continues to be processed.

Summary
Requests and data travel paths are invisible to the average user. Most enterprises trust the correctness of these paths and accept the general assumption that if a connection is made, it is a reliable one. Attackers can misuse this trust by misdirecting connection requests to rogue servers and clouds.

Mitigation techniques such as DNSSEC and DoS prevention provide protection against attacks and raise the assurance level of the overall cloud computing infrastructure. Securing the routing infrastructure is a more vexing challenge that will involve all parties, including clients, cloud computing providers and other service providers.

CLOUD COMPUTING SECURITY MODEL OVERVIEW
  What is cloud computing?
  Introduction to cloud computing security
  Secure devices that connect to the cloud
  Cloud computing security threats

About the authors:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.

Char Sample is a research scientist at BBN Technologies specializing in network security and integration issues.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Application and Platform Security,   Secure SaaS: Cloud services and systems,   Risk Management Strategies,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Secure SaaS: Cloud services and systems Network security expert urges hardening of cloud protocols Security challenges with cloud computing services Is Identity Management as a Service (IDaaS) a good idea? Burton Group warns of cloud computing risks Researchers say search, seizure protection may not apply to SaaS data McAfee to acquire email SaaS vendor MX Logic How secure is 'Platform as a Service (PaaS)?' When to use the service features of the Metasploit hacking tool Cloud-based security services should start private Cloud computing security: Infrastructure issues Risk Management Strategies Breach prevention: How to keep track of data and applications Information security management hype: Debunking best practices Monitoring program data and internal controls for risk management Cloud computing security: Choosing a VPN type to connect to the cloud Cloud computing security model overview: Network infrastructure issues How to align an information security framework to your business model When to use open source security tools over commercial products Vulnerability test methods for application security assessments Security book chapter: Applied Security Visualization The 100-day plan: Achieving success as a new security manager RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.