As you may already be aware, the DNS (Domain Name System) protocol has always been a weak spot in the way the Internet works. Most commercial-grade security products include some form of DNS protection, but the threats keep changing. If you’ve recently moved to a BYOD (bring your own device) policy that allows employees to use personal machines for work, it’s time to give your DNS traffic a closer look.
Why You Need DNS Protection
DNS is a fundamental lookup layer that plays a role in nearly every Internet connection. DNS servers translate the host names you use to browse websites, send email, and reach online apps into the IP addresses that machines actually connect to. The problem is that anyone who can interfere with this lookup service can cause a host of unwanted behaviors. Resolvers and authoritative servers can be knocked offline by denial-of-service (DoS or DDoS) attacks that flood them with DNS queries.
Even more troubling from a commercial standpoint is that DNS can be abused in quieter ways. Botnet malware relies on DNS to find its command-and-control servers, and an attacker who can hijack a device's DNS lookups (by changing its resolver settings or poisoning a resolver's cache) can redirect users to hosts under the attacker's control. DNS tunneling works in the other direction: because DNS queries are allowed out of almost every network, malware can encode stolen data into the subdomains it looks up and smuggle it past the perimeter, with the attacker's authoritative server collecting the pieces. The possibility of corporate espionage via DNS tunneling is particularly worrisome. Adequate DNS safeguards are required to detect and block these activities.
Why Is BYOD A Security Risk?
Now that more and more employees own devices as capable as your company's own computers, allowing them onto the corporate network with their own hardware is an important way to boost productivity. It carries new risks with it, though, mainly because employee-owned devices move constantly between the network you control and home and public networks you do not, and they bring back whatever they picked up there.
An employee whose device is vulnerable to DNS hijacking can have its lookups redirected while surfing the Internet on his or her own time, for instance by malware that rewrites the device's resolver settings or by a rogue resolver on public Wi-Fi. The next time that device connects to your corporate network, it brings the compromise with it: unless your network forces all DNS traffic through resolvers you control and watches that traffic, the malware keeps talking to the attacker's infrastructure from inside your perimeter.
Security Measures For BYOD Companies
There are a few basic steps you can take to improve your corporate DNS protection. The first is to confirm that the resolvers you use, whether your ISP's or your own, follow sound security practice, ideally including DNSSEC validation so that forged answers for signed zones are rejected. Second, you can add a DNS firewall to your existing measures. A basic DNS firewall works from a feed of domain names known to be malicious (typically loaded into the resolver as a response policy zone); any query from a device on your network for one of those names is refused or answered with a sinkhole address, and the event is logged so you can identify the infected device. More comprehensive security solutions go well beyond this and inspect DNS traffic for anomalous patterns as well.
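As an added example (not code from the original article), here is a Python script that applies both ideas described above over a few constructed resolver query-log lines: an RPZ-style blocklist check of the kind a DNS firewall performs, and a heuristic for the tunneling and exfiltration traffic discussed earlier (many distinct, long, high-entropy subdomains under one zone from a single client). The log format, client addresses, host names, blocklist entries and thresholds are all made up for the example.

```python
"""Added example (not code from the original article): a DNS-firewall style
blocklist check plus a DNS tunnelling heuristic, run over constructed
resolver query-log lines."""
import math
import re
from collections import defaultdict

# Constructed sample query log, loosely modelled on a BIND query log.
# Client addresses, names and the .invalid/.test zones are all made up.
SAMPLE_LOG = """\
10.0.1.23 query: www.example.com IN A
10.0.1.23 query: mail.example.com IN MX
10.0.1.40 query: update.malware-host.invalid IN A
10.0.1.55 query: 5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d.exfil.test IN TXT
10.0.1.55 query: 1f2e3d4c5b6a79880716253443526170.exfil.test IN TXT
10.0.1.55 query: 9988776655443322aabbccddeeff0011.exfil.test IN TXT
10.0.1.55 query: ffeeddccbbaa99887766554433221100.exfil.test IN TXT
10.0.1.55 query: 0123456789abcdef0123456789abcdef.exfil.test IN TXT
10.0.1.23 query: cdn.example.net IN AAAA
"""

# Constructed blocklist, standing in for the threat feed a DNS firewall loads
# as a response policy zone (RPZ).
BLOCKLIST = {"malware-host.invalid", "bad.example.org"}

LOG_RE = re.compile(r"^(?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$")


def parse_line(line):
    """Return {'client', 'qname', 'qtype'} for one log line, or None if the
    line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def is_blocked(qname, blocklist=BLOCKLIST):
    """RPZ-style match: the queried name or any parent zone is on the list."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def registered_domain(qname):
    """Crude zone cut (last two labels). Production code should use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, min_unique=5, min_label_len=24, min_entropy=3.0):
    """Return (blocked, tunnel_suspects).

    blocked: [(client, qname)] that the DNS firewall would refuse and log.
    tunnel_suspects: {zone: {client, ...}} for clients that sent at least
    min_unique distinct long, high-entropy leading labels under one zone,
    the pattern produced by DNS tunnelling / exfiltration tools.
    Thresholds are illustrative and need tuning against your own baseline."""
    blocked = []
    per_zone = defaultdict(lambda: defaultdict(set))  # zone -> client -> labels
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_blocked(rec["qname"]):
            blocked.append((rec["client"], rec["qname"]))
            continue
        leading = rec["qname"].split(".")[0]
        if len(leading) >= min_label_len and shannon_entropy(leading) >= min_entropy:
            per_zone[registered_domain(rec["qname"])][rec["client"]].add(leading)
    suspects = {}
    for zone, clients in per_zone.items():
        flagged = {c for c, labels in clients.items() if len(labels) >= min_unique}
        if flagged:
            suspects[zone] = flagged
    return blocked, suspects


if __name__ == "__main__":
    blocked, suspects = analyze(SAMPLE_LOG)
    for client, qname in blocked:
        print(f"BLOCKED  {client} -> {qname}")
    for zone, clients in suspects.items():
        print(f"TUNNEL?  {zone} queried by {', '.join(sorted(clients))}")
```

Run as-is, the script reports the query from 10.0.1.40 for the blocklisted zone and flags 10.0.1.55 as a tunneling suspect for exfil.test, while the ordinary example.com and example.net lookups pass untouched. In a real deployment the blocklist comes from a maintained threat feed, and the entropy heuristic needs an allow list, because CDNs, anti-virus updaters and some telemetry services legitimately use long hashed subdomains.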
If you are concerned about DNS attacks directed against your corporate network as a whole, you’ll want to set up robust in-house measures to combat the possibility. These can take many forms, but multihoming (connecting to the Internet via more than one ISP) is an effective safeguard against DoS attacks that saturate a single link. Note that this is merely a high-level precaution designed to avoid having a single chokepoint on your network; it does nothing against cache poisoning, hijacked resolver settings or tunneling, so you’ll still need to take an active role in protecting your DNS traffic.
There’s nothing inherently risky about opening your office up to a BYOD policy. You just need to be aware of how it changes your network security landscape and prepare for the new challenges BYOD devices present. Making sure your DNS protection is up to the task will help minimize the problems that come with welcoming employees’ devices onto your corporate network.