SOFtware Reviews Lucky Host
Home     Add To Favorites!         Make Your Home Page!
BlueCat s Public Sector Practice Announces New OMB Mandate...
_

DNSSEC Functionality Ensures Compliance with U.S. Federal Government Standards and Mandates

BlueCat Networks, the IPAM Intelligence Company , today underscored its commitment to the U.S. federal market by announcing new DNSSEC functionality for its Proteus IPAM and Adonis family of DNS DHCP solutions. Developed to meet all recommendations outlined by the National Institute of Standards and Technology NIST in its Secure Domain Name System DNS Deployment Guide, BlueCat s new functionality will make it simple for any U.S. federal government agency to comply with U.S. federal government DNSSEC standards and mandates including the recent OMB M-08-23 memorandum, which requires U.S. federal government agencies to add DNSSEC cryptographic authentication functionality to DNS servers by December, 2009.

Designed to protect DNS clients from forged DNS data that is the result of a DNS attack, such as cache poisoning, BlueCat s DNSSEC functionality signs all DNS requests on the authoritative server, using a digital signature. When a DNS client requests a DNS record, it can verify that the record received is identical to the record on the authoritative server.

In the event that an unauthorized user tries to exploit a U.S. federal government agency s DNS server, the altered record will not be verified as it has not been signed using the digital signature. This prevents users from receiving poisoned DNS, and increases the reliability of records received from DNSSEC-enabled DNS servers.

As high-profile incidents such as the Kaminsky exploit in 2008 underscore, U.S. federal government must take every precaution to ensure networks are secure, said Gene Skiba, VP U.S. Public Sector for BlueCat Networks dedicated U.S. Public Sector Group in Reston, Virginia. BlueCat has always been at the forefront of DNSSEC innovation, and this latest functionality will make it simpler than ever before for U.S. federal government agencies to fully comply with all U.S. federal government standards, Skiba continued. BlueCat has been gaining significant traction in the U.S. federal government space, and given the fact that DNSSEC usage is increasing, and that the U.S. federal government plans to sign the .gov and .mil domains by the end of 2009, providing leading-edge DNSSEC functionality remains a top priority for us.

BlueCat s new DNSSEC functionality includes:

Support for DNSSEC Resource Records
BlueCat will support all the required resource records needed to provide DNSSEC functionality for hosted authoritative domains, including Resource Record Signatures RRSIGs , DNSSKEY and Next Secure NSEC records. These records are not actually configurable and are automatically created and maintained by the DNS system.

DNSSEC Validation
BlueCat s Adonis DNS DHCP appliance will be able to properly validate signed records from other DNSSEC enabled servers.

Support for DNSSEC Signed Zones
BlueCat will provide support for DNSSEC Signed Zones using Zone Signing Keys ZSK and Key Signing Keys KSK . Zone Signing Keys are used to sign the records within a zone for example, www host in the zone bluecatnetworks.com. Key Signing Keys are used to sign the ZSKs and are also used as the trust anchor for validation of DNS responses. Both ZSKs and KSKs can be automatically generated on a per zone basis within Proteus. The new functionality will enable BlueCat to support RSASHA-1 and DSASHA-1 key ciphers at 1024 bit and 4096 bit strengths. Optionally, administrators can manually add their own keys to the system that will be used for signing. Other key ciphers may be added in future releases depending on customer needs.

Ability to Configure Trust Anchors
BlueCat will provide the ability to configure Trust Anchors, which are used to validate responses from other authoritative name servers. Trust Anchors will be configurable at a server level using DNS Options, where multiple Trust Anchors can be configured using their zone name and public KSK.

The proliferation of such technology as VoIP, RFID, wireless, virtualization, and IPv6 is making it impossible for U.S. federal government agencies to continue managing IP addresses with spreadsheets and homegrown solutions. BlueCat s market-leading solutions integrate with Microsoft Active Directory to enable U.S. federal government agencies to completely eliminate network accessibility problems by making it simple and secure for administrators to centrally deploy, manage, monitor and audit IP addresses across an entire organization from a single web-based interface.






#