Software Defined Perimeter

  • 1.  NSA Selecting a Protective DNS Service

    Posted Mar 06, 2021 11:58:00 PM
      |   view attached
    Hi All,

    The NSA just published Selecting a Protective DNS Service.

    Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) included DNS filtering as a requirement
    in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192). The Cybersecurity and Infrastructure
    Security Agency issued a memo and directive requiring U.S. government organizations to take steps to mitigate related
    DNS issues. Additionally, the National Security Agency has published guidance documents on defending DNS [1, 2, 3].
    This guidance outlines the benefits and risks of using a protective DNS service and assesses several commercial PDNS
    providers based on reported capabilities. The assessment is meant to serve as information for organizations, not as
    recommendations for provider selection. Users of these services must evaluate their architectures and specific needs
    when choosing a service for PDNS and then validate that a provider meets those needs.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: NSA Selecting a Protective DNS Service

    Posted Mar 14, 2021 11:43:00 AM
    Thanks for posting this, Michael - this is another in the series of useful guidance documents from the NSA. One interesting angle, relevant to this SDP and Zero Trust community, is the concept of connecting these DNS servers' detection of malicious requests into a ZT or SDP system. The idea is that if a device is issuing DNS requests for a known bad site, there are interesting and valuable steps that a security system can take, beyond just the domain blocking or sinkholing mentioned in the report. An SDP or Zero Trust system should be notified by the DNS server, and take immediate actions, such as by quarantining the user's device, prompting for MFA, etc.

    Coincidentally, this use case is one that we're writing about in the in-progress SDP and DNS whitepaper. Folks, look for peer review of this document in the group soon.

    ------------------------------
    Jason Garbis
    Co-Chair, SDP Working Group
    SVP Products, Appgate
    ------------------------------