Security Platforms/Tools

Nominum Wants to Play Watchdog

Nominum Inc. is adding features to let carriers run managed-security services from domain name system (DNS) servers, the latest salvo in the back-and-forth between black-hat hackers and network infrastructure providers.

Intelligent DNS, as Nominum is calling it, isn't created in response to a particular problem. Rather, it adds some monitoring and malware awareness to Nominum's DNS servers. The hope is that carriers can use these features to help sell customers on security services. (See Nominum Adds DNS Smarts.)

Some service providers are already thinking along those lines. Verizon Enterprise Solutions , for instance, recently launched a managed security service for large businesses. (See Verizon Boosts Security Offering.) But Nominum is thinking smaller, down to what the household user might buy.

"One of the things we've talked to service providers about is using the technology to upsell services to the user," says Gopala Tumuluri, Nominum's vice president of product management and marketing. For example, ISPs frequently offer security packages from the likes of McAfee Inc. (NYSE: MFE) or Symantec Corp. (Nasdaq: SYMC), but don't necessarily get a lot of nibbles from users. "Unless you think you have a problem, you're not going to go buy it," Tumuluri says.

Another possibility is a service that catches any URLs that point to malicious sites, rerouting the user to an education page that explains what almost just happened, Tumuluri says.

The new version of Nominum's DNS is shipping now.

Nominum says DNS needs to get smarter anyway, because it's increasingly being exploited by hackers. The Conficker worm, for instance, used DNS servers to help itself spread, Tumuluri says.

Or take last year's cache poisoning discovery. Researcher Dan Kaminsky found a hole in traditional DNS that opened the possibility for hijacking certain Internet domains. That led security outfits like Nominum and Neustar Inc. (NYSE: NSR) to develop neu ways of thwarting cache poisoning. (See New Internet Poison Gets Instant Antidote and Nominum Caches In.)

So what does Intelligent DNS do, exactly? Mainly, it watches traffic flows for untoward behavior -- a traffic pattern typical of a spam bot, for instance. Granted, it's only going to find problems after a computer gets infected, but it catches problems early and gives the service provider (or business) a chance to set up a defense.

This kind of monitoring has always been possible, but at the expense of server performance. Nowadays, though, many servers ship with more than one processor, so Intelligent DNS does the traffic monitoring on the "other" CPU, so it doesn't steal processing from regular traffic queries. Nominum also has the software avoid writing anything to disk if necessary.

Nominum taps third-party spam and phishing lists to keep up-to-date on known problem URLs. And it can take input from a service provider's own reporting tools, if it's got any.

Multiple avenues for tracking problems are needed, because any one method will inevitably get stymied. The third-party lists, for instance, can be defeated because "malware authors and spammers often rent equipment (or compromise machines) at legitimate hosting providers," notes Sean Leach, senior director of technology at NeuStar, in an email to Light Reading. "It really comes down to an arms race of trying to stay one step ahead of the bad guys and put in place as many layers of protection as you can."

— Craig Matsumoto, West Coast Editor, Light Reading

Sign In