March 21, 2019 | Written by: Efficient IP | DNS, DNS Security, IPAM
Tags: Command and Control, DNS, DNS Filtering, DNS Management, DNS over TLS, DNS Security, DNS Solution, DNS Threat Intelligence, Enterprise Network Security, IPAM, IPAM Repository, Malware, Network Automation, Phishing, Ransomware, Zero Trust
Zero trust architecture is a paradigm that focuses on the client rather than on the network. It can be complex to set up, but a simple first step is possible with an appropriate DNS security solution.
Most enterprise networks are built on a security topology that separates an internal network, where the users are located, from an external one that connects to the Internet and to partners. Intermediate zones, usually called DMZs, are built to allow and control inbound flows. But a network security topology that relies on such macro-segmentation is no longer adequate: it is now commonly accepted that many threats act from inside the enterprise network, for example malware, phishing and cryptolockers running on compromised user devices.
Filtering between security zones is performed today by firewalls, since most traffic goes through them. But their job is becoming harder with the generalization of encrypted protocols, TLS-based in most cases (e.g. HTTPS): without decryption, a firewall sees little more than IP addresses, ports and the TLS server name. Protecting the enterprise network would therefore require inspecting inside the transaction, i.e. decrypting the traffic. However, even where it is technically possible, decrypting traffic for inspection is not always allowed (privacy, regulation) or workable (certificate pinning), which leaves filtering capabilities limited.
The logical answer from an architecture point of view is to scale down the size of the zones: move from macro-segments to micro-segments that could be as small as a single client, resource or server. This vision is complex to set up and requires thinking differently about the way networks are architected and automated. It demands the ability to identify a client or a usage, rather than a port on a switch or a subnet. It requires storing all policies and dynamic information about the network in a central repository. Finally, it requires the ability to verify the behavior of the network and its usages in real time.
"Zero trust" is now a widely adopted approach to enterprise network security, aiming at an optimized security architecture and set of technologies. It is aligned with the requirements brought by digital transformation, mainly agility and fast, small increments.
The architecture pattern proposed by zero trust relies on the fact that there are no longer trusted and untrusted zones, perimeters, devices or users. Everything is untrusted by default.
The main building blocks of the architecture are:
These building blocks are not standard recipes that a network engineering team could apply by the book; they need to be broken down into smaller architectural patterns. What is already clear is the need for a dynamic configuration model, i.e. a centralized and automated way of provisioning the network and its associated security. Provisioning an access network on a site for a set of users from one department requires automation, and therefore a software-defined networking (SDN) approach. The same is true in datacenters when building a dedicated network for the components of an application. Central provisioning is the key.
Moving from a set of network and security devices configured directly through their console interface to a centralized, automated system using an abstracted model is a huge gap to close. It is like moving from monolithic applications to microservices with a source repository, continuous deployment and immutable infrastructure. It requires suitable network and security devices, an integrated solution, and a full understanding of the APIs involved in the ecosystem. Most importantly, it requires a serious dose of confidence in the automation process, because everything will be performed automatically.
Designing a network service from the client usage through to the application in a set of YAML files, and relying entirely on an automated system to configure an overlay network across all the equipment, is not the usual way of thinking for a network engineer. The perceived impact of a change is larger than when each device is modified step by step, which in any case is no longer possible with underlay and overlay networks.
SDN, micro-segmentation, IAM and fully automated network processes all implicitly manipulate IP addresses. This is where a midway step in the zero trust journey can be taken through a DNS solution.
On the security side of the zero trust architecture, the only way to reduce an adversary's chances of success is to understand the who, what, when, where and how of their actions. Since most internal threats need DNS resolution in order to act, an intermediate way of enabling and controlling user-to-application access is to do it at the DNS level. Conveniently, this service already exists on every enterprise network and can be used immediately.
A DNS solution is a central network foundation, distributed and scalable, that provides the information any client needs to reach every application and service. Most connections start with a DNS resolution, so DNS plays a major role in the attack chain of most malware, ransomware and Command and Control (C2) communication, a fact confirmed by multiple studies.
In addition, the DNS service knows each client on the network in detail: its normal traffic pattern and the applications it accesses, since the normal sequence is to resolve the name of a service before connecting to it. Any deviation from this pattern, whether a request for a different application, a new domain on the Internet or any more advanced usage, shows up in DNS requests from the very beginning. DNS therefore has near-complete visibility over the traffic of each user, resource and server on the network, and should be used as the first line of defense. This is easily applied to a micro-segment the size of a single IP address: what is complex at the whole-network level becomes simple at the DNS client level, which is what an advanced DNS firewall offers. One caveat: this visibility only holds for clients that actually use the enterprise resolvers, so hard-coded IP connections and encrypted DNS (DoT/DoH) to external resolvers must be blocked at the egress to keep it complete.
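The following is an added example of what "a micro-segment the size of a single IP address" means at the resolver, not code from EfficientIP or from any DNS product. It evaluates each query against a per-segment policy chosen by longest-prefix match, so a whole user LAN can run open-by-default with a threat feed, while one payment terminal (a /32) gets a strict allow list. The policies, threat feed, IP ranges and domain names are constructed sample data (reserved example/invalid names, not real indicators); in a real deployment the policy dictionary would be the content of the central repository and the "nxdomain" action would be an RPZ rule.

```python
"""Per-client DNS filtering, one policy per micro-segment.

Added illustrative example, not code from EfficientIP or any DNS product.
Policies and queries are constructed sample data; the domain names are
reserved example/invalid names, not real indicators.
"""
import ipaddress

# Constructed global threat-intelligence feed: names treated as malicious for every client.
THREAT_FEED = {"c2-example.invalid", "dropper.example.net"}

# Constructed per-segment policies keyed by prefix. The longest matching prefix wins,
# so a segment can be as small as one host (/32): that host gets its own allow list.
POLICIES = {
    ipaddress.ip_network("10.10.0.0/16"): {          # general user LAN
        "allow": {"corp.example", "update.vendor.example"},
        "deny": set(),
        "default": "allow",                          # open by default, block only known-bad
    },
    ipaddress.ip_network("10.10.5.20/32"): {         # a single payment terminal
        "allow": {"pay.corp.example", "ntp.corp.example"},
        "deny": set(),
        "default": "deny",                           # strict allow list: nothing else resolves
    },
    ipaddress.ip_network("10.20.0.0/24"): {          # lab segment
        "allow": set(),
        "deny": {"paste.example.org"},               # explicit deny of a known exfiltration channel
        "default": "allow",
    },
}


def _suffix_match(qname: str, suffixes) -> bool:
    """True if qname equals, or is a subdomain of, any name in suffixes."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)


def policy_for(client_ip: str):
    """Longest-prefix lookup of the policy covering client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    matches = [net for net in POLICIES if addr in net]
    if not matches:
        return None
    return POLICIES[max(matches, key=lambda n: n.prefixlen)]


def evaluate(client_ip: str, qname: str):
    """Decide how the resolver answers one query.

    Returns (action, reason); action is "resolve" or "nxdomain", the RPZ-style
    block response. Precedence: threat feed, then the client's deny list,
    then its allow list, then the segment default.
    """
    if _suffix_match(qname, THREAT_FEED):
        return "nxdomain", "threat-feed"
    pol = policy_for(client_ip)
    if pol is None:
        return "nxdomain", "unknown-client"       # no policy for this client: fail closed
    if _suffix_match(qname, pol["deny"]):
        return "nxdomain", "client-deny"
    if _suffix_match(qname, pol["allow"]):
        return "resolve", "client-allow"
    if pol["default"] == "allow":
        return "resolve", "default-allow"
    return "nxdomain", "default-deny"


def evaluate_batch(queries):
    """Evaluate (client_ip, qname) pairs; returns a list of (client, qname, action, reason)."""
    return [(c, q, *evaluate(c, q)) for c, q in queries]


if __name__ == "__main__":
    # Constructed sample queries.
    sample = [
        ("10.10.3.7", "intranet.corp.example"),
        ("10.10.3.7", "beacon.c2-example.invalid"),
        ("10.10.5.20", "pay.corp.example"),
        ("10.10.5.20", "www.example.com"),
        ("10.20.0.9", "paste.example.org"),
        ("192.168.1.1", "corp.example"),
    ]
    for client, qname, action, reason in evaluate_batch(sample):
        print(f"{client:<12} {qname:<28} {action:<9} ({reason})")
```

Unknown clients fail closed on purpose: a device that is not in the repository has no business resolving anything, which is the zero trust default the article describes.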
DNS combined with threat intelligence can enhance the security of each micro-segment by analyzing client behavior and answering the client accordingly. Advanced patterns can be applied to react faster to abnormal behavior, while behavioral analytics and machine learning approaches help to stay one step ahead of attackers on internal threats and shorten response time.
A DNS security solution that filters at the client level improves the security of the whole enterprise network. It is a real increment in infrastructure protection, and it lets network and security engineers move towards a zero trust architecture at their own pace.
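To make the "analyzing client behavior" idea concrete, and the earlier point that malware, ransomware and C2 traffic show up in DNS first, here is an added example of a per-client baseline and deviation score run over a constructed query log. It is not EfficientIP code and models no particular product. The log entries, the client addresses, the domain names and the thresholds are all constructed assumptions; the three indicators (never-seen registered domains, NXDOMAIN ratio, random-looking leftmost labels) are the classic signals of domain-generation algorithms and DNS tunnelling.

```python
"""Per-client DNS behaviour baseline and deviation scoring.

Added illustrative example, not code from EfficientIP or any product.
The query logs below are constructed sample data (client IP, queried
name, response code); the thresholds are illustrative assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed learning-window log: what each client normally resolves.
BASELINE_LOG = [
    ("10.10.3.7", "intranet.corp.example", "NOERROR"),
    ("10.10.3.7", "mail.corp.example", "NOERROR"),
    ("10.10.3.7", "www.corp.example", "NOERROR"),
    ("10.10.3.7", "cdn.vendor.example", "NOERROR"),
    ("10.10.5.20", "pay.corp.example", "NOERROR"),
    ("10.10.5.20", "ntp.corp.example", "NOERROR"),
]

# Constructed live-window log: 10.10.3.7 behaves as usual, while 10.10.5.20 starts
# resolving never-seen domains with random-looking labels and collects NXDOMAINs,
# the pattern of DNS tunnelling or of a domain-generation algorithm hunting for its C2.
LIVE_LOG = [
    ("10.10.3.7", "intranet.corp.example", "NOERROR"),
    ("10.10.3.7", "mail.corp.example", "NOERROR"),
    ("10.10.3.7", "www.corp.example", "NOERROR"),
    ("10.10.3.7", "cdn.vendor.example", "NOERROR"),
    ("10.10.3.7", "news.example.org", "NOERROR"),
    ("10.10.5.20", "pay.corp.example", "NOERROR"),
    ("10.10.5.20", "kz8q2v7mx3pw4n.exfil-example.net", "NOERROR"),
    ("10.10.5.20", "a9b8c7d6e5f4g3h2.exfil-example.net", "NOERROR"),
    ("10.10.5.20", "xq3zl.update-example.org", "NXDOMAIN"),
    ("10.10.5.20", "hv7yt.update-example.org", "NXDOMAIN"),
    ("10.10.5.20", "pm4kd.cdn-example.net", "NXDOMAIN"),
    ("10.10.5.20", "jr9wc.cdn-example.net", "NXDOMAIN"),
]

# Illustrative thresholds (assumptions; tune against real traffic).
NEW_DOMAIN_LIMIT = 3        # distinct never-seen registered domains in the window
NXDOMAIN_RATIO_LIMIT = 0.3  # share of failed resolutions
ENTROPY_LIMIT = 3.5         # bits per character; random-looking labels score above this
HIGH_ENTROPY_LIMIT = 2      # number of such labels before flagging


def registered_domain(qname: str) -> str:
    """Crude registered-domain extraction: the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def label_entropy(qname: str) -> float:
    """Shannon entropy (bits per character) of the leftmost label."""
    label = qname.rstrip(".").lower().split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def build_baseline(log):
    """Map each client to the set of registered domains it resolved during learning."""
    seen = defaultdict(set)
    for client, qname, _rcode in log:
        seen[client].add(registered_domain(qname))
    return seen


def score_client(client: str, queries, baseline) -> dict:
    """Compare one client's live queries [(qname, rcode), ...] with its baseline."""
    total = len(queries)
    new_domains = sorted({registered_domain(q) for q, _ in queries} - baseline.get(client, set()))
    nx_ratio = sum(1 for _, rc in queries if rc == "NXDOMAIN") / total if total else 0.0
    high_entropy = sum(1 for q, _ in queries if label_entropy(q) > ENTROPY_LIMIT)
    flags = []
    if len(new_domains) >= NEW_DOMAIN_LIMIT:
        flags.append("new-domain-burst")
    if nx_ratio > NXDOMAIN_RATIO_LIMIT:
        flags.append("nxdomain-spike")
    if high_entropy >= HIGH_ENTROPY_LIMIT:
        flags.append("high-entropy-labels")
    return {"client": client, "queries": total, "new_domains": new_domains,
            "nxdomain_ratio": round(nx_ratio, 2), "high_entropy": high_entropy, "flags": flags}


def analyze(baseline_log, live_log) -> dict:
    """Score every client seen in the live window; returns {client: indicators}."""
    baseline = build_baseline(baseline_log)
    per_client = defaultdict(list)
    for client, qname, rcode in live_log:
        per_client[client].append((qname, rcode))
    return {c: score_client(c, qs, baseline) for c, qs in per_client.items()}


if __name__ == "__main__":
    for client, result in analyze(BASELINE_LOG, LIVE_LOG).items():
        print(client, result["flags"] or "normal", result)
```

Because the baseline is kept per client, the same five queries that are normal for a user workstation are a strong signal for the payment terminal: the score is relative to each micro-segment's own history, which is the per-client reasoning the article argues for.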