nCipher Security News Release

BlueCat Networks Partners With nCipher To Deliver Ultra Secure DNSSEC

New BlueCat Networks appliance models integrate with Thales nShield hardware security modules

BlueCat Networks, the IPAM Intelligence™ company, today announced that its DNS, DHCP and IP Address Management appliances are now integrated with the award-winning Thales nShield Connect hardware security module (HSM) to deliver simple and secure DNSSEC key management for organizations that demand the highest levels of security.

“Security is one of the top concerns of every CIO,” said Brad Micklea, Vice President of Product Management, BlueCat Networks. “The Domain Name System is a critical public service that is on the front line, so attacks on DNS can severely impact business operations and undermine customer loyalty. By adding support for the Thales HSM to our existing DNSSEC solution, BlueCat Networks is once again demonstrating its commitment to providing the smartest, simplest and most secure solutions available for managing and securing enterprise networks. BlueCat Networks combines the ultra-high security of HSM-based DNSSEC with the simplicity of fully automatic key rollover for all key types, as well as flexible support for a broad range of encryption algorithms.”

DNSSEC uses strong public key cryptography to bring far greater security to any enterprise by protecting the DNS core network service from attacks such as cache poisoning, which can be leveraged for web site spoofing and phishing. In order to optimally secure your web site you must implement DNSSEC. However, there are two challenges to implementing DNSSEC that remain unaddressed:

  1. Secure Key Storage: Standard DNS servers are not designed to be tamper-proof or invasion-proof, leaving keys potentially exposed to theft or misuse.
  2. Key Rollover: Implementation and management of off-box DNSSEC keys can be complex, costly and time-consuming, in part because, if handled manually, security teams must spend a large portion of their time generating, administering and validating the many DNSSEC keys in use.

The combined BlueCat Networks and Thales solution for HSM-enabled DNSSEC addresses both challenges. Keys are generated and secured via the Thales nShield appliance, which is FIPS 140-2 Level 3 and Common Criteria EAL4+ certified. However, unlike more manual solutions, BlueCat’s DNSSEC integration with Thales retains the simplicity of interaction that BlueCat’s existing DNSSEC solution was known for. BlueCat Networks reduces the inherent complexity of DNSSEC with centralized key management, single-click signing policies, fully automated key rollover and emergency manual key rollover. With BlueCat Networks, organizations can control DNSSEC signed zones from a central location, gain a comprehensive view of all DNSSEC-related data and demonstrate compliance during security audits.

“Recent highly publicized cyber attacks like Stuxnet are a clear reminder that digital signature keys that underpin services like DNS are vulnerable to theft or misuse and must be protected,” said Cindy Provin, president of the Americas, Thales eSecurity. “DNSSEC is already being widely adopted by government, financial services and healthcare organizations where the security of sensitive information is of paramount importance, but DNSSEC is only as good as the security of an organization’s cryptographic keys. The Thales nShield Connect HSM ensures that keys are generated and stored by an ultra-secure device that is both physically and electronically protected against tampering and invasion. When the Thales HSM is used in conjunction with BlueCat Networks’ smart, simple DDI solutions, organizations get the benefit of market-leading DDI and key security in an intuitive solution.”

Deployed at some of the most demanding and secure organizations in the world, BlueCat Networks’ DNS, DHCP and IP Address Management solutions provide an essential technology for helping organizations build smarter networks and manage IP-dependent services including cloud, virtualization and BYOD.