DNS RPZ in the Swiss NREN


DNS RPZ in the Swiss NREN
First-hand experiences after half a year of productive usage
Matthias Seitz, matthias.seitz@switch.ch
Tallinn, 25th of September 2015

Agenda (slide 2)
  What is DNS RPZ?
  Timeline of the project at SWITCH
  SWITCH RPZs
  Web landing page and its purpose
  Log- and monitoring infrastructure
  A typical work routine
  Success story

DNSfirewall (slide 3)

DNS RPZ (slide 4)
  With RPZ, it is possible to control the answering behaviour of a recursive DNS server
  Firewall on DNS level
  Response Policy Zone
  Domains with policies: allow, drop, log
  An RPZ can be handled like any other DNS zone: XFR, NOTIFY, TSIG
  Propagation is timely, efficient and authentic

DNS RPZ (slide 5)
  Internet security problems:
    Malware infection sites, drive-by downloads
    Malware command-and-control, botnets
    Phishing
    APT attacks
  Restrict access to malicious domains
  Runs on recursive DNS servers with BIND or on Infoblox devices

DNS with RPZ (slide 6)

DNSfirewall (slide 7)
  Name of the RPZ project / service at SWITCH
  Service includes
    Zone transfer to institutions, or the institutions can use the SWITCH resolvers
    SWITCH and external RPZs
    Most-likely-infected reports to security contacts at the institutions
    Web landing page for redirecting and informing the end user
  Side projects
    Logging / monitoring infrastructure
    IOC-DB (database with indicators of compromise)

Timeline (slide 8)
  September 2013: Internal RPZ testing, asking the community for their interest
  February 2014: Trial with three institutions and four zone providers
    detection and log mechanism works
    zone transfer from the providers works great
    transmission of the hits works
    the setup is reliable
    problem: no appropriate zones

Timeline (slide 9)
  June 2014: Spamhaus introduces split RPZs
  Summer 2014: Evaluate log- and monitoring solution, Splunk vs ELK
  September 2014: Second trial with Spamhaus and Farsight Security RPZs with two institutions. Still no appropriate zones
  December 2014: SURBL introduces split RPZs: malware and phishing RPZ

Timeline (slide 10)
  January 2015: Third trial. SURBL is fine against spy- and greyware.
  March 2015: Purchase of the SURBL RPZs and decision to also maintain some SWITCH RPZs
  June 2015: First productive customer
  September 2015: Five productive customers, 40 000 end users

SWITCH RPZs (slide 11)
  zone.mw.rpz.switch.ch: Automated input from internal analysis of malicious .ch / .li domains, DGAs
  zone.ph.rpz.switch.ch: Automated input from internal analysis of malicious .ch / .li domains
  zone.misc.rpz.switch.ch: Adware, spyware, scams
  zone.wl.rpz.switch.ch: Whitelist

zone.mw.rpz.switch.ch (slide 12)
  Contains mainly DGA domains, most from external sources
  About 760 000 DGA domains, changes daily
    vvvqrsensinaix.com, egrzrsensinaix.com, wufkrsensinaix.com, zzwrrsensinaix.com, jtxtrsensinaix.com, vtkirsensinaix.com, wuymrsensinaix.com, bbrqrsensinaix.com
  Malware families: about 50 different kinds of malware
    cryptolocker, dircrypt, dyre, emotet, gozi1m, gozi3m, tinba...
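The policy actions on slide 4 (allow, drop, log) and the four SWITCH zones on slides 11 and 12 map onto a small set of RPZ record conventions. The following Python script is an added example, not SWITCH's own tooling: it emits an RPZ zone file for a list of domains, encoding the action in the CNAME rdata at the trigger name (NXDOMAIN as `CNAME .`, NODATA as `CNAME *.`, PASSTHRU as `CNAME rpz-passthru.`, DROP as `CNAME rpz-drop.`, and a redirect as a CNAME to a landing hostname), adds a wildcard trigger for subdomains, and leaves out anything on the whitelist. The name-server and hostmaster names, the landing hostname and the serial are constructed placeholders; the DGA names are the ones shown on slide 12.

```python
"""Build RPZ zone files for the kind of zones SWITCH describes (added example,
not SWITCH's own tooling).  Actions are encoded in the rdata of a CNAME at the
trigger name, which is BIND's RPZ convention.  Name-server names, the landing
hostname and the serial number below are constructed placeholders."""
from datetime import date

# RPZ special targets: the owner name is the trigger, the CNAME rdata is the action.
ACTIONS = {
    "nxdomain": "CNAME .",              # drop: answer NXDOMAIN
    "nodata":   "CNAME *.",             # answer an empty (NODATA) response
    "passthru": "CNAME rpz-passthru.",  # allow: answer normally (whitelist)
    "drop":     "CNAME rpz-drop.",      # send no answer at all
}


def rpz_rdata(action, target=None):
    """Rdata for one action; a 'redirect' rewrites the answer to a landing host."""
    if action == "redirect":
        if not target or not target.endswith("."):
            raise ValueError("redirect target must be an absolute name ending in '.'")
        return f"CNAME {target}"
    return ACTIONS[action]


def normalize(domain):
    """Lower-case, strip whitespace and a trailing dot; reject empty or garbled input."""
    d = domain.strip().lower().rstrip(".")
    if not d or " " in d or ".." in d:
        raise ValueError(f"bad domain: {domain!r}")
    return d


def build_rpz_zone(origin, domains, action, target=None, whitelist=(),
                   serial=None, ttl=300):
    """Emit a complete RPZ zone: SOA/NS header, then a trigger for each domain
    and a wildcard trigger for its subdomains.  Whitelisted domains are left
    out so the blocking zone can never override the PASSTHRU zone."""
    if serial is None:                      # YYYYMMDDnn, the usual convention
        serial = int(date.today().strftime("%Y%m%d") + "01")
    skip = {normalize(w) for w in whitelist}
    rdata = rpz_rdata(action, target)
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {origin.rstrip('.')}.",
        # ns.rpz.example / hostmaster.rpz.example are placeholders
        f"@ IN SOA ns.rpz.example. hostmaster.rpz.example. {serial} 3600 600 604800 {ttl}",
        "@ IN NS ns.rpz.example.",
    ]
    for name in sorted({normalize(d) for d in domains}):
        if name in skip:
            continue
        lines.append(f"{name} IN {rdata}")      # exact match
        lines.append(f"*.{name} IN {rdata}")    # any subdomain
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # DGA names from slide 12; the landing hostname is a placeholder
    dga = ["vvvqrsensinaix.com", "egrzrsensinaix.com", "wufkrsensinaix.com"]
    print(build_rpz_zone("zone.mw.rpz.switch.ch", dga, "redirect",
                         target="malware-landing.example.", serial=2015092501))
    print(build_rpz_zone("zone.wl.rpz.switch.ch", ["good.example"], "passthru",
                         serial=2015092501))
```

In named.conf the zones are listed in one `response-policy { ... };` statement and the first zone whose trigger matches wins, so the whitelist zone (zone.wl.rpz.switch.ch) has to be listed before the blocking zones. A zone given `policy disabled` in that statement is consulted and its matches logged but not acted upon, which is one way to get the log-only mode named on slide 4 while a new feed is being evaluated.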

Landing page (slide 13)
  User awareness
  Getting more information
  URL
  Two landing pages in four languages
    One for malware and one for phishing
    German, French, Italian and English
  Index the data in the monitoring system

Landing page (slides 14 and 15)

Log- and monitoring infrastructure (slide 16)

Log- and monitoring infrastructure (slide 17)
  Splunk
    Easy installation, good documentation, works out of the box
    Expensive
  ELK (Elasticsearch, Logstash and Kibana)
    Easy installation, needs time to set up, works out of the box with a limited feature set
    Open source; support also costs money
  Manpower vs money

A typical work routine (slide 18)

Success story (slide 19)
  In production at five institutions
  Protecting 40 000 end users
  Goal: Protect all 400 000 end users in the Swiss NREN
  Multiple detections and most-likely-infected reports
    necurs, gozi, suppobox, bedep (trojans)
    At the moment about 10 reports per month
    XcodeGhost (malicious iOS applications, C&C server)
  Productive systems, no problems so far
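Slide 7 lists most-likely-infected reports to the institutions' security contacts, slide 17 the Splunk/ELK log pipeline that feeds them, and slide 19 puts the volume at about 10 reports per month. Below is an added Python example (not SWITCH's code) of the reduction step in between: it parses BIND's RPZ hit lines, ignores whitelist (PASSTHRU) hits, groups the remaining hits per client address, maps the client to its institution, and flags clients that resolved several different blocked names, since DGA-driven malware queries many of them while a single hit may be a stray click. The log lines are constructed in the style of BIND's `rpz` log category (the DGA names are from slide 12, `login-phish.example` is made up), and the regex, the institution-to-prefix map and the distinct-name threshold are assumptions.

```python
"""Turn BIND's RPZ hit log into per-institution 'most likely infected' reports
(added example, not SWITCH's code).  Sample lines are constructed in the style
of BIND's 'rpz' log category; the regex, the institution prefix map and the
threshold are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Zones named on slide 11; the whitelist zone is PASSTHRU, so a hit there is not a detection.
BLOCKING_ZONES = ("zone.mw.rpz.switch.ch", "zone.ph.rpz.switch.ch", "zone.misc.rpz.switch.ch")

# Constructed: which institution owns which address range (documentation prefixes).
INSTITUTIONS = {
    "Example University": [ipaddress.ip_network("192.0.2.0/24")],
    "Example Hospital":   [ipaddress.ip_network("198.51.100.0/24")],
}

# Assumed layout of a BIND rpz log line: timestamp, client ip#port (qname), policy, trigger, zone.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<policy>\S+) rewrite (?P<name>\S+) via (?P<via>\S+)"
)

# Constructed sample log: one client resolving three DGA names, one phishing hit,
# one whitelist hit and one ordinary query line that must be ignored.
SAMPLE_LOG = """\
25-Sep-2015 09:00:01.120 client 192.0.2.10#51234 (vvvqrsensinaix.com): rpz QNAME Local-Data rewrite vvvqrsensinaix.com via vvvqrsensinaix.com.zone.mw.rpz.switch.ch
25-Sep-2015 09:00:02.300 client 192.0.2.10#51240 (egrzrsensinaix.com): rpz QNAME Local-Data rewrite egrzrsensinaix.com via egrzrsensinaix.com.zone.mw.rpz.switch.ch
25-Sep-2015 09:00:03.410 client 192.0.2.10#51251 (wufkrsensinaix.com): rpz QNAME Local-Data rewrite wufkrsensinaix.com via wufkrsensinaix.com.zone.mw.rpz.switch.ch
25-Sep-2015 10:12:44.000 client 198.51.100.7#40001 (login-phish.example): rpz QNAME Local-Data rewrite login-phish.example via login-phish.example.zone.ph.rpz.switch.ch
25-Sep-2015 10:13:00.000 client 192.0.2.55#40002 (good.example): rpz QNAME PASSTHRU rewrite good.example via good.example.zone.wl.rpz.switch.ch
25-Sep-2015 10:14:00.000 client 192.0.2.55#40003 (www.example.com): query: www.example.com IN A + (192.0.2.1)
"""


def parse_hit(line):
    """Return a dict for one RPZ rewrite against a blocking zone, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    via = m["via"].rstrip(".")
    zone = next((z for z in BLOCKING_ZONES if via.endswith("." + z)), None)
    if zone is None:        # whitelist hit or a zone we do not report on
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "ip": ipaddress.ip_address(m["ip"]),
        "qname": m["qname"].rstrip(".").lower(),
        "policy": m["policy"],
        "zone": zone,
    }


def institution_of(ip):
    """Map a client address to the institution that owns its prefix."""
    for name, nets in INSTITUTIONS.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def most_likely_infected(lines, min_distinct=3):
    """Group hits per client and flag clients that resolved at least
    `min_distinct` different blocked names (threshold is an assumption)."""
    per_client = defaultdict(lambda: {"hits": 0, "names": set(), "zones": set(),
                                      "first": None, "last": None})
    for line in lines:
        hit = parse_hit(line)
        if not hit:
            continue
        c = per_client[hit["ip"]]
        c["hits"] += 1
        c["names"].add(hit["qname"])
        c["zones"].add(hit["zone"])
        c["first"] = hit["ts"] if c["first"] is None else min(c["first"], hit["ts"])
        c["last"] = hit["ts"] if c["last"] is None else max(c["last"], hit["ts"])
    report = defaultdict(list)
    for ip, c in per_client.items():
        if len(c["names"]) >= min_distinct:
            report[institution_of(ip)].append({
                "client": str(ip), "hits": c["hits"],
                "names": sorted(c["names"]), "zones": sorted(c["zones"]),
                "first": c["first"].isoformat(), "last": c["last"].isoformat()})
    return dict(report)


if __name__ == "__main__":
    for inst, clients in most_likely_infected(SAMPLE_LOG.splitlines()).items():
        print(inst)
        for entry in clients:
            print("  ", entry)
```

The same reduction runs unchanged over a day's worth of exported hits from Splunk or ELK; lowering `min_distinct` to 1 turns it into a plain per-client hit list, which is what a phishing zone hit (one name, one click) needs, whereas the higher default suits the DGA-heavy malware zone.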

Success story (slide 20)
  IT manager of a Swiss university:
  "The new RPZ service runs very well. With this new service, we have detected several security issues at our institution. The good thing is that we now see our IT environment more clearly, but of course it also produces more work."

Next steps (slide 21)
  Win more institutions
  Develop / find a solution for managing the domains
  Automate most-likely-infected reports
  Expand logging / monitoring infrastructure (BIND feature request)

Further information (slide 22)
  http://securityblog.switch.ch/2015/05/07/protect-yournetwork-with-dns-firewall/
  dnsrpz.info
  matthias.seitz@switch.ch or cert@switch.ch

Questions? (slide 23)