1 2014 2013 Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

Similar documents
Infoblox Inc. All Rights Reserved. Securing the critical service - DNS

Securing Your Business with DNS Servers That Protect Themselves

WHITEPAPER. Designing a Secure DNS Architecture

TECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory

Securing Your Business with DNS Servers That Protect Themselves

Detect Malware and APTs with DNS Firewall Virtual Evaluation

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

Enhancing Your Network Security

STARTER KIT. Infoblox DNS Firewall for FireEye

Concierge SIEM Reporting Overview

WAN Traffic Management with PowerLink Pro100

Zscaler Internet Security Frequently Asked Questions

Arbor s Solution for ISP

Security of IPv6 and DNSSEC for penetration testers

Technical Note. ForeScout CounterACT: Virtual Firewall

Protecting DNS Infrastructure Inside and Out

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

Recommended IP Telephony Architecture

Injazat s Managed Services Portfolio

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

On-Premises DDoS Mitigation for the Enterprise

Optimize Application Delivery Across Your Globally Distributed Data Centers

Enterprise Buyer Guide

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

The Hillstone and Trend Micro Joint Solution

TDC s perspective on DDoS threats

DDoS Overview and Incident Response Guide. July 2014

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Scale your DNS Infrastructure Ensure App and Service Availability. Nigel Ashworth Solution Architect EMEA

Chapter 8 Security Pt 2

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

WHITE PAPER. Creating a Best-of-Breed DDI Solution in a Microsoft Environment

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

Reliable DNS and DHCP for Microsoft Active Directory

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

Network Infrastructure Under Siege

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Automated Mitigation of the Largest and Smartest DDoS Attacks

CMPT 471 Networking II

Reliable DNS and DHCP for Microsoft Active Directory Protecting and Extending Active Directory Infrastructure with Infoblox Appliances

SANS Top 20 Critical Controls for Effective Cyber Defense

IINS Implementing Cisco Network Security 3.0 (IINS)

Chapter 9 Firewalls and Intrusion Prevention Systems

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

Are You Fully Prepared to Withstand DNS Attacks?

Secure and Hardened DNS Appliances for the Internet

Architecture Overview

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

How To Protect A Dns Authority Server From A Flood Attack

The F5 Intelligent DNS Scale Reference Architecture.

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

The Importance of a Resilient DNS and DHCP Infrastructure

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Infoblox vnios Software for CISCO AXP

Modular Network Security. Tyler Carter, McAfee Network Security

Hillstone Intelligent Next Generation Firewall

Cisco Security Manager 4.2: Integrated Security Management for Cisco Firewall, IPS, and VPN Solutions

Web Application Hosting Cloud Architecture

When Recognition Matters THE COMPARISON OF PROGRAMS FOR NETWORK MONITORING.

Challenges in Deploying Public Clouds

DNS Firewalls with BIND: ISC RPZ and the IID Approach. Tuesday, 26 June 2012

Implementing Cisco IOS Network Security

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Firewall and UTM Solutions Guide

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Firewalls and Intrusion Detection

Grid and Multi-Grid Management

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Data Exfiltration and DNS

Datacenter Transformation

Secure Cloud-Ready Data Centers Juniper Networks

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Networking for Caribbean Development

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

Virtualized Domain Name System and IP Addressing Environments. White Paper September 2010

Cisco Small Business ISA500 Series Integrated Security Appliances

Stop DDoS Attacks in Minutes

Securing and Accelerating Databases In Minutes using GreenSQL

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

STATE OF DNS AVAILABILITY REPORT

MEDIAROOM. Products Hosting Infrastructure Documentation. Introduction. Hosting Facility Overview

FortiBalancer: Global Server Load Balancing WHITE PAPER

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Transcription:

1 2014 2013 Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

Agenda Increasing DNS availability using DNS Anycast Opening the internal DNS Enhancing DNS security DNS traffic monitoring & alerting Leveraging DNS to protect against malwares Securing your DNS infrastructure against attacks 2 2014 2013 Infoblox Inc. All Rights Reserved.

Sounds 101? DNS is part of the network plumbing J Still overlooked in many entreprises Legacy infrastructure Lack of monitoring Patch management Change management & traceability New IT infrastructure trends & apps are increasing pressure on the DNS infrastructure Availability Performance Security and might require some DNS redesign or new approach 3 2014 2013 Infoblox Inc. All Rights Reserved.

Increasing DNS availability using Anycast 4 2014 2013 Infoblox Inc. All Rights Reserved.

Customer use case moving to Anycast Global WW press/media company headquartered in Europe Using legacy Solaris/Bind and Microsoft DNS infrastructure Lot of static laptop configuration L long term change process Challenges: Availability issues Primary/secondary DNS usual setup is not efficient - issues with in-house applications Lack of visibility no traceability of DNS operations Challenges with patching, esp. Solaris lack of ressources/expertise 5 2014 2013 Infoblox Inc. All Rights Reserved.

Anycast DNS quick refresh Anycast DNS allows multiple, distributed name servers to share a single virtual IP address Each name server advertises a route to that address to its neighbors typically using a routing protocol Queries sent to that address are routed to the closest name server instance From any one location on the Internet/Intranet, you can only see (and hence attack ) a single member of an anycast group at once 6 2014 2013 Infoblox Inc. All Rights Reserved.

Anycast in Action Client Router 1 DNS query to 10.0.0.1 192.168.0.1 Router 2 192.168.0.2 Router 3 Routing table from Router 1: Destination Mask Next-Hop Distance 192.168.0.0 /29 127.0.0.1 0 10.0.0.1 /32 192.168.0.1 1 10.0.0.1 /32 192.168.0.2 2 Router 4 10.0.0.1 Server instance A 10.0.0.1 Server instance B 7 2014 2013 Infoblox Inc. All Rights Reserved.

Anycast in Action 192.168.0.1 Router 2 10.0.0.1 Server instance A Client Router 1 192.168.0.2 Router 3 Router 4 10.0.0.1 Server instance B Routing table from Router 1: Destination Mask Next-Hop Distance 192.168.0.0 /29 127.0.0.1 0 10.0.0.1 /32 192.168.0.1 1 10.0.0.1 /32 192.168.0.2 2 8 2014 2013 Infoblox Inc. All Rights Reserved.

Customer use case implementation highlights Customer choosed to deploy a unified infrastructure (based on Infoblox Grid) Anycast DNS is now running for a few years internally One high-availability pair per geo datacenter for internal DNS using OSPF routing Key benefits Easier setup (client side & mobility) Increased SLA Easy maintenance and patching Phased migration Forward rules on legacy servers during transition/grace period (few months) Traffic monitoring 9 2014 2013 Infoblox Inc. All Rights Reserved.

Anycast DNS is a proven setup! Host anycasting service is not new (RFC1546 1993 J ) Proven deployment in the Internet C, F, I, J, K, L, M root-servers (hierarchical anycast).fr NS Service providers for distributed DNS caching service Anycast is (and should be) more and more considered for internal DNS 10 2014 2013 Infoblox Inc. All Rights Reserved.

Opening the internal DNS 11 2014 2013 Infoblox Inc. All Rights Reserved.

Customer use case - Need to open internal DNS European utility company Typical closed internal DNS infrastructure company.local No end-to-end resolution for external names an internal laptop is not able to resolve www.google.com using nslookup or dig DNS resolvers for external resolutions used by proxy/selected DMZ servers Leveraging web proxys for external access Moving mail in the cloud, office 365 and other services - Office 365 requires some external name resolutions from laptop/desktop - Identified proxy challenges in terms of workload SSL based connections Long life connections 12 2014 2013 Infoblox Inc. All Rights Reserved.

Customer use case - DNS implementation talks Decided to avoid proxy for office365 More global thinking around internal DNS Selective DNS forward rules Controlled DNS but Maintenance / scalability Troubleshooting open DNS resolution easier / future proof but requires increased security How can I improve my DNS monitoring? How can I improve security around DNS? - Malware protection and mitigation - Advanced DNS protection 13 2014 2013 Infoblox Inc. All Rights Reserved.

DNS traffic monitoring & alerting 14 2014 2013 Infoblox Inc. All Rights Reserved.

Best practice: Monitoring DNS Traffic Monitor traffic to your name servers: Aggregated query rate Top queriers Top domains Query types (with associated query rates) Response latency trend Ability to set alert on traffic change (threshold, growth) Ability to analyze DNS traffic smoothly and selectively DNS Queries AND Responses 15 2014 2013 Infoblox Inc. All Rights Reserved.

Monitoring Aggregate Query Rate 16 2014 2013 Infoblox Inc. All Rights Reserved. 1 6

Setting Alerts on Aggregate Query Rate 17 2014 2013 Infoblox Inc. All Rights Reserved.

Monitoring Top Clients 18 2014 2013 Infoblox Inc. All Rights Reserved.

Malware protection and mitigation using DNS? 19 2014 2013 Infoblox Inc. All Rights Reserved.

Malwares use DNS Malwares infects clients when they visit malicious web sites, whose names are resolved using DNS Malwares contact command-and-control channels using hardwired domain names and rapidly changing IP addresses (fast-flux, double fast-flux) Malwares can tunnel new malicious code through DNS 20 2014 2013 Infoblox Inc. All Rights Reserved.

Fast flux from Wikipedia The simplest type of fast flux, named "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL ( ) values to create a constantly changing list of destination addresses for that single DNS name. A more sophisticated type of fast flux, referred to itself as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS Name Server record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network. 21 2014 2013 Infoblox Inc. All Rights Reserved.

Almost all malware communications use DNS!! Infoblox DNS Firewall makes it easy to detect this activity Source: Checkpoint Security Report 2014 22 2014 2013 Infoblox Inc. All Rights Reserved.

Infoblox DNS Firewall- key concept Many organizations on the Internet track malicious activity They know which web sites are malicious They know which domain names malware look up to rendezvous with command-and-control servers Infoblox DNS Firewall leverages RPZ (Response Policy Zones) Response Policy Zones are funny-looking zones that embed rules instead of records The rules say, If someone looks up a record for this [malicious] domain name, or that points to this [malicious] IP address, do this. This is generally return an error or return the address of this walled garden instead 23 2014 2013 Infoblox Inc. All Rights Reserved.

Infoblox Malware Data Feed Service Malware Droppers Botnet C&C / DNS Servers RPZ data pushed thru signed XFR Infoblox DNS Firewall Inbound Attacks Geographic Blocks Infoblox Malware Data Feed Service - 24/7 service - Data from over 35 different public and proprietary sources 7 feed types - Incremental threat data changes are pushed every 2 hours - Significant threats cause immediate updates (notify) 24 2014 2013 Infoblox Inc. All Rights Reserved.

Infoblox DNS Firewall in action Malicious domains 1 An infected device brought into the office. Malware spreads to other devices on network. 3 2 Malware makes a DNS query to find home. (botnet / C&C) 1 Malware / APT Infoblox DDI with DNS Firewall 2 4 Blocked attempt sent to Syslog 3 4 DNS Firewall blocks DNS query (by Domain name / IP Address) Pinpoint any infected device: IP address MAC address Device type (DHCP fingerprint) Host name DHCP lease history Reputation data comes from: Malware / APT spreads within network; Calls home DNS Firewall Subscription Svc FireEye Adapter (NX Series) 25 2014 2013 Infoblox Inc. All Rights Reserved.

Advanced DNS Protection Against DDoS and other funky stuff 26 2014 2013 Infoblox Inc. All Rights Reserved.

How can I further secure my DNS servers? Dedicated compute capacity to supervise DNS traffic with ability of early detection of attack symptoms Behavioral logic to mitigate flood based, DDOS reflection and amplification DNS attacks Fine-grain filters to allow/block specific DNS record types (DNS query using ANY type does not make sense from an application perspective ) Signature based attack detection for known vulnerabilities and exploits 27 2014 2013 Infoblox Inc. All Rights Reserved.

Advanced DNS Protection from Infoblox Secure access Infoblox Update Service Dedicated network processor card so the name server continues to serve good queries under attack Intelligently distinguishes legitimate traffic from attack traffic Protects the DNS infrastructure against incoming DNS-based attacks and floods 53 Limited port access Automated updates to protect against new threats Real-time centralized visibility via the Infoblox GUI and Reporting module 28 2014 2013 Infoblox Inc. All Rights Reserved. 28

Advanced DNS Protection integrates into existing Infoblox Grids Legitimate Traffic Infoblox Threat Rule Server Automatic Updates New Infoblox Adv. DNS Protection Block DNS attacks Grid-wide rule distribution GRID Master Send Reports New Infoblox Adv. DNS Protection Reporting Server Reports on attack types, severity 29 2014 2013 Infoblox Inc. All Rights Reserved.

DNS Protection is Not Just About DDoS DNS reflection/drdos attacks DNS amplification TCP/UDP/ICMP floods Using third-party DNS servers (mostly open resolvers) to propagate a DoS or DDoS attack Using a specially crafted query to create an amplified response to flood the victim with traffic Denial of service on layer 3 or 4 by bringing a network or service down by flooding it with large amounts of traffic DNS-based exploits DNS cache poisoning Protocol anomalies Reconnaissance DNS tunneling DNS hijacking NXDomain attack Phantom domain attack DNS-specific Exploits Attacks that exploit bugs or vulnerabilities in the DNS software Corruption of DNS server cache data with a rogue domain or IP Causing the server to crash by sending malformed DNS packets and queries Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack Tunneling of another protocol through DNS port 53 for malware insertion and/or data exfiltration Modifying the DNS record settings to point to a rogue DNS server or domain Attacks that flood DNS server with requests for non-existent domains, causing it to send NXDomain (non-existent domain) responses Attacks where a DNS resolver is forced to resolve multiple non-existent domains, causing it to consume resources while waiting for responses Volumetric/DDoS Attacks 30 2014 2013 Infoblox Inc. All Rights Reserved.

Deployment Options EXTERNAL INTERNAL INTRANET INTERNET GRID Master and Candidate (HA) DATACENTER CAMPUS/REGIONAL Advanced DNS Protection Advanced DNS Protection D M Z Advanced DNS Protection Advanced DNS Protection INTRANET Grid Master and Candidate (HA) DATACENTER CAMPUS/REGIONAL Endpoints 31 2014 2013 Infoblox Inc. All Rights Reserved.

Take aways New trends & applications are impacting the DNS service Emerging IT requirements can drive some DNS redesign on the internal side DNS monitoring and alerting is a must have Some advanced mechanisms can help protect the DNS infrastructure and its usage We can help J don t hesitate to contact us! 32 2014 2013 Infoblox Inc. All Rights Reserved.

33 2014 2013 Infoblox Inc. All Rights Reserved. Questions?

Muchas gracias por su atención! 34 2014 2013 Infoblox Inc. All Rights Reserved.

Evaluate DNS Firewall now! New! Use DNS to Find Malware/APT Hiding in Your Network Internet Caching DNS Switch Span Port Query Response Internal Network Shows malware activity No hardware (100% virtual) Non-disruptive to production network DNS FW RPZ Hits Reporting Fully automated with simple install 60-day trial www.infoblox.com/catchmalware 35 2014 2013 Infoblox Inc. All Rights Reserved.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information