Securing the critical service - DNS
Dominic Stahl, Systems Engineer Central Europe
11.3.2014
2013 Infoblox Inc. All Rights Reserved.

Agenda
- Preface
- Advanced DNS Protection - DDOS
- DNS Firewall - dynamic Blacklisting
- High Performance DNS Caching
- DNSSEC

Preface

The Problem
- DNS-based attacks are on the rise
- Traditional protection is ineffective against evolving threats
- DNS outage causes network downtime, loss of revenue, and negative brand impact
- Unprotected DNS infrastructure introduces security risks

Why is DNS an Ideal Attack Target?
- DNS is the cornerstone of the Internet, used by every business and government
- DNS protocol is stateless and hence vulnerable
- DNS as a protocol is easy to exploit
- Maximum impact with minimum effort

Advanced DNS Protection - DDOS

2013 DNS Threat is Significant
- Attacks against DNS infrastructure growing
- DNS-specific attacks up 200% in 2012
- ICMP, SYN, UDP attacks growing significantly too
- DNS is #2 attack vector protocol

[Chart: attack vector by protocol. Source: Arbor Networks]
HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VOIP 19%, IRC 11%, Other 7%

[Chart: Infrastructure Layer: 76.52%. Source: Prolexic Quarterly Global DDoS Attack Report Q3 2013]
ACK: 1.69%, CHARGEN: 3.37%, FIN PUSH: 0.39%, DNS: 8.94%, ICMP: 11.41%, RESET: 1.94%, RIP: 0.13%, RP: 0.39%, SYN: 18.16%, SYN PUSH: 0.13%, TCP FRAGMENT: 0.65%, UDP FLOODS: 14.66%, UDP FRAGMENT: 14.66%

The Solution - Infoblox Advanced DNS Protection
Unique Detection and Mitigation
- Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling
- Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests
Centralized Visibility
- Centralized view of all attacks happening across the network through detailed reports
- Intelligence needed to take action
Ongoing Protection Against Evolving Threats
- Regular automatic threat-rule updates based on threat analysis and research
- Helps mitigate attacks sooner vs. waiting for patch updates

Solution Components
Infoblox Advanced DNS Protection Service
- Advanced DNS Protection activation
- Automatic updates for protection against new and evolving threats
- Support and Maintenance
Infoblox Advanced Appliance (PT-1400, PT-2200, PT-4000)
- DNS appliance purpose built with security in mind
- Enhanced processing and dedicated compute for threat mitigation
Note: Customers who have IB-4030 Rev2 need to purchase a separate Adv. DNS Protection license.

Security Built-in to the DNS Infrastructure: Use Cases
- Enterprise customers: external authoritative DNS server security, protection against all DNS threats
- Internal DNS: enterprise / universities with open networks
- Service providers: recursive caching, authoritative DNS services
- Serve DNS queries under attack
- Traditional security appliances mitigate only partial attacks against DNS
[Diagram labels: Internet; DNS Server, Standard Appliances; DNS Server, Advanced Appliances]

Fully Integrated into Infoblox Grid
[Diagram labels: Infoblox Threat-rule Server, automatic updates; Infoblox Advanced DNS Protection (External Auth.); Infoblox Advanced DNS Protection (Internal Recursive); Block DNS attacks; Legitimate Traffic; GRID Master; Data for Reports; Reporting Server, reports on attack types, severity]

Centralized Visibility: Reporting
Intelligence Needed to Take Action
- Attack details by category, member, rule, severity, and time
- Visibility into source of attacks for blocking, to understand scope and severity
- Early identification and isolation of issues for corrective action

Service Providers
- Protection against attacks on caching and authoritative servers
- Authoritative DNS + DNS Caching (PT-4000)
- DNS Caching only (IB-4030)
- 1M qps

Advanced Appliances Come in Three Physical Platforms
Advanced Appliances have next-generation programmable processors that provide dedicated compute for threat mitigation. The appliances offer both AC and DC power supply options.

DNS Firewall + FireEye Adapter

Conventional DNS - Security Gap in your network
- Malware depends on DNS Protocol to find home
- Most often domain name is the only information available to identify malicious activity
[Diagram labels: email, Web, Video, Data, Chat, VoIP; Security infrastructure (Firewall, IPS/IDS, web gateway); Malicious domain look-up; Conventional DNS]

How does the DNS Firewall work?
1. Dynamic Policy Update: Malware Data Feed from Infoblox
2. Dynamic Grid-Wide Policy Distribution to each Infoblox DNS Firewall / Recursive DNS Server
3. Infected Client: malicious link to www.badsite.com
4. Redirect: Landing Page / Walled Garden
5. Contact botnet
6. Write to Syslog and send to Trinzic Reporting
Apply Policy: Block / Disallow session

Infoblox DNS Firewall Subscription Service
- 35+ sources (Public & Private) worldwide
- Correlation/compilation: Domains / URLs / IPs with bad reputation
- Pushed every 2 hours via DNS NOTIFY
- Internal Black list RPZ can be acted upon 1st before hitting DNS Reputation RPZ
[Diagram labels: Infoblox DNS Firewall / Recursive DNS Server; Malware; Droppers; C&C + Botnet / DNS Servers; Inbound Attacks; Geographic Blocks]

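The zone ordering noted above (internal blacklist RPZ consulted before the reputation RPZ), together with the block / redirect / syslog steps of the DNS Firewall flow, as an added example that is not Infoblox code: a simplified Python model of first-match RPZ evaluation using the standard RPZ CNAME encodings. Zone names, the walled-garden host, the client address and the log format are constructed for illustration.

```python
"""Simplified model of ordered RPZ evaluation (added example, not vendor code)."""
from dataclasses import dataclass

NXDOMAIN = "."              # RPZ encoding: CNAME to the root means NXDOMAIN
PASSTHRU = "rpz-passthru."  # RPZ encoding: exempt this name from policy


@dataclass
class PolicyZone:
    name: str
    rules: dict  # trigger owner name (may start with "*.") -> CNAME target

    def match(self, qname):
        """Return the target for an exact or wildcard trigger, else None."""
        if qname in self.rules:
            return self.rules[qname]
        labels = qname.split(".")
        # "*.badsite.com" covers subdomains at any depth, not the apex itself.
        for i in range(1, len(labels)):
            target = self.rules.get("*." + ".".join(labels[i:]))
            if target is not None:
                return target
        return None


def evaluate(zones, qname, client_ip):
    """First zone with a matching trigger decides; returns (action, log line)."""
    qname = qname.lower().rstrip(".")
    for zone in zones:
        target = zone.match(qname)
        if target is None:
            continue
        action = {NXDOMAIN: "nxdomain", PASSTHRU: "passthru"}.get(target, "redirect")
        log = f"rpz zone={zone.name} client={client_ip} qname={qname} action={action}"
        if action == "redirect":
            log += f" target={target}"
        return action, log
    return "resolve", None  # no policy hit: normal recursion


# Constructed sample policy: the internal blacklist is listed (and checked) first.
WALLED_GARDEN = "walledgarden.corp.example."  # hypothetical landing page
ZONES = [
    PolicyZone("internal-blacklist.rpz", {"www.badsite.com": NXDOMAIN}),
    PolicyZone("reputation-feed.rpz", {"badsite.com": WALLED_GARDEN,
                                       "*.badsite.com": WALLED_GARDEN}),
]

if __name__ == "__main__":
    for name in ("www.badsite.com", "cdn.badsite.com", "www.example.org"):
        print(evaluate(ZONES, name, "192.0.2.10"))
```

Reversing the order of ZONES changes the answer for www.badsite.com from NXDOMAIN to a walled-garden redirect, which is why the position of the internal list relative to the feed matters.
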
DNS Firewall - FireEye Adapter
- Infected enterprise end-point: malware / apps initiate DNS requests for web domains
- FireEye: detects & detonates advanced malware
- DNS Server w/ DNS Firewall: block / re-direct DNS query
- Infoblox Reporting Server: ID infected device by IP, MAC address & device type for remediation
[Diagram labels: Rogue Portals; C&C / Proxy Portal IPs; Compromised Web Server or Domain; 13.13.13.13; 12.12.12.13; INTERNET; INTRANET; Play Malware Attack; steps 1 to 4]

DNS Firewall - FireEye Adapter Reporting
- Visibility into traffic DNS Firewall is tracking & blocking
[Screenshot labels: FireEye Alerts; Date/Time, Alert#, Log Severity Type]

DNS Firewall - Reporting that drives remediation
- Identify device by IP Address, MAC Address, Host name, and Device Type.
- Security Policy Violations Report

DNS Firewall vs. other DDI vendors
- Complete solution vs. feature
- Pinpoint device by IP / MAC / Type
- Malware Data Feed Service
- Integrated reporting & IPAM vs. DIY log searches/correlation
- DNS-specific/expert-generated reputational feed vs. DIY ("Go fish!")
[Diagram labels: email, Web, Video, Data, Chat, VoIP; Malicious domain look-up; Security infrastructure (Firewall, IPS/IDS, Web Gateway)]

High Performance DNS Caching

Introducing the Infoblox 4030
World's Most Manageable, Secure, and Scalable DNS Caching Device
- Carrier-grade appliance targeted to Service Providers
- Over 1M DNS Queries per second per appliance
- High performance, ruggedized server platform
- Optional AC or DC power
- Hot-swappable Power Supplies, Fan, RAID Disk Drives

DNSSEC

The Infoblox DNSSEC Solution
Makes the process of deploying and managing DNSSEC as simple as possible
- Single-click configuration
- Automatic and on-the-fly key generation and management
Uses the latest technology and protocol features
- BIND 9.7.x with NSEC3 support
- HSM Module available for SafeNet and Thales

Infoblox the Company

Infoblox Global Support
- Instant and high-quality technical support
- 4 major Tech Support Centers around the globe with 24x7 coverage: Santa Clara, United States; Antwerp, Belgium; Trivandrum, India; Tokyo, Japan
- Multi-language support including Dutch, French, German, Japanese, Chinese, Korean, and Spanish
- 800+ Infoblox devices in our Santa Clara HQ lab
- Nine global depots for NBD replacement: Santa Clara, Amsterdam, Australia, Hong Kong, Singapore, Japan, India, China, Canada

Infoblox is a Pioneer and Market Leader
- Pioneered Core Network Services Appliances: World's first DNS, DHCP and IPAM appliances
- 700+ employees with headquarters in Santa Clara, CA
- Offices/Partners in over 30 countries
- 4 TAC centers with 24/7 global support
- More than 6700 customers
- More than 35% of the Fortune 500 companies
- 55.000+ appliances shipped

Market Leaders Choose Infoblox
- 6,000+ Global Customers
- Telecom, Retail, Manufacturing, Media and Internet, Transportation, Government, Life Sciences, Financial Services, Education, Energy
- Infoblox Alliance Partners

Q&A