DNS Firewall Overview Speaker Name. Date

Academic year: 2021


(1)

DNS Firewall Overview

(2)

Agenda

• DNS Security Challenges

• Infoblox DNS Firewall Solution

• Customers

• Call to Action

(3)

APTs: The New Threat Landscape

• Nation-state or organized-crime sponsored targeted cybercrime – directed at governments or enterprises

• Malicious traffic visible on 100% of corporate networks¹

• Average material loss per “breach” incident: $7.6M; intangible (brand) loss much higher²

• APTs use DNS to connect devices to malicious destinations on the Internet

(4)

|

CryptoLocker “Ransomware” and Gameover Zeus

Malware Examples

CryptoLocker

• Targets Windows-based computers in the form of an email attachment

• Upon infection, encrypts files on the local hard drive and on mapped network drives

• If the ransom isn’t paid, the encryption key is deleted and the data is irretrievable

Gameover Zeus (GOZ)

• 500,000 – 1M infections globally and 100s of millions of dollars stolen

• Uses P2P communication to control the botnet of infected devices

• Takes control of private online transactions and diverts funds to criminal accounts

(5)

Common Security Solutions Not DNS Focused

Approach: Next generation firewall

Pros: Focuses on perimeter protection from network and application threats, and usually allows DNS traffic

Cons:

• Cannot easily mitigate fast-flux and DGA attacks

• May have to rely on endpoint software (agents) for protection against malware callbacks to the command-and-control server

Approach: Intrusion detection / intrusion prevention

Pros: Supplements the firewall with anomaly detection and heuristics to detect and block malware

Cons:

• Because malware uses DNS to resolve the IP addresses of domains, bad networks use rapid fast-flux changes to quickly create unique combinations of IP addresses and new domains; these combinations won’t be identified by IDS/IPS as bad traffic and pass through misclassified

• Cannot detect attacks disguised within encrypted communications, leaving a hole in threat prevention

Approach: Web filter or proxy / secure web gateway

Pros: Filters unwanted software and malware from internal user-initiated web/Internet traffic

Cons:

• Limited to detecting only web (HTTP/URL) traffic; malware using Internet-based applications such as FTP, VoIP, RPC, SIP, SSH, and Telnet passes through unfettered

• Deployment can be cumbersome; proxies are hard to implement even for the HTTP-traffic-inspection-only use case

• Does not address fast-flux attacks

(6)

Infoblox DNS Firewall

1. An infected device is brought into the office. Malware spreads to other devices on the network.

2. Malware makes a DNS query to find “home” (botnet / C&C). DNS Firewall looks at the DNS response and takes the admin-defined action (disallows communication to the malware site, or redirects traffic to a landing page or “walled garden” site).

3. Pinpoint. Infoblox Reporting lists the DNS Firewall action as well as the:

• Device IP address

• Device MAC address

• Device type (DHCP fingerprint)

• Device host name

• Device lease history

4. An update will occur every 2 hours (or more often for a significant threat).

5. Additional threat intelligence from sources outside Infoblox can also be used by DNS Firewall (e.g. FireEye).

[Diagram labels: Malware/APT; Infoblox with DNS Firewall; Malicious Domains; Infoblox threat update device; IPs, Domains, etc. of Bad Servers; Blocked communication attempt sent to Syslog; Malware/APT spreads within network, calls home; FireEye detects zero-day APTs; INTERNET]
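To make steps 2 and 3 concrete, here is an added Python sketch of a response-policy check of the kind a DNS firewall performs. It is example code written for this page, not Infoblox's implementation: the policy table, the client records, the walled-garden address (an RFC 5737 documentation address) and the key=value syslog line format are all constructed, and it assumes that a policy entry for a domain also covers that domain's subdomains. A matching query is either refused (NXDOMAIN) or rewritten to the landing page, and every hit is logged with the device details that the reporting step lists.

```python
"""Miniature DNS response-policy enforcer (added example, not product code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed policy table: malicious domain -> (threat category, admin-defined action).
# The two actions are the ones the slide describes: "block" (NXDOMAIN) or "redirect".
POLICY = {
    "c2-botnet.example": ("botnet-c2", "block"),
    "ransom-drop.example": ("ransomware", "redirect"),
    "flux.example": ("fast-flux", "block"),
}
WALLED_GARDEN = "192.0.2.10"   # assumed landing-page address (RFC 5737 range)


@dataclass
class Client:
    ip: str
    mac: str
    fingerprint: str   # DHCP fingerprint, i.e. the device type
    hostname: str


@dataclass
class Decision:
    qname: str
    action: str              # "allow", "block" or "redirect"
    category: Optional[str]
    answer: Optional[str]    # rewritten A record for redirects, else None


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'C2-BOTNET.EXAMPLE.' still matches."""
    return qname.rstrip(".").lower()


def lookup_policy(qname: str):
    """Return (listed_domain, entry) for the name or its closest listed parent.

    Assumption: an entry for 'flux.example' also covers 'a.b.flux.example'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in POLICY:
            return candidate, POLICY[candidate]
    return None


def evaluate(qname: str) -> Decision:
    """Decide what the resolver hands back for this query name."""
    hit = lookup_policy(qname)
    if hit is None:
        return Decision(normalize(qname), "allow", None, None)
    _listed, (category, action) = hit
    answer = WALLED_GARDEN if action == "redirect" else None
    return Decision(normalize(qname), action, category, answer)


def syslog_line(client: Client, d: Decision) -> str:
    """Format a hit with the fields step 3 wants (lease history omitted here)."""
    return (f"dns-firewall action={d.action} category={d.category} qname={d.qname}"
            f" client_ip={client.ip} client_mac={client.mac}"
            f" device_type={client.fingerprint} hostname={client.hostname}")


def process(client: Client, qnames):
    """Evaluate each query; return all decisions plus one log line per hit."""
    decisions, log = [], []
    for q in qnames:
        d = evaluate(q)
        decisions.append(d)
        if d.action != "allow":
            log.append(syslog_line(client, d))
    return decisions, log


if __name__ == "__main__":
    # Constructed client record and query stream
    laptop = Client("10.1.2.3", "00:11:22:33:44:55", "Windows 10", "lt-0042")
    queries = ["www.example.org", "update.c2-botnet.example.",
               "RANSOM-DROP.example", "x.flux.example"]
    decisions, log = process(laptop, queries)
    for d in decisions:
        print(d)
    print("\n".join(log))
```

The redirect case is what turns a block into a teaching moment: the user lands on a walled-garden page instead of a silent failure, while the syslog line still ties the attempt to a specific device.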

(7)

Types of Attacks DNS Firewall Protects Against

• Fast flux

  – Rapid changing of domains and IP addresses by malicious domains to obfuscate identity and location

• DGA

  – Randomly generating domains that connect to malicious networks or botnets

• Geo-based

  – Geographical locations with many malicious domains, or that are under government economic sanctions

(8)

Actionable Reporting and Logging

• CISO/Executive report

  – Clients trying to communicate with malicious locations most often

  – Top three domains clients are attempting to reach

  – Top APT/malware threats by volume

• Identify malicious activity

  – By client, destination, and threat context
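The two report views above can be built from the firewall's block events alone. The following is an added Python example (not Infoblox Reporting's code) that parses a handful of constructed syslog-style lines in an assumed key=value format and produces the executive view (noisiest clients, top three domains, top threats by volume) and the drill-down view by client, destination and threat context. Lines that are not firewall events are skipped.

```python
"""Executive and drill-down reports from DNS Firewall block events (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample log: one line per blocked or redirected DNS attempt.
SAMPLE_LOG = """\
dns-firewall action=block category=botnet-c2 qname=c2-botnet.example client_ip=10.1.2.3
dns-firewall action=block category=botnet-c2 qname=c2-botnet.example client_ip=10.1.2.3
dns-firewall action=redirect category=ransomware qname=ransom-drop.example client_ip=10.1.2.3
dns-firewall action=block category=fast-flux qname=x.flux.example client_ip=10.1.9.9
dns-firewall action=block category=botnet-c2 qname=c2-botnet.example client_ip=10.1.9.9
dns-firewall action=block category=dga qname=kq3vz8.example client_ip=10.1.5.5
dns-firewall action=block category=dga qname=p0w1xr.example client_ip=10.1.5.5
not a firewall line at all
"""

KV = re.compile(r"(\w+)=(\S+)")   # key=value pairs; values carry no spaces


def parse(text):
    """Yield one dict per dns-firewall line; unrelated lines are skipped."""
    for line in text.splitlines():
        if not line.startswith("dns-firewall "):
            continue
        yield dict(KV.findall(line))


def executive_report(events, top_n=3):
    """CISO view: clients hitting malicious locations most often, top domains, top threats."""
    clients = Counter(e["client_ip"] for e in events)
    domains = Counter(e["qname"] for e in events)
    threats = Counter(e["category"] for e in events)
    return {
        "top_clients": clients.most_common(top_n),
        "top_domains": domains.most_common(top_n),
        "top_threats": threats.most_common(top_n),
    }


def malicious_activity_by_client(events):
    """Drill-down view: per client, which destinations were reached in which threat context."""
    view = defaultdict(lambda: defaultdict(Counter))
    for e in events:
        view[e["client_ip"]][e["category"]][e["qname"]] += 1
    # Flatten the nested defaultdicts into plain dicts for printing and testing.
    return {ip: {cat: dict(q) for cat, q in cats.items()} for ip, cats in view.items()}


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    report = executive_report(events)
    for title, rows in report.items():
        print(title)
        for key, count in rows:
            print(f"  {key}: {count}")
    print("by client")
    for ip, cats in malicious_activity_by_client(events).items():
        print(f"  {ip}: {cats}")
```

With the sample above, the client at 10.1.2.3 tops the executive view with three hits and the botnet C&C domain is the most-requested destination; the drill-down shows the two DGA-style names both coming from a single host, which is the "which device is infected" answer the reporting step is there to give.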

(9)

Geisinger Health System

Problem

• Obtain visibility, control, and security for distributed network

• Replace VitalQIP with more future-proof, cost-effective solution

• Support health services for 2M+ people

Infoblox Solution

Infoblox DDI and DNS Firewall with Reporting

• DNS security for medical devices

• Visibility into infected devices

• Scalability

(10)

A Global US Defense Agency

Problem

• Protect network from millions of daily connections to malicious domains

• Incorporate feeds from other agencies in its own blacklist

• Know which devices are infected

Infoblox Solution

Infoblox DNS Firewall

• Prevents communications with malicious domains

• Adds accurate, current malware data to its blacklists

• Supports threat intelligence from non-Infoblox sources

• Helps pinpoint infected devices

(11)

A Private University

Problem

• Other security platforms gave no visibility into what was traversing the network via DNS

• DNS FW Assessment found 4K+ queries going out to known malicious sites

Infoblox Solution

Infoblox DNS Firewall with FireEye Integration License

• FireEye enables visibility into zero-day malware activity at the DNS level

• Aligns with defense-in-depth strategy – protection against DNS-based APTs

(12)

Use DNS to find APTs and malware lurking in your network

Try DNS Firewall/Virtual Evaluation

• Options: SPAN port or standalone

• No hardware (100% virtual)

• Non-disruptive to production network

• 60-day trial

• See malware/APT activity with reports

(13)

Send Us Your PCAP Files

• Infoblox analyzes and provides insights on malicious activity in seconds

• Report on findings to take

(14)
