
Detect Malware and APTs with DNS Firewall Virtual Evaluation


Summary: Infoblox DNS Firewall provides the industry’s first true DNS security solution for protection against malware and advanced persistent threats (APTs). Infoblox DNS Firewall can detect DNS-based malware and APTs inside the network and disrupt the ability of infected clients to communicate with botnets. The DNS Firewall Virtual Evaluation is a trial version that can detect malware/APT activity in your network through detailed logging and reports.

Detect Malware and APTs Hidden in Your Network

According to recent research on malware, nearly every business network has suspicious traffic going to websites that host malware. In spite of using the latest firewall and intrusion prevention devices, many organizations have malware or APTs in their networks and don’t even know it. Moreover, every six minutes a known type of malware is being downloaded

You can find out what malware and APTs are hiding in your network with the 60-day DNS Firewall Virtual Evaluation. The evaluation:

• Shows DNS-based malware/APT activity and provides detailed logging and reports

• Isn’t deployed in line and hence doesn’t disrupt the production network

• Is fully automated and easy to install

System Requirements

The evaluation software is a VMware-based vApp. The system requirements are:

• VMware ESX/ESXi 5.0 or above with DAS (Direct Attached Storage) or iSCSI (Internet Small Computer System Interface) or FC (Fibre Channel) SAN (Storage Area Network) attached

• Management system with vSphere client

• To manage multiple hosts, the vSphere client must be connected to vCenter (5.0 or above)

• DNS Firewall VM: 4 CPUs, 8G RAM, 160G virtual drive

• Reporting VM: 2 CPUs, 8G RAM

• Internet connectivity to access Infoblox security feed (threat intelligence service)

There are two deployment options:

1. Traffic mirroring using a switch span port for monitoring real-world traffic.

2. All-in-one standalone on a virtual server that doesn’t require any switch configuration changes. You simply input log files (PCAP, BIND traffic logs) into the Guide VM, which also serves as the management user interface (GUI) to the DNS Firewall and Reporting.

Reports That Clearly Display Malware/APT Activity

Once the DNS Firewall evaluation is installed and running, it might take a few minutes to a few hours, depending on your DNS traffic, for malware or APT activity to show up in the logs and reports. The RPZ statistics widget in the Infoblox UI records the malware or APT activity and shows it visually.

Figure 1: Response Policy Zone (RPZ) statistics widget

Communications going out to malicious domains, either to download more malicious software or to exfiltrate data, are logged.

The DNS Firewall Virtual Evaluation also receives regular automatic updates from Infoblox to provide ongoing protection against existing and new types of malware and APTs.

The reporting server bundled with this evaluation helps pinpoint actual infected clients for cleanup. You will need to select the security-related reports. There are five reports related to DNS Firewall, as follows:

• The DNS Top RPZ Hits report identifies domains in the RPZ that have the most hits qualified as malicious domains. This report is designed to shorten the time to identify malware impacts by tracking when attempts are made to reach domains on the RPZ list, including number of hits and time. Selecting Client ID will display the lease history for the client when information is available in the lease history (provided the client received a lease from Infoblox DHCP), and will display the user history for the client, provided the user logged in or authenticated on any Active Directory services captured by Infoblox.

• The DNS Top RPZ Hits by Client report tracks when client IDs attempt to reach domains on the RPZ list, including number of hits and time. This report is designed to shorten the time to identify clients impacted by malware by identifying which ones may be infected. Selecting Client ID will display the lease history for the client when information is available in the lease history, provided the client received a lease from Infoblox DHCP, and will display the user history for the client, provided the user logged in or authenticated on any Active Directory services

This report is designed to shorten the time to identify clients that might be the riskiest points for data exfiltration and helps reduce time to remediation.

• The Top Malicious Activity by Client report provides information on the malicious destinations that are being contacted by the infected clients. This report is designed to shorten the time to identify the types of malware that clients are susceptible to, and to shorten the time to remediation and to protection against future infection of other clients in the network.

• The Top DNS Firewall Hits report identifies distribution of traffic between various malicious domains and provides contextual information on those domains. This report is designed to shorten time to remediation.
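
The DNS Top RPZ Hits and DNS Top RPZ Hits by Client reports described above amount to counting RPZ rewrite events per domain and per client. The following is an added example, not Infoblox code and not part of the original datasheet, that does this over BIND-style traffic logs; the log layout, the sample addresses and domains, and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed layout, modelled on BIND 9 "rpz" category messages).
SAMPLE_LOG = """\
12-Mar-2021 10:01:07.113 rpz: info: client 10.0.0.21#53124 (c2.badsite.example): rpz QNAME NXDOMAIN rewrite c2.badsite.example via c2.badsite.example.rpz.local
12-Mar-2021 10:01:09.840 rpz: info: client @0x7f3a5c0 10.0.0.21#53130 (c2.badsite.example): rpz QNAME NXDOMAIN rewrite c2.badsite.example/A/IN via c2.badsite.example.rpz.local
12-Mar-2021 10:02:44.002 queries: info: client 10.0.0.35#40111 (www.example.org): query: www.example.org IN A +
12-Mar-2021 10:03:15.557 rpz: info: client 10.0.0.35#40112 (drop.exfil.example): rpz QNAME CNAME rewrite drop.exfil.example via drop.exfil.example.rpz.local
12-Mar-2021 10:05:31.201 rpz: info: client 10.0.0.21#53188 (drop.exfil.example): rpz QNAME CNAME rewrite drop.exfil.example via drop.exfil.example.rpz.local
"""

# Matches only RPZ rewrite events; the "@0x..." token is present in some BIND versions.
RPZ_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) (?P<action>\S+) rewrite "
)

def parse_rpz_hits(text):
    """Return one dict per RPZ rewrite event, skipping ordinary query lines."""
    hits = []
    for line in text.splitlines():
        m = RPZ_LINE.match(line)
        if m:
            hit = m.groupdict()
            hit["qname"] = hit["qname"].rstrip(".").lower()  # normalise for counting
            hits.append(hit)
    return hits

def top_rpz_hits(hits, n=10):
    """(domain, hit count, last seen) rows, most-hit domains first."""
    counts = Counter(h["qname"] for h in hits)
    last_seen = {h["qname"]: h["ts"] for h in hits}  # log order: later lines win
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(q, c, last_seen[q]) for q, c in ranked[:n]]

def top_hits_by_client(hits, n=10):
    """(client, total hits, domains contacted) rows, busiest clients first."""
    per_client = defaultdict(Counter)
    for h in hits:
        per_client[h["client"]][h["qname"]] += 1
    ranked = sorted(per_client.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(c, sum(d.values()), sorted(d)) for c, d in ranked[:n]]

if __name__ == "__main__":
    hits = parse_rpz_hits(SAMPLE_LOG)
    for row in top_rpz_hits(hits) + top_hits_by_client(hits):
        print(row)
```

A client that appears against several listed domains, as 10.0.0.21 does in the sample, is the kind of host the by-client report is meant to surface first for cleanup.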

Figure 3: DNS Top RPZ Hits report

Figure 5: Top Malicious Activity by Client report

Figure 7: Top DNS Firewall Hits report

The Sooner You Know How Infected You Are, the Sooner You Can Take Action

Detecting malware and APTs before they cause damage is key. Download your free evaluation now, and then contact us to find out how the full-blown version of DNS Firewall can take you beyond detection and enable you to block communications from infected clients to botnet controllers.

About Infoblox

Infoblox (NYSE:BLOX), headquartered in Santa Clara, California, delivers network control solutions, the fundamental technology that connects end users, devices, and networks. These solutions enable more than 7,000 enterprises and service providers around the world to transform, secure, and scale complex networks. Infoblox (www.infoblox.com) helps take the burden of complex network control
