
Securing DNS Infrastructure

Securing DNS Infrastructure. Matt Gowarty | Senior Product Marketing Manager, Infoblox. Agenda: Infoblox Overview; DNS Security Challenges; Securing the DNS Platform; Defending Against DNS Attacks; Preventing Malware from using DNS; Sample Case Study: Acme Corp.





Presentation Transcript


  1. Securing DNS Infrastructure Matt Gowarty | Senior Product Marketing Manager, Infoblox

  2. Agenda Infoblox Overview DNS Security Challenges Securing the DNS Platform Defending Against DNS Attacks Preventing Malware from using DNS Sample Case Study: Acme Corp.

  3. Infoblox Overview & Business Update
     Founded in 1999. Headquartered in Santa Clara, CA with global operations in 25 countries. Leader in technology for network control:
     • Market leadership
     • Gartner “Strong Positive” rating
     • 50%+ market share (DDI)
     7,100+ customers, 65,000+ systems shipped. 38 patents, 25 pending. IPO April 2012: NYSE BLOX.
     [Chart: Total Revenue ($MM), fiscal year ending July 31, 30% CAGR]

  4. Infoblox: Technology for Network Control
     [Diagram: the Infoblox Grid™ with its real-time network database forms the control plane between apps & end-points (load balancers, end points, web proxy, firewalls, switches, routers, virtual machines, private cloud applications) and the network infrastructure. Essential network control functions: DNS, DHCP, IPAM (DDI); discovery; real-time configuration & change; compliance. Also shown: infrastructure security and historical / real-time reporting & control.]

  5. Why is DNS an Ideal Target?
     • DNS outage = business downtime
     • Traditional protection is ineffective against evolving threats
     • DNS as a protocol is easy to exploit
     • DNS is the cornerstone of the Internet, used by every business / government

  6. The DNS Security Challenge: (1) Securing the DNS Platform; (2) Defending Against DNS Attacks; (3) Preventing Malware from using DNS

  7. The Infoblox Solution: Secure DNS
     • Infoblox DNS Firewall – prevents malware/APT from using DNS
     • Infoblox Advanced DNS Protection – defends against DNS attacks
     • Hardened Appliance & OS – secures the DNS platform

  8. The Infoblox Solution: Secure DNS
     • Infoblox DNS Firewall – prevents malware/APT from using DNS
     • Infoblox Advanced DNS Protection – defends against DNS attacks
     • Hardened Appliance & OS – secures the DNS platform

  9. Hacks of DNS – 2013 & 2014

  10. Security Risks with Conventional Approach
     Conventional server approach (multiple open ports):
     • Many open ports subject to attack
     • Users have OS-level account privileges on the server
     • Requires time-consuming manual updates
     Infoblox appliance approach (limited port access, secure access, Infoblox Update Service):
     • Dedicated hardware with no unnecessary logical or physical ports
     • No OS-level user accounts – only admin accounts
     • Immediate updates to new security threats
     • Secure HTTPS-based access to device management
     • No SSH or root-shell access
     • Encrypted device-to-device communication

  11. Infoblox Purpose Built Appliance and OS • Minimal attack surfaces • Active/Active HA & DR recovery • Common Criteria Certification • FIPS 140-2 Compliance • Encrypted Inter-appliance Communication • Centralized management with role-based control • Secured Access, communication & API • Detailed audit logging • Fast/easy upgrades

  12. DNSSEC in 1-Click • No scripts / Auto-Resigning / 1-click • Central configuration of all DNSSEC parameters • Automatic maintenance of signed zones

  13. The Infoblox Solution: Secure DNS
     • Infoblox DNS Firewall – prevents malware/APT from using DNS
     • Infoblox Advanced DNS Protection – defends against DNS attacks
     • Hardened Appliance & OS – secures the DNS platform

  14. DNS Attacks up 216%
     ~10% of infrastructure attacks targeted DNS (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013). Attack vector breakdown from that report: UDP fragment 17.11%, SYN 14.56%, UDP floods 13.15%, ICMP 9.71%, DNS 9.58%, CHARGEN 6.39%, ACK 2.81%, RESET 1.4%, FIN PUSH 1.28%, SYN PUSH 0.38%, RP 0.26%, TCP fragment 0.13%.
     ~80% of organizations surveyed experienced application layer attacks on DNS (Source: Arbor Networks survey respondents).

  15. Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
     • Combines reflection and amplification
     • Uses third-party open resolvers on the Internet (unwitting accomplices)
     • Attacker sends spoofed queries to the open recursive servers
     • Queries are specially crafted to result in a very large response
     • Causes DDoS on the victim’s server
     [Diagram, “How the attack works”: the attacker sends spoofed queries to open recursive servers on the Internet; the amplified, reflected packets arrive at the target victim]

  16. Infoblox Advanced DNS Protection: Protection against attacks
     [Diagram: Advanced DNS Protection on the external and internal DNS passes legitimate traffic while dropping reconnaissance, DNS exploits, amplification and cache poisoning; the Infoblox threat-rule server supplies automatic updates with grid-wide rule distribution; data for reports goes to a reporting server that reports on attack types and severity]

  17. DNS Protection Is Not Just About DDoS
     • DNS reflection / DrDoS attacks – using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
     • DNS amplification – using a specially crafted query to create an amplified response to flood the victim with traffic
     • DNS-based exploits – attacks that exploit vulnerabilities in the DNS software
     • TCP/UDP/ICMP floods – denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
     • DNS cache poisoning – corruption of the DNS cache data with a rogue address
     • Protocol anomalies – causing the server to crash by sending malformed packets and queries
     • Reconnaissance – attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
     • DNS tunneling – tunneling of another protocol through DNS for data exfiltration
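Two of the classes in the list above, reflection/amplification (slide 15) and DNS tunneling, leave a recognisable shape in a resolver's query log, which is where an operator without a dedicated appliance would first look. The script below is an added example, not part of the presentation and not Infoblox code: it runs two heuristics over a constructed, simplified query-log format (client IP, query name, query type, response size). The sample lines, the thresholds, the query-size estimate and the two-label stand-in for a registrable domain are all assumptions made for the example.

```python
"""Heuristics over resolver query logs for two attack classes listed above:
reflection/amplification candidates and DNS-tunneling candidates.
Added example; the log format, thresholds and sample data are assumptions."""
import math
from collections import defaultdict

# Constructed sample log: "<client_ip> <qname> <qtype> <response_bytes>" per line.
# Addresses are documentation ranges; the names are not real indicators.
SAMPLE_LOG = """\
198.51.100.7 isc.org ANY 3200
198.51.100.7 isc.org ANY 3200
198.51.100.7 isc.org ANY 3200
198.51.100.7 isc.org ANY 3200
198.51.100.7 isc.org ANY 3200
203.0.113.10 www.example.com A 60
203.0.113.10 mail.example.com MX 90
203.0.113.22 a7f3b9c1d2e4f6a8b0c1d3e5.tun.example.net TXT 120
203.0.113.22 9e8d7c6b5a4f3e2d1c0b9a8f.tun.example.net TXT 120
203.0.113.22 0f1e2d3c4b5a69788796a5b4.tun.example.net TXT 120
203.0.113.22 c3d4e5f60718293a4b5c6d7e.tun.example.net TXT 120
203.0.113.22 5b6c7d8e9fa0b1c2d3e4f5a6.tun.example.net TXT 120
203.0.113.22 1a2b3c4d5e6f708192a3b4c5.tun.example.net TXT 120
"""

AMP_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}  # answers far larger than the query
AMP_MIN_RATIO = 10.0    # response bytes / estimated query bytes
AMP_MIN_COUNT = 5       # repeated oversized answers to one claimed source address
TUN_MIN_DISTINCT = 5    # distinct leftmost labels under one parent domain
TUN_MIN_LABEL_LEN = 20  # mean length of those labels
TUN_MIN_ENTROPY = 3.0   # mean Shannon entropy (bits/char) of those labels


def parse_log(text):
    """Yield (client, qname, qtype, resp_bytes); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        client, qname, qtype, size = parts
        yield client, qname.rstrip(".").lower(), qtype.upper(), int(size)


def estimated_query_bytes(qname):
    """Wire size of a typical UDP query: 12-byte header, encoded name,
    qtype/qclass, and an 11-byte EDNS OPT record."""
    return 12 + (len(qname) + 2) + 4 + 11


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def find_amplification_sources(records):
    """{client: (hits, max_ratio)} for clients that received many oversized answers.
    On a reflector the client address is the spoofed victim, so the fix is
    per-source response rate limiting, not blocking that address."""
    hits = defaultdict(lambda: [0, 0.0])
    for client, qname, qtype, size in records:
        ratio = size / estimated_query_bytes(qname)
        if qtype in AMP_QTYPES and ratio >= AMP_MIN_RATIO:
            hits[client][0] += 1
            hits[client][1] = max(hits[client][1], ratio)
    return {c: (n, round(r, 1)) for c, (n, r) in hits.items() if n >= AMP_MIN_COUNT}


def find_tunneling_domains(records):
    """{parent_domain: distinct_labels} where many long, high-entropy leftmost
    labels were queried under one parent: the shape of data pushed through DNS."""
    labels_by_parent = defaultdict(set)
    for _, qname, _, _ in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])  # crude stand-in for the registrable domain
        labels_by_parent[parent].add(labels[0])
    flagged = {}
    for parent, labels in labels_by_parent.items():
        if len(labels) < TUN_MIN_DISTINCT:
            continue
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_len >= TUN_MIN_LABEL_LEN and mean_ent >= TUN_MIN_ENTROPY:
            flagged[parent] = len(labels)
    return flagged


def analyze(text=SAMPLE_LOG):
    records = list(parse_log(text))
    return {"amplification": find_amplification_sources(records),
            "tunneling": find_tunneling_domains(records)}


if __name__ == "__main__":
    for kind, result in analyze().items():
        print(kind, result)
```

Two caveats matter when this is run on real logs. The amplification heuristic flags the address that is *receiving* the large answers, which in a reflection attack is the spoofed victim, so the operational response is response rate limiting per source (BIND's RRL does this) and closing open recursion to the Internet, not a block on that address. The tunneling heuristic will also trip on legitimate services that use long random labels (CDN and anti-spam lookups are common offenders), so the thresholds need tuning against the site's own baseline before any alert is wired to a block.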

  18. Deployment Options: External
     [Diagram: Advanced DNS Protection appliances in the DMZ between the Internet and the intranet pass legitimate traffic and block amplification, DNS tunneling, reconnaissance and exploits; the Grid Master and candidate (HA) sit in the datacenter, with campus/regional sites behind them]

  19. Deployment Options: Internal
     [Diagram: Advanced DNS Protection appliances inside the intranet, in the datacenter and at campus/regional sites, pass legitimate traffic from endpoints and block cache poisoning and amplification; Grid Master and candidate (HA) in the datacenter]

  20. The Infoblox Solution: Secure DNS
     • Infoblox DNS Firewall – prevents malware/APT from using DNS
     • Infoblox Advanced DNS Protection – defends against DNS attacks
     • Hardened Appliance & OS – secures the DNS platform

  21. Security Breaches Using Malware / APT
     [Timeline chart of breaches, 2013 Q1–Q4 and 2014]

  22. Anatomy of an Attack: Cryptolocker “Ransomware”
     • Targets Windows-based computers
     • Appears as an attachment to a legitimate-looking email
     • Upon infection, encrypts files on the local hard drive and mapped network drives
     • Ransom: 72 hours to pay US$300
     • Fail to pay and the encryption key is deleted and the data is gone forever
     • The only way to stop it (after the executable has started) is to block the outbound connection to the encryption server

  23. Infoblox DNS Firewall: Blocking Malware
     [Diagram, steps:] (1) An infected device is brought into the office. (2) Malware/APT spreads to other devices on the network. (3) Malware makes a DNS query to find “home” (botnet / C&C). (4) DNS Firewall detects and blocks the DNS query to the malicious domain; the blocked attempt is sent to Syslog.
     DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Service (Infoblox Malware Data Feed Service).
     • Pinpoint: Infoblox Reporting lists blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history
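Step (4) above, the detect-and-block decision, is what a response-policy mechanism does: the queried name is compared against a feed of known-malicious domains (matching the exact name or any parent domain), a hit is answered as if the name did not exist, and an audit record carrying the client's IP and MAC is emitted so the infected host can be pinpointed later. The class below is an added example, not Infoblox's DNS Firewall code; the feed entries, client addresses, the allowlist behaviour and the syslog-style key=value record are constructed for the example.

```python
"""Response-policy style blocking of known-malicious domains, with an audit
record for each blocked query. Added example, not Infoblox's DNS Firewall;
feed contents, client details and the log line format are constructed."""
from datetime import datetime, timezone

# Constructed feed contents (not real indicators). FEED_V2 stands for the
# next refresh of the feed, which the slide describes as a 2-hour cadence.
FEED_V1 = ["c2.bad.example", "dropper.example.net"]
FEED_V2 = FEED_V1 + ["ransom-key.example.org"]


def normalize(name):
    """Lower-case, strip the trailing dot and surrounding whitespace."""
    return name.strip().rstrip(".").lower()


class DnsFirewall:
    def __init__(self, feed, allowlist=()):
        self.allow = {normalize(d) for d in allowlist}
        self.blocked = set()
        self.update_feed(feed)

    def update_feed(self, feed):
        """Replace the blocklist with the latest feed contents."""
        self.blocked = {normalize(d) for d in feed}

    def match(self, qname):
        """Return the feed entry covering qname (exact or any parent domain),
        or None. Labels are checked from most to least specific, so an
        allowlisted hostname overrides a blocked parent and vice versa."""
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.allow:
                return None
            if candidate in self.blocked:
                return candidate
        return None

    def handle_query(self, client_ip, qname, qtype="A", client_mac=None):
        """Return ("NXDOMAIN", audit_line) for a blocked name, else ("PASS", None).
        The audit line carries the fields the reporting slide lists (client IP,
        MAC) in a syslog-style key=value format assumed for this example."""
        rule = self.match(qname)
        if rule is None:
            return "PASS", None
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        line = (f"{ts} dns-firewall action=NXDOMAIN client={client_ip} "
                f"mac={client_mac or 'unknown'} qname={normalize(qname)} "
                f"qtype={qtype} rule={rule}")
        return "NXDOMAIN", line


if __name__ == "__main__":
    fw = DnsFirewall(FEED_V1)
    print(fw.handle_query("10.0.0.25", "update.c2.bad.example",
                          client_mac="00:11:22:33:44:55"))
    fw.update_feed(FEED_V2)  # simulated feed refresh
    print(fw.handle_query("10.0.0.25", "ransom-key.example.org"))
```

The parent-domain walk is the important design choice: malware rarely queries the bare feed entry, so a blocklist that only matches exact names misses `update.c2.bad.example` when the feed lists `c2.bad.example`. The audit record is what turns a block into a cleanup action; correlating its client IP and MAC with DHCP lease history is the "pinpoint" step the slide describes.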

  24. Infoblox DNS Firewall – FireEye Adapter: Blocking APT
     [Diagram, steps:] (1) Detect – an endpoint attempts to download an infected file; FireEye NX Series detonates and detects the malware, and alerts (malicious domains) are sent to Infoblox. (2) Disrupt – Infoblox DNS Firewall disrupts the malware’s DNS communication; the blocked attempt is sent to Syslog. (3) Pinpoint – Infoblox Reporting provides a list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), DHCP lease (on/off network) and host name.

  25. In Review
     • DNS is critical infrastructure
     • Unprotected DNS infrastructure introduces serious security risks
     • Infoblox Secure DNS Solution protects critical DNS services: Infoblox DNS Firewall prevents malware/APT from using DNS; Infoblox Advanced DNS Protection defends against DNS attacks; Hardened Appliance & OS secures the DNS platform

  26. Thank you!
