Protecting Critical Network Infrastructure - PowerPoint PPT Presentation (27 slides)
Presentation Transcript

  1. Protecting Critical Network Infrastructure Krupa Srivatsan | Senior Product Marketing Manager January 2014

  2. Agenda: Infoblox Overview; Security Challenges; Infoblox Solutions: Advanced DNS Protection and DNS Firewall

  3. Infoblox Overview & Business Update. Founded in 1999; headquartered in Santa Clara, CA, with global operations in 25 countries. Leader in technology for network control: market leadership, Gartner "Strong Positive" rating, 40%+ market share in DDI. 6,900+ customers, 55,000+ systems shipped. 35 patents, 29 pending. IPO April 2012: NYSE BLOX. [Chart: total revenue in $MM by fiscal year ending July 31, 30% CAGR]

  4. Infoblox: Technology for Network Control. [Diagram] The control plane is the Infoblox Grid(TM) with its real-time network database, providing the essential network control functions: DNS, DHCP, IPAM (DDI), discovery, real-time configuration and change, compliance, infrastructure security, and historical / real-time reporting and control. It sits between the network infrastructure (switches, routers, firewalls, load balancers, web proxies) and the apps and end-points (end points, virtual machines, private cloud applications).

  5. Why is DNS an Ideal Attack Target? Maximum impact with minimum effort. The DNS protocol is stateless: queries normally travel over UDP with no handshake, so a server answers whatever it receives, source addresses can be spoofed (which is what makes reflection and amplification possible), and a resolver accepts a forged answer if little more than a 16-bit transaction ID and source port match (which is what makes cache poisoning possible). DNS as a protocol is therefore easy to exploit, and it is the cornerstone of the Internet, used by every business and government.

  6. Today's Security Challenges. Two trends, each paired with a matching solution: (1) Attacks targeting DNS: unprotected DNS infrastructure introduces security risks. Addressed by Advanced DNS Protection: detection and mitigation of attacks, on-going protection against evolving threats. (2) APT / malware: APT and malware exploit DNS to get around traditional security infrastructure. Addressed by DNS Firewall: disrupts malware communication and pinpoints infected devices for remediation.

  7. Attacks Targeting DNS

  8. External Attacks on DNS Unprotected DNS infrastructure introduces security risks Traditional protection is ineffective against evolving threats DNS outage causes network downtime, loss of revenue, and negative brand impact DNS-based attacks are on the rise

  9. 2013 – DNS Threat is Significant • Attacks against DNS infrastructure are growing • DNS-specific attacks up 200% in 2012 (source: Arbor Networks) • ICMP, SYN and UDP attacks dominate. [Chart: DDoS attack vectors, source: Prolexic Quarterly Global DDoS Attack Report Q3 2013. Infrastructure-layer attacks were 76.52% of the total; by vector: UDP fragment 17.11%, SYN 14.56%, UDP floods 13.15%, ICMP 9.71%, DNS 9.58%, CHARGEN 6.39%, ACK 2.81%, RESET 1.4%, FIN PUSH 1.28%, SYN PUSH 0.38%, RP 0.26%, TCP fragment 0.13%]

  10. The Solution - Infoblox Advanced DNS Protection Unique Detection and Mitigation • Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling • Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests Centralized Visibility • Centralized view of all attacks happening across the network through detailed reports • Intelligence needed to take action Ongoing Protection Against Evolving Threats • Regular automatic threat-rule updates based on threat analysis and research • Helps mitigate attacks sooner vs. waiting for patch updates

  11. Fully Integrated into Infoblox Grid. [Diagram] An Infoblox threat-rule server delivers automatic updates to the Grid Master, which distributes the rules grid-wide to the Advanced DNS Protection members, both external authoritative and internal recursive. Those members pass legitimate traffic and block DNS attacks (reconnaissance, DNS exploits, amplification, cache poisoning) and send new data to the Reporting Server, which reports on attack types and severity.

  12. What Attacks do We Protect Against?
  • DNS reflection / DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
  • DNS amplification: using a specially crafted query to create an amplified response that floods the victim with traffic
  • DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
  • TCP/UDP/ICMP floods: denial of service at layer 3/4, bringing a network or service down by flooding it with large amounts of traffic
  • DNS cache poisoning: corruption of the DNS cache data with a rogue address
  • Protocol anomalies: causing the server to crash by sending malformed packets and queries
  • Reconnaissance: attempts by attackers to gather information on the network environment before launching a DDoS or other type of attack
  • DNS tunneling: tunneling of another protocol through DNS for data exfiltration
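The reflection and amplification entries above describe the attacker's leverage (a small spoofed query, a large answer sent to the victim). The example below, added here and not Infoblox code, shows the detection logic a resolver operator can run over a query log: it aggregates bytes in versus bytes out per client, flags clients whose profile is repeated high-gain answers, and chooses a mitigation. The log format and the addresses are constructed for this example, and the thresholds are assumptions to tune against real traffic.

```python
"""Spot DNS reflection/amplification abuse in a resolver's query log.

Added example, not Infoblox code. The log format (timestamp, client IP,
qname, qtype, query bytes, response bytes) is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Record types whose answers are large relative to the ~60-byte query and so
# are favoured for amplification (assumption: tune to what the zone serves).
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


@dataclass
class ClientStats:
    queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0
    amplifying_queries: int = 0
    qnames: set = field(default_factory=set)


# Constructed sample log. 203.0.113.7 is the address being reflected on to:
# it appears to send repeated ANY queries answered with ~50x amplification;
# 198.51.100.9 is an ordinary client.
SAMPLE_LOG = """\
1389000001 203.0.113.7 example.com ANY 64 3200
1389000001 203.0.113.7 example.com ANY 64 3200
1389000001 203.0.113.7 example.com ANY 64 3200
1389000002 203.0.113.7 isc.org ANY 60 3100
1389000002 198.51.100.9 www.example.com A 45 61
1389000003 198.51.100.9 mail.example.com MX 48 120
1389000003 203.0.113.7 example.com ANY 64 3200
"""


def parse_log(text):
    """Aggregate per-client byte counts; malformed lines are skipped."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, client, qname, qtype, qlen, rlen = parts
        s = stats[client]
        s.queries += 1
        s.query_bytes += int(qlen)
        s.response_bytes += int(rlen)
        if qtype.upper() in AMPLIFYING_QTYPES:
            s.amplifying_queries += 1
        s.qnames.add(qname.lower().rstrip("."))
    return dict(stats)


def amplification_factor(s):
    """Bytes sent back per byte received: the attacker's leverage."""
    return s.response_bytes / s.query_bytes if s.query_bytes else 0.0


def suspected_reflection(stats, min_factor=10.0, min_queries=3):
    """Clients whose profile matches reflection: repeated, high-gain answers.
    Returns {client: amplification factor rounded to one decimal}."""
    return {
        client: round(amplification_factor(s), 1)
        for client, s in stats.items()
        if s.queries >= min_queries
        and s.amplifying_queries >= min_queries
        and amplification_factor(s) >= min_factor
    }


def response_action(client, stats, findings=None):
    """Mitigation choice. The "client" of a reflection attack is a spoofed
    victim, so dropping it outright punishes the victim; answering with the TC
    bit set forces a TCP retry that a spoofer cannot complete (the approach DNS
    response rate limiting takes). Everyone else is answered normally."""
    findings = findings if findings is not None else suspected_reflection(stats)
    return "TRUNCATE" if client in findings else "ANSWER"


if __name__ == "__main__":
    st = parse_log(SAMPLE_LOG)
    for c, f in suspected_reflection(st).items():
        print(f"{c}: amplification x{f}, action={response_action(c, st)}")
```

Truncation rather than a hard drop is the point of the last function: a legitimate client behind the flagged address still gets an answer over TCP, while the reflected UDP flood loses its amplification.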

  13. Infoblox- Differentiation and Value

  14. Enterprise: External Authoritative and Internal Recursive. [Diagram] Protection against external cyber attacks and internal DNS attacks. Advanced DNS Protection members sit in the DMZ facing the Internet (passing legitimate traffic while blocking amplification, DNS tunneling, reconnaissance and exploits) and inside the intranet at the datacenter and campus/regional sites serving endpoints (passing legitimate traffic while blocking cache poisoning and amplification). The Grid Master and Grid Master Candidate run as an HA pair in the datacenter.

  15. Service Providers • Protection against attacks on caching servers • Authoritative DNS services • Platform: IB 4030

  16. APT / Malware

  17. Security Breaches Using Malware / APT – 2013 [Timeline chart, Q1 through Q4]

  18. Malware/APT Requires DNS. Every step of the malware life cycle relies on DNS and goes through the DNS server: Infection (query a malicious domain), Download (query the 'call home' server), Exfiltration (query the exfiltration destinations).

  19. Industry's First True DNS Security Solution. Infoblox DNS Firewall disrupts the communication of DNS-exploiting APT / malware (C&C and botnets). Preventive, timely and tunable: maximizes potency against APT / malware worldwide; leverages a high-quality DNS Firewall Subscription Service updated in near real time; disrupts malware communication and execution.

  20. Infoblox DNS Firewall – How Does it Work? (1) An infected mobile device is brought into the office; upon connection, the malware searches for and spreads to other devices on the network. (2) The malware makes a DNS query for a "bad" domain to find "home". (3) The DNS Firewall (Infoblox DDI with DNS Firewall) has the "bad" domain in its table and blocks the connection; the blocked attempt is sent to syslog. (4) The DNS server is continually updated by a live reputational data feed of malicious domains, reflecting the rapidly changing list. Infoblox Reporting provides the list of blocked attempts together with the querying device's IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease.
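The slide describes a policy lookup in front of recursion plus a syslog record enriched from DHCP. The example below, added here and not Infoblox code, models that with the suffix matching DNS Response Policy Zones apply to the query name (so a listed domain also covers its subdomains) and joins each hit to a lease table so the record names a device, not just an address. The feed entries, the lease table and the log line format are all constructed for this example.

```python
"""RPZ-style DNS firewall check with DHCP lease correlation.

Added example, not Infoblox code: the feed, the lease table and the syslog
line format are constructed for this example.
"""

# Constructed reputation feed: names to block. A real feed (for example an RPZ
# zone) also carries a per-entry action (NXDOMAIN, NODATA, drop, or a CNAME to
# a walled-garden host); here every hit answers NXDOMAIN.
MALICIOUS_DOMAINS = {"c2-callhome.example", "dropper.example"}

# Constructed DHCP lease table keyed by client IP: the data a DDI system holds
# that turns "some IP queried a bad name" into "this device, this user".
DHCP_LEASES = {
    "10.20.30.41": {"mac": "3c:22:fb:aa:bb:cc", "hostname": "jsmith-iphone",
                    "fingerprint": "Apple_iOS", "lease_end": "2014-01-15T17:00:00Z"},
    "10.20.30.42": {"mac": "00:1a:2b:cc:dd:ee", "hostname": "finance-pc07",
                    "fingerprint": "Windows_7", "lease_end": "2014-01-15T18:30:00Z"},
}


def matching_policy(qname, feed):
    """Return the feed entry covering qname, checking the name and then each
    of its parents, so 'www.c2-callhome.example' hits 'c2-callhome.example'
    while 'c2-callhome.example.attacker.test' (a different zone) does not."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def resolve(qname, client_ip, feed=MALICIOUS_DOMAINS, leases=DHCP_LEASES,
            log=None, ts="1970-01-01T00:00:00Z"):
    """Policy check before recursion. Returns (rcode, matched entry). On a hit
    it appends one syslog-style line to `log` carrying the lease details an
    analyst needs to locate the infected device. `ts` is passed in so the
    output is reproducible; a real server stamps the current time."""
    hit = matching_policy(qname, feed)
    if hit is None:
        return "NOERROR", None          # no policy: hand off to normal recursion
    lease = leases.get(client_ip, {})
    if log is not None:
        log.append(
            f"{ts} dns-firewall: BLOCKED qname={qname} rule={hit} "
            f"client={client_ip} mac={lease.get('mac', '?')} "
            f"host={lease.get('hostname', '?')} "
            f"fingerprint={lease.get('fingerprint', '?')}"
        )
    return "NXDOMAIN", hit


def infected_devices(log_lines):
    """Summarize blocked attempts per device (keyed by MAC, which survives a
    DHCP address change): the remediation list the slide's reporting produces."""
    devices = {}
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        key = fields.get("mac", "?")
        dev = devices.setdefault(key, {"host": fields.get("host"),
                                       "hits": 0, "rules": set()})
        dev["hits"] += 1
        dev["rules"].add(fields.get("rule"))
    return devices


if __name__ == "__main__":
    events = []
    resolve("www.c2-callhome.example", "10.20.30.41", log=events,
            ts="2014-01-15T09:00:00Z")
    resolve("dropper.example.", "10.20.30.42", log=events,
            ts="2014-01-15T09:05:00Z")
    for line in events:
        print(line)
    print(infected_devices(events))
```

The parent walk in matching_policy is what makes a single feed entry cover the per-victim subdomains malware often generates; the reverse case (a blocked name embedded under an attacker's own zone) is deliberately not matched, because that would let anyone poison the feed against unrelated names.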

  21. DNS Firewall – FireEye Adapter: How Does it Work? (1) A mobile device receives an infected URL or content, and the endpoint attempts to download the infected file. (2) FireEye NX detonates the traffic from the device, detects the advanced malware and determines the traffic is bad. (3) Via the FireEye Adapter, it provides the DNS Firewall with the domains and IP addresses the .exe / URL is trying to connect to. (4) When the bad .exe or malware starts to communicate or spread across the network, the DNS Firewall (Infoblox DDI with DNS Firewall) has already been updated and blocks the connection attempts to the domains / IP addresses provided by FireEye NX; the blocked attempt is sent to syslog. Infoblox Reporting provides the list of blocked attempts together with the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease.

  22. What Protection does DNS Firewall Provide?
  • DGA: domain generation algorithm malware that randomly generates domains to connect to malicious networks or botnets
  • Fast flux: rapid changing of the domains and IP addresses behind malicious domains to obfuscate identity and location
  • APT / malware (FireEye): malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack
  • DNS hijacking: hijacking DNS registries and redirecting users to malicious domains
  • Geo-blocking: blocking access to geographies that have high rates of malicious domains, or that are under economic sanctions by the US Government
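The first two categories above, DGA and fast flux, are the ones a feed provider has to find by analysis rather than by receiving a report, so the heuristics behind them are worth seeing. The example below is added here and is not Infoblox code: it scores a name for DGA-like structure (length, entropy, vowel ratio, consonant runs) and flags fast-flux hosting from resolution observations (many addresses across several netblocks at short TTLs). The domain names, the observation records and every threshold are constructed for this example; a production detector tunes them against labelled traffic and uses the public suffix list and ASN data where this code uses simplifications.

```python
"""Heuristics behind two DNS Firewall categories: DGA-looking names and
fast-flux hosting. Added example, not Infoblox code; thresholds and sample
data are constructed and would be tuned against real traffic.
"""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable_label(domain):
    """Second-level label. Simplification: a real implementation uses the
    public suffix list so 'example.co.uk' yields 'example', not 'co'."""
    labels = domain.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(domain):
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run, run = 0, 0
    for c in label:                      # consonant runs humans rarely produce
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest_run = max(longest_run, run)
    return {"length": len(label), "entropy": round(shannon_entropy(label), 2),
            "vowel_ratio": round(vowel_ratio, 2), "consonant_run": longest_run}


def looks_like_dga(domain):
    """Constructed rule: long label with almost no vowels or an unpronounceable
    consonant run. Short brand names never trigger it; the cost of that choice
    is missing DGAs built from dictionary words, which need a different model."""
    f = dga_features(domain)
    return f["length"] >= 10 and (f["vowel_ratio"] < 0.2 or f["consonant_run"] >= 6)


# Constructed resolution observations (domain, answer IP, TTL) over one window.
OBSERVATIONS = [
    ("flux-shop.example", "198.51.100.17", 60),
    ("flux-shop.example", "203.0.113.88", 60),
    ("flux-shop.example", "192.0.2.201", 60),
    ("flux-shop.example", "198.51.100.250", 60),
    ("flux-shop.example", "203.0.113.5", 60),
    ("flux-shop.example", "192.0.2.9", 60),
    ("www.example.com", "93.184.216.34", 3600),
    ("www.example.com", "93.184.216.34", 3600),
]


def fast_flux_candidates(observations, min_ips=5, min_prefixes=3, max_ttl=300):
    """Names answered with many distinct addresses, spread over several
    netblocks, at short TTLs: the signature of a rotating proxy pool. /24
    prefixes stand in for the ASN diversity a real detector would score."""
    by_name = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for name, ip, ttl in observations:
        d = by_name[name.lower().rstrip(".")]
        d["ips"].add(ip)
        d["prefixes"].add(ip.rsplit(".", 1)[0])
        d["ttls"].append(ttl)
    return sorted(name for name, d in by_name.items()
                  if len(d["ips"]) >= min_ips
                  and len(d["prefixes"]) >= min_prefixes
                  and max(d["ttls"]) <= max_ttl)


if __name__ == "__main__":
    for name in ("google.com", "xkqjzrtpvbwmqlfn.com", "ndevbaptfmgfydwg.org"):
        print(name, looks_like_dga(name), dga_features(name))
    print(fast_flux_candidates(OBSERVATIONS))
```

A CDN also answers with many addresses, which is why the prefix-diversity and TTL conditions are combined rather than used alone: CDN pools typically sit in a few well-known netblocks, and a name that only trips the address count is a candidate for review, not a block.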

  23. Anatomy of an Attack: Cryptolocker "Ransomware" • Targets Windows-based computers • Arrives as an attachment to a legitimate-looking email • Upon infection, encrypts files on the local hard drive and on mapped network drives • Ransom: 72 hours to pay US$300 • Fail to pay and the decryption key is deleted and the data is gone for good • Once the executable has started, the only way to stop it is to block its outbound connection to the encryption-key server, which it must reach before it can encrypt anything • Infoblox DNS Firewall blocks all connections to Cryptolocker domains

  24. Cryptolocker Timeline and Infoblox Response. Infoblox DNS Firewall protects against Cryptolocker malware. (1) September 13 – trial run: initial roll-out of Cryptolocker with limited distribution and payment testing. (2) October 8 – full distribution via "pay per infection". (3) October 18 – Cryptolocker behaviour fully characterized; the Infoblox malware data feed (DNS Firewall Subscription) updated with domains and IP addresses; customers protected. (4) Infoblox DDI with DNS Firewall now blocks the Cryptolocker encryption servers, and DNS Firewall logs every attempted connection to Cryptolocker servers to syslog, complete with IP and MAC addresses and device type, to drive remediation. Infoblox DNS Firewall geo-blocking delivered zero-day protection against Cryptolocker by blocking Eastern European domains.

  25. Summary • Unprotected DNS infrastructure introduces security risks • Advanced DNS Protection protects against DNS-based attacks such as DDoS, cache poisoning, malformed packets and tunneling • APT / malware exploit DNS to get around traditional security infrastructure • DNS Firewall and the FireEye Adapter disrupt malware's use of DNS and pinpoint the infected device (using Infoblox DDI) to drive faster remediation

  26. Q&A

  27. Thank you! For more information