
Accumuli Security - Head Office Tuscany House, White Hart Lane, Basingstoke, Hampshire, RG21 4AF, UK Tel: +44 (0) 1256 303 700 Fax: +44 (0) 1256 303 701 Web: www.accumuli.com Email: [email protected]

Traditional methods of reporting DNS and DHCP activity have involved collecting numerous large log files and required using various scripts to interpret them. With the increasing use of Security Information and Event Management (SIEM) products, the collection of DNS and DHCP activity is becoming more important in order to complement other network information and satisfy compliance and auditing requirements.

DDAM has the capability to collect DNS and DHCP activity, using agent-based or agent-less methods, and upload this information via industry standard FTP/SFTP protocols into a third party SIEM product. This data can complement other network related information to help provide an audit trail of activity.

DNS and DHCP administrators can also use the collected data to report and analyze DNS and DHCP traffic via a simple web-based GUI, rather than having to gain access to a corporate-wide SIEM product administered by a different team.

Simplify your DDI (DNS, DHCP & IPAM) infrastructure with DDAM.

Benefits

• Report and identify abusive network devices
• Immediate notification of DNS Server issues
• Monitor, measure and rebalance DNS and DHCP services
• Reduce costs and optimize both administrator time and labour
• Have confidence in change management
• Alert on the rising edge of DoS attacks
• Identify potentially unauthorized devices
• Feed DNS and DHCP activity from different vendors and platforms into the security teams’ SIEM system
• Identify client’s Switch Port and VLAN connection

DNS and DHCP administrators may wish to identify rogue clients, misconfigured applications, or identify clients utilizing a particular DNS/DHCP server e.g. for decommissioning purposes. In addition, alerts can be configured so that specific events are escalated immediately to the relevant staff.

Figure 1: DDAM/DDI Integration Architecture

DDAM - DNS & DHCP Activity Monitor v2.1

version: 2.1


DDAM can be agent-less or agent-based

An agent-based solution requires a collector to be installed on each DNS/DHCP server that is to be monitored. The agent performs packet capture at the protocol level, so it does not matter what type of DNS or DHCP server is used. No further configuration of the DNS or DHCP server that might impact performance is required, i.e. there is no need to enable query logging.

If DNS and DHCP appliances that do not allow additional software to be installed are being used, e.g. Infoblox, then an agent-less solution is required. Monitoring is achieved by redirecting DNS query logs and DHCP lease messages, via syslog, to a remote server on which a DDAM collector is installed. The remote collector then processes the syslog traffic sent from the DNS and DHCP servers.

Figure: Agent-less collection via syslog; agent-based collectors installed on the DNS/DHCP servers

Page 2 of 4

DDAM for the IT and Security Professional

DDAM provides features that both security and IT professionals will find invaluable:

For the Security professional:

• Ensure DDI is part of the regulatory compliance framework, e.g. guarantee that all DNS queries and DHCP transactions are captured and stored for a minimum period of time.

• Utilize DNS/DHCP activity logs to assist with forensic analysis of suspicious activity.

• Forward DNS/DHCP activity to a SIEM product, so that different sources of information can be correlated to assist with security auditing and reporting.

For the IT professional:

• Provide visibility of DNS/DHCP activity.

• Utilize built-in reports to perform specific tasks, e.g.:

  • Find out which clients are sending queries for an application that is to be decommissioned.

  • Find out which clients are sending queries to a particular DNS server.

  • Find out which DNS lookups are the most common.

  • Find out which domain names are the least queried.

• Receive alerts when abnormal activity is detected.


DDAM provides a number of built-in reports and alerts*

Reports can be exported in PDF, CSV and PNG formats. Alerts can be generated via SNMP or SMTP.

System Requirements

The central DDAM server and collector agents are supported on the following platforms:

• Windows 2000, 2003 and 2008

• Solaris 8, 9 and 10

• Red Hat Linux RHEL3, RHEL4 and RHEL5

• n3k runIP appliance v2.0, v2.1, v2.2 and v2.3

Intuitive user interface

DDAM provides an intuitive user interface with sortable columns and filters to help make sense of the data. Filters can be combined to reduce the amount of data being displayed.

DHCP Reports

• DHCP Lease Rate
• DHCP Packets by Type
• DHCP Scopes not used
• DHCP Subnets not used
• Top DHCP Clients

DNS Reports

• DNS Queries by Type
• DNS Query Rate
• DNS Domains Not Queried
• DNS Resource Records not Queried
• Top DNS Clients
• Top DNS Clients Querying a Domain
• Top DNS Domains
• Top DNS Queries

DHCP Alerts

• DHCP MAC Watch
• Abnormal DHCP Packet Rate

DNS Alerts

• Abnormal DNS Query Rate
• DNS Query Watch
• DNS RCODE watch

* reports and alerts are subject to change
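As an added example (not DDAM's code or the document's own), the following Python shows how several of the reports and alerts listed above can be derived from syslog-forwarded DNS query logs and DHCP lease messages, as in the agent-less collection described on page 2. The record formats and sample records are constructed assumptions modelled on BIND-style query logs and ISC dhcpd-style lease messages; a real collector would parse whatever its servers emit.

```python
import re
from collections import Counter, defaultdict
# Constructed sample syslog records as (seconds, message) in BIND-style
# query-log and ISC-dhcpd-style lease syntax. These formats are assumed for
# illustration only; they are not DDAM's own input format.
RECORDS = [
    (0, "client 10.0.0.5#53412: query: www.example.com IN A +"),
    (1, "client 10.0.0.7#40001: query: mail.example.com IN MX +"),
    (2, "DHCPACK on 10.0.0.9 to 00:11:22:33:44:55 via eth0"),
    (3, "client 10.0.0.5#53413: query: www.example.com IN AAAA +"),
    (4, "client 10.0.0.5#53414: query: old-app.example.com IN A +"),
    (5, "client 10.0.0.5#53415: query: old-app.example.com IN A +"),
    (6, "DHCPREQUEST for 10.0.0.9 from 00:11:22:33:44:55 via eth0"),
    (7, "client 10.0.0.8#51000: query: old-app.example.com IN A +"),
]
DNS_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")
DHCP_RE = re.compile(r"DHCP(ACK|REQUEST) (?:on|for) (\S+) (?:to|from) ([0-9a-f:]{17})")

def dns_queries_by_type(records):
    """'DNS Queries by Type' report: number of queries per record type."""
    return Counter(m.group(3) for _, msg in records if (m := DNS_RE.search(msg)))

def clients_querying(records, domain):
    """'Top DNS Clients Querying a Domain' report, e.g. before decommissioning."""
    hits = Counter(m.group(1) for _, msg in records
                   if (m := DNS_RE.search(msg)) and m.group(2) == domain)
    return hits.most_common()

def abnormal_query_rate(records, window, threshold):
    """'Abnormal DNS Query Rate' alert: > threshold queries in any window-second span."""
    times = defaultdict(list)
    for ts, msg in records:
        if m := DNS_RE.search(msg):
            times[m.group(1)].append(ts)
    alerts = []
    for client, stamps in times.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                alerts.append(client)
                break
    return alerts

def dhcp_mac_watch(records, watched):
    """'DHCP MAC Watch' alert: every DHCP message involving a watched MAC."""
    return [(ts, m.group(1), m.group(2), m.group(3)) for ts, msg in records
            if (m := DHCP_RE.search(msg)) and m.group(3).lower() in watched]
```

The rate check uses a sliding window so that a client that bursts just inside a window boundary is still caught; the same per-client bucketing can be reused for the DHCP packet-rate alert.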

“DNS Queries by Type” Built-in Report

Filters can be used to Search for Data

Page 3 of 4

Locating a Client by MAC address using a right click Menu

Identify a client’s network location

DDAM can integrate with porttracker or Infoblox PortIQ appliances to help locate a device on the network. For example, if DDAM has identified a client that is continuously requesting DHCP leases, the “Locate Client by MAC” feature can be used to find out which switch, port and VLAN the device is connected to.

An administrator could then log into the switch and disable the switch port. This information is obtained from a porttracker or PortIQ appliance via an API call. A similar feature can be used to locate a client by its IP address, e.g. when a DNS client needs to be located.


Head Office: Tuscany House, White Hart Lane, Basingstoke, Hampshire, RG21 4AF

Tel: +44 (0) 1256 303 700 Web: www.accumuli.com

Leeds Office: 5 Beaconsfield Court, Garforth, Leeds, LS25 1QH

Tel: +44 (0) 113 232 2330 Email: [email protected]

Figure: Accumuli Security model diagram (labels: Control, Secure, Manage; Client, Server). Maintain the integrity of corporate security policies outside the enterprise network. Layered security to protect corporate applications & data. Structured management of devices and resources. Inbound Threats = Protection and Prevention. Outbound Enforcement = Compliancy and Control.

About Accumuli Security

At Accumuli Security we ensure that our users and their data are Secured, Managed and Controlled.

Accumuli provides multi-layered security services that protect customers’ networks and their users from targeted assaults on resources and data. Using leading-edge technologies, we have created solutions that can identify irregular patterns that lead to disruption and financial loss. We deliver a full range of capabilities that ensure the successful deployment of advanced security solutions, from inception to a fully managed support service.

With the proliferation of access points and devices, Accumuli Security brings together an “End to End Protection” to offer layered security services.

At Accumuli, not only can we provide the Solutions and Services to support requirements, we can also provide a fully Managed Service. To discuss this further please contact us.

The Accumuli Effect

The Accumuli Difference

Page 4 of 4
