Date post: 23-May-2018

1 | © 2015 Infoblox Inc. All Rights Reserved.

Proteggere il DNS per maggiore sicurezza e minori rischi

Gianluca Silvestri System Engineer, Exclusive Networks Italy

2 | © 2015 Infoblox Inc. All Rights Reserved.

Who is Infoblox…

and what do they do?

3 | © 2015 Infoblox Inc. All Rights Reserved.

Infoblox Overview and Business Update


Founded in 1999

Headquartered in Santa Clara, CA, with global operations in 25 countries

Market leadership

• DDI Market Leader (Gartner)

• 50% DDI Market Share (IDC)

7,900+ customers

85,000+ systems shipped to 100 countries

53 patents, 30 pending

IPO April 2012: NYSE BLOX

Leader in technology for network control

Total Revenue ($MM, Fiscal Year Ending July 31):

FY2007: $35.0

FY2008: $56.0

FY2009: $61.7

FY2010: $102.2

FY2011: $132.8

FY2012: $169.2

FY2013: $225.0

FY2014: $250.3

DNS – Domain Name System

DHCP – Dynamic Host Configuration Protocol

IPAM – IP Address Management

DDI

Current Customer Network Landscape

[Diagram; labels recovered from the slide:]

CONTROL PLANE / AUTOMATION / INFRASTRUCTURE

END POINTS, VIRTUAL MACHINES, PRIVATE CLOUD, APPLICATIONS

Complexity, Risk & Cost; Agility, Flexibility

QIP, MICROSOFT DHCP, MICROSOFT DNS, VMWARE DNS, UNIX BIND, SCRIPTS, COMMAND LINE

FIREWALLS, SWITCHES, ROUTERS, HYPERVISORS, LOAD BALANCERS


Discover

Automate

Manage

Control

Infrastructure Security With Infoblox

Historical / Real-time Reporting & Control

[Diagram; labels recovered from the slide:]

AUTOMATION / CONTROL PLANE / INFRASTRUCTURE

END POINTS, VIRTUAL MACHINES, PRIVATE CLOUD, APPLICATIONS

Infoblox Grid™ w/ Real-time Network Database

FIREWALLS, SWITCHES, ROUTERS, HYPERVISORS, LOAD BALANCERS

Market Drivers For DNS, DHCP and IPAM

IP Devices – Remember When?


What About Today?

4 – 7 IPs are consumed by every employee at work

SDN

37% of companies are managing > 50,000 IPs


Customers Need Commercial Grade IPAM…

X NOT THIS!


The Use Case for Commercial Grade IPAM

• How do you detect changes?

• What’s the impact of an outage?

• How do you automate ?

• Virtual and cloud networks?

Mobility and IP device growth

IPv6 and DNSSEC

Data center virtualization

• How do you handle audits?

No centralized reporting

No historical trending

No effective audit prep

What are the challenges of Legacy “IPAM”?

IPAM with Infoblox

Infoblox IPAM in “IP Mapping” Mode

IPAM Discovery Information

Detailed view of what’s using that IP

Discovers virtual and physical devices

Search by any field on one or more criteria

Save criteria information to a Smart Folder

• Create custom smart folder of networks and other attributes

• Results updated automatically with any network changes

Dynamic Host Configuration Protocol (DHCP)


What is DHCP?

• What is it?

Dynamic Host Configuration Protocol

Dynamically provides IP addresses to devices

• What is it equivalent to?

Borrowing a book from a Library

Or renting a car…

• Who and what needs it?

Laptops & Desktops

Virtual Servers (and sometimes physical)

Non-shared devices (mobile)

Any LAN or WAN device/server

• Performance measured in “Leases per second”


Detect, secure, enforce policy

• Visibility to BYOD device types

• Enforce connectivity by device type

• Enforce corporate device use policy

• Block selected OSs

• Focused DHCP reporting

• Lease history w/ DHCP fingerprint data

• Number of device operating systems

• Device OS trend

Infoblox Offers Device Fingerprinting

Domain Name System (DNS)

What is DNS?

What is it?

Domain Name System

Connects devices to Internet

What is it Equivalent to?

Phone book for the internet

What is an Example?

google.com

infoblox.com 205.234.19.21

Who and what needs it?

Web Browsing

Microsoft Active Directory

Everything!

Performance measured in “Queries per second”


// Filename: /etc/named.conf

options {
    directory "/etc/domain";
};

//----------------------------------------------------------------------

zone "." {
    type hint;
    file "named.root";    // This file should be picked up from
};                        // ftp://ftp.rs.internic.net/domain/named.root

zone "localhost" {
    type master;
    file "localhost";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
};

zone "company.xy" {       // The file "company.xy" should reside in
    type master;          // the /etc/domain/ directory, and you
    file "company.xy";    // have to create it yourself.
};

Infoblox GUI/Wizard or BIND CLI (Command Line Interface)

DNS Use Case – Centralization and OPEX

DNS Use Case - Performance

Is Your Customer’s DNS Service Secure?

DNS is Now the #2 Attack Vector Protocol

Source: Arbor Networks

DNS: 8.94%

67% of all known attack vectors were DNS based

46% of large companies have experienced a DNS attack

76% of those reported a DDoS attack on DNS servers

Why is DNS an Ideal Target?

DNS is the cornerstone of the Internet

DNS traffic has been increasing by 95% annually since 2012!

DNS protocol is easy to exploit.

DNS has been around for over 30 years!

DNS Outage = Business Down Time

Traditional protection is ineffective against evolving DNS threats

Companies are at risk of sensitive data loss!

DNS Firewall


APTs: The New Threat Landscape

• Malicious traffic is visible on 100% of corporate networks [1]

• Every 1 minute, a bot communicates with its command and control center [2]

• Malicious attacks can take an average of 256 days to identify [3]

• Average total cost of data breach is $3.8 million, intangible loss higher [3]

• APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data

Sources: [1] Cisco 2014 Annual Security Report; [2] Check Point 2015 Security Report; [3] The Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis

Malware/APT Trends

• 100% of companies are calling malicious malware hosts*

• Point solutions fail because malware is sophisticated

Multiprotocol

Multiple connections

“Encrypted,” which means deep-packet inspection is ineffective

* Source: Cisco 2014 Annual Security Report


DNS Tunneling

• Uses DNS as a covert communication channel to bypass firewalls

• Attacker tunnels other protocols like SSH, TCP, or web within DNS

• Enables attackers to easily pass stolen data or tunnel IP traffic without detection

• A DNS tunnel can be used as a full remote-control channel for a compromised internal host

Impact:

• Data exfiltration or malware insertion can happen through the tunnel

[Diagram labels: ENTERPRISE (Client-side tunnel program) → Encoded IP in DNS queries → INTERNET (DNS terminal server) → IP traffic → Internet]

Malware Examples

CryptoLocker

• Targets Windows-based computers in form of email attachment

• Upon infection, encrypts files on local hard drive and mapped network drives

• If ransom isn’t paid, encryption key deleted and data irretrievable

Gameover Zeus (GOZ)

• 500,000 – 1M infections globally and 100s of millions of dollars stolen

• Uses P2P communication to control infected devices or botnet

• Takes control of private online transactions and diverts funds to criminal accounts

Malware Steals File Containing Sensitive Data

Data Exfiltration over DNS Queries

• Infected endpoint gets access to file containing sensitive data

• It encrypts and converts info into encoded format

• Text broken into chunks and sent via DNS using hostname.subdomain or TXT records

• Exfiltrated data reconstructed at the other end

• Can use spoofed addresses to avoid detection

[Diagram labels: ENTERPRISE (Infected endpoint, DNS server) → INTERNET → Attacker controller server thief.com (C&C); arrows: Data out, C&C commands back]

Example query names carrying the stolen fields:

NameMarySmith.foo.thief.com

MRN100045429886.foo.thief.com

DOB10191952.foo.thief.com

Infoblox Solution


Infoblox Security Approach

Visibility

See attacks, infections, and data-exfiltration attempts in the network

Protection

Protect infrastructure and data from attacks and malicious agents

Response

Enable rapid response by providing contextual information on infections

• Deep inspection of DNS traffic to drop attacks and block data exfiltration through DNS tunneling

• Adaptive APT/malware protection to stop propagation of malware and prevent infected devices from stealing data

• Automated threat intelligence feed to provide ongoing protection against new attacks, APTs, and malware

• Comprehensive DNS security without the need for endpoint agents

• Hardware accelerated DNS DDOS mitigation maintains system integrity under attack

The Solution: Infoblox Internal DNS Security

Internal DNS Security

[Diagram labels: INTERNET / ENTERPRISE; Infoblox Automated Threat Intelligence Service; Firewall; Infoblox Internal DNS Security]

Attacker, Thief, Badsite1.com, Good.com

Badsite1.com, Badsite2.com, Badsite3.com

SSN:123456789.foo.thief.com, DOB-01012001.foo.thief.com

Updates for DNS attacks and malicious domains

Legitimate query

DNS DDoS attacks detected and dropped

Data exfiltration detected and dropped

Malware site blocked

Protection Against APTs/Malware

An infected device brought into the office. Malware spreads to other devices on network.

1. Malware makes a DNS query to find “home” (botnet / C&C). DNS Firewall looks at the DNS response and takes admin-defined action (disallows communication to malware site or redirects traffic to a landing page or “walled garden” site).

2. Pinpoint. Infoblox Reporting lists DNS Firewall action as well as the:

• Device IP address

• Device MAC address

• Device type (DHCP fingerprint)

• Device host name

• Device lease history

3. An update will occur every 2 hours (or more often for significant threat).

4. Additional threat intelligence from sources outside Infoblox can also be used by DNS Firewall (e.g. FireEye).

[Diagram labels: INTERNET / INTRANET; Malware/APT; Infoblox Internal DNS Security; FireEye detonates and detects APT-based malware; Malicious Domains; Infoblox threat update device (IPs, domains, etc. of bad servers); Blocked communication attempt sent to Syslog; Malware/APT spreads within network, calls home]

Types of APT/Malware Blocked

Fast flux: Rapid changing of domains and IP addresses by malicious domains to obfuscate ID and location

DGA: Malware that randomly generates domains to connect to malicious networks or botnets

APT: Malware designed to spread, morph, and hide within IT infrastructure to perpetrate long-term attack

Geo-Based: Can block access to geos with many malicious domains or that have economic sanctions by governance

Protection Against Data Exfiltration via DNS Tunnel

• Focuses on large size requests and responses

• Detects too-many, too-large requests in a given timeframe

• Drops beyond these thresholds

• Signatures are used to detect well known tunneling tools
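The threshold approach on this slide (too many and too large requests in a given timeframe) applied to the exfiltration pattern shown earlier (record fields encoded as labels under foo.thief.com), as an added Python example that is not part of the deck or of any Infoblox product: it parses a constructed query log, counts queries and query-name bytes per client inside a time window, and flags oversized labels. The log format, the thresholds and the sample data are assumptions.

```python
from collections import defaultdict

# Constructed sample query log (not from the deck): "<epoch> <client> <qtype> <qname>".
# 10.0.0.7 pushes encoded record fields under foo.thief.com, the deck's example
# exfiltration domain; 10.0.0.5 is ordinary browsing traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 A www.good.com
1000 10.0.0.7 TXT NameMarySmith.foo.thief.com
1001 10.0.0.7 TXT MRN100045429886.foo.thief.com
1002 10.0.0.7 TXT DOB10191952.foo.thief.com
1003 10.0.0.5 A mail.good.com
1004 10.0.0.7 TXT 4a6f686e446f6531393731.foo.thief.com
1005 10.0.0.7 TXT 53534e3132333435363738393a4d617279.foo.thief.com
1006 10.0.0.7 TXT 5a49503934303433.foo.thief.com
"""

# Illustrative thresholds (assumptions); real values come from a baseline of normal traffic.
WINDOW_SECONDS = 60               # the "given timeframe"
MAX_QUERIES_PER_WINDOW = 5        # "too many" requests per client
MAX_QNAME_BYTES_PER_WINDOW = 150  # "too large" requests, summed over the window
MAX_LABEL_LENGTH = 30             # a single label long enough to carry an encoded chunk

def parse_log(text):
    """Yield (timestamp, client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            yield int(ts), client, qtype, qname

def tunnel_indicators(text, window=WINDOW_SECONDS):
    """Return {client: sorted reasons} for clients whose DNS traffic looks like a tunnel.
    For every query a client sends, the window starting at that query is checked for
    query count and query-name bytes; any over-long label is flagged separately."""
    per_client = defaultdict(list)
    for ts, client, _qtype, qname in parse_log(text):
        per_client[client].append((ts, qname))
    findings = {}
    for client, events in per_client.items():
        events.sort()
        reasons = set()
        for i, (start, _) in enumerate(events):
            in_window = [q for t, q in events[i:] if t - start < window]
            if len(in_window) > MAX_QUERIES_PER_WINDOW:
                reasons.add("too many queries in window")
            if sum(len(q) for q in in_window) > MAX_QNAME_BYTES_PER_WINDOW:
                reasons.add("too many query bytes in window")
        if any(len(label) > MAX_LABEL_LENGTH
               for _, q in events for label in q.split(".")):
            reasons.add("oversized label")
        if reasons:
            findings[client] = sorted(reasons)
    return findings
```

Legitimate clients that query many short names (an AD domain controller, a mail relay) will trip the count threshold unless it is tuned from a baseline, which is why the slide pairs thresholds with signatures for known tunnelling tools.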


Intelligence Needed to Take Action

Contextual Reporting

• Attack details by category, member, rule, severity, and time

• Drill-down analytics and visualization of entire network

• List of top infected clients with associated user names (enabled by Microsoft AD integration)

• CISO/Executive report with top APT/malware threats


Infoblox Complements Other Solutions

Solution / Focus / How Infoblox complements each solution

Next-generation firewall

Focus: Perimeter protection from network and application threats; usually allows DNS traffic

Infoblox complements:

• DNS threat intelligence feed offers defense-in-depth protection against APT/malware-based communications to C&C servers

• Because of its unique position in the network, can more easily identify and protect against advanced DNS evasion techniques like Fast Flux and DGAs

IDS/IPS

Focus: Anomaly detection and heuristics to detect and block malware

Infoblox complements:

• Identifies and protects against advanced DNS evasion techniques like Fast Flux and DGAs

• Detects attacks disguised within encrypted communications

• Identifies infected endpoints based on user ID, IP address, MAC address

Web proxy/gateway

Focus: Filtering of unwanted software and malware from internal user-initiated web/Internet traffic

Infoblox complements:

• Detects malware within multiple types of traffic, not just Web

• Identifies and protects against advanced DNS evasion techniques like Fast Flux and DGAs

• Identifies infected endpoints based on user ID, IP address, MAC address and other unique identifiers

Anti-malware

Focus: Protecting the endpoint against viruses, worms and other malware by means of signatures

Infoblox complements:

• Provides defense-in-depth by stopping a broad set of malware

• Provides easy coverage for endpoints that can’t or don’t have endpoint agents installed

• Identifies infected endpoints based on user ID, IP address, MAC address

Key Benefits of Infoblox DNS Firewall

• Proactive detection and mitigation of APT/malware threats

• FireEye integration for DNS level APT disruption

• Help prevent data exfiltration

• Pinpointing infected devices

• Threat severity and impact data

• Contextual reporting, alerts, and incident notification

• Automated threat-update service

• No downtime/patching

• Scalable protection

PROACTIVE INSIGHTFUL ADAPTABLE

Malware Assessment Program (MAP)

Send Us Your PCAP Files

• Infoblox analyzes and provides insights on malicious activity in seconds

• Report on findings to take back to management


Purpose of the program

• The purpose of the Malware Assessment Program (MAP) is to inform your customers, prospective and existing, of the malware present within their environment by providing them with a detailed report on their infrastructure.

• This report will show the queries sent through their DNS servers to known dangerous sites or addresses, and will show the customer how to protect against malware by integrating their current security infrastructure with Infoblox DNS Firewall™.

• Infoblox will provide the information needed to make your customers, prospective and existing, aware of the risks within their environments; the goal is to have them perform a packet capture (PCAP) so that we can identify the malicious traffic within their environment.

How to perform a packet capture (PCAP)

• A packet capture helps us identify malware communication over DNS with known malicious locations.

• To capture the traffic, the internal DNS server in your customer's environment must be identified. The customer should then be asked to perform a 15-20 minute packet capture of inbound and outbound traffic on the DNS server. If the customer is able to, ask that the capture be filtered to DNS-based traffic only.

• You can save and upload the packet capture to the Infoblox online storage folder at the following link: https://infoblox.box.com/s/q8r0a37jgq5is6rcw6kpiffe26hp1hbi

What we offer you in return

• Infoblox will take the packet capture and replay it against our RPZ feed to find the traffic details relating to malware that is trying to contact known dangerous sites by IP address or DNS name.

• We will generate a customised report that identifies the type of malware associated with the malicious query and classifies its threat level. This report can be passed on to your customer to determine the next steps.

What's in it for you?

• You will become the trusted, competent point of reference for all your customers who have this kind of problem.

• You will increase your sales opportunities against your customers' security budget.

• A $250 gift card for every approved PCAP!!!

• The request must be submitted through Partner Central and approved by Infoblox. The customer's information will be entered in the request form. Contact your sales representative for any information.

Thank You

