TRANSCRIPT
© 2013 Infoblox Inc. All Rights Reserved.
Tim Connelly, Manager, Systems Engineering
Expanding Your Network Security
What We Do: Innovative Technology for Network Control
[Figure: three layers of the Infoblox architecture]
• Apps & End-points: end points, virtual machines, private cloud, applications. Essential network control functions: DNS, DHCP, IPAM (DDI).
• Network Infrastructure: firewalls, switches, routers, web proxy, load balancers. Discovery, real-time configuration & change, compliance.
• Control Plane: Infoblox Grid™ with real-time network database. Historical / real-time reporting & control.
Trends Redefining Business Networks
• Threat landscape
• Mobile device explosion
• Virtualization / cloud
• Consolidation
• Software-defined networks
• IPv6 transition
Maintaining Security with Infoblox
• Enforce: Compliance & Policy Standardization
• Control: Firewall Rule & ACL Automation
• Secure: DNS, DHCP and IP Address Management
• Protect: Securing DNS
Securing DNS: Protect
Securing DNS: DNS Firewall
DNS-exploiting Malware
• Technology trends are accelerating the spread of this class of malware
• DNS-exploiting malware is the underpinning for a variety of attacks
• Professional attackers are successfully exploiting the largely unprotected DNS infrastructure
• This is a subset of the threats security experts call “Advanced Persistent Threat (APT)” or “Botnet” malware
Getting Around Traditional Defenses: Fast Flux – Rapid Change of IP Addresses – Requires DNS Query
• Security researchers discovered Fast Flux usage in November 2006
• Multiple nodes within the network register / de-register IP addresses as part of the DNS A (address) record list for a single DNS name. TTL = 5 minutes (300 sec)
• DNS queries are used to ‘find’ the C&C or botnet server(s).
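The fast-flux pattern described above is visible from the defender's side in a recursive resolver's answer log: one name whose A-record set keeps changing under a short TTL, with the addresses spread across many unrelated networks. The following added example (not Infoblox code, not from the slide deck) scores logged answers on exactly those signals. The `Answer` records, the thresholds and the sample data are constructed; the 300-second TTL is the figure from the slide.

```python
"""Fast-flux indicator over logged DNS answers (added example, not Infoblox code).

The slide describes fast flux as many nodes registering and de-registering
A records for one name under a TTL of about 300 s.  Seen from a resolver's
answer log, that looks like one qname whose answer set keeps changing across
many different networks.  Records, thresholds and sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Answer:
    ts: int          # when the resolver logged this response (seconds)
    qname: str       # name that was queried
    ttl: int         # TTL of the A records in the response
    addrs: tuple     # the A records returned by this one response


def fluxiness(answers, ttl_max=300, min_addrs=6, min_prefixes=3):
    """Score each qname and return only those that look like fast flux.

    A name is flagged when its lowest observed TTL is at most ttl_max AND it
    has answered with at least min_addrs distinct addresses spread over at
    least min_prefixes distinct /24 networks.  Short TTLs alone are normal
    (CDNs and load balancers use them), so the spread across networks is what
    separates flux from ordinary round-robin.
    """
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.qname.lower().rstrip(".")].append(a)

    flagged = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r.ts)
        seen = set()
        for r in rows:
            seen.update(r.addrs)
        prefixes = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in seen}
        ttl_min = min(r.ttl for r in rows)
        # churn: fraction of consecutive responses whose address set changed
        pairs = list(zip(rows, rows[1:]))
        changes = sum(set(a.addrs) != set(b.addrs) for a, b in pairs)
        churn = changes / len(pairs) if pairs else 0.0
        if ttl_min <= ttl_max and len(seen) >= min_addrs and len(prefixes) >= min_prefixes:
            flagged[name] = {
                "distinct_addrs": len(seen),
                "prefixes": len(prefixes),
                "ttl_min": ttl_min,
                "churn": churn,
            }
    return flagged


# Constructed sample: one fluxing name, one CDN-style name, one static name.
SAMPLE = [
    Answer(0,   "flux.example", 300, ("203.0.113.10", "198.51.100.7", "192.0.2.33")),
    Answer(300, "flux.example", 300, ("203.0.113.10", "198.51.100.44", "192.0.2.200")),
    Answer(600, "flux.example", 300, ("203.0.113.77", "198.51.100.44", "192.0.2.9")),
    Answer(900, "flux.example", 300, ("203.0.113.150", "198.51.100.120", "192.0.2.9")),
    # short TTL but every address sits in one /24: ordinary load balancing
    Answer(0,   "cdn.example", 60, ("203.0.113.20", "203.0.113.21")),
    Answer(60,  "cdn.example", 60, ("203.0.113.22", "203.0.113.23")),
    Answer(120, "cdn.example", 60, ("203.0.113.20", "203.0.113.21")),
    Answer(180, "cdn.example", 60, ("203.0.113.22", "203.0.113.23")),
    Answer(0,     "static.example", 86400, ("198.51.100.5",)),
    Answer(86400, "static.example", 86400, ("198.51.100.5",)),
]

if __name__ == "__main__":
    for name, score in fluxiness(SAMPLE).items():
        print(name, score)
```

The /24 spread is the deliberate part of the design: a low TTL by itself would flag every CDN-fronted site, so the check only fires when the answers also hop between networks, which is what a botnet of compromised home hosts looks like and a load-balanced web farm does not.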
Complement to Existing Security Defense in Depth…
• Traditional or Next Generation Firewall (e.g. Checkpoint, Juniper, Palo Alto, Imperva, Cisco, etc.)
• Anti-Virus (e.g. Symantec, McAfee, Webroot, Kaspersky, etc.)
• Email / Web Security (e.g. Blue Coat, McAfee, Websense)
• Advanced Persistent Threat (e.g. Damballa, FireEye)
• Security Information and Event Management (SIEM) (e.g. Trustwave, McAfee, Q1Labs)
Infoblox DNS Firewall
[Figure: an infected client behind an Infoblox DNS Firewall / recursive DNS server, with the reputational feed from Infoblox, a walled garden at garden.yourcompany.com, and Trinzic Reporting]
1. Dynamic policy update (reputational feed from Infoblox)
2. Dynamic Grid-wide policy distribution to each Infoblox DNS Firewall / recursive DNS server
3. Apply policy: the infected client queries badsite.com
4. Redirect to the walled garden (garden.yourcompany.com)
5. Block / disallow the session: the client cannot contact the botnet
6. Write to syslog and send to Trinzic Reporting
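The six-step flow above is, at its core, a policy lookup that runs before recursion. The following added example (my own illustration, not Infoblox code) shows that decision logic: a feed of listed zones is merged into the resolver's policy, a queried name is matched against it from most to least specific so that subdomains of a listed zone are caught, and the resolver either hands the client a CNAME to the walled garden, returns NXDOMAIN, or resolves normally, writing a syslog-style line either way. The names badsite.com and garden.yourcompany.com are the ones on the slide; the feed entries, client address and log format are constructed.

```python
"""Policy decision of a DNS firewall (added example, not Infoblox code).

Mirrors the six-step flow on the slide: a policy feed is loaded (1) and pushed
to every resolver (2); when a client queries a listed name the resolver applies
the policy (3), answers with the walled-garden host instead of the real address
(4) so the client never reaches the botnet (5), and writes a syslog-style line
for reporting (6).  The feed contents, client address and log format are
constructed; badsite.com and garden.yourcompany.com are the names on the slide.
"""

WALLED_GARDEN = "garden.yourcompany.com"

# Step 1: policy feed.  Action per zone: "redirect" sends the client to the
# walled garden, "block" returns NXDOMAIN.  A listed zone covers its subdomains.
POLICY = {
    "badsite.com": "redirect",
    "c2.example.net": "block",      # constructed entry
}


def update_policy(policy, feed_update):
    """Step 1/2: merge a feed update; a value of None removes an entry.
    Returns a new dict so each resolver can swap it in atomically."""
    merged = dict(policy)
    for zone, action in feed_update.items():
        if action is None:
            merged.pop(zone, None)
        else:
            merged[zone] = action
    return merged


def match_policy(qname, policy):
    """Walk the name from most to least specific; the first listed suffix wins."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return candidate, policy[candidate]
    return None, "resolve"


def answer_query(qname, client_ip, policy=POLICY):
    """Steps 3-6: return (rcode, rdata) and the log line the resolver would emit."""
    rule, action = match_policy(qname, policy)
    if action == "redirect":
        response = ("NOERROR", f"{qname} CNAME {WALLED_GARDEN}")
    elif action == "block":
        response = ("NXDOMAIN", None)
    else:
        response = ("RESOLVE", None)   # hand off to normal recursion
    log_line = (f"dns-firewall client={client_ip} qname={qname} "
                f"rule={rule or '-'} action={action}")
    return response, log_line


if __name__ == "__main__":
    policy = update_policy(POLICY, {"newbad.example": "redirect"})
    for q in ("www.badsite.com", "mail.c2.example.net", "example.com"):
        print(answer_query(q, "192.0.2.10", policy))
```

The suffix walk matters for the "apply policy" step: listing badsite.com has to catch www.badsite.com and any other label the malware prepends, and the log line carries the matched rule so the reporting side can attribute the redirect to a specific feed entry.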
Detailed Tracking and Reporting Options
• Automatic reporting
• Top infected clients
• Malicious requested domains and number of requests
• Lease history by MAC address with detailed drill down
• Security Policy Violations Report
Securing DNS: Advanced DNS Protection
The Problem
• DNS-based attacks are on the rise
• Traditional protection is ineffective against evolving threats
• A DNS outage causes network downtime, loss of revenue, and negative brand impact
• Unprotected DNS infrastructure introduces security risks
Why Is DNS an Ideal Attack Target?
• DNS is the cornerstone of the Internet, used by every business and government
• The DNS protocol is stateless and hence vulnerable
• DNS as a protocol is easy to exploit
• Maximum impact with minimum effort
2013 – DNS Threat Is Significant
• Attacks against DNS infrastructure are growing: DNS-specific attacks up 200% in 2012; ICMP, SYN and UDP attacks growing significantly too (Source: Arbor Networks)
[Chart, Source: Arbor Networks – share of attacks by vector protocol: HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VOIP 19%, IRC 11%, Other 7%. DNS is the #2 attack vector protocol.]
[Chart, Source: Prolexic Quarterly Global DDoS Attack Report Q3 2013 – infrastructure-layer attacks are 76.52% of the total, by type: SYN 18.16%, UDP floods 14.66%, UDP fragment 14.66%, ICMP 11.41%, DNS 8.94%, CHARGEN 3.37%, RESET 1.94%, ACK 1.69%, TCP fragment 0.65%, FIN PUSH 0.39%, RP 0.39%, RIP 0.13%, SYN PUSH 0.13%]
How DNS DDoS Is Becoming Easier
• Attack apps are being built
• DDoS attacks against major U.S. financial institutions
• Launching (DDoS) taking advantage of server bandwidth
• 4 types of DDoS attacks: DNS amplification, spoofed SYN, spoofed UDP, HTTP + proxy support
• Script offered for $800
The Solution – Infoblox Advanced DNS Protection
• Unique detection and mitigation: intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits and tunneling; mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests
• Centralized visibility: a centralized view of all attacks happening across the network through detailed reports; the intelligence needed to take action
• Ongoing protection against evolving threats: regular automatic threat-rule updates based on threat analysis and research; helps mitigate attacks sooner vs. waiting for patch updates
Solution Components
• Infoblox Advanced Appliance (PT-1400, PT-2200, PT-4000): a DNS appliance purpose-built with security in mind; enhanced processing and dedicated compute for threat mitigation
• Infoblox Advanced DNS Protection Service: DNS; Advanced DNS Protection activation; automatic updates for protection against new and evolving threats; support and maintenance
Note: Customers who have IB-4030 Rev2 need to purchase a separate Adv. DNS Protection license.
Fully Integrated into Infoblox Grid
[Figure: the Infoblox Threat-rule Server pushes automatic updates to the Grid Master, which performs Grid-wide rule distribution to the Infoblox Advanced DNS Protection members (external authoritative and internal recursive, both new). The members block DNS attacks (amplification, cache poisoning, reconnaissance, DNS exploits) while passing legitimate traffic, and send data for reports to the Reporting Server, which reports on attack types and severity.]
What Attacks Do We Protect Against?
• DNS reflection/DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
• DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
• DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
• TCP/UDP/ICMP floods: denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
• DNS cache poisoning: corruption of the DNS cache data with a rogue address
• Protocol anomalies: causing the server to crash by sending malformed packets and queries
• Reconnaissance: attempts by hackers to get information on the network environment before launching a DDoS or other attack
• DNS tunneling: tunneling of another protocol through DNS for data exfiltration
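Two of the attack classes listed above, amplification and UDP floods, leave cheap signals in a resolver's own query log: the byte ratio between a response and the query that elicited it, and the number of queries one source sends per short window. The following added example (my own code, not Infoblox's) triages a constructed log on both signals and applies a per-source sliding-window response limit, which is the standard response-rate-limiting mitigation for a server that would otherwise reflect large answers toward a spoofed source. The event format, sizes and thresholds are all constructed.

```python
"""Amplification and flood triage over a resolver's query log (added example,
not Infoblox code).

The slide lists DNS amplification (a small query that elicits a large response)
and UDP floods.  Two cheap signals catch both at the resolver: the byte ratio
between a response and the query that caused it, and the number of queries a
single source sends per sliding window.  Sources over the rate limit get their
responses dropped, the classic response-rate-limiting mitigation.  Log events,
sizes and thresholds are all constructed.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most max_per_window events per source in any window_s seconds."""

    def __init__(self, max_per_window, window_s=1.0):
        self.max = max_per_window
        self.window = window_s
        self.stamps = defaultdict(deque)

    def allow(self, source, ts):
        q = self.stamps[source]
        while q and ts - q[0] >= self.window:   # expire stamps outside the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(ts)
        return True


def triage(events, max_qps=20, amp_threshold=10.0):
    """events: dicts with ts, src, qname, qtype, query_len, response_len.
    Returns per-source counters: queries seen, responses dropped by the rate
    limiter, the largest amplification ratio observed, and an amplifying flag."""
    limiter = SlidingWindowLimiter(max_qps)
    summary = defaultdict(lambda: {"queries": 0, "dropped": 0, "max_amp": 0.0,
                                   "amplifying": False})
    for e in events:
        s = summary[e["src"]]
        s["queries"] += 1
        ratio = e["response_len"] / e["query_len"]
        s["max_amp"] = max(s["max_amp"], round(ratio, 2))
        if ratio >= amp_threshold:
            s["amplifying"] = True
        if not limiter.allow(e["src"], e["ts"]):
            s["dropped"] += 1
    return dict(summary)


def _event(ts, src, qname, qtype, qlen, rlen):
    return {"ts": ts, "src": src, "qname": qname, "qtype": qtype,
            "query_len": qlen, "response_len": rlen}


# Constructed sample: one source fires 30 large-response queries inside 0.3 s,
# one ordinary client makes three small lookups a second apart.
SAMPLE = [_event(i * 0.01, "198.51.100.9", "example.com", "ANY", 45, 3000)
          for i in range(30)]
SAMPLE += [_event(0.5 + i, "192.0.2.10", "www.example.com", "A", 45, 120)
           for i in range(3)]

if __name__ == "__main__":
    for src, counters in triage(SAMPLE).items():
        print(src, counters)
```

The two signals are kept separate on purpose: a high ratio with a low rate is often a legitimate large zone or DNSSEC answer, and a high rate with small answers is a plain flood, so an operator tuning this wants to see both counters rather than a single score.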
Intelligence Needed to Take Action
Centralized Visibility: Reporting
• Attack details by category, member, rule, severity, and time
• Visibility into the source of attacks for blocking, to understand scope and severity
• Early identification and isolation of issues for corrective action
External Authoritative and Internal Recursive Enterprise
[Figure: Advanced DNS Protection deployed in the DMZ in front of the external authoritative servers, filtering reconnaissance, amplification, exploits and DNS tunneling arriving from the Internet while legitimate traffic passes; Grid Master and candidate (HA) on the intranet]
Protection Against Cyber Attacks and Internal DNS Attacks
[Figure: Advanced DNS Protection on the internal recursive servers in the datacenter and at campus/regional sites, filtering amplification and cache poisoning from endpoints while legitimate traffic passes; Grid Master and candidate (HA) on the intranet]
Infoblox Security Device Controller: Control
The Pain of Legacy Processes
[Figure: legacy approach, manual, hours/days per step; network provisioning time in hours/days]
Firewall change needed:
1. Search for devices
2. Figure out impacted devices
3. Determine correct config
4. Compare change to standards/compliance
5. Request change / implement manually
6. Reconfirm correctness and compliance
• Manual processes cannot keep up
• SLAs are lengthening to weeks or even a month
• Require dedicated, senior network architects: routine, repetitive, error-prone; multiple-vendor expertise needed
Automated Network Discovery
• Simple and complete network-wide discovery
• Powerful topology to visualize path
Embedded Expertise
• Built-in intelligence automatically provides detailed ACL/rule views
• Detects problems like unused, overlapping and duplicate rules out of the box
Powerful Search
• Search results identify all matching devices, including vendor-specific syntax
• Easily customize search criteria for one or multiple devices
Customizable Alerting
• Immediately identify and track defined alerts to allow or deny access
• Create alerts for both blacklisting and whitelisting
Multi-vendor Provisioning
• Maintain control with user-based access rights and change process
• Provision changes in the same platform and view the vendor-specific syntax
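The "Embedded Expertise" slide says the rule views detect unused, overlapping and duplicate rules. The following added example (my own illustration, not Infoblox code) shows the core of such a check on a simplified first-match ACL: a rule is a duplicate when an identical rule precedes it, shadowed when an earlier rule already covers every packet it could match (so it can never fire, whatever its action), and unused when the device's hit counter for it is zero. The rule format, the hit counters and the sample ACL are constructed.

```python
"""Unused, duplicate and shadowed ACL rules (added example, not Infoblox code).

The slide says the built-in rule views detect unused, overlapping and duplicate
rules out of the box.  This is one way to do that on a simplified first-match
ACL: a rule is a duplicate when an identical rule precedes it, shadowed when an
earlier rule already covers every packet it could match, and unused when its
hit counter is zero.  The rule format, hit counters and sample ACL are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int          # position in the ACL; lower matches first
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp", "icmp" or "ip" (any)
    src: str          # CIDR
    dst: str          # CIDR
    dport: tuple      # (low, high) destination port range; (0, 65535) = any
    hits: int = 0     # hit counter exported by the device (constructed)


def covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`."""
    proto_ok = outer.proto == "ip" or outer.proto == inner.proto
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return proto_ok and src_ok and dst_ok and port_ok


def analyze(rules):
    """Return {"duplicate": [...], "shadowed": [...], "unused": [...]} of seq numbers."""
    ordered = sorted(rules, key=lambda r: r.seq)
    findings = {"duplicate": [], "shadowed": [], "unused": []}
    for i, rule in enumerate(ordered):
        earlier = ordered[:i]
        same = [e for e in earlier if (e.action, e.proto, e.src, e.dst, e.dport)
                == (rule.action, rule.proto, rule.src, rule.dst, rule.dport)]
        if same:
            findings["duplicate"].append(rule.seq)
        elif any(covers(e, rule) for e in earlier):
            # an earlier rule (of either action) already decides all of its traffic
            findings["shadowed"].append(rule.seq)
        if rule.hits == 0:
            findings["unused"].append(rule.seq)
    return findings


# Constructed ACL with one of each problem.
ACL = [
    Rule(10, "permit", "tcp", "10.0.0.0/8", "192.0.2.0/24", (443, 443), hits=12000),
    Rule(20, "deny",   "ip",  "0.0.0.0/0",  "192.0.2.5/32", (0, 65535), hits=37),
    Rule(30, "permit", "tcp", "10.1.0.0/16", "192.0.2.0/24", (443, 443), hits=0),   # shadowed by 10
    Rule(40, "permit", "tcp", "10.0.0.0/8", "192.0.2.0/24", (443, 443), hits=0),    # duplicate of 10
    Rule(50, "permit", "udp", "10.0.0.0/8", "198.51.100.53/32", (53, 53), hits=0),  # unused only
    Rule(60, "permit", "tcp", "10.0.0.0/8", "198.51.100.0/24", (22, 22), hits=4),
]

if __name__ == "__main__":
    print(analyze(ACL))
```

Shadowing is checked regardless of action: a permit hidden behind an earlier deny is a rule someone believes is granting access when it is not, which is the more dangerous direction for a compliance review than a harmless duplicate.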
The Power of Infoblox
[Figure: the same six steps (search for devices, figure out impacted devices, determine correct config, compare change to standards/compliance, request change / implement manually, reconfirm correctness and compliance) compared for the legacy approach (manual) and the Infoblox approach (automated); timescales shown: Hours/Days and Days/Weeks]
Compliance, Internal Policies & Best Practices: Enforce & Maintain
Common Standardization & Compliance Situation
• Requirements are researched and documented
• The “Gap” – between the policies and the actual state of the network devices
• Manual vs. automation – it’s not reasonable to expect to be able to achieve full compliance through manual processes
Infoblox Network Automation Overview
• Network discovery
• Built-in analysis
• Check against best practices
• Detect issues
• Monitor and manage change
• Automate change
• Maintain compliance
• Provision ACL & rules
Collected via: SNMP, CLI/configuration, syslog, fingerprinting. Real-time & historical analysis.
Standardization – Compliance Management
• Embedded compliance rules
• Customizable best practice templates
• Manage multiple policies
• Proactive violation detection
• Multiple remediation options
• Current and historical views
Configuration Analysis
• Unique pre-packaged expertise
• Identifies common misconfigurations
• Customizable alerting
• Recommended remediation options
• Understand concept of the network
• Network Scorecard views
Powerful Reporting
• Single-click compliance reports
• Pre-packaged and customizable
• Powerful filtering
• Executive and detailed reports
• On-demand or scheduled
• User-based view rights
Value of Network Standardization
• Verify your “desired state” against the “as is” state
• Improve network stability and consistency
• Reduce manual processes
• Eliminate extensive, time-consuming audit teams
• Increase accuracy with automation and embedded expertise
• Focus on building secure infrastructure instead of waiting for audits
DNS, DHCP and IP Address Management: Secure
DHCP Fingerprinting
[Figure: two clients send DHCPDISCOVER. The Laptop’s DHCPDISCOVER carries option sequence 1,15,3,6,44,46,47,31,33,121,249,43 and receives a DHCPOFFER; the Tablet’s carries option sequence 1,3,6,15,119,78,79,95,252 and its DHCPOFFER is marked with an X.]
Introducing DHCP Fingerprinting
• Automatically detect DHCP clients during the DHCPDISCOVER process
• Manage DHCP leases by asset or device
• Improve network planning with new device-focused reports
• Auto-organize and group devices in Smart Folders
• Integrated with Reporting Server with pre-defined reports
Benefits
• Unintrusive discovery and management of devices
• Flexibly enforce corporate policy
• Plan for network growth, determine application trends
• Improve device supportability and security
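The option sequences shown on the DHCP Fingerprinting slide are the contents of DHCP option 55, the parameter request list, which a client sends in its DHCPDISCOVER to say which options it wants back; the order is implementation-specific, which is why it identifies the device class. The following added example (my own code, not Infoblox's) parses the option section of a DHCPDISCOVER, extracts option 55 and classifies the sequence against a fingerprint table. The two sequences and their Laptop/Tablet labels are the ones on the slide; the packets, the longest-common-prefix fallback and the helper that builds test packets are constructed.

```python
"""DHCP fingerprinting from the DHCPDISCOVER option sequence (added example,
not Infoblox code).

The slide shows clients being classified from the order of options they ask
for: 1,15,3,6,44,46,47,31,33,121,249,43 is labelled Laptop and
1,3,6,15,119,78,79,95,252 is labelled Tablet.  That list is DHCP option 55
(parameter request list).  This parses the option section of a DHCPDISCOVER,
pulls option 55 out, and looks the sequence up in a small fingerprint table.
The packets and the fallback scoring are constructed; the two sequences and
labels are the ones on the slide.
"""

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])   # RFC 2132 options preamble
OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_PAD, OPT_END = 53, 55, 0, 255
DHCPDISCOVER = 1

# Fingerprint table: option-55 sequence -> device class (from the slide).
FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Laptop",
    (1, 3, 6, 15, 119, 78, 79, 95, 252): "Tablet",
}


def parse_options(payload):
    """Decode the TLV option section (after the magic cookie) into {code: bytes}."""
    if payload[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def fingerprint(payload):
    """Return (device_class, option_sequence) for a DHCPDISCOVER.

    Exact match first; otherwise the known sequence sharing the longest common
    prefix wins (constructed fallback, a stand-in for a real fingerprint
    database), and anything with fewer than four matching leading options
    is reported as unknown."""
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("not a DHCPDISCOVER")
    seq = tuple(opts.get(OPT_PARAM_REQ, b""))
    if seq in FINGERPRINTS:
        return FINGERPRINTS[seq], seq
    best, best_len = "unknown", 0
    for known, label in FINGERPRINTS.items():
        common = 0
        for a, b in zip(seq, known):
            if a != b:
                break
            common += 1
        if common > best_len and common >= 4:
            best, best_len = label, common
    return best, seq


def build_discover(param_list):
    """Constructed helper: option section of a DHCPDISCOVER with the given option 55."""
    return (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
            + bytes([OPT_PARAM_REQ, len(param_list)]) + bytes(param_list)
            + bytes([OPT_END]))


LAPTOP = build_discover([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43])
TABLET = build_discover([1, 3, 6, 15, 119, 78, 79, 95, 252])
ODD = build_discover([1, 3, 6, 15, 119, 252])    # tablet-like prefix, unseen tail

if __name__ == "__main__":
    for pkt in (LAPTOP, TABLET, ODD):
        print(fingerprint(pkt))
```

Because the fingerprint is taken from what the client requests rather than from anything it asserts about itself, it is a passive, unintrusive signal, which is what makes it usable for the lease-by-device-class policies the next slide describes; a client can still be deliberately built to mimic another class, so the label is an inventory hint, not an authentication result.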
Integrated IP Address Management
• Tracks what’s connected on the network
• Enhances IP allocation through automation
• Increases accuracy with continuous updates
• Helps with IPv4 to IPv6 migrations
Maintaining Security with Infoblox
• Enforce: Compliance & Policy Standardization
• Control: Firewall Rule & ACL Automation
• Secure: DNS, DHCP and IP Address Management
• Protect: Securing DNS