Secure and Control Your Network!

Maurizio Desiderio, Giancarlo Palmieri | Infoblox Italy

Eataly – 26 May 2015

© 2015 Infoblox Inc. All Rights Reserved.

2 | © 2013 Infoblox Inc. All Rights Reserved. 2 | © 2015 Infoblox Inc. All Rights Reserved.

Benvenuti Roma, 26 Maggio 2015 Maurizio Desiderio [email protected]

Slide 3 – Infoblox Overview & Business Update

Founded in 1999; headquartered in Santa Clara, CA, with global operations in 25 countries.

Market leadership:

• Gartner “Strong Positive” rating

• 50%+ market share (DDI)

• 7,200+ customers, 75,000+ systems shipped

• 38 patents, 25 pending

• IPO April 2012: NYSE BLOX

• Leader in technology for network control

Total Revenue ($MM, fiscal year ending July 31), as charted on the slide: FY2007 $35.0, FY2008 $56.0, FY2009 $61.7, FY2010 $102.2, FY2011 $132.8, FY2012 $169.2, FY2013 $225.0.

Slide 4 – Diverse Customer Base in All Key Verticals

Verticals shown: Technology, Manufacturing, Telecom, Government, Retail, Healthcare, Financial Services, Other.

(Slide graphic: recent new customers and exposure to the top 10 leaders in each industry; the customer logos are not recoverable from the transcript.)

Slide 5 – Analyst Report Highlights

• “Infoblox is the leader in DDI brand awareness and 45% of install base”

• “Infoblox achieved 50% market share – 3X next competitor”

• “Centrally managing IP services at this degree of scale requires robust DDI solutions”

• “Ad hoc approaches likely will not be sufficient to meet the security, management, and control challenges facing IT”

• “DDI — shorthand for DNS, DHCP, and IPAM — is a critical networking technology for every IT organization”

• “All Organizations Should Consider Infoblox” -- Gartner

• “Commercial DDI solutions can reduce OPEX by 50% or more”

Slide 6 – DNS: From Yellow Pages to Simply the “Yellow Pages”?

One of the most critical services (for a Service Provider it should be considered comparable to the core switches/routers)… just think about the effects in case of an outage!

Continually evolving since its invention 30 years ago towards improving:

• Resiliency

• Stability

• Security

in order to cope with growing usage and evolving attacks and threats.

Slide 7 – DNS Resiliency and Stability, facing…

• Internet population and average usage booming

• Increasing numbers of gTLDs and ccTLDs

• Increasing DDoS threats (volume and frequency)

• Effects of this growth impacting all levels of the hierarchy

• Slow IPv6 adoption…

Sources: http://www.verisigninc.com/assets/infographic-dnib-Q42014.pdf and http://www.internetlivestats.com/internet-users/#trend

Slide 8 – DNS Security: Unsecure by Design!

The original DNS specifications did not include security… yellow pages! DNS was initially designed to be a public database, with authentication and integrity of data out of scope.

Slide 9 – DNS Hijackings in the News: 2013 & 2014

Slide 10 – The Rising Tide of DNS Threats

In the last year alone there has been an increase of 200% in DNS attacks and 58% in DDoS attacks [1].

With amplification of up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge.

33M: the number of open recursive DNS servers [2]. 28M pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks [2].

2M: with enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant.

Financial impact is huge. Average estimated loss per DDoS event in 2012, for the three sectors shown (financial services, technology company, government): $7.7M, $13.6M, $17M [3]. The average loss for a 24-hour outage from a DDoS attack: $27 million [3].

Top industries targeted [4]: Enterprise 42%, Commerce 29%, Retail 22%, Business Services 21%, Media & Entertainment 17%, Financial Services 13%, High Tech 7%, Miscellaneous 5%, Public Sector 5%, Hotels 5%, Healthcare 2%, Consumer Goods 2%, Automotive 1%.

1. Quarterly Global DDoS Attack Report, Prolexic, 4th Quarter, 2013

2. www.openresolverproject.org

3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc., May 17, 2013

4. State of the Internet, Akamai, 2nd Quarter, 2013

Slide 11 – Overall Malware Threats Booming

Startling statistics:

• Around 7.8 million new malware threats per quarter in 2012

• Mobile threats grew about 10X in 2012*

• 855 successful breaches / 174 million records compromised in 2012**

• 69% of successful breaches utilized malware**

• 54% took months to discover, 29% weeks**

• 92% discovered by an external party**

(Charts on the slide: “New Malware” per quarter, Q1 2010 to Q3 2012, on a 0 to 10,000,000 scale; “Total Mobile Malware Samples in the Database”, 2004 to 2012, on a 0 to 25,000 scale.)

* Source: McAfee Threats Report: Third Quarter 2012

** Source: Verizon Security Study 2012

Slide 12 – Security Breaches, 2013: Advanced Persistent Threat Is on the Rise…

“Nasdaq, Visa, JCPenney among hacking victims: prosecutors”

NEWARK, New Jersey (Reuters) - The United States on Thursday named major corporations including Nasdaq OMX Group Inc, New York Times, J.C. Penney Co Inc and Visa Inc as among the victims of what federal prosecutors said is the largest hacking and data breach case prosecuted in the nation.

July 25, 2013

$300 Million Stolen

Slide 13 – Security Breaches, 2014: Malware from Yahoo…

“Malware attack hits thousands of Yahoo users per hour”

(CNN) -- A malware attack hit Yahoo's advertising server over the last few days, affecting thousands of users in various countries, an Internet security company said.

In a blog post, Fox-IT said Yahoo's servers were releasing an "exploit kit" that exploited vulnerabilities in Java and installed malware.

"Clients visiting yahoo.com received advertisements served by ads.yahoo.com," the Internet security company said. "Some of the advertisements are malicious."

December 31, 2013

For a time during the attack, which started on Dec. 31, 2013, and was discovered on Jan. 3, 2014, the malware was creating an estimated 27,000 infections per hour.

The Infoblox DNS Firewall Subscription service had identified and blocked the malicious IP before Yahoo noticed the malware.

Slide 15 – The DNS Security Challenge

• Securing the DNS platform (HW/OS hardening)

• Defending against threats to the DNS (network and application threats)

• Defending against threats from DNS (application threats)

Slide 16 – Automate the Network and Its Core Services

Closed-loop automation across two layers:

• Network (routing, switching…): track and automate change, communicate / take action – Infoblox NetMRI

• Core services (DNS / DHCP / IPAM): automate IP management, DNS & DHCP – Infoblox DDI, Trinzic Enterprise

Both are built on real-time visibility and task automation applications.

Slide 17 – Infoblox Grid™ Technology: Simple, Secure and Reliable

Grid: a collection of secure member appliances, all running the same software, providing one or more services (DNS, DHCP, Discovery, File Delivery, NTP etc.), coordinated by the Grid Master, sharing a distributed database (with zero maintenance) and communicating via an SSL VPN.

Provides:

- Centralized visibility and control

- Real-time IPAM & discovery

- Monitoring and reporting

- Failover and disaster recovery for services, data & management

(Diagram: the Grid Master with the Grid Manager GUI, a Grid Master Candidate, and members serving external DNS; DNS, DHCP, NTP; IPAM, DNS; DHCP, NTP; reporting; plus, as configuration examples of security functions, members running ADP and DNS Firewall.)

Slide 18 – Infoblox Physical and Virtual Appliance

Replacing servers with appliances in branch offices improves performance, provides local survivability and drives compelling ROI.

Grid deployment options shown: the Grid Master with its management interface; a Grid Master Candidate; virtual Grid Members running Infoblox vNIOS virtual appliance software on VMware ESX / ESXi, on Cisco 28/29xx & 38/39xx ISR with Infoblox vNIOS, and on Riverbed appliances with Infoblox vNIOS; physical Grid Members; and agent-less management of Microsoft® DNS / DHCP.

Slide 19 – The DNS Security Challenge

1. Securing the DNS platform

2. Defending against DNS attacks

3. Preventing malware from using DNS

Slide 20 – The Infoblox Solution: Secure DNS

• Hardened appliance & OS under Grid™ management: secure the DNS platform, manage it easily

• Infoblox Advanced DNS Protection: defend against DNS attacks

• Infoblox DNS Firewall: prevents malware/APT from using DNS

Slide 21 – Security Risks with the Conventional Approach

Conventional server approach (multiple open ports):

– Many open ports subject to attack

– Users have OS-level account privileges on the server

– Requires time-consuming manual updates

Infoblox appliance approach (limited port access, Infoblox update service, secure access):

• Dedicated hardware with no unnecessary logical or physical ports

• No OS-level user accounts – only admin accounts

• Immediate updates to new security threats

• Secure HTTPS-based access to device management

• No root-shell access; remote SSH can be disabled

• Encrypted device-to-device communication

Slide 22 – Infoblox Purpose-Built Appliance and OS

• Minimal attack surfaces

• HA & Active/Active DR recovery

• Common Criteria Certification

• FIPS 140-2 Compliance

• Encrypted inter-appliance communication (Grid™)

• Centralized management with role-based control

• Secured access, communication & API/WAPI

• Detailed audit logging

• Fast/easy upgrades

• DNSSEC (easy management)

Slide 23 – Infoblox Grid™ Technology: Enterprise

(Diagram: a Grid Master with the centralized management interface and IPAM, plus a Grid Master Candidate; in the DMZ facing the Internet, Grid Members running cache/forwarder DNS and authoritative DNS, protected by ADP and DNS Firewall; internally, Grid Members in a DHCP failover association, DNS primary and DNS secondary members, and a reporting server.)

Slide 24 – Infoblox Grid™ Technology: Service Provider

(Diagram: a main site with the Grid Master, centralized management interface, IPAM, a hidden primary DNS and a reporting server; sites 1 to 4 with Grid Members running secondary DNS and cache/forwarder DNS behind a load balancer in the DMZ facing the Internet, protected by ADP + DFW.)

Slide 25 – The Infoblox Solution: Secure DNS (section divider: the three pillars from slide 20, with the focus now on Infoblox Advanced DNS Protection, defending against DNS attacks)

Slide 26 – The Position

Protect now or wait until it's too late?

Slide 27 – Solution Components and Features

Infoblox Advanced Appliance (PT-1400, PT-2200, PT-4000):

• DNS only

• DNS appliance purpose-built with security in mind

• Enhanced processing and dedicated compute for threat mitigation

Infoblox Advanced DNS Protection Service:

• Continuously monitor, detect, and drop packets of DNS-based attacks

• Respond to legitimate traffic even when under attack

• Automatically update for protection against new and evolving threats

• Tune traffic thresholds for rules

Slide 28 – Infoblox: Differentiation and Value

Comparison table of coverage across seven approaches: Infoblox Standard, Infoblox Advanced, Load Balancers, Pure DDoS, NGFW, IPS, Cloud. The transcript preserves the number of check marks in each row but not which columns they fall in:

• DNS server: 3 checks

• General DDoS: 3 checks

• DNS DDoS: 4 checks

• DNS server OS and application vulnerabilities: 3 checks

• Flood attacks: 6 checks

• Semantic attacks: 3 checks

• Cache poisoning: 1 check

• DNS reflection: 1 check

• Tunneling: 3 checks

• DNS amplification: 1 check

Slide 29 – Infoblox Advanced DNS Protection: Fully Integrated into the Infoblox Grid

(Diagram: the Infoblox Threat-rule Server pushes automatic threat-rule updates to the Grid Master, which performs Grid-wide rule distribution to the ADP members for external DNS and, new, for internal DNS; the members block DNS attacks while passing legitimate traffic, and send reports to the Reporting Server, which reports on attack types and severity, all under the Grid management interface.)

Slide 30 – What Attacks Do We Protect Against? The Rising Tide of DNS Threats: Top DNS Attacks

• DNS amplification: use amplification in the DNS reply to flood the victim

• TCP/UDP/ICMP floods: flood the victim's network with large amounts of traffic

• Protocol anomalies: malformed DNS packets causing the server to crash

• DNS cache poisoning: corruption of a DNS cache database with a rogue address

• DNS hijacking: subverting resolution of DNS queries to point to a rogue DNS server

• DNS tunneling: tunneling of another protocol through DNS for data exfiltration

• Reconnaissance: probe to get information on the network environment before launching an attack

• DNS-based exploits: exploit vulnerabilities in DNS software

• Fragmentation: traffic with lots of small out-of-order fragments

• DNS reflection/DrDoS: use third-party DNS servers to propagate a DDoS attack

• NXDOMAIN: flood the DNS server with requests for non-existent domains

• Phantom domain: force the DNS server to resolve multiple non-existent domains and wait for responses

Slide 31 – Infoblox DNS Protection: The Basics of ADP

Components: the Internet-facing ADP appliance consists of a Smart NIC (running the ADP threat rules, the DNS Firewall (DFW) match and the DCA cache) in front of the host appliance running BIND.

Flow shown in the diagram, using the slide's step numbers:

1. A DNS query arrives from the client.

2. Threat rule match? Yes: drop / rate limit.

3. No: DFW match? Yes: synthesized response (pre-recursion). No: DCA cached? Yes: DCA cached response.

4. No: BIND cached? Yes: respond from cache. No: recursion.

5. The response returns from recursion.

6. BLK-LIST match? Yes: drop / rate limit.

7. No: DFW match? Yes: synthesized response (post-recursion). No: recursive response to the client.
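The decision pipeline on this slide, as an added example that is neither Infoblox code nor part of the presentation: a small Python model of a resolver that applies a per-client rate-limit threat rule, an RPZ-style DNS Firewall match before and after recursion, a DCA and a BIND cache, and a post-recursion BLK-LIST drop. The stage names, the walled-garden address, the rate limit and every domain and address are constructed assumptions; real ADP threat rules cover far more patterns than a rate limit.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set, Tuple

# Hypothetical model of the ADP / DNS Firewall flow chart above (not Infoblox code); stage labels reuse the slide's step numbers.
DROP_RATE_LIMIT = "2-drop/rate-limit"
SYNTH_PRE = "3-synthesized-response-pre-recursion"
DCA_HIT = "3-dca-cached-response"
CACHE_HIT = "5-response-from-bind-cache"
DROP_POST = "6-drop/rate-limit-post-recursion"
SYNTH_POST = "7-synthesized-response-post-recursion"
RECURSIVE = "7-recursive-response"
WALLED_GARDEN = "10.0.0.250"  # constructed sinkhole address used for synthesized answers

@dataclass
class Query:
    client_ip: str
    qname: str
    ts: float  # seconds since start, consumed by the rate-limit threat rule

@dataclass
class AdpResolver:
    rate_limit: int = 5    # threat rule: max queries per client per window
    window: float = 1.0    # sliding window length in seconds
    rpz_domains: Set[str] = field(default_factory=set)      # DFW (RPZ) domain triggers
    rpz_answer_ips: Set[str] = field(default_factory=set)   # DFW post-recursion answer-IP triggers
    blk_list_ips: Set[str] = field(default_factory=set)     # BLK-LIST: answers dropped outright
    upstream: Dict[str, str] = field(default_factory=dict)  # constructed "Internet": qname -> IP
    dca: Dict[str, str] = field(default_factory=dict)       # Smart NIC cache (DCA)
    bind_cache: Dict[str, str] = field(default_factory=dict)
    history: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    recursions: int = 0    # how often BIND had to go out to the Internet

    def threat_rule_match(self, q: Query) -> bool:
        """Per-client sliding-window rate limit, the simplest ADP-style threat rule."""
        recent = self.history[q.client_ip]
        while recent and q.ts - recent[0] > self.window:
            recent.popleft()
        recent.append(q.ts)  # dropped queries still count against the window
        return len(recent) > self.rate_limit

    def dfw_domain_match(self, qname: str) -> bool:
        """RPZ QNAME triggers match the listed name and every name below it."""
        labels = qname.rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.rpz_domains for i in range(len(labels)))

    def resolve(self, q: Query) -> Tuple[str, Optional[str]]:
        """Walk the flow chart; return (stage, answer), with answer None when dropped."""
        if self.threat_rule_match(q):        # 1 query -> threat rule match -> 2
            return DROP_RATE_LIMIT, None
        if self.dfw_domain_match(q.qname):   # DFW match before recursion -> 3
            return SYNTH_PRE, WALLED_GARDEN
        if q.qname in self.dca:              # DCA cached -> 3
            return DCA_HIT, self.dca[q.qname]
        if q.qname in self.bind_cache:       # BIND cached -> 5 without recursion
            return CACHE_HIT, self.bind_cache[q.qname]
        self.recursions += 1                 # 4 recursion, 5 response
        answer = self.upstream.get(q.qname, "NXDOMAIN")
        if answer in self.blk_list_ips:      # BLK-LIST match on the answer -> 6
            return DROP_POST, None
        if answer in self.rpz_answer_ips:    # DFW match after recursion -> 7 synthesized
            return SYNTH_POST, WALLED_GARDEN
        self.bind_cache[q.qname] = answer    # clean answer: cache it at both layers
        self.dca[q.qname] = answer
        return RECURSIVE, answer             # 7 recursive response

def demo() -> Dict[str, object]:
    """Run constructed traffic through the model and record the stage each query reached."""
    r = AdpResolver(rate_limit=3, rpz_domains={"bad-cnc.example"},
                    rpz_answer_ips={"203.0.113.66"}, blk_list_ips={"198.51.100.9"},
                    upstream={"www.example.com": "93.184.216.34",
                              "drop.example.net": "198.51.100.9",
                              "evil-ip.example.org": "203.0.113.66"})
    out: Dict[str, object] = {}
    out["first"] = r.resolve(Query("10.1.1.5", "www.example.com", 0.0))
    out["cached"] = r.resolve(Query("10.1.1.5", "www.example.com", 0.1))  # DCA serves it
    out["rpz"] = r.resolve(Query("10.1.1.5", "beacon.bad-cnc.example", 0.2))
    out["blk"] = r.resolve(Query("10.1.1.6", "drop.example.net", 0.3))
    out["rpz_ip"] = r.resolve(Query("10.1.1.6", "evil-ip.example.org", 0.4))
    # client 10.1.1.7 sends five distinct names within one second; the 4th and 5th exceed the limit
    out["flood"] = [r.resolve(Query("10.1.1.7", f"n{i}.example.com", 0.5 + i * 0.01))[0]
                    for i in range(5)]
    out["recursions"] = r.recursions
    return out
```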

Slide 32 – The Infoblox Solution: Secure DNS (section divider: the three pillars from slide 20, with the focus now on Infoblox DNS Firewall, preventing malware/APT from using DNS)

Slide 33 – Protect for Real or Play Around?

Protect now or wait until it's too late?

Slide 34 – Infoblox DNS Firewall Blocking Malware

1. An infected device is brought into the office. Malware / APT spreads to other devices on the network and calls home.

2. The malware makes a DNS query to find “home” (botnet / C&C).

3. Infoblox DDI with DNS Firewall detects & blocks the DNS query to the malicious domain; the blocked attempt is sent to syslog.

4. Pinpoint: Infoblox Reporting lists blocked attempts as well as the:

• IP address

• MAC address

• Device type (DHCP fingerprint)

• Host name

• DHCP lease history

DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Service / Infoblox Malware Data Feed Service.
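Steps 3 and 4 above, as an added example that is not Infoblox code or part of the presentation: a Python model that matches constructed query-log lines against an RPZ-style feed, emits a constructed syslog line for each blocked attempt, and pinpoints the device by joining the client IP to the DHCP lease that was active at that moment, returning MAC, DHCP-fingerprint device type, host name and lease history. The log layout, syslog format, feed entries and lease records are all assumptions, and the model also handles the case where no lease covered the IP at query time.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Hypothetical model of DNS Firewall blocking plus Reporting-style pinpointing (not Infoblox code).
# Every feed entry, lease and log line below is constructed for the example.
RPZ_FEED = {  # blocked domain -> feed type, named after the feed categories on the next slide
    "bad-cnc.example": "Botnet C&C",
    "dropper.example.net": "Malware Droppers",
}

LEASES = [  # DHCP lease history; 10.1.1.5 belongs to two different devices over the day
    {"ip": "10.1.1.5", "mac": "00:11:22:33:44:55", "host": "sales-laptop-07",
     "fingerprint": "Windows 7/8", "start": "2015-05-26 08:00:00", "end": "2015-05-26 12:00:00"},
    {"ip": "10.1.1.5", "mac": "66:77:88:99:aa:bb", "host": "guest-phone",
     "fingerprint": "Android", "start": "2015-05-26 12:30:00", "end": "2015-05-26 20:00:00"},
    {"ip": "10.1.1.9", "mac": "66:77:88:99:aa:bb", "host": "guest-phone",
     "fingerprint": "Android", "start": "2015-05-25 09:00:00", "end": "2015-05-25 18:00:00"},
]

QUERY_LOG = """\
2015-05-26 13:05:10 client 10.1.1.5#53211: query: beacon.bad-cnc.example IN A
2015-05-26 13:05:11 client 10.1.1.5#53212: query: www.example.com IN A
2015-05-26 13:07:42 client 10.1.1.9#40001: query: cdn.dropper.example.net IN A
"""
LOG_RE = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) IN (\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def rpz_category(qname: str) -> Optional[str]:
    """Return the feed type whose domain trigger covers qname (the name itself or any parent)."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        hit = RPZ_FEED.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def dns_firewall(log_text: str) -> List[Dict[str, str]]:
    """Step 3: every query for a feed-listed domain becomes a blocked-attempt event."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query line; ignore rather than crash on unrelated syslog text
        ts, client, qname, qtype = m.groups()
        feed = rpz_category(qname)
        if feed:
            events.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype, "feed": feed})
    return events

def syslog_line(ev: Dict[str, str]) -> str:
    """Constructed syslog format for the blocked attempt (the appliance's real format is not on the slide)."""
    return (f'{ev["ts"]} dns-firewall: blocked client={ev["client"]} '
            f'qname={ev["qname"]} type={ev["qtype"]} feed="{ev["feed"]}"')

def pinpoint(ev: Dict[str, str], leases: List[Dict[str, str]]) -> Dict[str, object]:
    """Step 4: join the blocked attempt to the lease active at that moment, not to the current one."""
    when = datetime.strptime(ev["ts"], TS_FMT)
    active = [ls for ls in leases if ls["ip"] == ev["client"]
              and datetime.strptime(ls["start"], TS_FMT) <= when <= datetime.strptime(ls["end"], TS_FMT)]
    if not active:  # no lease covered the IP at that time: static address or a gap in the lease log
        return {"ip": ev["client"], "mac": None, "device_type": None, "host": None,
                "lease_history": [], "note": "no DHCP lease active at query time"}
    lease = active[0]
    history = [(ls["ip"], ls["start"], ls["end"]) for ls in leases if ls["mac"] == lease["mac"]]
    return {"ip": ev["client"], "mac": lease["mac"], "device_type": lease["fingerprint"],
            "host": lease["host"], "lease_history": history, "note": ""}

def report() -> List[Dict[str, object]]:
    """Blocked attempts from the constructed log, each with its syslog line and pinpoint data."""
    return [{"syslog": syslog_line(ev), **pinpoint(ev, LEASES)} for ev in dns_firewall(QUERY_LOG)]
```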

Slide 35 – Infoblox Malware Data Feed Service

Feed categories shown: Geographic Blocks, Inbound Attacks, Malware Droppers, Botnet C&C / DNS Servers. RPZ data is pushed from the Infoblox Malware Data Feed Service to the Infoblox DNS Firewall through signed XFR.

• 24/7 service

• Data from over 35 different public and proprietary sources – 7 feed types

• Incremental threat data changes are pushed every 2 hours

• Significant threats cause immediate updates (notify)

External feed: Legge Gentiloni

Slide 36 – Anatomy of an Attack: Cryptolocker “Ransomware”. Why Is DNS Security Important?

• Targets Windows-based computers

• Appears as an attachment to a legitimate-looking email

• Upon infection, encrypts files: local hard drive & mapped network drives

• Ransom: 72 hours to pay $300 US

• Fail to pay and the encryption key is deleted and the data is gone forever

• The only way to stop it (after the executable has started) is to block the outbound connection to the encryption server

Slide 37 – The Infoblox Solution Portfolio

Built on the Infoblox Grid™ (real-time network database) and Infoblox Advanced Reporting, delivered on physical & virtual appliances with 3rd-party adapters:

• IP Address Management (IPAM): IPAM, Network Insight, IPAM for Microsoft (Windows Server), IPAM for Microsoft System Center Orchestrator, IPAM for VMware vCenter Orchestrator

• Network Services: Infoblox DDI (DNS, DHCP, IPAM), Load Balancer Manager

• Network Automation: NetMRI, Switch Port Manager, Security Device Controller, Automation Change Manager

• Security: Advanced DNS Protection, DNS Firewall-FireEye Adapter, DNS Firewall Subscriptions

Slide 38 – New Products in the Last 12 Months

(The same portfolio map as the previous slide, with the products new in the last 12 months highlighted; the highlighting is not recoverable from the transcript.)

Slide 39 – Infoblox Appliances Family

Models listed on the slide, grouped by the deployment tiers it shows:

• Headquarters: Trinzic 4010, Trinzic 4030; PT-4000; Network Automation 4000; ND-4000; Trinzic Reporting

• Regional centers: Trinzic 2210, Trinzic 2220; PT-2200; Network Automation 2200; ND-2200

• Branch offices: Trinzic 1410, Trinzic 1420; PT-1400; Network Automation 1400; ND-1400

• Edge/remote locations: Trinzic 810, Trinzic 820; Trinzic 100; ND-800

Slide 40 – Conclusion: Security by Design

This is the perfect opportunity to help your customers review their infrastructure and rebuild the “house properly”.

It is no longer a “Nice to Have” but a “Must Have”.

Most customers have finally acknowledged that their DNS is the weakest link and have to address the issue ASAP.

If I build a house without emergency exits, adding them later on is very difficult and expensive.

Slide 42 – Market Dynamics: Private Cloud Deployments on the Rise

IT departments increasingly want their own Amazon-like cloud in-house… here is why:

• Cost savings: commodity gear, better utilization

• IT & business agility: faster app roll-out, self-service

• LOB productivity: less time waiting, more time producing

Slide 43 – Private Cloud Perception vs. Reality

How long does it take to deploy a new virtual instance?

• Perception: a snap of the fingers; measured in seconds or minutes

• Reality: slow, with manual processes; measured in hours, days or weeks

Slide 44 – Hidden Achilles Heel for Cloud Deployments

Manual, traditional approach: provision the virtual instance, then

1. Request IP or use allotment

2. Forward IP data for tracking

3. Update database or spreadsheet

4. Request DNS record

5. Allocate and manually enter DNS

6. Clean up when de-provisioned

Compared with the automated approach, the manual one suffers from:

• Multiple teams and handoffs

• Shortcuts cause gaps and dangers

• Lack of a correlated view across the organization

• Risk for compliance and auditing

Slide 45 – Cloud Network Pain Points

• No visibility into IP address/DNS records for VM/network resources: no central reporting on lease history or DNS/IP associations

• Lack of reliable DDI for the private cloud: stability and simplified upgrades of the underlying network inhibit cloud rollout

• Requires too much administrator overhead: manual IP address/DNS provisioning is slow and error-prone

• Network provisioning is too slow for application delivery: no Amazon-like capabilities, i.e. on-demand, self-service, DevOps

Slide 46 – Understanding Cloud Architecture & Where Infoblox Fits

Layers, top to bottom:

• Cloud consumer

• Cloud orchestration layer / cloud management platform: open source (OpenStack); commercial (VMware vCAC, MS SC/VMM)

• Hypervisors: VMware ESXi / MS Hyper-V

• Physical infrastructure: compute, storage, network; network functions: routing, switching, firewalls, load-balancers

Infoblox fits alongside these layers as Cloud Network Automation (management UI), Infoblox adapters for VMware/Microsoft/OpenStack, and Infoblox DNS/DHCP/IPAM as the core network services.

Infoblox Cloud Network Automation helps you get more agility, scale and reliability from your clouds – with fewer human resources.

Slide 47 – Infoblox Cloud Network Automation (Adapters Only)

(Diagram: a corporate data center hosting the Grid Master, corporate-wide DNS, a DHCP Grid Member and a Reporting Server; private cloud data centers 1 and 2, each with an internal DNS Grid Member serving its VMs and a cloud management platform with the Infoblox adapter, e.g. CMP 1 OpenStack and CMP 2 VMware vCAC.)

Slide 48 – Infoblox Cloud Network Automation (Cloud Platform)

(Diagram: as in the previous slide, but the Grid Master now runs Cloud Network Automation and each private cloud data center gets a new Cloud Platform Appliance that the CMP's Infoblox adapter reaches over WAPI; a Cloud Platform Appliance is also new in the corporate data center.)

Slide 49 – Infoblox Cloud Network Automation

1. Integrated adapters: free adapters to integrate with key cloud management / orchestration platforms, leveraging the RESTful API

2. Cloud-focused discovery and visibility: centralized, integrated management user interface; cloud widgets for monitoring cloud network elements; cloud-specific reports

3. Scalable cloud platform deployment: virtual appliances that support communication with cloud management platforms through Infoblox adapters; deployed per data center to support scale-out

Slide 50 – Cloud Network Automation: New GUI

Slide 51 – Provisioning a VM Using a Cloud Management Platform with Infoblox Integration

Actors: end user, CMP/Orchestrator, Infoblox Adapter, Infoblox Grid Master, Infoblox Grid Member (DNS/DHCP), hypervisor.

1. A cloud admin/user requests a VM to be created through the self-service portal.

2. The CMP/Orchestrator calls the Infoblox Adapter.

3. The Infoblox Adapter contacts NIOS via WAPI for the next available IP and creates the DNS records for the VM.

4. The Grid Master synchronizes the Host record or Fixed Address + A/AAAA/PTR with the Grid Member.

5. The CMP/Orchestrator spins up the VM on the hypervisor.

6. The VM starts up either with an injected static IP or with an IP allocated via a DHCP request to the Member (Fixed Address).

7. The end user accesses the VM using its DNS FQDN.

Slide 52 – DDI Support for OpenStack

Description: extend DDI to manage VM networks created by OpenStack. The Infoblox Grid:

• Creates/deletes networks via OpenStack UI/CLI/APIs

• Allocates/de-allocates IP addresses when VMs are created or floating IPs are assigned

• Creates/deletes DNS host records or A/AAAA/PTR/CNAME records for allocated IPs

• Provides DNS and DHCP services to VMs

• Manages internal and external networks

Benefits:

• Centralized cross-platform DDI service (OpenStack/VMware/Microsoft compatible)

• High availability

• Operational efficiency

• Lower cost of migration (physical to virtual to cloud)

(Diagram: OpenStack projects 9, 10 and 11, each with their IPs, reaching the Infoblox Adapter via API; the Grid Master and Grid Members providing the DDI service, plus a Reporting Server.)

Slide 53 – Delivering the Cloud Promise with Infoblox

Speed deployment times with Infoblox Cloud Network Automation:

• IPAM & DNS automation

• Multi-vendor cloud integration

• Enhanced and extended visibility

• Auditing and compliance

• Centralized and integrated management

• Always-on core network services

Slide 54 – The Power of Cloud Network Automation

Manual, traditional approach: provision the virtual instance, then 1. request IP or use allotment, 2. forward IP data for tracking, 3. update database or spreadsheet, 4. request DNS record, 5. allocate and manually enter DNS, 6. clean up when de-provisioned.

With Infoblox Cloud Network Automation: provision the virtual instance; steps 1 to 6 are automated.

Secure and Control Your Network! Maurizio Desiderio, Giancarlo Palmieri | Infoblox Italy

Eataly – 26 May 2015