DNS Security - Proidea

© 2012 Infoblox Inc. All Rights Reserved.

DNS Security

Secure DNS as the last layer of user protection

Adam Obszyński CISSP, CCIE #8557

[email protected]


Two kinds of DNS servers?

[Diagram: Internet users resolving http://www.company.com against the company's DNS, web server and mail server; internal users and internal applications resolving http://www.google.com through the company's DNS out to the Internet.]

Caching Name Servers (aka forwarders, resolvers, dns cache): enable web surfing, sending emails, etc.

Authoritative Name Servers: hosting company.com (corporate web site: www.company.com)


Agenda 4 Today

§  Unified Management and Visibility

§  DNSSEC - The Future is Now

§  Solid DNS Appliance Foundation

§  Combat Malware with DNS Firewall


Dedicated HW & OS as a Foundation

Conventional Approach
–  Multiple Open Ports: many open ports subject to attack
–  Users have OS-level account privileges on server
–  Requires time-consuming manual updates
–  Requires multiple applications for device management

Infoblox Appliance Approach
þ  Limited Port Access: dedicated hardware with no unnecessary logical or physical ports
þ  Hardened purpose built OS
þ  No OS-level user accounts – only admin accts
þ  Infoblox Update Service: immediate in-service updates to new security threats
þ  Secure Access: secure access to device management

Infoblox Redundancy Hardware Features

§  High availability pairs
§  Separate management and production network
§  Field replaceable components
–  Disks, Power, Fans
§  Local spares & RMA
§  Lights Out Management
§  Energy efficient

HA Failover (VRRP) – a few seconds

Active node owns the VIP

Infoblox 4030 – Hardware accelerated DNS Cache!

Software
§  Common Infoblox GUI for Easier Management
§  Built-in threat protection
§  URL Blacklisting / NXDOMAIN Redirection
§  DNSSEC

Hardware
§  High performance, ruggedized server platform, AC or DC power
§  Hot-swappable Power Supplies, Fan, RAID Disk Drives

Licensing: 300k qps, 600k qps, and over 1 million qps.

World's Most Scalable, Secure, and Manageable DNS Caching Server

Foundational for Mobile and Social Media Needs

Infoblox 4030 DNS Caching Appliance

Supports Requirement: Edge-based Scalability for Service Providers

"Trusted DNS" technology provides protection against:
–  "Signal Storm" outages due to DNS overloading
–  Distributed Denial of Service (DDoS) attacks
–  Stealing credentials: "Man-in-the-Middle" attacks
–  Redirection to a false website: "Cache Poisoning" attacks

Centralized management AND distributed failover in the event of a disaster

Solutions vs. Servers: Dedicated vs. Home made

§  4030 DNS Cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses

[Chart: Avg. Latency (Seconds), Bind 9.8 vs. Infoblox 4030]

Focus. Dedicated vs Home made

§  Note how the response rate drops off at 35k queries per second. This is a result of the total number of outstanding recursive requests hitting the processing limit.

[Chart: response rate against queries per second]

Number of Servers/Appliances Needed to Reach 500K and 1M DNS QPS

              # needed for 500K DNS QPS    # needed for 1M DNS QPS
BIND          13                           25
XXX           5                            9
Infoblox      1                            1

An Infoblox 4030 appliance can achieve up to 1 M DNS QPS. Competitive products require between 5 to 13 servers/appliances to reach 500K DNS QPS and between 9 to 25 servers/appliances to achieve 1M DNS QPS.


Network Availability & Control: Infoblox Grid™

[Diagram: Grid Master with Local Member, Remote Member and Virtual Appliance Member]

All devices are synchronized through a shared distributed database

Centralized visibility & control

Grid™ Benefits
§  Automated Failover & Disaster Recovery
§  Automated Maintenance
§  "Single pane of glass"
§  Secure Device-DNSSEC

Infoblox Grid Advanced Reporting Example: DNS Query and Caching Trends

Event: Growing organization. Do we have enough DNS capacity?

Benefit: Ensure network availability now and in the future.
–  Quickly identify if a low cache hit ratio is negatively impacting users
–  Ensure there are no outlier servers with skewed QPS that could impact performance
–  Track Queries Per Second (QPS) over time to view growth and plan for future requirements
–  Monitor responses to find anomalies that can slow DNS for others

Infoblox Grid Advanced Reporting Example: Security Issues

Event: Possible malware or virus attack. Is our intellectual property at risk?

Benefit: Enhance security by easily tracking intermittent and suspicious activity over time.
–  Verify and track if a high level of queries go to questionable 3rd party sites at intermittent times
–  Find potentially infected clients by seeing abnormally high DNS queries
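The two reporting slides above describe three checks: a cache hit ratio that has dropped, a server whose QPS is skewed relative to its peers, and a client issuing abnormally many queries. The following is an added example of how those checks can be computed from plain counters; it is not Infoblox code, the server and client counters are constructed sample data, and the 0.75 hit-ratio threshold and the MAD-based outlier cut-off are assumed policy values.

```python
"""Added example (not Infoblox's code): the three checks from the reporting
slides, run over constructed per-server and per-client DNS counters."""
from statistics import median

# Constructed sample data: per-server counters for one 60-second reporting interval.
SERVERS = {
    "ns-cache-1": {"queries": 180_000, "cache_hits": 162_000, "seconds": 60},
    "ns-cache-2": {"queries": 175_000, "cache_hits": 157_000, "seconds": 60},
    "ns-cache-3": {"queries": 190_000, "cache_hits": 95_000, "seconds": 60},   # poor hit ratio
    "ns-cache-4": {"queries": 720_000, "cache_hits": 650_000, "seconds": 60},  # skewed QPS
}

# Constructed sample data: query counts per client over the same interval.
CLIENTS = {
    "10.0.1.11": 140, "10.0.1.12": 155, "10.0.1.13": 132, "10.0.1.14": 148,
    "10.0.1.15": 161, "10.0.1.16": 139,
    "10.0.2.77": 9_800,  # abnormally chatty client
}


def hit_ratio(counter):
    """Fraction of queries answered from cache; every miss costs a recursion."""
    return counter["cache_hits"] / counter["queries"] if counter["queries"] else 0.0


def qps(counter):
    return counter["queries"] / counter["seconds"]


def low_hit_ratio_servers(servers, threshold=0.75):
    """Servers whose hit ratio is below the (assumed) threshold."""
    return sorted(name for name, c in servers.items() if hit_ratio(c) < threshold)


def mad_outliers(values, cutoff=3.5):
    """Robust outlier test: modified z-score |x - median| / MAD, scaled by 0.6745
    so the cut-off is comparable to an ordinary z-score. Uses the median so a
    single huge value cannot drag the baseline along with it."""
    vals = list(values.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0
    return sorted(name for name, v in values.items()
                  if 0.6745 * abs(v - med) / mad > cutoff)


def qps_outlier_servers(servers):
    """Servers with skewed QPS relative to their peers."""
    return mad_outliers({name: qps(c) for name, c in servers.items()})


def chatty_clients(clients):
    """Clients issuing abnormally many queries: candidates for an infection check."""
    return mad_outliers(clients)


def report(servers=SERVERS, clients=CLIENTS):
    return {
        "low_hit_ratio": low_hit_ratio_servers(servers),
        "qps_outliers": qps_outlier_servers(servers),
        "chatty_clients": chatty_clients(clients),
    }


if __name__ == "__main__":
    for key, names in report().items():
        print(f"{key}: {', '.join(names) or 'none'}")
```

The median/MAD test is deliberately used instead of mean and standard deviation: one runaway client would inflate a standard deviation enough to hide itself, whereas the median baseline is unaffected.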

Infoblox Grid a Key Differentiator: Simple, Secure, Reliable

[Diagram: Grid Master, Grid Master Candidate at Recovery Site, Internal Grid Members, External DNS Grid Member, Virtual Environment, Branch Offices, IPAM Insight]

A collection of High Availability member appliances
–  Coordinated by the Grid Master
–  Sharing a distributed database
–  Communicating via an SSL VPN

§  Centralized visibility and control
§  Real time IPAM & discovery
§  Automated Failover and DR

GRID Security Highlights

§  Common Criteria EAL-2 Certified
§  Restrictive and Hardened Linux based OS
§  5 Authentication methods
§  Role Based Administrative Functions
§  Detailed Audit Logging
§  Central View of Detail Data Collected from Many Systems
§  No root access
§  FIPS 140-2 Certified
§  JITC IPv6 Certified
§  CAC Card/Smart Card
§  Layer 2 NAC BYOD Portal
§  Detailed Reporting
§  CLI tools
§  SNMPv3 Support
§  SSL based Secure API
§  Thin Client Web Access via HTTPS
§  Encrypted communications between appliances – 128 bit AES via OpenVPN
§  Easy and fast patching
§  GRID Master to GRID Master Candidate Fail-over for fast DR recovery
§  File Distribution
–  Secure upload
§  Device and Network Discovery
–  Discover, auto-add, smart-folder fast find
–  vDiscover with vCenter
–  NMAP device finger printing

Fast Responses to Security Incidents

§  3 Major Feature Releases a year
§  Several patch/maintenance releases
§  Security vulnerabilities addressed within hours
§  Dedicated "Customer Engineering team" focused on resolving customer issues


Enhancing External DNS Security

Cryptographically signed DNS data

[Diagram: Trust Chain from the DNS Root through the 2nd Level Domain down to the nth Level Domain]

Automatically Implement DNSSEC to mitigate hijacking threats such as the Kaminsky attack

Manual Tasks
§  Numerous manual procedures for BIND, Microsoft DNS or other systems
§  Cumbersome and repetitive maintenance and key refresh procedures
§  Specialized knowledge resides (and leaves) with admin

Infoblox Solution
§  Automated deployment process
§  Automated key refresh
§  Automated maintenance
§  Knowledge and best practices embedded in system

Comparison to "command line" BIND Configuration of DNSSEC

§  The BIND way
–  The NIST guidelines for signing a single zone with standard BIND tools are 16 pages long
–  Typical steps required to sign a zone:
•  Generate a key pair for the Key Signing Key using the command line tool dnssec-keygen
•  Generate a key pair for the Zone Signing Key using the command line tool dnssec-keygen. E.g., dnssec-keygen -a RSASHA1 -b 1024 -n ZONE foo.com
•  Add the output of the KSK and the ZSK public key to the zone db file
•  Use the dnssec-signzone command line tool to sign the zone using the private key pair. E.g., dnssec-signzone -o foo.com -k Kfoo.com.+005+67829.key /var/named/zonedb.foo.com Kfoo.com.+005+45798.key
–  The zone must be re-signed every time there is a change in the contents
–  Manual process is error prone and can take hours
–  Tool development requires significant expertise

§  The Infoblox way
–  One click
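The manual BIND procedure above is a chain of command lines plus a rule ("re-sign every time the contents change") that somebody has to remember. As an added example, not Infoblox's or ISC's code, the planner below builds those exact dnssec-keygen and dnssec-signzone command lines and decides when a re-sign is due. It goes one step beyond the slide by also re-signing before the earliest RRSIG expiry, which is the other common way a manually signed zone breaks. The zone text, the RRSIG lines and their signature data are constructed, RESIGN_MARGIN is an assumed policy value, the RSASHA1/1024 parameters are the slide's 2012 values (newer algorithms are preferred today), and the commands are returned, not executed.

```python
"""Added example (not Infoblox's or ISC's code): decide when a BIND zone must be
re-signed and build the command lines from the slide, without running them."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

ZONE = "foo.com"
ZONE_FILE = "/var/named/zonedb.foo.com"   # path from the slide
KSK_KEY = "Kfoo.com.+005+67829.key"      # key file names from the slide
ZSK_KEY = "Kfoo.com.+005+45798.key"
RESIGN_MARGIN = timedelta(days=7)        # assumed policy: re-sign this long before expiry

# Constructed sample zone and a constructed signed copy (signature data is fake).
UNSIGNED_ZONE = """\
$ORIGIN foo.com.
@   3600 IN SOA ns1.foo.com. hostmaster.foo.com. 2012100101 7200 3600 1209600 3600
@   3600 IN NS  ns1.foo.com.
www 3600 IN A   192.0.2.10
"""
SIGNED_ZONE = UNSIGNED_ZONE + """\
www 3600 IN RRSIG A 5 3 3600 20121115000000 20121016000000 45798 foo.com. c29tZXNpZw==
@   3600 IN RRSIG NS 5 2 3600 20121120000000 20121021000000 45798 foo.com. c29tZXNpZw==
"""

# RRSIG rdata: type alg labels origttl EXPIRATION inception keytag signer signature
RRSIG_RE = re.compile(r"\bRRSIG\s+\S+\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+\d+\s+")


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def keygen_cmd(zone, ksk=False):
    """The dnssec-keygen line from the slide; -f KSK marks the key-signing key."""
    cmd = ["dnssec-keygen", "-a", "RSASHA1", "-b", "1024", "-n", "ZONE"]
    if ksk:
        cmd += ["-f", "KSK"]
    return cmd + [zone]


def signzone_cmd(zone=ZONE, zone_file=ZONE_FILE, ksk_key=KSK_KEY, zsk_key=ZSK_KEY):
    """The dnssec-signzone line from the slide."""
    return ["dnssec-signzone", "-o", zone, "-k", ksk_key, zone_file, zsk_key]


def content_digest(zone_text):
    """Digest of the zone with RRSIG/NSEC lines dropped, so a re-sign alone
    does not look like a content change."""
    keep = [l for l in zone_text.splitlines() if " RRSIG " not in l and " NSEC" not in l]
    return hashlib.sha256("\n".join(keep).encode()).hexdigest()


def earliest_expiry(signed_text):
    """Earliest RRSIG expiration in the signed zone, or None if it is unsigned."""
    stamps = [m.group(1) for m in RRSIG_RE.finditer(signed_text)]
    if not stamps:
        return None
    return min(datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
               for s in stamps)


def needs_resign(unsigned_text, signed_text, last_signed_digest, now):
    """(decision, reason): re-sign on content change, missing signatures,
    or when the earliest signature expires within RESIGN_MARGIN."""
    if content_digest(unsigned_text) != last_signed_digest:
        return True, "zone content changed since last signing"
    expiry = earliest_expiry(signed_text)
    if expiry is None:
        return True, "no RRSIG records found"
    if expiry - now <= RESIGN_MARGIN:
        return True, f"earliest RRSIG expires {expiry:%Y-%m-%d}"
    return False, "signatures current"


if __name__ == "__main__":
    print(" ".join(keygen_cmd(ZONE, ksk=True)))
    print(" ".join(keygen_cmd(ZONE)))
    print(" ".join(signzone_cmd()))
    print(needs_resign(UNSIGNED_ZONE, SIGNED_ZONE, content_digest(UNSIGNED_ZONE), utc(2012, 11, 10)))
```

In a cron job the digest of the last signed content would be stored next to the signed file; the planner then only needs the two files and the clock to decide whether to run the dnssec-signzone line it builds.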


DNS-exploiting Malware

§  Technology trends are accelerating the spread of this class of malware
§  DNS-exploiting malware is the underpinning for a variety of attacks
§  Professional attackers are successfully exploiting the largely unprotected DNS infrastructure

Advanced Persistent Threat / Botnet Malware – Too Dangerous to Ignore

How Botnets Exploit DNS to Operate
1.  Infects clients with Trojan Horse Spyware and Backdoor code that is undetectable by existing security approaches
2.  Botnet controller also avoids detection by existing security approaches. Backdoor locates controller using DNS.
3.  Criminal elements pay Botnet operators for data. Botnet operator instructs Spyware to collect sensitive data, whether governmental, corporate, or private.
4.  Botnet operators are also paid to launch DDoS attacks or to generate SPAM.

Industry's First True DNS Security Solution

Infoblox DNS Firewall stops DNS-exploiting malware (APT & Botnets)

PREVENTIVE · TIMELY · TUNABLE
–  Prevents malware infection and execution
–  Leverages high quality Malware Data Feed updated in near real time
–  Maximizes potency against malware worldwide

How Does the DNS Firewall work?

[Diagram, steps as numbered on the slide; each Infoblox DNS Firewall / Recursive DNS Server receives the same policy]
1.  Dynamic Policy Update from the Malware Data Feed from Infoblox
2.  Dynamic Grid-Wide Policy Distribution to every Infoblox DNS Firewall / Recursive DNS Server
3.  Link to malicious www.badsite.com
4.  Infected Client queries the DNS Firewall / Recursive DNS Server, which applies policy: Block / Disallow session, or Redirect to Landing Page / Walled Garden
5.  Contact botnet
6.  Write to Syslog and send to Reporting Appliance

Infoblox DNS Firewall – New Reporting Option: Security Policy Violations Report

§  Information Provided
–  List of Top Infected Clients
–  What malicious domains were requested and # of requests
–  Mitigation performed (e.g. Redirect, Block, or Pass)
–  Lease history by MAC address via drilldown option ("Click to view history for this IP")

§  Enabling
–  Pinpoint infected client by MAC address and by physical location
•  Explore the full lease history for dynamic environments
–  Near real-time mitigation or assignment to task lists
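The two slides above describe the DNS Firewall as a policy applied at the recursive server before recursion (block, redirect to a walled garden, or pass), a syslog line per hit, and a report of top infected clients and malicious domains built from those lines. As an added example, not Infoblox's code, the following shows the whole path in one place: a longest-suffix policy match, the three actions, the log line, and the report. The policy entries, domain names, client addresses, MAC addresses, the walled-garden address and the log format are all constructed; the upstream resolver is a stub.

```python
"""Added example (not Infoblox's code): a minimal DNS response-policy engine
with syslog-style logging and the violations report built from its log."""
from collections import Counter, defaultdict

# Constructed policy feed: domain -> action (names invented for the example).
POLICY = {
    "badsite.com": "redirect",    # answer with the walled-garden address
    "c2.example.net": "block",    # answer NXDOMAIN, no session
    "ads.example.org": "pass",    # resolve normally, log only
}
WALLED_GARDEN_IP = "192.0.2.100"  # assumed landing page / walled garden address


def match_policy(qname, policy=POLICY):
    """Longest-suffix match so sub.badsite.com inherits the badsite.com entry."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in policy:
            return suffix, policy[suffix]
    return None, "pass"


def resolve(client_ip, client_mac, qname, upstream):
    """Apply policy before recursing. Returns (answer, log line or None)."""
    matched, action = match_policy(qname)
    if matched is None:
        return upstream(qname), None
    if action == "block":
        answer = "NXDOMAIN"
    elif action == "redirect":
        answer = WALLED_GARDEN_IP
    else:
        answer = upstream(qname)
    # MAC is logged so the client can be traced through DHCP lease history later.
    log = (f"rpz: client={client_ip} mac={client_mac} qname={qname} "
           f"rule={matched} action={action}")
    return answer, log


def violations_report(log_lines):
    """Top clients and domains by hit count, plus the action taken per rule."""
    per_client, per_domain = Counter(), Counter()
    actions = defaultdict(Counter)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        per_client[(fields["client"], fields["mac"])] += 1
        per_domain[fields["rule"]] += 1
        actions[fields["rule"]][fields["action"]] += 1
    return {"top_clients": per_client.most_common(),
            "domains": per_domain.most_common(),
            "actions": {rule: dict(c) for rule, c in actions.items()}}


def fake_upstream(qname):
    """Stub for the recursive lookup; a constant documentation-range address."""
    return "203.0.113.5"


# Constructed traffic: (client IP, client MAC, queried name).
TRAFFIC = [
    ("10.0.5.21", "00:11:22:33:44:55", "www.badsite.com"),
    ("10.0.5.21", "00:11:22:33:44:55", "c2.example.net"),
    ("10.0.5.21", "00:11:22:33:44:55", "www.badsite.com"),
    ("10.0.5.40", "66:77:88:99:aa:bb", "cdn.ads.example.org"),
    ("10.0.5.40", "66:77:88:99:aa:bb", "www.example.com"),
]


def run(traffic=TRAFFIC):
    answers, logs = [], []
    for ip, mac, qname in traffic:
        answer, log = resolve(ip, mac, qname, fake_upstream)
        answers.append(answer)
        if log:
            logs.append(log)
    return answers, violations_report(logs)


if __name__ == "__main__":
    answers, report = run()
    print(answers)
    for (ip, mac), hits in report["top_clients"]:
        print(f"{ip} ({mac}): {hits} policy hits")
    print(report["domains"], report["actions"])
```

The suffix match is what makes a feed entry for a parent domain cover every host beneath it, and logging the MAC alongside the IP is what lets the report survive a DHCP lease change between detection and cleanup.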

Effectiveness Against DNS-Exploiting Malware

Aspect: Focus
–  Web Filter (Cyberoam, bloxx, etc.): Block inappropriate content
–  Legacy Firewall with Reputation Feed (Cisco, Juniper, Checkpoint, etc.): Access filtering
–  Data Loss Prevention (e.g. Websense): All, including binaries
–  Infoblox DNS Firewall: DNS-exploiting Malware

Aspect: Detection
–  Web Filter: Web traffic only, no DNS monitoring
–  Legacy Firewall with Reputation Feed: IP addresses only, no DNS monitoring
–  Data Loss Prevention: All traffic, generally doesn't monitor DNS
–  Infoblox DNS Firewall: Malicious entities (domain, IP, application, location)

Aspect: Mitigation
–  Web Filter: Stops client from accessing inappropriate site; URL blocking; no IP blocking; no Domain blocking; may / may not pinpoint clients
–  Legacy Firewall with Reputation Feed: Stops traffic to / from objectionable IP addresses; IP blocking; no URL blocking; no Domain blocking; no client pinpointing
–  Data Loss Prevention: Depends on location; IP blocking; no URL blocking; no Domain blocking; no client pinpointing
–  Infoblox DNS Firewall: Full prevention and mitigation; prevents infection; prevents communication with malicious entities; pinpoints clients for cleanup

Aspect: Requires
–  Web Filter: Gateway appliances
–  Legacy Firewall with Reputation Feed: None
–  Data Loss Prevention: Span port on each switch, sensors, Gateway appliances
–  Infoblox DNS Firewall: No additional hardware

Customer Benefits

§  Keep Malware from Overloading Your Team

§  Build Malware remediation into your IT systems and processes

§  Minimize Your Business Exposure from DNS-exploiting Malware


DNS Firewall Advantages

§  Easy to deploy
–  Enable feature on existing DNS caching server
–  Automated feeds
–  Proactively prevents infection
§  Effective
–  Added security plugs the hole of DNS based threats
§  Efficient
–  Reduce the load on existing DPI/content filtering defense
§  DNS Firewall is OS/device independent
§  Auditability / Trackability / Remediation
–  Ability to target infected device days or even weeks later
§  Policy flexibility by action, by Geo, and by type

Summary

Infoblox High-Integrity DNS: Scalable, Secure, Manageable

§  Most scalable, secure and manageable DNS caching solution for ISPs, Telcos, MSOs and Mobile Network Operators
–  High scale with minimal hardware deployment
–  Advanced embedded security against the modern threat
–  Cost-effective centralized management visibility

Within the Layer, DNS Security Must Be Multi-tier

[Diagram: threats arriving from the Network Side and the ISP Side against the DNS Appliance, and the tier that answers each]
–  Threats shown: DDoS, DDoS from internal "Zombies", Man in the Middle, Man in the Middle from BYOD, Device Attack, Physical Attack, Malware Infection, Botnet Command and Control
–  Tiers shown: Admin Authentication; Hardware / OS Hardening; DNSSEC, Port Randomization, etc. (against Man in the Middle); Stateful DNS Firewall; Application-level DNS Firewall (against Malware Infection and Botnet Command and Control)

Conclusions

§  Five Steps to Secure Network
1.  Solid DNS Appliance Foundation
2.  Unified Management and Visibility
3.  DNSSEC
4.  Combat Malware with DNS Firewall
5.  Go to #1

DEMO

LIVE DEMO – SHORT ONE

Thank you!

FIN …

Adam Obszyński CISSP, CCIE #8557

[email protected] +48-696-196-509