© 2012 Infoblox Inc. All Rights Reserved.
DNS Security
Secure DNS as the last layer of protection for users
Adam Obszyński CISSP, CCIE #8557
Two kinds of DNS servers?

Internet users -> http://www.company.com -> Internet -> authoritative DNS -> webserver, mailserver
Internal users and internal applications -> http://www.google.com -> caching DNS -> Internet

Caching name servers (aka forwarders, resolvers, DNS cache): enable web surfing, sending email, etc. for internal users.
Authoritative name servers: host company.com (corporate web site: www.company.com) for the Internet.

The two roles have different exposure and should not share one server: the authoritative server must answer anyone on the Internet but should never recurse for them, while the caching server should recurse only for internal clients (a caching server that answers Internet clients is an open resolver and a DDoS amplification source).
Agenda for Today
§ Unified Management and Visibility
§ DNSSEC - The Future is Now
§ Solid DNS Appliance Foundation
§ Combat Malware with DNS Firewall
Dedicated HW & OS as a Foundation

Conventional approach:
– Many open ports subject to attack
– Users have OS-level account privileges on the server
– Requires time-consuming manual updates
– Requires multiple applications for device management

Infoblox appliance approach:
§ Limited port access: dedicated hardware with no unnecessary logical or physical ports
§ Hardened, purpose-built OS
§ No OS-level user accounts, only admin accounts
§ Infoblox Update Service: immediate in-service updates for new security threats
§ Secure access to device management
Infoblox Redundancy Hardware Features
§ High availability pairs
§ Separate management and production network
§ Field replaceable components: disks, power, fans
§ Local spares & RMA
§ Lights Out Management
§ Energy efficient
HA Failover (VRRP) takes a few seconds
The active node owns the VIP (virtual IP), so clients keep pointing at one resolver address across a failover.
Infoblox 4030: Hardware-accelerated DNS Cache
World's Most Scalable, Secure, and Manageable DNS Caching Server
Software:
§ Common Infoblox GUI for easier management
§ Built-in threat protection
§ URL blacklisting / NXDOMAIN redirection
§ DNSSEC
Hardware:
§ High performance, ruggedized server platform, AC or DC power
§ Hot-swappable power supplies, fans, RAID disk drives
Licensing: 300k QPS, 600k QPS, and over 1 million QPS.
Infoblox 4030 DNS Caching Appliance: Foundational for Mobile and Social Media Needs
§ Supports edge-based scalability requirements for service providers
§ "Trusted DNS" technology provides protection against:
  – "Signal storm" outages due to DNS overloading
  – Distributed Denial of Service (DDoS) attacks
  – Credential theft via "man-in-the-middle" attacks
  – Redirection to a false website via "cache poisoning" attacks
§ Centralized management AND distributed failover in the event of a disaster
Solutions vs. Servers: Dedicated vs. Home-made
§ The 4030 DNS cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses.
[Figure: average latency (seconds) versus query rate, BIND 9.8 vs. Infoblox 4030]

Focus: Dedicated vs. Home-made
§ Note how the BIND response rate drops off at 35k queries per second. This is a result of the total number of outstanding recursive requests hitting the processing limit. In BIND that limit is the recursive-clients option in named.conf; once the quota is reached, further cache-miss queries fail and named logs "no more recursive clients: quota reached", so the figure to watch during a resolver overload is the count of in-flight recursive lookups, not only total QPS.
Number of Servers/Appliances Needed to Reach 500K and 1M DNS QPS

Product         500K DNS QPS    1M DNS QPS
BIND            13              25
XXX             5               9
Infoblox 4030   1               1

An Infoblox 4030 appliance can achieve up to 1M DNS QPS. Competitive products require between 5 and 13 servers/appliances to reach 500K DNS QPS, and between 9 and 25 servers/appliances to achieve 1M DNS QPS. (Vendor-supplied figures; the BIND row depends on the hardware and configuration used, which the slide does not state.)
Agenda: Unified Management and Visibility
Infoblox Grid™: Network Availability & Control
Grid members (Grid Master, local members, remote members, virtual appliance members) are all synchronized through a shared distributed database, giving centralized visibility & control.
Grid™ Benefits
§ Automated failover & disaster recovery
§ Automated maintenance
§ "Single pane of glass"
§ Secure device, DNSSEC
Infoblox Grid Advanced Reporting Example: DNS Query and Caching Trends
Event: growing organization. Do we have enough DNS capacity?
Benefit: ensure network availability now and in the future.
§ Quickly identify whether a low cache hit ratio is negatively impacting users
§ Ensure there are no outlier servers with skewed QPS that could impact performance
§ Track queries per second (QPS) over time to view growth and plan for future requirements
§ Monitor responses to find anomalies that can slow DNS for others
Infoblox Grid Advanced Reporting Example: Security Issues
Event: possible malware or virus attack. Is our intellectual property at risk?
Benefit: enhance security by easily tracking intermittent and suspicious activity over time.
§ Verify and track whether a high volume of queries goes to questionable third-party sites at intermittent times
§ Find potentially infected clients by looking for abnormally high DNS query volumes
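The "abnormally high DNS queries" check above, as an added example that is not part of the original deck or Infoblox's product: it parses BIND-style query log lines (an assumed format), counts queries per client, and flags clients that send far more than the median client or that mostly ask for names nobody else asks for, the trace a DGA or DNS-tunnelling implant leaves. The sample log and the thresholds are constructed for the example.

```python
"""Added example (not Infoblox code): flag clients whose query behaviour
stands out in a resolver's query log. Log format, thresholds and the
sample log are assumptions constructed for this example."""
import re
import statistics
from collections import Counter, defaultdict

# Assumption: BIND-style query log lines, one per query.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(lines):
    """Yield (client_ip, qname) for each line that looks like a query log entry."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip(".")


def build_sample_log():
    """Constructed sample: 20 ordinary clients querying three well-known names,
    plus one client hammering unique, machine-generated subdomains."""
    lines = []
    for i in range(20):
        ip = f"10.1.1.{10 + i}"
        for name in ("www.example.com", "mail.example.com", "cdn.example.net"):
            lines.append(f"client {ip}#5{i:04d}: query: {name} IN A + (10.1.1.1)")
    for n in range(150):
        lines.append(
            f"client 10.1.1.99#40000: query: h{n:05x}.dga-zone.example IN A + (10.1.1.1)"
        )
    return lines


def flag_clients(lines, count_factor=5.0, unique_ratio=0.8, min_queries=50):
    """Return {client_ip: [reasons]} for clients that either send more than
    count_factor times the median client's query volume, or whose queries
    are mostly for names nobody else asks for. min_queries keeps quiet
    clients from being flagged on a handful of lookups."""
    per_client = defaultdict(Counter)
    for ip, qname in parse_queries(lines):
        per_client[ip][qname] += 1
    if not per_client:
        return {}
    totals = {ip: sum(c.values()) for ip, c in per_client.items()}
    median = statistics.median(totals.values())
    flagged = {}
    for ip, counter in per_client.items():
        total = totals[ip]
        if total < min_queries:
            continue
        reasons = []
        if total > count_factor * median:
            reasons.append(f"{total} queries vs. median {median:g}")
        uniq = len(counter) / total
        if uniq >= unique_ratio:
            reasons.append(f"{uniq:.0%} of queries are for unique names")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_clients(build_sample_log()).items():
        print(ip, "; ".join(reasons))
```

Volume alone is a weak signal (a busy mail relay is noisy but clean), which is why the unique-name ratio is reported as a separate reason; in practice both thresholds need tuning against a baseline taken from the reporting data the slide describes.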
Infoblox Grid: a Key Differentiator. Simple, Secure, Reliable
Grid members shown: Grid Master, internal Grid members, external DNS Grid member, virtual environment, branch offices, Grid Master Candidate at the recovery site, IPAM Insight.
§ A collection of high-availability member appliances
§ Coordinated by the Grid Master
§ Sharing a distributed database
§ Communicating via an SSL VPN
§ Centralized visibility and control
§ Real-time IPAM & discovery
§ Automated failover and DR
Grid Security Highlights
§ Common Criteria EAL-2 certified
§ Restrictive and hardened Linux-based OS
§ 5 authentication methods
§ Role-based administrative functions
§ Detailed audit logging
§ Central view of detailed data collected from many systems
§ No root access
§ FIPS 140-2 certified
§ JITC IPv6 certified
§ CAC card / smart card
§ Layer 2 NAC BYOD portal
§ Detailed reporting
§ CLI tools
§ SNMPv3 support
§ SSL-based secure API
§ Thin-client web access via HTTPS
§ Encrypted communications between appliances: 128-bit AES via OpenVPN
§ Easy and fast patching
§ Grid Master to Grid Master Candidate failover for fast DR recovery
§ File distribution: secure upload
§ Device and network discovery: discover, auto-add, smart-folder fast find; vDiscover with vCenter; NMAP device fingerprinting
Fast Responses to Security Incidents
§ 3 major feature releases a year
§ Several patch/maintenance releases
§ Security vulnerabilities addressed within hours
§ Dedicated "Customer Engineering team" focused on resolving customer issues
Agenda: DNSSEC - The Future is Now
Enhancing External DNS Security: Cryptographically Signed DNS Data
Trust chain: DNS root -> 2nd-level domain -> nth-level domain (each parent publishes a DS record that vouches for the signing key of the zone below it).
Automatically implement DNSSEC to mitigate cache-poisoning and redirection threats such as the Kaminsky attack. Signing the authoritative zone only protects clients whose caching resolver validates, so validation has to be enabled on the resolvers as well.
Manual tasks:
§ Numerous manual procedures for BIND, Microsoft DNS or other systems
§ Cumbersome and repetitive maintenance and key refresh procedures
§ Specialized knowledge resides with (and leaves with) the admin
Infoblox solution:
§ Automated deployment process
§ Automated key refresh
§ Automated maintenance
§ Knowledge and best practices embedded in the system
Comparison to "command line" BIND Configuration of DNSSEC
§ The BIND way
  – The NIST guidelines for signing a single zone with standard BIND tools are 16 pages long
  – Typical steps required to sign a zone:
    • Generate a key pair for the Key Signing Key using the command line tool dnssec-keygen (with -f KSK, which sets the SEP flag)
    • Generate a key pair for the Zone Signing Key using dnssec-keygen, e.g. dnssec-keygen -a RSASHA1 -b 1024 -n ZONE foo.com
    • Add the KSK and ZSK public keys (the generated K*.key files) to the zone db file
    • Use the dnssec-signzone command line tool to sign the zone with the private keys, e.g. dnssec-signzone -o foo.com -k Kfoo.com.+005+67829.key /var/named/zonedb.foo.com Kfoo.com.+005+45798.key
  – The zone must be re-signed every time there is a change in the contents, and again before the signatures expire (dnssec-signzone's default validity is 30 days); a DS record for the KSK must also be published in the parent zone, or validating resolvers will not trust the signatures
  – The manual process is error prone and can take hours; tool development requires significant expertise
  – The slide's example uses algorithm 5 (RSASHA1) with a 1024-bit ZSK, which was typical in 2012; today use RSASHA256 (8) or ECDSAP256SHA256 (13) and longer RSA keys
§ The Infoblox way: one click
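The key-file names in the BIND commands above encode the algorithm number and the key tag (+005+67829 is algorithm 5, RSASHA1, key tag 67829), and the trust chain from the previous slide rests on a DS record in the parent that hashes the child's KSK. As an added example that is not part of the deck or of Infoblox's product, the following computes the key tag (RFC 4034 Appendix B) and the DS record (RFC 4034 section 5.1.4) for a DNSKEY, and checks it against what a parent publishes, which is the check that catches a forgotten DS update after a KSK rollover. The DNSKEY used is a constructed four-byte placeholder, not a real key.

```python
"""Added example (not Infoblox code): DNSKEY key tag and DS record
computation plus a chain-of-trust check. SAMPLE_KSK is a constructed
placeholder, not a usable key."""
import base64
import hashlib


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64...' into
    (owner, rdata bytes)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5).
    This is the number in dnssec-keygen's K<zone>.+<alg>+<tag>.key file names."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_rr, digest_type=2):
    """Build the DS RR the parent must publish: digest over the owner name
    in wire format followed by the DNSKEY RDATA."""
    owner, rdata = parse_dnskey(dnskey_rr)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    alg = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches_parent(child_dnskey_rr, parent_ds_rrs):
    """Chain-of-trust check: does the parent publish a DS for this KSK?
    Compares key tag, algorithm, digest type and digest."""
    ours = ds_record(child_dnskey_rr).split()[-4:]
    return any(ds.split()[-4:] == ours for ds in parent_ds_rrs)


# Constructed placeholder: flags 257 (KSK/SEP), protocol 3, algorithm 8,
# "public key" bytes 01 02 03 04. Not a real key.
SAMPLE_KSK = "foo.com. IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK))
```

In operation the parent side of the check is the DS RRset fetched from the parent's authoritative servers (dig DS foo.com), and the child side is the DNSKEY RRset the zone currently serves; a mismatch after a rollover means every validating resolver will return SERVFAIL for the zone.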
Agenda: Combat Malware with DNS Firewall
DNS-exploiting Malware
§ Technology trends are accelerating the spread of this class of malware
§ DNS-exploiting malware is the underpinning for a variety of attacks
§ Professional attackers are successfully exploiting the largely unprotected DNS infrastructure
Advanced Persistent Threat / Botnet Malware: Too Dangerous to Ignore
How botnets exploit DNS to operate:
1. Infects clients with Trojan horse spyware and backdoor code that is undetectable by existing security approaches
2. The botnet controller also avoids detection by existing security approaches; the backdoor locates the controller using DNS
3. Criminal elements pay botnet operators for data; the botnet operator instructs the spyware to collect sensitive data, whether governmental, corporate, or private
4. Botnet operators are also paid to launch DDoS attacks or to generate spam
Industry's First True DNS Security Solution
Infoblox DNS Firewall stops DNS-exploiting malware (APT & botnets). Preventive, timely, tunable:
§ Prevents malware infection and execution
§ Leverages a high-quality malware data feed updated in near real time
§ Maximizes potency against malware worldwide
How Does the DNS Firewall Work?
1. Malware data feed from Infoblox: dynamic policy update
2. Dynamic Grid-wide policy distribution to every Infoblox DNS Firewall / recursive DNS server
3. An infected client follows a link to malicious www.badsite.com; the recursive server applies the policy and blocks / disallows the session
4. The client is redirected to a landing page / walled garden
5. The client's attempt to contact the botnet hits the same policy
6. Write to syslog and send to the reporting appliance
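The decision in steps 1 to 6 above, as an added example that is not part of the deck or of Infoblox's implementation: a feed of malicious domains becomes a policy, each query is matched against it (a rule for a domain also covers its subdomains, as an RPZ-style wildcard would), an action of block, redirect or pass is applied, and a syslog-style line records which client asked so the reporting side can trace it later. The feed format, the action names and the walled-garden address are assumptions.

```python
"""Added example (not Infoblox code): a minimal model of the DNS Firewall
decision. Feed format, actions and the walled-garden address are
assumptions; the feed content is constructed for this example."""

# Constructed feed: "<domain> <action>" per line. block answers NXDOMAIN,
# redirect answers with the walled-garden address, pass resolves normally
# but still logs (a monitoring-only rule).
FEED = """\
# domain            action
badsite.com         redirect
cnc.evil.example    block
tracker.example     pass
"""

WALLED_GARDEN = "192.0.2.10"  # assumed landing-page address (TEST-NET-1 range)


def load_feed(text):
    """Parse the feed into {domain: action}; re-run on every feed update."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, action = line.split()
        policy[domain.lower().rstrip(".")] = action.lower()
    return policy


def match(policy, qname):
    """Longest-suffix match so that a rule for badsite.com also covers
    www.badsite.com. Returns (matched_rule, action) or (None, "pass")."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return candidate, policy[candidate]
    return None, "pass"


def resolve(policy, client_ip, qname, upstream):
    """Answer one query. `upstream` stands in for normal recursion.
    Returns (rcode, answer, log_line); log_line is None when no rule fired."""
    rule, action = match(policy, qname)
    if action == "block":
        rcode, answer = "NXDOMAIN", None
    elif action == "redirect":
        rcode, answer = "NOERROR", WALLED_GARDEN
    else:
        rcode, answer = "NOERROR", upstream(qname)
    log_line = None
    if rule is not None:
        # The client address is what lets the reporting side map the hit
        # back to a DHCP lease / MAC address later.
        log_line = (f"dns-firewall client={client_ip} qname={qname} "
                    f"rule={rule} action={action} rcode={rcode}")
    return rcode, answer, log_line


if __name__ == "__main__":
    policy = load_feed(FEED)
    fake_recursion = lambda name: "198.51.100.1"
    for q in ("www.badsite.com", "cnc.evil.example", "www.example.com"):
        print(resolve(policy, "10.1.1.22", q, fake_recursion))
```

Two properties matter operationally and are both visible here: a policy hit is logged even for pass rules, because the log is what later identifies the client, and the control only sees queries that actually go through this resolver, so egress filtering of direct port-53 traffic to outside resolvers is what keeps malware from simply asking another server.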
Infoblox DNS Firewall: New Reporting Option (Security Policy Violations Report)
§ Information provided
  – List of top infected clients
  – Which malicious domains were requested and the number of requests
  – Mitigation performed (e.g. Redirect, Block, or Pass)
  – Lease history by MAC address via drill-down option ("click to view history for this IP")
§ Enabling
  – Pinpoint the infected client by MAC address and by physical location
    • Explore the full lease history for dynamic environments
  – Near real-time mitigation or assignment to task lists
Effectiveness Against DNS-Exploiting Malware

Web Filter (Cyberoam, bloxx, etc.):
– Focus: block inappropriate content
– Detection: web traffic only, no DNS monitoring
– Mitigation: stops the client from accessing an inappropriate site; URL blocking; no IP blocking; no domain blocking; may or may not pinpoint clients
– Requires: gateway appliances

Legacy Firewall with Reputation Feed (Cisco, Juniper, Checkpoint, etc.):
– Focus: access filtering
– Detection: IP addresses only, no DNS monitoring
– Mitigation: stops traffic to / from objectionable IP addresses; IP blocking; no URL blocking; no domain blocking; no client pinpointing
– Requires: none

Data Loss Prevention (e.g. Websense):
– Focus: all, including binaries
– Detection: all traffic, generally doesn't monitor DNS
– Mitigation: depends on location; IP blocking; no URL blocking; no domain blocking; no client pinpointing
– Requires: span port on each switch, sensors, gateway appliances

Infoblox DNS Firewall:
– Focus: DNS-exploiting malware
– Detection: malicious entities (domain, IP, application, location)
– Mitigation: full prevention and mitigation; prevents infection; prevents communication with malicious entities; pinpoints clients for cleanup
– Requires: no additional hardware

(Vendor comparison. A DNS-layer control covers only clients that resolve through the protected resolvers; malware using hard-coded IP addresses or an outside resolver is not seen unless egress DNS is restricted.)
Customer Benefits
§ Keep Malware from Overloading Your Team
§ Build Malware remediation into your IT systems and processes
§ Minimize Your Business Exposure from DNS-exploiting Malware
DNS Firewall Advantages
§ Easy to deploy: enable the feature on the existing DNS caching server; automated feeds; proactively prevents infection
§ Effective: added security plugs the hole of DNS-based threats
§ Efficient: reduces the load on existing DPI/content filtering defenses
§ DNS Firewall is OS/device independent
§ Auditability / trackability / remediation: ability to target an infected device days or even weeks later
§ Policy flexibility by action, by geo, and by type
Infoblox High-Integrity DNS: Scalable, Secure, Manageable
§ Most scalable, secure and manageable DNS caching solution for ISPs, telcos, MSOs and mobile network operators
  – High scale with minimal hardware deployment
  – Advanced embedded security against modern threats
  – Cost-effective centralized management and visibility
Within the Layer, DNS Security Must Be Multi-tier
Threats on the network side, the ISP side and the DNS appliance itself: DDoS (including DDoS from internal "zombies"), man-in-the-middle (including man-in-the-middle from BYOD), device attack, malware infection, botnet command and control, physical attack.
Tiers that address them:
§ Admin authentication
§ Hardware / OS hardening
§ Stateful DNS firewall
§ DNSSEC, port randomization, etc. (man-in-the-middle)
§ Application-level DNS firewall (malware infection, botnet command and control)
Conclusions
§ Five steps to a secure network:
1. Solid DNS appliance foundation
2. Unified management and visibility
3. DNSSEC
4. Combat malware with DNS Firewall
5. Go to #1
Thank you!
FIN …
Adam Obszyński CISSP, CCIE #8557
[email protected] +48-696-196-509