Slide 1 | © 2013 Infoblox Inc. All Rights Reserved.
Protecting Critical Network Infrastructure
Krupa Srivatsan | Senior Product Marketing Manager
January 2014
Slide 2
Agenda
• Infoblox Overview
• Security Challenges
• Infoblox Solutions: Advanced DNS Protection, DNS Firewall
Slide 3
Infoblox Overview & Business Update
• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Market leadership: Gartner “Strong Positive” rating; 40%+ market share (DDI)
• 6,900+ customers, 55,000+ systems shipped
• 35 patents, 29 pending
• IPO April 2012: NYSE BLOX
• Leader in technology for network control
[Chart: Total Revenue ($MM), fiscal year ending July 31: FY2007 $35.0, FY2008 $56.0, FY2009 $61.7, FY2010 $102.2, FY2011 $132.8, FY2012 $169.2, FY2013 $225.0; 30% CAGR]
Slide 4
Infoblox: Technology for Network Control
[Diagram: three layers. Network infrastructure (firewalls, switches, routers, web proxy, load balancers): discovery, real-time configuration & change, compliance; historical / real-time reporting & control. Apps & endpoints (end points, virtual machines, private cloud, applications): essential network control functions, DNS, DHCP, IPAM (DDI). Control plane: Infoblox Grid with real-time network database. Infrastructure security spans all layers.]
Slide 5
Why Is DNS an Ideal Attack Target?
• DNS is the cornerstone of the Internet, used by every business and government
• The DNS protocol is stateless and hence vulnerable
• DNS as a protocol is easy to exploit
• Maximum impact with minimum effort
Slide 6
Today’s Security Challenges
Trend 1: Attacks Targeting DNS
  Challenge: Unprotected DNS infrastructure introduces security risks
  Infoblox response: Advanced DNS Protection
  • Detection & mitigation of attacks
  • On-going protection against evolving threats
Trend 2: APT / Malware
  Challenge: APT / malware exploits DNS to get around traditional security infrastructure
  Infoblox response: DNS Firewall
  • Disrupts malware communication
  • Pinpoints infected devices for remediation
Slide 7
Attacks Targeting DNS
Slide 8
External Attacks on DNS
• DNS-based attacks are on the rise
• Traditional protection is ineffective against evolving threats
• DNS outage causes network downtime, loss of revenue, and negative brand impact
• Unprotected DNS infrastructure introduces security risks
Slide 9
2013 – DNS Threat is Significant
• Attacks against DNS infrastructure growing: DNS-specific attacks up 200% in 2012; ICMP, SYN, UDP attacks
[Chart: share of attacks by target protocol (Source: Arbor Networks): HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VOIP 19%, IRC 11%, Other 7%. DNS is the #2 attack vector protocol.]
[Chart: infrastructure-layer DDoS attack types, 76.52% of all attacks (Source: Prolexic Quarterly Global DDoS Attack Report Q3 2013): UDP FRAGMENT 17.11%, SYN 14.56%, UDP FLOODS 13.15%, ICMP 9.71%, DNS 9.58%, CHARGEN 6.39%, ACK 2.81%, RESET 1.4%, FIN PUSH 1.28%, SYN PUSH 0.38%, RP 0.26%, TCP FRAGMENT 0.13%.]
Slide 10
The Solution: Infoblox Advanced DNS Protection
Unique Detection and Mitigation
• Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling
• Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests
Centralized Visibility
• Centralized view of all attacks happening across the network through detailed reports
• Intelligence needed to take action
Ongoing Protection Against Evolving Threats
• Regular automatic threat-rule updates based on threat analysis and research
• Helps mitigate attacks sooner vs. waiting for patch updates
Slide 11
Fully Integrated into Infoblox Grid
[Diagram: the Infoblox Threat-rule Server sends automatic updates to the Grid Master, which distributes rules Grid-wide. Advanced DNS Protection appliances (external authoritative, new; internal recursive, new) block DNS attacks (amplification, cache poisoning, reconnaissance, DNS exploits) while passing legitimate traffic, and send data for reports to the Reporting Server, which reports on attack types and severity.]
Slide 12
What Attacks Do We Protect Against?
• DNS reflection/DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
• DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
• DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
• TCP/UDP/ICMP floods: denial of service on layer 3, bringing a network or service down by flooding it with large amounts of traffic
• DNS cache poisoning: corruption of the DNS cache data with a rogue address
• Protocol anomalies: causing the server to crash by sending malformed packets and queries
• Reconnaissance: attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
• DNS tunneling: tunneling of another protocol through DNS for data exfiltration
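Two of the attack classes on this slide, amplification (a DNS server being used as a reflector) and tunneling (data carried in query names), leave recognisable traces in an ordinary resolver query log. The script below is an added example, not Infoblox code and not anything the deck describes internally: it parses a constructed log format (epoch, client, qname, qtype, response bytes) and applies the usual first-cut heuristics a detection engineer would write, a response-to-request size ratio for amplification and subdomain length plus Shannon entropy for tunneling. The thresholds, the naive "last two labels" registered-domain rule and the sample lines are all assumptions; the same length/entropy heuristic is also the conventional first cut for algorithmically generated (DGA) names.

```python
import math
from collections import defaultdict

# Constructed resolver query-log sample (not real traffic):
# "<epoch> <client_ip> <qname> <qtype> <response_bytes>"
SAMPLE_LOG = """\
1389000000 10.1.1.5 www.example.com A 120
1389000001 10.1.1.5 mail.example.com MX 140
1389000002 10.1.1.7 aGVsbG8gd29ybGQ.dGhpcyBpcyBh.ex-tunnel.test TXT 210
1389000003 10.1.1.7 c2VjcmV0IGRhdGE.bW9yZSBkYXRh.ex-tunnel.test TXT 215
1389000004 10.1.1.7 ZmlsZSBjaHVuaw.bnVtYmVyIHR3bw.ex-tunnel.test TXT 220
1389000005 10.1.1.7 YW5vdGhlciBi.bG9iIG9mIGJ5dGVz.ex-tunnel.test TXT 225
1389000006 198.51.100.9 example.com ANY 3100
1389000007 198.51.100.9 example.com ANY 3100
1389000008 198.51.100.9 example.com ANY 3100
1389000009 198.51.100.9 example.com ANY 3100
1389000010 203.0.113.4 example.com ANY 3100
1389000011 10.1.1.9 cdn.example.net A 118
"""


def parse_log(text):
    """Parse the constructed log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rbytes = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype.upper(), "response_bytes": int(rbytes)})
    return records


def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain). Assumption: last two labels are
    the registered domain; production code would consult the Public Suffix List."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunneling(records, min_unique=3, min_sub_len=20, min_entropy=3.0):
    """Flag registered domains that receive many unique, long, high-entropy subdomains."""
    per_domain = defaultdict(list)
    for r in records:
        sub, dom = split_name(r["qname"])
        if sub:
            per_domain[dom].append(sub)
    flagged = {}
    for dom, subs in per_domain.items():
        unique = set(subs)
        if len(unique) < min_unique:
            continue
        avg_len = sum(len(s) for s in unique) / len(unique)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in unique) / len(unique)
        if avg_len >= min_sub_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_subdomains": len(unique),
                            "avg_sub_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged


def estimated_query_bytes(qname):
    """Rough DNS query size: 12-byte header + encoded name (len + 2) + QTYPE/QCLASS (4).
    EDNS is ignored, so the ratio is an upper bound."""
    return 12 + len(qname) + 2 + 4


def find_amplification(records, min_ratio=20.0, min_queries=3):
    """Flag clients repeatedly pulling responses far larger than their queries:
    the signature of this server being used as a reflector against them."""
    per_client = defaultdict(lambda: {"queries": 0, "max_ratio": 0.0})
    for r in records:
        ratio = r["response_bytes"] / estimated_query_bytes(r["qname"])
        if ratio >= min_ratio:
            st = per_client[r["client"]]
            st["queries"] += 1
            st["max_ratio"] = max(st["max_ratio"], round(ratio, 1))
    return {c: s for c, s in per_client.items() if s["queries"] >= min_queries}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tunneling candidates:", find_tunneling(recs))
    print("reflection/amplification candidates:", find_amplification(recs))
```

The amplification check deliberately keys on the source address rather than the query type: a flood of ANY queries is the classic case, but any record type that produces a large answer works the same way, and the address is what an operator rate-limits or investigates.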
Slide 13
Infoblox Differentiation and Value
[Table: columns Infoblox Standard, Infoblox Advanced, Load Balancers, Pure DDoS, NGFW, IPS, Cloud; the check marks per row are preserved below, but which column each mark belongs to is not recoverable from the extracted text.]
DNS server ✓ ✓ ✓
General DDoS ✓ ✓ ✓
DNS DDoS ✓ ✓ ✓ ✓
DNS server OS and application vulnerabilities ✓ ✓ ✓
Flood attacks ✓ ✓ ✓ ✓ ✓ ✓
Semantic attacks ✓ ✓ ✓
Cache poisoning ✓
DNS Reflection ✓
Tunneling ✓ ✓ ✓
DNS Amplification ✓
Slide 14
External Authoritative and Internal Recursive
[Diagram: enterprise deployment. Advanced DNS Protection in the DMZ in front of the external authoritative servers filters Internet traffic (reconnaissance, amplification, exploits, DNS tunneling) and passes legitimate traffic. Advanced DNS Protection on the internal recursive servers in the datacenter and campus/regional sites filters intranet traffic from endpoints (amplification, cache poisoning) and passes legitimate traffic. Grid Master and Grid Master Candidate (HA) manage both. Protection against cyber attacks and internal DNS attacks.]
Slide 15
Service Providers
• Protection against attacks on caching servers
• Authoritative DNS services
• Platform: IB 4030
Slide 16
APT / Malware
Slide 17
[Chart: Security Breaches Using Malware / APT, 2013, by quarter (Q1–Q4)]
Slide 18
Malware/APT Requires DNS
Every step of the malware life cycle relies on DNS:
• Infection: query a malicious domain
• Download: query the ‘call home’ server
• Exfiltration: query exfiltration destinations
Slide 19
Infoblox DNS Firewall: Industry’s First True DNS Security Solution
Disrupts DNS-exploiting APT / malware (C&C & botnets) communication
PREVENTIVE | TIMELY | TUNABLE
• Leverages high quality DNS Firewall Subscription Service updated in near real time
• Maximizes potency against APT / malware worldwide
• Disrupts malware communication and execution
Slide 20
Infoblox DNS Firewall – How Does it Work?
1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
2. The malware makes a DNS query for a “bad” domain to find “home.” The DNS Firewall (Infoblox DDI with DNS Firewall) has the “bad” domain in its table of malicious domains and blocks the connection; the blocked attempt is sent to Syslog.
3. The DNS server is continually updated by a live reputational feed of malicious domains to reflect the rapidly changing list.
4. Infoblox Reporting provides the list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease.
Slide 21
DNS Firewall – FireEye Adapter: How Does it Work?
1. A mobile device receives an infected URL or content (endpoint attempting to download an infected file). The bad .exe or malware starts to communicate or spread across the network.
2. FireEye NX detonates the traffic from the device and detects advanced malware. It determines the traffic is bad and provides the domains and IP addresses the .exe / URL is trying to connect to, to the DNS Firewall via the FireEye Adapter.
3. The DNS Firewall (Infoblox DDI with DNS Firewall) is updated and blocks the connection attempts to the domains/IP addresses provided by FireEye NX; the blocked attempt is sent to Syslog.
4. Infoblox Reporting provides the list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease.
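The two "how does it work" slides above describe the same mechanism from the resolver's point of view: a table of bad domains consulted per query, a feed that keeps that table current (a subscription in slide 20, detonation results from FireEye NX in slide 21), a syslog line per blocked attempt, and DHCP data joined to the client IP so the report names the device. The following is an added Python example of that flow, written for this page and not Infoblox's or FireEye's code; the feed entries, the DHCP lease table, the `*.` subtree convention, the syslog line format and the NXDOMAIN policy are all assumptions constructed for the demonstration.

```python
from datetime import datetime, timezone

# Constructed reputational feed entries (placeholder names, not real indicators).
# A leading "*." marks a whole subtree; anything else is matched exactly.
FEED = ["evil-example.test", "*.c2-example.test"]

# Constructed DHCP lease table keyed by client IP: stands in for the DDI data
# that slide step 4 joins to each blocked attempt.
LEASES = {
    "10.1.1.7": {"mac": "00:11:22:33:44:55", "hostname": "sales-laptop-07",
                 "fingerprint": "Android", "lease_end": "2014-01-15T10:00:00Z"},
}


class DnsFirewall:
    """Resolver-side domain policy: block listed names, log and enrich each event."""

    def __init__(self, feed, leases, policy="NXDOMAIN"):
        self.exact = set()
        self.subtree = set()
        self.leases = leases
        self.policy = policy      # what the client is told: NXDOMAIN or a walled-garden address
        self.syslog = []          # captured log lines (stand-in for a syslog socket)
        self.update_feed(feed)

    def update_feed(self, entries):
        """Step 3 (feed refresh) and the FireEye adapter push both land here."""
        for entry in entries:
            name = entry.lower().rstrip(".")
            if name.startswith("*."):
                self.subtree.add(name[2:])
            else:
                self.exact.add(name)

    def match(self, qname):
        """Return the rule covering qname, or None. Subtree rules are found by
        walking up the name: a.b.c.test, b.c.test, c.test, test."""
        name = qname.lower().rstrip(".")
        if name in self.exact:
            return name
        labels = name.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.subtree:
                return "*." + parent
        return None

    def enrich(self, client_ip):
        """Join the lease record so the report can name the device, not just the IP."""
        lease = self.leases.get(client_ip)
        if lease is None:
            return {"mac": None, "hostname": None, "fingerprint": None, "lease_end": None}
        return dict(lease)

    def resolve(self, client_ip, qname, qtype="A"):
        """Step 2: per-query decision; blocked attempts are logged with device context."""
        rule = self.match(qname)
        if rule is None:
            return {"action": "ALLOW", "client": client_ip, "qname": qname, "qtype": qtype}
        event = {"action": "BLOCK", "client": client_ip, "qname": qname,
                 "qtype": qtype, "rule": rule, "policy": self.policy}
        event.update(self.enrich(client_ip))
        self.syslog.append(format_syslog(event))
        return event


def format_syslog(event):
    """Constructed one-line log format (not Infoblox's own syslog layout)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"{ts} dnsfw: {event['action']} client={event['client']} "
            f"qname={event['qname']} qtype={event['qtype']} rule={event['rule']} "
            f"policy={event['policy']} mac={event['mac']} host={event['hostname']} "
            f"fp={event['fingerprint']}")


if __name__ == "__main__":
    fw = DnsFirewall(FEED, LEASES)
    fw.resolve("10.1.1.7", "www.example.com")          # allowed, nothing logged
    fw.resolve("10.1.1.7", "bot.c2-example.test")      # blocked by the subtree rule
    fw.update_feed(["update-example.test"])            # indicators pushed by an adapter
    fw.resolve("10.1.1.9", "update-example.test")      # blocked, no lease known for 10.1.1.9
    for line in fw.syslog:
        print(line)
```

Two design points carry over to real deployments: matching must normalise case and the trailing dot before lookup, otherwise a trivially varied query name slips past the table, and a blocked event with no lease record is still worth logging, since the missing join itself tells the responder the client is not a DHCP-managed device.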
Slide 22
What Protection does DNS Firewall Provide?
• DGA: domain generating algorithm malware that randomly generates domains to connect to malicious networks or botnets
• Fast Flux: rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
• APT / Malware: malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)
• DNS Hijacking: hijacking DNS registry(s) & re-directing users to malicious domain(s)
• Geo-Blocking: blocking access to geographies that have high rates of malicious domains or are under Economic Sanctions by the US Government
Slide 23
Anatomy of an Attack: Cryptolocker “Ransomware”
• Targets Windows-based computers
• Appears as an attachment to legitimate looking email
• Upon infection, encrypts files: local hard drive & mapped network drives
• Ransom: 72 hours to pay $300US
• Fail to pay and the encryption key is deleted and data is gone forever
• Only way to stop (after executable has started) is to block outbound connection to encryption server
Infoblox DNS Firewall blocks all connections to Cryptolocker domains
Slide 24
Cryptolocker Timeline and Infoblox Response
1. September 13 – Trial run: initial roll-out of Cryptolocker started; limited distribution & payment testing. Oct. 8th – Full distribution via ‘pay per infection’.
2. October 18th – Cryptolocker behavior fully characterized. Infoblox DNS Firewall Subscription (Infoblox malware data feed) updated with domains & IP addresses. Customers protected.
3. Infoblox DNS Firewall (Infoblox DDI with DNS Firewall) now blocks Cryptolocker encryption servers.
4. DNS Firewall logs all attempted connections with Cryptolocker servers to Syslog, complete with IP and MAC addresses and device type, to drive remediation.
Infoblox DNS Firewall geo-blocks delivered zero-day protection against Cryptolocker by blocking Eastern Europe domains.
Infoblox DNS Firewall Protects Against Cryptolocker Malware
Slide 25
Summary
• Unprotected DNS infrastructure introduces security risks: Advanced DNS Protection protects against DNS-based attacks like DDoS, cache poisoning, malformed packets and tunneling
• APT / malware exploits DNS to get around traditional security infrastructure: DNS Firewall & FireEye Adapter disrupt malware usage of DNS and pinpoint the device to drive faster remediation (using Infoblox DDI)
Slide 26
Q&A
Slide 27
Thank you!
For more information www.infoblox.com