Page 1: Expanding Your Network Security

Tim Connelly, Manager, Systems Engineering, tconnelly@infoblox.com

© 2013 Infoblox Inc. All Rights Reserved.

Page 2: What We Do: Innovative Technology for Network Control

Diagram, three layers:

• Apps & End-points: end points, virtual machines, private cloud, applications
• Essential Network Control Functions: DNS, DHCP, IPAM (DDI)
• Network Infrastructure: firewalls, switches, routers, web proxy, load balancers; discovery, real-time configuration & change, compliance
• Control Plane: Infoblox Grid™ with real-time network database; historical / real-time reporting & control

Page 3: Trends Redefining Business Networks

• Threat landscape
• Mobile device explosion
• Virtualization / cloud
• Consolidation
• Software defined networks
• IPv6 transition

Page 4: Maintaining Security with Infoblox

• Protect: Securing DNS
• Control: Firewall Rule & ACL Automation
• Enforce: Compliance & Policy Standardization
• Secure: DNS, DHCP and IP Address Management

Page 5: Securing DNS (Protect)

Page 6: Securing DNS: DNS Firewall

Page 7: DNS-exploiting Malware

• Technology trends are accelerating the spread of this class of malware
• DNS-exploiting malware is the underpinning for a variety of attacks
• Professional attackers are successfully exploiting the largely unprotected DNS infrastructure
• This is a subset of the threats security experts call "Advanced Persistent Threat (APT)" or "Botnet" malware

Page 8: Getting Around Traditional Defenses

Fast Flux: rapid change of IP addresses, which requires a DNS query

• Security researchers discovered Fast Flux usage in November 2006
• Multiple nodes within the botnet register and de-register their IP addresses as part of the DNS A (address) record list for a single DNS name, with a short TTL (5 minutes, 300 seconds)
• DNS queries are used to "find" the C&C or botnet server(s), so the domain name, not any single IP address, is the stable indicator that a DNS-layer control can act on
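The fast-flux signature described on this slide (short TTL, large and constantly changing A-record set for one name) can be scored from successive resolver answers. The following is an added example, not code from the Infoblox deck; the thresholds (`max_ttl`, `min_distinct`, `min_churn`) and the two answer sequences are constructed assumptions for illustration.

```python
"""Added example (not from the Infoblox deck): flag fast-flux behaviour from a
series of DNS A-record answers for one name.

Fast flux shows up as a short TTL combined with a large, constantly changing
set of A records. The thresholds below are illustrative assumptions."""
from dataclasses import dataclass


@dataclass
class Answer:
    """One resolver answer for a name: the TTL and the A records returned."""
    ttl: int
    addrs: tuple


# Constructed sample data: six successive lookups of one fluxing hostname,
# TTL 300 s as on the slide, five addresses per answer, most of them new each time.
FLUX_ANSWERS = [
    Answer(300, ("203.0.113.10", "203.0.113.55", "198.51.100.7", "192.0.2.44", "198.51.100.90")),
    Answer(300, ("203.0.113.55", "192.0.2.19", "198.51.100.7", "192.0.2.101", "203.0.113.3")),
    Answer(300, ("192.0.2.19", "198.51.100.201", "203.0.113.3", "192.0.2.77", "198.51.100.8")),
    Answer(300, ("198.51.100.201", "192.0.2.77", "203.0.113.150", "192.0.2.5", "198.51.100.60")),
    Answer(300, ("203.0.113.150", "192.0.2.5", "198.51.100.33", "192.0.2.88", "203.0.113.222")),
    Answer(300, ("198.51.100.33", "192.0.2.88", "203.0.113.222", "192.0.2.140", "198.51.100.177")),
]

# A normal CDN-style name: short TTL too, but a stable address set across lookups.
STABLE_ANSWERS = [Answer(60, ("203.0.113.10", "203.0.113.11"))] * 6


def flux_score(answers, max_ttl=600, min_distinct=10, min_churn=0.5):
    """Return (is_flux, stats) for a sequence of answers to one name.

    churn is the fraction of addresses in each answer that were absent from the
    previous answer, averaged over the sequence. A low TTL alone is normal (CDNs
    use it); low TTL plus many distinct addresses plus high churn is the signal.
    """
    distinct = set()
    churn_sum, transitions = 0.0, 0
    prev = None
    for a in answers:
        cur = set(a.addrs)
        distinct |= cur
        if prev is not None:
            churn_sum += len(cur - prev) / len(cur)
            transitions += 1
        prev = cur
    churn = churn_sum / transitions if transitions else 0.0
    low_ttl = all(a.ttl <= max_ttl for a in answers)
    stats = {"distinct": len(distinct), "churn": round(churn, 2), "low_ttl": low_ttl}
    is_flux = low_ttl and len(distinct) >= min_distinct and churn >= min_churn
    return is_flux, stats


if __name__ == "__main__":
    for label, seq in (("flux", FLUX_ANSWERS), ("stable", STABLE_ANSWERS)):
        print(label, flux_score(seq))
```

The churn term is what keeps a legitimate low-TTL CDN name out of the verdict; feeding the scorer from your recursive server's query log lets you build the blocklist entry for the name rather than chasing its addresses.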

Page 9: Complement to Existing Security Defense in Depth

• Traditional or Next Generation Firewall (e.g. Check Point, Juniper, Palo Alto, Imperva, Cisco, etc.)
• Anti-Virus (e.g. Symantec, McAfee, Webroot, Kaspersky, etc.)
• Email / Web Security (e.g. Blue Coat, McAfee, Websense)
• Advanced Persistent Threat (e.g. Damballa, FireEye)
• Security Information and Event Management (SIEM) (e.g. Trustwave, McAfee, Q1 Labs)

Page 10: Infoblox DNS Firewall

Diagram components: reputational feed from Infoblox, Grid-wide policy distribution, Infoblox DNS Firewall / recursive DNS servers, walled garden (garden.yourcompany.com), infected client. Flow of a blocked lookup:

1. Dynamic policy update from the Infoblox reputational feed
2. Dynamic Grid-wide policy distribution to every DNS Firewall / recursive DNS server
3. Infected client queries badsite.com; the recursive server applies policy
4. Redirect the client to the walled garden (garden.yourcompany.com)
5. Block / disallow the session, so the client cannot contact the botnet
6. Write to syslog and send to Trinzic Reporting

Page 11: Detailed Tracking and Reporting Options

Automatic reporting:

• Top infected clients
• Malicious requested domains and number of requests
• Lease history by MAC address with detailed drill down
• Security Policy Violations Report
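The policy step of the DNS Firewall flow (match a query against the reputation feed, redirect to the walled garden or block, write a syslog line) and the reporting built on those lines (top infected clients, malicious domains with request counts) fit in one small example. This is an added example, not Infoblox code: the feed contents, the wildcard-entry convention, the walled-garden name and the syslog line format are assumptions made for the example.

```python
"""Added example (not Infoblox code): a minimal DNS-firewall policy step and
the reporting that runs over its syslog lines.

The reputation feed, the walled-garden name and the log format are assumptions."""
import re
from collections import Counter

# Constructed reputation feed: domain -> action. A leading "*." entry covers
# every subdomain of the listed domain as well as the domain itself.
FEED = {
    "badsite.com": "redirect",
    "*.c2-updates.example": "block",
}
WALLED_GARDEN = "garden.yourcompany.com"


def normalize(name):
    """Lower-case and strip the trailing dot so 'BadSite.COM.' matches 'badsite.com'."""
    return name.lower().rstrip(".")


def apply_policy(client_ip, qname, feed=FEED):
    """Return (action, answer, logline) for one query against the feed.

    action is 'pass', 'redirect' (CNAME to the walled garden) or 'block'
    (NXDOMAIN). logline is the syslog-style record that reporting consumes.
    """
    q = normalize(qname)
    action, matched = "pass", None
    for entry, verdict in feed.items():
        if entry.startswith("*."):
            base = entry[2:]
            if q == base or q.endswith("." + base):
                action, matched = verdict, entry
                break
        elif q == entry:
            action, matched = verdict, entry
            break
    answer = {"pass": "resolve", "redirect": f"CNAME {WALLED_GARDEN}", "block": "NXDOMAIN"}[action]
    logline = f"dnsfw client={client_ip} qname={q} action={action} rule={matched or '-'}"
    return action, answer, logline


# Only policy hits are counted; 'pass' lines are ignored by the report.
LOG_RE = re.compile(r"dnsfw client=(\S+) qname=(\S+) action=(redirect|block) rule=(\S+)")


def report(loglines, top=3):
    """Top infected clients and most-requested malicious domains from log lines."""
    clients, domains = Counter(), Counter()
    for line in loglines:
        m = LOG_RE.search(line)
        if m:
            clients[m.group(1)] += 1
            domains[m.group(2)] += 1
    return {"top_clients": clients.most_common(top), "top_domains": domains.most_common(top)}


# Constructed query stream: two infected hosts, one that is mostly clean.
QUERIES = [
    ("10.1.1.5", "badsite.com."), ("10.1.1.5", "update.c2-updates.example"),
    ("10.1.1.5", "BadSite.COM"), ("10.1.1.9", "www.example.org"),
    ("10.1.1.7", "badsite.com"), ("10.1.1.9", "c2-updates.example."),
]
LOGS = [apply_policy(ip, name)[2] for ip, name in QUERIES]

if __name__ == "__main__":
    print("\n".join(LOGS))
    print(report(LOGS))
```

The normalization step matters in practice: a feed that only matches exact, lower-case names without the trailing dot is trivially bypassed by mixed-case or subdomain queries, which is why the wildcard form is applied as a suffix match.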

Page 12: Securing DNS: Advanced DNS Protection

Page 13: The Problem

• DNS-based attacks are on the rise
• Traditional protection is ineffective against evolving threats
• DNS outage causes network downtime, loss of revenue, and negative brand impact
• Unprotected DNS infrastructure introduces security risks

Page 14: Why is DNS an Ideal Attack Target?

• DNS is the cornerstone of the Internet, used by every business and government
• DNS normally runs over UDP and is stateless, so a source address can be spoofed and the server cannot distinguish a reflected request from a genuine one
• DNS as a protocol is easy to exploit
• Maximum impact with minimum effort

Page 15: 2013 – DNS Threat is Significant

• Attacks against DNS infrastructure are growing: DNS-specific attacks up 200% in 2012; ICMP, SYN and UDP attacks growing significantly too (Source: Arbor Networks)

Chart, attack vector protocols (Source: Arbor Networks; values paired with labels in chart order): HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VOIP 19%, IRC 11%, Other 7%. DNS is the #2 attack vector protocol.

Chart, infrastructure-layer attack types, Q3 2013 (Source: Prolexic Quarterly Global DDoS Attack Report Q3 2013; infrastructure layer 76.52% of attacks in total): SYN 18.16%, UDP floods 14.66%, UDP fragment 14.66%, ICMP 11.41%, DNS 8.94%, CHARGEN 3.37%, RESET 1.94%, ACK 1.69%, TCP fragment 0.65%, FIN PUSH 0.39%, RP 0.39%, RIP 0.13%, SYN PUSH 0.13%.

Page 16: How DNS DDoS is Becoming Easier

• Attack apps are being built and sold: one script offered for $800
• Launches DDoS taking advantage of server bandwidth
• 4 types of DDoS attacks supported: DNS amplification, spoofed SYN, spoofed UDP, HTTP with proxy support
• Used in DDoS attacks against major U.S. financial institutions

Page 17: The Solution - Infoblox Advanced DNS Protection

Unique Detection and Mitigation
• Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling
• Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests

Centralized Visibility
• Centralized view of all attacks happening across the network through detailed reports
• Intelligence needed to take action

Ongoing Protection Against Evolving Threats
• Regular automatic threat-rule updates based on threat analysis and research
• Helps mitigate attacks sooner vs. waiting for patch updates

Page 18: Solution Components

Infoblox Advanced Appliance (PT-1400, PT-2200, PT-4000)
• DNS appliance purpose built with security in mind
• Enhanced processing and dedicated compute for threat mitigation

Infoblox Advanced DNS Protection Service
• Advanced DNS Protection activation
• Automatic updates for protection against new and evolving threats
• Support and Maintenance

Note: Customers who have IB-4030 Rev2 need to purchase a separate Adv. DNS Protection license.

Page 19: Fully Integrated into Infoblox Grid

Diagram: the Infoblox Threat-rule Server pushes automatic updates to the Grid Master, which performs Grid-wide rule distribution. Advanced DNS Protection on the external authoritative servers (new) blocks amplification and cache poisoning attacks while passing legitimate traffic; Advanced DNS Protection on the internal recursive servers (new) blocks reconnaissance and DNS exploits. Members send data for reports to the Reporting Server, which reports on attack types and severity.

Page 20: What Attacks Do We Protect Against?

• DNS reflection/DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
• DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
• DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
• TCP/UDP/ICMP floods: denial of service at layers 3 and 4, bringing a network or service down by flooding it with large amounts of traffic
• DNS cache poisoning: corruption of the DNS cache data with a rogue address
• Protocol anomalies: causing the server to crash by sending malformed packets and queries
• Reconnaissance: attempts by attackers to get information on the network environment before launching a DDoS or other attack
• DNS tunneling: tunneling of another protocol through DNS for data exfiltration
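Three of the classes above (amplification, reconnaissance, tunneling) can be separated from ordinary traffic with simple per-query and per-source rules, which is the kind of distinction page 17 describes. The block below is an added example, not Infoblox Advanced DNS Protection code; the thresholds, the sample query records and the entropy cut-off are assumptions for illustration.

```python
"""Added example (not Infoblox Advanced DNS Protection code): simple per-query
and per-source rules that separate amplification, reconnaissance and tunneling
queries from ordinary traffic. Thresholds and sample records are assumptions."""
import hashlib
import math
from collections import Counter, defaultdict

# Constructed query records: (source_ip, qname, qtype, qclass).
RECORDS = (
    [("198.51.100.4", "www.example.org", "A", "IN")] * 3                    # legitimate
    + [("203.0.113.77", "isc.org", "ANY", "IN")] * 60                       # reflection/amplification
    + [("203.0.113.9", "example.org", "AXFR", "IN"),                        # reconnaissance
       ("203.0.113.9", "version.bind", "TXT", "CH")]
    + [("10.1.1.5", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]  # tunneling
        + ".tun.example.net", "TXT", "IN") for i in range(40)]
)


def entropy(s):
    """Shannon entropy in bits per character of a label."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify(records, any_rate=20, tunnel_labels=25, label_entropy=3.2):
    """Return {verdict: set of source IPs} over a batch of query records.

    amplification: one source sending many ANY queries. In a reflection attack
                   that source is the spoofed victim, so the right mitigation is
                   rate-limiting responses to it, not blocking an "attacker".
    recon:         zone-transfer attempts or CHAOS-class server-version probes.
    tunneling:     many unique, long, high-entropy leftmost labels under one
                   parent domain from the same source (encoded payload chunks).
    """
    verdicts = defaultdict(set)
    any_count = Counter()
    tunnel_seen = defaultdict(set)          # (src, parent domain) -> leftmost labels
    for src, qname, qtype, qclass in records:
        if qtype == "ANY":
            any_count[src] += 1
        if qtype == "AXFR" or qclass == "CH":
            verdicts["recon"].add(src)
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) >= 3:
            first, parent = labels[0], ".".join(labels[1:])
            if len(first) >= 20 and entropy(first) >= label_entropy:
                tunnel_seen[(src, parent)].add(first)
    for src, n in any_count.items():
        if n >= any_rate:
            verdicts["amplification"].add(src)
    for (src, _parent), labels in tunnel_seen.items():
        if len(labels) >= tunnel_labels:
            verdicts["tunneling"].add(src)
    return dict(verdicts)


if __name__ == "__main__":
    for verdict, sources in classify(RECORDS).items():
        print(verdict, sorted(sources))
```

The tunneling rule keys on the parent domain rather than the whole name because each exfiltration query carries a fresh leftmost label; counting unique labels per (source, parent) is what separates it from a busy but legitimate zone.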

Page 21: Intelligence Needed to Take Action

Centralized Visibility: Reporting
• Attack details by category, member, rule, severity, and time
• Visibility into source of attacks for blocking, to understand scope and severity
• Early identification and isolation of issues for corrective action

Page 22: External Authoritative and Internal Recursive Enterprise Deployment

Diagram, datacenter and campus/regional sites: Advanced DNS Protection in the DMZ, in front of the external authoritative servers, filters reconnaissance, amplification, exploits and DNS tunneling arriving from the Internet and passes legitimate traffic. Advanced DNS Protection on the intranet, on the internal recursive servers that serve endpoints, filters amplification and cache poisoning. The Grid Master and Grid Master Candidate (HA) manage both tiers. Protection against cyber attacks and internal DNS attacks.

Page 23: Infoblox Security Device Controller (Control)

Page 24: The Pain of Legacy Processes

Legacy approach (manual), network provisioning time: hours/days. Trigger: firewall change needed, then

1. Search for devices
2. Figure out impacted devices
3. Determine correct config
4. Compare change to standards/compliance
5. Request change / implement manually
6. Reconfirm correctness and compliance

• Manual processes cannot keep up; SLAs are lengthening to weeks or even a month
• Require dedicated, senior network architects
  – Routine, repetitive, error-prone
  – Multiple-vendor expertise needed

Page 25: Automated Network Discovery

• Simple and complete network-wide discovery
• Powerful topology to visualize path

Page 26: Embedded Expertise

• Built-in intelligence automatically provides detailed ACL/rule views
• Detects problems like unused, overlapping and duplicate rules out-of-the-box
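The rule problems named on this slide (unused, overlapping, duplicate) come out of an offline pass over an ordered ACL: a later rule that an earlier one completely covers can never match, an identical rule is a duplicate, and a partial overlap with a different action makes the result depend on rule order. The block below is an added example, not Infoblox NetMRI or Security Device Controller code; the simplified Cisco-like rule syntax and the sample ACL are assumptions for illustration.

```python
"""Added example (not Infoblox code): offline analysis of an ordered ACL for
duplicate, shadowed (unreachable) and order-dependent overlapping rules.
The rule syntax is a simplified Cisco-like form assumed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    line: int
    action: str      # permit | deny
    proto: str       # tcp | udp | ip
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple     # (low, high) destination port range


def parse(text):
    """Parse lines like 'permit tcp 10.0.0.0/8 192.0.2.0/24 eq 443'.
    'any' means 0.0.0.0/0, 'range A B' gives a port span, no port clause means all ports."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        tok = raw.split()
        action, proto = tok[0], tok[1]
        src = ipaddress.ip_network("0.0.0.0/0" if tok[2] == "any" else tok[2])
        dst = ipaddress.ip_network("0.0.0.0/0" if tok[3] == "any" else tok[3])
        if len(tok) > 4 and tok[4] == "eq":
            ports = (int(tok[5]), int(tok[5]))
        elif len(tok) > 4 and tok[4] == "range":
            ports = (int(tok[5]), int(tok[6]))
        else:
            ports = (0, 65535)
        rules.append(Rule(n, action, proto, src, dst, ports))
    return rules


def match_key(r):
    return (r.proto, r.src, r.dst, r.ports)


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    return (proto_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def overlaps(a, b):
    """True if some packet is matched by both rules."""
    proto_ok = "ip" in (a.proto, b.proto) or a.proto == b.proto
    return (proto_ok and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def analyze(rules):
    """Return findings as (kind, earlier_line, later_line).

    duplicate: identical match and action
    shadowed:  the later rule can never match because an earlier one covers it
               (an unused rule; a real conflict when the actions differ)
    overlap:   partial overlap with different actions, so rule order decides
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if match_key(earlier) == match_key(later) and earlier.action == later.action:
                findings.append(("duplicate", earlier.line, later.line))
            elif covers(earlier, later):
                findings.append(("shadowed", earlier.line, later.line))
            elif overlaps(earlier, later) and earlier.action != later.action:
                findings.append(("overlap", earlier.line, later.line))
    return findings


# Constructed ACL: line 4 duplicates line 1, lines 3 and 4 are shadowed by the
# broad deny on line 2, line 6 is shadowed by the permit on line 5.
SAMPLE_ACL = """
permit tcp 10.0.0.0/8 192.0.2.0/24 eq 443
deny ip any 192.0.2.0/24
permit tcp 10.1.0.0/16 192.0.2.10/32 eq 22
permit tcp 10.0.0.0/8 192.0.2.0/24 eq 443
permit udp 10.0.0.0/8 198.51.100.0/24 range 1024 65535
deny udp 10.2.0.0/16 198.51.100.0/25 eq 5000
"""

if __name__ == "__main__":
    for finding in analyze(parse(SAMPLE_ACL)):
        print(*finding)
```

The shadowed case on line 3 is the one that bites in practice: the SSH permit looks correct in isolation and only fails because of the ordering, which a per-rule hit counter would report as "unused" long after the change was approved.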

Page 27: Powerful Search

• Search results identify all matching devices, including vendor-specific syntax
• Easily customize search criteria for one or multiple devices

Page 28: Customizable Alerting

• Immediately identify and track defined alerts to allow or deny access
• Create alerts for both blacklisting and whitelisting

Page 29: Multi-vendor Provisioning

• Maintain control with user-based access rights and change process
• Provision changes in the same platform and view the vendor-specific syntax

Page 30: The Power of Infoblox

Diagram contrasting the legacy approach (manual) with the Infoblox approach (automated) for the same trigger, firewall change needed, and the same six steps: search for devices, figure out impacted devices, determine correct config, compare change to standards/compliance, request change / implement manually, reconfirm correctness and compliance. Provisioning-time labels on the diagram: Hours/Days and Days/Weeks.

Page 31: Compliance, Internal Policies & Best Practices (Enforce & Maintain)

Page 32: Common Standardization & Compliance Situation

• Requirements are researched and documented
• The "gap": the difference between the policies and the actual state of the network devices
• Manual vs automation: it is not reasonable to expect to achieve full compliance through manual processes

Page 33: Infoblox Network Automation Overview

• Network discovery
• Built-in analysis
• Check against best practices
• Detect issues
• Monitor and manage change
• Automate change
• Maintain compliance
• Provision ACL & rules

Collected via: SNMP, CLI/configuration, syslog, fingerprinting. Real-time & historical analysis.

Page 34: Standardization - Compliance Management

• Embedded compliance rules
• Customizable best practice templates
• Manage multiple policies
• Proactive violation detection
• Multiple remediation options
• Current and historical views

Page 35: Configuration Analysis

• Unique pre-packaged expertise
• Identifies common misconfigurations
• Customizable alerting
• Recommended remediation options
• Understand the context of the network
• Network Scorecard views
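Pages 32 to 35 describe closing the gap between a documented policy and the actual device state: a template of best-practice rules, each collected configuration checked against it, violations reported with a remediation and rolled up into a scorecard. The following is an added example, not Infoblox NetMRI code; the five rules, their regular expressions and the two sample configurations are assumptions for illustration.

```python
"""Added example (not Infoblox code): check collected device configurations
against a small best-practice template and report the gap with remediation.
The rules and the sample configs are assumptions for illustration."""
import re

# Each rule: id, description, mode, pattern, remediation.
# 'must' rules fail when the pattern is absent; 'must_not' rules fail when it is present.
TEMPLATE = [
    ("SEC-001", "Telnet disabled on VTY lines", "must_not",
     re.compile(r"^\s*transport input (telnet|all)\b", re.M), "transport input ssh"),
    ("SEC-002", "Enable secret configured", "must",
     re.compile(r"^enable secret ", re.M), "enable secret <strong password>"),
    ("SEC-003", "No default SNMP communities", "must_not",
     re.compile(r"^snmp-server community (public|private)\b", re.M),
     "remove the community and use SNMPv3"),
    ("SEC-004", "Remote syslog configured", "must",
     re.compile(r"^logging (host )?\d+\.\d+\.\d+\.\d+", re.M), "logging host <collector-ip>"),
    ("SEC-005", "Password encryption service enabled", "must",
     re.compile(r"^service password-encryption$", re.M), "service password-encryption"),
]


def check(config):
    """Return a list of (rule_id, description, remediation) for every violated rule."""
    violations = []
    for rule_id, desc, mode, pattern, fix in TEMPLATE:
        present = pattern.search(config) is not None
        if (mode == "must" and not present) or (mode == "must_not" and present):
            violations.append((rule_id, desc, fix))
    return violations


def scorecard(devices):
    """Per-device compliance percentage and violation list, keyed by device name."""
    results = {}
    for name, cfg in devices.items():
        v = check(cfg)
        results[name] = {"score": round(100 * (1 - len(v) / len(TEMPLATE))), "violations": v}
    return results


# Constructed configs: one hardened device and one still carrying legacy settings.
DEVICES = {
    "core-rtr-1": """hostname core-rtr-1
service password-encryption
enable secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
logging host 10.10.0.5
snmp-server community s3cr3tRO RO
line vty 0 4
 transport input ssh
""",
    "branch-sw-7": """hostname branch-sw-7
service password-encryption
enable password cisco
logging 10.10.0.5
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
""",
}

if __name__ == "__main__":
    for device, result in scorecard(DEVICES).items():
        print(device, result["score"], "%")
        for rule_id, desc, fix in result["violations"]:
            print("  ", rule_id, desc, "->", fix)
```

Because the checks run over the collected configuration text rather than over the device, the same template can be evaluated against the last known-good configuration and the current one, which is what turns a one-off audit into continuous violation detection.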

Page 36: Powerful Reporting

• Single-click compliance reports
• Pre-packaged and customizable
• Powerful filtering
• Executive and detailed reports
• On-demand or scheduled
• User-based view rights

Page 37: Value of Network Standardization

• Verify your "desired state" against the "as-is" state
• Improve network stability and consistency
• Reduce manual processes
• Eliminate extensive, time-consuming audit teams
• Increase accuracy with automation and embedded expertise
• Focus on building secure infrastructure instead of waiting for audits

Page 38: DNS, DHCP and IP Address Management (Secure)

Page 39: DHCP Fingerprinting

Diagram: two clients send DHCPDISCOVER; the server classifies each from the sequence of options the client asks for (the Parameter Request List, DHCP option 55) and decides whether to answer with a DHCPOFFER.

• Laptop: DHCPDISCOVER with option sequence 1,15,3,6,44,46,47,31,33,121,249,43; DHCPOFFER returned
• Tablet: DHCPDISCOVER with option sequence 1,3,6,15,119,78,79,95,252; DHCPOFFER withheld (marked X on the slide)

Page 40: Introducing DHCP Fingerprinting

• Automatically detect DHCP clients during the DHCPDISCOVER process
• Manage DHCP leases by asset or device
• Improve network planning with new device-focused reports
• Auto-organize and group devices in Smart Folders
• Integrated with Reporting Server with pre-defined reports

Benefits
• Un-intrusive discovery and management of devices
• Flexibly enforce corporate policy
• Plan for network growth, determine application trends
• Improve device supportability and security
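The classification on pages 39 and 40 rests on one field of the DHCPDISCOVER: the Parameter Request List (option 55), whose order of option codes differs between client implementations. The block below is an added example, not Infoblox code: it parses the options area of a DHCPDISCOVER, looks the option-55 sequence up in a fingerprint table, and applies a lease policy. The two sequences are the ones on the slide; the table labels, the policy and the packet builder used to construct test input are assumptions for this example.

```python
"""Added example (not Infoblox code): extract the DHCP Parameter Request List
(option 55) from a DHCPDISCOVER's options area, match it against a fingerprint
table, and decide whether a DHCPOFFER should be sent.
The table labels, the policy and the packet builder are assumptions."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options area

# Fingerprint table keyed on the exact option-55 sequence (labels follow the slide).
FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Laptop",
    (1, 3, 6, 15, 119, 78, 79, 95, 252): "Tablet",
}

# Policy: device classes allowed to receive a lease (the slide's X on the tablet).
ALLOWED = {"Laptop"}


def parse_options(options):
    """Parse the DHCP options area into {code: value bytes}.
    Handles pad (0) and end (255) and rejects truncated TLVs rather than
    reading past the buffer."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == 0:                  # pad
            i += 1
            continue
        if code == 255:                # end
            break
        if i + 2 > len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        out[code] = value
        i += 2 + length
    return out


def build_discover_options(param_request_list):
    """Constructed input: a minimal DHCPDISCOVER options area with message type
    (option 53 = 1), the parameter request list (option 55) and the end option."""
    prl = bytes(param_request_list)
    return (MAGIC_COOKIE + b"\x35\x01\x01"
            + b"\x37" + struct.pack("B", len(prl)) + prl + b"\xff")


def fingerprint(options):
    """Return (device_class, offer_allowed) for the options area of a DHCPDISCOVER."""
    opts = parse_options(options)
    if opts.get(53) != b"\x01":
        raise ValueError("not a DHCPDISCOVER")
    seq = tuple(opts.get(55, b""))
    device = FINGERPRINTS.get(seq, "Unknown")
    return device, device in ALLOWED


if __name__ == "__main__":
    for seq in FINGERPRINTS:
        print(seq, fingerprint(build_discover_options(seq)))
```

The option-55 sequence is set by the client's DHCP stack, so it identifies the operating system family rather than the user; an unknown sequence should be treated as a signal to inspect, not as proof of anything.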

Page 41: Integrated IP Address Management

• Tracks what's connected on the network
• Enhances IP allocation through automation
• Increases accuracy with continuous updates
• Helps with IPv4 to IPv6 migrations

Page 42: Maintaining Security with Infoblox (summary)

• Protect: Securing DNS
• Control: Firewall Rule & ACL Automation
• Enforce: Compliance & Policy Standardization
• Secure: DNS, DHCP and IP Address Management

Page 43: Thank You

tconnelly@infoblox.com