OX Protect Deep-Dive
OX Summit Rome
Neil Cook
September 28th 2018
• Provides a secure connectivity experience:
• Protects all devices using the broadband/mobile network
• Protects against malware and phishing
• Malware alerts via SMS or Push Notifications
• Works even with encrypted traffic
• Detects infected devices, attempts to download malware, attempts to go to phishing site etc.
OX Protect for Malware
Security
Protection
Pure Service – No software or special devices needed
Core Features:
• Full control over content categories allowed
• “Pause Internet” capability
• Bedtime/Homework Time
• Subscriber Black & Whitelists
• Optional Mobile App for Settings, Supervision & Notification
• Blocking alerts via Push Notifications or SMS
OX Protect for Families
• Parents can manage settings for different profiles individually
• Configure Multiple Filtering Profiles
• E.g. Mom, Dad, Child1, Child2
• Devices are typically auto-detected and provisioned
• Each device is associated with a profile
• E.g. “Neil’s iPhone X”
• E.g. “Panasonic TV”
Advanced Features
OX Protect for Families
Wait what? I thought DNS was just a lookup protocol…
Using DNS to Filter Traffic
• The main purpose of DNS is to turn names like “open-xchange.com” into IP addresses “1.2.3.4”
The basis of OX Protect is DNS Filtering
[Diagram: Lookup “open-xchange.com” → DNS → Answer “62.146.90.68”]
• DNS underlies almost all traffic on the Internet
• It is critical to almost every legitimate service
• not just Web but also Email, Chat services, Mobile Apps etc.
• Also critical to almost every malicious service
• DNS is used by the bad guys too
• DNS is also (currently) usually unencrypted
• This is changing with DNS over TLS (and DNS over HTTPS)
• Even then not end-to-end encrypted
DNS is Ubiquitous and Un-Encrypted
Thus DNS is Perfect for Filtering
[Diagram: Lookup “illegaldrugs.tv” → DNS → Answer “10.3.2.4” → Walled Garden Proxy]
Including Malware/Malicious Sites
[Diagram: Lookup “xyz123.cn” → DNS → Answer “10.3.2.4”; Send Video Capture]
DNS vs other Consumer Security Methods
Security solution approach: DNS | Deep Packet Inspection (DPI) | Home Device | Client on Customers Premises Equipment
Example Vendors: Open-Xchange, Akamai, Cisco | Allot | Circle | Norton, McAfee
Works with any service and protocol and encrypted traffic: ☺ ☺ ☺
Traffic routing efficiency: ☺ ☺ ☺
Scalability: ☺
Costs of setup, rollout and management: ☺ ☺
Open-Source availability: ☺
Strengthens service providers position: ☺ ☺
Works for embedded IoT devices: ☺ ☺ ☺ ☺
OX Protect Architecture
More than just PowerDNS…
• PowerDNS Recursor answers DNS queries
• Can be deployed without filtering initially
• Highly Scalable, Extremely Low Latency DNS Solution
• Easy to add on Filtering Components at a later date
Basic DNS Only
Core of Solution is PowerDNS
[Diagram: DNS Traffic, PowerDNS Recursor & DNSdist, DNS Traffic, Internet]
Network Focused
PowerDNS Plus Filtering
[Diagram: DNS Traffic, PowerDNS Recursor & DNSdist, DNS Traffic, Internet, Filtering Module, Filtering Proxy, Dstore, Threat Intelligence Feeds, OSS/BSS APIs]
End-User Focused
Full OX Protect Architecture
[Diagram: DNS Traffic, PowerDNS Recursor & DNSdist, DNS Traffic, Internet, Filtering Module, Subscriber DB, Filtering Proxy, Dstore, Threat Intelligence Feeds, Client REST APIs, Notification Server, Optional Mobile Apps, Notification DB, OSS/BSS APIs, End-User Reporting APIs]
Mobile Apps and APIs
OX Developed Mobile Apps
• User Centric mobile control apps
• For iOS and Android
• Centralized End-User Notifications and Control
• Configuration management
• Control Filtering settings for household and individual devices
• Real-time Permissions
• Alerting
• Real-time alerting of suspicious events
Customer Developed Mobile Apps
• OX Protect provides multiple options to enable this:
• Mobile-Centric web application that can easily be embedded in a native app for easy integration
• End-User Centric REST APIs to integrate fully into native apps
• Both options support:
- Authorization via OAuth2
- Support for Push Notifications (new devices, blocked website, malware etc.)
Threat Intelligence
Threat Intelligence Feeds
[Diagram: Open Threat Intelligence Platform, with OX Protect Built-In Threat Intel, Internal Threat Intel, Third-Party Threat Intel]
Deploying OX Protect
[Diagram, DNS Replacement: DNS Queries; Existing DNS System (Unbound, Bind, Nominum etc.); PowerDNS or OX Protect]
[Diagram, Side-By-Side with Legacy DNS: DNS Queries; Existing DNS System (Unbound, Bind, Nominum etc.); OX Protect PowerDNS Proxy]
Integration Requirements
• Features of Basic Protection
• All features apply to the whole household/subscriber line
• Malware Filtering
• Block attempts to access malware, phishing sites, command and control servers
• Content Filtering
• Block access to unwanted content like Adult, Gambling, etc.
• Notifications
• Control when to receive notifications and how
Integration for Basic Protection (no Per-Device)
• Requires no changes to customer premises equipment
• Works for 100% of subscriber base
• Provisioning Integration
• Need to provision subscribers (e.g. RADIUS IDs)
• RADIUS Integration
• Start/Stop Accounting Feed
• OSS/BSS API Integration
• Web Portal for subscriber settings
• Customise Protect Proxy Landing Pages
Integration for Basic Protection (no Per-Device)
• Per-device features include:
• Automatic detection and provisioning of new devices
• Including device family
• Including device name
• Assigning devices to profiles (family members)
• Moving devices between profiles
• Detecting threats and filtering content on a per-device basis
• Information about which device is included in notifications
• Bedtime/Homework Time
Integration for Per-Device Features
• This is achieved with CPE integration
• dnsmasq is the most widely used DHCP Server/DNS Proxy on CPEs
• Already supports EDNS0 options
• dnsmasq already has capability to provide MAC address using EDNS0
• This allows per-device capabilities, and device-type recognition
• OX currently working with IETF & dnsmasq maintainer
• To standardize the transmission of per-device data including hostname
On Fixed-Line Networks
Integration for Per-Device Features
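The per-device filtering described above, combined with the walled-garden answer from the DNS filtering slides, as an added example that is not part of the original deck or OX Protect's own code. It parses the MAC address that dnsmasq attaches with `--add-mac` (EDNS0 option code 65001, a value not stated on the slides), maps it to a profile and returns the verdict; the device table, blocklists and default profile are constructed assumptions.

```python
import struct

EDNS0_OPTION_MAC = 65001        # EDNS0 option code dnsmasq uses for --add-mac
WALLED_GARDEN_IP = "10.3.2.4"   # walled-garden answer shown on the slides
DEVICES = {"aa:bb:cc:00:00:01": "Child1", "aa:bb:cc:00:00:02": "Dad"}  # constructed
BLOCKED = {"Child1": {"illegaldrugs.tv", "xyz123.cn"}, "Dad": {"xyz123.cn"}}  # constructed
DEFAULT_PROFILE = "Child1"      # assumption: unknown devices get the strictest profile

def build_query(name, mac=None):
    """Build a constructed A query with an OPT record, as a CPE forwarder would send."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    opts = b""
    if mac:
        raw = bytes.fromhex(mac.replace(":", ""))
        opts = struct.pack("!HH", EDNS0_OPTION_MAC, len(raw)) + raw
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    opt_rr = b"\0" + struct.pack("!HHIH", 41, 1232, 0, len(opts)) + opts
    return header + qname + struct.pack("!HH", 1, 1) + opt_rr

def parse_query(pkt):
    """Return (qname, mac) for a one-question query; mac is None when no option is set."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    if (qd, an, ns) != (1, 0, 0):
        raise ValueError("expected a plain single-question query")
    pos, labels = 12, []
    while pkt[pos]:
        if pkt[pos] > 63:
            raise ValueError("compressed or invalid label in question")
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode("ascii").lower())
        pos += 1 + pkt[pos]
    pos += 5                    # root label, QTYPE, QCLASS
    mac = None
    for _ in range(ar):         # additional records; OPT has a one-byte root name
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos + 1:pos + 11])
        rdata, pos = pkt[pos + 11:pos + 11 + rdlen], pos + 11 + rdlen
        while rtype == 41 and len(rdata) >= 4:      # walk the EDNS0 options
            code, olen = struct.unpack("!HH", rdata[:4])
            if code == EDNS0_OPTION_MAC and olen == 6:
                mac = rdata[4:10].hex(":")
            rdata = rdata[4 + olen:]
    return ".".join(labels), mac

def decide(pkt):
    """Return (profile, verdict); verdict is the walled-garden IP or "RESOLVE"."""
    qname, mac = parse_query(pkt)
    profile = DEVICES.get(mac, DEFAULT_PROFILE)
    parts = qname.split(".")
    suffixes = {".".join(parts[i:]) for i in range(len(parts))}
    return profile, WALLED_GARDEN_IP if suffixes & BLOCKED[profile] else "RESOLVE"
```

Any client can attach an EDNS0 option to its own queries, so a resolver should honour this one only on traffic arriving from provisioned CPEs.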
Event Notifications
• Push notifications for malware or content filtering events
• Frequency and timing of notifications is configurable
• Can be disabled if required
• Support for iOS and Android
• Notifications are in real-time
• Particularly useful when using new devices for the first time (e.g. new IoT devices)
OX Protect Roadmap
• PowerDNS Filtering Platform is released and deployed already
• First version of OX Protect (End-User Features)
• NOW
• Includes all features described
• Completely new Web/Mobile App UI
• Version 2.0 scheduled for 1H 2019
• Improved Reporting Engine & APIs
• Event Aggregation Engine
• Support for SMEs – Portal, Reporting
OX Protect Roadmap
Open-Xchange AG
Rollnerstraße 14
D-90408 Nuernberg
Phone: +49 2761-8385-0
Fax: +49 2761-8385-30
www.open-xchange.com