How to improve the security of DNS, DHCP and IPAM services
Posted on 19-Oct-2014
Francisco Abarca, Sales Manager LATAM, Infoblox
© 2013 Infoblox Inc. All Rights Reserved.
L. Francisco Abarca, Director Sales LATAM
Expanding Your Network Security
Infoblox Overview & Business Update
Chart – Total Revenue ($MM, Fiscal Year Ending July 31): FY2007 $35.0, FY2008 $56.0, FY2009 $61.7, FY2010 $102.2, FY2011 $132.8, FY2012 $169.2
Founded in 1999
Headquartered in Santa Clara, CA with global operations in 25 countries
Market leadership • Gartner “Strong Positive” rating • 40%+ Market Share (DDI)
6,100+ customers, 45,000+ systems shipped
20 patents, 27 pending
IPO April 2012: NYSE BLOX
Leader in technology for network control
Conventional Networks – Static and Simple
Diagram: a handful of static IPv4 addresses (192.168.255.255, 132.18.255.45, 126.78.255.35, 72.168.21.135)
Static IPv4
Rudimentary Tools for Control
Manually Configured
Next Generation Networks – Very Complex
Diagram: a mix of IPv4 addresses (132.18.255.45, 126.78.255.35, 72.168.21.135), IPv6 addresses in the 2001:0db8:85a3::/48 documentation prefix, and virtual machines (VM)
Expensive
Manual
Inflexible
Triggers that are Redefining the Network
THREAT LANDSCAPE
MOBILE DEVICE EXPLOSION
CLOUD / VIRTUALIZATION
CONSOLIDATION
SOFTWARE DEFINED NETWORKS
IPv6 TRANSITION
Traditional Approach
Diagram (three layers):
Apps & End-Points: END POINTS, VIRTUAL MACHINES, PRIVATE CLOUD, APPLICATIONS
Network Infrastructure: FIREWALLS, SWITCHES, ROUTERS, WEB PROXY, LOAD BALANCERS
Control Plane: QIP, MICROSOFT DHCP, MICROSOFT DNS, VMWARE DNS, UNIX BIND, SCRIPTS, COMMAND LINE
Trade-off shown: Complexity, Risk & Cost vs. Agility, Flexibility
What We Do: Innovative Technology for Network Control
Diagram (three layers):
Apps & End-Points: END POINTS, VIRTUAL MACHINES, PRIVATE CLOUD, APPLICATIONS
Network Infrastructure: FIREWALLS, SWITCHES, ROUTERS, WEB PROXY, LOAD BALANCERS
Control Plane: Infoblox Grid™ w/ Real-time Network Database; Historical / Real-time Reporting & Control
Expanding Your Network Security
Maintaining Security with Infoblox
Secure: DNS, DHCP and IP Address Management
Protect: DNS Firewall
Control: Firewall ACL & Rule Automation
Enforce: Compliance & Policy Standardization
DNS, DHCP and IP Address Management
Secure
Security Risks with Conventional Approach
Conventional Server Approach (Multiple Open Ports)
– Many open ports subject to attack
– Users have OS-level account privileges on server
– Requires time-consuming manual updates
– Requires multiple applications for device management
Infoblox Appliance Approach (Limited Port Access, Infoblox Update Service, Secure Access)
✓ Dedicated hardware with no unnecessary logical or physical ports
✓ No OS-level user accounts – only admin accts
✓ Immediate updates to new security threats
✓ Secure HTTPS-based access to device management
✓ No SSH or root-shell access
✓ Task-specific network appliance
Security – Purpose Built Appliances
§ Task specific hardware
§ Restrictive/hardened Linux OS
§ Root access disabled
§ Simple VRRP-based HA setup
§ Active/active DR recovery
§ Common Criteria EAL-2 Cert.
§ 128-bit AES Grid VPN comm.
§ FIPS 140-2 certification
§ DNS Firewall / RPZ protection
§ Fast/easy upgrades
Security – Purpose Built OS (NIOS)
§ Central view & management
§ Role-based admin controls
§ 6 authentication methods
§ Two factor Auth. (CAC/PKI)
§ HTTPS Web access
§ Detailed audit logging
§ 1-click DNSSEC
§ SSL-Based REST/Perl API
§ DNS blacklisting / re-directs
§ Anycast (BGP/OSPF)
§ GSS-TSIG & TSIG
§ Robust DDI Reporting
Infoblox Grid a Key Differentiator
Simple, Secure, Reliable
Diagram: Grid Master; Grid Master Candidate at Recovery Site; Internal Grid Members; External DNS Grid Member; Virtual Environment; Branch Offices; IPAM Insight
A collection of High Availability member appliances, coordinated by the Grid Master, sharing a distributed database and communicating via an SSL VPN
§ Centralized visibility and control
§ Real time IPAM & discovery
§ Automated failover and DR
Fast Responses to Security Incidents
§ 3 Major Feature Releases a year
§ Several patch/maintenance releases
§ Security vulnerabilities addressed within hours
§ Dedicated “Customer Engineering team” focused on resolving customer issues
Enhancing External DNS Security
Diagram – Trust Chain: cryptographically signed DNS data from the DNS Root, through the 2nd Level Domain, down to the nth Level Domain
DNSSEC helps to mitigate hijacking threats such as the Kaminsky attack
Manual Tasks
§ Numerous manual procedures for BIND, Microsoft DNS or other systems
§ Cumbersome and repetitive maintenance and key refresh procedures
§ Specialized knowledge resides (and leaves) with admin
Infoblox Solution
§ Automated deployment process
§ Automated key refresh
§ Automated maintenance
§ Knowledge and best practices embedded in system
DNSSEC in 1-Click
§ No scripts / Auto-Resigning / 1-click
§ Central configuration of all DNSSEC parameters
§ Automatic maintenance of signed zones
Automated IP Address Management
§ Tracks what’s connected on the network
§ Enhances IP allocation through automation
§ Increases accuracy with continuous updates
§ Helps with IPv4 to IPv6 migrations
Role Based Administration – Visibility for Multiple Audiences
IPAM admin: Track how effectively provisioned networks are being used
DNS admin: See heavy users and the top sites being queried
DHCP admin: Improve lease history, find the most active DHCP clients
Security admin: Improve traceability for compliance purposes
Network admin: Understand subnet utilization for planning purposes
Helpdesk: Better “at a glance” visibility into the current state of DDI
Management: Provide simple, presentable reporting formats on trends
CAC / PKI Login Enhancement
User Name pulled automatically from the Smart Card certificate
MSFT AD, RADIUS, TACACS+ and local continue to be user authentication methods
CAC / PKI Access Protection
GUI locks when Smart Card is removed
IB-4030 Recursive DNS w/ DDOS
Performance
§ A carrier grade DNS recursive appliance with over 1M DNS queries per second
Software
§ Built-in threat protection
§ URL Blacklisting / NXDOMAIN Redirection
§ Cache pre-fetching and DNSSEC
World’s Most Scalable, Secure, and Manageable DNS Caching Server
Infoblox DNS Firewall
Protect
Overall Malware Threats Booming
§ Average over 7 million new Malware threats per quarter in 2012*
§ Mobile threats grew about 10X in 2012*
§ 855 successful breaches / 174 million records compromised in 2012**
§ 69% of successful breaches utilized Malware**
§ 54% took months to discover, 29% weeks**
§ 92% discovered by external party**
Chart – New Malware per quarter, Q1 2010 to Q3 2012 (scale 0 to 10,000,000)
Chart – Total Mobile Malware Samples in the Database, 2004 to 2012 (scale 0 to 25,000)
Startling Statistics
* Source: McAfee Threats Report: Third Quarter 2012
** Source: Verizon Security Study 2012
Customer Challenge: New Class of Malware
DNS HAS BECOME A TARGET PATHWAY FOR A NEW CLASS OF MALWARE
DNS INFRASTRUCTURE IS THE ONLY WAY TO DEFEND AGAINST THIS TYPE OF MALWARE
Communication protocol – year it became a mainstream pathway for malware:
IRC (Chat): 1999
HTTP: 2004
P2P: 2007
DNS: 2011
DNS Firewall – Complement Existing Security
§ Traditional or next generation firewall (e.g. Checkpoint, Juniper, Palo Alto, Imperva, Cisco, etc.)
§ Anti-Virus (e.g. Symantec, McAfee, Webroot, Kaspersky, etc.)
§ Email / Web security (e.g. Blue Coat, McAfee, Websense)
§ Advanced Persistent Threat (APT) (e.g. Damballa, FireEye)
§ Security Information and Event Management (SIEM) (e.g. Trustwave, McAfee, Q1Labs)
Introducing Infoblox DNS Firewall
Diagram: an Infected Client tries to contact its botnet through a link to malicious www.badsite.com. The query reaches the Infoblox DNS Firewall / Recursive DNS Server, which applies policy and either blocks / disallows the session or redirects the client to a Landing Page / Walled Garden. A Reputational Feed from Infoblox drives Dynamic Policy Updates with Dynamic Grid-Wide Policy Distribution; every hit is written to Syslog and sent to Trinzic Reporting.
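As an added illustration (not Infoblox code), the policy decision the diagram describes, expressed with Response Policy Zone (RPZ) conventions: a simplified parser for `owner CNAME target` rules, a wildcard-aware lookup, and a syslog-style record per hit. The zone fragment, host names and client address are constructed sample data.

```python
# Constructed RPZ zone fragment (sample data, not an Infoblox reputational feed).
# In RPZ the CNAME target encodes the action: "." -> NXDOMAIN, "*." -> NODATA,
# "rpz-passthru." -> allow, any other name -> redirect (e.g. to a walled garden).
RPZ_ZONE = """
www.badsite.com         CNAME  walledgarden.example.
*.badsite.com           CNAME  .
c2.example.net          CNAME  *.
updates.vendor.example  CNAME  rpz-passthru.
"""


def load_rpz(text: str) -> dict:
    """Parse 'owner CNAME target' lines into {owner: target}; other RR types are ignored here."""
    rules = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "CNAME":
            rules[parts[0].lower().rstrip(".")] = parts[2].lower()
    return rules


def decode(target: str) -> tuple:
    """Map an RPZ CNAME target to (action, redirect_target)."""
    if target == ".":
        return "NXDOMAIN", None
    if target == "*.":
        return "NODATA", None
    if target == "rpz-passthru.":
        return "PASSTHRU", None
    return "REDIRECT", target.rstrip(".")


def lookup(rules: dict, qname: str) -> tuple:
    """Exact owner match wins; otherwise the closest enclosing wildcard; otherwise no policy."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return decode(rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return decode(rules[wildcard])
    return "PASSTHRU", None


def log_hit(client_ip: str, qname: str, action: str, target) -> str:
    """Syslog-style record for a policy hit, the kind forwarded to reporting or a SIEM."""
    return (f"dns-firewall rpz client={client_ip} qname={qname} "
            f"action={action} target={target or '-'}")
```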
Detailed Tracking and Reporting Options
§ Automatic reporting
§ Top Infected Clients
§ Malicious requested domains and number of requests
§ Lease history by MAC address with detailed drill down
Security Policy Violations Report
Perfect Breach Example – New York Times Attack
§ 1/30/13 NY Times article – NY Times victim of hacker / malware attacks over 4 months originating in China*
§ The Attack
– Initial infection: Phishing / Spear Phishing
– Botnet / attackers changed IP addresses; used compromised US University machines as proxies
– Utilized over 45 types of malware, only 1 caught by the Anti-Virus defense
§ Why so difficult to detect
– Malware/attacks designed to circumvent firewalls, web filtering, antivirus, and other defenses
– Appears it used DNS to locate the botnet controller
§ How DNS Firewall could have helped
– Probably prevented infection via phishing
– Disrupted botnet communications to China
– Report Server: Early alert of attacks
APT / Botnet Malware Requires a New Approach
§ Existing security approaches do not effectively address malware that exploits DNS. Examples:
– Malware repacks to avoid signature-based detection
– Botnet controllers typically change URLs dynamically to circumvent Web Filters
– Botnet controllers change IP addresses / use other techniques to circumvent Firewalls
“… DNS firewalls likely would have prevented the success of more than 80 percent of these attacks.”*
* http://www.securityweek.com/why-dns-firewalls-should-become-next-hot-thing-enterprise-security
Infoblox Security Device Controller
Control
DHCP Fingerprint
Very Simple, Un-Intrusive, No Discovery Overhead
Diagram: each client’s DHCPDISCOVER carries an option sequence that identifies the device before the DHCPOFFER is returned
Windows 7 – DHCPDISCOVER Option Sequence 1,15,3,6,44,46,47,31,33,121,249,43
iPad – DHCPDISCOVER Option Sequence 1,3,6,15,119,78,79,95,252
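To make the fingerprinting step concrete, here is an added example (not Infoblox code) that parses the option area of a DHCPDISCOVER, reads option 55 (the Parameter Request List, which is the “option sequence” on the slide) and matches it against a small table. The table holds the two sequences from the slide; the packet builder and the device mapping are constructed for this example.

```python
# Constructed fingerprint table: the two option sequences are the ones shown on the slide;
# the sequence -> device mapping is illustrative, not an Infoblox fingerprint database.
FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Windows 7",
    (1, 3, 6, 15, 119, 78, 79, 95, 252): "iPad",
}

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_END = 0, 53, 55, 255
DHCPDISCOVER = 1


def parse_options(payload: bytes) -> dict:
    """Parse the DHCP option area (code, length, value) into {code: value}, stopping at END."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload: bad length or magic cookie")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint(payload: bytes) -> tuple:
    """Return (option_sequence, device) for a DHCPDISCOVER; device is 'unknown' if unmatched.

    Option 55 is chosen by the client, so the result is an inventory hint for lease
    history and reporting, not an authentication factor.
    """
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("fingerprinting is applied to DHCPDISCOVER messages only")
    seq = tuple(opts.get(OPT_PARAM_REQ, b""))
    return ",".join(map(str, seq)), FINGERPRINTS.get(seq, "unknown")


def build_discover(param_req: list) -> bytes:
    """Build a minimal constructed DHCPDISCOVER (zeroed BOOTP fields) carrying option 55."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    options += bytes([OPT_PARAM_REQ, len(param_req)]) + bytes(param_req)
    return header + DHCP_MAGIC + options + bytes([OPT_END])
```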
Control - What you don’t know
Enhanced DHCP Lease Information
Screenshot controls: Sort, Filter, Smart Folder
Control - What you don’t know
Custom DHCP Fingerprint Management
Control – Through Network Planning
Device Trend: What devices are being used where? Is a certain device trending up, or down?
Control – Through Network Planning
Top Device: What are the top devices? Click on the device type to view IP/MAC information
SDC
Network Security Management: Today
The Pain of Legacy Processes
Legacy Approach – Manual, Hours/Days
Firewall Change Needed
1. Search For Devices
2. Figure Out Impacted Devices
3. Determine Correct Config
4. Compare Change to Standards/Compliance
5. Request Change / Implement Manually
6. Reconfirm Correctness and Compliance
Network Provisioning Time: Hours/Days
§ Manual processes cannot keep up
§ SLAs are lengthening to weeks or even a month
§ Require dedicated, senior network architects
– Routine, repetitive, error-prone
– Multiple vendor expertise needed
Infoblox Security Device Controller
Diagram: SERVICE/APPLICATION USER → CHANGE REQUEST → IT TICKETING SYSTEM → APPROVED CHANGE → Infoblox Security Device Controller → MULTI-VENDOR FIREWALL, MULTI-VENDOR ROUTER/FIREWALL, MULTI-VENDOR SWITCH/FIREWALL
§ Increases speed and accuracy of new service deployment
§ Improves SLAs with automated provisioning
§ Reduce risk with embedded intelligence and modeling
§ Reduce errors & over-reliance on high level engineers
Five Pillars of Controlling Security Devices
Embedded Expertise
Automated Discovery
Multi-vendor Provisioning
Customized Alerting
Powerful Search
Automated Network Discovery
Simple and complete network-wide discovery
Powerful topology to visualize path
Embedded Expertise
Built-in intelligence automatically provides detailed ACL/rule views
Detects problems like unused, overlapping and duplicate rules out-of-the-box
Powerful Search
Search results identify all matching devices, including vendor specific syntax
Easily customize search criteria for one or multiple devices
Customizable Alerting
Immediately identify and track defined alerts to allow or deny access
Create Alerts for both Blacklisting and Whitelisting
Multi-vendor Provisioning
Maintain control with user-based access rights and change process
Provision changes in the same platform and view the vendor-specific syntax
The Power of Infoblox
Legacy Approach – Manual, Days/Weeks
Firewall Change Needed
1. Search For Devices
2. Figure Out Impacted Devices
3. Determine Correct Config
4. Compare Change to Standards/Compliance
5. Request Change / Implement Manually
6. Reconfirm Correctness and Compliance
Infoblox Approach – Automated, Hours/Days
Firewall Change Needed → steps 1 to 6 automated
Compliance, Internal Policies & Best Practices
Enforce and Maintain
Standardization and Compliance Drivers
Drivers: Regulatory or Industry Mandates; Corporate Security Policies; Engineering Team Best Practices
Areas covered: Standard Configurations; Auditability; Process Enforcement; Secure Configurations; User Permission Control; Visibility & Documentation; Continuous Monitoring; Change Tracking
Common Standardization & Compliance Situation
§ Requirements are researched and documented
§ Normally not thought of until:
– An audit is required
– Something breaks
§ Believe the processes are good best practices but:
– Staff is too busy doing everything else to be proactive
Compliance Monitoring Best Practices
1. Define & Customize Rules/Policies
2. Segment Policies to Devices
3. Track and Audit Configurations and Changes
4. Continuously Review for Compliance
5. Proactive Notification for Violations
6. Automated Reports
Infoblox Network Automation Overview
• Network discovery
• Built-in analysis
• Check against best practices
• Detect issues
• Monitor and manage change
• Automate change
• Maintain compliance
• Provision ACL & rules
Collected Via: SNMP, CLI/configuration, Syslog, Fingerprinting
Real-time & Historical Analysis
Standardization - Compliance Management
Embedded compliance rules
Customizable best practice templates
Manage multiple policies
Proactive violation detection
Multiple remediation options
Current and historical views
Configuration Analysis
Unique pre-packaged expertise
Identifies common misconfigurations
Customizable alerting
Recommended remediation options
Understand concept of the network
Network Scorecard views
Powerful Reporting
Single-click compliance reports
Pre-packaged and customizable
Powerful filtering
Executive and detailed reports
On-demand or scheduled
User-based view rights
Value of Network Standardization
Verify your “desired state” against the “as is” state
§ Improve network stability and consistency
§ Reduce manual processes
§ Eliminate extensive, time-consuming audit teams
§ Increase accuracy with automation and embedded expertise
§ Focus on building secure infrastructure instead of waiting for audits
Infoblox Value To Our Customer
Secure
• Secure hardware form-factor & hardened OS
• Designed to minimize vulnerabilities and attack surfaces
• Common Criteria certified
Available
• Grid™ technology for fault tolerance, easy updates and one-click DR
• Optimized for enterprise demand & performance
• Authoritative source for network data
Automated
• Powerful automation of manual processes
• Reduce change errors & assure compliance
• Save time, money and effort
Infoblox makes networks more available, secure and automated
Thank You