cómo mejorar la seguridad de los servicios de dns, dhcp e ipam

© 2013 Infoblox Inc. All Rights Reserved.

L. Francisco Abarca, Director Sales LATAM

Expanding Your Network Security

1


Infoblox Overview & Business Update

($MM)

$35.0

$56.0 $61.7

$102.2

$132.8

$169.2

$0

$20

$40

$60

$80

$100

$120

$140

$160

$180

FY2007 FY2008 FY2009 FY2010 FY2011 FY2012

Total Revenue (Fiscal Year Ending July 31)

Founded in 1999

Headquartered in Santa Clara, CA with global operations in 25 countries

Market leadership •  Gartner “Strong Positive” rating •  40%+ Market Share (DDI)

6,100+ customers, 45,000+ systems shipped

20 patents, 27 pending

IPO April 2012: NYSE BLOX

Leader in technology for network control

2


Conventional Networks – Static and Simple

192.168.255.255

132.18.255.45 126.78.255.35 72.168.21.135

72.168.21.135

72.168.21.135

Static

IPv4

Rudimentary Tools for Control

Manually Configured

3


Next Generation Networks – Very Complex

132.18.255.45 126.78.255.35

72.168.21.135

72.168.21.135

2001:0fb8:85a3:0000:0000:8a2e:6332:4328

2001:0db8:85a3:0000:0000:8a2e:3375:9356

2001:0db8:85a3:0000:0000:8a2e:2385:3690

2001:0db8:85a3:0000:0000:8a2e:0647:8574

2001:0db8:85a3:0000:0000:8a2e:5330:7854

2001:0db8:85a3:0000:0000:8a2e:5370:6954

VM

VM

Expensive

Manual Inflexible

VM

VM

4


Triggers that are Redefining the Network

THREAT LANDSCAPE

MOBILE DEVICE EXPLOSION

CLOUD / VIRTUALIZATION CONSOLIDATION

SOFTWARE DEFINED NETWORKS IPv6 TRANSITION

5


Traditional Approach C

ON

TRO

L P

LAN

E

AP

PS

&

EN

D-P

OIN

TS END POINTS VIRTUAL MACHINES PRIVATE CLOUD APPLICATIONS

NE

TWO

RK

IN

FRA

STR

UC

TUR

E

FIREWALLS SWITCHES ROUTERS WEB PROXY LOAD BALANCERS

Complexity Risk & Cost

Agility Flexibility

QIP MICROSOFT DHCP MICROSOFT DNS VMWARE DNS UNIX BIND

SCRIPTS COMMAND LINE

6


What We Do: Innovative Technology for Network Control

AP

PS

&

EN

D-P

OIN

TS END POINTS VIRTUAL MACHINES PRIVATE CLOUD APPLICATIONS

NE

TWO

RK

IN

FRA

STR

UC

TUR

E

FIREWALLS SWITCHES ROUTERS WEB PROXY LOAD BALANCERS

CO

NTR

OL

PLA

NE

Infoblox GridTM w/ Real-time Network Database

Historical /Real-time Reporting & Control

7


Expanding Your Network Security

8


Maintaining Security with Infoblox

Compliance & Policy Standardization Enforce Firewall ACL & Rule Automation Control

Secure

DNS, DHCP and IP Address Management DNS Firewall

Protect

9


DNS, DHCP and IP Address Management

Secure

10


Security Risks with Conventional Approach

þ  Dedicated hardware with no unnecessary logical or physical ports

þ  No OS-level user accounts – only admin accts þ  Immediate updates to new security threats þ  Secure HTTPS-based access to device

management þ  No SSH or root-shell access þ  Task-specific network appliance

–  Many open ports subject to attack –  Users have OS-level account privileges on

server –  Requires time-consuming manual updates –  Requires multiple applications for device

management

Conventional Server Approach Infoblox Appliance Approach

Multiple Open Ports

Limited Port Access

Infoblox Update Service

Secure Access

11


Security – Purpose Built Appliances

§  Task specific hardware §  Restrictive/hardened Linux OS §  Root access disabled §  Simple VRRP-based HA setup §  Active/active DR recovery

§  Common Criteria EAL-2 Cert. §  128-bit AES Grid VPN comm. §  FIPS 140-2 certification §  DNS Firewall / RPZ protection §  Fast/easy upgrades

12


Security – Purpose Built OS (NIOS)

§  Central view & management §  Role-based admin controls §  6 authentication methods §  Two factor Auth. (CAC/PKI) §  HTTPS Web access §  Detailed audit logging

§  1-click DNSSEC §  SSL-Based REST/Perl API §  DNS blacklisting / re-directs §  Anycast (BGP/OSPF) §  GSS-TSIG & TSIG §  Robust DDI Reporting

13


Infoblox Grid a Key Differentiator

Simple, Secure, Reliable

External DNS Grid Member

Virtual Environment

Grid Master Candidate at Recovery Site

Internal Grid Members

IPAM Insight

Grid Master

Branch Offices

A collection of High Availability member

appliances

Coordinated by the Grid Master

Sharing a distributed database

Communicating via an SSL VPN

§  Centralized visibility and control

§  Real time IPAM & discovery §  Automated failover and DR

14


Fast Responses to Security Incidents

§  3 Major Feature Releases a year

§  Several patch/ maintenance releases

§  Security vulnerabilities addressed within hours

§  Dedicated “Customer Engineering team” focused on resolving customer issues

15


Enhancing External DNS Security

Cryptographically signed DNS data

DNS Root

2nd Level Domain

nth Level Domain

DNSSEC helps to mitigate hijacking threats such as the Kaminsky attack

Manual Tasks

§  Numerous manual procedures for BIND, Microsoft DNS or other systems

§  Cumbersome and repetitive maintenance and key refresh procedures

§  Specialized knowledge resides (and leaves) with admin

Infoblox Solution

§  Automated deployment process

§  Automated key refresh §  Automated maintenance §  Knowledge and best practices

embedded in system

Trus

t Cha

in

16


DNSSEC in 1-Click

§  No scripts / Auto-Resigning / 1-click §  Central configuration of all DNSSEC parameters §  Automatic maintenance of signed zones

17


Automated IP Address Management

§  Tracks what’s connected on the network §  Enhances IP allocation through automation §  Increases accuracy with continuous updates §  Helps with IPv4 to IPv6 migrations

18


Role Based Administration Visibility for Multiple Audiences

IPAM admin Track how effectively provisioned networks being used

DNS admin See heavy users, what are the top sites being queried

DHCP admin Improve lease history, find most active DHCP clients

Security admin Improve traceability for compliance purposes

Network admin Understand subnet utilization for planning purposes

Helpdesk Better “at a glance” visibility into current state of DDI

Management Provide simple, presentable reporting formats on trends

19


CAC / PKI Login Enhancement

User Name pulled automatically from

the Smart Card certificate

MSFT AD RADIUS

TACACS+ local

continue to be user authentication


CAC / PKI Access Protection

21

GUI locks when Smart Card is removed


IB-4030 Recursive DNS w/ DDOS

Performance §  A carrier grade DNS recursive appliance with over 1M DNS

queries per second Software §  Built-in threat protection §  URL Blacklisting / NXDOMAIN Redirection §  Cache pre-fetching and DNSSEC

World’s Most Scalable, Secure, and Manageable DNS Caching Server

22


Infoblox DNS Firewall

Protect

23


Overall Malware Threats Booming

§  Average over 7 million new Malware threats per quarter in 2012*

§  Mobile threats grew about 10X in 2012*

§  855 successful breaches / 174 million records compromised in 2012**

§  69% of successful breaches utilized Malware**

§  54% took months to discover, 29% weeks**

§  92% discovered by external party**

0

2,000,000

4,000,000

6,000,000

8,000,000

10,000,000

Q1 2010

Q2 2010

Q3 2010

Q4 2010

Q1 2011

Q2 2011

Q3 2011

Q4 2011

Q1 2012

Q2 2012

Q3 2012

New Malware

0

5,000

10,000

15,000

20,000

25,000

2004 2005 2006 2007 2008 2009 2010 2011 2012

Total Mobile Malware Samples in the Database

Startling Statistics

* Source: McAfee Threats Report: Third Quarter 2012 ** Source: Verizon Security Study 2012

24


Customer Challenge: New Class of Malware

DNS HAS BECOME A TARGET PATHWAY FOR A NEW CLASS OF MALWARE

DNS INFRASTRUCTURE IS THE ONLY WAY TO DEFEND AGAINST THIS TYPE OF MALWARE

COMMUNICATION PROTOCOL

BECAME MAINSTREAM PATHWAY FOR MALWARE

IRC (Chat) 1999

HTTP 2004

P2P 2007

DNS 2011

25


DNS Firewall – Complement Existing Security

§  Traditional or next generation firewall (e.g. Checkpoint, Juniper, Palo Alto, Imperva, Cisco, etc.)

§  Anti-Virus (e.g. Symantec, McAfee, Webroot, Kapersky, etc.)

§  Email / Web security (e.g. Blue Coat, McAfee, Websense)

§  Advance Persistent Threat (APT) (e.g. Damballa, FireEye)

§  Security Information and Event Management (SIEM) (e.g. Trustwave, McAfee, Q1Labs)

26


Write to Syslog and send to Trinzic Reporting

Introducing Infoblox DNS Firewall

Reputational Feed from Infoblox

Landing Page / Walled Garden

Infected Client

Infoblox DNS Firewall / Recursive DNS Server



Redirect

Dynamic Grid-Wide Policy Distribution

Dynamic Policy Update

Block / Disallow session

Contact botnet Link to malicious www.badsite.com

Apply Policy

27


Detailed Tracking and Reporting Options

§  Automatic reporting

§  Top Infected Clients

§  Malicious requested domains and number of requests

§  Lease history by MAC address with detailed drill down

Security Policy Violations Report

28


§  1/30/13 NY Times article – NY Times victim of hacker / malware attacks over 4 months originating in China*

§  The Attack –  Initial infection: Phishing / Spear Phishing –  Botnet / attackers changed IP addresses; used

compromised US University machines as proxies –  Utilized over 45 types of malware, only 1 caught by the

Anti-Virus defense

§  Why so difficult to detect –  Malware/attacks designed to circumvent firewalls, web

filtering, antivirus, and other defenses –  Appears it used DNS to locate the botnet controller

§  How DNS Firewall could have helped –  Probably prevented infection via phishing –  Disrupted botnet communications to China –  Report Server: Early alert of attacks

Perfect Breach Example – New York Times Attack

29

© 2013 Infoblox Inc. All Rights Reserved. 30

APT / Botnet Malware Requires a New Approach

§  Existing security approaches do not effectively address malware that exploits DNS. Examples: –  Malware repacks to avoid signature-based

detection

–  Botnet controllers typically change URLs dynamically to circumvent Web Filters

–  Botnet controllers change IP addresses / use other techniques to circumvent Firewalls

* http://www.securityweek.com/why-dns-firewalls-should-become-next-hot-thing-enterprise-security

“… DNS firewalls likely would have prevented the success of more than 80 percent of these attacks.”*

30


Infoblox Security Device Controller

Control

31


DHCP Fingerprint

32


Very Simple, Un-Intrusive, No Discovery Overhead

33

DHCPDISCOVER Option Sequence 1,15,3,6,44,46,47,31,33,121,249,43

Windows 7

DHCPOFFER

Option Sequence 1,3,6,15,119,78,79,95,252

iPad

DHCPOFFER

DHCPDISCOVER

X


Control - What you don’t know

Enhanced DHCP Lease Information

34

Sort

Filter

Smart Folder


Control - What you don’t know

Custom DHCP Fingerprint Management

35


Control – Through Network Planning

Device Trend What devices are

being used where?

Is a certain device trending

up, or down?

36


Control – Through Network Planning

Top Device

What are the top

devices?

Click on the device type to view IP/MAC information

37


SDC

38


Network Security Management: Today

39


Manual

The Pain of Legacy Processes

Legacy Approach

Hours/ Days

Firewall Change Needed

1

Search For

Devices

2

Figure Out Impacted Devices

3

Determine Correct Config

4

Compare Change to Standards/ Compliance

5

Request Change/

Implement Manually

6

Reconfirm Correctness

and Compliance

Hours/Days Network Provisioning Time

§  Manual processes cannot keep up §  SLA are lengthening to weeks or a even a month §  Require dedicated, senior network architects

–  Routine, repetitive, error-prone –  Multiple vendor expertise needed

40


CHANGE REQUEST

MULTI- VENDOR

FIREWALL

MULTI- VENDOR ROUTER/ FIREWALL

MULTI- VENDOR

FIREWALL

MULTI- VENDOR SWITCH/

FIREWALL

Infoblox Security Device Controller

§  Increases speed and accuracy of new service deployment §  Improves SLAs with automated provisioning §  Reduce risk with embedded intelligence and modeling §  Reduce errors & over-reliance on high level engineers

SERVICE/ APPLICATION USER

APPROVED CHANGE

IT TICKETING SYSTEM

41


Five Pillars of Controlling Security Devices

Embedded Expertise

Automated Discovery

Multi-vendor Provisioning

Customized Alerting

Powerful Search

42


Automated Network Discovery

Simple and complete network-wide discovery

Powerful topology to visualize path

43


Embedded Expertise

Built-in intelligence automatically provides detailed ACL/rule views

Detects problems like unused, overlapping and duplicate rules

out-of-the box

44


Powerful Search

Search results identify all matching devices

including vendor specific syntax

Easily customize search criteria for one or multiple devices

45


Customizable Alerting

Immediately identify and track defined alerts to allow or deny access

Create Alerts for both Blacklisting and

Whitelisting

46


Multi-vendor Provisioning

Maintain control with user-based access rights and change

process

Provision changes in the same platform and

view the vendor-specific syntax

47


Manual

The Power of Infoblox

Legacy Approach

Infoblox Approach

Hours/ Days

1 6 2 3 4 5

Automated

Days/ Weeks


1

Search For

Devices

2

Figure Out Impacted Devices

3

Determine Correct Config

4

Compare Change to Standards/ Compliance

5

Request Change/

Implement Manually

6

Reconfirm Correctness

and Compliance


48


Compliance, Internal Policies & Best Practices

Enforce and Maintain

49


Standard Configurations Auditability

Process Enforcement

Secure Configurations

User Permission Control

Visibility & Documentation

Continuous Monitoring

Change Tracking

Standardization and Compliance Drivers

Regulatory or Industry Mandates

Corporate Security Policies

Engineering Team Best Practices

50


Common Standardization & Compliance Situation

§  Requirements are researched and documented

§  Normally not thought of until: –  An audit is required –  Something breaks

§  Believe the processes are good best practices but: –  Staff is too busy doing

everything else to be proactive

51


Compliance Monitoring Best Practices

Define & Customize

Rules/Policies

Segment Policies to Devices

Track and Audit Configurations and Changes

Continuously Review for

Compliance

Proactive Notification for

Violations

Automated Reports

52


Infoblox Network Automation Overview

•  Network discovery •  Built-in analysis •  Check against best practices •  Detect issues •  Monitor and manage change •  Automate change •  Maintain compliance •  Provision ACL & rules

Collected Via: SNMP

CLI/configuration Syslog

Fingerprinting

Real-time & Historical Analysis

53


Standardization - Compliance Management

Embedded compliance rules

Customizable best practice templates

Manage multiple policies

Proactive violation detected

Multiple remediation options

Current and historical views

54


Configuration Analysis

Unique pre-packaged expertise

Identifies common misconfigurations

Customizable alerting

Recommended remediation options

Understand concept of the network

Network Scorecard views

55


Powerful Reporting

Single-click compliance reports

Pre-packaged and customizable

Powerful filtering

Executive and detailed reports

On-demand or scheduled

User-based view rights

56


Value of Network Standardization

Verify your “desired state” to the “as is state”

§  Improve network stability and consistency

§  Reduce manual processes

§  Eliminate extensive, time-consuming audit teams

§  Increase accuracy with automation and embedded expertise

§  Focus on building secure infrastructure instead of waiting for audits

57


Infoblox Value To Our Customer

58

Secure

•  Secure hardware form-factor & hardened OS •  Designed to minimize vulnerabilities and

attack surfaces •  Common Criteria certified

•  GridTM technology for fault tolerance, easy updates and one-click DR

•  Optimized for enterprise demand & performance •  Authoritative source for network data Available

•  Powerful automation of manual processes •  Reduce change errors & assure compliance •  Save time, money and effort

Automated

Automated

Secure Available

Infoblox makes networks more available, secure and automated


Thank You

59

cómo mejorar la seguridad de los servicios de dns, dhcp e ipam

Technology

determine

firewall change

grid master

network security

network planning

compare change

circumvent

rights reserved