network intelligence for a secured network (2014-03-12)
DESCRIPTION
Comguard's Event for Emerging Threats in Doha on 12th of March 2014
TRANSCRIPT
BlueCat Network Intelligence
For a secured Network Infrastructure
Andreas Taudte
Sales Engineer
BlueCat
Luca Maiocchi
Territory Manager SE & Middle East
BlueCat
How did you secure your network?
Firewalls
Network Access Control
Anti-Virus
But, they have done the same...
http://www.pcworld.com/article/2087240/target-pointofsale-terminals-were-infected-with-malware.html
http://www.us-cert.gov/ncas/alerts/TA14-002A
http://www.pcworld.com/article/2086700/yahoo-malvertising-attack-linked-to-larger-malware-scheme.html
...and they also.
http://securityaffairs.co/wordpress/22081/cyber-crime/cert-polska-detected-large-scale-dns-hacking-home-routers.html
http://www.techweekeurope.co.uk/news/china-internet-outage-dns-hack-136759
http://www.cloudshield.com/blog/dns-security-expert-series/groundhog-day-for-dns-ddos-attack-announcements/
Typical Attack
Client connects to malicious Site unknowingly
Client downloads the malicious Code
Client becomes infected
malware.site.com
Typical Protection
Client: Security Software
Network: Filtering Software related to Protocol
Exit: Packet Inspection on a Firewall
Typical Attack in Detail
Client first looks up the Host IP
Many Attacks leverage DNS
Allow to change IP w/o need to update Attack
malware.site.com
54.235.223.101
Landscape has changed: DNS applies to all Applications & all Devices.
BlueCat Threat Protection
For a secured DNS Infrastructure
BlueCat Threat Protection
Security Feed and Response
Policies Zones to filter DNS Traffic
Recursive DNS Servers enabled to accept the BlueCat Security Feed
Typical Attack with BlueCat Threat Protection
Blocks Devices from resolving malicious Hosts
Another Layer of Depth for traditional Devices
Blocks Access to known Malware, Botnet and other Sites for non-traditional Devices
malware.site.com
How it works
1. DNS server downloads list of known malicious sites (updated every 5 minutes)
2. User queries for known malicious content
3. DNS server matches request against list
4. Response is given according to policy:
Redirect
Blacklist
Do Not Respond
Log
Redirect to notify the User & capture the Traffic
4. Response is redirected to another server
You may be infected!!
Matched queries are redirected to SIEM
Admins can receive alerts from SIEM
User connects to Walled Garden site
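Added example (not part of the original slides and not BlueCat code): a minimal Python sketch of the match-and-respond flow described above, covering the four policy actions and the SIEM event for matched queries. The feed contents, the walled-garden address, the parent-domain matching and the exact meaning of each action (for instance Blacklist answering NXDOMAIN) are assumptions made for illustration.

```python
# Added illustration; names, addresses and action semantics are assumptions.
from dataclasses import dataclass
from typing import Optional

WALLED_GARDEN_IP = "192.0.2.10"   # constructed (TEST-NET-1) walled-garden address

# Constructed feed: listed domain -> policy action.
FEED = {
    "malware.site.com": "redirect",
    "botnet.example": "blacklist",
    "dropper.example": "no_response",
    "adware.example": "log",
}

@dataclass
class Verdict:
    action: str                 # allow | redirect | blacklist | no_response | log
    rcode: Optional[str]        # None means: send no reply at all
    answer: Optional[str]       # A record handed to the client, if any
    siem_event: Optional[str]   # line forwarded to the SIEM on a match

def match(qname: str, feed: dict) -> Optional[str]:
    """Return the listed domain equal to qname or a parent of it, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # compare on label boundaries only
        if candidate in feed:
            return candidate
    return None

def decide(client: str, qname: str, upstream_ip: str, feed: dict = FEED) -> Verdict:
    """Apply the policy to one query; upstream_ip is what recursion would return."""
    listed = match(qname, feed)
    if listed is None:
        return Verdict("allow", "NOERROR", upstream_ip, None)
    action = feed[listed]
    event = f"dns-policy client={client} qname={qname} matched={listed} action={action}"
    if action == "redirect":
        return Verdict(action, "NOERROR", WALLED_GARDEN_IP, event)
    if action == "blacklist":
        return Verdict(action, "NXDOMAIN", None, event)
    if action == "no_response":
        return Verdict(action, None, None, event)
    return Verdict("log", "NOERROR", upstream_ip, event)  # log only, answer normally

if __name__ == "__main__":
    for q in ("cdn.malware.site.com.", "botnet.example", "www.example.org"):
        print(q, decide("10.0.0.5", q, "198.51.100.7"))
```

Matching on whole labels keeps a lookalike such as notmalware.site.com from being treated as a child of the listed malware.site.com.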
How to set up?
Automated Updates
Protection for all Devices
and all Applications
Self-maintained
Security Feed
Customizable Actions
Easy to set up
Nice, but what about external DNS?
External DNS Challenges
No Business
No DNS No Network
Real Threats to DNS Services
DNS Spoofing Attacks
[Diagram: Attacker, Real User, DNS Queries, Real Site, Fake Site; Redirected to Fake Server]
Real Threats to DNS Services
DNS Reflection/Amplification Attacks
[Diagram: Attackers, Spoofed Source Address, Victim, Victim 1, Victim 2, Target, Legitimate User]
What can be done to protect against them?
Anycast DNS
Same IP address, n identical DNS Servers
What can be done to protect against them?
DNS Security Extensions (DNSSEC)
[Diagram: Real User, DNS Queries, DNS Resolver, Root Servers, TLD, Real Authoritative DNS, False Authoritative DNS, Real Web Server, False Web Server, DNSSEC Signed RR, Unsigned RR]
Resolver validates authoritative Responses
What can be done to protect against them?
DNS Response Rate Limiting (RRL)
[Diagram: DNS with RRL, Malicious User, Normal User]
Normal QPS Volume
Abnormal # of Queries, but Responses Rate Limited by Admin
BlueCat Hosted DNS
For a secured external DNS Infrastructure
The Power of the Cloud
BlueCat Hosted DNS has it all:
DNS Security Extensions (DNSSEC)
DNS Response Rate Limiting (RRL)
Geographic Diversity (Anycast)
Processing Power and Bandwidth Capacity
BlueCat Hosted DNS
Reliability: 100% uptime (in over 9 years)
Redundancy: 18 global sites in 5 continents
Security: 24/7 anti-attack team
Scalability: providing additional DNS services
Yes nice, but how do you manage it all?
BlueCat Solution Components
Address Manager: DNS, DHCP and IPAM
Connector for Windows DNS/DHCP
DNS/DHCP Management
Automation Manager: System Integration
Automation Manager: Self-Service
Device Registration Portal
Self-Service
External Hosted DNS Service
Global Anycast DNS
DNS/DHCP Server
Anycast, DHCP-Failover, Clustering, DNSSEC and DNS Firewall
BlueCat Client Value for Management
Single Pane of Glass for all IP Information
Efficiency: Automate Provisioning from the IP up
Security: Visibility and Control with IPAM Data
Mobility: Simple for Users and maximum Control for IT
Scalability: Manage complex dual-stacked Networks
Thank you for your time.
Andreas Taudte
Sales Engineer
Luca Maiocchi
Territory Manager SE & Middle East
www.bluecatnetworks.com