network intelligence for a secured network (2014-03-12)
DESCRIPTION
Comguard's Event for Emerging Threats in Doha on 12th of March 2014
TRANSCRIPT
![Page 1: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/1.jpg)
BlueCat Network Intelligence
For a secured Network Infrastructure
Andreas Taudte
Sales Engineer
BlueCat
Luca Maiocchi
Territory Manager SE & Middle East
BlueCat
![Page 2: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/2.jpg)
How did you secure your network?
Firewalls
Network Access Control
Anti-Virus
![Page 3: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/3.jpg)
But, they have done the same...
http://www.pcworld.com/article/2087240/target-pointofsale-terminals-were-infected-with-malware.html
http://www.us-cert.gov/ncas/alerts/TA14-002A
http://www.pcworld.com/article/2086700/yahoo-malvertising-attack-linked-to-larger-malware-scheme.html
![Page 4: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/4.jpg)
...and they also.
http://securityaffairs.co/wordpress/22081/cyber-crime/cert-polska-detected-large-scale-dns-hacking-home-routers.html
http://www.techweekeurope.co.uk/news/china-internet-outage-dns-hack-136759
http://www.cloudshield.com/blog/dns-security-expert-series/groundhog-day-for-dns-ddos-attack-announcements/
![Page 5: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/5.jpg)
Typical Attack
Client connects to malicious Site unknowingly
Client downloads the malicious Code
Client becomes infected
Diagram label: malware.site.com
![Page 6: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/6.jpg)
Typical Protection
Client: Security Software
Network: Filtering Software related to Protocol
Exit: Packet Inspection on a Firewall
![Page 7: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/7.jpg)
Typical Attack in Detail
Client first looks up the Host IP
Many Attacks leverage DNS
Allows the IP to be changed w/o needing to update the Attack
Diagram labels: malware.site.com resolves to 54.235.223.101
The Landscape has changed: DNS applies to all Applications & all Devices.
![Page 8: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/8.jpg)
BlueCat Threat Protection
For a secured DNS Infrastructure
![Page 9: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/9.jpg)
BlueCat Threat Protection
Security Feed and Response
Policy Zones to filter DNS Traffic
Recursive DNS Servers enabled to accept the BlueCat Security Feed
![Page 10: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/10.jpg)
Typical Attack with BlueCat Threat Protection
Blocks Devices from resolving malicious Hosts
Another Layer of Depth for traditional Devices
Blocks Access to known Malware, Botnet and other Sites for non-traditional Devices
Diagram label: malware.site.com
![Page 11: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/11.jpg)
How it works
1. DNS server downloads list of known malicious sites (updated every 5 minutes)
2. User queries for known malicious content
3. DNS server matches request against list
4. Response is given according to policy: Redirect, Blacklist, Do Not Respond, Log
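The four steps above, worked through as an added example; this is not BlueCat's code and not the product's implementation. It models a recursive resolver that holds a downloaded feed, matches each query name (and its parent domains) against it, and answers according to one of the four policy actions on the slide, logging every match for the SIEM. The class and function names, the constructed feed and the walled-garden address are assumptions made for illustration.

```python
"""Added example, not BlueCat's code: a minimal DNS response-policy matcher
that walks the four steps on the slide (load the feed, receive a query, match
it against the feed, answer according to policy). The class and function
names, the constructed feed and the walled-garden address are assumptions
made for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Action(Enum):
    """The four policy actions named on the slide."""
    REDIRECT = "redirect"                 # answer with the walled-garden address
    BLACKLIST = "blacklist"               # answer NXDOMAIN
    DO_NOT_RESPOND = "do_not_respond"     # send nothing back
    LOG = "log"                           # answer normally, only record the hit


@dataclass
class Decision:
    action: Optional[Action]   # None when the name is not on the feed
    matched: Optional[str]     # the feed entry that matched, if any
    answer: Optional[str]      # None means no response is sent at all


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Evil.Example.' equals 'evil.example'."""
    return name.rstrip(".").lower()


class PolicyEngine:
    def __init__(self, feed: Iterable[str], action: Action,
                 walled_garden: str = "192.0.2.10") -> None:
        # Constructed walled-garden address taken from the documentation range (RFC 5737).
        self.feed: set = set()
        self.update_feed(feed)
        self.action = action
        self.walled_garden = walled_garden
        self.hits: List[Tuple[str, str, str]] = []   # (client, qname, matched) for the SIEM

    def update_feed(self, feed: Iterable[str]) -> None:
        """Step 1: (re)load the list of known malicious sites, e.g. every 5 minutes."""
        self.feed = {normalize(n) for n in feed}

    def match(self, qname: str) -> Optional[str]:
        """Step 3: a name matches if it, or any parent domain of it, is on the feed."""
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.feed:
                return candidate
        return None

    def resolve(self, client: str, qname: str, upstream_answer: str) -> Decision:
        """Steps 2 and 4: take one query and produce the answer the policy allows."""
        hit = self.match(qname)
        if hit is None:
            return Decision(None, None, upstream_answer)    # not on the feed: pass through
        self.hits.append((client, qname, hit))               # every match is logged
        if self.action is Action.REDIRECT:
            answer: Optional[str] = self.walled_garden
        elif self.action is Action.BLACKLIST:
            answer = "NXDOMAIN"
        elif self.action is Action.DO_NOT_RESPOND:
            answer = None
        else:                                                # Action.LOG
            answer = upstream_answer
        return Decision(self.action, hit, answer)


# Constructed feed for the demonstration; malware.site.com is the slide's own label.
FEED = ["malware.site.com", "Evil.Example."]

if __name__ == "__main__":
    engine = PolicyEngine(FEED, Action.REDIRECT)
    for name in ["cdn.malware.site.com.", "notmalware.site.com", "evil.example"]:
        print(name, engine.resolve("10.0.0.5", name, "54.235.223.101"))
    print("hits:", engine.hits)
```

The parent-domain walk is what makes a feed entry for `malware.site.com` also cover `cdn.malware.site.com`, while `notmalware.site.com` is left alone; with the Do Not Respond action the client receives nothing and will time out, which is why a Redirect to a walled garden is the friendlier choice for managed users.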
![Page 12: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/12.jpg)
Redirect to notify the User & capture the Traffic
4. Response is redirected to another server
Steps 5 to 7:
User connects to Walled Garden site, which shows "You may be infected!!"
Matched queries are redirected to SIEM
Admins can receive alerts from SIEM
![Page 13: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/13.jpg)
How to set up?
Automated Updates
Protection for all Devices and all Applications
Self-maintained Security Feed
Customizable Actions
Easy to set up
![Page 14: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/14.jpg)
Nice, but what about external DNS?
![Page 15: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/15.jpg)
External DNS Challenges
No DNS, no Network, no Business
![Page 16: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/16.jpg)
Real Threats to DNS Services
DNS Spoofing Attacks
Diagram: the Attacker spoofs DNS responses, so the Real User's DNS Queries are redirected to the Fake Server (REAL SITE versus FAKE SITE).
![Page 17: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/17.jpg)
Real Threats to DNS Services
DNS Reflection/Amplification Attacks
Diagram: Attackers send queries with a Spoofed Source Address to Victim 1 and Victim 2, whose responses are reflected onto the Target; a Legitimate User is shown for comparison.
![Page 18: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/18.jpg)
What can be done to protect against them?
Anycast DNS
Same IP address on identical DNS Servers
![Page 19: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/19.jpg)
What can be done to protect against them?
DNS Security Extensions (DNSSEC)
Diagram: the Real User's DNS Queries go through the DNS Resolver to the Root Servers, the TLD and the Real Authoritative DNS (DNSSEC Signed RR), while the False Authoritative DNS can only offer Unsigned RR; Real Web Server versus False Web Server.
Resolver validates authoritative Responses
![Page 20: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/20.jpg)
What can be done to protect against them?
DNS Response Rate Limiting (RRL)
Diagram: DNS with RRL. Normal User: normal QPS Volume. Malicious User: abnormal # of Queries, but Responses Rate Limited by Admin.
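As an added example of the rate limiting the slide describes (not BlueCat's code and not the product's implementation), the following token-bucket model keys its buckets the way RRL implementations do: by client network prefix, query name and response type. A flood of spoofed queries for one name toward one victim prefix is throttled, while other clients asking for the same name are answered normally. The class name, the rate values and the sample addresses are assumptions made for illustration.

```python
"""Added example, not BlueCat's code: a token-bucket model of DNS Response
Rate Limiting (RRL). Buckets are keyed by the client's network prefix, the
query name and the response type; the class name, the rate values and the
sample addresses are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Bucket:
    tokens: float        # responses still allowed in this window
    last: float          # time of the last update (seconds)
    suppressed: int = 0  # responses withheld since the bucket ran dry


class ResponseRateLimiter:
    def __init__(self, responses_per_second: float, window: float = 15.0,
                 slip: int = 2, prefix_v4: int = 24, prefix_v6: int = 56) -> None:
        self.rate = responses_per_second                  # refill rate of a bucket
        self.max_tokens = responses_per_second * window   # burst allowance per bucket
        self.slip = slip     # every Nth suppressed response is truncated instead of dropped
        self.prefix_v4, self.prefix_v6 = prefix_v4, prefix_v6
        self._buckets: Dict[Tuple[str, str, str], Bucket] = {}

    def _key(self, client_ip: str, qname: str, rcode: str) -> Tuple[str, str, str]:
        """Aggregate per prefix so many spoofed source IPs in one network share a bucket."""
        addr = ipaddress.ip_address(client_ip)
        plen = self.prefix_v4 if addr.version == 4 else self.prefix_v6
        net = ipaddress.ip_network((addr, plen), strict=False)
        return (str(net), qname.rstrip(".").lower(), rcode)

    def check(self, client_ip: str, qname: str, rcode: str, now: float) -> str:
        """Return 'respond', 'slip' (a truncated reply, so a genuine client retries
        over TCP where the source address cannot be spoofed) or 'drop'."""
        key = self._key(client_ip, qname, rcode)
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = self._buckets[key] = Bucket(tokens=self.max_tokens, last=now)
        # Refill in proportion to the elapsed time, capped at the burst allowance.
        bucket.tokens = min(self.max_tokens, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            bucket.suppressed = 0
            return "respond"
        bucket.suppressed += 1
        if self.slip and bucket.suppressed % self.slip == 0:
            return "slip"
        return "drop"


def simulate_flood(limiter: ResponseRateLimiter, spoofed_victim_ip: str,
                   qname: str, count: int, t: float = 0.0) -> Dict[str, int]:
    """Count what happens to `count` back-to-back responses toward one spoofed victim."""
    outcome = {"respond": 0, "slip": 0, "drop": 0}
    for _ in range(count):
        outcome[limiter.check(spoofed_victim_ip, qname, "NOERROR", t)] += 1
    return outcome


if __name__ == "__main__":
    # Constructed scenario: 5 responses/second, a 1-second burst window, slip every 2nd.
    rrl = ResponseRateLimiter(responses_per_second=5, window=1, slip=2)
    print("flood toward 198.51.100.7:", simulate_flood(rrl, "198.51.100.7", "example.com", 8))
    print("other client at the same moment:", rrl.check("203.0.113.5", "example.com", "NOERROR", 0.0))
    print("victim again one second later:", rrl.check("198.51.100.7", "example.com", "NOERROR", 1.0))
```

The slip outcome is the part worth noting for operations: a real client behind the limited prefix still gets a truncated answer and retries over TCP, whereas the reflected UDP traffic toward the victim is cut to the configured rate. Dropping everything would make the limiter itself a denial-of-service lever against that prefix.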
![Page 21: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/21.jpg)
BlueCat Hosted DNS
For a secured external DNS Infrastructure
![Page 22: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/22.jpg)
The Power of the Cloud
BlueCat Hosted DNS has it all:
DNS Security Extensions (DNSSEC)
DNS Response Rate Limiting (RRL)
Geographic Diversity (Anycast)
Processing Power and Bandwidth Capacity
![Page 23: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/23.jpg)
BlueCat Hosted DNS
Reliability: 100% uptime (in over 9 years)
Redundancy: 18 global sites in 5 continents
Security: 24/7 anti-attack team
Scalability: providing additional DNS services
![Page 24: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/24.jpg)
Yes nice, but how do you manage it all?
![Page 25: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/25.jpg)
BlueCat Solution Components
Address Manager: DNS, DHCP and IPAM
Connector for Windows DNS/DHCP: DNS/DHCP Management
Automation Manager: System Integration
Automation Manager: Self-Service
Device Registration Portal: Self-Service
External Hosted DNS Service: Global Anycast DNS
DNS/DHCP Server: Anycast, DHCP-Failover, Clustering, DNSSEC and DNS Firewall
![Page 26: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/26.jpg)
BlueCat Client Value for Management
Single Pane of Glass for all IP Information
Efficiency: Automate Provisioning from the IP up
Security: Visibility and Control with IPAM Data
Mobility: Simple for Users and maximum Control for IT
Scalability: Manage complex dual-stacked Networks
![Page 27: Network Intelligence for a secured Network (2014-03-12)](https://reader033.vdocuments.net/reader033/viewer/2022061213/5498efe8b479590e358b459d/html5/thumbnails/27.jpg)
Thank you for your time.
Andreas Taudte
Sales Engineer
Luca Maiocchi
Territory Manager SE & Middle East
www.bluecatnetworks.com