Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM

© 2013 Infoblox Inc. All Rights Reserved.
L. Francisco Abarca, Director Sales LATAM
Expanding Your Network Security
1

Infoblox Overview & Business Update
($MM)
$35.0
$56.0
$61.7
$102.2
$132.8
$169.2
$0
$20
$40
$60
$80
$100
$120
$140
$160
$180
FY2007 FY2008 FY2009 FY2010 FY2011 FY2012
Total Revenue
(Fiscal Year Ending July 31)
Founded in 1999
Headquartered in Santa Clara, CA
with global operations in 25 countries
Market leadership
•  Gartner “Strong Positive” rating
•  40%+ Market Share (DDI)
6,100+ customers, 45,000+
systems shipped
20 patents, 27 pending
IPO April 2012: NYSE BLOX
Leader in technology
for network control
2

Conventional Networks –
Static and Simple
192.168.255.255
132.18.255.45 126.78.255.35 72.168.21.135
72.168.21.135
72.168.21.135
Static
IPv4
Rudimentary
Tools for Control
Manually
Configured
3

Next Generation Networks –
Very Complex
132.18.255.45 126.78.255.35
72.168.21.135
72.168.21.135
2001:0fb8:85a3:0000:0000:8a2e:6332:4328
2001:0db8:85a3:0000:0000:8a2e:3375:9356
2001:0db8:85a3:0000:0000:8a2e:2385:3690
2001:0db8:85a3:0000:0000:8a2e:0647:8574
2001:0db8:85a3:0000:0000:8a2e:5330:7854
2001:0db8:85a3:0000:0000:8a2e:5370:6954
VM
VM
Expensive
Manual Inflexible
VM
VM
4

Triggers that are Redefining the Network
THREAT LANDSCAPE
MOBILE DEVICE
EXPLOSION
CLOUD /
VIRTUALIZATION
CONSOLIDATION
SOFTWARE DEFINED
NETWORKS
IPv6 TRANSITION
5

Traditional Approach
CONTROLPLANE
APPS&
END-POINTS
END POINTS VIRTUAL MACHINES PRIVATE CLOUD APPLICATIONS
NETWORK
INFRASTRUCTURE
FIREWALLS SWITCHES ROUTERS WEB PROXY LOAD BALANCERS
Complexity
Risk & Cost
Agility
Flexibility
QIPMICROSOFT DHCPMICROSOFT DNS VMWARE DNS UNIX BIND
SCRIPTS COMMAND LINE
6

What We Do:
Innovative Technology for Network Control
APPS&
END-POINTS
END POINTS VIRTUAL MACHINES PRIVATE CLOUD APPLICATIONS
NETWORK
INFRASTRUCTURE
FIREWALLS SWITCHES ROUTERS WEB PROXY LOAD BALANCERS
CONTROLPLANE
Infoblox GridTM
w/ Real-time
Network Database
Historical /Real-time
Reporting & Control
7

Expanding Your Network Security
8

Maintaining Security with Infoblox
Compliance & Policy Standardization
Enforce
Firewall ACL & Rule Automation
Control
Secure
DNS, DHCP and IP Address Management DNS Firewall
Protect
9

DNS, DHCP and IP Address Management
Secure
10

Security Risks with Conventional Approach
þ  Dedicated hardware with no unnecessary logical
or physical ports
þ  No OS-level user accounts – only admin accts
þ  Immediate updates to new security threats
þ  Secure HTTPS-based access to device
management
þ  No SSH or root-shell access
þ  Task-specific network appliance
–  Many open ports subject to attack
–  Users have OS-level account privileges on
server
–  Requires time-consuming manual updates
–  Requires multiple applications for device
management
Conventional Server Approach Infoblox Appliance Approach
Multiple
Open Ports
Limited
Port Access
Infoblox
Update
Service
Secure
Access
11

Security – Purpose Built Appliances
§  Task specific hardware
§  Restrictive/hardened Linux OS
§  Root access disabled
§  Simple VRRP-based HA setup
§  Active/active DR recovery
§  Common Criteria EAL-2 Cert.
§  128-bit AES Grid VPN comm.
§  FIPS 140-2 certification
§  DNS Firewall / RPZ protection
§  Fast/easy upgrades
12

Security – Purpose Built OS (NIOS)
§  Central view & management
§  Role-based admin controls
§  6 authentication methods
§  Two factor Auth. (CAC/PKI)
§  HTTPS Web access
§  Detailed audit logging
§  1-click DNSSEC
§  SSL-Based REST/Perl API
§  DNS blacklisting / re-directs
§  Anycast (BGP/OSPF)
§  GSS-TSIG & TSIG
§  Robust DDI Reporting
13

Infoblox Grid a Key Differentiator
Simple, Secure, Reliable
External DNS
Grid Member
Virtual
Environment
Grid Master Candidate
at Recovery Site
Internal
Grid Members
IPAM
Insight
Grid Master
Branch Offices
A collection of High
Availability member
appliances
Coordinated by the
Grid Master
Sharing a distributed database
Communicating via
an SSL VPN
§  Centralized visibility
and control
§  Real time IPAM & discovery
§  Automated failover and DR
14

Fast Responses to Security Incidents
§  3 Major Feature Releases
a year
§  Several patch/
maintenance releases
§  Security vulnerabilities
addressed within hours
§  Dedicated “Customer
Engineering team”
focused on resolving
customer issues
15

Enhancing External DNS Security
Cryptographically
signed DNS data
DNS Root
2nd Level Domain
nth Level Domain
DNSSEC helps
to mitigate hijacking
threats such as the
Kaminsky attack
Manual Tasks
§  Numerous manual procedures
for BIND, Microsoft DNS or
other systems
§  Cumbersome and repetitive
maintenance and key refresh
procedures
§  Specialized knowledge resides
(and leaves) with admin
Infoblox Solution
§  Automated
deployment process
§  Automated key refresh
§  Automated maintenance
§  Knowledge and best practices
embedded in system
TrustChain
16

DNSSEC in 1-Click
§  No scripts / Auto-Resigning / 1-click
§  Central configuration of all DNSSEC parameters
§  Automatic maintenance of signed zones
17

Automated IP Address Management
§  Tracks what’s connected on the network
§  Enhances IP allocation through automation
§  Increases accuracy with continuous updates
§  Helps with IPv4 to IPv6 migrations
18

Role Based Administration
Visibility for Multiple Audiences
IPAM admin Track how effectively provisioned networks being used
DNS admin See heavy users, what are the top sites being queried
DHCP admin Improve lease history, find most active DHCP clients
Security admin Improve traceability for compliance purposes
Network admin Understand subnet utilization for planning purposes
Helpdesk Better “at a glance” visibility into current state of DDI
Management Provide simple, presentable reporting formats on trends
19

CAC / PKI Login Enhancement
User Name pulled
automatically from
the Smart Card
certificate
MSFT AD
RADIUS
TACACS+
local
continue to be
user authentication

CAC / PKI Access Protection
21
GUI locks when Smart Card is removed

IB-4030 Recursive DNS w/ DDOS
Performance
§  A carrier grade DNS recursive appliance with over 1M DNS
queries per second
Software
§  Built-in threat protection
§  URL Blacklisting / NXDOMAIN Redirection
§  Cache pre-fetching and DNSSEC
World’s Most Scalable, Secure, and Manageable DNS Caching Server
22

Infoblox DNS Firewall
Protect
23

Overall Malware Threats Booming
§  Average over 7 million new Malware
threats per quarter in 2012*
§  Mobile threats grew about 10X in 2012*
§  855 successful breaches / 174 million
records compromised in 2012**
§  69% of successful breaches
utilized Malware**
§  54% took months to discover,
29% weeks**
§  92% discovered by external party**
0
2,000,000
4,000,000
6,000,000
8,000,000
10,000,000
Q1
2010
Q2
2010
Q3
2010
Q4
2010
Q1
2011
Q2
2011
Q3
2011
Q4
2011
Q1
2012
Q2
2012
Q3
2012
New Malware
0
5,000
10,000
15,000
20,000
25,000
2004 2005 2006 2007 2008 2009 2010 2011 2012
Total Mobile Malware Samples in the Database
Startling Statistics
* Source: McAfee Threats Report: Third Quarter 2012
** Source: Verizon Security Study 2012
24

Customer Challenge: New Class of Malware
DNS HAS BECOME A TARGET PATHWAY FOR A NEW CLASS OF MALWARE
DNS INFRASTRUCTURE IS THE ONLY WAY TO DEFEND AGAINST THIS TYPE OF MALWARE
COMMUNICATION
PROTOCOL
BECAME MAINSTREAM
PATHWAY FOR MALWARE
IRC (Chat) 1999
HTTP 2004
P2P 2007
DNS 2011
25

DNS Firewall – Complement Existing Security
§  Traditional or next generation firewall
(e.g. Checkpoint, Juniper, Palo Alto, Imperva, Cisco, etc.)
§  Anti-Virus
(e.g. Symantec, McAfee, Webroot, Kapersky, etc.)
§  Email / Web security
(e.g. Blue Coat, McAfee, Websense)
§  Advance Persistent Threat (APT)
(e.g. Damballa, FireEye)
§  Security Information and Event Management (SIEM)
(e.g. Trustwave, McAfee, Q1Labs)
26

Write to Syslog
and send to
Trinzic
Reporting
Introducing Infoblox DNS Firewall
Reputational Feed
from Infoblox
Landing Page /
Walled Garden
Infected
Client
Infoblox DNS Firewall /
Recursive DNS Server
Redirect
Dynamic Grid-Wide
Policy Distribution
Dynamic
Policy Update
Block / Disallow
session
Contact botnetLink to malicious
www.badsite.com
Apply Policy
27

Detailed Tracking and Reporting Options
§  Automatic reporting
§  Top Infected Clients
§  Malicious requested
domains and number of
requests
§  Lease history by MAC
address with detailed
drill down
Security Policy Violations Report
28

§  1/30/13 NY Times article – NY Times victim of hacker /
malware attacks over 4 months originating in China*
§  The Attack
–  Initial infection: Phishing / Spear Phishing
–  Botnet / attackers changed IP addresses; used
compromised US University machines as proxies
–  Utilized over 45 types of malware, only 1 caught by the
Anti-Virus defense
§  Why so difficult to detect
–  Malware/attacks designed to circumvent firewalls, web
filtering, antivirus, and other defenses
–  Appears it used DNS to locate the botnet controller
§  How DNS Firewall could have helped
–  Probably prevented infection via phishing
–  Disrupted botnet communications to China
–  Report Server: Early alert of attacks
Perfect Breach Example – New York Times Attack
29

© 2013 Infoblox Inc. All Rights Reserved. 30
APT / Botnet Malware Requires a New Approach
§  Existing security approaches
do not effectively address malware
that exploits DNS. Examples:
–  Malware repacks to avoid signature-based
detection
–  Botnet controllers typically change URLs
dynamically to circumvent Web Filters
–  Botnet controllers change IP addresses /
use other techniques to circumvent
Firewalls
* http://www.securityweek.com/why-dns-firewalls-should-become-next-hot-thing-enterprise-security
“… DNS firewalls likely would have prevented the
success of more than 80 percent of these attacks.”*
30

Infoblox Security Device Controller
Control
31

DHCP Fingerprint
32

Very Simple, Un-Intrusive, No Discovery Overhead
33
DHCPDISCOVER Option Sequence 1,15,3,6,44,46,47,31,33,121,249,43
Windows 7
DHCPOFFER
Option Sequence 1,3,6,15,119,78,79,95,252
iPad
DHCPOFFER
DHCPDISCOVER
X

Control - What you don’t know
Enhanced DHCP Lease Information
34
Sort
Filter
Smart Folder

Control - What you don’t know
Custom DHCP Fingerprint Management
35

Control – Through Network Planning
Device Trend
What devices are
being used
where?
Is a certain
device trending
up, or down?
36

Control – Through Network Planning
Top Device
What are the top
devices?
Click on the
device type to
view IP/MAC
information
37

SDC
38

Network Security Management: Today
39

Manual
The Pain of Legacy Processes
Legacy
Approach
Hours/
Days
Firewall
Change
Needed
1
Search
For
Devices
2
Figure Out
Impacted
Devices
3
Determine
Correct
Config
4
Compare
Change to
Standards/
Compliance
5
Request
Change/
Implement
Manually
6
Reconfirm
Correctness
and
Compliance
Hours/DaysNetwork Provisioning Time
§  Manual processes cannot keep up
§  SLA are lengthening to weeks or a even a month
§  Require dedicated, senior network architects
–  Routine, repetitive, error-prone
–  Multiple vendor expertise needed
40

CHANGE
REQUEST
MULTI-
VENDOR
FIREWALL
MULTI-
VENDOR
ROUTER/
FIREWALL
MULTI-
VENDOR
FIREWALL
MULTI-
VENDOR
SWITCH/
FIREWALL
Infoblox Security Device Controller
§  Increases speed and accuracy of new service deployment
§  Improves SLAs with automated provisioning
§  Reduce risk with embedded intelligence and modeling
§  Reduce errors & over-reliance on high level engineers
SERVICE/
APPLICATIONUSER
APPROVED
CHANGE
IT TICKETING
SYSTEM
41

Five Pillars of Controlling Security Devices
Embedded
Expertise
Automated
Discovery
Multi-vendor
Provisioning
Customized
Alerting
Powerful
Search
42

Automated Network Discovery
Simple and complete
network-wide discovery
Powerful topology to
visualize path
43

Embedded Expertise
Built-in intelligence
automatically provides
detailed ACL/rule views
Detects problems like
unused, overlapping
and duplicate rules
out-of-the box
44

Powerful Search
Search results identify
all matching devices
including vendor
specific syntax
Easily customize search
criteria for one or
multiple devices
45

Customizable Alerting
Immediately identify and
track defined alerts to
allow or deny access
Create Alerts for both
Blacklisting and
Whitelisting
46

Multi-vendor Provisioning
Maintain control with
user-based access
rights and change
process
Provision changes in
the same platform and
view the vendor-specific
syntax
47

Manual
The Power of Infoblox
Legacy
Approach
Infoblox
Approach
Hours/
Days
1 62 3 4 5
Automated
Days/
Weeks
Firewall
Change
Needed
1
Search
For
Devices
2
Figure Out
Impacted
Devices
3
Determine
Correct
Config
4
Compare
Change to
Standards/
Compliance
5
Request
Change/
Implement
Manually
6
Reconfirm
Correctness
and
Compliance
Firewall
Change
Needed
48

Compliance, Internal Policies & Best Practices
Enforce and Maintain
49

Standard
ConfigurationsAuditability
Process
Enforcement
Secure
Configurations
User Permission
Control
Visibility &
Documentation
Continuous
Monitoring
Change Tracking
Standardization and Compliance Drivers
Regulatory or
Industry Mandates
Corporate Security
Policies
Engineering Team
Best Practices
50

Common Standardization & Compliance Situation
§  Requirements are
researched and documented
§  Normally not thought
of until:
–  An audit is required
–  Something breaks
§  Believe the processes are
good best practices but:
–  Staff is too busy doing
everything else to
be proactive
51

Compliance Monitoring Best Practices
Define &
Customize
Rules/Policies
Segment
Policies to
Devices
Track and Audit
Configurations
and Changes
Continuously
Review for
Compliance
Proactive
Notification for
Violations
Automated
Reports
52

Infoblox Network Automation Overview
• Network discovery
• Built-in analysis
• Check against best practices
• Detect issues
• Monitor and manage change
• Automate change
• Maintain compliance
• Provision ACL & rules
Collected Via:
SNMP
CLI/configuration
Syslog
Fingerprinting
Real-time & Historical
Analysis
53

Standardization - Compliance Management
Embedded
compliance rules
Customizable best
practice templates
Manage multiple
policies
Proactive violation
detected
Multiple remediation
options
Current and
historical views
54

Configuration Analysis
Unique pre-packaged
expertise
Identifies common
misconfigurations
Customizable
alerting
Recommended
remediation options
Understand concept
of the network
Network Scorecard
views
55

Powerful Reporting
Single-click
compliance reports
Pre-packaged and
customizable
Powerful filtering
Executive and
detailed reports
On-demand or
scheduled
User-based view
rights
56

Value of Network Standardization
Verify your “desired state” to
the “as is state”
§  Improve network stability and
consistency
§  Reduce manual processes
§  Eliminate extensive, time-
consuming audit teams
§  Increase accuracy with
automation and embedded
expertise
§  Focus on building secure
infrastructure instead of waiting
for audits
57

Infoblox Value To Our Customer
58
Secure
•  Secure hardware form-factor & hardened OS
•  Designed to minimize vulnerabilities and
attack surfaces
•  Common Criteria certified
•  GridTM technology for fault tolerance,
easy updates and one-click DR
•  Optimized for enterprise demand & performance
•  Authoritative source for network dataAvailable
•  Powerful automation of manual processes
•  Reduce change errors & assure compliance
•  Save time, money and effort
Automated
Automated
SecureAvailable
Infoblox makes networks more available, secure and automated

Thank You
59

Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM

Similar to Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM (20)

More from Mundo Contact

More from Mundo Contact (20)

Recently uploaded

Recently uploaded (20)

Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM