Network Intelligence for a secured Network (2014-03-12)
1. BlueCat Network Intelligence
For a secured Network Infrastructure
Andreas Taudte
Sales Engineer
BlueCat
Luca Maiocchi
Territory Manager SE & Middle East
BlueCat
2. How did you secure your network?
Firewalls
Network Access Control
Anti-Virus
3. But, they have done the same...
http://www.pcworld.com/article/2087240/target-pointofsale-terminals-were-infected-with-malware.html
http://www.us-cert.gov/ncas/alerts/TA14-002A
http://www.pcworld.com/article/2086700/yahoo-malvertising-attack-linked-to-larger-malware-scheme.html
7. Typical Attack in Detail
The Client first looks up the Host IP. Many Attacks leverage DNS: addressing the Malware Host by Name (malware.site.com) allows the Attacker to change its IP (e.g. 54.235.223.101) without the need to update the Attack.
[Diagram: Client resolves malware.site.com to 54.235.223.101, then connects to that Host]
The Landscape has changed: DNS applies to all Applications & all Devices.
9. BlueCat Threat Protection
Security Feed and Response
Policy Zones to filter DNS Traffic
Recursive DNS Servers enabled to accept the BlueCat Security Feed
10. Typical Attack with BlueCat Threat Protection
Blocks Devices from resolving malicious Hosts
Another Layer of Depth for traditional Devices
Blocks Access to known Malware, Botnet and other Sites for non-traditional Devices
[Diagram: the Lookup of malware.site.com is blocked at the recursive DNS Server]
11. How it works
1. DNS Server downloads the List of known malicious Sites (updated every 5 minutes)
2. User queries for known malicious Content
3. DNS Server matches the Request against the List
4. Response is given according to Policy: Redirect, Blacklist, Do Not Respond, or Log
12. Redirect to notify the User & capture the Traffic
4. Response is redirected to another Server
5. User connects to the Walled Garden Site ("You may be infected!!")
6. Matched Queries are redirected to the SIEM
7. Admins can receive Alerts from the SIEM
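The Policy-Zone matching and response logic of slides 11 and 12, as an added example in Python (not BlueCat's product code): a recursive resolver loads a feed of known-bad Names, matches each Query against it (exact Name or closest listed parent Domain), and answers with a Redirect to a Walled Garden, NXDOMAIN, silence, or a normal Answer plus a Log Line for the SIEM. The feed format, the walled-garden address 10.0.0.250, the upstream answers in UPSTREAM and the JSON log shape are assumptions constructed for this example; 54.235.223.101 is the address from slide 7.

```python
"""DNS policy-zone filtering as on slides 11 and 12 (added example; not
BlueCat code).  A recursive resolver loads a feed of known-bad names,
matches every query against it (exact name or any parent domain) and
answers per entry: redirect to a walled garden, NXDOMAIN, silence, or
resolve-but-log.  The feed format, the walled-garden address
10.0.0.250, the upstream answers and the SIEM log shape are all
constructed for this example."""
import json
import time

WALLED_GARDEN_IP = "10.0.0.250"   # assumed internal "You may be infected" page
FEED_REFRESH_SECONDS = 300        # slide 11: list updated every 5 minutes

# Policy actions named on slide 11
REDIRECT = "redirect"        # answer with the walled-garden address
BLACKLIST = "blacklist"      # answer NXDOMAIN
DROP = "do-not-respond"      # send no response at all
LOG = "log"                  # resolve normally, but record the hit

# Constructed security feed: "<name> <action>", one entry per line.
SAMPLE_FEED = """
# name               action
malware.site.com     redirect
botnet-c2.example    blacklist
sinkhole.example     do-not-respond
tracker.example      log
""".splitlines()

# Constructed stand-in for real recursion to the authoritative servers.
UPSTREAM = {
    "malware.site.com": "54.235.223.101",   # address used on slide 7
    "tracker.example": "203.0.113.20",
    "www.example.com": "203.0.113.10",
}


def canonical(name):
    """Lowercase and strip the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.lower().rstrip(".")


class PolicyZone:
    def __init__(self):
        self.entries = {}      # canonical name -> action
        self.loaded_at = None

    def load_feed(self, lines, now=None):
        """Parse feed lines, skipping blanks and '#' comments."""
        self.entries = {}
        for line in lines:
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            name, action = line.split()
            if action not in (REDIRECT, BLACKLIST, DROP, LOG):
                raise ValueError(f"unknown action {action!r} for {name}")
            self.entries[canonical(name)] = action
        self.loaded_at = time.time() if now is None else now

    def needs_refresh(self, now=None):
        """True once the 5-minute feed interval has elapsed."""
        now = time.time() if now is None else now
        return self.loaded_at is None or now - self.loaded_at >= FEED_REFRESH_SECONDS

    def match(self, qname):
        """Return (feed_name, action) for qname or its closest listed parent,
        so an entry for botnet-c2.example also covers cdn.botnet-c2.example."""
        labels = canonical(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.entries:
                return candidate, self.entries[candidate]
        return None, None


def answer_query(zone, client_ip, qname, siem_log):
    """Return the answer dict for a query, or None when the policy is to
    stay silent.  Every policy hit is appended to siem_log as one JSON line."""
    matched, action = zone.match(qname)
    if matched is None:                       # not in the feed: resolve as usual
        return {"rcode": "NOERROR", "answer": UPSTREAM.get(canonical(qname))}
    siem_log.append(json.dumps({"client": client_ip, "qname": canonical(qname),
                                "feed_entry": matched, "action": action},
                               sort_keys=True))
    if action == REDIRECT:
        return {"rcode": "NOERROR", "answer": WALLED_GARDEN_IP}
    if action == BLACKLIST:
        return {"rcode": "NXDOMAIN", "answer": None}
    if action == DROP:
        return None
    return {"rcode": "NOERROR", "answer": UPSTREAM.get(canonical(qname))}   # LOG


if __name__ == "__main__":
    zone = PolicyZone()
    zone.load_feed(SAMPLE_FEED)
    log = []
    for q in ["malware.site.com.", "cdn.botnet-c2.example", "sinkhole.example",
              "tracker.example", "www.example.com"]:
        print(f"{q:28} -> {answer_query(zone, '192.0.2.5', q, log)}")
    print("\n".join(log))
```

The suffix walk in `match` is what makes one feed entry cover every Hostname under it, which matters for Malware that rotates Subdomains; the Log Line is written before the Policy Action so that even a silent "Do Not Respond" still produces the Event the SIEM alerts on.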
13. How to set up?
Automated Updates
Protection for all Devices and all Applications
Self-maintained Security Feed
Customizable Actions
Easy to set up
16. Real Threats to DNS Services
DNS Spoofing Attacks
[Diagram: the Attacker injects forged DNS Responses to the Real User's DNS Queries, so the User is redirected from the Real Site to a Fake Server]
17. Real Threats to DNS Services
DNS Reflection/Amplification Attacks
[Diagram: Attackers send DNS Queries with a spoofed Source Address (the Target's) to Victim 1 and Victim 2 (DNS Servers); the Servers' Responses are reflected onto the Target, alongside the Traffic of the Legitimate User]
18. What can be done to protect against them?
Anycast DNS
n identical DNS Servers announce the same IP Address, so Queries (and Attack Traffic) are spread across them instead of hitting a single Server
19. What can be done to protect against them?
DNS Security Extensions (DNSSEC)
[Diagram: the Real User's DNS Resolver sends DNS Queries along the Chain Root Servers -> TLD -> Real Authoritative DNS, which returns signed RRs pointing to the Real Web Server; the False Authoritative DNS returns unsigned RRs pointing to the False Web Server. Because the Resolver validates the authoritative Responses, only the signed Answer is accepted.]
20. What can be done to protect against them?
DNS Response Rate Limiting (RRL)
[Diagram: DNS with RRL; the Normal User sends a normal QPS Volume and is answered; the Malicious User sends an abnormal Number of Queries, but the Responses are rate-limited according to the Admin's Configuration]
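The Reflection/Amplification Attack of slide 17 and the RRL Defence of slide 20, simulated together in Python as an added example (not BlueCat's DNS Server code): Attackers send small Queries whose Source Address is forged to the Target, an authoritative Server answers with much larger Responses, and a Token Bucket per (Source /24, Response Identity) in the spirit of BIND-style RRL limits how many of those Responses reach the Target. The Query and Response Sizes, the Rates, the "slip" every second over-limit Response (a truncated TC=1 Reply a real Client would retry over TCP) and the Addresses are assumptions constructed for this example.

```python
"""DNS reflection/amplification (slide 17) and Response Rate Limiting
(slide 20) simulated in one place (added example; not BlueCat code).
Attackers send small queries whose source address is forged to the
Target; an authoritative server answers with much larger responses, which
land on the Target.  RRL keeps a token bucket per (client /24, response
identity) and, once a bucket is empty, drops the response or "slips" a
small truncated (TC=1) reply that a real client retries over TCP but that
is worthless for amplification.  Sizes, rates and addresses are constructed."""
from collections import defaultdict
import ipaddress

QUERY_BYTES = 64        # small UDP query (header + "example.com ANY")
RESPONSE_BYTES = 3000   # constructed large answer (ANY / DNSSEC-sized)
TC_BYTES = 64           # a slipped TC=1 reply carries only the question


def amplification_factor(sent_bytes, reflected_bytes):
    """Bytes delivered to the Target per byte the Attackers had to send."""
    return reflected_bytes / sent_bytes


class ResponseRateLimiter:
    """Token bucket per (source /24, response identity), in the spirit of
    BIND-style RRL: responses_per_second tokens refill each second, up to a
    burst of responses_per_second * window; every slip-th over-limit
    response is answered with TC=1 instead of being dropped."""

    def __init__(self, responses_per_second=5, window=15, slip=2):
        self.rate = responses_per_second
        self.burst = responses_per_second * window
        self.slip = slip
        self.buckets = {}                   # key -> (tokens, last_seen_ts)
        self.over_limit = defaultdict(int)  # key -> over-limit count

    @staticmethod
    def key(client_ip, identity):
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), identity)

    def decide(self, client_ip, identity, ts):
        """Return 'respond', 'slip' or 'drop' for one response at time ts."""
        k = self.key(client_ip, identity)
        tokens, last = self.buckets.get(k, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)   # refill
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, ts)
            return "respond"
        self.buckets[k] = (tokens, ts)
        self.over_limit[k] += 1
        if self.slip and self.over_limit[k] % self.slip == 0:
            return "slip"
        return "drop"


def simulate_flood(limiter, n_queries, target_ip="192.0.2.7",
                   identity=("example.com", "ANY")):
    """n_queries spoofed as target_ip arrive within one second.
    Returns (bytes sent by attackers, bytes reflected onto target, verdicts)."""
    sent = QUERY_BYTES * n_queries
    reflected = 0
    verdicts = {"respond": 0, "slip": 0, "drop": 0}
    for _ in range(n_queries):
        v = limiter.decide(target_ip, identity, ts=0.0) if limiter else "respond"
        verdicts[v] += 1
        reflected += {"respond": RESPONSE_BYTES, "slip": TC_BYTES, "drop": 0}[v]
    return sent, reflected, verdicts


if __name__ == "__main__":
    for name, lim in [("no RRL", None), ("RRL 5 rps", ResponseRateLimiter())]:
        sent, refl, v = simulate_flood(lim, 1000)
        print(f"{name:10} sent={sent} reflected={refl} "
              f"x{amplification_factor(sent, refl):.1f} {v}")
```

Keying the Bucket on the Source /24 rather than the single forged Address is what stops an Attacker from sidestepping the Limit by cycling through Addresses in the Target's Subnet, and keying on the Response Identity keeps the Normal User's different Queries unaffected; the slipped TC=1 Replies are the Reason a Legitimate Client behind the same Prefix still gets through over TCP.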
22. The Power of the Cloud
BlueCat Hosted DNS has it all:
DNS Security Extensions (DNSSEC)
DNS Response Rate Limiting (RRL)
Geographic Diversity (Anycast)
Processing Power and Bandwidth Capacity
23. BlueCat Hosted DNS
Reliability: 100% uptime (in over 9 years)
Redundancy: 18 global sites in 5 continents
Security: 24/7 anti-attack team
Scalability: providing additional DNS Services
25. BlueCat Solution Components
Address Manager: DNS, DHCP and IPAM
Connector for Windows DNS/DHCP: DNS/DHCP Management
Automation Manager: System Integration
Automation Manager Self-Service (Device Registration Portal): Self-Service
External Hosted DNS Service: Global Anycast DNS
DNS/DHCP Server: Anycast, DHCP-Failover, Clustering, DNSSEC and DNS Firewall
26. BlueCat Client Value for Management
Single Pane of Glass for all IP Information
Efficiency: Automate Provisioning from the IP up
Security: Visibility and Control with IPAM Data
Mobility: Simple for Users and maximum Control for IT
Scalability: Manage complex dual-stacked Networks
27. Thank you for your time.
Andreas Taudte
Sales Engineer
Luca Maiocchi
Territory Manager SE & Middle East
www.bluecatnetworks.com
A DNS reflection attack is a popular form of denial of service (DoS) that abuses an inherent weakness of the DNS protocol (UDP transport without verification of the source address) to overwhelm a target system with DNS response traffic from victims' authoritative servers.