In the previous blog post on DNS traffic inspection we covered how attackers target DNS systems. Attackers use Fast-Flux DNS techniques to rapidly change the servers hosting malware. Attackers control malware to change the DNS behavior on the end-user's computer or server. In this blog we are going to discuss the various techniques at your disposal to help gain visibility into these types of attacks. We also cover techniques for stopping these security incidents right from the start of an infection.

One method to increase the security of an enterprise via DNS is to use Response Policy Zone (RPZ) mechanisms. RPZ is a method of sharing DNS firewall information with DNS software like BIND. Based on the validity of the queried domain, the recursive DNS resolver can choose to allow or block the query, thus blocking the connection from taking place. Organizations can pre-populate the policy with malicious domains or addresses, or could obtain a "feed" of malicious Internet sites from another source. This is a type of reputation filtering, but it is DNS-based rather than implemented in the firewall or IPS. This type of solution can help prevent inbound unsolicited spam e-mail and help prevent end-users from connecting to sites hosting malware or botnet command and control networks.

The first component of Infoblox's secure DNS infrastructure is the Infoblox Advanced DNS Protection. This is a set of techniques that help thwart the most common attacks against the DNS infrastructure itself. The Infoblox DNS servers can detect, mitigate and alert if they are being attacked. The DNS security settings are configurable and tunable to suit the organization. Infoblox DNS systems are security hardened and even meet the government's EAL-2 certification.

Following is a diagram of the Infoblox Advanced DNS Protection system.

The Infoblox fortified appliances provide high availability and clustered resiliency through the Infoblox Grid system. The Infoblox DNS servers block the attacks while maintaining proper operation for the legitimate queries. The reporting server gives the DNS administrator up-to-the-minute reports on the security status and performance.

The second component of Infoblox's secure DNS infrastructure is the Infoblox DNS Firewall. The Infoblox DNS security firewall component performs DNS forensics and prevents systems from communicating with malicious Internet sites. It does this by integrating with your security perimeter system and by using RPZ technology to stop the DNS request from allowing the attack connectivity to take place. The Infoblox DNS Firewall can easily integrate with FireEye's malware protection system.

Following is a picture of how this DNS firewall operates.

The DNS firewall inspects all DNS traffic that is passing in and out of an organization. It is able to find the "needle in a haystack" and disarm malware before it starts to operate. The DNS firewall then provides reports and data extracts to other Security Information and Event Management systems (SIEMs) for security practitioners to take action to remediate the infections.

Operationalizing DNS Inspection and Firewalling

Organizations need to start to realize that they may not be able to stop the malware from entering the organization using traditional firewalls and IPS systems. Firewalls typically allow TCP ports 80 and 443 (Web browsing), and TCP and UDP port 53 (DNS traffic) to pass through unobstructed. Most malware leverages these weak outbound security policies to infect an enterprise's internal computers. If the assumption is made that the malware is already on the internal systems, then the focus should be on rapid early detection and remediation. The first activity that a piece of malware will perform is to make a DNS query for an Internet-based system. This could either be to "phone home" and connect to a command and control system, or to make a connection to download additional malware.
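To make the RPZ mechanism and the "needle in a haystack" detection step concrete, here is an added example (not Infoblox or BIND code): a small evaluator for RPZ-style QNAME policy records and a helper that applies it to resolver query logs to pick out the internal clients whose lookups were rewritten. The policy records, domain names, client addresses and the sinkhole address 192.0.2.10 are constructed for the example.

```python
# Constructed RPZ policy in zone-record form (owner, type, rdata); the
# record targets carry the RPZ actions a resolver applies to a matching QNAME:
#   CNAME .             answer NXDOMAIN        CNAME *.   answer NODATA
#   CNAME rpz-passthru. allow, exempt          A <addr>   redirect to sinkhole
#   *.name              covers every subdomain of name (not name itself)
RPZ_POLICY = [
    ("malware.example",      "CNAME", "."),
    ("*.malware.example",    "CNAME", "."),
    ("safe.malware.example", "CNAME", "rpz-passthru."),
    ("tracker.example",      "CNAME", "*."),
    ("*.c2.example",         "A",     "192.0.2.10"),
]

def _candidates(qname):
    """Owner names that can match qname: the exact name first, then
    wildcards from most to least specific, as RPZ precedence requires."""
    labels = qname.rstrip(".").lower().split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])

def evaluate(qname, policy=RPZ_POLICY):
    """Return (action, detail): 'nxdomain', 'nodata', 'redirect',
    'passthru', or 'allow' when no policy record matches."""
    table = {owner.lower(): (rtype, rdata) for owner, rtype, rdata in policy}
    for owner in _candidates(qname):
        if owner not in table:
            continue
        rtype, rdata = table[owner]
        if rdata == "rpz-passthru.":
            return ("passthru", owner)
        if rtype == "CNAME" and rdata == ".":
            return ("nxdomain", owner)
        if rtype == "CNAME" and rdata == "*.":
            return ("nodata", owner)
        if rtype == "A":
            return ("redirect", rdata)
        return ("allow", None)          # unrecognised record: fail open
    return ("allow", None)

def flag_infected(queries, policy=RPZ_POLICY):
    """Apply the policy to (client_ip, qname) pairs taken from resolver logs
    and return {client: [(qname, action), ...]} for rewritten queries: the
    internal hosts a DNS firewall would report to the SIEM for remediation."""
    hits = {}
    for client, qname in queries:
        action, _ = evaluate(qname, policy)
        if action in ("nxdomain", "nodata", "redirect"):
            hits.setdefault(client, []).append((qname, action))
    return hits
```

Note that an exact-name passthru record outranks the wildcard covering the same zone, which is how a known-good host inside a blocked domain is exempted without loosening the rest of the policy.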