© 2013 Infoblox Inc. All Rights Reserved.
Protecting Critical Network Infrastructure
Krupa Srivatsan | Senior Product Marketing Manager
January 2014


Page 1: Protecting Critical Network Infrastructure (title slide)

Page 2: Agenda

• Infoblox Overview
• Security Challenges
• Infoblox Solutions
  • Advanced DNS Protection
  • DNS Firewall

Page 3: Infoblox Overview & Business Update

• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Market leadership
  • Gartner “Strong Positive” rating
  • 40%+ market share (DDI)
• 6,900+ customers, 55,000+ systems shipped
• 35 patents, 29 pending
• IPO April 2012: NYSE BLOX
• Leader in technology for network control

[Chart: Total Revenue ($MM), fiscal year ending July 31; 30% CAGR]
FY2007 $35.0 | FY2008 $56.0 | FY2009 $61.7 | FY2010 $102.2 | FY2011 $132.8 | FY2012 $169.2 | FY2013 $225.0

Page 4: Infoblox: Technology for Network Control

[Diagram: three layers of the Infoblox network control model]
• Network Infrastructure: Firewalls, Switches, Routers, Web Proxy, Load Balancers
  • Discovery, Real-time Configuration & Change, Compliance
  • Historical / Real-time Reporting & Control
  • Infrastructure Security
• Apps & End-points: End Points, Virtual Machines, Private Cloud, Applications
• Control Plane: Essential Network Control Functions: DNS, DHCP, IPAM (DDI); Infoblox Grid™ with Real-time Network Database

Page 5: Why Is DNS an Ideal Attack Target?

• DNS is the cornerstone of the Internet, used by every business and government
• The DNS protocol is stateless and hence vulnerable
• DNS as a protocol is easy to exploit
• Maximum impact with minimum effort

Page 6: Today’s Security Challenges

Challenges and Trends

1. Attacks Targeting DNS
   • Challenge: unprotected DNS infrastructure introduces security risks
   • Trend: Advanced DNS Protection; detection & mitigation of attacks; on-going protection against evolving threats
2. APT / Malware
   • Challenge: APT / malware exploits DNS to get around traditional security infrastructure
   • Trend: DNS Firewall; disrupts malware communication; pinpoints infected devices for remediation

Page 7: Attacks Targeting DNS (section divider)

Page 8: External Attacks on DNS

• DNS-based attacks are on the rise
• Traditional protection is ineffective against evolving threats
• DNS outage causes network downtime, loss of revenue, and negative brand impact

Unprotected DNS infrastructure introduces security risks

Page 9: 2013 – DNS Threat Is Significant

• Attacks against DNS infrastructure growing
  • DNS-specific attacks up 200% in 2012
  • ICMP, SYN, UDP attacks

[Chart: attack vector protocols; Source: Arbor Networks]
HTTP 87% | DNS 67% | SMTP 25% | HTTPS 24% | SIP/VOIP 19% | IRC 11% | Other 7%
DNS is the #2 attack vector protocol

[Chart: infrastructure-layer attack types, Infrastructure Layer: 76.52%; Source: Prolexic Quarterly Global DDoS Attack Report Q3 2013]
ACK 2.81% | CHARGEN 6.39% | FIN PUSH 1.28% | DNS 9.58% | ICMP 9.71% | RESET 1.4% | RP 0.26% | SYN 14.56% | TCP FRAGMENT 0.13% | SYN PUSH 0.38% | UDP FLOODS 13.15% | UDP FRAGMENT 17.11%

Page 10: The Solution - Infoblox Advanced DNS Protection

Unique Detection and Mitigation
• Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling
• Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests

Centralized Visibility
• Centralized view of all attacks happening across the network through detailed reports
• Intelligence needed to take action

Ongoing Protection Against Evolving Threats
• Regular automatic threat-rule updates based on threat analysis and research
• Helps mitigate attacks sooner vs. waiting for patch updates

Page 11: Fully Integrated into Infoblox Grid

[Diagram: Grid components and traffic flows]
• Infoblox Threat-rule Server: automatic updates
• Grid Master: Grid-wide rule distribution
• Reporting Server: reports on attack types, severity (data for reports)
• Infoblox Advanced DNS Protection (External Auth.), new: blocks DNS attacks
• Infoblox Advanced DNS Protection (Internal Recursive), new
• Traffic labels: Legitimate Traffic; Amplification; Cache Poisoning; Reconnaissance; DNS Exploits

Page 12: What Attacks Do We Protect Against?

• DNS reflection/DrDoS attacks: using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
• DNS amplification: using a specially crafted query to create an amplified response to flood the victim with traffic
• DNS-based exploits: attacks that exploit vulnerabilities in the DNS software
• TCP/UDP/ICMP floods: denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
• DNS cache poisoning: corruption of the DNS cache data with a rogue address
• Protocol anomalies: causing the server to crash by sending malformed packets and queries
• Reconnaissance: attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
• DNS tunneling: tunneling of another protocol through DNS for data exfiltration

Page 13: Infoblox - Differentiation and Value

Columns: Infoblox Standard | Infoblox Advanced | Load Balancers | Pure DDoS | NGFW | IPS | Cloud

• DNS server: ✓ ✓ ✓
• General DDoS: ✓ ✓ ✓
• DNS DDoS: ✓ ✓ ✓ ✓
• DNS server OS and application vulnerabilities: ✓ ✓ ✓
• Flood attacks: ✓ ✓ ✓ ✓ ✓ ✓
• Semantic attacks: ✓ ✓ ✓
• Cache poisoning: ✓
• DNS Reflection: ✓
• Tunneling: ✓ ✓ ✓
• DNS Amplification: ✓

Page 14: External Authoritative and Internal Recursive

Protection against cyber attacks and internal DNS attacks

[Diagram: deployment]
• Internet to DMZ: Advanced DNS Protection (external authoritative); Grid Master and Candidate (HA)
• Intranet (Datacenter, Campus/Regional): Advanced DNS Protection (internal recursive); Endpoints
• Traffic labels: Legitimate Traffic; Reconnaissance; Amplification; Exploits; DNS Tunneling; Cache Poisoning

Page 15: Service Providers

• Protection against attacks on caching servers
• Authoritative DNS services
• Platform: IB 4030

Page 16: APT / Malware (section divider)

Page 17: Security Breaches Using Malware / APT - 2013

[Timeline chart: Q1, Q2, Q3, Q4 2013]

Page 18: Malware/APT Requires DNS

Every step of the malware life cycle relies on DNS (each step is a query to the DNS server):
• Infection: query a malicious domain
• Download: query the ‘call home server’
• Exfiltration: query exfiltration destinations

Page 19: Infoblox DNS Firewall

Industry’s First True DNS Security Solution: disrupts DNS-exploiting APT / malware (C&C & Botnets) communication

PREVENTIVE | TIMELY | TUNABLE
• Leverages a high quality DNS Firewall Subscription Service updated in near real time
• Maximizes potency against APT / malware worldwide
• Disrupts malware communication and execution

Page 20: Infoblox DNS Firewall – How Does It Work?

[Diagram: mobile device, malware, Infoblox DDI with DNS Firewall, live reputational feed of malicious domains, Syslog]

1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network (malware searches and spreads within the network).
2. The malware makes a DNS query for a “bad” domain to find “home.” The DNS Firewall has the “bad” domain in its table and blocks the connection. The blocked attempt is sent to Syslog.
3. The DNS Server is continually updated by a reputational data feed service to reflect the rapidly changing list of malicious domains.
4. Infoblox Reporting provides a list of blocked attempts as well as the:
   • IP address
   • MAC address
   • Device type (DHCP fingerprint)
   • Host Name
   • DHCP Lease
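The four steps above, as an added example that is not Infoblox code: a reputation feed populates a blocklist, a query for a listed domain (or any subdomain of it) is blocked rather than resolved, the blocked attempt is written as a syslog-style line, and the querying IP is joined with DHCP lease data so the report names the device (IP, MAC, hostname, DHCP fingerprint). Every domain, feed entry, lease record and query in it is constructed for the example; the log format and the `DnsFirewall` class are assumptions, not the product's.

```python
"""Added example, not Infoblox code: a minimal DNS-firewall style policy lookup
modelling the four steps on the slide.  All domains, feed entries, leases and
queries are constructed; the log line format is an assumption."""
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot so 'Evil.TEST.' matches 'evil.test'."""
    return name.strip().lower().rstrip(".")


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str
    fingerprint: str          # device type derived from the DHCP fingerprint


@dataclass
class DnsFirewall:
    blocked: set = field(default_factory=set)   # listed domains (normalized)
    leases: dict = field(default_factory=dict)  # ip -> Lease
    syslog: list = field(default_factory=list)  # constructed syslog-style lines
    clock: int = 0                              # deterministic stand-in for time

    def update_feed(self, entries):
        """Step 3: merge a reputation feed delivery into the policy table."""
        self.blocked.update(normalize(e) for e in entries)

    def matched_domain(self, qname):
        """Walk from the full name up towards the TLD; the first listed name wins,
        so a listing of 'bad.test' also covers 'cdn.bad.test'."""
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def resolve(self, client_ip, qname, qtype="A"):
        """Step 2: the policy decision.  Returns 'ALLOWED' or 'BLOCKED'."""
        hit = self.matched_domain(qname)
        if hit is None:
            return "ALLOWED"
        self.clock += 1
        lease = self.leases.get(client_ip)
        mac = lease.mac if lease else "unknown"
        self.syslog.append(
            f"t={self.clock} dns-firewall action=BLOCK client={client_ip} "
            f"mac={mac} qname={normalize(qname)} qtype={qtype} rule={hit}"
        )
        return "BLOCKED"

    def blocked_report(self):
        """Step 4: blocked attempts joined with DHCP data to pinpoint the device."""
        report = []
        for line in self.syslog:
            fields = dict(kv.split("=", 1) for kv in line.split()[2:])
            lease = self.leases.get(fields["client"])
            report.append({
                "ip": fields["client"],
                "mac": lease.mac if lease else None,
                "hostname": lease.hostname if lease else None,
                "device_type": lease.fingerprint if lease else None,
                "domain": fields["qname"],
                "rule": fields["rule"],
            })
        return report


def build_demo():
    """Constructed scenario: one feed delivery, two DHCP leases, three queries."""
    fw = DnsFirewall()
    fw.update_feed(["c2.badlabs.test", "Payment-Portal.TEST."])
    fw.leases["10.20.0.45"] = Lease("10.20.0.45", "00:11:22:33:44:55",
                                    "sales-phone-07", "Android mobile")
    fw.leases["10.20.0.12"] = Lease("10.20.0.12", "66:77:88:99:aa:bb",
                                    "fin-laptop-02", "Windows 7")
    queries = [
        ("10.20.0.45", "update.c2.badlabs.test"),   # step 1: infected phone calling home
        ("10.20.0.12", "www.intranet.test"),        # ordinary lookup, answered normally
        ("10.20.0.99", "payment-portal.test"),      # blocked, but no lease on record
    ]
    decisions = [fw.resolve(ip, q) for ip, q in queries]
    return fw, decisions


if __name__ == "__main__":
    fw, decisions = build_demo()
    print(decisions)
    for line in fw.syslog:
        print(line)
    for row in fw.blocked_report():
        print(row)
```

The third query shows the failure mode the report has to handle: a client with no DHCP lease can still be blocked, but the report can only give its IP, which is why the slide ties the firewall to DDI data in the first place.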

Page 21: DNS Firewall – FireEye Adapter: How Does It Work?

[Diagram: endpoint attempting to download infected file, FireEye NX, Infoblox DDI with DNS Firewall, malicious domains, Syslog]

1. A mobile device receives an infected URL or content. The bad .exe or malware starts to communicate or spread across the network.
2. FireEye NX detonates traffic from the device and determines that the traffic is bad (detonates & detects advanced malware). It provides the domains & IP addresses that the .exe / URL is trying to connect to, to the DNS Firewall via the FireEye Adapter.
3. The DNS Firewall is updated and blocks the connection attempts to the domains/IP addresses provided by FireEye NX. The blocked attempt is sent to Syslog.
4. Infoblox Reporting provides a list of blocked attempts as well as the:
   • IP address
   • MAC address
   • Device type (DHCP fingerprint)
   • Host Name
   • DHCP Lease

Page 22: What Protection Does DNS Firewall Provide?

• DGA: domain generating algorithm malware that randomly generates domains to connect to malicious networks or botnets
• Fast Flux: rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
• APT / Malware: malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
• DNS Hijacking: hijacking DNS registry(s) & re-directing users to malicious domain(s)
• Geo-Blocking: blocking access to geographies that have high rates of malicious domains or are under Economic Sanctions by the US Government
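Three of the attack classes named on this slide and on the earlier "What Attacks Do We Protect Against?" slide can be spotted in ordinary query logs. The following is an added example, not Infoblox code, showing detection logic for them: amplification/reflection probes (a burst of ANY queries from one source), DNS tunneling (many distinct long, high-entropy labels under one parent domain) and DGA activity (one client collecting NXDOMAIN answers for many distinct, never-registered domains). The query log, the addresses, the domains and the thresholds are all constructed for the example; they are not product settings.

```python
"""Added example, not Infoblox code: log-based detectors for ANY-query bursts
(amplification/reflection), DNS tunneling and DGA beaconing.  The sample log
and the thresholds are constructed for this example."""
import math
from collections import Counter, defaultdict, namedtuple

Query = namedtuple("Query", "ts client qname qtype rcode")
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"   # base32 alphabet for constructed labels


def entropy(s: str) -> float:
    """Shannon entropy in bits per character: near 4.0 for random hex,
    much lower for dictionary words and hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def detect_any_bursts(rows, window=10, threshold=5):
    """Amplification/reflection: at least `threshold` ANY queries from one
    client inside any `window`-second span.  Returns {client: burst size}."""
    times = defaultdict(list)
    for q in rows:
        if q.qtype == "ANY":
            times[q.client].append(q.ts)
    flagged = {}
    for client, ts in times.items():
        ts.sort()
        j = 0
        for i, start in enumerate(ts):              # sliding window over sorted times
            while j < len(ts) and ts[j] - start <= window:
                j += 1
            if j - i >= threshold:
                flagged[client] = max(flagged.get(client, 0), j - i)
    return flagged


def detect_tunneling(rows, min_label=30, min_entropy=3.5, min_unique=5):
    """Tunneling: one client sending many distinct long, high-entropy first
    labels under the same parent domain.  Returns {(client, parent): count}."""
    seen = defaultdict(set)
    for q in rows:
        labels = q.qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        first, parent = labels[0], ".".join(labels[-2:])
        if len(first) >= min_label and entropy(first) >= min_entropy:
            seen[(q.client, parent)].add(first)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}


def detect_dga(rows, min_domains=5):
    """DGA: a client whose NXDOMAIN answers span many distinct registrable
    domains (a single typo does not trip it).  Returns {client: count}."""
    nx = defaultdict(set)
    for q in rows:
        if q.rcode == "NXDOMAIN":
            nx[q.client].add(".".join(q.qname.lower().split(".")[-2:]))
    return {c: len(d) for c, d in nx.items() if len(d) >= min_domains}


def build_sample_log():
    """Constructed log: benign office lookups, a reflection probe, a tunnel and a
    DGA client.  Addresses are private/documentation ranges, domains use .test."""
    rows = []
    for i, name in enumerate(["www.intranet.test", "mail.intranet.test", "cdn.partner.test"]):
        rows.append(Query(i, "10.20.0.12", name, "A", "NOERROR"))
    for i in range(6):                        # six ANY queries within three seconds
        rows.append(Query(100 + i // 2, "198.51.100.7", "isc.test", "ANY", "NOERROR"))
    for i in range(6):                        # long base32-looking labels, one parent
        label = "".join(ALPHABET[(i * 7 + k * 5) % 32] for k in range(40))
        rows.append(Query(200 + i, "10.20.0.45", f"{label}.tun.badlabs.test", "TXT", "NOERROR"))
    for i in range(7):                        # seven never-registered domains
        rows.append(Query(300 + i, "10.20.0.77", f"qx{i}vz{i * 3}k.test", "A", "NXDOMAIN"))
    rows.append(Query(310, "10.20.0.12", "typo.intranet.test", "A", "NXDOMAIN"))
    return rows


def run_all(rows):
    """Run every detector over one log and collect the hits by category."""
    return {"any_bursts": detect_any_bursts(rows),
            "tunneling": detect_tunneling(rows),
            "dga": detect_dga(rows)}


if __name__ == "__main__":
    for name, hits in run_all(build_sample_log()).items():
        print(name, hits)
```

Each detector keys on a different signal (query type and rate, label shape, response code), so a single noisy client trips only the detector that matches its behaviour; the lone NXDOMAIN from the office client is the edge case the DGA rule is tuned to ignore.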

Page 23: Anatomy of an Attack: Cryptolocker “Ransomware”

• Targets Windows-based computers
• Appears as an attachment to legitimate looking email
• Upon infection, encrypts files: local hard drive & mapped network drives
• Ransom: 72 hours to pay $300US
• Fail to pay and the encryption key is deleted and data is gone forever
• Only way to stop (after executable has started) is to block outbound connection to encryption server

Infoblox DNS Firewall blocks all connections to Cryptolocker domains

Page 24: Cryptolocker Timeline and Infoblox Response

• September 13 – Trial Run: initial roll-out of Cryptolocker started. Limited distribution & payment testing.
• Oct. 8th – Full distribution via ‘Pay per infection’.

1. Infoblox DNS Firewall Geo-blocks delivered ZERO-day protection against Cryptolocker by blocking Eastern Europe domains.
2. October 18th – Cryptolocker behavior fully characterized. Infoblox DNS Firewall Subscription updated with domains & IP addresses (Infoblox Malware Data Feed updated). Customers protected.
3. Infoblox DNS Firewall now blocks Cryptolocker encryption servers.
4. DNS Firewall logs all attempted connections with Cryptolocker servers to Syslog, complete with IP and MAC addresses, and device type to drive remediation.

[Diagram: Infoblox DDI with DNS Firewall, Infoblox Malware Data Feed, Syslog]

Infoblox DNS Firewall Protects Against Cryptolocker Malware

Page 25: Summary

• Unprotected DNS infrastructure introduces security risks
  • Advanced DNS Protection protects against DNS-based attacks like DDoS, cache poisoning, malformed packets and tunneling
• APT / malware exploits DNS to get around traditional security infrastructure
  • DNS Firewall & FireEye Adapter disrupt malware usage of DNS and pinpoint the device to drive faster remediation (using Infoblox DDI)

Page 26: Q&A

Page 27: Thank you!

For more information: www.infoblox.com