Why you need DNS Firewall in your security arsenal


http://www.securenetconsulting.co.uk/2016/06/why-you-need-dns-firewall-in-your.html

DNS Firewall: helps protect against DDoS attacks, malware, ransomware, Advanced Persistent Threats (APTs), active phishing sites, and the vulnerabilities introduced by BYOD and IoT devices.



By Paul Rummery, Securenet Consulting




The DNS vulnerability challenge


Hackers are well aware that holes exist in the security of the Internet’s infrastructure.

DNS traffic exists in nearly every organisation, creating an overwhelming ocean of data security teams often ignore, or do not have the tools to properly analyse. Knowing this, cyber attackers are increasingly abusing DNS to mask their ‘command-and-control’ activity in order to deliver additional malware or steal valuable data. Malicious domain names controlled by attackers enable the rapid movement of command-and-control centres from point to point, bypassing traditional security controls such as blacklists or web reputation.

Traditional protection methods do not intercept DNS communications to malicious locations, so a DNS security layer is required.

Business transformations like bring your own device (BYOD), cloud and the Internet of Things (IoT) introduce new ways for devices to become infected.

Cisco has reported that 91.3 percent of malware uses DNS in one of four ways:
  1. to gain command and control
  2. to exfiltrate data
  3. to redirect traffic
  4. to amplify DDoS attacks, by abusing open DNS servers as reflectors.

We have also uncovered a range of other DNS-related security issues in our customers’ networks, including DNS “typosquatting” (i.e. the act of registering a domain name similar to an existing domain name, in order to target users who may have inadvertently mistyped the intended domain) and pervasive DNS tunneling to Chinese-registered domains.




The traditional network as you know it has changed


Our networks no longer look the same as they did ten years ago. There are now more connected devices than ever before – and many more of them are non-traditional. Alongside the traditional mobile devices like smartphones and tablets, we now have VoIP, Point of Sale (POS), RFID, barcode scanners, IP security cameras, door locks and other devices. Enterprises are finding it increasingly difficult to pinpoint and isolate threats and defend against malicious intent. With the emergence of the Internet of Things, you have – or soon will have – entirely new types of devices joining your network: everything from smart thermostats and lights to vast numbers of sensors.


Network devices


This is why attackers are increasingly targeting non-traditional devices to exploit their security vulnerabilities. Hackers that target traditional systems need to get past the many layers of defence in order to exploit the device. They need to make sure that their malware or Trojan is able to circumvent anti-virus, anti-malware, protocol filters and other security layers. Non-traditional devices simply have fewer layers of protection – so hackers don’t need to build sophisticated malware to get around anti-malware software because there isn’t any on the device they are targeting.




                 All Devices   All Protocols   Agentless
  Anti-virus          N              N             N
  Proxy               N              N             Y
  Firewall            N              N             Y
  DNS Firewall        Y              Y             Y

Table: security solutions and their coverage for DNS threat protection (Y = covered, N = not covered).


Industry experts highlight why it’s important to be vigilant by monitoring DNS - this should be part of an organisation’s on-going security strategy. DNS monitoring is so important for security investigations, as well, because it allows researchers to map out components that can help determine everything from the type of infrastructure supporting the attack to finding its source.

One reason organisations fail to monitor DNS - or simply do a poor job of it - is that their security teams and DNS experts typically work in different IT groups within the company and therefore rarely have an opportunity to interact. Technology and services can bridge this gap.

The reported number of successful breaches has been growing alarmingly in recent years. One primary reason is that attackers have recognised and are exploiting the largely unprotected DNS-based Internet infrastructure to remain undetected while they infiltrate networks and exfiltrate valuable information. Reports suggest that much of the Fortune 2000 and numerous governmental agencies have fallen prey to spear-phishing and related exploits. Yet DNS firewalls likely would have prevented the success of more than 80 percent of these attacks.

Much as firewalls and IDS/IPS solutions have become critical - and expected - pieces of an enterprise’s security infrastructure, attention must now turn to DNS Firewalls as an essential strategic security asset. Secure DNS Firewalls function as a firewall for DNS, adding a vital layer of defence to combat the deluge of advanced persistent threats (APT) and other malware that circumvent traditional perimeter defences. 




What is a DNS Firewall?


A DNS firewall is, put simply, a secure DNS resolver: a recursive resolver that applies security policy to the names it is asked to resolve. It prevents enterprise employees and systems from connecting to known malicious Internet locations, and can provide immediate feedback to enterprise security teams about potential compromises such as botnets and APTs on their networks.

By utilising this secure DNS gateway, an enterprise can ensure its employees and IT systems are not routed to destinations that could jeopardise communications, proprietary information, customers’ private data and more.


But I already have a DNS resolver

 
Basic DNS resolvers act as gateways between an enterprise and the “outside world.” If that resolver connects a user to a malicious location, then communications, proprietary information, customers’ private data and more could be jeopardised. Despite these dangers, the typical DNS resolver in use by enterprises today is not only susceptible to various direct attacks, but also lacks a built-in security layer necessary to identify malicious locations and protect enterprise users. It’s like having an Internet gateway with no security at all, instead of one protected by a firewall.
 

As a result, the typical DNS resolution process doesn’t prevent users from arriving at known malicious locations. In fact, it actually enables malware infections to permeate an enterprise, and communicate freely with controlling machines and the infiltrators themselves.
 

For example, in late 2009, a Google employee in China clicked on a malicious link in an instant message. This set off a series of events that became known as “Aurora” which resulted in the infiltration of Google's network for months and the theft of data from a variety of the search engine giant's systems. When finally alerted, Google was able to determine the attack’s scope and reach within its network by examining log files from its DNS resolvers, where the attackers’ movements were easily spotted.
 

Spear phishing attacks that seed malware are highly effective since those attacks appear to come from trusted sources. Inevitably, an employee or partner will fall for such a scam, supplying a foothold for hackers. Once quietly inside the organisation, these attacks can quickly spread, putting an enterprise’s vital information at risk.
 

The malware delivered by spear phishing attacks usually circumvents traditional firewalls with ease. That’s because most malware programs are now designed to leverage the DNS for managing communications with their command and control servers. The malware uses hostnames, or an algorithm for generating those hostnames on the fly, rather than hard-coded IP addresses when determining where to find its C&C server. As a result, malware controllers can easily change the IP addresses for their C&C servers at will, and some do so as often as every minute. There is little chance that traditional firewall defenses can keep up with such tactics.
 

However, a properly maintained DNS firewall will block access to the DNS information for those malicious hostnames, preventing the connection and/or diverting traffic from any infected computers to a safe server for inspection. By implementing this one simple layer of defence, enterprises can stop a large proportion (the figure quoted above is over 80 percent) of today’s malware and commensurately reduce their risk of information loss. While not a silver bullet, this approach is highly effective and should be considered an essential layer in any enterprise’s security posture.
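The blocking and diverting behaviour described above is what a Response Policy Zone (RPZ) style DNS firewall does on every query. The following is an added example, not code from Securenet Consulting or from any DNS firewall product: a minimal policy engine that matches a query name against exact and wildcard triggers, applies the RPZ-style actions (NXDOMAIN, NODATA, DROP, PASSTHRU for allow-listing, and a CNAME redirect to a walled-garden sinkhole), and records which client asked for a blocked name so that the infected device can be pinpointed. The rules, client addresses, upstream answers and the sinkhole name `sinkhole.example.internal.` are all constructed for illustration.

```python
"""Minimal DNS firewall policy engine modelled on Response Policy Zones (RPZ).

Added example, not code from Securenet Consulting or any DNS firewall product.
All policy entries, client addresses and the sinkhole name are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Policy actions, named after the RPZ conventions they mirror.
NXDOMAIN = "NXDOMAIN"    # answer "no such name" so the client cannot connect
NODATA = "NODATA"        # name exists but has no records of the requested type
PASSTHRU = "PASSTHRU"    # explicit allow-list entry; resolve normally upstream
DROP = "DROP"            # discard the query silently (client gets a timeout)
WALLED_GARDEN = "CNAME"  # redirect the client to a sinkhole for inspection


@dataclass
class Policy:
    # trigger -> action. A trigger starting with "*." matches every subdomain
    # of the remainder (RPZ wildcard); any other trigger matches exactly.
    rules: dict
    sinkhole: str = "sinkhole.example.internal."   # assumed walled-garden host
    hits: list = field(default_factory=list)        # (client, qname, action)

    def lookup(self, qname: str) -> Optional[str]:
        """Return the action for qname, or None when no trigger matches."""
        name = qname.lower().rstrip(".") + "."
        # RPZ precedence: an exact owner-name match wins over a wildcard
        # on any of its parents.
        if name in self.rules:
            return self.rules[name]
        labels = name.split(".")
        # For "a.b.c." try "*.b.c." and then "*.c." (never "*." itself).
        for i in range(1, len(labels) - 1):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.rules:
                return self.rules[wildcard]
        return None

    def resolve(self, client: str, qname: str, qtype: str,
                upstream: Callable[[str, str], list]) -> Optional[dict]:
        """Answer a query from `client`, consulting policy before recursion."""
        action = self.lookup(qname)
        if action is None or action == PASSTHRU:
            return {"rcode": "NOERROR", "answer": upstream(qname, qtype),
                    "policy": None}
        # Log the endpoint that asked for a blocked name: this is the
        # "pinpoint infected devices for remediation" signal.
        self.hits.append((client, qname, action))
        if action == NXDOMAIN:
            return {"rcode": "NXDOMAIN", "answer": [], "policy": action}
        if action == NODATA:
            return {"rcode": "NOERROR", "answer": [], "policy": action}
        if action == DROP:
            return None
        # Walled garden: the client is sent to the sinkhole instead of the C&C.
        return {"rcode": "NOERROR", "answer": [("CNAME", self.sinkhole)],
                "policy": action}


def fake_upstream(qname: str, qtype: str) -> list:
    """Stand-in for real recursion; returns a constructed documentation address."""
    return [("A", "203.0.113.10")]


# Constructed policy: the domains below are examples, not real indicators.
RULES = {
    "c2.badexample.net.": NXDOMAIN,           # known C&C hostname
    "*.badexample.net.": DROP,                # everything else under it
    "*.dga-zone.example.": WALLED_GARDEN,     # DGA-generated names go to the sinkhole
    "allowed.dga-zone.example.": PASSTHRU,    # allow-list overrides the wildcard
    "phish.example.org.": NODATA,             # active phishing site
}
POLICY = Policy(rules=RULES)

if __name__ == "__main__":
    for client, name in [("10.0.0.5", "c2.badexample.net"),
                         ("10.0.0.5", "xq7v.dga-zone.example"),
                         ("10.0.0.6", "www.example.com")]:
        print(client, name, POLICY.resolve(client, name, "A", fake_upstream))
    print("policy hits:", POLICY.hits)
```

The PASSTHRU entry matters in practice: a wildcard that redirects a whole zone will also catch legitimate hosts under it, so an allow-list that takes precedence over the wildcard is what keeps a DNS firewall from becoming a self-inflicted outage.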

Whether it’s malicious, coordinated assaults like Night Dragon, Shady Rat, Soysauce, Conficker, Stuxnet, SpyEye and Zeus, or individual unnamed attacks, security companies know almost all malware attacks by their DNS communications patterns. Yet a vast majority of enterprises don’t take steps to block such blatantly obvious communications. 



DNS Firewall solution features


DNS Firewall solutions protect against malware that uses DNS to communicate with command-and-control (C&C) servers and botnets, and against a wide variety of other threats, including DNS-based DDoS attacks, ransomware, APTs and active phishing sites.

  • Enables device fingerprinting.
  • Pinpoints infected devices for remediation.
  • Captures the user name tied to an infected device.
  • Integrates with other leading security platforms to share intelligence, automate response and improve protection against evolving threats.
  • Provides the same level of protection for both IPv4 and IPv6.
  • Increases network performance: reduces DNS server load by up to 70% through caching, protocol checking, validation and enforcement. DNS servers are often bombarded with non-DNS traffic; protocol checking stops that traffic ever reaching the DNS infrastructure. Besides shielding DNS servers from attacks, caching also reduces the number of DNS servers that need to be provisioned, lowering capital expenses.



Integrated DNS protection solutions


SecureNet Consulting also provides other solutions and services that incorporate an element of DNS protection, although they are not necessarily designed from the ground up to solve DNS vulnerability problems:


Cloud-based DNS & BGP redirect site service for Website / Web Application Security

Redirects traffic to a scrubbing service in the event of high-traffic (volumetric) DDoS attacks, ensuring 24/7 business continuity and service availability. The service also provides high-performance delivery of websites, web pages and e-commerce to users all around the world.


Intrusion Detection

Scans all protocols, including HTTP, HTTPS, FTP, TCP, UDP, DNS, SMTP, and POP3 to block network, application, and protocol-based attacks.


External Penetration Testing

External network security assessments are a one-off in-depth assessment of your externally facing, perimeter network. This can include testing for proper load balancing, SSL configurations, and DNS settings.


Virtualisation Assessments

Troubleshooting of networking components such as network, firewall, DNS etc


Firewalls

Firewalls with DNS traffic intelligence.


Application Layer Level Firewalls

Prevent L7 attacks targeted at DNS and other protocols.


DDoS Protection

Defend against volumetric and flood DDoS attacks, including DNS and NTP amplification.


Deep Packet Inspection

Go beyond traditional signature-based detection systems: look out for data extraction through DNS TXT records and through the query names themselves.
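Two of the DNS communication patterns this page describes, algorithmically generated C&C hostnames (the DGA behaviour explained in the DNS firewall section above) and data extraction through DNS TXT records and long query names (the tunnelling mentioned here and earlier), can both be spotted in ordinary resolver logs. The following is an added example, not code from Securenet Consulting or any DPI product: it parses a handful of constructed log lines and applies two simple heuristics, a per-client count of NXDOMAIN answers for high-entropy hostnames (DGA suspects) and a per-domain count of unique, long subdomain labels and TXT queries (tunnelling suspects). The log format, the domains `example-c2.net` and `exfil-example.org`, the client addresses and the thresholds are assumptions, and the "last two labels" approximation of a registered domain is a deliberate simplification that real tooling should replace with the Public Suffix List.

```python
"""Score DNS resolver logs for DGA lookups and DNS tunnelling / TXT exfiltration.

Added example, not code from Securenet Consulting or any product. The log
lines, domains, clients and thresholds below are constructed for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed log lines: "timestamp client qname qtype rcode". Not real traffic.
# The hex labels under exfil-example.org are constructed file contents encoded
# into the query name, the way a tunnelling tool would do it.
SAMPLE_LOG = """
2016-06-01T10:00:01 10.0.0.7 www.example.com A NOERROR
2016-06-01T10:00:02 10.0.0.7 mail.example.com MX NOERROR
2016-06-01T10:00:03 10.0.0.9 xq7vkz2pw3lm.example-c2.net A NXDOMAIN
2016-06-01T10:00:03 10.0.0.9 b9r4tqzx8kmh.example-c2.net A NXDOMAIN
2016-06-01T10:00:04 10.0.0.9 k2mz8rtq5vxp.example-c2.net A NXDOMAIN
2016-06-01T10:00:04 10.0.0.9 j7wqpx9rmt4z.example-c2.net A NOERROR
2016-06-01T10:00:05 10.0.0.12 4d6f6e65792e747874.t.exfil-example.org TXT NOERROR
2016-06-01T10:00:05 10.0.0.12 7061737377643a7365637265742e.t.exfil-example.org TXT NOERROR
2016-06-01T10:00:06 10.0.0.12 636f6e66696720736e617073686f74.t.exfil-example.org TXT NOERROR
2016-06-01T10:00:06 10.0.0.12 6b65793d616263313233343536.t.exfil-example.org TXT NOERROR
2016-06-01T10:00:07 10.0.0.7 securenetconsulting.co.uk A NOERROR
2016-06-01T10:00:08 10.0.0.7 nosuchhost.example.com A NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype, rcode = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype.upper(), "rcode": rcode.upper()})
    return records


def entropy(label):
    """Shannon entropy in bits per character; random labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def first_label(qname):
    return qname.split(".")[0]


def registered_domain(qname):
    # Simplification: last two labels. Real tooling uses the Public Suffix List
    # (for example "co.uk" needs three labels to reach the registrant's name).
    return ".".join(qname.split(".")[-2:])


def dga_suspects(records, min_entropy=3.0, min_len=8, min_nxdomain=3):
    """Clients that repeatedly receive NXDOMAIN for random-looking hostnames.

    A DGA client walks through many candidate names, most of which the attacker
    never registered, so NXDOMAIN bursts on high-entropy labels are the tell.
    """
    nx = defaultdict(int)
    for r in records:
        label = first_label(r["qname"])
        if (r["rcode"] == "NXDOMAIN" and len(label) >= min_len
                and entropy(label) >= min_entropy):
            nx[r["client"]] += 1
    return {client: n for client, n in nx.items() if n >= min_nxdomain}


def tunnel_suspects(records, min_unique=4, min_label_len=20):
    """Domains that receive many unique, long subdomain lookups.

    Tunnelling and exfiltration tools carry data in the query name (and read
    replies from TXT records), so the leftmost label is long and never repeats.
    """
    subs = defaultdict(set)
    txt = defaultdict(int)
    for r in records:
        dom = registered_domain(r["qname"])
        subs[dom].add(first_label(r["qname"]))
        if r["qtype"] == "TXT":
            txt[dom] += 1
    out = {}
    for dom, labels in subs.items():
        avg_len = sum(len(l) for l in labels) / len(labels)
        if len(labels) >= min_unique and avg_len >= min_label_len:
            out[dom] = {"unique_subdomains": len(labels),
                        "avg_label_len": avg_len, "txt_queries": txt[dom]}
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA suspects (client -> NXDOMAIN count):", dga_suspects(recs))
    print("Tunnelling suspects:", tunnel_suspects(recs))
```

Neither heuristic is proof on its own: long, high-entropy labels also appear in CDN and anti-virus update names, which is why the DGA rule insists on NXDOMAIN responses and the tunnelling rule on a volume of unique labels under one domain. In a real deployment the suspect lists would feed the device-pinpointing and user-attribution features listed above rather than block anything directly.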


Load Balancing

Applications - In both Lync 2010 and 2013 (now Skype for Business), there is a core requirement for load balancing and reverse proxy services. These two methods can be combined across an environment for a highly performing and reliable infrastructure. Additionally, published HTTP services require a reverse proxy.


DNS Security (Firewall)

Log, record and manage data and access requests – useful to understand who is accessing your assets.


DNS Security Extensions (DNSSEC)

Cryptographically sign DNS records, with the signing keys held in a FIPS 140-2 Level 4 validated hardware security module. When a DNS server hosting a signed zone receives a query, it returns the digital signatures (RRSIG records) in addition to the records queried for. A validating resolver or another server can obtain the zone's public key (its DNSKEY record), verified through the chain of trust from the parent zone, and validate that the responses are authentic and have not been tampered with.


Engineering Professional Services & Consultancy

DNS configuration / tuning.


On-Premise & Cloud-Based Solutions

Easy to configure cloud-based and on-premise solution.


IT Professional Services

Consultancy – design, planning, technical engineering implementation, configuration and support.



Related Topics: Firewall, Intrusion Prevention, Load Balancing, Vulnerability Assessment Services, Penetration Testing Services






Contact us today to discuss your requirements in more detail.



Telephone
+44(0)7714 209927
+44(0)1273 329753

Newsletter
http://eepurl.com/GKx25

Email
info@securenetconsulting.co.uk

LinkedIn
https://www.linkedin.com/in/paul-rummery-0b89535

Google+
https://plus.google.com/116898209106255177774

Facebook
https://www.facebook.com/pages/SecureNet-Consulting/188102854572105