DDI Security Best Practices & Benefits

Victor Danevich, Sr. Director, Americas System Engineering & Professional Services

© 2013 Infoblox Inc. All Rights Reserved.

Infoblox: Market Leader in Network Control

[Chart: Total Revenue (Fiscal Year Ending July 31), $MM: FY2007 $35.0, FY2008 $56.0, FY2009 $61.7, FY2010 $102.2, FY2011 $132.8, FY2012 $169.2]

Founded in 1999

Headquartered in Santa Clara, CA with global operations in 25 countries

Market leadership
• Gartner Strong Positive Rating
• 40%+ Market Share

6,100+ Customers, 45,000+ systems shipped

20 patents, 27 pending

IPO April 2012: NYSE BLOX

Leader in technology for network control

Best Practices and Benefits

Best Practice – A best practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark. In addition, a "best" practice can evolve to become better as improvements are discovered.**

Benefit – ben·e·fit /ˈbenəfit/ Noun: An advantage or profit gained from something.

Agenda
– DDI Security Highlights
– Selected Security Product Features
– 3rd Party Security Integrations – F5, MS & Others

** Wikipedia http://en.wikipedia.org/wiki/Best_practice

Conventional Networks – Static and Simple

[Figure: a flat network with a handful of static IPv4 addresses]

Static
IPv4
Rudimentary Tools for Control
Manually Configured

Next Generation Networks – Very Complex

[Figure: the same network with mixed IPv4 and IPv6 addresses and many VMs]

Expensive
Manual
Inflexible

Projects Driving Next Generation Networks

IP Everywhere
Cloud Applications
Data Center Consolidation
Compliance
Virtualization
Cloud
Mobility / Consumerization

[Figure: IPv4 and IPv6 clients and applications: Good, salesforce, Edge Client, Dropbox, Symantec, Documents, Jive, LinkedIn, Twitter, SharePoint]

GRID OS Security Highlights

– DNS Firewall Protection
– DNS Blacklisting / Redirection / Blackhole
– Robust Reporting Solution
– DNSSEC
– Role Based Administrative Functions
– Two Factor Authentication CAC/PKI
– DDOS Protection
– Security Device Controller
– Central View of Detail Data Collected from Many Systems
– 6 Authentication methods
– 128-bit AES Encrypted communications
– Restrictive and Hardened Linux based OS
– Detailed Audit Logging
– No root access
– Layer 2 NAC
– BYOD Portal
– SNMPv3 Support
– SSL based Secure API
– GRID Master to GRID Master Candidate Fail-over for fast DR recovery
– DNS: GSS-TSIG & TSIG, no MS-like scavenge need, DNSSEC, Anycast
– DHCP: Detailed custom option support; Template based setup reduces human error
– File Distribution: Secure upload
– Device and Network Discovery: Discover, auto-add, smart-folder fast find; vDiscover with vCenter; NMAP device fingerprinting
– FIPS 140-2 Certification
– JITC IPv6 Certification
– Common Criteria EAL-2 Certification
– Thin Client Web Access via HTTPS
– Easy and fast patching

Appliance Design Approach: Deny All, Explicitly Permit Services

Infoblox Appliance Approach
– Only enabled services are permitted (Limited Port Access)
– Dedicated hardware with no unnecessary logical or physical ports
– No OS-level user accounts – only admin accounts
– Immediate updates to new security threats (Infoblox Update Service)
– Secure HTTPS-based access to device management (Secure Access)
– No ssh or root-shell access
– Task-specific network appliance

Conventional Server Approach
– All services enabled, then you need to run through a custom “OS Hardening procedure”
– Many open ports subject to attack (Multiple Open Ports)
– Users have OS-level account privileges on server
– Requires time-consuming manual updates
– Requires multiple applications for device management

DNS Firewall

DNS Blacklisting / Redirection

Feature Description
– Maintains a list of prohibited domains or addresses
– Policy trigger is a DNS request that matches the blacklist
– Policy actions are:
  o Redirect to another URL
  o Do not resolve
  o Pass (resolve the request)

DNS Security Defense – Layered Defense / Defense in Depth Model

Threats (malware type)
– Virus and Worms
– Trojan Horses – IP-based (Adware)
– Trojan Horses – IP-based (Dialers)
– Trojan Horses – IP-based (Droppers)
– APT Malware – DNS-exploiting (Trojan Spyware & Backdoors)

Counter-Measures by layer
– Hardening: Hardened Appliances, Secure Interconnections, Consistent Coverage Core to Edge
– Perimeter: Traditional – Firewalls, VPNs, Virus / Trojan Scanning, DDoS protection, etc.
– IP-based Monitoring: Computer Monitoring Tools – Examine each command, function, and setting; Reputation Data Feeds / Web Filters

Gap
– Not effective since Malware leverages comprehensive, working infrastructure
– Some Malware gets behind the firewall and is designed to ‘morph’ IP, behavior, and file characteristics
– Some Malware leverages legitimate commands undetected by computer monitoring tools
– Web Filters and Data Feeds help avoid Droppers but can not detect DNS-exploiting Malware

DNS Firewall: What it is not… it does not replace, it complements:

– Traditional or Next Generation Firewall (e.g. Checkpoint, Juniper, Palo Alto, Imperva, Cisco, etc.)
– Anti-Virus (e.g. Symantec, McAfee, Webroot, Kaspersky, etc.)
– Email / Web Security (e.g. Blue Coat, McAfee, Websense)
– Advanced Persistent Threat (e.g. Damballa, FireEye)
– Security Information and Event Management (SIEM) (e.g. Trustwave, McAfee, Q1Labs)

Overall Malware Threats Booming – Startling statistics

– Around 7.8 million new Malware threats per quarter in 2012
– Mobile threats grew about 10X in 2012*
– 855 successful breaches / 174 million records compromised in 2012**
– 69% of successful breaches utilized Malware**
– 54% took months to discover, 29% weeks**
– 92% discovered by external party**

[Chart: New Malware per quarter, Q1 2010 to Q3 2012, scale 0 to 10,000,000]
[Chart: Total Mobile Malware Samples in the Database, 2004 to 2012, scale 0 to 25,000]

* Source: McAfee Threats Report: Third Quarter 2012
** Source: Verizon Security Study 2012

How does the DNS Firewall work?

1. Dynamic Policy Update: the Malware Data Feed from Infoblox reaches the Grid
2. Dynamic Grid-Wide Policy Distribution to every Infoblox DNS Firewall / Recursive DNS Server
3. The Infected Client queries www.badsite.com; the policy is applied and the session is blocked / disallowed
4. Redirect: the client is sent to the Walled Garden (garden.yourcompany.com)
5. Contact botnet: the infected client's attempt to reach the botnet
6. Reports Incident (3, 4) and Infected Client (5)

Report on Infected Clients

[Screenshot: report on infected clients; click an IP to view its lease history]
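The blacklist / redirect / pass policy actions and the walled-garden flow above, as an added example that is not Infoblox code: a small most-specific-match DNS policy check with the per-client incident record the report step would carry. The policy entries, the constructed botnet name and the client IPs are assumptions; only www.badsite.com and garden.yourcompany.com are taken from the slides.

```python
# Added example, not Infoblox code: an RPZ-style DNS firewall policy check.
# The policy table, client addresses and the query sample are constructed;
# only www.badsite.com and garden.yourcompany.com come from the slides.
from dataclasses import dataclass
from typing import Optional

# Suffix-matched domain -> action, mirroring the slide's three policy actions:
# "redirect" (walled garden), "nxdomain" (do not resolve), "pass" (resolve).
POLICY = {
    "badsite.com": "redirect",
    "c2.example.net": "nxdomain",   # constructed botnet-controller name
    "ok.badsite.com": "pass",       # more specific entry overrides its parent
}
WALLED_GARDEN = "garden.yourcompany.com"

@dataclass
class Verdict:
    qname: str
    client: str
    action: str              # "redirect" | "nxdomain" | "pass"
    matched: Optional[str]   # policy entry that fired, None if none matched
    answer: Optional[str]    # name returned to the client, None for NXDOMAIN

def lookup(qname: str) -> tuple:
    """Try the full name first, then each parent domain, so the most
    specific policy entry wins (the way an RPZ QNAME trigger behaves)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in POLICY:
            return POLICY[candidate], candidate
    return "pass", None

def evaluate(qname: str, client: str) -> Verdict:
    """Apply the policy to one query from one client (flow step 3)."""
    action, matched = lookup(qname)
    if action == "redirect":
        answer = WALLED_GARDEN          # step 4: send client to the garden
    elif action == "nxdomain":
        answer = None                   # do not resolve
    else:
        answer = "resolve-normally"     # hand off to normal recursion
    return Verdict(qname, client, action, matched, answer)

def incident_report(verdicts: list) -> dict:
    """Step 6: group every blocked or redirected query by client IP so the
    report names the infected host, not just the domain it asked for."""
    report = {}
    for v in verdicts:
        if v.action != "pass":
            report.setdefault(v.client, []).append(f"{v.qname} -> {v.action}")
    return report

if __name__ == "__main__":
    # Constructed query log: (client IP, queried name)
    sample = [("10.1.2.3", "www.badsite.com"), ("10.1.2.3", "c2.example.net"),
              ("10.1.2.9", "ok.badsite.com"), ("10.1.2.9", "www.example.org")]
    print(incident_report([evaluate(q, c) for c, q in sample]))
```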

Perfect Breach Example: New York Times Attack

Overview: On 1/30/13, the New York Times announced that it had been the victim of hacker / malware attacks over 4 months originating in China*

How the attack developed**
– Initial infection: Phishing / Spear Phishing likely, but other approaches are suspected as well
– Botnet: The botnet / attackers changed IP addresses and used compromised US University machines as proxies
– Deepening: Utilized over 45 types of malware; only 1 type was caught by the antivirus defense

Why It Was Difficult to Detect***
– The malware and attacks were designed to circumvent firewalls, web filtering, antivirus, and other defenses
– Appears it used DNS to locate the botnet controller

How DNS Firewall could have helped
– With the optional Malware Data Feed that targets geographic locations, may have prevented infection via phishing
– Would have disrupted botnet communications to China
– Report Server would have alerted of the attacks very early in the attack lifecycle

* http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html
** http://chinadigitaltimes.net/2013/02/new-york-times-hacking-highlights-other-cases/
*** http://www.activistpost.com/2013/02/chinese-hackers-attack-ny-times-over.html

Malware is Everywhere

Entities launching attacks
– Government “Cyberwar” teams
– Government censor organizations
– Hacktivists
– Criminal Elements
– Random Individuals

APT / Botnet Malware Requires a New Approach

Existing security approaches do not effectively address malware that exploits DNS. Examples:

– Malware repacks to avoid signature-based detection

– Botnet controllers typically change URLs dynamically to circumvent Web Filters

– Botnet controllers change IP addresses / use other techniques to circumvent Firewalls

“… DNS firewalls likely would have prevented the success of more than 80 percent of these attacks.”*

* http://www.securityweek.com/why-dns-firewalls-should-become-next-hot-thing-enterprise-security

NetMRI Security Device Controller

Feature comparison (which products include each capability):
– Advanced Discovery: SPM, ACM, NetMRI
– Topology Awareness: SPM, ACM, NetMRI
– Switch Capacity: SPM, ACM, NetMRI
– Sync with IPAM: SPM, ACM, NetMRI
– Change Automation & Detection: ACM, NetMRI
– Switch Port Control: ACM, NetMRI
– Approval Workflows: ACM, NetMRI
– Configuration Templates: ACM, NetMRI
– Pre-Packaged Automations: ACM, NetMRI
– Configuration Analysis: NetMRI
– Compliance Policy Design / Configuration Policy Enforcement: NetMRI
– Single-click Compliance Reports: NetMRI
– Security Analysis & Enforcement: SDC
– Policy Design & Automation: SDC

SPM: • Extend visibility • Improve accuracy • Enhance security • Automate IPAM
ACM: • Improve time to value • Delegate authority • Lower risk • Provision dynamically
NetMRI: • Ensure compliance • Find potential issues • Maintain standards • Plan better
SDC: • Security Analysis • Security Provisioning • Customized Alerting

Multi-Vendor Support

Automated Network Discovery
Embedded Expertise
Powerful Search
Customizable Alerting
Multi-vendor Provisioning
Enforce Network Security Policies

Security Device Controller (SDC) – Network Security Management: Today

The Pain of Legacy Processes

Legacy Approach: Manual

Firewall Change Needed, then:
1. Search For Devices
2. Figure Out Impacted Devices
3. Determine Correct Config
4. Compare Change to Standards / Compliance
5. Request Change / Implement Manually
6. Reconfirm Correctness and Compliance

Network Provisioning Time: Hours/Days
– Manual processes cannot keep up
– SLAs are lengthening to weeks or even a month
– Requires dedicated, senior network architects
– Routine, repetitive, error-prone

The Power of Infoblox

Legacy Approach: Manual, the same six steps from Firewall Change Needed to Reconfirm Correctness and Compliance, taking Days/Weeks
Infoblox Approach: Automated, the same six steps, taking Hours/Days

Supported Devices

– Cisco Routers
– Cisco Switch-Routers, including Catalyst switches
– Cisco Catalyst 6500 Series Firewall Services Modules (FWSM)
– Cisco PIX and ASA firewalls
– Juniper Firewalls in packet processing mode (stateful packet filtering only)
– Juniper Routers in Flow mode

Security Device Controller Feature Summary

• Search & Provision: multiple rules, multiple vendor devices
• Automatic alerting:
  • Unused and Duplicate rules and objects
  • Overlapping and hidden rules
• Custom Alerts:
  • Blacklist and Whitelist
  • Alert when services should never be enabled
  • Alert when mission critical services are impacted
• Faster ROI and deployment, with automated discovery
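The alert conditions in the feature summary above (unused and duplicate rules, hidden rules, services that should never be enabled), as an added example that is not Infoblox or NetMRI code: a first-match rule-base analyser. The rule set, the hit counters and the never-permit service list are constructed for the example.

```python
# Added example, not Infoblox/NetMRI code: a first-match rule-base analyser that
# flags hidden (shadowed), duplicate and unused rules, plus permits for services
# that must never be enabled. Every rule, hit counter and the never-permit set
# below is constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None means any destination port
    action: str            # "permit" or "deny"

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` would match is already matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.port is None or self.port == other.port))

def find_hidden(rules: list) -> list:
    """First match wins, so a rule fully covered by an earlier one never fires.
    Returns (hidden rule, the earlier rule that hides it) pairs."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                out.append((later.name, earlier.name))
                break
    return out

def find_duplicates(rules: list) -> list:
    """Identical match fields and action under a second name."""
    seen, out = {}, []
    for r in rules:
        key = (r.src, r.dst, r.port, r.action)
        if key in seen:
            out.append((r.name, seen[key]))
        else:
            seen[key] = r.name
    return out

def find_unused(rules: list, hits: dict) -> list:
    """Rules whose exported hit counter is zero (or missing)."""
    return [r.name for r in rules if hits.get(r.name, 0) == 0]

def find_forbidden(rules: list, never_permit: set) -> list:
    """Permit rules that open a service policy says must stay closed."""
    return [r.name for r in rules if r.action == "permit" and r.port in never_permit]

# Constructed sample rule base (ordered, first match wins) and hit counters.
RULES = [
    Rule("allow-dns", "10.0.0.0/8", "10.1.1.53/32", 53, "permit"),
    Rule("allow-dns-dup", "10.0.0.0/8", "10.1.1.53/32", 53, "permit"),
    Rule("deny-to-dns", "0.0.0.0/0", "10.1.1.53/32", None, "deny"),
    Rule("allow-branch-dns", "10.2.0.0/16", "10.1.1.53/32", 53, "permit"),
    Rule("allow-telnet", "10.0.0.0/8", "10.1.1.10/32", 23, "permit"),
]
HITS = {"allow-dns": 1200, "deny-to-dns": 40, "allow-telnet": 3}
NEVER_PERMIT = {23}   # constructed policy: telnet must never be enabled
```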

Select Security Products

Clean Up Unused DNS Records

Quickly identify DNS records/zones that are not queried and safely delete them

Reports for DNS Capacity Planning – Enhanced DNS Query Monitoring Reports

Event: At what rate is the DNS query rate increasing? When and where should I add new servers?

Benefit: Understand the current state of DNS load to ensure a successful transition
– Identify Avg. daily query rate for the past week
– Identify daily peak query rate for the past week

DNSSEC Configuration – it's easy

Central configuration of all DNSSEC parameters

Single click to enable validation of DNSSEC records

A zone can be signed with a single click by using the “Sign Zone” toolbar button
– Keys are generated on the fly and records are automatically signed
– Auto-creation of all associated DNSSEC records

Automatic maintenance of signed zones
– All ZSK key expiration and resigning are handled automatically
– DNSSEC zones are automatically resigned when new records are added

Role Based Administration – Visibility for Multiple Audiences

IPAM admin – Track how effectively provisioned networks are being used
DNS admin – See heavy users and the top sites being queried
DHCP admin – Improve lease history, find the most active DHCP clients
Security admin – Improve traceability for compliance purposes
Network admin – Understand subnet utilization for planning purposes
Helpdesk – Better “at a glance” visibility into the current state of DDI
Management – Provide simple, presentable reporting formats on trends

CAC / PKI Login Enhancement

– User Name pulled automatically from the Smart Card certificate
– MSFT AD, RADIUS, TACACS+ and Local continue to be the user authentication sources

CAC / PKI Full Logging

[Screenshot: positive test response, showing the log entry when a user is denied access due to a revoked certificate]

CAC / PKI Access Protection

– GUI locks when Smart Card is removed

IB-4030 Recursive DNS w/ DDOS – World’s Most Scalable, Secure, and Manageable DNS Caching Server

Performance
– A carrier grade DNS recursive appliance
– Over 1M DNS queries per second

Software
– Common Infoblox GUI for Easier Management
– Built-in threat protection
– URL Blacklisting / NXDOMAIN Redirection
– AAAA Filtering: filter AAAA records in responses to queries over IPv4
– Cache Pre-fetching
– DNSSEC

Hardware
– High performance, ruggedized server platform
– Optional AC or DC power
– Hot-swappable Power Supplies, Fan, RAID Disk Drives

IB-4030 Offers Continuous Service

IB-4030 does not stop answering queries from cache when capacity limits are reached for cache misses

[Chart: Avg. Latency (Seconds), BIND 9.8 vs IB-4030]

IB-4030 Security

Built-in automated threat protection
– Operates under heavy traffic load above 1M qps per server
– Detection and mitigation against DoS/DDoS:
  • TCP-SYN Flood
  • UDP Flood
  • Spoofed Source Addresses
  • Protocol level traffic prioritization and rate limiting
– Detection and mitigation against man-in-the-middle, cache poisoning

Advanced DNSSEC management
– Hardens DNS infrastructure against cache poisoning attacks

Domain blacklisting
– Block/redirect requests to malicious URLs

Security Level Banner

For any government where information on the Grid could be considered sensitive.

Unique to Infoblox in the DDI space. Five levels to choose from:
– Top Secret – Orange
– Secret – Red
– Unclassified – Green
– Confidential – Green
– Restricted – Green

Colors can be changed to accommodate varying organizations

3rd Party Product Integrations

Microsoft – VMware – Cisco – Juniper – F5 …and many more

Infoblox Load Balancer Manager

What: Infoblox Load Balancer Manager
– New Trinzic DDI license
– Requires / shipped with DDI 6.5
– Requires Grid Master
– Adds new tabs, columns, and cell options to the existing DDI UI

Why: Global availability, overburdened network staff, need to delegate admin to departments

Who: Network Managers and Administrators

Where: F5 Global Traffic Manager (GTM) customers and prospects
– Up to 4 GTMs or GTM groups

New Traffic Management tab under Data Mgmt
Extensible Attribute Support
Resource Status Provided
Define and view resources flexibly

Managing Networks – With LBM

[Figure: the Infoblox Grid™ managing several F5 BIG-IP devices]

IPAM for Microsoft

Seamless Integration
• Automatically synchronizes
• Certified Active Directory support
• No agents required and no server impact

Allows “bi-directional” cooperation
• MS Admins can delegate IPAM but still use Microsoft MMC
• Different teams can use different tools but easily work together

Enterprise Management
– Scalability
– Monitoring and alerting
– Utilization metrics and error correction
– Extended attributes
– Consolidated audit

[Figure: IPAM for Microsoft (Alliance Partner) synchronizing with internal Microsoft DNS/DHCP servers over MS DCOM]

vDiscovery – IPAM Automation for VMware Virtualization

Discover – Discover VMware virtual machines (VMs)
Collect – Collect detailed information about any VM
Group – Group VMs using Smart Folders
Unify – Unified IPAM view of physical hosts and VMs

[Figure: Infoblox Trinzic Enterprise Appliance discovering VMs on VMware vSphere through the VMware API]

NetMRI Automated Network Change & Configuration Management

Understand Cause & Effect
– Full discovery and visualization of network infrastructure
– Collect & analyze network infrastructure configurations
– Track and automate network changes
– Identify violations of best practice rules
– Identify security and compliance policy violations (SOX, HIPAA, PCI, etc.)
– Identify, verify and remediate issues proactively

Summary

Cutting Edge Security on Infoblox – 6,100+ Customer Installs
– IB-4030 DDOS Protection
– Security Device Controller
– DNS Firewall Protection with RPZ
– Two Factor Authentication with CAC/PKI
– Comprehensive reporting solution
– Role Based Administration
– DNSSEC w/ HSM Support – FIPS 140-2 Level 2 Certified
– End-to-End Real-Time Network Automation
– DNS64, Blacklisting, Redirection, Reporting, Anycast, SNMPv3
– Highly Secure: Common Criteria EAL-2 Certification; JITC IPv6 Certification; NIST Special Publication 800-81r1 Compliant
– Scalability: 3 billion DNS qps / 5 billion DHCP per day

Thank You