DDI Security Best Practices Benefits - ... Security Best Practices Benefits ... Secure...


  • date post

    23-May-2018

  • 2013 Infoblox Inc. All Rights Reserved.

    DDI Security Best Practices & Benefits

    Victor Danevich, Sr. Director, Americas System Engineering & Professional Services

  • Infoblox: Market Leader in Network Control

    [Chart: Total Revenue ($MM), Fiscal Year Ending July 31, FY2007 to FY2012. Data labels: $35,0, $56,0, $61,7, $102,2, $132,8, $169,2]

    Founded in 1999

    Headquartered in Santa Clara, CA with global operations in 25 countries

    Market leadership: Gartner Strong Positive Rating

    40%+ Market Share

    6,100+ Customers, 45,000+ systems shipped

    20 patents, 27 pending

    IPO April 2012: NYSE BLOX

    Leader in technology for network control

  • Best Practices and Benefits

    Best Practice: A best practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark. In addition, a "best" practice can evolve to become better as improvements are discovered.**

    benefit /ˈbenəfit/ Noun: An advantage or profit gained from something.

    Agenda

    DDI Security Highlights

    Selected Security Product Features

    3rd Party Security Integrations: F5, MS & Others

    ** Wikipedia http://en.wikipedia.org/wiki/Best_practice

  • Conventional Networks: Static and Simple

    [Diagram: hosts with statically assigned IPv4 addresses]

    Static

    IPv4

    Rudimentary Tools for Control

    Manually Configured

  • Next Generation Networks: Very Complex

    [Diagram: hosts and VMs with IPv4 and IPv6 addresses]

    Expensive

    Manual

    Inflexible

  • Projects Driving Next Generation Networks

    Data Center Consolidation

    Compliance

    Virtualization

    Cloud

    Mobility/Consumerization

    IP Everywhere

    [Diagram labels: Cloud Applications, Edge Client, Documents, Good, salesforce, Dropbox, Symantec, Jive, LinkedIn, Twitter, SharePoint, IPv4, IPv6]

  • GRID OS Security Highlights

    DNS Firewall Protection

    DNS Blacklisting/Redirection/Blackhole

    Robust Reporting Solution

    DNSSEC

    Role Based Administrative Functions

    Two Factor Authentication CAC/PKI

    DDoS Protection

    Security Device Controller

    Central View of Detail Data Collected from Many Systems

    6 Authentication methods

    128-bit AES Encrypted communications

    Restrictive and Hardened Linux based OS

    Detailed Audit Logging

    No root access

    Layer 2 NAC BYOD Portal

    SNMPv3 Support

    SSL based Secure API

    GRID Master to GRID Master Candidate Fail-over for fast DR recovery

    DNS: GSS-TSIG & TSIG; No MS like scavenge need; DNSSEC; Anycast

    DHCP: Detailed custom option support; Template based setup reduces human error

    File Distribution: Secure upload

    Device and Network Discovery: Discover, auto-add, smart-folder fast find; vDiscover with vCenter; NMAP device finger printing

    FIPS 140-2 Certification

    JITC IPv6 Certification

    Common Criteria EAL-2 Certification

    Thin Client Web Access via HTTPS

    Easy and fast patching

  • Appliance Design Approach: Deny All, Explicitly Permit Services

    Infoblox Appliance Approach

    Only enabled services are permitted

    Dedicated hardware with no unnecessary logical or physical ports

    No OS-level user accounts, only admin accts

    Immediate updates to new security threats

    Secure HTTPS-based access to device management

    No ssh or root-shell access

    Task-specific network appliance

    Conventional Server Approach

    All services enabled, then you need to run through a custom OS Hardening procedure

    Many open ports subject to attack

    Users have OS-level account privileges on server

    Requires time-consuming manual updates

    Requires multiple applications for device management

    [Diagram labels: Limited Port Access, Multiple Open Ports, Infoblox Update Service, Secure Access]

  • DNS Firewall

  • DNS Blacklisting / Redirection

    Feature Description

    Maintains a list of prohibited domains or addresses

    Policy trigger is a DNS request that matches with blacklist

    Policy actions are:

    o Redirect to another URL

    o Do not resolve

    o Pass (resolve the request)
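The blacklist policy described on this slide, as an added example that is not part of the original deck and is not Infoblox code: a small evaluator that maps a query name to one of the three listed actions. The label-wise parent-domain matching, the "most specific entry wins" precedence and the `tracker.example` entries are assumptions; `badsite.com` and `garden.yourcompany.com` are the sample names used elsewhere in the slides.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    REDIRECT = "redirect"      # answer with the walled-garden host instead
    NO_RESOLVE = "no_resolve"  # do not resolve the name
    PASS = "pass"              # resolve the request normally


@dataclass(frozen=True)
class Decision:
    action: Action
    matched_rule: Optional[str]  # blacklist entry that triggered, None if no match
    answer: Optional[str]        # redirect target when action is REDIRECT


# Constructed sample policy (assumed format: domain -> action).
WALLED_GARDEN = "garden.yourcompany.com"
BLACKLIST = {
    "badsite.com": Action.REDIRECT,
    "tracker.example": Action.NO_RESOLVE,
    "ok.tracker.example": Action.PASS,  # explicit exception under a blocked parent
}


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing root dot so 'WWW.BadSite.com.' matches."""
    return qname.strip().rstrip(".").lower()


def evaluate(qname: str, blacklist=BLACKLIST, garden=WALLED_GARDEN) -> Decision:
    """Check the query name, then each parent domain, most specific first.

    Matching whole labels (not a raw string suffix) keeps 'notbadsite.com'
    from being caught by the 'badsite.com' entry.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        action = blacklist.get(candidate)
        if action is not None:
            answer = garden if action is Action.REDIRECT else None
            return Decision(action, candidate, answer)
    return Decision(Action.PASS, None, None)  # not on the list: resolve normally
```
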

  • DNS Security Defense Gap

    Layered Defense / Defense in Depth Model

    Hardening

    Perimeter

    IP-based Monitoring

    Threats

    Malware Type

    Virus and Worms

    Trojan Horses - IP-based (Adware)

    Trojan Horses IP-based (Dialers)

    Trojan Horses IP-based (Droppers)

    APT Malware DNS-exploiting (Trojan Spyware & Backdoors)

    Counter-Measures

    Hardened Appliances, Secure Interconnections, Consistent Coverage Core to Edge

    Traditional Firewalls, VPNs, Virus / Trojan Scanning, DDoS protection, etc.

    Computer Monitoring Tools: Examine each command, function, and setting

    Reputation Data Feeds / Web Filters

    Gap

    Not effective since Malware leverages comprehensive, working infrastructure

    Some Malware gets behind firewall and is designed to morph IP, behavior, and file characteristics

    Some Malware leverages legitimate commands undetected by computer monitoring tools

    Web Filters and Data Feeds help avoid Droppers but can not detect DNS-exploiting Malware

  • DNS Firewall: What it is not. Does not replace; it complements.

    Traditional or Next Generation Firewall (e.g. Checkpoint, Juniper, Palo Alto, Imperva, Cisco, etc.)

    Anti-Virus (e.g. Symantec, McAfee, Webroot, Kaspersky, etc.)

    Email / Web Security (e.g. Blue Coat, McAfee, Websense)

    Advanced Persistent Threat (e.g. Damballa, FireEye)

    Security Information and Event Management (SIEM) (e.g. Trustwave, McAfee, Q1Labs)

  • Overall Malware Threats Booming

    Around 7.8 million new Malware threats per quarter in 2012

    Mobile threats grew about 10X in 2012*

    855 successful breaches / 174 million records compromised in 2012**

    69% of successful breaches utilized Malware**

    54% took months to discover, 29% weeks**

    92% discovered by external party**

    [Chart: New Malware, by quarter, Q1 2010 to Q3 2012]

    [Chart: Total Mobile Malware Samples in the Database, 2004 to 2012]

    Startling statistics

    * Source: McAfee Threats Report: Third Quarter 2012

    ** Source: Verizon Security Study 2012

  • How does the DNS Firewall work?

    [Diagram: numbered flow (steps 1 to 6) between the Malware Data Feed from Infoblox, three Infoblox DNS Firewall / Recursive DNS Servers, an Infected Client, and a Walled Garden (garden.yourcompany.com). Labels: Dynamic Policy Update; Dynamic Grid-Wide Policy Distribution; Contact botnet; www.badsite.com; Apply Policy: Block / Disallow session; Redirect; 6: Reports Incident (3, 4) and Infected Client (5)]

  • Report on Infected Clients

    Click to view lease history for this IP

  • Overview: On 1/30/13, announced that they had been the victim of hacker / malware attacks over 4 months origin