Transcript of DDI Security Best Practices & Benefits
© 2013 Infoblox Inc. All Rights Reserved.
DDI Security Best Practices & Benefits
Victor Danevich, Sr. Director, Americas System Engineering & Professional Services
Infoblox: Market Leader in Network Control

[Chart: Total Revenue in $MM, fiscal year ending July 31: FY2007 $35.0, FY2008 $56.0, FY2009 $61.7, FY2010 $102.2, FY2011 $132.8, FY2012 $169.2]
Founded in 1999
Headquartered in Santa Clara, CA with global operations in 25 countries
Market leadership: Gartner Strong Positive rating; 40%+ market share
6,100+ Customers, 45,000+ systems shipped
20 patents, 27 pending
IPO April 2012: NYSE BLOX
Leader in technology for network control
Best Practices and Benefits

Best Practice – A best practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark. In addition, a "best" practice can evolve to become better as improvements are discovered.**

ben·e·fit /ˈbenəfɪt/ Noun: An advantage or profit gained from something.

Agenda
– DDI Security Highlights
– Selected Security Product Features
– 3rd Party Security Integrations – F5, MS & Others

** Wikipedia http://en.wikipedia.org/wiki/Best_practice
Conventional Networks – Static and Simple

[Diagram: a handful of statically assigned IPv4 addresses (192.168.255.255, 132.18.255.45, 126.78.255.35, 72.168.21.135)]

– Static
– IPv4
– Rudimentary tools for control
– Manually configured
Next Generation Networks – Very Complex

[Diagram: a mix of IPv4 addresses, IPv6 addresses (2001:0db8:85a3:0000:0000:8a2e:…) and virtual machines]

– Expensive
– Manual
– Inflexible
Projects Driving Next Generation Networks

– Cloud applications
– Data center consolidation
– Compliance
– Virtualization
– Cloud
– Mobility / consumerization
– IP everywhere (IPv4 and IPv6)

[Diagram: cloud and SaaS application logos: Salesforce, Good, Dropbox, Symantec, Jive, LinkedIn, Twitter, SharePoint, Edge Client, Documents]
GRID OS Security Highlights

– DNS Firewall protection
– DNS blacklisting / redirection / blackhole
– Robust reporting solution
– DNSSEC
– Role-based administrative functions
– Two-factor authentication (CAC/PKI)
– DDoS protection
– Security Device Controller
– Central view of detailed data collected from many systems
– 6 authentication methods
– 128-bit AES encrypted communications
– Restrictive and hardened Linux-based OS
– Detailed audit logging
– No root access
– Layer 2 NAC
– BYOD portal
– SNMPv3 support
– SSL-based secure API
– Grid Master to Grid Master Candidate fail-over for fast DR recovery
– DNS: GSS-TSIG and TSIG; no MS-like scavenging needed; DNSSEC; Anycast
– DHCP: detailed custom option support; template-based setup reduces human error
– File distribution: secure upload
– Device and network discovery: discover, auto-add, smart-folder fast find; vDiscover with vCenter; NMAP device fingerprinting
– FIPS 140-2 certification; JITC IPv6 certification; Common Criteria EAL-2 certification
– Thin-client web access via HTTPS
– Easy and fast patching
Appliance Design Approach: Deny All, Explicitly Permit Services

Conventional Server Approach
– All services enabled, then you need to run through a custom "OS hardening procedure"
– Many open ports subject to attack
– Users have OS-level account privileges on the server
– Requires time-consuming manual updates
– Requires multiple applications for device management

Infoblox Appliance Approach
– Only enabled services are permitted (limited port access)
– Dedicated hardware with no unnecessary logical or physical ports
– No OS-level user accounts, only admin accounts
– Immediate updates to new security threats (Infoblox Update Service)
– Secure HTTPS-based access to device management
– No ssh or root-shell access
– Task-specific network appliance
DNS Blacklisting / Redirection

Feature description
– Maintains a list of prohibited domains or addresses
– Policy trigger is a DNS request that matches the blacklist
– Policy actions are:
  o Redirect to another URL
  o Do not resolve
  o Pass (resolve the request)
DNS Security Defense – Layered Defense / Defense in Depth Model

Threats (malware types): viruses and worms; Trojan horses, IP-based (adware, dialers, droppers); APT malware, DNS-exploiting (Trojan spyware and backdoors).

Counter-measures and their gaps
– Hardening: hardened appliances, secure interconnections, consistent coverage core to edge.
– Perimeter: traditional firewalls, VPNs, virus / Trojan scanning, DDoS protection, etc.
  Gap: some malware gets behind the firewall and is designed to "morph" IP, behavior, and file characteristics.
– IP-based monitoring: computer monitoring tools examine each command, function, and setting.
  Gap: some malware leverages legitimate commands undetected by computer monitoring tools.
– Reputation data feeds / web filters.
  Gap: web filters and data feeds help avoid droppers but cannot detect DNS-exploiting malware.
– Against APT / DNS-exploiting malware the layers above are not effective, since the malware leverages comprehensive, working infrastructure (DNS itself).
DNS Firewall: What it is not… It does not replace, it complements:
– Traditional or next-generation firewall (e.g. Check Point, Juniper, Palo Alto, Imperva, Cisco, etc.)
– Anti-virus (e.g. Symantec, McAfee, Webroot, Kaspersky, etc.)
– Email / web security (e.g. Blue Coat, McAfee, Websense)
– Advanced persistent threat detection (e.g. Damballa, FireEye)
– Security Information and Event Management (SIEM) (e.g. Trustwave, McAfee, Q1 Labs)
Overall Malware Threats Booming

Startling statistics
– Around 7.8 million new malware threats per quarter in 2012
– Mobile threats grew about 10X in 2012*
– 855 successful breaches / 174 million records compromised in 2012**
– 69% of successful breaches utilized malware**
– 54% took months to discover, 29% weeks**
– 92% discovered by an external party**

[Chart: New Malware per quarter, Q1 2010 to Q3 2012 (scale 0 to 10,000,000)]
[Chart: Total Mobile Malware Samples in the Database, 2004 to 2012 (scale 0 to 25,000)]

* Source: McAfee Threats Report: Third Quarter 2012 ** Source: Verizon Security Study 2012
How does the DNS Firewall work?

1. Dynamic policy update: the Malware Data Feed from Infoblox is delivered to the Grid.
2. Dynamic Grid-wide policy distribution to every Infoblox DNS Firewall / recursive DNS server.
3. An infected client tries to contact its botnet by resolving www.badsite.com; the DNS Firewall applies the policy and blocks / disallows the session.
4. The client is redirected to the walled garden (garden.yourcompany.com).
5. The infected client is identified.
6. Reporting: the incident (steps 3 and 4) and the infected client (step 5) are reported.
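The policy step in the flow above, together with the three actions on the DNS Blacklisting / Redirection slide, as an added example that is not Infoblox code: an RPZ-style lookup in which an exact-name entry takes precedence over a wildcard entry, a matched query is either answered with the walled-garden name or refused with NXDOMAIN, and every match is recorded as the incident the reporting step consumes. The feed entries, client addresses and query names are constructed for the example; the passthru entry shows how a whitelist exception wins over a broader block only when it is the most specific match.

```python
"""RPZ-style DNS firewall policy evaluation (added example, not Infoblox code).

Policy actions modelled from the slides: redirect to the walled garden,
do not resolve (NXDOMAIN), and pass (resolve normally). Every block or
redirect is recorded as an incident, which is what the report server
consumes to list infected clients.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed "Malware Data Feed": "*.x" matches every name below x, a plain
# entry matches exactly that name. "passthru" is the whitelist action and
# only takes effect when it is the most specific match.
FEED = {
    "badsite.com": "redirect",
    "*.badsite.com": "redirect",
    "*.evil-botnet.net": "nxdomain",
    "assets.badsite.com": "passthru",   # explicit exception under a blocked domain
}
WALLED_GARDEN = "garden.yourcompany.com"   # walled-garden name from the slide


@dataclass
class Decision:
    qname: str
    action: str                    # "resolve", "redirect" or "nxdomain"
    rule: Optional[str] = None     # feed entry that matched, if any
    answer: Optional[str] = None   # CNAME target for a redirect


INCIDENTS = []   # what step 6 reports: (client, qname, rule, action)


def normalize(qname: str) -> str:
    return qname.rstrip(".").lower()


def lookup_policy(qname: str) -> Tuple[Optional[str], Optional[str]]:
    """Most specific matching feed entry: exact name first, then the closest
    wildcard walking up the label tree (a.b.c -> *.b.c -> *.c)."""
    name = normalize(qname)
    if name in FEED:
        return name, FEED[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in FEED:
            return wildcard, FEED[wildcard]
    return None, None


def apply_policy(client_ip: str, qname: str) -> Decision:
    """Policy trigger: a query whose name matches the feed."""
    rule, action = lookup_policy(qname)
    if rule is None or action == "passthru":
        return Decision(qname, "resolve", rule)          # normal recursion
    if action == "redirect":
        decision = Decision(qname, "redirect", rule, WALLED_GARDEN)
    else:
        decision = Decision(qname, "nxdomain", rule)
    INCIDENTS.append((client_ip, normalize(qname), rule, decision.action))
    return decision


def infected_clients() -> list:
    """Steps 5 and 6: clients that hit a block or redirect rule, most hits first."""
    counts = {}
    for client, _, _, _ in INCIDENTS:
        counts[client] = counts.get(client, 0) + 1
    return sorted(counts, key=lambda c: (-counts[c], c))


if __name__ == "__main__":
    for client, name in [("10.1.2.3", "www.badsite.com"),
                         ("10.1.2.3", "c2.evil-botnet.net"),
                         ("10.1.2.4", "www.example.com"),
                         ("10.1.2.5", "assets.badsite.com")]:
        d = apply_policy(client, name)
        print(f"{client} {name:24} -> {d.action:8} rule={d.rule} answer={d.answer}")
    print("infected clients:", infected_clients())
```

A redirect only helps if the walled-garden host actually serves the redirected client something (a captive page, a block notice); an NXDOMAIN answer is the safer default for pure C2 names, because the malware cannot mistake the garden for its controller.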
Report on Infected Clients

[Screenshot: infected-client report; click an IP to view its lease history]
Perfect Breach Example: New York Times Attack

Overview: On 1/30/13, the New York Times announced that it had been the victim of hacker / malware attacks over 4 months originating in China*

How the attack developed**
– Initial infection: phishing / spear phishing likely, but other approaches are suspected as well
– Botnet: the botnet / attackers changed IP addresses and used compromised US university machines as proxies
– Deepening: utilized over 45 types of malware; only 1 type was caught by the antivirus defense

Why it was difficult to detect***
– The malware and attacks were designed to circumvent firewalls, web filtering, antivirus, and other defenses
– It appears to have used DNS to locate the botnet controller

How DNS Firewall could have helped
– With the optional Malware Data Feed that targets geographic locations, may have prevented infection via phishing
– Would have disrupted botnet communications to China
– Report Server would have alerted on the attacks very early in the attack lifecycle

* http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html ** http://chinadigitaltimes.net/2013/02/new-york-times-hacking-highlights-other-cases/ *** http://www.activistpost.com/2013/02/chinese-hackers-attack-ny-times-over.html
Malware is Everywhere

Entities launching attacks
– Government "cyberwar" teams
– Government censor organizations
– Hacktivists
– Criminal elements
– Random individuals
APT / Botnet Malware Requires a New Approach

Existing security approaches do not effectively address malware that exploits DNS. Examples:
– Malware repacks to avoid signature-based detection
– Botnet controllers typically change URLs dynamically to circumvent web filters
– Botnet controllers change IP addresses / use other techniques to circumvent firewalls

"… DNS firewalls likely would have prevented the success of more than 80 percent of these attacks."*

* http://www.securityweek.com/why-dns-firewalls-should-become-next-hot-thing-enterprise-security
Network Automation Product Family: SPM, ACM, NetMRI and SDC

Feature                            SPM   ACM   NetMRI   SDC
Advanced Discovery                  ✓     ✓      ✓
Topology Awareness                  ✓     ✓      ✓
Switch Capacity                     ✓     ✓      ✓
Sync with IPAM                      ✓     ✓      ✓
Change Automation & Detection             ✓      ✓
Switch Port Control                       ✓      ✓
Approval Workflows                        ✓      ✓
Configuration Templates                   ✓      ✓
Pre-Packaged Automations                  ✓      ✓
Configuration Analysis                           ✓
Compliance Policy Design                         ✓
Configuration Policy Enforcement                 ✓
Single-click Compliance Reports                  ✓
Security Analysis & Enforcement                          ✓
Policy Design & Automation                               ✓

SPM: extend visibility, improve accuracy, enhance security, automate IPAM
ACM: improve time to value, delegate authority, lower risk, provision dynamically
NetMRI: ensure compliance, find potential issues, maintain standards, plan better
SDC: security analysis, security provisioning, customized alerting
Multi-Vendor Support
Automated Network Discovery
Embedded Expertise
Powerful Search
Customizable Alerting
Multi-vendor Provisioning
Enforce Network Security Policies
Security Device Controller (SDC) – Network Security Management: Today

The Pain of Legacy Processes (manual; hours / days of network provisioning time per change)
Trigger: firewall change needed
1. Search for devices
2. Figure out impacted devices
3. Determine correct config
4. Compare change to standards / compliance
5. Request change / implement manually
6. Reconfirm correctness and compliance

– Manual processes cannot keep up; SLAs are lengthening to weeks or even a month
– Require dedicated, senior network architects
– Routine, repetitive, error-prone

The Power of Infoblox
– Legacy approach: the same six steps performed manually, taking hours / days and stretching to days / weeks
– Infoblox approach: the six steps automated end to end
Supported Devices
Cisco Routers Cisco Switch-Routers,
including Catalyst switches
Cisco Catalyst 6500 Series Firewall Services Modules (FWSM)
Cisco PIX and ASA firewalls
Juniper Firewalls in packet processing mode (stateful packet filtering only)
Juniper Routers in Flow mode
Security Device Controller Feature Summary

– Search & provision: multiple rules, multiple vendor devices
– Automatic alerting: unused and duplicate rules and objects; overlapping and hidden rules
– Custom alerts: blacklist and whitelist; alert when services that should never be enabled are enabled; alert when mission-critical services are impacted
– Faster ROI and deployment with automated discovery
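The rule-base conditions in the feature summary above, as an added example that is not SDC's own logic: a first-match analysis over an ordered rule list that flags unused rules (zero hit counter), duplicates (fully covered by an earlier rule with the same action), hidden rules (fully covered by an earlier rule with the opposite action, so they can never fire), partial overlaps with the opposite action, and the custom blacklist alert for a permit rule that exposes a service that should never be enabled. The rule set, hit counters and service blacklist are constructed.

```python
"""Firewall rule-base analysis (added example, not SDC's own logic).

Conditions reported, using a constructed rule set with constructed hit counters:
  unused      - rule with a zero hit counter
  duplicate   - rule fully covered by an earlier rule with the same action
  hidden      - rule fully covered by an earlier rule with a different action
                (shadowed: it can never match first)
  overlapping - rule partially intersecting an earlier rule with a different
                action (which one wins depends on the packet and the ordering)
  blacklist   - permit rule whose port range admits a service that must never be enabled
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "permit" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    hits: int = 0            # hit counter as read back from the device


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _proto_covers(a: str, b: str) -> bool:
    return a == "any" or a == b


def _proto_overlaps(a: str, b: str) -> bool:
    return "any" in (a, b) or a == b


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches b also matches a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and _proto_covers(a.proto, b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True when some packet matches both a and b."""
    return (_net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and _proto_overlaps(a.proto, b.proto)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def analyse(rules: List[Rule]) -> Dict[str, list]:
    findings = {"unused": [], "duplicate": [], "hidden": [], "overlapping": []}
    for i, rule in enumerate(rules):
        if rule.hits == 0:
            findings["unused"].append(rule.name)
        for earlier in rules[:i]:        # first-match semantics: only earlier rules matter
            if covers(earlier, rule):
                kind = "duplicate" if earlier.action == rule.action else "hidden"
                findings[kind].append((rule.name, earlier.name))
                break                    # one covering rule already makes it unreachable
            if earlier.action != rule.action and overlaps(earlier, rule):
                findings["overlapping"].append((rule.name, earlier.name))
    return findings


def forbidden_services(rules: List[Rule],
                       blacklist: Dict[str, Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Custom alert: permit rules whose port range admits a blacklisted service."""
    alerts = []
    for rule in rules:
        if rule.action != "permit":
            continue
        for service, (proto, port) in blacklist.items():
            if _proto_overlaps(rule.proto, proto) and rule.ports[0] <= port <= rule.ports[1]:
                alerts.append((rule.name, service))
    return alerts


# Constructed rule base in device order, with constructed hit counters.
RULES = [
    Rule("r1", "permit", "10.0.0.0/8",    "192.168.10.0/24", "tcp", (443, 443), hits=1200),
    Rule("r2", "deny",   "10.1.0.0/16",   "192.168.10.0/24", "tcp", (443, 443), hits=0),   # hidden by r1
    Rule("r3", "permit", "10.0.0.0/8",    "192.168.10.0/24", "tcp", (443, 443), hits=0),   # duplicate of r1
    Rule("r4", "deny",   "10.2.0.0/16",   "192.168.0.0/16",  "tcp", (1, 1024),  hits=35),  # overlaps r1 and r3
    Rule("r5", "permit", "172.16.0.0/12", "192.168.20.0/24", "udp", (53, 53),   hits=9),
    Rule("r6", "permit", "0.0.0.0/0",     "192.168.30.0/24", "tcp", (20, 25),   hits=4),   # admits telnet
]
NEVER_ENABLED = {"telnet": ("tcp", 23), "smb": ("tcp", 445)}   # constructed blacklist

if __name__ == "__main__":
    for kind, items in analyse(RULES).items():
        print(f"{kind:12} {items}")
    print(f"{'blacklist':12} {forbidden_services(RULES, NEVER_ENABLED)}")
```

A hidden rule with a deny action (r2 above) is the finding to treat as a security defect rather than housekeeping: someone intended to block that traffic and the device has been permitting it all along, which the zero hit counter alone would not have explained.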
Clean Up Unused DNS Records

Quickly identify DNS records / zones that are not queried and safely delete them
Reports for DNS Capacity Planning – Enhanced DNS Query Monitoring Reports

Event: At what rate is the DNS query rate increasing? When and where should I add new servers?
Benefit: Understand the current state of DNS load to ensure a successful transition
– Identify the average daily query rate for the past week
– Identify the daily peak query rate for the past week
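The two capacity-planning figures above and the unused-record check on the previous slide all come from the same query log, so one added example serves both (it is not the Infoblox reporting server's code): parse BIND-format query log lines, compute per-day totals, the average daily rate, the peak queries-per-second within each day, the top queried names, and the zone names that never appear in the log. The log lines and the zone record list are constructed; the report on the slide looks back a week, the constructed log covers three days.

```python
"""DNS query-log analysis for capacity planning and unused-record cleanup
(added example, not the Infoblox reporting server). Log lines below are
constructed in BIND query-log format; the zone record list is constructed too.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

LOG = """\
28-Jan-2013 09:00:00.001 queries: info: client 10.1.2.3#53422: query: www.example.com IN A + (10.0.0.53)
28-Jan-2013 09:00:00.402 queries: info: client 10.1.2.4#40001: query: mail.example.com IN MX + (10.0.0.53)
28-Jan-2013 09:00:00.730 queries: info: client 10.1.2.5#40002: query: www.example.com IN AAAA + (10.0.0.53)
28-Jan-2013 15:30:12.004 queries: info: client 10.1.2.3#53423: query: intranet.example.com IN A + (10.0.0.53)
29-Jan-2013 08:10:45.000 queries: info: client 10.1.2.6#51000: query: www.example.com IN A + (10.0.0.53)
29-Jan-2013 08:10:45.120 queries: info: client 10.1.2.7#51001: query: www.example.com IN A + (10.0.0.53)
29-Jan-2013 19:59:59.999 queries: info: client 10.1.2.3#53424: query: mail.example.com IN A + (10.0.0.53)
30-Jan-2013 11:11:11.111 queries: info: client 10.1.2.8#60000: query: www.example.com IN A + (10.0.0.53)
30-Jan-2013 11:11:11.222 queries: info: client 10.1.2.9#60001: query: www.example.com IN A + (10.0.0.53)
30-Jan-2013 11:11:11.333 queries: info: client 10.1.2.3#53425: query: mail.example.com IN MX + (10.0.0.53)
30-Jan-2013 11:11:11.444 queries: info: client 10.1.2.4#40003: query: www.example.com IN A + (10.0.0.53)
30-Jan-2013 12:00:00.000 queries: info: client 10.1.2.3#53426: query: legacy-vpn.example.com IN A + (10.0.0.53)
"""

# Constructed list of names that exist in the zone.
ZONE_RECORDS = ["www.example.com", "mail.example.com", "intranet.example.com",
                "legacy-vpn.example.com", "old-printer.example.com", "test-db.example.com"]

LINE = re.compile(
    r"^(?P<day>\d{2}-[A-Za-z]{3}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\.\d{3} "
    r"queries: info: client (?P<client>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_queries(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:                      # not a query line: skip it
            continue
        ev = m.groupdict()
        ev["qname"] = ev["qname"].rstrip(".").lower()
        events.append(ev)
    return events


def daily_counts(events: List[dict]) -> Dict[str, int]:
    return dict(Counter(ev["day"] for ev in events))


def average_daily_rate(events: List[dict]) -> float:
    counts = daily_counts(events)
    return sum(counts.values()) / len(counts) if counts else 0.0


def daily_peak_qps(events: List[dict]) -> Dict[str, int]:
    """Highest number of queries seen in any single second, per day."""
    per_second = Counter((ev["day"], ev["time"]) for ev in events)
    peak: Dict[str, int] = defaultdict(int)
    for (day, _), n in per_second.items():
        peak[day] = max(peak[day], n)
    return dict(peak)


def top_queried(events: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    return Counter(ev["qname"] for ev in events).most_common(n)


def unqueried_records(zone_names: List[str], events: List[dict]) -> List[str]:
    """Zone names that never appear in the log: deletion candidates."""
    seen = {ev["qname"] for ev in events}
    names = (name.rstrip(".").lower() for name in zone_names)
    return sorted(name for name in names if name not in seen)


if __name__ == "__main__":
    ev = parse_queries(LOG)
    print("per day:", daily_counts(ev))
    print("average daily queries:", average_daily_rate(ev))
    print("daily peak qps:", daily_peak_qps(ev))
    print("top names:", top_queried(ev))
    print("never queried:", unqueried_records(ZONE_RECORDS, ev))
```

Before deleting anything the "never queried" list turns up, merge the logs of every authoritative server for the zone and of the recursive servers in front of it; a name that is only ever resolved through another server will look unused in a single server's log.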
DNSSEC Configuration – it's easy

– Central configuration of all DNSSEC parameters
– Single click to enable validation of DNSSEC records
– A zone can be signed with a single click using the "Sign Zone" toolbar button
  o Keys are generated on the fly and records are automatically signed
  o Auto-creation of all associated DNSSEC records
– Automatic maintenance of signed zones
  o All ZSK key expiration and re-signing are handled automatically
  o DNSSEC zones are automatically re-signed when new records are added
Role Based Administration – Visibility for Multiple Audiences

– IPAM admin: track how effectively provisioned networks are being used
– DNS admin: see heavy users and the top sites being queried
– DHCP admin: improve lease history, find the most active DHCP clients
– Security admin: improve traceability for compliance purposes
– Network admin: understand subnet utilization for planning purposes
– Helpdesk: better "at a glance" visibility into the current state of DDI
– Management: simple, presentable reporting formats on trends
CAC / PKI Login Enhancement

– User name pulled automatically from the smart card certificate
– MSFT AD, RADIUS, TACACS+ and local accounts continue to be supported for user authentication
CAC / PKI Full Logging

[Screenshot: positive test response, showing the log entry written when a user is denied access due to a revoked certificate]
CAC / PKI Access Protection

– GUI locks when the smart card is removed
IB-4030 Recursive DNS w/ DDoS – World's Most Scalable, Secure, and Manageable DNS Caching Server

Performance
– A carrier-grade DNS recursive appliance
– Over 1M DNS queries per second
Software
– Common Infoblox GUI for easier management
– Built-in threat protection
– URL blacklisting / NXDOMAIN redirection
– AAAA filtering: filter AAAA records in responses to queries over IPv4
– Cache pre-fetching
– DNSSEC
Hardware
– High-performance, ruggedized server platform
– Optional AC or DC power
– Hot-swappable power supplies, fans and RAID disk drives
IB-4030 Offers Continuous Service

IB-4030 does not stop answering queries from cache when capacity limits are reached for cache misses

[Chart: average latency (seconds) under increasing load, BIND 9.8 vs IB-4030]
IB-4030 Security

Built-in automated threat protection
– Operates under heavy traffic load above 1M qps per server
– Detection and mitigation against DoS/DDoS: TCP SYN flood; UDP flood; spoofed source addresses; protocol-level traffic prioritization and rate limiting
– Detection and mitigation against man-in-the-middle and cache poisoning
Advanced DNSSEC management – hardens DNS infrastructure against cache poisoning attacks
Domain blacklisting – block / redirect requests to malicious URLs
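The continuous-service claim on the previous slide (cached names keep being answered when cache-miss capacity is exhausted) and the per-source rate limiting listed above, as an added example that is not the IB-4030's implementation: a cache-first resolver model with a bounded number of in-flight recursions, coalescing of duplicate misses, and a token bucket per source address. Answering SERVFAIL for a miss when no recursion slot is free is a modelling choice here; the slides do not say what the appliance returns in that case. All addresses, names and timings are constructed.

```python
"""Cache-first recursive resolver model with bounded cache-miss capacity and
per-source rate limiting (added example, not the IB-4030 implementation).

Shows two properties in code: cached names are still answered when the
server has no capacity left for new cache misses, and a per-source token
bucket keeps one source from consuming the shared recursion capacity.
Addresses, names and timings are constructed.
"""
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple


class TokenBucket:
    """Refill `rate` tokens per second, store at most `burst`; one token per query."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Resolver:
    def __init__(self, max_in_flight: int, per_source_qps: float, burst: int):
        self.cache: Dict[str, Tuple[str, float]] = {}   # qname -> (rdata, expires_at)
        self.pending: Set[str] = set()                    # names with a recursion in progress
        self.max_in_flight = max_in_flight
        self.buckets = defaultdict(lambda: TokenBucket(per_source_qps, burst))
        self.stats: Dict[str, int] = defaultdict(int)

    def handle(self, now: float, source: str, qname: str) -> str:
        # 1. Per-source rate limit, before any shared state is touched.
        if not self.buckets[source].allow(now):
            self.stats["rate_limited"] += 1
            return "DROP"
        # 2. Cache hits are answered regardless of recursion load.
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            self.stats["cache_hit"] += 1
            return hit[0]
        # 3. A miss for a name already being resolved rides on that recursion.
        if qname in self.pending:
            self.stats["coalesced"] += 1
            return "PENDING"
        # 4. A fresh miss needs a recursion slot. None left: fail fast with
        #    SERVFAIL (modelling choice) rather than queue and starve cache hits.
        if len(self.pending) >= self.max_in_flight:
            self.stats["overloaded"] += 1
            return "SERVFAIL"
        self.pending.add(qname)
        self.stats["recursed"] += 1
        return "PENDING"

    def upstream_reply(self, now: float, qname: str, rdata: str, ttl: int) -> None:
        """Authoritative answer arrived: cache it and free the recursion slot."""
        self.cache[qname] = (rdata, now + ttl)
        self.pending.discard(qname)


def flood_demo() -> Dict[str, int]:
    """Constructed traffic: cache one name, then a random-subdomain flood from
    many sources, then a single-source flood. Returns the resolver counters."""
    r = Resolver(max_in_flight=2, per_source_qps=5, burst=5)
    t = 1000.0
    r.handle(t, "10.0.0.1", "www.example.com")
    r.upstream_reply(t + 0.05, "www.example.com", "93.184.216.34", ttl=300)
    for i in range(10):   # ten sources, each under its own limit: capacity is the bottleneck
        r.handle(t + 0.2 + i * 0.01, f"198.51.100.{i}", f"x{i}.target.example")
    r.handle(t + 0.5, "10.0.0.2", "www.example.com")   # still answered from cache
    for i in range(10):   # one source hammering a cached name: the bucket is the bottleneck
        r.handle(t + 1.0 + i * 0.001, "203.0.113.9", "www.example.com")
    return dict(r.stats)


if __name__ == "__main__":
    print(flood_demo())
```

The random-subdomain flood in the demo is exactly the traffic a per-source limit does not stop when sources are spoofed: each source stays under its bucket, and only the bounded recursion pool protects the cache hits. That is why the slide lists spoofed-source detection as a separate mitigation from rate limiting.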
Security Level Banner

For any government where information on the Grid could be considered sensitive. Unique to Infoblox in the DDI space.

Five levels to choose from
– Top Secret – Orange
– Secret – Red
– Unclassified – Green
– Confidential – Green
– Restricted – Green
Colors can be changed to accommodate varying organizations
3rd Party Product Integrations

Microsoft – VMware – Cisco – Juniper – F5 … and many more
Infoblox Load Balancer Manager

What: Infoblox Load Balancer Manager
– New Trinzic DDI license
– Requires / shipped with DDI 6.5
– Requires Grid Master
– Adds new tabs, columns, and cell options to the existing DDI UI
Why: global availability, overburdened network staff, need to delegate administration to departments
Who: network managers and administrators
Where: F5 Global Traffic Manager (GTM) customers and prospects; up to 4 GTMs or GTM groups

– New Traffic Management tab under Data Management
– Extensible Attribute support
– Resource status provided
– Define and view resources flexibly
Managing Networks – With LBM

[Diagram: Infoblox Grid managing several F5 BIG-IP devices]
IPAM for Microsoft

Seamless integration
– Automatically synchronizes
– Certified Active Directory support
– No agents required and no server impact
Allows "bi-directional" cooperation
– MS admins can delegate IPAM but still use the Microsoft MMC
– Different teams can use different tools but easily work together
Enterprise management
– Scalability
– Monitoring and alerting
– Utilization metrics and error correction
– Extended attributes
– Consolidated audit

[Diagram: Infoblox IPAM for Microsoft (Microsoft Alliance Partner) communicating with internal Microsoft DNS/DHCP servers over MS DCOM]
vDiscovery – IPAM Automation for VMware Virtualization

– Discover: discover VMware virtual machines (VMs)
– Collect: collect detailed information about any VM
– Group: group VMs using Smart Folders
– Unify: unified IPAM view of physical hosts and VMs

[Diagram: Infoblox Trinzic Enterprise Appliance querying VMware vSphere through the VMware API]
NetMRI – Automated Network Change & Configuration Management

Understand cause and effect
– Full discovery and visualization of network infrastructure
– Collect and analyze network infrastructure configurations
– Track and automate network changes
– Identify violations of best-practice rules
– Identify security and compliance policy violations (SOX, HIPAA, PCI, etc.)
– Identify, verify and remediate issues proactively
Cutting Edge Security on Infoblox – 6,100+ Customer Installs

– IB-4030 DDoS protection
– Security Device Controller
– DNS Firewall protection with RPZ
– Two-factor authentication with CAC/PKI
– Comprehensive reporting solution
– Role-based administration
– DNSSEC w/ HSM support – FIPS 140-2 Level 2 certified
– End-to-end real-time network automation
– DNS64, blacklisting, redirection, reporting, Anycast, SNMPv3
– Highly secure: Common Criteria EAL-2 certification; JITC IPv6 certification; NIST Special Publication 800-81r1 compliant
– Scalability: 3 billion DNS queries / 5 billion DHCP per day