Infoblox – control, secure & automate
Mike Carroll
© 2011 Infoblox Inc. All Rights Reserved.
Market Leaders Choose Infoblox
7500+ Global Customers, 300+ Fortune 500
Telecom
Retail
Manufacturing
Media and Internet
Transportation
Government
Life Sciences
Financial Services
Education
Energy
Infoblox Alliance Partners
Networks Without Infoblox – Siloes of Data, Multiple Management Points
[Diagram: separate management points for virtual machines, public cloud, applications, apps & end-points and network infrastructure. The control plane is split across Microsoft DNS, Microsoft DHCP, VMware DNS, external DNS (BIND / Microsoft) and IPAM (IP address management); network infrastructure (firewalls, switches, routers, web proxy, load balancers) is managed through scripts and the command line. Call-outs: Malware; Complexity, Risk & Cost; Agility and Flexibility (crossed out).]
With Infoblox
[Diagram: virtual machines, private cloud, applications, apps & end-points and network infrastructure (firewalls, switches, routers, web proxy, load balancers) all managed through one control plane, the Infoblox Grid with real-time network database, which provides infrastructure security and historical / real-time reporting & control.]
Infoblox DDI and Grid
[Diagram of the Infoblox Grid: Grid Master (HA pair), Grid Master Candidate at the recovery site, Grid Members, Reporting Server with integrated advanced reporting; virtualization & cloud integration (VMware virtualization integration; cloud orchestration integration with VMware and BMC); branch office DNS/DHCP members at the edge network / remote offices; agentless management of Microsoft DNS/DHCP with full AD integration.]
Patented Grid Technology: Central Management, Authoritative DB
Simplified Workflow Design
• Drag and drop GUI
• Create highly effective workflows within minutes
In response to these trends, Infoblox has developed IPAM for Microsoft System Center Orchestrator (SCO). The integration simplifies and streamlines provisioning and de-provisioning of IP addresses to newly created VMs, updates DNS records, and releases IP addresses when the VMs are taken down—all in a matter of seconds instead of hours or days. This enables full automation of the workflow for provisioning VMs. The benefits are faster time to service of VMs and reduced manual processes. It also provides agility and elasticity to highly dynamic virtual environments.
Orchestration Highlights
• Automate IP/DNS and network configurations for VMs provisioned by MS System Center
• Pre-defined workflows that can be customized, e.g.:
  • Reserve an IP for VMs
  • Create VM in an existing virtual network
  • Remove VM and related DNS records
  • Create network
  • Delete network
• Batch processing support
[Figure 1: Overview of Infoblox IPAM for Microsoft System Center Orchestrator. MS System Center Virtual Machine Manager (SC VMM) manages physical and virtual VMs; the VMM Integration Pack connects it to MS System Center Orchestrator (SCO), where Infoblox IPAM for Microsoft SCO drives Infoblox DDI.]
Infoblox Provides Complete Network Awareness
Authoritative Network Database, 360 Degree View of IP Data
Secure DNS
DNS Attacks
In the last year alone there has been an increase of 200% in DNS attacks¹ and 58% in DDoS attacks¹.
With possible amplification of up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge.
Financial impact is huge: the average loss for a 24-hour outage from a DDoS attack is $27 million³.
DNS amplification attacks pose a significant threat to the global network infrastructure and can easily be utilized in a DDoS attack.
With enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant.
[Infographic panels: number of open recursive DNS servers²; average estimated loss per DDoS event in 2012 for government, technology company and financial services (values shown: $7.7M, $13.6M, $17M); top industries targeted⁴ (public sector, media & entertainment, financial services, high tech, commerce, consumer goods, hotels, retail, business services, healthcare, automotive, miscellaneous).]
1. Quarterly Global DDoS Attack Report, Prolexic, 4th Quarter, 2013
2. www.openresolverproject.org
3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc., May 17, 2013
4. State of the Internet, Akamai, 2nd Quarter, 2013
DNS Protection Is Not Just About DDoS
DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
DNS cache poisoning: Corruption of the DNS cache data with a rogue address
Protocol anomalies: Causing the server to crash by sending malformed packets and queries
Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
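Several of the categories in the table above leave a footprint in an ordinary resolver query log, which is where a defender without a dedicated appliance would start. The script below is an added example, not Infoblox code or anything from the deck: it parses constructed BIND-style query-log lines (the line shape, the thresholds and the sample traffic are all assumptions made for the demonstration) and flags repeated ANY queries from one source for one name as amplification candidates, zone transfers and CHAOS-class version queries as reconnaissance, and long high-entropy subdomain labels in TXT/NULL queries as possible tunneling. It is a triage heuristic to point an analyst at the right source address, not a substitute for response rate limiting or a threat-rule feed.

```python
"""Heuristic classifier mapping DNS query-log lines onto the attack categories
in the table above.  Added example, not Infoblox code; the log format, the
thresholds and the sample traffic are assumptions for the demonstration."""
import math
import re
from collections import Counter, defaultdict

# Assumed simplified BIND-style query-log shape: "client#port: query: NAME CLASS TYPE".
QUERY_RE = re.compile(
    r"^(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)$"
)

# Constructed sample log (not real traffic): a burst of ANY queries from one
# source, two ordinary lookups, two recon probes and two tunnel-shaped TXT queries.
SAMPLE_LOG = """\
198.51.100.7#5353: query: isc.org IN ANY
198.51.100.7#5353: query: isc.org IN ANY
198.51.100.7#5353: query: isc.org IN ANY
198.51.100.7#5353: query: isc.org IN ANY
198.51.100.7#5353: query: isc.org IN ANY
198.51.100.7#5353: query: isc.org IN ANY
10.0.0.23#51512: query: www.example.com IN A
10.0.0.23#51513: query: mail.example.com IN MX
10.0.0.42#40001: query: version.bind CH TXT
10.0.0.42#40002: query: example.com IN AXFR
10.0.0.9#60001: query: aGVsbG8gd29ybGQ.3nf9a8sd7f6g5h4j3k2l1.tunnel.example.net IN TXT
10.0.0.9#60002: query: d29ybGQgaGVsbG8.9kd83jf73ksl02jd84kf.tunnel.example.net IN TXT
"""

ANY_BURST_THRESHOLD = 5     # repeated ANY queries from one source for one name
TUNNEL_MIN_PAYLOAD = 30     # characters of subdomain labels left of the registrable domain
TUNNEL_MIN_ENTROPY = 3.5    # Shannon entropy in bits per character
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}
RECON_CHAOS_NAMES = {"version.bind", "hostname.bind", "id.server", "authors.bind"}


def parse_line(line):
    """Return the query fields as a dict, or None for lines that are not queries."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def shannon_entropy(text):
    """Bits per character; random-looking encoded payloads score high, words score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def subdomain_payload(name):
    """Everything left of the last two labels (a rough stand-in for the registrable domain)."""
    return "".join(name.rstrip(".").split(".")[:-2])


def looks_like_tunnel(name, qtype):
    payload = subdomain_payload(name)
    return (qtype in TUNNEL_QTYPES and len(payload) >= TUNNEL_MIN_PAYLOAD
            and shannon_entropy(payload) >= TUNNEL_MIN_ENTROPY)


def is_recon(q):
    """Zone-transfer attempts and CHAOS-class server-identity probes."""
    return q["qtype"] in {"AXFR", "IXFR"} or (
        q["cls"] == "CH" and q["name"].lower() in RECON_CHAOS_NAMES)


def analyse(log_text):
    """Map each (client, name) pair to one category; returns {category: sorted pairs}."""
    queries = [q for q in map(parse_line, log_text.splitlines()) if q]
    any_counts = Counter((q["client"], q["name"]) for q in queries if q["qtype"] == "ANY")
    findings = defaultdict(set)
    for q in queries:
        key = (q["client"], q["name"])
        if q["qtype"] == "ANY" and any_counts[key] >= ANY_BURST_THRESHOLD:
            findings["DNS amplification"].add(key)
        elif is_recon(q):
            findings["Reconnaissance"].add(key)
        elif looks_like_tunnel(q["name"], q["qtype"]):
            findings["DNS tunneling"].add(key)
        else:
            findings["Normal"].add(key)
    return {category: sorted(keys) for category, keys in findings.items()}


if __name__ == "__main__":
    for category, keys in analyse(SAMPLE_LOG).items():
        print(category)
        for client, name in keys:
            print(f"  {client} -> {name}")
```

The entropy test is what separates an encoded tunnel payload from a long but ordinary host name; the thresholds are deliberately conservative so that CDN-style labels do not trip it, and in practice they would be tuned against a baseline of the organisation's own traffic.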
How Does Advanced DNS Protection Work?
[Diagram: Advanced DNS Protection appliances on the external DNS and on the internal DNS pass legitimate traffic. The ADP appliance reaches out to the Infoblox Threat-rule Server periodically for automatic updates, and rules are distributed Grid-wide. Data for reports goes to the Reporting Server, which reports on attack types and severity.]
Advanced DNS Protection
Programmable Technology (PT series)
Sizing recommendation:
• <50,000 QPS
• <143,000 QPS
• <200,000 QPS
• For SPs who have IB 4030-Rev2 and just need the protection service
Malware Threats Booming!
Startling statistics:
• Average over 7 million new malware threats per quarter in 2014*
• Mobile threats grew about 10X in 2014*
• 855 successful breaches / 174 million records compromised in 2014**
• 69% of successful breaches utilized malware**
• 54% took months to discover, 29% weeks**
• 92% discovered by external party**
[Charts: New Malware per quarter, Q1 2010 through Q3 2012 (y-axis 0 to 10,000,000); Total Mobile Malware Samples in the Database, 2004 through 2012 (y-axis 0 to 25,000).]
DNS Firewall: Block Malware/APT
[Diagram: Infoblox DDI with DNS Firewall between the internal network and the malicious domains on the Internet.]
1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find "home" (botnet / C&C).
3. DNS Firewall blocks the DNS query (by domain name / IP address). The blocked attempt is sent to Syslog.
4. Pinpoint any infected device by:
  • IP address
  • MAC address
  • Device type (DHCP fingerprint)
  • Host name
  • DHCP lease history
Reputation data comes from:
• DNS Firewall Subscription Svc
• FireEye Adapter (NX Series)
DNS FW – Security Net that can catch 80% of Malware comm.
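Step 4 above rests on joining the blocked-query log with DHCP lease history rather than the current lease table: by the time an analyst looks at a syslog event, the IP address in it may have been handed to a different device, so the correct question is "who held this IP at the moment of the block". The script below is an added example, not Infoblox code: the syslog line shape (an ISO-timestamped, simplified BIND RPZ rewrite message), the lease records and the device names are all constructed, and it returns the MAC address, host name and DHCP-fingerprint device type that held the querying IP when the query was blocked.

```python
"""Correlate DNS Firewall block events (syslog) with DHCP lease history to
pinpoint the infected device.  Added example, not Infoblox code: the syslog
shape, the lease records and the device names are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed simplified RPZ log line: ISO timestamp, host and process prefix, then
# "client IP#port (QNAME): rpz TRIGGER ACTION rewrite ...".
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>QNAME|IP|NSDNAME|NSIP|CLIENT-IP) (?P<action>\S+) rewrite"
)


def dt(text):
    return datetime.fromisoformat(text)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    device_type: str      # derived from the DHCP fingerprint
    start: datetime
    end: datetime


# Constructed DHCP lease history.  Note that 10.0.0.9 changed hands between the two days.
LEASES = [
    Lease("10.0.0.9", "aa:bb:cc:00:00:44", "android-3f1", "Android",
          dt("2014-03-02T08:00:00"), dt("2014-03-02T20:00:00")),
    Lease("10.0.0.9", "aa:bb:cc:00:00:09", "LAPTOP-7Q2", "Windows 7",
          dt("2014-03-03T08:00:00"), dt("2014-03-03T20:00:00")),
    Lease("10.0.0.23", "aa:bb:cc:00:00:23", "printer-2f", "HP Printer",
          dt("2014-03-01T00:00:00"), dt("2014-03-31T00:00:00")),
]

# Constructed syslog excerpt: three RPZ block events and one ordinary query line.
SAMPLE_SYSLOG = """\
2014-03-03T10:15:02 dns1 named[1234]: client 10.0.0.9#60001 (evil-c2.example.net): rpz QNAME NXDOMAIN rewrite evil-c2.example.net via evil-c2.example.net.rpz.local
2014-03-03T10:15:03 dns1 named[1234]: client 10.0.0.23#51512 (www.example.com): query: www.example.com IN A +
2014-03-02T10:16:00 dns1 named[1234]: client 10.0.0.9#60002 (evil-c2.example.net): rpz QNAME NXDOMAIN rewrite evil-c2.example.net via evil-c2.example.net.rpz.local
2014-03-03T11:00:00 dns1 named[1234]: client 10.0.0.77#40000 (bad.example.org): rpz QNAME CNAME rewrite bad.example.org via bad.example.org.rpz.local
"""


def parse_block_events(text):
    """Keep only RPZ rewrite lines; ordinary query lines are ignored."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            events.append({"ts": dt(m["ts"]), "ip": m["ip"],
                           "qname": m["qname"], "action": m["action"]})
    return events


def lease_at(leases, ip, when):
    """The lease that held `ip` at `when`, from the history rather than the current table."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None


def pinpoint(syslog_text, leases):
    """Attach device identity to every block event; None fields mean no lease covered it."""
    hits = []
    for ev in parse_block_events(syslog_text):
        lease = lease_at(leases, ev["ip"], ev["ts"])
        hits.append({
            "when": ev["ts"].isoformat(), "qname": ev["qname"], "ip": ev["ip"],
            "mac": lease.mac if lease else None,
            "hostname": lease.hostname if lease else None,
            "device_type": lease.device_type if lease else None,
        })
    return hits


def by_device(hits):
    """Blocked-query count per MAC address, the stable key for a device."""
    return Counter(h["mac"] for h in hits if h["mac"])


if __name__ == "__main__":
    for hit in pinpoint(SAMPLE_SYSLOG, LEASES):
        print(hit)
    print(by_device(pinpoint(SAMPLE_SYSLOG, LEASES)))
```

A block event with no covering lease (the 10.0.0.77 line in the sample) is itself worth a look: it usually means a statically addressed host, a subnet the DHCP server does not serve, or lease records that were not retained for long enough.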
Introducing: DNS Firewall + FireEye Adapter
[Diagram: (A) the DNS Firewall Subscription Service supplies IPs/domains of 'bad servers' (C&C portals, C&C proxies; e.g. 13.13.13.13, 12.12.12.13…). (B) The DNS Firewall - FireEye Adapter supplies C&C / botnet portal IPs from FireEye, which detects & detonates advanced malware by playing the malware attack. (1) Malware on an infected enterprise end-point sends a DNS query to 'find & phone home'. (2) The DNS server with DNS Firewall blocks / redirects the DNS query. (3) The Infoblox Reporting Server identifies the infected device by IP/MAC address & device type.]
DNS FW & FEYE Use Case
Infoblox account team helped Mobile Device Company extend their current investment in Infoblox and FireEye.
35 to 40 thousand suspicious DNS queries/day.
FireEye alerts and dynamically updates the Infoblox DNS Firewall with the bad domains and IP addresses that the malware is querying. GameOver Zeus & ThreatStop!
Key Takeaway: Infoblox and FireEye prevent infected (present and future) clients from exploiting DNS services.
IB DNS FW Use Case
Healthcare
Cryptolocker discovered and stopped.
We blocked DNS queries to the healthcare's webpage banner, determined to be infected and hosting Cryptolocker, for the trusted and guest networks.
Key Takeaway: DNS FW and feed are automatically updated. Manual blacklisting is not a viable solution.
In Review
Defense In Depth
• DNS is critical infrastructure
• Unprotected DNS infrastructure introduces serious security risks
• Infoblox Secure DNS Solution protects critical DNS services
Infoblox DNS Firewall: Prevents Malware/APT from Using DNS
Infoblox Advanced DNS Protection: Defend Against DNS Attacks
Hardened Appliance & OS: Secure the DNS Platform