1 | © 2013 Infoblox Inc. All Rights Reserved. Protecting Critical Network Infrastructure Krupa Srivatsan | Senior Product Marketing Manager January 2014.

Presentation transcript:


2 | Agenda
- Infoblox Overview
- Security Challenges
- Infoblox Solutions: Advanced DNS Protection, DNS Firewall

3 | Infoblox Overview & Business Update
- Founded in 1999
- Headquartered in Santa Clara, CA with global operations in 25 countries
- Leader in technology for network control
- Market leadership: Gartner “Strong Positive” rating, 40%+ market share (DDI)
- 6,900+ customers, 55,000+ systems shipped
- 35 patents, 29 pending
- IPO April 2012: NYSE BLOX
[Chart: Total Revenue ($MM), fiscal year ending July 31; 30% CAGR]

4 | Infoblox: Technology for Network Control
[Diagram: Infrastructure Security]
- Network infrastructure: firewalls, switches, routers, web proxy, load balancers
- Control plane: Infoblox Grid™ with real-time network database; historical / real-time reporting & control
- Apps & end-points: end points, virtual machines, private cloud, applications

5 | Why Is DNS an Ideal Attack Target?
- DNS is the cornerstone of the Internet, used by every business and government
- The DNS protocol is stateless and hence vulnerable
- DNS as a protocol is easy to exploit
- Maximum impact with minimum effort

6 | Today’s Security Challenges
Trend 1: Attacks Targeting DNS
- Challenge: Unprotected DNS infrastructure introduces security risks
- Adv. DNS Protection: detection & mitigation of attacks; ongoing protection against evolving threats
Trend 2: APT / Malware
- Challenge: APT / malware exploits DNS to get around traditional security infrastructure
- DNS Firewall: disrupts malware communication; pinpointing infected devices for remediation

7 | Attacks Targeting DNS

8 | External Attacks on DNS
Unprotected DNS infrastructure introduces security risks
- DNS-based attacks are on the rise
- Traditional protection is ineffective against evolving threats
- DNS outage causes network downtime, loss of revenue, and negative brand impact

9 | – DNS Threat is Significant
Attacks against DNS infrastructure growing
- DNS-specific attacks up 200% in 2012
- ICMP, SYN, UDP attacks
Source: Arbor Networks
Source: Prolexic Quarterly Global DDoS Attack Report Q
[Chart: share of attacks by type. Infrastructure Layer: 76.52%]
- ACK: 2.81%
- CHARGEN: 6.39%
- FIN PUSH: 1.28%
- DNS: 9.58%
- ICMP: 9.71%
- RESET: 1.4%
- RP: 0.26%
- SYN: 14.56%
- TCP FRAGMENT: 0.13%
- SYN PUSH: 0.38%
- UDP FLOODS: 13.15%
- UDP FRAGMENT: 17.11%

10 | The Solution - Infoblox Advanced DNS Protection
Unique Detection and Mitigation
- Intelligently distinguishes legitimate DNS traffic from attack traffic like DDoS, DNS exploits, tunneling
- Mitigates attacks by dropping malicious traffic and responding to legitimate DNS requests
Centralized Visibility
- Centralized view of all attacks happening across the network through detailed reports
- Intelligence needed to take action
Ongoing Protection Against Evolving Threats
- Regular automatic threat-rule updates based on threat analysis and research
- Helps mitigate attacks sooner vs. waiting for patch updates

11 | Fully Integrated into Infoblox Grid
[Diagram. Labels: Infoblox Threat-rule Server; Automatic updates; GRID Master; Grid-wide rule distribution; Infoblox Advanced DNS Protection (External Auth.) (New); Infoblox Advanced DNS Protection (Internal Recursive) (New); Block DNS attacks; Reporting Server; Data for Reports; Reports on attack types, severity. Traffic shown: Amplification, Cache Poisoning, Reconnaissance, DNS Exploits, Legitimate Traffic.]

12 | What Attacks do We Protect Against?
- DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
- DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
- DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
- TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
- DNS cache poisoning: Corruption of the DNS cache data with a rogue address
- Protocol anomalies: Causing the server to crash by sending malformed packets and queries
- Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
- DNS tunneling: Tunneling of another protocol through DNS for data exfiltration

13 | Infoblox - Differentiation and Value
Infoblox Standard Infoblox Advanced Load Balancers Pure DDoS NGFW IPS Cloud DNS server ✓✓✓ General DDoS ✓✓✓ DNS DDoS ✓✓✓✓ DNS server OS and application vulnerabilities ✓✓✓ Flood attacks ✓✓✓✓✓✓ Semantic attacks ✓✓✓ Cache poisoning ✓ DNS Reflection ✓ Tunneling ✓✓✓ DNS Amplification ✓

14 | External authoritative and Internal Recursive
Protection against cyber attacks and internal DNS attacks
[Diagram. Labels: Enterprise; Internet; DMZ; Intranet; Datacenter; Campus/Regional; Endpoints; Grid Master and Candidate (HA); Advanced DNS Protection. Traffic shown: Reconnaissance, Amplification, Exploits, DNS Tunneling, Cache Poisoning, Legitimate Traffic.]

15 | Service Providers
- Protection against attacks on caching servers
- Authoritative DNS services
- Platform: IB 4030

16 | APT / Malware

17 | Security Breaches Using Malware / APT
[Timeline graphic: Q1, Q2, Q3, Q4]

18 | Malware/APT Requires DNS
Every step of the malware life cycle relies on DNS. Each stage sends a query to the DNS server:
- Infection: query a malicious domain
- Download: query the ‘call home server’
- Exfiltration: query exfiltration destinations

19 | Infoblox DNS Firewall: Industry’s First True DNS Security Solution
Disrupts DNS-exploiting APT / malware (C&C & botnets) communication
Preventive, timely, tunable:
- Leverages high quality DNS Firewall Subscription Service updated in near real time
- Maximizes potency against APT / malware worldwide
- Disrupts malware communication and execution

20 | Infoblox DNS Firewall – How Does it Work?
1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
2. The malware makes a DNS query for “bad” domain to find “home.” The DNS Firewall has the “bad” domain in its table and blocks the connection.
3. The DNS Server is continually updated by a reputational data feed service to reflect the rapidly changing list of malicious domains.
4. Infoblox Reporting provides list of blocked attempts as well as the:
   - IP address
   - MAC address
   - Device type (DHCP fingerprint)
   - Host Name
   - DHCP Lease
[Diagram. Labels: Malware; Mobile device; Malware searches and spreads within network; Malicious domains; Infoblox DDI with DNS Firewall; Live reputational feed of malicious domains; Blocked attempt sent to Syslog.]
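The lookup-and-report flow from slide 20, sketched as an added example (not Infoblox code and not part of the original deck): queries are matched against a blocked-zone table, and blocked hits are joined to DHCP leases to identify the devices to remediate. The feed entries, lease fields, addresses and function names are all constructed for illustration.

```python
from collections import Counter

# Constructed stand-in for the reputational feed: each entry blocks the zone
# itself and every name beneath it. All names use reserved example/test TLDs.
BLOCKED_ZONES = {"c2.bad.example", "dropzone.test"}

# Constructed DHCP lease table keyed by client IP (field names are assumptions).
LEASES = {
    "10.0.5.23": {"mac": "00:00:5e:00:53:01", "host": "byod-phone", "type": "Android"},
    "10.0.5.40": {"mac": "00:00:5e:00:53:02", "host": "hr-laptop", "type": "Windows"},
}

# Constructed resolver query log: (client IP, queried name).
QUERIES = [
    ("10.0.5.23", "beacon.C2.bad.example."),     # subdomain, mixed case, trailing dot
    ("10.0.5.23", "c2.bad.example"),             # exact match
    ("10.0.5.40", "www.example.com"),            # benign
    ("10.0.5.40", "notc2.bad.example"),          # string suffix only, not a label suffix
    ("10.0.9.9", "x.dropzone.test"),             # client with no lease on record
    ("10.0.5.23", "dropzone.test.cdn.example"),  # blocked zone appears as a prefix only
]

def matched_zone(qname, zones=BLOCKED_ZONES):
    """Return the blocked zone that covers qname, or None if it is allowed."""
    labels = qname.rstrip(".").lower().split(".")
    # Compare whole-label suffixes so "notc2.bad.example" cannot match "c2.bad.example".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def filter_queries(queries):
    """Split a query log into allowed queries and blocked events (the syslog records)."""
    allowed, blocked = [], []
    for client, qname in queries:
        zone = matched_zone(qname)
        if zone is None:
            allowed.append((client, qname))
        else:
            blocked.append({"client": client, "qname": qname, "zone": zone})
    return allowed, blocked

def remediation_report(blocked, leases=LEASES):
    """Join blocked events to DHCP leases, most active client first."""
    hits = Counter(event["client"] for event in blocked)
    unknown = {"mac": "unknown", "host": "unknown", "type": "unknown"}
    return [{"ip": ip, "blocked": n, **leases.get(ip, unknown)}
            for ip, n in hits.most_common()]

if __name__ == "__main__":
    _, blocked_events = filter_queries(QUERIES)
    for row in remediation_report(blocked_events):
        print(row)
```

A client that appears in the report with an unknown lease is itself worth investigating, since it is resolving through the firewall without a DHCP record.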

21 | DNS Firewall – FireEye Adapter: How Does it Work?
1. A mobile device receives infected URL or content. Bad.exe or malware starts to communicate or spread across the network.
2. FireEye NX detonates traffic from device. It determines the traffic is bad. Provides domains & IP addresses of where the .exe / URL is trying to connect to DNS Firewall via FireEye Adapter.
3. DNS Firewall is updated and blocks the connection attempts to the domains/IP addresses provided by FireEye NX.
4. Infoblox Reporting provides list of blocked attempts as well as the:
   - IP address
   - MAC address
   - Device type (DHCP fingerprint)
   - Host Name
   - DHCP Lease
[Diagram. Labels: Malware; Malware Attack; Endpoint Attempting To Download Infected File; Detonates & Detects advanced malware; Malicious domains; Infoblox DDI with DNS Firewall; Blocked attempt sent to Syslog.]

22 | What Protection does DNS Firewall Provide?
- DGA: Domain generating algorithm malware that randomly generates domains to connect to malicious networks or botnets
- Fast Flux: Rapidly changing of domains & IP addresses by malicious domains to obfuscate identity and location
- APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack (FireEye)
- DNS Hijacking: Hijacking DNS registry(s) & re-directing users to malicious domain(s)
- Geo-Blocking: Blocking access to geographies that have rates of malicious domains or Economic Sanctions by US Government

23 | Anatomy of an Attack: Cryptolocker “Ransomware”
- Targets Windows-based computers
- Appears as an attachment to legitimate looking
- Upon infection, encrypts files: local hard drive & mapped network drives
- Ransom: 72 hours to pay $300US
- Fail to pay and the encryption key is deleted and data is gone forever
- Only way to stop (after executable has started) is to block outbound connection to encryption server
- Infoblox DNS Firewall blocks all connections to Cryptolocker domains

24 | Cryptolocker Timeline and Infoblox Response
Infoblox DNS Firewall Protects Against Cryptolocker Malware
1. September 13 – Trial Run. Initial roll-out of Cryptolocker started. Limited distribution & payment testing. Oct. 8th – Full Distribution via ‘Pay per infection’.
2. October 18th – Cryptolocker behavior fully characterized. Infoblox DNS Firewall Subscription updated with domains & IP addresses. Customers Protected.
3. Infoblox DNS Firewall now blocks Cryptolocker encryption servers.
4. DNS Firewall logs all attempted connections with Cryptolocker servers complete with IP and MAC addresses, and device type to drive remediation.
Infoblox DNS Firewall Geo-blocks delivered ZERO-day protection against Cryptolocker by blocking Eastern Europe domains.
[Diagram. Labels: Infoblox DDI with DNS Firewall; Infoblox Malware Data Feed Updated; Syslog.]

25 | Summary
- Unprotected DNS infrastructure introduces security risks
  - Advanced DNS Protection protects against DNS-based attacks like DDoS, cache poisoning, malformed packets and tunneling
- APT / malware exploits DNS to get around traditional security infrastructure
  - DNS Firewall & FireEye Adapter disrupts Malware usage of DNS and pinpoints device to drive faster remediation (using Infoblox DDI)

26 | Q&A

27 | Thank you! For more information