
Logicalis Breakfast Briefing



Presentation on theme: "Logicalis Breakfast Briefing"— Presentation transcript:

1 Logicalis Breakfast Briefing
Ceire McQuaid and Gary Cox – Network Discovery and DNS Security 10th July 2014

2 Infoblox Introduction – Ceire McQuaid

3 Infoblox: Market Leader in Network Control
Slide: Founded in 1999. Headquartered in Santa Clara, CA with global operations in 25 countries. Leader in technology for network control. Market leadership: Gartner Strong Positive rating, 40%+ market share. 7,000+ customers, 45,000+ systems shipped. 20 patents, 27 pending. IPO April 2012: NYSE BLOX. Chart: Total Revenue ($MM), fiscal year ending July 31, 37% CAGR.
Speaker notes: Infoblox is not a start-up. The company was started more than a dozen years ago; our technology is mature and field proven. The company HQ is in the heart of Silicon Valley with global operations in all major geographies: we do business in 3 regions (Americas, EMEA, APJ) and 25 countries. Infoblox makes essential technology to control networks; we’ll dig into that a bit later in the. We are a market leader in the space that we serve, with Strong Positive ratings from Gartner (3 years in a row) and 40% market share (note: the Gartner MarketScope and market share stat is specific to DDI). Infoblox has a massive customer base; our latest count is 6,200 different companies, and we have shipped 45,000 systems. We are innovative, with a formal patent program for our employees. As of right now we own 20 patents and have 27 more pending. Last but not least, the company did a successful IPO in April. We now share our financial results publicly, which can be seen on the right.

4 Broad Community of Engaged Partners
Slide: Strategic Alliance Partners; Channel Partners; System Integrator Partners.
Speaker notes: We also have a very broad number of partners in several categories. Strategic Alliance Partners are those partners with whom we have technology relationships: companies like VMware, F5 and Cisco, with whom we have technology integrations, or companies like CA, who are actually OEM’ing some of our products (NetMRI in this case). Our Channel Partners are “go-to-market” partners who resell our products as part of their solutions; there are hundreds of them worldwide. We have a very successful channel program called Infoblox Channel IP (stands for “Invest & Profit”). This program has been supremely successful in helping us train several tiers of partners and create opportunity for both companies. Lastly, we have System Integrator partners who deliver our products as part of their services offerings.

5 Triggers that are Redefining the Network
Slide: Consolidation; Mobile device explosion; Cloud / virtualization; Software defined networks; Threat landscape; IPv6 transition.
Speaker notes: At Infoblox, we are tracking six significant trends that are reshaping the network.
1. Consolidation. IT organizations are continuing consolidation projects to reduce overhead and deliver greater value (through better apps). This is massively changing the fabric of the network as companies modernize and restructure for better performance for the dollar.
2. Mobile device explosion. 2012 was the inflection point: more tablets and smartphones were sold than PCs. 2.6B personal devices; the users are increasingly mobile and social. These devices are consuming rich media: heavy video, web and rich content. These devices are walking into the work-place and consuming business network services (BYOD).
3. New compute paradigms. Virtualization is certainly not new, but the massive virtualization of servers continues without slowing down: new virtual machines are being created at the rate of one every 6-8 seconds! All these virtual machines need IP addresses. Cloud computing adoption is growing in both public and private cloud use cases. 52% of organizations we surveyed in 2012 said they had deployed a private cloud, and 11% said they would deploy one in the next 6 months. Of those that had private clouds, 36% said they were running tier 1 applications on them.
4. Software defined networks. While this is not something that most of our customers are dealing with today, this is a trend that we at Infoblox are participating in. As it matures, it will impact how we do networking in the next 3-5 years. This trend is about changing the economics of networking, in a very similar way to how server virtualization changed the game for physical servers. We will keep you informed as this evolves.
5. The threat landscape. The big change here is that the bad guys are getting more sophisticated and more targeted. It’s no longer just about infecting a bunch of PCs with malware. The threat landscape is shifting, and the big dangers that are lurking are Advanced Persistent Threats (APTs): very sophisticated attackers, new attack vectors, targeting very specific elements of the network, iteratively looking for vulnerabilities over time, with the target never knowing they are there. DNS infrastructure, VMs and mobile devices are all significant attack surfaces. It’s literally cyber warfare out there and networks are vulnerable.
6. IPv6. This has been a trend that has been brewing for a long time, but it’s finally impacting mainstream IT departments now. IPv4 allowed for only 4.2 billion unique addresses, which is actually less than the human population in 2012. The global IANA IP registry exhausted its supply of IPv4 addresses in February 2011, when it handed out its last blocks to the major regional registries. The Asian regional registry was the first to exhaust its supply of IPv4 addresses, in April 2011; EMEA exhausted theirs in October 2012; North America / Latin America are likely to run out in the next months. Companies that are doing business globally are dealing with the need to transition now because their European and Asian counterparts have moved to IPv6. Many are running “dual stack” configurations, which means they’re running both standards. This trend is significant because traditional manual IP address management won’t cut it with IPv6. IPv6 addresses are 128 bits long and written in hex, which is not human readable at all: an IPv6 address is made up of 32 hex characters represented in blocks of 4, separated by colons. This is what a typical IPv6 address looks like: 2001:0db8:85a3:0042:0000:8a2e:0370:7334

6 The Alternative Without Infoblox
Diagram labels: APPS & END-POINTS (end points, virtual machines, private cloud applications); CONTROL PLANE (UNIX BIND, VMware DNS, Microsoft DNS, Microsoft DHCP, QIP, scripts, command line; complexity, risk & cost, agility, flexibility); NETWORK INFRASTRUCTURE (firewalls, switches, routers, web proxy, load balancers).
Speaker notes: So what does that picture look like without Infoblox? Click: the infrastructure layer is the same. Click: the apps and end-points layer is the same. Click: but the middle layer, the control plane, is VERY different. Most organizations have a mixed bag of management products in the middle: everything from Microsoft DNS servers (which you have to put MS Clustering on to make highly available), separate DHCP servers, DNS on VMware virtual machines, or Unix BIND servers with administrators using Excel spreadsheets to do IP address management, and sometimes other dedicated vendors like QIP from Alcatel-Lucent. For network automation we often see a mixed bag of Perl scripts, command line interfaces and other 3rd party tools. Note that each of these systems requires significant human intervention and management, so you have a lot of administrator effort. Each of these systems keeps its own repository of data, so the questions you have to ask are: How do you maintain this environment? How do you update this environment? How do you handle disaster recovery in this environment? How do you get visibility and reporting when the data is all over the place? How efficient is your staff in this type of environment? Last but not least, how secure is this environment? Click: We see this all the time. This type of arrangement increases complexity, risk and cost and drives down agility and flexibility.

7 What We Do: Innovative Technology for Network Control
Diagram labels: APPS & END-POINTS (end points, virtual machines, private cloud applications); CONTROL PLANE (Infoblox Grid(TM) with real-time network database; essential network control functions: DNS, DHCP, IPAM (DDI); discovery, real-time configuration & change, compliance; historical / real-time reporting & control); NETWORK INFRASTRUCTURE (firewalls, switches, routers, web proxy, load balancers).
Speaker notes: Infoblox can help organizations deal with the risks and expenses associated with these trends. Let’s take a look at how. Click: The modern network is made up of the infrastructure layer, which is all the devices you’re very familiar with (switches, routers, firewalls, load balancers, web proxies, etc.). Click: These devices exist to support this layer, your apps and end-points, ranging from Voice over IP phones to tablets and smart phones, to all the VMs and private clouds, all servicing the applications that drive the business. Click: Infoblox plays in the middle, in the control plane. We put our technology on a high performance, highly available and secure platform (we call this the Grid). The Grid has a very powerful, distributed network database that keeps all the information in one place. So what does Infoblox do? Click: We deliver discovery, real-time configuration & change management, and compliance for this layer. Click: And we deliver essential network control functions like DNS, DHCP and IPAM (known as DDI) for this layer. And since we touch all these devices and capture real-time data in a single place… Click: we can do some amazing real-time and historical reporting as well as advanced control.

8 Network and Device Discovery

9 Connected, Dynamic DDI Integrated Database, 360 Degree View of IP Data
Diagram labels: Advanced Reporting; Infoblox DNS/DHCP; Network Task Automation; Microsoft DNS/DHCP; VMware Virtual Discovery; Layer 2 and Layer 3 Discovery; Network IP Endpoints; Switches/Routers.
Speaker notes: Infoblox is uniquely positioned to address the challenges in the last slide. Our solution is designed to take you from that disconnected, manual environment to a completely connected, dynamic DDI system. We accomplish this in a number of different ways. First, we provide an integrated database with a single point of management and a 360 degree view of all of your IP data. We then connect IP management to 4 critical parts of your active network:
1. Our own DNS and DHCP services, integrated into one central database.
2. Microsoft DNS and DHCP, using a true agentless connector. This not only allows you to replicate Microsoft DNS and DHCP data right into our IPAM database but also delivers central management for Microsoft DNS and DHCP right from our next gen GUI.
3. The physical network, using Layer 2 and Layer 3 discovery. Infoblox will talk with your routers and switches and read ARP caches and CAM tables, so you can see all the subnets defined on your network and where IP devices are connecting: on what switches, switch ports and VLANs, even at what duplex setting. All of this valuable information is replicated to the IPAM database and updated as information changes over time.
4. VMware virtual environments, where you have visibility into virtual servers, virtual IPs and virtual host information. This allows you to see new VMs as they are spun up on the network and reclaim IPs when VMs are decommissioned.
Since all of your IP data is now stored in a central repository, you can significantly improve your reporting capabilities and get visibility into DNS query response times, top talkers, network utilization, IPAM utilization, DHCP statistics, network compliance and more. This includes recent trends as well as historical information. Finally, now that you have a completely connected IPAM system, you have a launching platform for network automation: the ability to define a static IP address, configure the downstream router, turn up switch ports and reconfigure the VLAN, all from a single management GUI.

10 Detection 69% of users say they are accessing corporate networks with personal devices! 34% of CIOs think employees are accessing their network with personal devices… Infoblox Device Fingerprinting lets you detect ALL the dynamic devices on your network

11 Historical Lease Information with Fingerprint
Sort by device type; filter to manage specific devices quickly; build unique Smart Folders.

12 Find & Remediate Potential Security Breaches
Slide: Find & Remediate Potential Security Breaches; Physically Locate a MAC or IP Address; Uncover Rogue Devices; Find & Investigate Suspicious or Unknown VLANs.
Speaker notes: Find and remediate security breaches: There are many ways security can be breached; Augusta’s discovery can help find those devices / connections that are not within policy.
VLAN creation on a slave of a switch stack: The VLAN may look OK on its own; however, Augusta data shows that it has been configured at the slave level as opposed to being propagated from the master switch. This is a non-standard practice. With the use of a tool like CiscoWorks the network administrator can determine who configured the VLAN on that port, and then the real question can be asked: WHY?
Rogue DHCP servers: Network teams have reported branch location outages because of a rogue DHCP server within the office. Standard wireless routers like those from Linksys and Netgear are combination devices with the ability to act as a DHCP server handing out IP addresses. Detection of the rogue devices is easily accomplished with Augusta and the Smart Folders feature. With a smart folder for unmanaged networks, a Linksys router can be detected and probed to determine if the port for DHCP services is open on the device. This is an indication that it is capable of, if not already configured for, issuing IP addresses on an unmanaged network.
Physically track a MAC address: In some instances the security team only has a MAC address that has been flagged as a potential risk. The MAC address is provided to the network team in order for them to physically locate the device with that MAC address. Utilizing the combined Grid data of DHCP and Augusta discovery data, the current physical location can be quickly ascertained and provided to Security for further investigation.

13 A closer look with ‘Network Insight’
Slide headings: GATHER, ANALYZE, TAKE ACTION.
Network Insight’s intelligent IPAM integrates near real-time infrastructure device data with IP address management. The collection and correlation of the data provides unprecedented visibility: the better the data, the better the decision.
Validate designs, effectively provision, troubleshoot, and remediate rogue devices, errors, and unmanaged devices and networks. Substantiate newly installed network equipment against original plans. Trim process steps for troubleshooting, reducing mean-time-to-repair (MTTR). Quickly eliminate the network as a root cause and refocus troubleshooting teams. Identify and respond to security risks in the network.
Improve “cleanliness” of network data to: build trust in automated processes with the ability to track and confirm automated results; improve operational efficiencies / create a manageable automated environment; collaborate with cross-functional groups with confidence; see the use of IP ranges allocated to other work groups; implement role-based administration of IP ranges for those groups.

14 Infoblox Grid with Network Insight
Diagram labels: Patented Grid Technology: Central Management, Authoritative DB; Virtualization & Cloud Integration (Cloud Orchestration Integration: VMware, BMC; Virtualization: VMware Integration); Grid Master at Recovery Site; HQ Grid Master; ND Consolidator (New Network Insight ND Appliance); Reporting Server (Integrated Advanced Reporting Engine); Edge Network / Remote Offices; Branch Office DNS/DHCP; Branch Office ND Probe (New Network Insight ND Appliance); Microsoft DNS, DHCP (Agentless Management of Microsoft DNS/DHCP & Full AD Integration); All Centrally Managed as ONE System.
Speaker notes: The foundation of Infoblox DNS, DHCP and IP address management is patented technology we call the Grid. This technology links a unified, centrally managed system of appliances that share a common, real-time distributed database, rather than individual nodes with the siloed data common with general purpose servers. It synchronizes the data across the systems in real time in response to changes as devices are added or deleted or data changes. A new or replacement Infoblox appliance need only be plugged into the Grid and it is automatically loaded with the right level of the operating system and its data is synchronized. By design, it is more reliable and secure than software solutions on general purpose servers. At the bottom of the slide notice there is Microsoft management. Moving counter-clockwise there is the Grid Master recovery site, or Grid Master candidate, to ensure the system is available in case of a disaster. At the top of the screen is virtual support for a variety of platforms and technologies. And there is reporting, which Ed will talk about in a bit. It is designed so all management functions are available through the GUI, so we eliminate the need for using the command line or writing custom scripts. And note in red: “It is all centrally managed as ONE system”.

15 Network Insight in the Grid
New Device Tab Network device data now integrated into IPAM Know what your infrastructure devices are by vendor, model, OS version, etc.

16 Visibility into all configured networks
IPAM view automatically indicates managed and unmanaged networks (highlighted in yellow) From the IPAM view select a network and view the infrastructure devices located on that network

17 You can’t fix what you don’t see
Unknown devices identified in the network that are not in IPAM are flagged as Unmanaged (highlighted in yellow), enabling easy identification and fast action. Select an IP address to view more information about the switch port the device is connected to: a complete view of all interfaces, port speed, port type and VLANs on the port, admin status, and operational status.

18 DNS Security Protect, Contain, Report

19 The Rising Tide of DNS Threats
Are You Prepared? In the last year alone there has been an increase of 200% in DNS attacks (1) and 58% in DDoS attacks (1). With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge. 33M: number of open recursive DNS servers (2). 28M pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks (2). 2M: with enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant.
1. Quarterly Global DDoS Attack Report, Prolexic, 1st Quarter,

20 The Rising Tide of DNS Threats
Are You Prepared? DNS attacks are rising for 3 reasons: 1. Easy to spoof; 2. Asymmetric amplification; 3. High-value target. Countries of origin for the most DDoS attacks in the last year: China, US, Brazil, Russia, France, India, Germany, Korea, Egypt, Taiwan.

21 The Rising Tide of DNS Threats
Are You Prepared? Financial impact is huge. The average loss for a 24-hour outage from a DDoS attack (3): $27 million. Avg estimated loss per DDoS event in 2012 (3): Government -$7.7M; Technology company -$13.6M; Financial services -$17M. Top industries targeted (4): Enterprise 42%, Commerce 29%, Media & Entertainment 17%, High Tech 7%, Public Sector 5%. Second chart on the slide: Retail 22%, Business Services 21%, Financial Services 13%, Hotels 5%, Miscellaneous 5%, Consumer Goods 2%, Healthcare 2%, Automotive 1%.
3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc., May 17. 4. State of the Internet, Akamai, 2nd Quarter, 2013.

22 The Rising Tide of DNS Threats
Are You Prepared? Top 10 DNS attacks:
1. TCP/UDP/ICMP floods: Flood the victim’s network with large amounts of traffic.
2. DNS amplification: Use amplification in the DNS reply to flood the victim.
3. DNS cache poisoning: Corruption of a DNS cache database with a rogue address.
4. Protocol anomalies: Malformed DNS packets causing the server to crash.
5. DNS tunneling: Tunneling of another protocol through DNS for data exfiltration.
6. DNS hijacking: Subverting resolution of DNS queries to point to a rogue DNS server.
7. DNS based exploits: Exploit vulnerabilities in DNS software.
8. Reconnaissance: Probe to get information on the network environment before launching an attack.
9. DNS reflection/DrDoS: Use third party DNS servers to propagate a DDoS attack.
10. Fragmentation: Traffic with lots of small out-of-order fragments.

23 The Rising Tide of DNS Threats
Are You Prepared? The bottom line is “Organizations should invest in protecting their DNS infrastructure.” – Gartner5 Infoblox helps protect against the rising tide of DNS threats 5. Leverage Your Network Design to Mitigate DDoS Attacks, Report ID G , Gartner, July 2013

24 Infoblox Advanced DNS Protection Solution
Unique Detection and Mitigation: Intelligently detects DNS-based attacks; mitigates attacks while responding to legitimate DNS requests.
Centralized Visibility: Centralized view of all attacks happening across the network through detailed reports; intelligence needed to take action.
Ongoing Protection against evolving threats: Automatic threat rule updates based on threat analysis and research; ongoing protection against evolving DNS threats.
© 2013 Infoblox Inc. All Rights Reserved.

25 How Does Advanced DNS Protection Work?
Diagram labels: Amplification, DNS DDoS, Reflection, Exploits, Legitimate Traffic; Infoblox Threat Rule Server (Automatic Updates); Grid-wide rule distribution; Infoblox Adv. DNS Protection (Block DNS attacks); Grid Master; Reporting Server (Send Reports; Reports on attack types, severity).
Speaker notes: DNS attacks come interspersed with legitimate DNS traffic. Advanced DNS Protection pre-processes the requests to filter out attacks. It responds to legitimate DNS requests. The attack types and patterns are sent to the Infoblox Reporting Server. When Infoblox detects new threats, it creates rules and updates Advanced DNS Protection.

26 What Attacks does Infoblox ADP protect against?
Category: attacks; example.
DOS/DDoS: Amplification and reflection; using the DNS server to propagate a DOS/DDOS attack. We rate limit root and ANY queries.
Flood based attacks: Floods (UDP, TCP, ICMP), unexpected header values, Land attack, IGMP flood, invalid input.
Linux and BIND based exploits: Moyari13, OS and BIND server vulnerabilities. Example: a specially crafted query can cause BIND to terminate abnormally. We analyze packets on the network processor before they reach the DNS server.
Protocol anomaly based attacks: Impersonation attacks, Smack, large packets, Ping of death, invalid fragments, Nestea, TearDrop, Jolt.
DNS specific: Cache poisoning (poison the DNS server cache; Birthday Paradox attack); DNS tunneling (Iodine); DNS message type (block specific queries by record type); FQDN, IP (template rule); Reconnaissance (commands to find version and other information).
Multi-pronged security: Dedicated compute capacity with an additional network processor card so the DNS server can continue to serve under attack. Signature based attack detection for known vulnerabilities and exploits. Dynamic throttling to mitigate flood based, DDOS reflection and amplification DNS attacks. Fine-grain filters to allow/block specific DNS record types offer automated threat mitigation. Reports provide greater visibility into the DNS traffic for early detection of attack symptoms with reconnaissance type of activities.
Speaker notes: Some of this is subject to Cavium issues. IGMP flood is blocked by not allowing ICMP timestamp packets. Land attack, Eyenetdee: Land is covered by blocking sameip; Eyenetdee is not used to attack DNS, and we block the ports it does attack.
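The throttling described on this slide (rate limiting root and ANY queries, dynamic throttling of amplification traffic), in working form as an added example that is not Infoblox code: a per-source token bucket applied only to amplification-prone queries, run over constructed query records. The bucket size, refill rate and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Query shapes a resolver should throttle: a tiny request can pull a very large
# response, which is what makes DNS usable as an amplifier ("rate limit root and ANY").
AMPLIFIER_QTYPES = {"ANY"}
AMPLIFIER_QNAMES = {"."}          # queries for the root zone

BUCKET_CAPACITY = 5               # burst allowed per source before throttling (assumed)
REFILL_PER_SEC = 1.0              # tokens restored per second (assumed)


@dataclass
class Query:
    ts: float        # arrival time in seconds
    src: str         # source IP as seen by the server (may be spoofed to the victim)
    qname: str
    qtype: str
    req_bytes: int
    resp_bytes: int


def is_amplification_prone(q: Query) -> bool:
    return q.qtype in AMPLIFIER_QTYPES or q.qname in AMPLIFIER_QNAMES


def amplification_factor(q: Query) -> float:
    """Response size / request size: how much a spoofed request is multiplied."""
    return q.resp_bytes / q.req_bytes


class TokenBucket:
    """Classic token bucket: capacity tokens, refilled continuously over time."""
    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def throttle(queries):
    """Return (answered, dropped). Only amplification-prone queries consume a
    source's tokens, so a throttled source still gets its ordinary lookups
    answered (the slide's 'continue to serve under attack')."""
    buckets = defaultdict(lambda: TokenBucket(BUCKET_CAPACITY, REFILL_PER_SEC))
    answered, dropped = [], []
    for q in sorted(queries, key=lambda q: q.ts):
        if is_amplification_prone(q) and not buckets[q.src].allow(q.ts):
            dropped.append(q)
        else:
            answered.append(q)
    return answered, dropped


# Constructed sample: 20 spoofed ANY queries for a large zone arrive within one
# second, interleaved with normal A lookups carrying the same (victim) source.
SAMPLE = (
    [Query(100.0 + i * 0.01, "198.51.100.7", "example.com.", "ANY", 64, 3200)
     for i in range(20)]
    + [Query(100.0 + i * 0.1, "198.51.100.7", "mail.example.com.", "A", 48, 64)
       for i in range(5)]
    + [Query(100.5, "203.0.113.9", "www.example.com.", "A", 50, 66)]
)


def demo():
    answered, dropped = throttle(SAMPLE)
    return answered, dropped


if __name__ == "__main__":
    ans, drp = demo()
    print(f"answered={len(ans)} dropped={len(drp)} "
          f"amplification of ANY query={amplification_factor(SAMPLE[0]):.0f}x")
```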

27 Reporting Intelligence needed to take action
Attack details by category, member, rule, severity and time Visibility into the origin and scope of the attacks Early detection and mitigation

28 DON’T LET THEM CALL HOME
In 2012: ~7.8 million new malware threats per quarter; mobile threats grew ~10X; 855 successful breaches with 174 million records compromised. Stop malware before it causes trouble: Infoblox DNS Firewall cuts off malware communications.

29 Threat: Malware Uses DNS
Malware infects clients when they visit malicious web sites, whose names are resolved using DNS. Malware rendezvous with command-and-control channels using hardwired domain names and rapidly changing IP addresses. Malware can also tunnel new malicious code or commands through DNS itself.

30 DNS Firewall Protects Against Malware
Diagram labels: Reputational Feed from Infoblox (IPs/Domains/etc. of ‘bad servers’); INTERNET; DNS Firewall / DNS Server with Response Policy Zone (RPZ); INTRANET; Block / Re-direct DNS Query; User clicks on link to Malware site; Uninfected End-point Brought into office; Infoblox Reporting Server: ID infected device by IP/MAC address & device type.
Speaker notes: So how do you effectively take away DNS from the malware so it can’t find the botnets or command & control servers? Infoblox DNS Firewall removes DNS as a hole in your network by disrupting resolution of DNS queries to malicious domains. To understand how DNS Firewall does its job, let’s work through how it works, starting from the left side of the page and moving to the right.
1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
2. Malware begins to spread and gather up information to exfiltrate.
3. Malware makes a DNS query (domain) via an application such as VoIP, IM, RPC or chat in order to find ‘home’.
4. DNS Firewall has the ‘bad’ domain in its table of domains to block. It does not allow the DNS server to resolve the query and, in the case of HTTP/URL requests, redirects the user to a landing page or ‘Walled Garden’.
5. DNS Firewall is continually updated by the Infoblox Security Cloud with bad domains/IP addresses to block.

31 DNS Firewall Contains Malware
Diagram labels: C&C Portals; C&C Proxies; C & C / Botnet Portal IPs; Reputational Feed from Infoblox (IPs/Domains/etc. of ‘bad servers’); INTERNET; DNS Firewall / DNS Server with Response Policy Zone (RPZ); INTRANET; Mobile End-point Brought into office; Malware searches & spreads within network; Malware DNS Query to ‘find & phone home’; Block / Re-direct DNS Query; Infoblox Reporting Server: ID infected device by IP/MAC address & device type. (Speaker notes are the same as on slide 30.)

32 DNS Firewall - FireEye Adapter
Diagram labels: Rogue Portals; C & C / Proxy Portal IPs; Compromised Web Server or Domain; INTERNET; DNS Server w/ DNS Firewall; INTRANET; FireEye (detects & detonates advanced malware); Domain-name & Host IP address to be blocked; Block / Re-direct DNS Query; Infected Enterprise End-point; Malware / apps initiate DNS requests for web domains; Infoblox Reporting Server: ID infected device by IP, MAC address & device type for remediation.
Speaker notes: Two scenarios: a rogue organization infects a domain/web server frequented by employees of the targeted entity, or a callback to a command & control server (that could be separate from the compromised domain).
1. FireEye captures and detonates traffic from suspicious files, web objects and attachments within instrumented virtual machine environments. It determines that the data/file is malicious and therefore should be blocked.
2. FireEye sends an XML alert to DNS Firewall with the ‘bad’ domain and host IP address. The Infoblox DNS Firewall server adds the domain and host IP address to its table of locations to be blocked. It does not allow the DNS server to resolve the query and, in the case of HTTP/URL requests, redirects the user to a landing page or ‘Walled Garden’.
3. Malware makes a DNS query (domain) via an application (e.g. VoIP, IM, RPC, chat, SIP) in order to find ‘home’.
4. DNS Firewall sends information on those devices that made DNS queries to ‘bad’ domains or IP addresses to Infoblox Reporting, which cross-correlates the IP address, DHCP lease and DHCP device type to create a report that helps Security identify devices for clean-up.
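The resolution flow of slides 29 through 32 as an added example that is not Infoblox or FireEye code: an RPZ-style policy with domain and IP triggers, a constructed alert document standing in for the FireEye XML alert (not its real schema), and the join against DHCP lease data that turns blocked queries into a list of devices to clean up. The walled garden address, the alert format and the lease records are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

WALLED_GARDEN = "10.0.0.250"   # assumed address of the internal landing page


@dataclass
class ResponsePolicy:
    """RPZ-style policy: QNAME triggers and answer-IP triggers, each with an action."""
    domains: dict = field(default_factory=dict)   # "bad.example" -> "nxdomain" | "redirect"
    ips: set = field(default_factory=set)         # answer IPs to block (C&C portal IPs)
    hits: list = field(default_factory=list)      # (client_ip, qname, action)

    def add_from_alert(self, xml_text: str) -> None:
        """Ingest a constructed <alert> document carrying the domain and host IP
        to block (stand-in for the adapter's XML alert; not FireEye's schema)."""
        root = ET.fromstring(xml_text)
        for d in root.iterfind("domain"):
            self.domains[d.text.strip().lower().rstrip(".")] = "redirect"
        for ip in root.iterfind("host_ip"):
            self.ips.add(ip.text.strip())

    def _domain_action(self, qname: str):
        # Emulates an exact RPZ entry plus its *.bad.example wildcard: the name
        # itself and every parent domain are checked against the policy table.
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            action = self.domains.get(".".join(labels[i:]))
            if action:
                return action
        return None

    def resolve(self, client_ip: str, qname: str, upstream_answer: list):
        """Return (rcode, answers) as the recursive server would hand back."""
        action = self._domain_action(qname)
        if action == "nxdomain":
            self.hits.append((client_ip, qname, "nxdomain"))
            return "NXDOMAIN", []
        if action == "redirect":
            self.hits.append((client_ip, qname, "redirect"))
            return "NOERROR", [WALLED_GARDEN]
        # IP trigger: a brand-new name that still resolves to a known C&C address
        if any(ip in self.ips for ip in upstream_answer):
            self.hits.append((client_ip, qname, "blocked-ip"))
            return "NXDOMAIN", []
        return "NOERROR", upstream_answer


def identify_devices(hits, leases):
    """Join policy hits with DHCP lease data (IP -> MAC, fingerprinted device
    type) to name the infected end-points for clean-up."""
    report = {}
    for client_ip, qname, _action in hits:
        lease = leases.get(client_ip, {"mac": "unknown", "device": "unknown"})
        entry = report.setdefault(
            client_ip, {"mac": lease["mac"], "device": lease["device"], "domains": set()})
        entry["domains"].add(qname)
    return report


# ---- constructed sample data ----
CONSTRUCTED_ALERT = """<alert>
  <domain>update-check.bad-example.net</domain>
  <host_ip>203.0.113.66</host_ip>
</alert>"""

CONSTRUCTED_LEASES = {
    "10.1.5.23": {"mac": "00:11:22:33:44:55", "device": "Android phone"},
    "10.1.5.40": {"mac": "66:77:88:99:aa:bb", "device": "Windows laptop"},
}


def demo():
    policy = ResponsePolicy(domains={"known-cc.example": "nxdomain"})   # from the feed
    policy.add_from_alert(CONSTRUCTED_ALERT)                             # from the adapter
    policy.resolve("10.1.5.23", "beacon.known-cc.example.", ["198.51.100.5"])
    policy.resolve("10.1.5.23", "update-check.bad-example.net", ["203.0.113.66"])
    policy.resolve("10.1.5.40", "cdn.new-name.example", ["203.0.113.66"])  # known C&C IP
    policy.resolve("10.1.5.40", "www.example.com", ["93.184.216.34"])      # legitimate
    return policy, identify_devices(policy.hits, CONSTRUCTED_LEASES)


if __name__ == "__main__":
    _policy, report = demo()
    for ip, info in report.items():
        print(ip, info["mac"], info["device"], sorted(info["domains"]))
```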

33 Questions?

34 Break time!

