
Introduction to DNSWatch


Presentation on theme: "Introduction to DNSWatch"— Presentation transcript:

1 Introduction to DNSWatch

2 Introduction to DNSWatch
- DNSWatch Overview
- Enable DNSWatch
- DNSWatch and Your Network
- DNS Precedence
- DNSWatch License Expiration
- Manage DNSWatch

3 DNSWatch Overview

4 DNSWatch Overview
- DNSWatch is a new cloud-based service that monitors DNS requests through the Firebox to prevent connections to known malicious domains
- DNSWatch protects against malicious clickjacking and phishing domains regardless of the connection type, protocol, or port
- DNSWatch requires Fireware v or higher
- It is included in the Total Security Suite subscription at release
- Available as a trial subscription during the Fireware v beta
- Supported models: Firebox T Series, M Series, XTMv, FireboxV, and Firebox Cloud
- Not supported on a Firebox configured in Bridge Mode

5 DNSWatch Overview
DNSWatch Components:
- Threat Intelligence — constantly updated feeds with information about threats, based on domain
- DNS Servers — resolve DNS queries
- Blackhole Servers — destination for queries to blocked domains
- Dashboard — cloud-based management
- Firebox — redirects DNS queries to DNSWatch
WatchGuard customers and service providers:
- Enable DNSWatch on the Firebox
- Log in to the WatchGuard Portal to manage DNSWatch
- Receive alerts when domains are denied

6 DNSWatch Overview

7 DNSWatch Threat Intelligence
- WatchGuard uses a complex set of heuristics to watch for malicious certificates and websites
- DNSWatch polls threat intelligence sources daily to identify new malicious domains and update the Domain Feeds
- DNSWatch users can also share domains they manually add to the DNSWatch Blacklist with WatchGuard to help improve DNSWatch for all users

8 DNSWatch and the Firebox
- When the Firebox receives a DNS query from a host on a protected network, it forwards the request to DNSWatch
- DNSWatch evaluates whether the domain is a known threat
  - If the domain is not a known threat: DNSWatch resolves the DNS query to the destination
  - If the domain is a known threat: DNSWatch resolves the domain to the IP address of the DNSWatch Blackhole Server
- The DNSWatch Blackhole Server attempts to gather more information about the threat from the host endpoint
- For HTTP and HTTPS requests, the DNSWatch Blackhole Server displays a customizable deny page to the user

9 DNSWatch Deny Page
- When an HTTP connection is blocked, a customizable deny page appears to the user
- The Deny Page includes a short training exercise about how to recognize phishing attacks

10 DNSWatch Deny Page
- For a denied HTTPS connection, an invalid certificate notice appears first
- The Deny Page appears only if the user continues to the site

11 DNSWatch Alerts
When DNSWatch denies a connection, DNSWatch sends an alert to account administrators, with a link to the alert details

12 Enable DNSWatch

13 DNSWatch Requirements
Before you can enable DNSWatch on the Firebox, make sure your Firebox meets these requirements:
- Fireware OS v or higher
- A Total Security Suite subscription or a DNSWatch Beta Trial
  - You can activate a second Beta Trial after the first DNSWatch Beta Trial expires
  - You cannot activate a second DNSWatch Beta Trial until the first Beta Trial expires

14 Update the Firebox Feature Key
1. Log in to Fireware Web UI
2. Select System > Feature Key
3. Click Get Feature Key
4. Verify that the DNSWatch feature is enabled in the feature key

15 Enable DNSWatch in Policy Manager
- To enable DNSWatch from WSM Policy Manager, select Subscription Services > DNSWatch
- DNSWatch Registration status and DNS Server IP addresses do not appear in Policy Manager
- To see this information, log in to Fireware Web UI and select Subscription Services > DNSWatch

16 Enable DNSWatch in Fireware Web UI
To enable DNSWatch, from Fireware Web UI:
1. Select Subscription Services > DNSWatch
2. Select Enable DNSWatch Service

17 Enable DNSWatch on the Firebox
- Select the Usage Enforcement option
  - Usage Enforcement is disabled by default
  - For most networks, we recommend you enable Usage Enforcement on some or all internal interfaces
  - If you have internal DNS servers, review the deployment scenarios later in this presentation before you enable enforcement
- Click Save

18 Enable DNSWatch on the Firebox
- DNSWatch status is available only in Fireware Web UI
- DNSWatch status information includes:
  - Registration Status
  - DNS Servers
  - Blackhole Servers

19 DNSWatch Regional DNS Servers
- DNSWatch will have DNS servers in three regions:
  - North America – available now
  - Ireland – planned for availability at GA
  - Japan – planned for availability at GA
- DNSWatch sends the Firebox the IP addresses of DNS servers in the nearest region

20 DNSWatch Servers and Exceptions
- Many WatchGuard products and services are hosted on regional servers
- To make sure that these services connect to the closest regional server, the Firebox does not send DNS requests for these domains to DNSWatch when usage enforcement is enabled:
  - watchguard.com (for services hosted by WatchGuard)
  - ctmail.com (for spamBlocker)
  - rp.cloud.threatseeker.com (for WebBlocker)
- If you enable DNSWatch without usage enforcement, you can manually add DNS Forwarding rules for these domains to make sure that these services connect to the closest regional server

21 DNSWatch Without Usage Enforcement
If usage enforcement is disabled:
1. Configure the local DNS server to use the DNSWatch server IP addresses as the primary servers for DNS resolution
   - Copy the DNS Servers IP addresses from the DNSWatch page in Fireware Web UI
   - Paste the DNSWatch IP addresses into the DNS configuration on the local DNS server
2. Add the IP address of a public DNS server as an alternate server for DNS resolution
3. Configure any other local network hosts that use a manually configured DNS server to use the DNSWatch IP addresses (for example, a local DHCP server or other local server)

22 DNSWatch Without Usage Enforcement
If usage enforcement is disabled, to make sure that WatchGuard services connect to a regional server:
- Add DNS Forwarding rules for these domains:
  - watchguard.com
  - ctmail.com
  - rp.cloud.threatseeker.com
- For each rule, specify the IP address of a regional DNS server

23 Best Practices
After you enable DNSWatch, we recommend that you do not remove the existing DNS server IP addresses from the Firebox configuration

24 DNSWatch License Expiration
- When DNSWatch expires, the Firebox uses the existing DNS settings in the Firebox network configuration
- If DNSWatch expires and no DNS servers are configured on the Firebox:
  - The Firebox continues to use DNSWatch for DNS lookups only; no alerts or configuration options are applied
  - The Firebox generates a log message to alert you that DNS servers are missing

25 DNSWatch and Your Network

26 DNSWatch and Your Network
The examples in this section show how DNSWatch fits in different network architectures

27 DNSWatch and Your Network
Example 1 — Network without a local DNS server

28 DNSWatch and Your Network
Example 2 — Network with a local DNS server
- The Network DNS server list on the Firebox does not include the local DNS server

29 DNSWatch and Your Network
For Example 2 — DNSWatch enforcement is enabled
- The Network (Global) DNS server list on the Firebox only includes public DNS servers; the local DNS server is not included
- Configure DNS Forwarding rules for your local domain and local DNS server if the Firebox itself must resolve local FQDNs

30 DNSWatch and Your Network
Example 3 — Network with a local DNS server
- The Network DNS server list on the Firebox includes the local DNS server

31 DNSWatch and Your Network
For Example 3 — DNSWatch enforcement is enabled
- The Network (Global) DNS server list on the Firebox has your local DNS server first and public DNS servers last

32 DNSWatch and Your Network
For Example 3 — In this example, DNS requests for WatchGuard service domains are sent to DNSWatch instead of a public DNS server. The DNSWatch exception list is not used.

33 DNSWatch and Your Network
Example 4 — Network with a local DNS server
- DNSWatch enforcement is disabled

34 DNSWatch and Your Network
For Example 4 — If you do not want to enable DNSWatch enforcement on your network, you can use this configuration
- You must manually add forwarders to the DNSWatch DNS servers on your local DNS server
- Keep forwarders to public DNS servers as backup options

35 DNSWatch and Your Network
For Example 4 — You must also add DNS forwarding rules for WatchGuard service domains to make sure that these services connect to the closest regional server

36 DNSWatch and Your Network
Example 5 — Network with mobile VPN users

37 DNSWatch and Your Network
For Example 5 — DNSWatch enforcement is enabled
- Enforcement applies only to hosts on Trusted or Optional Firebox interfaces; enforcement does not apply to mobile VPN users
- Mobile VPN devices must point to the local DNS server
- The Network (Global) DNS server list on the Firebox has your local DNS server first and public DNS servers last
- Mobile VPN with IPSec, L2TP, and IKEv2 users get the DNS servers in the Network DNS server list on the Firebox; make sure to include the local DNS server first in this list
- Mobile VPN with SSL users get the DNS servers in the Mobile VPN with SSL settings on the Firebox; make sure to include the local DNS server first in the Mobile VPN with SSL settings

38 DNS Precedence

39 DNS Settings Precedence
In some cases, DNSWatch takes precedence over these DNS servers that could already be configured on your Firebox:
- Network (Global) DNS server — default DNS server for all interfaces and local processes on the Firebox
- Interface DNS server — specified in the DHCP server settings for an interface
- DNS server obtained from your ISP — when the Firebox is configured as a DHCP or PPPoE client

40 Precedence ─ Network DNS Server
Network DNS servers, when DNSWatch is enabled with enforcement on:
- DNSWatch DNS servers take precedence over the public DNS servers in the Network DNS server list
- DNS queries for external resources are, in this order:
  1. Resolved by the Firebox cache, or
  2. Sent to the DNS servers specified in conditional DNS forwarding rules, or
  3. Sent to DNSWatch

41 Precedence ─ Network DNS Server
Network DNS servers, when DNSWatch is enabled with enforcement off:
- Public DNS servers in the Network DNS server list are used
- If the DNS Forwarding feature is not enabled, DNS queries for external resources generated by the Firebox itself, or sent directly to the Firebox interface IP address, are sent to DNSWatch
- If the DNS Forwarding feature is enabled, DNS queries for external resources are, in this order:
  1. Resolved by the Firebox cache, or
  2. Sent to the DNS servers specified in conditional DNS forwarding rules, or
  3. Sent to DNSWatch

42 Precedence ─ Interface DNS Server
Interface DNS server (configured in interface settings), when DNSWatch is enabled with enforcement on:
- DNS queries for external resources are, in this order:
  1. Resolved by the Firebox cache, or
  2. Sent to the DNS servers specified in conditional DNS forwarding rules, or
  3. Sent to DNSWatch
- For a DHCP client with manually configured DNS servers, DNS queries for external resources are sent to DNSWatch because enforcement is on

43 Precedence ─ Interface DNS Server
Interface DNS server (configured in interface settings), when DNSWatch is enabled with enforcement off:
- DNS requests are sent to the interface DNS server instead of DNSWatch
- For a DHCP client with manually configured DNS servers, DNS queries are sent to the manually configured DNS servers instead of DNSWatch; to protect this client with DNSWatch, we recommend you change the manually configured DNS servers to the DNSWatch server IP addresses

44 Precedence ─ DNS Server from ISP
DNS server obtained from your ISP, for a Firebox configured as a DHCP or PPPoE client:
- Not used when DNSWatch is enabled; DNS requests are sent to DNSWatch instead
- The Firebox continues to obtain DNS servers from your ISP and stores that information
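The precedence rules on slides 20 and 39 through 44 are easier to check against a concrete model. The following is an added example written for this page, not WatchGuard code: it encodes the usage-enforcement exception list (slide 20) and the Network and Interface DNS precedence (slides 40 to 43) as one routing function, so an administrator can reason about where a given query ends up before changing the enforcement setting. The field names, the return labels such as "network-dns-server", and the sample servers and domains are this example's own assumptions; the page does not say whether the Firebox cache is consulted when enforcement is off and DNS Forwarding is disabled, so that path goes straight to DNSWatch as slide 41 states.

```python
"""Model of where a Firebox sends a DNS query once DNSWatch is enabled.

Added illustration (not WatchGuard code). Encodes the precedence rules from
the slides: the usage-enforcement exception list (slide 20) and the
Network/Interface DNS precedence (slides 40-43). Field names and return
labels are this example's naming, not Firebox terminology.
"""
from dataclasses import dataclass, field

# Domains the Firebox never sends to DNSWatch when usage enforcement is on,
# so WatchGuard services reach their closest regional server (slide 20).
ENFORCEMENT_EXCEPTIONS = ("watchguard.com", "ctmail.com", "rp.cloud.threatseeker.com")


def in_domain(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


@dataclass
class FireboxDns:
    usage_enforcement: bool
    dns_forwarding_enabled: bool
    # conditional DNS forwarding rules: domain suffix -> DNS server IP (constructed)
    forwarding_rules: dict = field(default_factory=dict)
    # names the Firebox DNS cache can already answer (constructed)
    cache: set = field(default_factory=set)

    def route(self, qname: str, sent_to_firebox: bool, client_dns: str) -> str:
        """Return where a query for an external resource is answered or forwarded.

        qname:           the queried name
        sent_to_firebox: True if the client's DNS server is the Firebox itself
                         (or the query was generated by the Firebox); False if
                         the client uses another server, e.g. one handed out
                         by DHCP or configured manually
        client_dns:      that other server's IP (used only when
                         sent_to_firebox is False)
        """
        if self.usage_enforcement:
            # Enforcement redirects every protected client's DNS, so client_dns
            # is irrelevant, except for the WatchGuard service exception list.
            for zone in ENFORCEMENT_EXCEPTIONS:
                if in_domain(qname, zone):
                    return "network-dns-server"
            return self._cache_rules_dnswatch(qname)
        # Enforcement off: clients pointed at another server are not
        # redirected (slide 43); the ISP-supplied server is never used (slide 44).
        if not sent_to_firebox:
            return client_dns
        # Queries generated by, or sent directly to, the Firebox (slide 41).
        if self.dns_forwarding_enabled:
            return self._cache_rules_dnswatch(qname)
        return "dnswatch"

    def _cache_rules_dnswatch(self, qname: str) -> str:
        """Slide 40 order: Firebox cache, then conditional forwarding rule, then DNSWatch."""
        if qname.lower().rstrip(".") in self.cache:
            return "cache"
        for zone, server in self.forwarding_rules.items():
            if in_domain(qname, zone):
                return server
        return "dnswatch"


if __name__ == "__main__":
    # Constructed scenario: enforcement on, a local-domain forwarding rule.
    fb = FireboxDns(usage_enforcement=True, dns_forwarding_enabled=True,
                    forwarding_rules={"corp.example": "10.0.0.53"})
    for name in ("www.example.com", "updates.watchguard.com", "host.corp.example"):
        print(f"{name:28} -> {fb.route(name, True, '')}")
```

Running the block prints the destination for three constructed names under enforcement; the test below also covers the enforcement-off paths, where a client that uses its own DNS server is left alone and only queries aimed at the Firebox reach DNSWatch.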

45 Manage DNSWatch

46 Manage DNSWatch
- After you activate DNSWatch for a Firebox in your account, you can connect to DNSWatch in the WatchGuard Portal
- In the WatchGuard Support Center, select My WatchGuard > Manage DNSWatch

47 DNSWatch Dashboard
- The DNSWatch Dashboard provides DNS traffic data, top domain requests, top network requests, and a summary of monthly alerts
- From the DNSWatch Dashboard you can add domains to the whitelist or blacklist, view reporting and alerts, change your settings, and customize the page users see when their HTTP or HTTPS connections are denied

48 DNSWatch Dashboard
The DNSWatch Dashboard provides:
- DNS traffic data
- Top domain requests
- Top network requests
- Monthly alert summary

49 DNSWatch Web UI
On the Domains menu, you can select options to:
- Add domains to the Blacklist (Blackholed Domains)
- Add domains to the Whitelist
- See information about domain feeds
- Search for a domain on the Blacklist, Whitelist, and Feeds

50 Blackholed Domains
- When you add a domain to the Blackholed Domains list:
  - DNSWatch resolves all DNS requests for that domain to the IP address of the Blackhole Server
  - When an HTTP or HTTPS connection is denied, a customizable Deny Page appears to the user
- To edit blackholed domains, select Domains > Blackholed
- The default list includes the test domain strongarm.test

51 Blackholed Domains
To add a domain to the Blackholed Domains list:
1. Click Blackhole a New Domain
2. Specify the domain name
3. To include all subdomains for the domain, select Include Subdomains
4. To share the domain with WatchGuard, select Share this domain

52 Whitelisted Domains
- When you add a domain to the Whitelisted Domains list, DNSWatch considers the domain safe and resolves the IP address, even if the domain is on a Domain Feed
- To edit whitelisted domains, select Domains > Whitelisted

53 Whitelisted Domains
To add a domain to the Whitelisted Domains list:
1. Click Whitelist a New Domain
2. Specify the domain name
3. To include all subdomains for the domain, select Include Subdomains
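The resolution flow on the "DNSWatch and the Firebox" slide (slide 8) and the Blackholed/Whitelisted Domains slides (50 to 53) together define one decision per query: a whitelisted name resolves normally even if a Domain Feed lists it, a blackholed or feed-listed name resolves to the Blackhole Server, and the Include Subdomains option decides whether a list entry also covers names beneath it. The following is an added example written for this page, not DNSWatch's own code, that models that decision. Two points the page does not state are assumptions here: the whitelist is checked before the manual blackhole list, and feed entries match exact names only. The Blackhole Server address, the upstream answers, and the list entries are constructed sample data (the real Blackhole Server IP is shown on the Firebox under Subscription Services > DNSWatch); only strongarm.test comes from the page, as the default blackholed test domain.

```python
"""Model of the DNSWatch verdict for one DNS query.

Added illustration, not DNSWatch's own code. Combines slide 8 (threat check
before resolution) with slides 50-53 (Blackholed and Whitelisted Domains,
each with an Include Subdomains option). Assumptions not on the page: the
whitelist is checked before the manual blackhole list, and Domain Feeds
match exact names only. All addresses and list entries are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed placeholder; the real address is listed under Blackhole Servers
# on the Firebox DNSWatch status page.
BLACKHOLE_SERVER = "192.0.2.10"


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


@dataclass(frozen=True)
class ListEntry:
    """One row of the Blackholed or Whitelisted Domains list."""
    domain: str
    include_subdomains: bool = False   # the "Include Subdomains" check box

    def matches(self, qname: str) -> bool:
        q, d = normalize(qname), normalize(self.domain)
        if q == d:
            return True
        return self.include_subdomains and q.endswith("." + d)


@dataclass
class DnsWatchPolicy:
    # Default list contains the test domain strongarm.test (slide 50).
    blackholed: List[ListEntry] = field(default_factory=lambda: [ListEntry("strongarm.test")])
    whitelisted: List[ListEntry] = field(default_factory=list)
    feeds: Set[str] = field(default_factory=set)   # names from Domain Feeds (constructed)

    def decide(self, qname: str, upstream_answer: str) -> Tuple[str, str]:
        """Return (verdict, address) for one query.

        upstream_answer is what ordinary resolution would return; it is used
        only when the name is allowed. Denied names get the Blackhole Server,
        which is what lets the Blackhole Server gather endpoint information
        and show the Deny Page for HTTP/HTTPS (slide 8).
        """
        if any(e.matches(qname) for e in self.whitelisted):
            return "allow (whitelisted)", upstream_answer     # safe even if a feed lists it
        if any(e.matches(qname) for e in self.blackholed):
            return "deny (blackholed)", BLACKHOLE_SERVER
        if normalize(qname) in self.feeds:
            return "deny (feed)", BLACKHOLE_SERVER
        return "allow", upstream_answer


if __name__ == "__main__":
    # Constructed policy: default blackhole entry plus one wildcard entry,
    # one whitelisted zone, and a feed that also lists the whitelisted name.
    policy = DnsWatchPolicy(
        blackholed=[ListEntry("strongarm.test"), ListEntry("bad.example", True)],
        whitelisted=[ListEntry("safe.example", True)],
        feeds={"feed-hit.example", "safe.example"},
    )
    for name in ("strongarm.test", "x.strongarm.test", "cdn.bad.example",
                 "safe.example", "feed-hit.example", "www.example.com"):
        print(f"{name:20} -> {policy.decide(name, '203.0.113.5')}")
```

The second name, x.strongarm.test, is the instructive case: because the default entry does not have Include Subdomains set, a subdomain of the test domain resolves normally, which is exactly what the check box on slide 51 controls. Querying strongarm.test from a protected network and confirming that the answer is the Blackhole Server address shown on the Firebox is a quick way to verify that enforcement is working.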

54 DNSWatch Reports and Traffic History
- On the Reporting menu you can select options to:
  - See weekly reports of DNS domain requests
  - Search the DNS traffic history
- You can also click View Reports on the dashboard

55 DNSWatch Weekly Reports
- To see DNSWatch weekly reports, select Reporting > DNSWatch Weekly Reports
- Filter by week date range
- To filter the report for a specific network, select the network
- To see the top 20 domains without grouping by category, clear the Group domains by category check box

56 DNSWatch Weekly Reports
By default, DNSWatch reports group some domains by category, such as Advertising

57 DNSWatch Weekly Reports

58 DNSWatch Traffic History
- To see DNS traffic history, select Reporting > DNS Traffic History
- Search for domains in DNS requests from computers on the protected networks
- History includes DNS traffic from the past week
- Results include only the exact domain name you specify

59 DNSWatch Alerts
An alert summarizes one or more connections that DNSWatch denied to a domain from the same protected network

60 DNSWatch Alerts — Filter
To filter the Alerts list, click Filter

61 DNSWatch Alerts — Status
The Status column shows the alert status:
- Resolved (green check mark)
  - The alert was resolved by a DNSWatch user
  - DNSWatch sends a notification if a resolved alert is seen again
- Unresolved (red x)
  - The alert is not resolved
  - For unresolved alerts, the adjacent connection icon is red if there are active connections to the DNSWatch Blackhole Server for the alert

62 DNSWatch Alerts — Resolve Selected Alerts
To resolve an alert:
1. Select the alerts
2. Click Resolve Selected Alerts

63 DNSWatch Alerts — Resolve Selected Alerts
- If DNSWatch sees a DNS request that matches a resolved alert in the future, DNSWatch reopens the alert and sends a new notification
- You cannot resolve an alert that has an open connection

64 DNSWatch Alerts – View Details
To see the details for an alert, click View

65 DNSWatch Alert Details
The alert details include victim information, destination information, and malware information

66 DNSWatch Alert Details
- Click Resolve Alert to change the status to Resolved
- Click Silence Alerts to stop notifications for the alert without changing the alert status

67 DNSWatch Alert Details – Discussion
Select Discussion to see feedback from WatchGuard support, and add additional comments or questions

68 DNSWatch Alert Details – Domain Analysis
- Select Domain Analysis to view the domains that DNSWatch extracted from this infection
- Extracted domains are either the original destination domain, or domains related to it
- To add a blocked domain to your Whitelist, click Actions and select Add to Whitelist

69 DNSWatch Alert Details – Malware Analysis
- An alert may include multiple connections to a domain from the same protected network
- The Malware Analysis tab shows details about the first connection

70 DNSWatch Alert Details – Connections
- To see all connections associated with this alert, select the Connections tab
- To see details for a connection, click View

71 DNSWatch Connection Information
Connection information includes:
- Netflow data
- Hex dump of the first bytes sent by the victim
- Parsed protocol details

72 DNSWatch Alert Details – History
The History tab for an alert is an audit trail of all actions taken for the alert by a DNSWatch user:
- Changed the alert status to Resolved or Unresolved
- Silenced or enabled alert notifications

73 DNSWatch Denied Connections
To see a list of all connections that DNSWatch has denied, on the Alerts page click Connections

74 DNSWatch Denied Connections
- The list of denied connections includes the source IP address, source and destination ports, and protocol
- To see more information for a denied connection, click View

75 DNSWatch Settings — Profile
To configure DNSWatch account settings, click your user name and then select Settings

76 DNSWatch Settings — Profile
In the Profile settings you can change your time zone

77 DNSWatch Settings — Notifications
- In the Notification settings you can enable or disable notifications for new alerts, or updates to existing alerts
- Notifications go to the address configured for your user account in the WatchGuard Portal

78 DNSWatch Settings — Protected Fireboxes
- To see a list of Fireboxes and networks protected by DNSWatch, click Protected Fireboxes
- This page shows the public IP addresses for all Firebox external interfaces

79 DNSWatch Settings — Deny Page
You can customize the logo, text and colors of the Deny page

80 DNSWatch Settings — Deny Page
To customize the deny page, click Block Page Content

81 Customize the Deny Page
To customize the colors and logo, select Block Page Style

82 For More Information
- This introduction does not cover every feature of DNSWatch
- For more information about DNSWatch features, see Fireware Help

83 Thank You!

