Primer on DNS tunneling used as a vector for data theft via malware and insider threats with mitigation techniques and pointers on improving outbound DNS security architecture.
The DNS Tunneling Blindspot
1. Stopping the bad guys and what you can do about it
Brian A. McHenry
Sr. Security Solutions Architect
bam@f5.com
@bamchenry
2. Enterprise Blindspots in the Age of Malware & Insider Threats
Brian A. McHenry
Sr. Security Solutions Architect
bam@f5.com
@bamchenry
3. Who is this guy?
• Brian A. McHenry, Sr. Security Solutions Architect, F5 Networks
• 9 years at F5, focused on application security solutions
• Regular contributor on DevCentral.f5.com & InformationSecurityBuzz.com
• Follow me on Twitter @bamchenry
4. Greatest threats to data loss?
External
• Injection attacks
  • SQL, cmd, etc.
• Open TCP ports
  • SSH, Telnet, FTP, etc.
• Phishing
Internal
• Undetected malware
  • Servers, desktops, laptops, etc.
• Employees, contractors
  • Disgruntled or careless
• Unverified backup systems
6. Mitigate Malicious Communication - RPZ
Open Service: DNS Query Filtering by Reputation
Prevent malware and sites hosting malicious content from ever communicating with a client.
Inhibit the threat at the earliest opportunity. Internet activity starts with a DNS request.
Domain Reputation: Mitigate DNS threats by blocking access to malicious IPs. Reduce malware and virus infections.
[Diagram: BIG-IP acting as DNS server/proxy, receiving live updates from a Response Policy Zone (RPZ) live feed; "Select Your Service".]
7. Protecting the Client
The internet isn’t an altogether safe place.
MALICIOUS THREATS
• BotNets: Inadvertently downloaded and used to mount distributed attacks.
• Viruses: Once installed, cause malicious activity on the end-user device, sometimes for ransom.
• OS Vulnerabilities: Unprotected, unpatched devices are extremely vulnerable.
DUPING THE USER
• Phishing scams and Man in the Middle: Websites which impersonate real websites, often linked from email or a website. Scammers aim to capture credentials.
• Site redirection: DNS traffic is captured and sent to a malicious DNS server serving bad DNS results.
UNDESIRABLE CONTENT
• Offensive: Content may violate HR or local rules, violate decency standards, or be age inappropriate.
• Irrelevant: Distractive content incompatible with job function or policy.
• Illegal content: File sharing or sites identified as hosting banned material.
8. DNS IP and Name Reputation Choices
• Response Policy Zones: Screens a DNS request against domains with a bad reputation. Inhibits threats by FQDN.
• URL Filtering: Intercept a DNS request in iRules. Categorize & make a decision. Inhibits threats by FQDN; policy control by FQDN.
• IP Reputation: Intercept a DNS response in iRules. Categorize & make a decision. Inhibits threats by IP.
9. Technical Use Cases
• http://www.badsite.com (threat type: virus, malware etc.; DNS lookup required)
  RPZ: effective. IP Reputation: limited to IP address reputation. URL Filtering: effective.
• http://194.71.107.15 (threat type: virus, malware etc.; no DNS lookup issued)
  RPZ: no DNS lookup to filter. IP Reputation: effective. URL Filtering: no URL or FQDN to examine.
• http://www.facebook.com (threat type: social networking; against corp policy)
  RPZ: covers malicious content only. IP Reputation: limited to IP address reputation. URL Filtering: effective.
10. Prevent malware and sites hosting malicious content from ever communicating with a client.
Internet activity starts with a DNS request. Inhibit the threat at the earliest opportunity.
[Diagram: DNS server or proxy built from a cache, resolver, protocol validation, scripting, IPv4/v6 listener, reputation database and special handling, receiving live updates from an RPZ live feed.]
Use Case – User Protection: Prevent subscribers from reaching known bad domains.
11. Use Case – ISP Layered Client Protection
[Diagram: a subscriber query for WWW.DOMAIN.COM enters the DNS policy engine (cache, resolver, iControl, subscriber policy); RPZ, IP reputation and URL filtering are applied across the egress and ingress DNS paths, with policy driven by an RPZ feed, an IP reputation feed and a URL feed.]
• Response Policy Zones (RPZ) filters out and provides NXDOMAIN / Redirect for known bad domains.
• URL Filtering further provides granular policy controls using categories.
• IP Intelligence blocks based on the resolved IP.
• It can also be used in the data path for other protocols.
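The layered policy of slides 8 and 11 (RPZ on the queried name, URL-filter category on the request, IP reputation on the resolved address) as an added example; this is not F5 code and not the BIG-IP iRules API. All feeds, the upstream resolver answers and the simplified RPZ wildcard semantics are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample feeds (not real threat data). RPZ entries are exact
# names or "*." wildcards; values are the policy action for a match.
RPZ_FEED = {"www.badsite.com": "NXDOMAIN",
            "*.phish.example": "CNAME walledgarden.example"}
URL_CATEGORIES = {"www.facebook.com": "social-networking"}
BLOCKED_CATEGORIES = {"social-networking"}            # corporate policy
IP_REPUTATION = {ipaddress.ip_network("192.0.2.0/24"): "malware"}
# Constructed stand-in for the upstream resolver's answers.
UPSTREAM = {"www.facebook.com": "198.51.100.1", "cdn.example": "192.0.2.15"}

@dataclass
class Verdict:
    stage: str   # layer that decided: rpz, url-filter, ip-reputation, upstream
    action: str  # NXDOMAIN, "CNAME <target>", "blocked:<cat>", "dropped:<cat>", or the answer

def rpz_lookup(qname):
    """Query-side check: exact match on the name, wildcard match on its parents."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if i == 0 and suffix in RPZ_FEED:
            return RPZ_FEED[suffix]
        if i > 0 and "*." + suffix in RPZ_FEED:   # "*.x" does not match "x" itself
            return RPZ_FEED["*." + suffix]
    return None

def ip_reputation(addr):
    """Response-side check: score the resolved address against the reputation feed."""
    ip = ipaddress.ip_address(addr)
    return next((cat for net, cat in IP_REPUTATION.items() if ip in net), None)

def resolve_with_policy(qname):
    """Apply the layers in order: RPZ, URL-filter category, then IP reputation."""
    action = rpz_lookup(qname)
    if action:
        return Verdict("rpz", action)
    category = URL_CATEGORIES.get(qname.lower())
    if category in BLOCKED_CATEGORIES:
        return Verdict("url-filter", "blocked:" + category)
    answer = UPSTREAM.get(qname.lower())
    if answer is None:
        return Verdict("upstream", "NXDOMAIN")     # nothing to score
    reputation = ip_reputation(answer)
    if reputation:
        return Verdict("ip-reputation", "dropped:" + reputation)
    return Verdict("upstream", answer)
```

Note the raw-IP case from slide 9 never reaches `rpz_lookup`: with no DNS query, only the reputation check on the address itself can act, which is why IP Intelligence is also placed in the data path.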