In the 1990s, firewalls were all the rage: every organization, big or small, connecting to the Internet jumped on the bandwagon to make sure it had a firewall at its corporate perimeter to keep malware and the bad guys out of the corporate network. That worked okay for a time, but soon the first-generation firewall was no match for attackers who started exploiting the applications themselves (through vulnerabilities caused by software misconfiguration or a lack of security altogether) to launch malware and, in some cases, steal data. A decade later, next-generation firewalls, or NGFWs, began taking center stage, allowing administrators to apply policies to traffic based not just on port and protocol but also on the applications and users accessing the network. Today, another decade later, with hundreds of data breaches impacting a range of industries globally, including retail and financial institutions, and with most malware going undetected until 200+ days after infection, we have learned the drawback of relying on a NGFW alone without paying attention to, and securing, a critical protocol service that is typically allowed through it and that is easily exploitable: the Domain Name System, or DNS.
- The DNS protocol is typically not "inspected" by a NGFW for malware. Most NGFWs allow traffic to pass through port 53, the port over which DNS queries and responses are sent.
  - Solution: A DNS firewall is an optimal policy enforcement point for DNS-specific protection from malware and advanced persistent threats.
- Attacks target the DNS infrastructure itself. There is a wide range of volumetric DNS DDoS and DNS amplification/reflection attacks, as well as exploits such as DNS cache poisoning, spoofing and session hijacking, that can bypass or even disrupt the operation of NGFWs, since NGFWs were not designed to detect or handle these types of threats.
  - Solution: A purpose-built, self-defending DNS server helps protect the DNS infrastructure itself from attacks while allowing legitimate traffic to pass through unfettered.
- DNS is increasingly being used as a pathway for data exfiltration, either unwittingly by malware-infected devices or intentionally by malicious insiders. DNS tunneling encapsulates other IP traffic inside DNS queries and responses over port 53, which an NGFW leaves open, for the purpose of data exfiltration. According to a recent article in SC Magazine on a DNS security survey of 300 IT decision-makers in the U.S. and U.K. in November 2014, 46 percent of respondents experienced DNS exfiltration and 45 percent experienced DNS tunneling. Such attacks can result in the loss of sensitive data such as credit-card information, Social Security information, or company financials.
  - Solution: Internal DNS security that combines DNS-based threat intelligence and analytics helps detect and protect against data exfiltration at the DNS layer.
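The analytics side of that last solution can be illustrated with a small detector over resolver query logs. This is an added example, not Infoblox code or part of the original post: the log lines, hosts, addresses and labels are constructed, the registrable domain is approximated as the last two labels, and the thresholds are illustrative starting points rather than tuned values.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query-log lines (BIND-style layout; hosts, addresses and labels are invented).
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.5#53212: query: mail.example.com IN MX + (10.0.0.1)
client 10.0.0.5#53213: query: api.example.com IN A + (10.0.0.1)
client 10.0.0.7#40001: query: 9f3c1ab07e24.t.exfil-test.example IN TXT + (10.0.0.1)
client 10.0.0.7#40002: query: 5d08e7c2a1f9.t.exfil-test.example IN TXT + (10.0.0.1)
client 10.0.0.7#40003: query: 0c4f8a21d7e5b3.t.exfil-test.example IN TXT + (10.0.0.1)
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded payloads score well above dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def profile_domains(log_text: str) -> dict:
    """Aggregate per registrable domain, approximated here as the last two labels."""
    stats = defaultdict(lambda: {"names": set(), "lens": [], "ents": [], "txt": 0, "total": 0})
    for m in QUERY_RE.finditer(log_text):
        qname = m["qname"].lower().rstrip(".")
        labels = qname.split(".")
        s = stats[".".join(labels[-2:])]
        s["names"].add(qname)
        s["total"] += 1
        s["lens"].append(len(labels[0]))           # the leftmost label carries any payload
        s["ents"].append(shannon_entropy(labels[0]))
        if m["qtype"].upper() in ("TXT", "NULL"):  # record types that carry the most bytes
            s["txt"] += 1
    return stats

def suspicious_domains(log_text: str, min_names: int = 3, max_label: float = 12,
                       max_entropy: float = 3.0, txt_ratio: float = 0.5) -> list:
    """Flag domains with many distinct subdomains that are long, high-entropy, or mostly
    TXT/NULL lookups. Tune the thresholds against a baseline of the environment's own traffic."""
    flagged = []
    for domain, s in profile_domains(log_text).items():
        if len(s["names"]) < min_names:
            continue
        avg_len = sum(s["lens"]) / len(s["lens"])
        avg_ent = sum(s["ents"]) / len(s["ents"])
        if avg_len >= max_label or avg_ent >= max_entropy or s["txt"] / s["total"] >= txt_ratio:
            flagged.append(domain)
    return sorted(flagged)
```

A flagged domain is a lead for the analyst, not a verdict: correlate it with the querying client (the DHCP and IPAM attributes the post mentions later) before acting on it.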
Now that you have a better understanding of why DNS should be a critical component of your defense-in-depth security architecture, I will explain how a DNS firewall differs from a NGFW.
DNS Firewall, a product so named and introduced into the market by Infoblox in 2013, is defined as follows:
DNS Firewall is a Domain Name System (DNS) service that utilizes Response Policy Zones (RPZs) with a threat intelligence (malware feed) service to protect against malware and APTs by disrupting the ability of infected devices to communicate with command-and-control (C&C) sites and botnets, so that information is not exfiltrated.
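To make the RPZ mechanism in that definition concrete, here is an added example (not Infoblox's product code or part of the original post) that parses a constructed RPZ zone fragment and applies its QNAME rules the way a policy-enforcing resolver would, including the special CNAME targets RPZ uses for NXDOMAIN, NODATA, pass-through and drop. The zone origin, rule names and sinkhole host are invented for illustration.

```python
# Constructed RPZ zone fragment for illustration (not a real threat feed). Each owner
# name is a QNAME trigger; the CNAME target encodes the action, as in BIND-style RPZ.
RPZ_ZONE_TEXT = """
badguy.example           CNAME .                           ; NXDOMAIN
*.badguy.example         CNAME .                           ; NXDOMAIN for every subdomain
allowed.badguy.example   CNAME rpz-passthru.               ; exception: resolve normally
c2.fake-cdn.example      CNAME walledgarden.example.local. ; redirect to a sinkhole host
*.tracker.example        CNAME *.                          ; NODATA (empty answer)
drop.example             CNAME rpz-drop.                   ; silently drop the query
"""

# Special CNAME targets defined by RPZ; any other target is local data (a redirect).
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}

def parse_rpz(zone_text: str) -> dict:
    """Map each trigger name to (action, cname_target or None)."""
    rules = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()    # drop zone-file comments
        if not line:
            continue
        owner, rrtype, target = line.split()
        if rrtype.upper() != "CNAME":
            continue                           # only QNAME/CNAME policy rules are modelled
        action = ACTIONS.get(target, "LOCAL")
        rules[owner.lower()] = (action, target if action == "LOCAL" else None)
    return rules

RULES = parse_rpz(RPZ_ZONE_TEXT)

def rpz_lookup(qname: str, rules: dict = RULES) -> tuple:
    """Return (action, matched_rule, cname_target). An exact QNAME rule beats a
    wildcard, and among wildcards the longest matching suffix wins."""
    name = qname.lower().rstrip(".")
    if name in rules:
        action, target = rules[name]
        return action, name, target
    labels = name.split(".")
    for i in range(1, len(labels)):            # try *.b.c before *.c
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            action, target = rules[wild]
            return action, wild, target
    return "NOMATCH", None, None

def audit(queries: list) -> list:
    """Every verdict other than NOMATCH or PASSTHRU is a blocked lookup worth logging with the client."""
    return [(q, rpz_lookup(q)[0]) for q in queries]
```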
According to Gartner, the world’s leading information technology research and advisory company:
Next Generation Firewall (NGFW) is a deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bring intelligence from outside the firewall.
NGFWs are purpose-built to block or allow certain types of traffic based on port, protocol, and/or application. They are usually the first line of defense for users trying to access a corporate network or Web server. NGFWs typically have to keep the DNS service, whose traffic passes through port 53 on the firewall, open to all users so that they can use the Internet, a business-critical application. This leaves the DNS service exposed to malware.
A NGFW is not a DNS server and therefore cannot interpret DNS queries and responses to detect malware that uses the DNS protocol, which is typically allowed through the firewall. This is not to say that all NGFWs are created equal. Certain products have specific DNS-related security features, but these are "bolted on" and lack the visibility that DNS servers have into all of the DNS requests and the devices reaching out to bad domain destinations. They also lack the extensive attributes of infected devices (e.g. DHCP lease history, MAC address, OS, device type, IP address, username) that a DDI (DNS, DHCP and IP address management) vendor such as Infoblox provides seamlessly via reporting.
A DNS firewall, because it is based on DNS, a ubiquitous and essential network control service, can be an ideal enforcement point for detecting any device that tries to call "home" (a malicious domain) using DNS. Moreover, a DNS server is a default service in any network that has a NGFW, so why not let a DNS firewall perform the tasks it is suited for, at the scale and performance you need, without burdening the already busy NGFW? Infoblox customers, most recently Council Rock School District, are thankful that they do.