One of the aspects of Infoblox and our security technology that gets me the most excited is the value of DNS as a policy enforcement point. I’d like to take a few minutes and explain what I mean by that, and give you some examples of ways to use these tools to keep your network safe and respond to important industry events quickly.
So what am I talking about? Simple. Whether a given connection request is good or bad, trivial or life saving, it always starts with your client doing a DNS lookup to get the IP address of the destination. During that process, the Infoblox DNS appliance has the ability to take different actions – return the right answer, block the outgoing request, or redirect that request to another place by changing the answer.
This opens up tons of really great opportunities for both automated and manual controls. You may be aware that there is already an integration between the Infoblox DNS Firewall and FireEye’s NX Series. With this integration, FireEye automatically informs the Infoblox grid every time that a piece of malware is discovered via FireEye’s container solution. Once this notification is made, then all DNS appliances will automatically block DNS requests to that malicious domain, neutralizing the threat caused by the infection and giving IT the information they need to clean it up.1 See the figure below for an illustration of how this works. We’ve also done a similar integration with Bit 9, as regular readers here will remember. You’ll see many more of these types of integrations from Infoblox soon.
Just as exciting as these automated responses, however, is the fact that every Infoblox customer can block access to malicious or non-compliant sites quickly and easily with a simple manual process. Why would you want to do this? Let’s use a recent vulnerability announcement to explain. You may have heard about a recent successful attack on Apple’s IoS App Store. This attack was very complicated, and required the attack’s creator to convince developers to use a modified version of Apple’s Xcode development environment. This modified code embedded a malicious toolkit in all the apps created by this bogus version of Xcode. For this reason, the attack was called “XCodeGhost”.2
Clearly, malicious IoS apps are something that is unexpected, and many were scrambling to figure out how to respond. For Infoblox customers, however, the answer was simple. The malware toolbox that was embedded in these apps used three domains to report back to their evil overlords – init.crash-analytics.com, init.cloud-diagnostics.com, and init.cloud-analysis.com. Adding these domains to one of the Infoblox black lists quickly neutralizes the problem, and produces a nice set of log entries to identify any infected systems. It’s important to also note that the domains would also have shown up in DNS-FW customer’s automatic protection feeds, but in this case the threat was very quickly taken down the domain registrars.
These are just two of the examples of how Infoblox can help you by taking automated response, or giving you the tools to make your own policy decisions quickly, for your whole enterprise. So the next time you are worried about how to respond to a new threat, or need to control who can access an internet destination, remember that Infoblox has your back, and blocking that dangerous destination is just a few clicks away.
1. Complete details on this integration are here – https://www.infoblox.com/products/secure-dns/dns-firewall-fireeye-adapter.
2. A great explanation of this attack can be found here – http://arstechnica.com/security/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app….