Firewalls are an important tool in the security arsenal, but on their own they are not enough to control malware infections and prevent data breaches. Here are three reasons why a complementary tool, a DNS firewall, can help close some important gaps:
1. Firewalls are set to “default-allow” for DNS service.
Firewalls must allow DNS traffic through. Without it, users cannot reach the SaaS applications and data the business depends on (CRM, HR systems, the web for search, marketing and other day-to-day work). Attackers know this and take advantage of it: once a machine is infected with malware, that malware uses the permitted DNS channel to call 'home' to the attacker's command and control (C&C) server and receive instructions, whether to spread the infection to other machines it communicates with or to exfiltrate sensitive data. Because the channel is open by policy, the firewall has no reason to stop it.
2. Firewalls are not purpose-built to defend against DNS-based threats and data breaches.
Most firewalls can neither interpret nor analyze DNS traffic for threats and anomalies. An attacker can therefore encode data into DNS queries (for example, as subdomain labels of a domain whose authoritative name server they control) and the firewall processes them as "normal" DNS; over a series of such queries the data leaves the network without a trace, since neither threat logs nor traffic logs show an unusual pattern or event. In fact, Infoblox confirmed this recently through testing of a next-generation firewall product: it could not distinguish legitimate from illegitimate DNS queries, the latter of which were being used to steal sensitive data out of the network.
3. When situated at the network edge, monitoring north-south traffic, firewalls cannot detect lateral (east-west) malware spread from machine to machine inside the network, nor identify the infected machines themselves.
In the cyber kill chain, after a machine is infected (say, by an unsuspecting user clicking a phishing link or by a drive-by download), the malware on that machine uses DNS to call 'home' to its command and control server. That DNS request is resolved by the internal DNS server, not the firewall. When an internal recursive resolver is in use, the most the edge firewall sees is the resolver's own outbound query, with the resolver's IP address as the source, so it cannot tie the request back to the infected host.
Only a purpose-built solution such as a DNS firewall sees the DNS request to the bad domain. Using threat intelligence on known malicious domains (C&C servers, phishing sites, domains produced by Domain Generation Algorithms, etc.), it blocks the malicious DNS communication and so prevents the malware from reaching its C&C server and spreading to other machines on the same network. Deployed inside the network (on premises), it can also identify the device that made the malicious DNS request, information that can drive a response such as quarantining the device until it is cleaned up or cutting off its connections through switch port control. In practice the two tools complement each other: the perimeter firewall should allow outbound DNS only from the internal resolvers, so that malware cannot bypass the DNS firewall by querying an external resolver directly.

Furthermore, if the DNS firewall, such as Infoblox DNS Firewall, also uses behavioral analysis to detect and prevent DNS data exfiltration attempts, it becomes a unique and powerful tool in your security arsenal, complementing not only firewalls but also other commonly used security technologies like Data Loss Prevention (DLP), Intrusion Prevention (IPS) and Advanced Threat Detection in the fight against malware and data breaches.
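The following Python script is an added example written for this page to make points 2 and 3 concrete; it is not Infoblox code and does not describe how Infoblox DNS Firewall works internally. It shows the attacker side of point 2 (encoding stolen data into well-formed DNS query names, which an ordinary firewall passes as normal DNS) beside the defender side of point 3 (an on-premise DNS firewall matching queries against a threat-intelligence blocklist with client attribution, plus a behavioral check for the many-distinct-high-entropy-labels shape of DNS tunnelling). The domains, IP addresses, log-line format, payload and thresholds are all constructed for illustration.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Constructed placeholder indicators standing in for a threat-intelligence feed
# (C&C servers, phishing sites, DGA output). Not real domains.
BLOCKLIST = {"c2-beacon.example", "login-update.example"}


def encode_exfil_queries(data: bytes, tunnel_domain: str, chunk: int = 30) -> list:
    """Attacker side: turn stolen data into well-formed DNS query names.

    Each chunk is base32-encoded (DNS names are case-insensitive, so base64
    would be mangled) and becomes the leftmost label of a name under a zone
    the attacker's server is authoritative for. The resolver forwards it like
    any other lookup and the attacker's server simply logs the label.
    """
    names = []
    for seq, start in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[start:start + chunk]).decode().rstrip("=").lower()
        names.append(f"{label}.{seq}.{tunnel_domain}")  # 30 bytes -> 48-char label (< 63 limit)
    return names


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, real words low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domains(qname: str):
    """Yield qname and each parent: a.b.c -> a.b.c, b.c, c (RPZ-style matching)."""
    labels = qname.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def base_domain(qname: str) -> str:
    """Registrable-domain approximation: last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])


def analyze(log_lines, blocklist=BLOCKLIST, min_queries=5, min_label=20, min_entropy=3.5):
    """Defender side, with the visibility an on-premise DNS firewall has.

    Each constructed log line is "<client_ip> <qname>" as the internal resolver
    records it, so the originating host is known; an edge firewall would only
    see the resolver's IP on the outbound recursive query.

    Returns (blocked, suspects):
      blocked  - [(client_ip, qname, matched_indicator)] for known-bad domains
      suspects - {(client_ip, base_domain): distinct_qnames} for clients sending
                 many distinct, long, high-entropy labels to one zone, the
                 shape of DNS tunnelling / exfiltration.
    """
    blocked = []
    stats = defaultdict(lambda: {"qnames": set(), "entropies": []})

    for line in log_lines:
        client, qname = line.split()
        qname = qname.lower().rstrip(".")

        # 1. Known-bad domain: block and attribute to the client that asked.
        hit = next((d for d in parent_domains(qname) if d in blocklist), None)
        if hit is not None:
            blocked.append((client, qname, hit))
            continue

        # 2. Behavioural features per (client, zone) for exfiltration detection.
        leftmost = qname.split(".")[0]
        if len(leftmost) >= min_label:
            key = (client, base_domain(qname))
            stats[key]["qnames"].add(qname)
            stats[key]["entropies"].append(shannon_entropy(leftmost))

    suspects = {}
    for key, st in stats.items():
        mean_entropy = sum(st["entropies"]) / len(st["entropies"])
        if len(st["qnames"]) >= min_queries and mean_entropy >= min_entropy:
            suspects[key] = len(st["qnames"])
    return blocked, suspects


# Constructed sample: a 256-byte stand-in for an encrypted archive (real exfil
# is usually compressed or encrypted, hence high entropy) tunnelled out by
# 10.0.0.23, plus beacons to blocklisted domains and ordinary traffic.
SECRET = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
SAMPLE_LOG = (
    ["10.0.0.15 beacon.c2-beacon.example", "10.0.0.42 login-update.example",
     "10.0.0.15 www.example.com", "10.0.0.42 mail.example.com",
     "10.0.0.7 averyveryverylonglegitimatelabel.example.org"]
    + [f"10.0.0.23 {n}" for n in encode_exfil_queries(SECRET, "files-cdn.example")]
)

if __name__ == "__main__":
    blocked, suspects = analyze(SAMPLE_LOG)
    for client, qname, ioc in blocked:
        print(f"BLOCK  {client} -> {qname} (matched {ioc})")
    for (client, zone), n in suspects.items():
        print(f"EXFIL? {client} sent {n} distinct high-entropy labels to {zone}")
```

Two design points worth noting. The blocklist check walks up the parent domains so that a feed entry for a zone catches every host under it, which is how RPZ-style policy is usually applied. The behavioral check deliberately combines three signals (distinct names, label length, entropy) per client and zone: a single long label from a legitimate host (the 10.0.0.7 line) does not trip it, and plaintext rather than encrypted exfiltration scores lower on entropy, which is why the count and length features matter as much as the entropy threshold.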