This question often comes up with our customers and prospects when they hear the need to invest in additional solutions besides Next Generation Firewalls (NGFW), such as the products from Palo Alto Networks, Check Point Software and Cisco Systems, to resolve the DNS security gap. In fact, security professionals who imply that their NGFW products or services are all you need to protect your network are not well informed. Most vendors create products or solutions that provide an Internet-wide foundation for your security stack. A foundation, that, when stacked with other critical security controls, prevents attacks and malicious activity to your devices, no matter where they’re located.
Differences between DNS Firewall and Next Generation Firewall
Let’s look at the difference between Next Generation Firewalls and DNS Firewalls.
DNS Firewall is a Domain Name System (DNS) service that utilizes response policy zones (RPZs) (see an example) with a threat intelligence feed service to protect against malware and advanced persistent threats (APTs) by disrupting the ability of infected devices to communicate with command-and-control (C&C) sites and botnets.
Next Generation Firewall is a deep-packet inspection hardware or software firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bring in intelligence from outside the firewall.
NGFW is Mostly a Reactive Defense Tool
NGFW defenses react after an attack already has been launched—so if your network is attacked, the NGFW will respond. Hence, NGFW acts as a reactive defense tool rather than as a proactive one. Today, this line of thinking could be very risky because the velocity and volume of new attack tools and techniques enable some malicious activity to be dormant and go undetected for minutes, weeks or even months.
DNS Firewall is Proactive in Stopping Malicious Traffic
While a DNS Firewall can stop malicious Internet connections before they occur at the DNS control plane, NGFW must scan each of these connections. NGFWs do not offer protection to off-network devices/users such as remote and roaming users without always keeping a VPN on, which adds latency. When it comes to protecting your end-users working inside or outside of your perimeter, a DNS Firewall is much faster, more responsive, and more effective.
NGFW Falls Short on DNS Control Plane
Signature-based products like NGFW are critical to blocking or containing phishing attacks. But you might be missing a crucial element at a different layer of your security defenses: DNS. The next layer on your NGFW based security solution should be focused on the DNS control plane. NGFWs allow administrators to apply policies to traffic based not just on port and protocol, but also applications and users accessing the network. However, the DNS protocol is typically not “inspected” by NGFW for malware. Most NGFWs allow traffic to pass through port 53, the protocol over which DNS queries and responses are sent. This can make the DNS service vulnerable to malware. NGFW is not a DNS server, and therefore, cannot interpret DNS queries and responses to detect malware that uses the DNS protocol, which is typically allowed through the firewall. This is not to say that all NGFWs lack DNS security-related features. Certain NGFW products have specific DNS related security features, but these are “bolted on,” and lack the visibility that DNS servers have into all the DNS requests and devices that are reaching out to malicious domains, and extensive attributes of infected devices (e.g. DHCP lease history, MAC OS, device type, IP address, username) that a sophisticated DDI vendor such as Infoblox provides seamlessly via reporting.
How to get the best of both worlds? Integrate DNS Firewall and NGFW.
Using a layered approach to security is critical as network perimeters continue to erode and confidential information is accessed through cloud services on public WiFi networks. The best way to maintain a strong security posture is by integrating DNS Firewall with NGFW. DNS Firewall can be installed as part of DNS either on-premises or offered as a service via the cloud. Since DNS Firewall does not include an intrusion prevention system, your network could be vulnerable to malformed packets or DDoS (distributed denial of service) attacks. So the best practice is to complement DNS firewall with NGFW as critical elements in your layered security solution, as opposed to simply adopting one or the other.
What Makes DNS Firewall Special?
DNS Firewall is an optimal policy enforcement point for DNS-specific protection from malware and APTs. DNS is increasingly being used as a pathway for data exfiltration, either unwittingly by malware-infected devices or intentionally by malicious insiders. DNS tunneling involves tunneling IP protocol traffic through DNS port 53 (of NGFW) for the purposes of data exfiltration. Such attacks can result in the loss of sensitive data such as credit card information, social security numbers, or company financials.
Internal DNS security that combines DNS-based threat intelligence and analytics helps detect and protect against data exfiltration at the DNS control point.
DNS firewall, because it’s based on DNS, can be an ideal enforcement point for detecting any device that tries to call ‘home’ (malicious domain) using DNS. Moreover, a DNS server is a default service in the network with NGFW, so why not let DNS Firewall perform tasks it’s suited for and at the scale and performance you need, without burdening the already busy NGFW?
How to Choose the Right DNS Firewall for Your Organization?
This really depends on whether you manage your own infrastructure on-premises or if you have a cloud-first strategy where you do not have infrastructure on-premises. In many organizations, a hybrid solution is required where you have a combination of users and devices both on-premises and off-premises such as remote, roaming and branch offices.
How can Infoblox Help?
Infoblox ActiveTrust® Suite proactively protects users everywhere from cyber attacks: on-premise, roaming and in remote office/ branch. The solution automatically stops device communications with C&Cs/botnets and protects against DNS based data exfiltration. It collects curated threat intelligence data and distributes the verified data to existing security infrastructure to remediate threats and prevent future attacks. It is operationally easy to use, deploy, maintain and enables unified policy management. Infoblox offers a hybrid solution that can deployed either on-premises or in the cloud.
Download a free thirty-day evaluation of: