Detect Malware and APTs with DNS Firewall Virtual Evaluation

SOLUTION NOTE
Detect Malware and APTs
with DNS Firewall Virtual Evaluation
Summary: Infoblox DNS Firewall provides the industry’s first true DNS security solution for protection against
malware and advanced persistent threats (APTs). Infoblox DNS Firewall can detect DNS-based malware and APTs
inside the network and disrupt the ability of infected clients to communicate with botnets. The DNS Firewall Virtual
Evaluation is a trial version that can detect malware/APT activity in your network through detailed logging and reports.
Detect Malware and APTs Hidden in Your Network
According to recent research on malware, nearly every business network has suspicious traffic going to websites that
host malware. In spite of using the latest firewall and intrusion prevention devices, many organizations have malware
or APTs in their networks and don't even know it. Moreover, every six minutes a known type of malware is being
downloaded somewhere on a business network.
You can find out what malware and APTs are hiding in your network with the 60-day DNS Firewall Virtual Evaluation.
The evaluation:
• Shows DNS-based malware/APT activity and provides detailed logging and reports
• Isn't deployed in line and hence doesn't disrupt the production network
• Is fully automated and easy to install
System Requirements
The evaluation software is a VMware-based vApp. The system requirements are:
• VMware ESX/ESXi 5.0 or above with DAS (Direct Attached Storage), iSCSI (Internet Small Computer System
Interface) or FC (Fibre Channel) SAN (Storage Area Network) storage attached
• Management system with vSphere client
• To manage multiple hosts, the vSphere client must be connected to vCenter (5.0 or above)
• DNS Firewall VM: 4 CPUs, 8 GB RAM, 160 GB virtual disk
• Reporting VM: 2 CPUs, 8 GB RAM
• Internet connectivity to reach the Infoblox security feed (threat intelligence service)
There are two deployment options:
1. Traffic mirroring using a switch SPAN port, for monitoring real-world traffic.
2. All-in-one standalone on a virtual server, which doesn't require any switch configuration changes. You simply input log
files (PCAP, BIND traffic logs) into the Guide VM, which also serves as the management user interface (GUI) to the
DNS Firewall and Reporting.
Detailed deployment instructions are available with the download kit.
©2015 Infoblox Inc. All rights reserved. Infoblox-SN-0049-01 Detect Malware and APTs with DNS Firewall Virtual Evaluation August2015
Reports That Clearly Display Malware/APT Activity
Once the DNS Firewall evaluation is installed and running, it might take a few minutes to a few hours, depending on your
DNS traffic, for malware or APT activity to show up in the logs and reports. The RPZ statistics widget in the Infoblox UI
records the malware or APT activity and shows it visually.
Figure 1: Response Policy Zone (RPZ) statistics widget
Communications going out to malicious domains, either to download more malicious software or to exfiltrate data,
are logged.
The DNS Firewall Virtual Evaluation also receives regular automatic updates from Infoblox to provide ongoing protection
against existing and new types of malware and APTs.
The reporting server bundled with this evaluation helps pinpoint the actual infected clients for cleanup. You will need to
select the security-related reports. There are five reports related to DNS Firewall, as follows:
• The DNS Top RPZ Hits report identifies the domains in the RPZ (that is, domains qualified as malicious) that have
the most hits. This report is designed to shorten the time to identify malware impacts by tracking when attempts are
made to reach domains on the RPZ list, including number of hits and time. Selecting Client ID displays the lease
history for the client when it is available (provided the client received a lease from Infoblox DHCP), and the user
history for the client, provided the user logged in or authenticated on any Active Directory services captured by
Infoblox.
• The DNS Top RPZ Hits by Client report tracks when client IDs attempt to reach domains on the RPZ list, including
number of hits and time. This report is designed to shorten the time to identify clients impacted by malware by
identifying which ones may be infected. Selecting Client ID displays the same lease history (provided the client
received a lease from Infoblox DHCP) and user history (provided the user authenticated on Active Directory services
captured by Infoblox) as in the previous report.
• The Top Infected Clients report identifies the clients which have the most hits to known malicious hosts/domains.
This report is designed to shorten the time to identify the clients that might be the riskiest points for data
exfiltration, and helps reduce time to remediation.
• The Top Malicious Activity by Client report provides information on the malicious destinations that are being
contacted by the infected clients. This report is designed to shorten the time to identify the types of malware that
clients are susceptible to, and to shorten the time to remediation and to protection against future infection of other
clients in the network.
• The Top DNS Firewall Hits report identifies the distribution of traffic between the various malicious domains and
provides contextual information on those domains. This report is designed to shorten time to remediation.
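All three of the reports above (Top RPZ Hits, Top RPZ Hits by Client, Top Infected Clients) reduce to counting RPZ
rewrite events per domain and per client. The script below is an added example written for this note; it is not
Infoblox code and does not reproduce the Reporting VM. It assumes BIND-style "rpz ... rewrite ... via ..." log lines
(the exact layout, the optional "rpz: info:" category/severity prefix and the "@0x..." client pointer are assumptions
about the log format) and runs over a handful of constructed log lines embedded in the script; the domains and
addresses are invented for illustration.

```python
"""Toy Top RPZ Hits / Top RPZ Hits by Client / Top Infected Clients reports
built from BIND-style RPZ rewrite log lines.

Added example, not Infoblox code. The log layout below approximates BIND's
'rpz' logging category; field positions are an assumption.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not captured from a real system). One
# ordinary query-log line is mixed in to show that it is ignored.
SAMPLE_LOG = """\
07-Aug-2015 09:12:01.102 client 10.20.30.41#51234 (cnc.bad-example.net): rpz QNAME NXDOMAIN rewrite cnc.bad-example.net via cnc.bad-example.net.rpz.infoblox.local
07-Aug-2015 09:12:07.455 client 10.20.30.41#51240 (cnc.bad-example.net): rpz QNAME NXDOMAIN rewrite cnc.bad-example.net via cnc.bad-example.net.rpz.infoblox.local
07-Aug-2015 09:13:44.009 client 10.20.30.77#40011 (dl.malware-example.org): rpz QNAME CNAME rewrite dl.malware-example.org via dl.malware-example.org.rpz.infoblox.local
07-Aug-2015 09:15:02.310 client 10.20.30.41#51301 (dl.malware-example.org): rpz QNAME NXDOMAIN rewrite dl.malware-example.org via dl.malware-example.org.rpz.infoblox.local
07-Aug-2015 09:16:59.871 client 10.20.30.99#33100 (www.example.com): query: www.example.com IN A + (10.20.30.1)
07-Aug-2015 10:01:13.000 client 10.20.30.41#51999 (exfil.bad-example.net): rpz QNAME NXDOMAIN rewrite exfil.bad-example.net via exfil.bad-example.net.rpz.infoblox.local
"""

# Assumed line shape: timestamp, optional "category: severity:", client
# address#port with optional "@0x..." pointer, qname in parentheses, then
# "rpz <trigger> <action> rewrite <name> via <rpz zone>".
RPZ_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?:\S+: \w+: )?"
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite (?P<domain>\S+) via (?P<rpz>\S+)$"
)


def parse_rpz_hits(log_text):
    """Return one record per RPZ rewrite line; all other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = RPZ_LINE.match(line.strip())
        if not m:
            continue  # ordinary query log line or unrelated message
        hits.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "client": m["client"],
            "qname": m["qname"].rstrip("."),
            "trigger": m["trigger"],
            "action": m["action"],
            # newer BIND appends "/TYPE/CLASS" to the rewritten name; drop it
            "domain": m["domain"].split("/")[0].rstrip("."),
            "rpz": m["rpz"],
        })
    return hits


def top_rpz_hits(hits, n=10):
    """Top RPZ Hits: domains ranked by hit count, with first and last seen."""
    by_domain = defaultdict(list)
    for h in hits:
        by_domain[h["domain"]].append(h["ts"])
    rows = [(d, len(ts), min(ts), max(ts)) for d, ts in by_domain.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:n]


def top_rpz_hits_by_client(hits):
    """Top RPZ Hits by Client: for each client, which RPZ domains, how often."""
    table = defaultdict(Counter)
    for h in hits:
        table[h["client"]][h["domain"]] += 1
    return dict(table)


def top_infected_clients(hits, n=10):
    """Top Infected Clients: clients ranked by total RPZ hits, then by the
    number of distinct malicious domains they tried to reach."""
    totals = Counter(h["client"] for h in hits)
    distinct = defaultdict(set)
    for h in hits:
        distinct[h["client"]].add(h["domain"])
    rows = [(c, totals[c], len(distinct[c])) for c in totals]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows[:n]


if __name__ == "__main__":
    hits = parse_rpz_hits(SAMPLE_LOG)
    print("Top RPZ hits")
    for domain, count, first, last in top_rpz_hits(hits):
        print(f"  {domain:26} {count:3}  {first:%H:%M:%S} .. {last:%H:%M:%S}")
    print("Top infected clients")
    for client, total, ndom in top_infected_clients(hits):
        print(f"  {client:15} hits={total} distinct_domains={ndom}")
    print("Hits by client")
    for client, doms in top_rpz_hits_by_client(hits).items():
        print(f"  {client}: {dict(doms)}")
```

Ranking infected clients by distinct malicious domains as a tie-breaker, not only by raw hit count, keeps a single
chatty beacon from outranking a host that is reaching several different command-and-control and download domains;
the latter is usually the better first target for cleanup. Note that RPZ log lines identify the resolver's client,
so behind a forwarding resolver or NAT the "client" is the intermediate device, which is why the report pairs the
address with DHCP lease and Active Directory user history.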
Figure 2: DNS Top RPZ Hits report
Figure 3: DNS Top RPZ Hits report
Figure 4: DNS Top RPZ Hits by Client report
Figure 5: Top Malicious Activity by Client report
Figure 6: Top Malicious Activity by Client report
Figure 7: Top DNS Firewall Hits report
The Sooner You Know How Infected You Are, the Sooner You Can Take Action
Detecting malware and APTs before they cause damage is key. Download your free evaluation now, and then contact
us to find out how the full version of DNS Firewall can take you beyond detection and enable you to block
communications from infected clients to botnet controllers.
About Infoblox
Infoblox (NYSE:BLOX), headquartered in Santa Clara, California, delivers network control solutions, the fundamental technology that
connects end users, devices, and networks. These solutions enable more than 7,000 enterprises and service providers around the
world to transform, secure, and scale complex networks. Infoblox (www.infoblox.com) helps take the burden of complex network control
out of human hands, reduce costs, and increase security, accuracy, and uptime.
Corporate Headquarters:
+1.408.986.4000
1.866.463.6256 (toll-free, U.S. and Canada)
info@infoblox.com
www.infoblox.com