Network firewalls were created to block unauthorized content and code from the network while ensuring the unimpeded flow of data packets vital to the operations of the enterprise. But they were designed to intercept external incursion, not prevent security issues inside the network.
“As server virtualization has increased in popularity, the amount of traffic moving laterally across the data center (East-West) has dwarfed traditional client-server traffic, which moves in and out (North-South),” industry analyst Zeus Kerravala writes in Network World. “This is playing havoc with data center managers as they attempt to meet the demands of this era of IT.”
Firewalls are conceptually sound, but their execution often leaves network and security teams scrambling to patch flaws and fix mistakes that hackers have already discovered and exploited. Worse, once malicious traffic such as malware enters the network, it may have unimpeded access to that “East-West” traffic inside the network.
Firewalls are critical to any layered defense. An estimated 80% of enterprises have deployed next-generation firewalls (NGFWs) that combine deep packet inspection with intrusion detection and the ability to examine encrypted traffic. Many employ DNS firewalls aimed at preventing users or servers on the network from connecting to known or suspect public internet addresses outside the network. But most such defenses have a blind spot when it comes to DNS queries inside the network.
“The DNS firewall only sees a query and response from the DNS server, normally in the DMZ, that either forwards to DNS services (Google, ISP), or queries public DNS directly,” explains Andrew Wertkin, chief product and technology officer for BlueCat. “It then compares that query/response against a blacklist of known entities harmful to the organization. Policies that may be in place only block queries already identified as unacceptable. Nothing more.”
But hackers have a field day probing for gaps in network defenses in order to plant malware. The vast majority of malware uses the DNS protocol for command and control, data exfiltration, and to deliver malicious payloads onto a network undetected. And employees are increasingly bringing devices into the network that may have been infected outside of it. Once inside the network, these rogue programs too often spread from device to device undetected, taking advantage of east-west flows.
Implementing separate firewalls at every east-west juncture would be prohibitively costly and would add to management complexity. Enterprises can fight back, though. The massive volume of DNS queries and responses crossing every network provides data that can be used to detect, mitigate and eliminate malware that exploits DNS. Cybersecurity teams can use that data to investigate incidents, uncover lateral movement, and identify the first endpoint that was infected.
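The two points above, that a DMZ DNS firewall sees only the forwarding resolver and not the real client, and that internal query logs can reveal lateral movement and the first infected endpoint, can be shown together over a small log. The following is an added example, not BlueCat's code or product logic; the log format (timestamp, client IP, query name, response code), the addresses, the domain names and the blocklist are all constructed for illustration.

```python
"""Added example (not BlueCat's code): correlating internal DNS resolver
logs to find lateral movement and the first infected endpoint, and
contrasting that with what a DMZ DNS firewall can see.

Everything below is constructed: the log format is hypothetical
("<ISO timestamp> <client_ip> <qname> <rcode>"), and the IPs, domains and
blocklist are placeholders rather than real indicators.
"""
from collections import defaultdict
from datetime import datetime

# Constructed blocklist, standing in for the threat feed a DNS firewall
# compares each query/response against.
BLOCKLIST = {"bad-c2.example", "evil-drop.example"}

# Constructed log as recorded by the INTERNAL resolver: the real client
# address is visible for every query.
INTERNAL_RESOLVER_LOG = """\
2024-03-01T09:00:01 10.0.1.20 www.example.com NOERROR
2024-03-01T09:00:05 10.0.1.20 bad-c2.example NOERROR
2024-03-01T09:01:10 10.0.1.31 www.example.com NOERROR
2024-03-01T09:02:00 10.0.1.31 bad-c2.example NOERROR
2024-03-01T09:03:15 10.0.2.44 bad-c2.example NOERROR
2024-03-01T09:04:00 10.0.2.44 evil-drop.example NXDOMAIN
"""

# Address of the internal resolver that forwards to the DMZ (constructed).
RESOLVER_IP = "10.0.0.53"


def parse_log(text):
    """Parse the constructed log format into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
        })
    return sorted(records, key=lambda r: r["ts"])


def as_seen_from_dmz(records, resolver_ip=RESOLVER_IP):
    """Model the DMZ DNS firewall's view: after the internal resolver
    forwards upstream, every query appears to come from the resolver,
    so per-endpoint attribution is lost."""
    return [dict(r, client=resolver_ip) for r in records]


def flagged_queries(records, blocklist=BLOCKLIST):
    """The blocklist check a DNS firewall performs: queries whose name is
    a blocklisted domain or a subdomain of one."""
    def is_blocked(qname):
        return any(qname == d or qname.endswith("." + d) for d in blocklist)
    return [r for r in records if is_blocked(r["qname"])]


def clients_per_domain(records):
    """Distinct clients per flagged domain, in order of first query.
    The first entry is the earliest endpoint seen asking for that name;
    later entries indicate east-west spread to further endpoints."""
    seen = defaultdict(list)
    for r in flagged_queries(records):
        if r["client"] not in seen[r["qname"]]:
            seen[r["qname"]].append(r["client"])
    return dict(seen)


def first_infected(records):
    """Earliest client to query any blocklisted name, or None if no hit."""
    hits = flagged_queries(records)
    if not hits:
        return None
    first = hits[0]
    return first["client"], first["ts"].isoformat(), first["qname"]


if __name__ == "__main__":
    internal = parse_log(INTERNAL_RESOLVER_LOG)
    print("internal resolver view:", clients_per_domain(internal))
    print("first infected endpoint:", first_infected(internal))
    # The same queries from the DMZ firewall's vantage point.
    print("DMZ firewall view:", clients_per_domain(as_seen_from_dmz(internal)))
```

Run against the internal resolver log, the output names 10.0.1.20 as the first endpoint to query the blocklisted name and lists two further endpoints that followed it; run against the DMZ view of the same traffic, every hit collapses to the resolver's address, which is the blind spot the article describes.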
Enterprises have already invested in DNS infrastructure, so it makes sense to leverage its queries and responses to gain visibility, control and detection capability over what is going on inside your network.
About BlueCat
BlueCat is the Enterprise DNS Company™. The largest global enterprises trust BlueCat to provide the foundation for digital transformation strategies such as cloud migration, virtualization and security. Our innovative Enterprise DNS solutions portfolio, comprised of BlueCat DNS Integrity™ and BlueCat DNS Edge™, enables the centralization and automation of DNS services and the ability to leverage valuable DNS data for significantly increased control, compliance and security. For more information, please visit http://www.bluecatnetworks.com/.