Architecting Scalable Security for NREN (National Research and Education Networks)

The Problem

Internet connectivity facilitates the transfer of knowledge. Educational institutions therefore provide Internet access to scholars of all ages through National Research and Education Networks (NRENs). Internet access not only opens up a wealth of information and data but also exposes users to risks. NRENs have to protect their scholars while still providing access to relevant Internet content and services.

With traditional protection based on DPI (Deep Packet Inspection), scalability becomes an issue: DPI capacity scales linearly with the data volume. Even where enough DPI capacity could be deployed to filter all traffic, budget constraints then often surface and become an obstacle to deployment.

Solution

NRENs can deliver cost-effective protection with Infoblox by leveraging the scalability and pervasiveness of DNS. DNS can be seen as the signaling path, which carries far less volume than the data path. The Infoblox solution is therefore more efficient than DPI without reducing effectiveness.

Infoblox offers DNS-based Security Services that include enhanced security and content filtering capabilities. Optionally, the solution includes a Multi Service Proxy (MSP) for URL inspection or content injection after verification in DNS. The solution is very efficient because the bulk of the inspection is done at DNS level. In general, only a small percentage of the traffic is sent to the MSP for further inspection, and organizations can decide not to deploy an MSP at all.

Characteristics

Since the solution leverages existing network infrastructure, no software is required on the student equipment.

Threat and content intelligence are provided by Infoblox and delivered as feeds. The high-quality feeds are fully supported by Infoblox and updated regularly.

Policies can be defined based on the feed categories. The selected policies are then enforced at the Infoblox caching DNS appliance. Policies can be enforced for the entire population, or the population can be divided into groups, each with its own policy.

The DNS-based Security Services are delivered by enabling Infoblox VAS capabilities on top of the Infoblox secure DNS platform. If further inspection is required, the DNS server can optionally redirect the client to a Multi Service Proxy (MSP).

The Infoblox solution uses reputational data feeds based on the industry-standard RPZ (Response Policy Zone) mechanism to detect malicious behavior. Content categorization feeds can also be applied at DNS level and at MSP proxy level. Infoblox also leverages behavioral analytics and machine learning to detect zero-day threats such as DNS data exfiltration, domain generation algorithms (DGA), fast flux, and fileless malware.

The solution can identify infected devices that are trying to connect to malicious domains and can enforce policies based on individual users and devices. The operator can take proper action because each violation is logged together with the subscriber data received from subscriber edge devices via RADIUS Accounting messages (e.g. IMSI, IMEI, MSISDN, and other identifiers in the RADIUS record). That makes the logging actionable: the operator can identify the specific device and take targeted remediation action.

The service is delivered from the network. An on-premises deployment can be centrally managed or distributed; SaaS service delivery is also a possibility.

Service Delivery: Secure Ubiquitous Platform

Infoblox brings a highly resilient, distributed approach to security. Infoblox DNS servers are robust and secure, with highly automated and centralized management via the Infoblox Grid™. The Grid offers automated failover, eases upgrades, and avoids the constant manual, hands-on care needed to patch and upgrade DDI software and server hardware on a machine-by-machine basis.

Infoblox's purpose-built DNS caching server offers the industry's highest DNS caching performance, while also conveying all of the associated management and resiliency benefits of the Infoblox Grid™.

Infoblox has added protection against botnets, malware and other threats to the portfolio. The protection is delivered through dynamic and static whitelists and blacklists implemented on the caching DNS platform. The caching DNS then enforces the security policy defined by the ISP. Blacklists can be obtained from Infoblox and blended with local black- and whitelists for comprehensive security.

Infoblox Advanced DNS Protection delivers a unique approach to protection against DNS-based attacks. Unlike approaches that rely on infrastructure over-provisioning or simple response rate limiting, Advanced DNS Protection intelligently detects DNS attacks and automatically drops malicious DNS traffic while continuing to respond to legitimate traffic. In addition, Advanced DNS Protection receives automatic updates, delivering ongoing protection against new and emerging attacks as they happen. Infoblox is the first and only vendor to offer this unique solution for superior protection of your critical DNS services.

The reference architecture is described here:

https://community.infoblox.com/t5/Best-Practices/Using-Anycast-in-Infoblox-DNS-Reference-Architectur...

Extending Content Protection on the Secure Platform

The secure platform can be expanded with a Multi Service Proxy (MSP). When URL or content inspection is required, the DNS server can redirect the client to the MSP. The MSP can also be used to enforce time-based constraints and to inject content.

Administration

The data model fits educational organizations very well. Students can be members of a group, and a policy can be applied to a group. A policy can cover the types of defense against malware and other network threats, but also the allowed content (such as alcohol, drugs, violence, etc.). A group can be based on age or on other properties (such as the type of study). The operator is free to use the group concept as the need dictates.

The simplest configuration is a blanket policy applied to everyone. This corresponds to the case where everyone is in fact in one group and no further distinction has to be made. The system is flexible enough to define a policy per student based on the RADIUS identity.

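As an added illustration of the model described in the Characteristics and Administration sections (not Infoblox code or configuration from this post), the toy evaluator below matches a query against RPZ-style category feeds under a per-group policy, returns the RPZ action (NXDOMAIN, drop, or redirect to an MSP), and emits a violation log carrying the RADIUS-derived identifiers; the feed contents, zone names, group names and subscriber identifiers are all constructed.

```python
# Added toy evaluator, not Infoblox code: RPZ-style triggers per category, per-group
# policy, and violation logs carrying RADIUS-derived identifiers. All data constructed.
# RPZ CNAME target semantics: "." = NXDOMAIN, "*." = NODATA, "rpz-drop." = drop,
# "rpz-passthru." = allow; any other name is local data, i.e. a redirect.
FEEDS = {  # category -> (QNAME trigger, CNAME target); "*.x" matches subdomains of x
    "malware": [("bad.example.", "."), ("*.bad.example.", "."), ("c2.example.", "rpz-drop.")],
    "adult": [("adult.example.", "msp.example."), ("*.adult.example.", "msp.example.")],
    "alcohol": [("beer.example.", "msp.example.")],
}
GROUP_POLICY = {  # malware blocking for everyone, content categories by age band
    "group-under-16": ["malware", "adult", "alcohol"],
    "group-16-plus": ["malware", "adult"],
    "staff": ["malware"],
}
# Constructed identifiers as they would arrive in a RADIUS Accounting record.
SUBSCRIBER = {"IMSI": "001010123456789", "IMEI": "490154203237518", "MSISDN": "+33600000000"}

def rpz_action(target):
    """Map an RPZ CNAME target to the resolver action it encodes."""
    return {".": "NXDOMAIN", "*.": "NODATA", "rpz-drop.": "DROP",
            "rpz-passthru.": "PASSTHRU"}.get(target, "REDIRECT")

def match_trigger(qname, trigger):
    """RPZ QNAME match: exact name, or '*.x' matching proper subdomains of x only."""
    if trigger.startswith("*."):
        return qname != trigger[2:] and qname.endswith("." + trigger[2:])
    return qname == trigger

def evaluate(qname, group, subscriber):
    """Decide one query for one subscriber; an exact trigger beats a wildcard one."""
    qname = qname.lower().rstrip(".") + "."
    best = None
    for category in GROUP_POLICY.get(group, ["malware"]):  # unknown group: blanket policy
        for trigger, target in FEEDS[category]:
            if match_trigger(qname, trigger):
                rank = (not trigger.startswith("*."), trigger.count("."))
                if best is None or rank > best[0]:
                    best = (rank, category, trigger, target)
    if best is None:
        return {"qname": qname, "action": "PASSTHRU", "log": None}
    _, category, trigger, target = best
    action = rpz_action(target)
    # Log with subscriber identifiers (not just a source IP) so the device can be located.
    log = {"qname": qname, "category": category, "trigger": trigger, "action": action,
           "group": group, **{k: subscriber.get(k) for k in ("IMSI", "IMEI", "MSISDN")}}
    result = {"qname": qname, "action": action, "category": category, "log": log}
    if action == "REDIRECT":
        result["redirect_to"] = target  # e.g. the MSP for URL-level inspection
    return result
```
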
Conclusion

National Research and Education Networks should consider DNS as a line of defense to protect their users and sensitive academic data. The solution is efficient and effective. Infoblox can provide the reputational content feeds, real-time analytics, the DNS enforcement platform and the optional Multi Service Proxy for content inspection. The end-to-end solution, from content feeds to MSP, can be delivered with fully supported Infoblox products.


Comments
Moderator Dave_Signori
on ‎01-21-2019 01:44 PM

Ah, Anton lives in France. In the States, that second policy would have to be for "Group 21 Year". :-)
