
Block connections when no DNS query was performed

Authority
Posts: 18

Hi,


RPZs are a great idea and for sure can remediate a lot of threats. Still, villains out there ain't stupid, so when this protection becomes more popular they will adjust and change their approach for outbound communication.

One of the ways is to avoid DNS queries and use direct IP connections (so code will for example contain pool of possible IPs, or some algorithm to generate appropriate IPs).

Then RPZ protection will fail, but smart integration between Infoblox and the security ecosystem can still be used here - at least I think so.

The process could look more or less like this:

A security device (NGFW, IDS/IPS, etc.) receives a request for an outbound connection to some IP.

The device checks with Infoblox via an API call whether a DNS query was performed for this IP.

If there was not (sure, it should be smart enough to take into account DNS record TTLs and client DNS cache settings), an event is raised.

Then any appropriate actions can be performed - like trying to figure out who sent the request (based on IP/MAC), whether there is any threat info about the destination IP, and so on.

I wonder if it would be possible with the Infoblox WAPI or Outbound API, and if some starting-point examples exist?

Piotr
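An added example of the correlation step described in this post; it is not code from the original thread and not Infoblox code. It takes constructed resolver and firewall log lines, keeps each client's resolved IPs valid for the record's TTL plus an assumed client-cache grace period, and flags outbound connections whose destination that client never resolved or resolved too long ago. The log formats, the CLIENT_CACHE_GRACE value, the internal network list and all function names are assumptions; the actual Infoblox WAPI/Outbound API call is not shown, the resolver log stands in for it.

```python
"""Flag outbound connections with no preceding DNS resolution.

Constructed example: the resolver and firewall log lines below are made up,
the line formats are ours (not any vendor's), and CLIENT_CACHE_GRACE is an
assumed allowance for client-side DNS caching.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed resolver log: ts client qname qtype answer ttl=N
DNS_LOG = """\
1700000000 10.0.0.5 www.example.com A 93.184.216.34 ttl=300
1700000010 10.0.0.7 updates.example.net A 203.0.113.10 ttl=60
"""

# Constructed firewall log: ts src_ip dst_ip dst_port
CONN_LOG = """\
1700000005 10.0.0.5 93.184.216.34 443
1700000100 10.0.0.7 203.0.113.10 443
1700000200 10.0.0.9 198.51.100.77 8443
1700000500 10.0.0.7 203.0.113.10 443
"""

CLIENT_CACHE_GRACE = 120  # assumed seconds a client may keep a stale answer
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]  # assumed internal ranges


@dataclass
class Resolution:
    client: str
    qname: str
    seen: int      # when the answer was handed out
    expires: int   # seen + TTL + client-cache grace


def parse_dns_log(text: str) -> Dict[str, List[Resolution]]:
    """Index A-record answers by IP so connections can be looked up by destination."""
    table: Dict[str, List[Resolution]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, answer, ttl = line.split()
        if qtype != "A":
            continue
        seen = int(ts)
        expires = seen + int(ttl.split("=", 1)[1]) + CLIENT_CACHE_GRACE
        table.setdefault(answer, []).append(Resolution(client, qname, seen, expires))
    return table


def resolved_by(table: Dict[str, List[Resolution]], ip: str, client: str, ts: int) -> Optional[str]:
    """Return the name this client resolved to `ip`, if that answer was still usable at `ts`."""
    for r in table.get(ip, []):
        if r.client == client and r.seen <= ts <= r.expires:
            return r.qname
    return None


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unresolved_connections(dns_text: str, conn_text: str) -> List[Tuple[int, str, str, int]]:
    """Return (ts, client, dst_ip, port) for external connections with no valid prior resolution."""
    table = parse_dns_log(dns_text)
    flagged: List[Tuple[int, str, str, int]] = []
    for line in conn_text.splitlines():
        if not line.strip():
            continue
        ts_str, client, dst, port = line.split()
        ts = int(ts_str)
        if is_internal(dst):
            continue  # only outbound traffic matters for this check
        if resolved_by(table, dst, client, ts) is None:
            flagged.append((ts, client, dst, int(port)))
    return flagged


if __name__ == "__main__":
    for ts, client, dst, port in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"{ts} {client} -> {dst}:{port} has no valid DNS resolution by this client")
```

Two of the constructed connections are flagged: 10.0.0.9 never resolved anything, and 10.0.0.7's second connection at 1700000500 falls outside the 60-second TTL plus the 120-second grace of its earlier answer. The match is per client on purpose, since another host having resolved the name says nothing about this one; in a real deployment the grace period should be tuned to observed client cache behaviour, and gaps in DNS logging will show up as false positives.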


Re: Block connections when no DNS query was performed

pqian
Techie
Posts: 7

If you are concerned about IP-related hacking techniques, for example fast flux (a pool of possible IPs, or some algorithm to generate appropriate IPs, as you mentioned), we have ways to detect those IPs, and then those IPs can be sent to IP-based protection systems, for example firewalls. Would love to hear more details of your use case.


@dragonflymr wrote:

Hi,

RPZs are a great idea and for sure can remediate a lot of threats. Still, villains out there ain't stupid, so when this protection becomes more popular they will adjust and change their approach for outbound communication.

One of the ways is to avoid DNS queries and use direct IP connections (so code will for example contain pool of possible IPs, or some algorithm to generate appropriate IPs).

Then RPZ protection will fail, but smart integration between Infoblox and the security ecosystem can still be used here - at least I think so.

The process could look more or less like this:

A security device (NGFW, IDS/IPS, etc.) receives a request for an outbound connection to some IP.

The device checks with Infoblox via an API call whether a DNS query was performed for this IP.

If there was not (sure, it should be smart enough to take into account DNS record TTLs and client DNS cache settings), an event is raised.

Then any appropriate actions can be performed - like trying to figure out who sent the request (based on IP/MAC), whether there is any threat info about the destination IP, and so on.

I wonder if it would be possible with the Infoblox WAPI or Outbound API, and if some starting-point examples exist?

Piotr
