Gestión del dns
Páginas: 9 (2176 palabras)
Publicado: 11 de junio de 2011
Improved network security with IP and DNS reputation
Business white paper
Table of contents
Introduction ............................................................3 Understanding today’s network security threats ..........3 Categories of cyber threats .....................................3 “Bad” devices .........................................................4 Device reputation, acritical first step ..........................6 Why TippingPoint IP and DNS reputation services? .......6 Full, powerful protection ...........................................7 Your next step .........................................................7
Introduction
Understanding today’s network security threats
As cyber threats across the globe continue to increase in number and sophistication,security and networking personnel must not only work harder but also smarter to stay ahead of malicious attacks. Sophisticated scanning, penetrating, and obfuscating tools and techniques are more widely available now more than ever before. Worst of all, hackers are now highly motivated to penetrate networks, applications, and databases to steal information that can quickly be sold for profit usingbotnets and other resources they control. The problem is compounded by the low risk of being caught; the risk of prosecution is even lower. How would a botnet attack crafted by a Romanian teenager using a machine in Bolivia to attack a bank server in the U.S. be traced? And even if a trace were possible, what law enforcement agency would be likely to understand the nature of the crime, let alonehelp prosecute it? In the meantime, a company might find itself on the front page of a national newspaper—for less than positive reasons.
Categories of cyber threats
A common first line of defense is identifying the types of traffic on the enterprise network. For the purposes of this white paper, they are broken down into the following three high-level categories: 1. Known “Good Traffic”—trustedtraffic that should pass through the network, unimpeded and uninspected 2. Known “Bad Traffic”—traffic that should be blocked proactively before it can attempt to compromise the network 3. Unknown or “Ugly Traffic”—untrusted traffic that requires deep packet inspection to determine if it is “good” (legitimate) or “bad” (malicious)
3
“Bad” devices
To stay ahead of today’s onslaught ofthreats, enterprises can identify known “bad” devices based on IP or DNS addresses and block the traffic they spew. These devices, existing in large quantities, are:
Botnet Command and Control (CnC) sites:
compromised because they haven’t been properly secured. These sites are trusted and typically visited by large numbers of users, allowing the malware on them to spread much faster. These depotscan also be used as botnet drop sites, and for hosting malware software updates. However, unlike the botnet CnC sites, the lookup mechanism for these depots is almost always the DNS name and not the IP address. Therefore, identification involves: (1) monitoring for malware downloads and tracking their origin, and (2) evaluating data hosting sites worldwide.
Phishing sites: There are approximately50,0004
It’s estimated that there are 5,000 to 6,000 botnet command and control sites worldwide on any given day1. If communications with their compromised hosts or bot army could be identified and stopped, their effectiveness would be seriously reduced. Unfortunately, this can be extremely challenging—botnet CnC servers are constantly moving to evade detection and blocking efforts fromsecurity and network personnel. In fact, botnet masters, those individuals who control and manage a botnet network, use a variety of techniques to avoid being discovered: • To communicate with their bots, bot masters use standard channels such as IRC, P2P, and HTTP traffic—including Twitter and instant messaging. This allows them to bypass traditional firewalls and some intrusion prevention system...
Business white paper
Table of contents
Introduction ............................................................3 Understanding today’s network security threats ..........3 Categories of cyber threats .....................................3 “Bad” devices .........................................................4 Device reputation, acritical first step ..........................6 Why TippingPoint IP and DNS reputation services? .......6 Full, powerful protection ...........................................7 Your next step .........................................................7
Introduction
Understanding today’s network security threats
As cyber threats across the globe continue to increase in number and sophistication,security and networking personnel must not only work harder but also smarter to stay ahead of malicious attacks. Sophisticated scanning, penetrating, and obfuscating tools and techniques are more widely available now more than ever before. Worst of all, hackers are now highly motivated to penetrate networks, applications, and databases to steal information that can quickly be sold for profit usingbotnets and other resources they control. The problem is compounded by the low risk of being caught; the risk of prosecution is even lower. How would a botnet attack crafted by a Romanian teenager using a machine in Bolivia to attack a bank server in the U.S. be traced? And even if a trace were possible, what law enforcement agency would be likely to understand the nature of the crime, let alonehelp prosecute it? In the meantime, a company might find itself on the front page of a national newspaper—for less than positive reasons.
Categories of cyber threats
A common first line of defense is identifying the types of traffic on the enterprise network. For the purposes of this white paper, they are broken down into the following three high-level categories: 1. Known “Good Traffic”—trustedtraffic that should pass through the network, unimpeded and uninspected 2. Known “Bad Traffic”—traffic that should be blocked proactively before it can attempt to compromise the network 3. Unknown or “Ugly Traffic”—untrusted traffic that requires deep packet inspection to determine if it is “good” (legitimate) or “bad” (malicious)
3
“Bad” devices
To stay ahead of today’s onslaught ofthreats, enterprises can identify known “bad” devices based on IP or DNS addresses and block the traffic they spew. These devices, existing in large quantities, are:
Botnet Command and Control (CnC) sites:
compromised because they haven’t been properly secured. These sites are trusted and typically visited by large numbers of users, allowing the malware on them to spread much faster. These depotscan also be used as botnet drop sites, and for hosting malware software updates. However, unlike the botnet CnC sites, the lookup mechanism for these depots is almost always the DNS name and not the IP address. Therefore, identification involves: (1) monitoring for malware downloads and tracking their origin, and (2) evaluating data hosting sites worldwide.
Phishing sites: There are approximately50,0004
It’s estimated that there are 5,000 to 6,000 botnet command and control sites worldwide on any given day1. If communications with their compromised hosts or bot army could be identified and stopped, their effectiveness would be seriously reduced. Unfortunately, this can be extremely challenging—botnet CnC servers are constantly moving to evade detection and blocking efforts fromsecurity and network personnel. In fact, botnet masters, those individuals who control and manage a botnet network, use a variety of techniques to avoid being discovered: • To communicate with their bots, bot masters use standard channels such as IRC, P2P, and HTTP traffic—including Twitter and instant messaging. This allows them to bypass traditional firewalls and some intrusion prevention system...
Leer documento completo
Regístrate para leer el documento completo.