While DHCP and DNS servers are critical to proper network operation, they’ve long been considered innocuous from a security standpoint. But unless you’re monitoring these protocols, your network could become compromised. Protect your network from these attacks with Cygna Radar.
Actionable threat detection
Cygna Radar is available as a standard appliance package which you can load in the VitalQIP Appliance Management Systems (AMS) and distribute to deployed QIP appliances. Detected DNS tunnels are summarized for viewing in the Radar user interface, with the severity indicating the level of confidence in the detection. Individual tunnels may be managed to modify severities, to set an expiration time after which the response policy is removed from the server, or to change the RPZ policy for the suspected tunnel in accordance with standard RPZ policies.
Advanced threat mitigation
Advanced Persistent Threats that attempt to exfiltrate sensitive data via DNS, threatening the integrity of your network and data, can be detected and shut down rapidly. Malware installed on an internal device may attempt to exfiltrate sensitive data using the DNS protocol. Cygna Radar detects DNS tunnels and adds them to the block list of the server's response policy zone (RPZ) associated with Radar, so that tunnel packets are dropped. Such blocked tunnels can be viewed and managed using Cygna Radar's web graphical interface.
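As an added illustration of the detect-then-block flow described above (this is not Cygna Radar's own detection logic, which the page does not describe): a Python script that scores constructed DNS query records using common tunnel indicators (unusually long labels, high-entropy labels, data-carrying record types), reports domains that accumulate several suspicious queries, and renders the RPZ records that return NXDOMAIN for the domain and everything under it. The sample queries, the thresholds, and the two-label registrable-domain rule are assumptions chosen for this example.

```python
"""Heuristic DNS-tunnel detector that emits RPZ block records.

Added illustration only: the scoring rules, thresholds and sample log lines
below are assumptions chosen for this example, not Cygna Radar's algorithm.
"""
import math
from collections import defaultdict

# Constructed sample of DNS query records: (client IP, query name, query type).
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.9", "static-content-delivery-01.cdn.example.net", "A"),
    ("10.0.0.7", "3f9a1c7e2b8d4a6f0c5e9b1d7a3f8c2e4b6d8f0a.exfil-test.invalid", "TXT"),
    ("10.0.0.7", "9c2e4b6d8f0a3f9a1c7e2b8d4a6f0c5e1d7a3f8c.exfil-test.invalid", "TXT"),
    ("10.0.0.7", "1d7a3f8c2e4b6d8f0a3f9a1c7e2b8d4a6f0c5e9b.exfil-test.invalid", "TXT"),
    ("10.0.0.7", "ns1.exfil-test.invalid", "A"),
]

LONG_LABEL = 30        # assumed threshold: hostname labels this long are rare in normal traffic
ENTROPY_MIN_LEN = 20   # only judge entropy on labels long enough for it to mean something
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed threshold
DATA_CARRYING_TYPES = {"TXT", "NULL", "CNAME"}  # record types tunnels favour for the return channel


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain labels, registrable domain).

    Assumption for this example: the registrable domain is the last two labels.
    A real deployment would consult the Public Suffix List (e.g. for co.uk).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return [], qname.lower()
    return labels[:-2], ".".join(labels[-2:])


def score_query(qname: str, qtype: str) -> int:
    """Count the tunnel indicators present in one query (0 to 3)."""
    sub_labels, _ = split_name(qname)
    score = 0
    if any(len(label) > LONG_LABEL for label in sub_labels):
        score += 1
    if any(len(label) >= ENTROPY_MIN_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD
           for label in sub_labels):
        score += 1
    if qtype.upper() in DATA_CARRYING_TYPES:
        score += 1
    return score


def detect_tunnels(queries, min_score=2, min_queries=3):
    """Group suspicious queries by registrable domain.

    A domain is reported only when at least `min_queries` of its queries score
    `min_score` or higher, so a single odd lookup does not trigger a block.
    """
    hits = defaultdict(list)
    for client, qname, qtype in queries:
        s = score_query(qname, qtype)
        if s >= min_score:
            _, domain = split_name(qname)
            hits[domain].append((client, s))
    return {
        domain: {"queries": len(rows),
                 "clients": sorted({c for c, _ in rows}),
                 "max_score": max(s for _, s in rows)}
        for domain, rows in hits.items() if len(rows) >= min_queries
    }


def rpz_records(domains) -> list:
    """Render RPZ records that answer NXDOMAIN for a domain and its subdomains.

    In RPZ, a CNAME pointing at "." is the NXDOMAIN action; the wildcard entry
    covers the per-query subdomains a tunnel generates.
    """
    records = []
    for domain in sorted(domains):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


if __name__ == "__main__":
    found = detect_tunnels(SAMPLE_QUERIES)
    for domain, info in found.items():
        print(f"suspected tunnel: {domain} {info}")
    print("\n".join(rpz_records(found)))
```

The per-domain query count is what keeps the long, high-entropy but legitimate CDN hostname in the sample from being blocked: it scores one indicator at most, while each tunnel query trips both the long-label and the record-type checks and the domain accumulates three such hits. In a deployment, the emitted records would be loaded into the resolver's RPZ with the policy (and expiry) an operator chooses, mirroring the severity and expiration controls the page describes.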
Visibility and reporting
The Cygna Radar package is installed on your VitalQIP DNS and DHCP appliances. Transaction data can be viewed centrally through the Cygna Radar central server software. Access one or more appliance nodes to view DHCP and DNS transactions for analysis. You can also filter DHCP data by IP address, MAC address, DHCP Unique Identifier (DUID), Identity Association Identifier (IAID), FQDN and message type, and DNS data by client or server IP address, port, protocol, or pairwise connections, among other attributes.
SIEM Logging and Filtering
Cygna Radar enables logging of the DHCP and DNS transactions to a third-party SIEM system for correlation and persistent storage within the SIEM system. You may also filter logged traffic based on message types, for example to reduce the expenses associated with the volume of data transmitted to and stored in the SIEM.