Open Your Eyes to Better Network Security
Jun 21, 2022
Let’s face it, your business relies on your network. From email to web browsing, and video meetings to chats, your network is indispensable to the usability of these applications that facilitate fundamental work functions like collaboration, communication, education and sales. Your network is mission-critical and the performance and availability of your network is paramount. Recognizing this, many organizations actively manage and monitor their networks in order to detect performance degradations and outages on network links, routers, switches and computing infrastructure. Such proactive monitoring affords an early warning system for teams responsible for network uptime and performance to identify and begin troubleshooting issues, not to mention potential security events, before network users are affected. Deployed redundancy of links and infrastructure can provide uninterrupted performance from the end user perspective, while allowing time for troubleshooting teams to rectify the situation.
Surprisingly, some of these same organizations fail to apply the same discipline to monitoring DHCP and DNS servers, which are equally mission-critical network services given their fundamental roles of network admittance via DHCP and navigability through DNS. If a user cannot access your network due to a DHCP issue, it won’t matter how perfectly the network runs. Likewise, if DNS resolution malfunctions, user frustration would also taint perceptions of your otherwise well-managed network. I’d certainly advise you to apply the same monitoring, management and resiliency functions to DHCP and DNS if you don’t already.
But beyond these foundations of redundancy deployment and status monitoring, DHCP and DNS in particular provide a treasure trove of data regarding the devices and application activities across your network. Tracking of requested DHCP options upon bootup, one can ascertain the type of device attempting to connect to your network. This information along with the device’s associated client identifier or MAC address helps to identify what devices of what types are attempting to access your network. You can configure your DHCP servers to filter access attempts and permit or deny access as appropriate. In addition, logging of this information can provide insights on your network and the devices using it. Tracking of devices accessing your network is certainly valuable in helping secure your network. Forensics analysis of DHCP transactions can help narrow down devices and possibly device owners potentially engaged in nefarious activity, e.g., what devices had active leases at the time of a particular event in question.
Going beyond device initialization and access information that DHCP logging can provide, monitoring DNS transactions enables you to track network activity after the device has initialized and while active on your network. Every network connection generally begins with a DNS query to map a desired destination or link into its IP address. Browsing to a website typically spawns several additional DNS queries to locate images, videos, linked pages, ads, affinity sites, etc. Visibility to this information provides valuable information from a security standpoint. Users opening email attachments or otherwise instigating malware downloads generally initiate connections preceded with a DNS query. Devices infected with malware typically also use DNS and can connect to the malware author’s command and control (C2) center for instructions, software updates, or to send sensitive data through DNS tunneling. Malware employing domain generation algorithms (DGAs) to attempt to contact its C2 center based on an algorithmically-determined domain name, e.g., based on the date and time, would query derived domains in search of instructions. Monitoring and logging of all DNS transactions, queries and responses, can help you identify these conditions on your network.
Several log collector tools exist to enable aggregation of DHCP and DNS logs across your network, affording you visibility to logged transactions and events. However, while logging for DHCP transactions is sufficient, logging for DNS on most implementations logs only queries and not query responses. While useful, lack of visibility to query responses hinders your ability to detect and analyze malware query responses, DNS tunneling transactions, and DGA domain access attempts by providing only half of the requisite information. That’s why we’ve developed the Sapphire A30 IPAM Auditor appliance which enables DNS and DHCP packet capture from deployed Sapphire DHCP and DNS appliances.
The IPAM Auditor provides rich graphical reports displaying query and response trends, filtering by various criteria such as queried record types or top talkers, and for transaction drill down to specific DNS query and response packets. Capture of log data such as the response policy zone (RPZ, aka DNS firewall) events provides reporting on potential malware queries, and tracking of not only queries but appliance hardware vital statistics provides visibility to individual and aggregated DHCP and DNS appliance metrics. The IPAM Auditor provides visibility to the status of your mission-critical DHCP and DNS infrastructure, while providing DHCP and DNS transaction summaries, events, and drill downs to the packet level for spot checking, investigative reporting or forensics analysis. Feel free to review our data sheet and please contact me for more information and a demo.