The DNS Firewall: A New Necessary Layer of Defense
Part of IID's DNS Dojo Series
Of the many security measures individuals and companies take to safeguard their computers and networks, the firewall is one of the most common. Personal computer operating systems ship with firewall features, as do many commercial anti-virus suites. The traditional firewall applies “rules” that allow or block traffic to particular “ports” on a computer, usually keyed on IP address ranges. This is an effective technique for preventing communication with known bad IP addresses or over insecure ports, and enabling it is a good first step in safeguarding traffic between a personal computer and the Internet at large. Enterprises should use standard firewalls as well: companies may run software firewalls on individual hosts, but typically large, high-capacity hardware firewalls are deployed at the network’s access points to protect the entire enterprise network.
Whatever the case, controlling incoming and outgoing traffic between networked computers and the Internet is an important piece of the puzzle, but organizations should by no means treat a firewall as comprehensive protection against the many risks they face. That is why enterprise networks carry all manner of additional security gear and systems: they are looking for attackers trying to get past the firewall, or for malware already running inside. There is, however, another kind of “firewall” that is hardly deployed at all, and it can add protection along a completely different vector.
I’ve Got a Traditional Firewall, Why Should I Worry?
A traditional firewall protects a user’s computer by allowing or refusing connections to IP addresses on the Internet according to a rule set positioned in advance by the firewall operator, typically built from past experience, automated threat feeds, and the findings of other security products. Despite the firewall being a nearly ubiquitous element of enterprise security, the number of reported "successful" cyber attacks has grown alarmingly in the past few years. A large part of the reason is that newer attacks take a different approach and circumvent perimeter defenses rather than confronting them. Most attacks no longer depend on fixed IP addresses or ports; attackers move their infrastructure between hosting providers and addresses faster than firewall rules can be updated, and approach from angles the rules cannot anticipate. For instance, attackers lure inattentive users into downloading viruses and worms through email, hit them with drive-by downloads from domain names the attackers control (reached by way of compromised “safe” websites or links embedded in social network postings), and in general create circumstances in which an authorized employee fetches the malware by stepping outside the enterprise’s walls to a malicious site. Firewalls were not designed to protect against these vectors, and the rule updates needed to cover them are large and frequent, which is itself a challenge for firewall technology. Whatever the IP address of the moment, though, the victim’s machine still has to look up the attacker’s domain name before it can connect, and that lookup passes through the enterprise’s DNS resolver.
The firewall is an important component of network security, but it is not the final word on stopping cyber attacks, especially as cyber criminals have increasingly turned to the DNS (domain name system) infrastructure of the Internet to execute their attacks. To protect against those attacks, a DNS firewall such as IID’s ActiveTrust Resolver is needed. A DNS firewall is a secure DNS resolver that applies a comprehensive, continuously updated list of known malicious Internet locations, identified by domain or host name, and refuses to resolve them, so that employee and system connections to malware, advanced persistent threats (APTs), and other nefarious content never get an address to go to, whichever IP address the name happens to point at that day. Using a DNS firewall could save an organization from the large potential costs, both to its reputation and to its bottom line, that would follow a malware compromise and data leakage.
Recent Examples: How a DNS Resolver Can Mitigate Cyber Attack Effects
In late 2009, a Google employee in China clicked on a malicious link in an instant message, setting off a chain of events that led to the infiltration of Google’s network and the theft of data from a number of the search giant’s systems. Once the breach was finally discovered, Google was able to determine the attack’s scope and reach within its network by examining the log files of its DNS resolvers, where the attackers’ movements were readily spotted.
Blocking connections to known malicious Internet locations with a DNS firewall is crucially important to the security of any enterprise. Had Google, or the dozens of other US companies targeted by the same attacks, been using a monitored DNS resolver that blocked connections to dangerous Internet locations, these attacks could have been identified and mitigated at the earliest stage, provided the attackers’ domains were already on the block list. Even a name that was not yet blocked would have left the query in the resolver’s logs, which is exactly the evidence Google used to scope the intrusion after the fact.
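As an added example (not code from IID, the ActiveTrust Resolver, or any other product), the following Python sketches the two mechanisms this section describes: a resolver that consults a block list of malicious names before answering, and the review of resolver logs to find which internal hosts asked for those names. The block list, the walled-garden address and the log lines are constructed for the illustration, and the log line format is an assumption.

```python
"""Toy DNS firewall policy engine and resolver-log triage.

Added illustration only: this is not IID's ActiveTrust Resolver or any
other product's code. The block list, the sinkhole address and the log
lines are constructed for the example; the log format is assumed.
"""
import re
from collections import defaultdict

# Constructed block list. A real DNS firewall loads this from a threat feed
# and refreshes it continuously; the actions mirror what a policy resolver
# can do with a query for a listed name.
#   "name"    -> matches exactly that query name
#   "*.name"  -> matches any name below it (but not "name" itself)
BLOCKLIST = {
    "malware-drop.example": "NXDOMAIN",   # answer "no such name"
    "c2.badguys.example":   "SINKHOLE",   # point the client at a walled garden
    "*.phish.example":      "NXDOMAIN",   # whole subtree used for phishing
}

SINKHOLE_IP = "192.0.2.1"  # assumed walled-garden address (TEST-NET-1)


def normalize(qname):
    """Canonical form for comparison: lower-case, no trailing dot."""
    return qname.rstrip(".").lower()


def lookup_policy(qname):
    """Return (action, matched_rule) for a query name, or (None, None).

    Checks the exact name first, then walks towards the apex so that a
    wildcard entry such as "*.phish.example" covers "login.phish.example"
    without enumerating every host the criminals might create.
    """
    name = normalize(qname)
    if name in BLOCKLIST:
        return BLOCKLIST[name], name
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in BLOCKLIST:
            return BLOCKLIST[wildcard], wildcard
    return None, None


def resolve(qname, upstream_answer):
    """Apply the policy to a query before handing back the upstream answer.

    `upstream_answer` stands in for the address the recursive resolver
    obtained from the authoritative servers. Blocking happens here, at
    name resolution, so it works whatever IP the name points at today.
    """
    action, rule = lookup_policy(qname)
    if action is None:
        return {"rcode": "NOERROR", "answer": upstream_answer,
                "blocked": False, "rule": None}
    if action == "NXDOMAIN":
        return {"rcode": "NXDOMAIN", "answer": None,
                "blocked": True, "rule": rule}
    if action == "SINKHOLE":
        return {"rcode": "NOERROR", "answer": SINKHOLE_IP,
                "blocked": True, "rule": rule}
    raise ValueError("unknown policy action: %s" % action)


# Constructed resolver query log. Format assumed: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2009-12-14T09:01:03Z 10.1.4.22   www.google.com        A
2009-12-14T09:01:07Z 10.1.4.22   c2.badguys.example.   A
2009-12-14T09:03:41Z 10.1.7.9    update.microsoft.com  A
2009-12-14T09:04:12Z 10.1.7.9    Login.Phish.Example   A
2009-12-14T09:05:00Z 10.1.4.22   c2.badguys.example    A
2009-12-14T09:06:30Z 10.1.9.100  phish.example         A
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def triage_log(log_text):
    """Map each internal client to the listed names it queried.

    This is the after-the-fact use of resolver logs described in the
    Google example: the clients that asked for known-bad names are the
    machines to pull for forensics first. Returns
    {client_ip: [(timestamp, qname, matched_rule), ...]}.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a query record
        ts, client, qname, _qtype = m.groups()
        action, rule = lookup_policy(qname)
        if action is not None:
            hits[client].append((ts, normalize(qname), rule))
    return dict(hits)


if __name__ == "__main__":
    for host, events in sorted(triage_log(SAMPLE_LOG).items()):
        print(host)
        for ts, name, rule in events:
            print("  %s  %-22s  matched %s" % (ts, name, rule))
```

Two points worth noticing when running it: the wildcard entry deliberately does not match the apex name itself (10.1.9.100 querying `phish.example` is not flagged), which is the usual policy-zone convention and a common source of surprise when a feed lists only `*.domain`; and the SINKHOLE action returns a normal-looking answer, so the infected host proceeds to connect to the walled garden, where that server's own connection log gives you a second list of machines to investigate.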
Criminals have many methods for driving potential victims to dangerous Internet locations. A DNS firewall adds a reliable safeguard against the growing threat posed by advanced persistent threats and botnets, including the command and control servers that infected machines must contact to receive instructions. The growing threat presented by the BlackHole exploit kit could be blunted as well. BlackHole is one of the largest customizable kits available for purchase or rental in the underground hacking community. With the kit in play, a victim is lured to a compromised legitimate website, which silently redirects the browser to an attacker-controlled domain hosting the kit; there the kit exploits unpatched vulnerabilities in the user’s browser to install malware and, in some cases, disables any anti-virus protection on the newly infected machine, opening it up to further infections. Because that redirect target is a name the criminals control, blocking its resolution stops the infection chain before the exploit page is ever fetched.
DNS hijacking is another way cyber criminals can steer potential victims to locations loaded with malware. We’ve discussed in a previous post how hijacked DNS can affect the website associated with a domain, but the website isn’t all that’s at risk in a domain hijacking. In an upcoming DNS Dojo post, we’ll look at other ways in which criminal manipulation of the DNS can put an enterprise’s operations and reputation at risk.