Accumuli Security - Head Office Tuscany House, White Hart Lane, Basingstoke, Hampshire, RG21 4AF, UKTel: +44 (0) 1256 303 700 Fax: +44 (0) 1256 303 701 Web: www.accumuli.com Email: info@accumuli.com
Traditional methods of reporting DNS and DHCP activity have involved collecting numerous large log files and required using various scripts to interpret them. With the increasing use of Security Information and Event Management (SIEM) products, the collection of DNS and DHCP activity is becoming more important in order to complement other network information and satisfy compliance and auditing requirements.
DDAM can collect DNS and DHCP activity using agent-based or agent-less methods and upload the collected records into a third-party SIEM product via the industry-standard FTP or SFTP protocols. SFTP should be preferred, because FTP carries both credentials and log content in clear text. This data can complement other network-related information to help provide an audit trail of activity.
DNS and DHCP administrators can also use the collected data to report and analyze DNS and DHCP traffic via a simple web-based GUI, rather than having to gain access to a corporate-wide SIEM product administered by a different team.
Simplify your DDI (DNS, DHCP & IPAM) infrastructure with DDAM.
Benefits
• Report and identify abusive network devices
• Immediate notification of DNS server issues
• Monitor, measure and rebalance DNS and DHCP services
• Reduce costs and optimize administrator time and labour
• Have confidence in change management
• Alert on the rising edge of DoS attacks
• Identify potentially unauthorized devices
• Feed DNS and DHCP activity from different vendors and platforms into the security team's SIEM system
• Identify a client's switch port and VLAN connection
DNS and DHCP administrators may wish to identify rogue clients or misconfigured applications, or to find the clients still using a particular DNS/DHCP server, e.g. before decommissioning it. In addition, alerts can be configured so that specific events are escalated immediately to the relevant staff.
Figure 1: DDAM/DDI Integration Architecture
DDAM - DNS & DHCP Activity Monitor v2.1
DDAM can be agent-less or agent-based
An agent-based solution requires a collector to be installed on each DNS/DHCP server that is to be monitored. The agent performs packet capture at the protocol level, so it does not matter which type of DNS or DHCP server is used. No further configuration of the DNS or DHCP server that might impact its performance is required, e.g. there is no need to enable query logging.
If DNS and DHCP appliances are being used that do not allow additional software to be installed, e.g. Infoblox, then an agent-less solution is required. Monitoring is achieved by redirecting DNS query logs and DHCP lease messages, via syslog, to a remote server on which a DDAM collector is installed. The remote collector then processes the syslog traffic sent from the DNS and DHCP servers.
Figure: agent-less collection via syslog, and agent-based collectors installed on the DNS/DHCP servers
DDAM for the IT and Security Professional
DDAM provides features that both security and IT professionals will find invaluable:
For the Security professional:
• Ensure DDI is part of the regulatory compliance framework, e.g. guarantee that all DNS queries and DHCP transactions are captured and stored for a minimum period of time.
• Utilize DNS/DHCP activity logs to assist with forensic analysis of suspicious activity.
• Forward DNS/DHCP activity to a SIEM product, so that different sources of information can be correlated to assist with security auditing and reporting.
For the IT professional:
• Provide visibility of DNS/DHCP activity.
• Utilize built-in reports to perform specific tasks, e.g.:
• Find out which clients are sending queries for an application that is to be decommissioned.
• Find out which clients are sending queries to a particular DNS server.
• Find the most common DNS lookups.
• Find the least queried domain names.
• Receive alerts when abnormal activity is detected.
DDAM provides a number of built-in reports and alerts*
Reports can be exported in PDF, CSV and PNG formats. Alerts can be generated via SNMP or SMTP.
System Requirements
The central DDAM server and collector agents are supported on the following platforms:
• Windows 2000, 2003 and 2008
• Solaris 8, 9 and 10
• Red Hat Linux RHEL3, RHEL4 and RHEL5
• n3k runIP appliance v2.0, v2.1, v2.2 and v2.3
Intuitive user interface
DDAM's user interface provides sortable columns and filters to help make sense of the data. Filters can be combined to reduce the amount of data being displayed.
DHCP Reports
• DHCP Lease Rate
• DHCP Packets by Type
• DHCP Scopes not used
• DHCP Subnets not used
• Top DHCP Clients

DNS Reports
• DNS Queries by Type
• DNS Query Rate
• DNS Domains Not Queried
• DNS Resource Records not Queried
• Top DNS Clients
• Top DNS Clients Querying a Domain
• Top DNS Domains
• Top DNS Queries

DHCP Alerts
• DHCP MAC Watch
• Abnormal DHCP Packet Rate

DNS Alerts
• Abnormal DNS Query Rate
• DNS Query Watch
• DNS RCODE Watch

* reports and alerts are subject to change
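The following is an added worked example, not DDAM's own code, that ties the agent-less collection path described earlier (DNS query logs and DHCP lease messages relayed via syslog) to several of the report and alert names listed above. The syslog, BIND 9 query-log and ISC dhcpd line layouts are real formats, but the sample lines are constructed, and every function name and threshold is the example's own assumption. It also makes one caveat visible: BIND's query log records queries only, never responses, so a DNS RCODE watch (e.g. an NXDOMAIN spike) cannot be built from this feed alone and needs response data, which is one reason packet capture on the server is attractive where an agent can be installed.

```python
import re
from collections import Counter, defaultdict

# Syslog header as written by a common BSD-style relay (constructed; the real
# DDAM collector's input handling is not described on this page).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<body>.*)$"
)
# BIND 9 query-log body; the optional "@0x..." handle and "(name)" appear in newer releases.
DNS_RE = re.compile(
    r"^client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+) "
)
# ISC dhcpd message body: the message type leads; MAC and (optional) IP follow in varying order.
DHCP_RE = re.compile(r"^(?P<msg>DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK|RELEASE|INFORM|DECLINE))\b(?P<rest>.*)$")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_line(line):
    """Normalise one syslog line into a record of kind 'dns' or 'dhcp'; None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    d = DNS_RE.match(body)
    if d:
        return {"kind": "dns", "ts": m.group("ts"), "server": m.group("host"),
                "client": d.group("ip"), "name": d.group("name").rstrip(".").lower(),
                "qtype": d.group("qtype")}
    h = DHCP_RE.match(body)
    if h:
        mac, ip = MAC_RE.search(h.group("rest")), IP_RE.search(h.group("rest"))
        return {"kind": "dhcp", "ts": m.group("ts"), "server": m.group("host"),
                "msg": h.group("msg"), "mac": mac.group(0).lower() if mac else None,
                "ip": ip.group(0) if ip else None}
    return None  # other daemon output is dropped, not treated as an error

def collect(lines):
    return [r for r in map(parse_line, lines) if r]

# --- Reports (named after the built-in reports above) -------------------------
def top_dns_clients(records, n=5):
    return Counter(r["client"] for r in records if r["kind"] == "dns").most_common(n)

def dns_queries_by_type(records):
    return dict(Counter(r["qtype"] for r in records if r["kind"] == "dns"))

def top_dhcp_clients(records, n=5):
    return Counter(r["mac"] for r in records if r["kind"] == "dhcp" and r["mac"]).most_common(n)

# --- Alerts -------------------------------------------------------------------
def dns_query_watch(records, watched_suffixes):
    """DNS Query Watch: a client asks for a watched name or any name beneath it (label boundary respected)."""
    watched = [s.lower().rstrip(".") for s in watched_suffixes]
    return [(r["client"], r["name"]) for r in records if r["kind"] == "dns"
            and any(r["name"] == s or r["name"].endswith("." + s) for s in watched)]

def dhcp_mac_watch(records, watched_macs):
    """DHCP MAC Watch: any DHCP message involving a watched hardware address."""
    wanted = {m.lower() for m in watched_macs}
    return sorted({(r["mac"], r["msg"]) for r in records if r["kind"] == "dhcp" and r["mac"] in wanted})

def abnormal_rate(records, kind, key, threshold):
    """Abnormal DNS Query Rate / Abnormal DHCP Packet Rate: peak events per second per client
    (IP for DNS, MAC for DHCP) above threshold. The threshold is an illustrative constant;
    a deployment would derive it from the measured baseline rate."""
    per_sec = defaultdict(Counter)
    for r in records:
        if r["kind"] == kind and r.get(key):
            per_sec[r[key]][r["ts"]] += 1
    return {k: max(c.values()) for k, c in per_sec.items() if max(c.values()) > threshold}

# Constructed sample feed: one BIND 9 server and one ISC dhcpd server relayed via syslog.
SAMPLE_SYSLOG = """\
Mar  3 10:00:01 ns1 named[1234]: client 192.0.2.10#53412: query: www.example.com IN A + (192.0.2.1)
Mar  3 10:00:01 ns1 named[1234]: client 192.0.2.10#53413: query: mail.example.com IN MX + (192.0.2.1)
Mar  3 10:00:01 ns1 named[1234]: client @0x7f1c2c0 192.0.2.11#40001 (updates.bad-example.net): query: updates.bad-example.net IN A +E(0) (192.0.2.1)
Mar  3 10:00:02 ns1 named[1234]: client 192.0.2.10#53414: query: www.example.com IN AAAA + (192.0.2.1)
Mar  3 10:00:02 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  3 10:00:02 dhcp1 dhcpd: DHCPOFFER on 192.0.2.50 to 00:11:22:33:44:55 via eth0
Mar  3 10:00:02 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.50 from 00:11:22:33:44:55 via eth0
Mar  3 10:00:02 dhcp1 dhcpd: DHCPACK on 192.0.2.50 to 00:11:22:33:44:55 via eth0
Mar  3 10:00:03 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
Mar  3 10:00:03 ns1 named[1234]: general: info: unrelated daemon message
""".splitlines()
RECORDS = collect(SAMPLE_SYSLOG)

if __name__ == "__main__":
    print("Top DNS clients:", top_dns_clients(RECORDS))
    print("DNS queries by type:", dns_queries_by_type(RECORDS))
    print("Top DHCP clients:", top_dhcp_clients(RECORDS))
    print("DNS Query Watch:", dns_query_watch(RECORDS, ["bad-example.net"]))
    print("DHCP MAC Watch:", dhcp_mac_watch(RECORDS, ["AA:BB:CC:DD:EE:FF"]))
    print("Abnormal DNS rate:", abnormal_rate(RECORDS, "dns", "client", 1))
    print("Abnormal DHCP rate:", abnormal_rate(RECORDS, "dhcp", "mac", 3))
```

Two design points worth noting. The query watch compares on a label boundary (`name == s` or `name.endswith("." + s)`), so a watch on `example.net` does not fire on `updates.bad-example.net`; a plain substring match would. The rate alerts key on the identifier each protocol actually gives you, the source IP for DNS and the hardware address for DHCP, which is also why the MAC-to-switch-port lookup described later in this document is the natural next step once an alert fires.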
“DNS Queries by Type” Built-in Report
Filters can be used to Search for Data
Locating a Client by MAC address using a right click Menu
Identify a client’s network location
DDAM can integrate with porttracker or Infoblox PortIQ appliances to help locate a device on the network. For example, if DDAM has identified a client that is continuously requesting DHCP leases, the “Locate Client by MAC” feature can be used to find out which switch, port and VLAN the device is connected to.
An administrator could then log into the switch and disable that port. The switch, port and VLAN information is obtained from the porttracker or PortIQ appliance via an API call. A similar feature locates a client by its IP address, e.g. when a DNS client needs to be found.
About Accumuli Security
At Accumuli Security we ensure that our users and their data are Secured, Managed and Controlled:
• Secure: layered security to protect corporate applications and data
• Manage: structured management of devices and resources
• Control: maintain the integrity of corporate security policies outside the enterprise network
Inbound threats = protection and prevention. Outbound enforcement = compliance and control.

The Accumuli Effect
Accumuli provides multi-layered security services that protect customers' networks and their users from targeted assaults on resources and data. Using leading-edge technologies, we have created solutions that identify the irregular patterns which would otherwise lead to disruption and financial loss. We deliver a full range of capabilities that ensure the successful deployment of advanced security solutions, from inception through to a fully managed support service.

The Accumuli Difference
With the proliferation of access points and devices, Accumuli Security brings together "End to End Protection" to offer layered security services.
At Accumuli, not only can we provide the solutions and services to support your requirements, we can also provide a fully managed service. To discuss this further please contact us:

Head Office: Tuscany House, White Hart Lane, Basingstoke, Hampshire, RG21 4AF
Tel: +44 (0) 1256 303 700 Web: www.accumuli.com
Leeds Office: 5 Beaconsfield Court, Garforth, Leeds, LS25 1QH
Tel: +44 (0) 113 232 2330 Email: info@accumuli.com