Scale and Secure the Internet of Things with Intelligent DNS Services
Nigel Ashworth
Solution Architect
F5 Networks
28th September 2015
© F5 Networks, Inc 2
Agenda
• Drivers for the Internet of Things
• Architecture changes
• Security
• Scale
• Use cases – Internal and external
• CapEx vs OpEx
• Audits
• Service chaining and DNS
• GI Firewall / TCP optimisation / Rate management
• User attributes
• Parental control / contracts
• White lists and filters
• DDOS Attacks
• Protocol Abuse
• DNS Firewall
• Not a Firewall for DNS
• Reporting

Drivers

The Driving Force behind Device-Based Network and App Congestion
[Chart: 6 Billion connected devices to 50 Billion connected devices, timeline 2013, 2016, 2018, 2020]

The Internet of Things and DNS
• Internet of Things needs scalable DNS services
• Combination = 5 to 10 times Internet revolution
• 10 billion devices in 2014 = 77 billion mobile apps
• Ensure really fast connections and responses

Implications for Service Providers
Service Provider Challenges
• Connected Cars, Connected Homes, Connected Cities, Wearables/Connected Devices/Utilities
• Surge in connected devices accessing SP networks
• Increasing connection rates (Connections per Sec)
• Spikes in application usage
• 50B connected devices worldwide by 2020
• Surge in DNS queries
• DNS security vulnerabilities
• New advanced persistent threat vectors
• New DDoS attack vectors
• Network signaling spikes
• Diameter signaling storms
• IPv6 addressing requirements
• Lower ARPU per device
(Packet Core, Gi-LAN, Data Centers, IMS Core)
Scaling the networks. End to end security. Profitable new services.

Hybrid Architectures
Drivers: Connected Cars, Connected Homes, Connected Cities, Wearables/Connected Devices/Utilities
• Surge in connected devices accessing SP networks
• Increasing connection rates (Connections per Sec)
• Spikes in application usage
• 50B connected devices worldwide by 2020
(Packet Core, Gi-LAN, Data Centers, IMS Core)
High Performance Hybrid Architectures: Simpler Architecture / Network, Flexibility, Extensibility, Virtualised Network Functions, Scalable VNFs, Virtual Software Editions
• Scalable DNS
• Load balancing
• Network firewall
• Application layer firewall
• IPv6 routing
• Carrier grade NAT
• Traffic classification
• Subscriber classification
• Application awareness
• Diameter routing
• Protocol gateway
• Policy enforcement

Use cases

Simplified and Consolidated DNS
[Diagram: DNS functions placed across the service provider network, data plane and control plane]
• Mobile: (e)NodeB, SGW/SGSN, MME, Mobile Core, GGSN/PGW, PCRF
• Fixed: BRAS, Fixed Core
• DNS/GSLB, DNS Caching/Resolvers, Transparent Cache, DNS64, NAT64
• Internet, Core Infrastructure, Web Caching, WAP Gateways, Content Streaming
• DNS Authoritative Local Zones, Infrastructure Authoritative DNS Auth. Local Zones, LDNS
• Subscriber Management: HSS/HLR, DHCP, Activation, PKI, CSCF, Billing/Self Service, Customer Portal
• IP Multimedia Subsystem (IMS): MGCF, SBC, DNS ENUM

Intelligent DNS and Global Service Optimisation
LDNS / Authoritative / Infrastructure
• Intelligent DNS for Evolved Packet Core
• Proactively monitor for service-level adherence
• Enhanced subscriber experience
• Robust, scalable portal and service access
• Exponential DNS performance and DDoS security protection
• Optimise global service delivery
• Faster DNS for 3G/4G LTE
• Enhanced performance through transparent cache
• Caching resolver for server consolidation
• Mitigate DNS threats by blocking malicious IPs

Architecture

Traditional Architectures will Buckle ... under the strain of increasing demand
• Data volumes double every 18 months
• Applications double every four years
• Customer populations four orders of magnitude larger than employee/partner
Source: IDC Directions, Battle for the Future of the Datacenter: The Role of Disaggregated Systems, March 2014; Forrester Consulting, April 2014

Firewall for DNS or a DNS Firewall?

Anatomy of a DNS Firewall
• IP Anycast
• Pre filter
• Packet inspection
• Performance
• Scaling resolution
• DNSsec and Validation
• Reporting and Automation
• DNS Reputational Intelligence
• DNS scrubbing
• Hardware sizing
• Certification

[Diagram: DNS firewall data path]
• Clients: IPv4/IPv6, TCP/UDP
• Protocol Validation + ACL
• iRules
• DNSSEC
• GSLB
• DNS Express
• RPZ / Cache / Resolver
• DNS 6-4
• DNS LB Pool, DNS Server Pool, Local BIND
• Request / Response, AXFR Request / AXFR Response, Zone XFR

[Chart: Performance over Time, TMOS Single Processor vs SMP, 2x, 4x, 8x]

Advanced DNS Analytics
– Applications
– Virtual Servers
– Query Name
– Query Type
– Client IP

[Table: Response Policy Zones*, URL Filtering, IP Intelligence]
• Response Policy Zones*: screens a DNS request against domain names with a bad reputation. Mitigates threats by FQDN. Ingress DNS path.
• URL Filtering: categorize the FQDN from the request & make a decision. Policy control by FQDN. HTTP, HTTPS and DNS with iRules.
• IP Intelligence: categorize the IP address from the response & make a decision. Mitigates threats by FQDN. Any IP protocol with iRules.

[Diagram: multi-tier DDoS protection with DNS scrubbing]
• Legitimate Users, Corporate Users, Subscribers; Threat Feed Intelligence; Multiple ISP strategy (ISPa/b); Cloud Scrubbing Service
• Attack sources: DDoS Attacker, Scanner, Anonymous Proxies, Anonymous Requests, Botnet Attackers
• Tier 1, Network and DNS: Access Control, Policy Enforcement; Strategic Point of Control
  – Network attacks: ICMP flood, UDP flood, SYN flood
  – DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• Tier 2, Application: IPS, Next-Generation Firewall
  – SSL attacks: SSL renegotiation, SSL flood
  – HTTP attacks: Slowloris, slow POST, recursive POST/GET
• Protected services: Financial Services, E-Commerce

Platforms

CONVENTIONAL DNS THINKING
Internet, External Firewall, DNS Load Balancing, Array of DNS Servers, Internal Firewall, Hidden Master DNS (DMZ and Datacenter)
F5 PARADIGM SHIFT
Internet, BIG-IP Global Traffic Manager (30M RPS), Master DNS Infrastructure

User Protection and Protocol Abuse

Client Protection
Prevent subscribers from reaching known bad domains
• Prevent malware and sites hosting malicious content from ever communicating with a client
• Internet activity starts with a DNS request, inhibit the threat at the earliest opportunity
[Diagram: ADC / GTM with IPv4/v6 listener, protocol validation, iRules, cache, resolver, special handling and a reputation database kept current by RPZ feed updates]

Layered Client Protection
• RPZ filters out and provides NXDOMAIN or redirect for known bad domains
• URL filtering provides granular policy controls using categories
• IP intelligence blocks based on resolved IP, can also be used in data path for other protocols
[Diagram: a query for WWW.DOMAIN.COM passes through DNS iRules (Request / Response), Subscriber Policy, RPZ, IP Intelligence and URL Filtering on the ingress and egress DNS paths, with the cache / resolver, iControl and iQuery, and the RPZ Feed, IPI Feed and URL Feed]

Preventing DNS Abuse
• Classify the traffic
  – Mobile or fixed
  – SLA for RPS and allowed response size
• When a client sends in a query
  – Is query for a blocked domain?
  – Is query rate above allowed rate?
  – Client previously above allowed rate?
• Resolve request and analyse response
  – Factor in response size to the score
• Take an action
  – Is client above score threshold?
  – Drop request
  – Suspend DNS service for a period
[Chart: query rate scoring and response size scoring per client (ClientA to ClientF) against a drop threshold and a suspend threshold]

DNS Service Protection
Policing Requests for Fairness and Availability
Service Providers need to ensure availability of DNS services to customers according to their service level. Intelligent per-Client IP Rate Limiting gives SPs the tools to inhibit bad actors including DNS tunneling, without adversely affecting performance.
[Diagram: a DNS rate limiter in front of the cache / resolver tracks per-client DNS rates against rate limits for a malicious actor, a compromised client and a regular client; actions: suspend DNS service, rate limit client, log malicious identity]
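The per-client scoring walked through on the "Preventing DNS Abuse" slide and the rate limiter on this slide, as an added Python example that is not F5 code or an iRule: the SLA classes, thresholds, decay rate and the one-second window are constructed values, and the strike counter stands in for "client previously above allowed rate".

```python
"""Per-client DNS abuse scoring: a query-rate score on the request path, a
response-size score on the response path, a drop threshold and a suspend
threshold. Added example, not F5 code; SLA classes and thresholds are
constructed values."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict


@dataclass(frozen=True)
class Sla:
    rps_allowed: float        # queries per second this access class may send
    max_response_bytes: int   # answers larger than this add to the size score


# Constructed SLA classes: mobile subscribers get a tighter budget than fixed lines.
SLA_CLASSES = {"mobile": Sla(20.0, 512), "fixed": Sla(50.0, 1024)}

DROP_THRESHOLD = 5.0       # score at which individual queries are dropped
SUSPEND_THRESHOLD = 12.0   # score at which DNS service is suspended for a period
SUSPEND_SECONDS = 60.0
WINDOW_SECONDS = 1.0
DECAY_PER_SECOND = 0.5     # score bleeds off, so a client that calms down recovers


@dataclass
class ClientState:
    sla: Sla
    timestamps: Deque[float] = field(default_factory=deque)
    score: float = 0.0
    last_seen: float = 0.0
    suspended_until: float = 0.0
    strikes: int = 0          # times the client has exceeded its allowed rate


class AbuseScorer:
    def __init__(self) -> None:
        self.clients: Dict[str, ClientState] = {}

    def _state(self, client_ip: str, access_type: str) -> ClientState:
        if client_ip not in self.clients:
            self.clients[client_ip] = ClientState(sla=SLA_CLASSES[access_type])
        return self.clients[client_ip]

    def _decay(self, st: ClientState, now: float) -> None:
        st.score = max(0.0, st.score - (now - st.last_seen) * DECAY_PER_SECOND)
        st.last_seen = now

    def _action(self, st: ClientState, now: float, blocked: bool) -> str:
        if st.score >= SUSPEND_THRESHOLD:
            st.suspended_until = now + SUSPEND_SECONDS
            return "SUSPENDED"
        if st.score >= DROP_THRESHOLD:
            return "DROP"
        return "BLOCKED" if blocked else "RESOLVE"

    def on_query(self, client_ip: str, access_type: str, now: float,
                 blocked: bool = False) -> str:
        """Request path. Returns SUSPENDED, DROP, BLOCKED or RESOLVE."""
        st = self._state(client_ip, access_type)
        if now < st.suspended_until:
            return "SUSPENDED"
        self._decay(st, now)
        if blocked:
            st.score += 1.0   # asking for a blocked domain counts against the client
        # Sliding window of query timestamps gives the current query rate.
        st.timestamps.append(now)
        while st.timestamps[0] <= now - WINDOW_SECONDS:
            st.timestamps.popleft()
        rate = len(st.timestamps) / WINDOW_SECONDS
        if rate > st.sla.rps_allowed:
            # Score grows with how far over the allowance the client is, and a
            # client that was over the rate before (strikes) is scored harder.
            st.strikes += 1
            st.score += (rate / st.sla.rps_allowed - 1.0) * (1.0 + 0.1 * st.strikes)
        return self._action(st, now, blocked)

    def on_response(self, client_ip: str, now: float, response_bytes: int) -> str:
        """Response path: factor the size of the resolved answer into the score."""
        st = self.clients[client_ip]
        self._decay(st, now)
        if response_bytes > st.sla.max_response_bytes:
            st.score += response_bytes / st.sla.max_response_bytes - 1.0
        return self._action(st, now, False)
```

A mobile client bursting 60 queries in 0.6 s is first dropped and then suspended, while a fixed client sending the same burst stays inside its allowance; two oversized answers alone are enough to push a client over the drop threshold.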

DNS Tunnelling

DNS Tunnelling Enforcement

DNS use case – Service Provider
• User query request
• PCRF request / response
• VIP choice for protection profiles for:
  – Adult
  – Family
  – Child
[Diagram: user DNS query checked against black list, RPZ, IPI and opt in/out, with exception match, the Policy and Charging Rules Function, the portal and the Internet]
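The RPZ, URL-category and IP-intelligence layers from the "Layered Client Protection" slide, selected per subscriber by the protection profile on this slide, as an added Python example that is not F5 code: the feeds, resolver table, walled-garden name and profile contents are constructed.

```python
"""Layered client protection on the DNS path: RPZ on the request, URL-category
policy chosen by the subscriber's protection profile, and IP intelligence on
the resolved answer. Added example with constructed feeds; not F5 code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed RPZ feed. A listed name also covers its subdomains.
RPZ_FEED = {
    "malware-c2.example": "NXDOMAIN",
    "phish-login.example": "REDIRECT",  # answer with a walled-garden name instead
}
WALLED_GARDEN = "blocked.isp.example"

# Constructed URL-filtering feed: FQDN -> category.
URL_CATEGORIES = {"casino.example": "gambling", "social.example": "social",
                  "toys.example": "kids"}

# Constructed protection profiles: the categories each profile blocks.
PROFILES = {
    "adult": frozenset(),
    "family": frozenset({"gambling"}),
    "child": frozenset({"gambling", "social"}),
}

# Constructed IP intelligence feed: reputation of resolved addresses.
IPI_FEED = {
    ipaddress.ip_network("198.51.100.0/24"): "botnet",
    ipaddress.ip_network("203.0.113.7/32"): "spam-source",
}

# Constructed stand-in for the caching resolver: FQDN -> A record.
RESOLVER_TABLE = {"casino.example": "203.0.113.7", "social.example": "192.0.2.10",
                  "toys.example": "192.0.2.20", "cdn.example": "198.51.100.42"}


@dataclass
class Decision:
    name: str
    action: str                  # ALLOW, NXDOMAIN, REDIRECT or DROP
    layer: str                   # layer that decided: rpz, url, resolver or ipi
    answer: Optional[str] = None
    log: List[str] = field(default_factory=list)


def rpz_lookup(fqdn: str) -> Optional[str]:
    """Match the name or any parent domain against the RPZ feed."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        action = RPZ_FEED.get(".".join(labels[i:]))
        if action:
            return action
    return None


def ipi_lookup(addr: str) -> Optional[str]:
    """Reputation of a resolved address, or None when it is not listed."""
    ip = ipaddress.ip_address(addr)
    for net, reputation in IPI_FEED.items():
        if ip in net:
            return reputation
    return None


def resolve_with_protection(fqdn: str, profile: str) -> Decision:
    """Ingress: RPZ, then category policy. Egress: IP intelligence on the answer."""
    name = fqdn.lower().rstrip(".")
    d = Decision(name=name, action="ALLOW", layer="resolver")
    # Ingress layer 1: RPZ decides before anything is resolved.
    rpz_action = rpz_lookup(name)
    if rpz_action == "NXDOMAIN":
        d.action, d.layer = "NXDOMAIN", "rpz"
        d.log.append(f"rpz {name}: NXDOMAIN")
        return d
    if rpz_action == "REDIRECT":
        d.action, d.layer, d.answer = "REDIRECT", "rpz", WALLED_GARDEN
        d.log.append(f"rpz {name}: redirect to {WALLED_GARDEN}")
        return d
    # Ingress layer 2: category policy for the subscriber's profile.
    category = URL_CATEGORIES.get(name)
    if category in PROFILES[profile]:
        d.action, d.layer = "NXDOMAIN", "url"
        d.log.append(f"url {name}: category {category} blocked for {profile}")
        return d
    # Resolve (stand-in for the cache / resolver).
    answer = RESOLVER_TABLE.get(name)
    if answer is None:
        d.action = "NXDOMAIN"
        return d
    # Egress layer 3: reputation of the resolved address.
    reputation = ipi_lookup(answer)
    if reputation:
        d.action, d.layer = "DROP", "ipi"
        d.log.append(f"ipi {answer} for {name}: {reputation}, response dropped")
        return d
    d.answer = answer
    return d
```

The same casino.example query is refused by the category layer for a family profile but reaches the resolver for an adult profile, where the response is then dropped because the resolved address is on the IP intelligence feed.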

CapEx vs OpEx

Lifecycle Costs for Traditional DNS Resolver Infrastructure
Fixed and wireless ISP with 1M customers, 200K RPS today to 2M+ by 2016

Traditional DNS Resolver Topology: 3M RPS caching resolver with discrete firewall, load balancer, and 60 DNS servers (CapEx, Patch, OpEx)
Vulnerability identified: Investigate threat 2 days; Design FW rules 2 days; Review FW rule 1 day; Test FW rule 2 days; Deploy FW rule 2 days; Administrative overhead 1 day
Initial patch issued: Test patch in lab 3 days; Deploy patch 10 days; Revise firewall rules 1 day; Administrative overhead 1 day
Final patch issued: Test patch in lab 3 days; Deploy patch 10 days; Administrative overhead 1 day
39 days of effort per patch: Historically, traditional DNS servers are patched 6-10 times annually
Numbers:
• 39 days annually @ $40 / hour: $12,480
• x9 patches per year: $112,320
• Administration staff (team of 3): $249,600
• Total cost of hardware and maintenance (firewall, load balancer, and 60 servers): $424,800
• Total in year 1: $799,200; Total in year 2 onwards: $439,200

vs

DNS Resolver Model: local zones, 3M RPS caching resolver
Annual firmware release: Test release in lab 3 days; Deploy firmware 1 day
Annual maintenance: 4 days
• Total cost of hardware and maintenance: $354,000
• 4 days annually: $1,280
• Total in year 1: $355,280
• Total in year 2 onwards: $55,280

Summary
• Internet of Things
• Use cases – Internal and external
• Architecture changes
• Security: a DNS Firewall
• User protection and Protocol abuse
• CapEx vs OpEx

PLNOG15: Scale and Secure the Internet of Things with Intelligent DNS Services
