
29 March 2021

DNS over HTTPS (DoH) - DNS over TLS (DoT)

I wrote about DNS Security a few weeks ago because more and more users work remotely, outside the protected walls, and companies want to increase the security of their activities and resources. DNS-layer security should be the first line of defense against threats because DNS resolution is the first step in Internet access. Some web browsers already rely on DoH (DNS over HTTPS) for their own name resolution. But using DoH with an untrusted public DNS service risks misuse of browsing data and reveals which applications are being used. In order to better protect remote workers, companies should therefore consider extending their private recursive DNS service and managing DoH themselves.

Building a private DoH infrastructure

On the one hand, if you are going to install a DNS over HTTPS (DoH) infrastructure, you’ll need to configure a proxy farm that takes the HTTPS requests and forwards them to traditional DNS servers. F5 BIG-IP can work as that proxy farm, extracting the data from the HTTPS request and translating it into a traditional DNS request. Thanks to the iRulesLX engine, based on Node.js, BIG-IP can handle the DoH translation. DoH requests arrive at the BIG-IP either as an HTTPS POST with a binary payload or as a GET request with a base64url-encoded parameter. Both forms are translated from HTTPS to DNS easily by F5 BIG-IP.
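To make the translation step concrete, here is an added example in plain Node.js (it is not F5’s iRulesLX code and not part of the original post). It shows both DoH request forms the paragraph mentions, the POST with a binary body and the GET with a base64url-encoded `dns` parameter, being turned back into the wire-format DNS message a classic resolver expects, plus the headers of the HTTPS reply. The `req` object shape, the `/dns-query` path and the sample query are assumptions made for this example.

```javascript
// Added example, not F5's iRulesLX code: the translation step a DoH-to-DNS proxy
// performs, in plain Node.js. A DoH request (RFC 8484) carries a wire-format DNS
// message either as the body of a POST with Content-Type application/dns-message
// or base64url-encoded in the "dns" query parameter of a GET. The proxy recovers
// that message, passes it unchanged to a classic resolver and returns the answer
// as the HTTPS response body. The "req" object shape is an assumption here.
const DNS_MESSAGE = 'application/dns-message';

// base64url (RFC 4648 section 5) without padding, as DoH GET requests use it.
function base64urlEncode(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64urlDecode(str) {
  if (!/^[A-Za-z0-9_-]*$/.test(str)) throw new Error('invalid base64url');
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64');
}

// Client side: a minimal wire-format query (header plus one question).
// RFC 8484 clients use ID 0 so that identical queries are cacheable.
function buildQuery(name, qtype, id = 0) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2);  // flags: RD=1
  header.writeUInt16BE(1, 4);       // QDCOUNT=1
  const labels = name.split('.').filter(Boolean)
    .map(l => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  const tail = Buffer.alloc(5);     // root label, QTYPE, QCLASS=IN
  tail.writeUInt16BE(qtype, 1);
  tail.writeUInt16BE(1, 3);
  return Buffer.concat([header, ...labels, tail]);
}

// Proxy side: recover the DNS message from either request form.
function extractDnsMessage(req) {
  if (req.method === 'GET') {
    const param = new URL(req.url, 'https://doh.invalid').searchParams.get('dns');
    if (param === null) throw new Error('missing dns parameter');
    return base64urlDecode(param);
  }
  if (req.method === 'POST') {
    const ct = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
    if (ct !== DNS_MESSAGE) throw new Error('unsupported media type: ' + ct);
    return Buffer.from(req.body);
  }
  throw new Error('method not allowed: ' + req.method);
}

// Read the question so the proxy can log or filter before forwarding.
function parseQuestion(msg) {
  if (msg.length < 12) throw new Error('truncated header');
  if (msg.readUInt16BE(4) !== 1) throw new Error('expected exactly one question');
  const labels = [];
  let pos = 12;
  for (;;) {
    if (pos >= msg.length) throw new Error('truncated name');
    const len = msg[pos++];
    if (len === 0) break;
    if (len > 63 || pos + len > msg.length) throw new Error('bad label length');
    labels.push(msg.toString('ascii', pos, pos + len));
    pos += len;
  }
  if (pos + 4 > msg.length) throw new Error('truncated question');
  return { id: msg.readUInt16BE(0), name: labels.join('.'),
           qtype: msg.readUInt16BE(pos), qclass: msg.readUInt16BE(pos + 2) };
}

// Wrap the resolver's answer for the HTTPS client. RFC 8484 caps the HTTP cache
// lifetime at the smallest TTL in the answer; the caller supplies that value.
function dohResponse(answer, minTtlSeconds) {
  return {
    status: 200,
    headers: { 'content-type': DNS_MESSAGE, 'content-length': String(answer.length),
               'cache-control': `max-age=${minTtlSeconds}` },
    body: answer,
  };
}

// Constructed samples: the GET form Firefox sends with network.trr.useGET
// enabled, and the equivalent POST.
const sampleQuery = buildQuery('www.example.com', 1);
const sampleGet = { method: 'GET', url: '/dns-query?dns=' + base64urlEncode(sampleQuery), headers: {} };
const samplePost = { method: 'POST', url: '/dns-query',
                     headers: { 'content-type': DNS_MESSAGE }, body: sampleQuery };

for (const req of [sampleGet, samplePost]) {
  console.log(req.method, parseQuestion(extractDnsMessage(req)));
}
```

Whatever the transport, the bytes handed to the resolver are identical, which is why the proxy needs no DNS logic of its own beyond locating the message; parsing the question is only there so the proxy can log or filter before forwarding.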

DoH to DNS Proxy

On the other hand, if you are going to deploy a DNS over TLS (DoT) infrastructure, you’ll also need to configure a proxy farm that takes the TLS connections and forwards the queries to traditional DNS servers. BIG-IP can also work as that proxy farm, extracting the data from the TLS session and passing it on as a traditional DNS request. However, the DoT-to-DNS configuration is easier than the DoH-to-DNS one, because proxying DoT queries to traditional DNS only requires a classic BIG-IP high-performance SSL offloading profile, and no iRule is needed.
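The reason no iRule is needed becomes clear once the TLS layer is removed: what is left is ordinary DNS over TCP. The following added example (not F5’s code, not from the post) shows that framing in Node.js, including the one detail a stream handler must get right, a message split across TCP segments. The two sample queries and the chunk boundaries are constructed for the example.

```javascript
// Added example, not F5's code: why a DoT proxy needs no translation logic.
// Once the TLS session is terminated, what remains is plain DNS over TCP
// (RFC 7858 reuses RFC 1035 framing): each message is preceded by a two-byte
// big-endian length, and a client may pipeline several queries on one
// connection. The proxy can hand that byte stream straight to a resolver's
// TCP port 53. The reader below reassembles messages from arbitrary chunks.

// Add the 2-byte length prefix to a wire-format DNS message.
function frame(msg) {
  if (msg.length > 0xffff) throw new RangeError('DNS message too long for TCP framing');
  const len = Buffer.alloc(2);
  len.writeUInt16BE(msg.length, 0);
  return Buffer.concat([len, msg]);
}

// Accumulates TCP chunks and returns complete messages as they become available.
class DotFrameReader {
  constructor() { this.pending = Buffer.alloc(0); }
  push(chunk) {
    this.pending = Buffer.concat([this.pending, chunk]);
    const messages = [];
    while (this.pending.length >= 2) {
      const len = this.pending.readUInt16BE(0);
      if (len === 0) throw new Error('zero-length frame');
      if (this.pending.length < 2 + len) break;   // wait for the rest of this message
      messages.push(this.pending.subarray(2, 2 + len));
      this.pending = this.pending.subarray(2 + len);
    }
    return messages;
  }
}

// Constructed samples: two pipelined queries, "www.example.com A" (id 1) and
// "mail.example.com AAAA" (id 2), as wire-format bytes.
const q1 = Buffer.from('000101000001000000000000' + '03777777' + '076578616d706c65' + '03636f6d' + '00' + '0001' + '0001', 'hex');
const q2 = Buffer.from('000201000001000000000000' + '046d61696c' + '076578616d706c65' + '03636f6d' + '00' + '001c' + '0001', 'hex');

// Cut a byte stream at the given offsets, simulating TCP segment boundaries.
function splitIntoChunks(buf, cuts) {
  const out = [];
  let start = 0;
  for (const c of [...cuts, buf.length]) { out.push(buf.subarray(start, c)); start = c; }
  return out;
}

// Deliver the stream in three awkward pieces: 1 byte, then 39, then the rest.
function demo() {
  const reader = new DotFrameReader();
  const stream = Buffer.concat([frame(q1), frame(q2)]);
  return splitIntoChunks(stream, [1, 40]).flatMap(chunk => reader.push(chunk));
}

console.log(demo().map(m => m.length));  // two messages recovered intact
```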

DoT to DNS Proxy

These infrastructures are not difficult to configure, but if you don’t know how to do it, iApps can help you. There is already a DNS over HTTP iApp which creates an iRule to perform resolution of DoH traffic. Firstly, you have to create a pool containing the DNS resolvers. Secondly, install the iApp as a template. Thirdly, create the application service with the iApp. Fourthly, create a virtual server listening on port 443 with TCP, HTTP and Client SSL profiles. Finally, test the deployment.

DNS over HTTP iApp

Testing the deployment is really simple because most browsers support DoH. For instance, Firefox can be used as a DoH client. It is configured in the about:config page. Firstly, we set network.trr.uri to the URL of our custom virtual server. Secondly, we should also enable network.trr.useGET, as it’s a bit faster than using POST. Thirdly, we set network.trr.mode to 3, which means we want Firefox to use DoH only. Finally, network.dns.skipTRR-when-parental-control-enabled controls Firefox’s feature that disables DoH when parental control via DNS is detected on the network, so that feature must be turned off as well.

Test Driving DNS over TLS to Traditional DNS

To sum up, proxying DoH and DoT queries to traditional DNS is easy to configure and test with a BIG-IP proxy farm. It’s up to you if you want to protect your remote workers and extend your private DNS recursive service.

Have a nice day!! Would you like to deploy a DoH or DoT infrastructure?

22 March 2021

Data Access Governance

I remember once a customer asked me to audit a large file system with lots of folders and files. He wanted to know who had access to each file, when files were created and when they were changed for the last time, and he also wanted to know the categorization of each file, what kind of files (text, image, video, etc.) were in the NAS systems and how much space these files were using in the file system. We installed Data Access Governance (DAG) tools for that project and it was really successful. Today, DAG tools are increasingly deployed and it seems they will be quite useful for most companies in the near future.

Data Access Governance solutions help companies understand and secure their structured and unstructured data. On the one hand, structured data is stored in databases and business applications, and user access to these systems is usually provisioned by an Identity and Access Management (IAM) platform. On the other hand, unstructured data are documents, spreadsheets, presentations and other files created by end users. These files are typically contained in shared folders, network filers and cloud repositories such as Dropbox and Amazon S3. As a result, Data Access Governance solutions help you to implement controls over your data.

Data Access Governance Solution

There are lots of use cases where Data Access Governance solutions are useful for organizations. One use case is to identify open access locations where permissions are granted to “Everyone” or “Authenticated Users” and close them down to put them under control. Another use case is to control privileged access to business applications and file systems, as well as gaining visibility into what these users are doing with those permissions. One of the use cases I really like is gaining visibility into Active Directory groups to know how these groups are used to grant the proper access to data. However, there are many other use cases.

Here the report you asked for boss

How are these solutions deployed? Data Access Governance projects usually consist of five steps. The first step is to discover where data lives, to obtain a complete view of the data footprint. We have to know whether data are stored in shared folders, network filers such as NetApp or EMC, SharePoint or cloud repositories. The second step is to collect and analyze relevant data points to answer critical questions like sensitivity, access, ownership, age, etc., and to obtain categorization and statistics of the data in use. The third step is to monitor activity to understand user interactions with data. The fourth step is to restructure access to achieve least privilege and position for effective governance; we improve security policies and modify permissions in this fourth step. Finally, the fifth and last step is to govern access on an ongoing basis to ensure security, compliance and operational standards are met.

Securing data access begins with access to data

If you are interested in Data Access Governance, you may also be interested in Active Directory Security solutions to protect critical objects from unauthorized change or access, Data Privacy solutions to mitigate, prevent, detect and respond to advanced threats to credentials and sensitive data in real-time, and Privileged Access Management solutions to remove the user’s access completely and clean the system to match desired state.

A fresh perspective on your data

Have a nice day!! Do you govern your data?

15 March 2021

SASE - Secure Access Service Edge

There are lots of useful tools for securing the endpoint. We know lots of tools for securing servers. There are lots of tools for securing the company as well as the data which are used by employees, customers and providers. We may think we know everything for securing companies such as firewall, antivirus, SIEM, etc but the pandemic is changing companies and how we work today. There are lots of people working from home, consequently, there are new technologies for securing companies.

One of the new technologies that companies have been installing lately with the pandemic is SASE. This is not a product but a new architecture in security and networking. Actually, SASE consolidates several security and networking technologies, which were usually deployed one at a time. SASE integrates all of them. The SASE primary functions are SD-WAN, FWaaS, SWG, CASB and ZTNA.

Components of the SASE Model

SD-WAN is one of the SASE primary functions. I installed SD-WAN for the first time six years ago when a customer needed to connect eight WAN routers to a firewall. They wanted to create rules by application in the firewall because some applications had to use specific WAN links. For instance, there was a link for VPN, another link for the webpage, another for mail and another for Internet access. SD-WAN for SASE is similar to that but for endpoints. The remote laptops, computers and smartphones are going to know whether they have to reach the datacenter through VPN or access SaaS applications directly. This is a great benefit because endpoints won’t have to go through the datacenter to reach SaaS applications, which saves a lot of bandwidth.

Secure SD-WAN + CASB

Most operating systems have a firewall by default which provides control for outbound and inbound internet traffic across all ports and protocols, but if we need visibility, reporting and application control, we’ll have to disable the default firewall to install a new powerful firewall. In addition, centralized management from the cloud is really useful. Therefore, Cloud-delivered firewall (CDFW) or FWaaS is another primary function in SASE architectures.

Firewall as a Service

I’ve configured lots of web filtering profiles in UTM firewalls. They are useful to block access to malicious websites. We can even configure SSL inspection to protect the organization from hidden attacks. This is another primary function of SASE. We should be able to configure a Secure Web Gateway (SWG) to keep endpoints from reaching malicious websites. This is another feature which requires visibility, reporting and configuration from a centralized management system when we have lots of devices.

Secure Web Gateway

The Cloud Access Security Broker (CASB) functionality and the Zero Trust Network Access (ZTNA) functionality are also two primary functions of the SASE architecture. The aim of CASB is to extend visibility into the cloud applications in use, as well as application details and risk information. On the other hand, ZTNA takes the strategic approach of eliminating implicit trust: all resources are considered external, and trust is continuously verified before granting only the required access.

A typical ZTA user identity and access management implementation

Be happy my friends! Did you know SASE?

8 March 2021

DNS Security

We don’t know yet what the next years will look like after the pandemic. It seems there will be lots of remote users working from home. There will be lots of people working out of the office. As a result, more and more services will be published on the Internet instead of the Intranet, because remote users have to access these services for their daily work. In addition, these remote users are out of the scope of the security perimeter. Therefore, they are going to have, from time to time, direct access to the Internet.

One of the services that must be published on the Internet is the DNS service, because remote users have to resolve domain names to IP addresses to work from home. This new requirement is dangerous for DNS servers because they are going to be the target of all types of DNS-based attacks, from stealth to volumetric attacks, including cache poisoning, DDoS attacks, DNS tunneling, DGA malware and UDP floods. Consequently, DNS servers have to be protected with a DNS Guardian.
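Whatever product plays the “DNS Guardian” role, the detection side of it comes down to statistics over the resolver’s query log. The following added example in Node.js (not from any vendor and not from the post) runs three simple heuristics for the attack classes named above, a high NXDOMAIN ratio per client (DGA-style lookups), long high-entropy labels under one zone (tunneling-style traffic) and a per-second query spike from one source (volumetric floods), over constructed log lines. The log format, the thresholds and the sample addresses are assumptions of this example.

```javascript
// Added example, not from the post or any vendor product: detection logic a
// resolver operator can run over query logs. Log format "<ts> <src> <qname>
// <qtype> <rcode>", thresholds and sample lines are constructed for the example.

// Shannon entropy in bits per character; random-looking labels score high.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

function parseLine(line) {
  const [ts, src, qname, qtype, rcode] = line.trim().split(/\s+/);
  if (!rcode) throw new Error('malformed log line: ' + line);
  return { ts: new Date(ts), src, qname: qname.toLowerCase(), qtype, rcode };
}

// Assumed thresholds; tune them against a baseline of your own traffic.
const THRESHOLDS = { minQueries: 5, nxRatio: 0.5, labelLen: 30, labelEntropy: 3.5, tunnelCount: 3, qps: 100 };

function analyze(lines, t = THRESHOLDS) {
  const perSrc = new Map();
  for (const line of lines) {
    const q = parseLine(line);
    const s = perSrc.get(q.src) || { queries: 0, nxdomain: 0, suspiciousLabels: 0, perSecond: new Map() };
    s.queries += 1;
    if (q.rcode === 'NXDOMAIN') s.nxdomain += 1;
    const first = q.qname.split('.')[0];
    if (first.length >= t.labelLen && entropy(first) >= t.labelEntropy) s.suspiciousLabels += 1;
    const sec = Math.floor(q.ts.getTime() / 1000);
    s.perSecond.set(sec, (s.perSecond.get(sec) || 0) + 1);
    perSrc.set(q.src, s);
  }
  const findings = [];
  for (const [src, s] of perSrc) {
    const maxQps = Math.max(...s.perSecond.values());
    if (s.queries >= t.minQueries && s.nxdomain / s.queries >= t.nxRatio) {
      findings.push({ src, type: 'possible-dga', detail: `${s.nxdomain}/${s.queries} NXDOMAIN` });
    }
    if (s.suspiciousLabels >= t.tunnelCount) {
      findings.push({ src, type: 'possible-tunneling', detail: `${s.suspiciousLabels} long high-entropy labels` });
    }
    if (maxQps >= t.qps) findings.push({ src, type: 'query-flood', detail: `${maxQps} queries/s` });
  }
  return findings;
}

// Constructed sample log: one normal client and three suspicious sources.
const SAMPLE_LOG = [
  '2021-03-08T10:00:00Z 203.0.113.10 www.example.com A NOERROR',
  '2021-03-08T10:00:01Z 203.0.113.10 mail.example.com MX NOERROR',
  // DGA-style: a burst of random-looking domains that do not exist
  ...['qx7v2kd9f.net', 'lm3pz8wtq.com', 'zr4hy6bnc.info', 'vt9ks2dlp.org', 'wq5nf7xjm.net', 'hj2dg8rkt.com']
    .map((d, i) => `2021-03-08T10:00:0${i + 2}Z 198.51.100.7 ${d} A NXDOMAIN`),
  // tunneling-style: long high-entropy labels under one zone, TXT records
  ...['k3j9x2mq7vz8n4lp0tw6yb1hc5rd9fg2sa7eu4io', 'p8w1er5ty0ui3op2as6df4gh9jk7lz1xc5vb3nm0',
      'z4x8c2v6b0n5m1q9w3e7r1t5y9u3i7o2p6a0s4dg', 'm2n6b4v8c0x1z5l9k3j7h1g5f9d3s7a2q6w0e4rt']
    .map((l, i) => `2021-03-08T10:00:1${i}Z 198.51.100.9 ${l}.t.example.org TXT NOERROR`),
  // volumetric: 150 queries within the same second from one source
  ...Array.from({ length: 150 }, (_, i) => `2021-03-08T10:00:20Z 192.0.2.50 h${i}.example.com A NOERROR`),
];

console.log(analyze(SAMPLE_LOG));
```

Each heuristic on its own produces false positives (CDNs generate long labels, a misconfigured client produces NXDOMAINs), so in practice the findings feed a scoring or alerting pipeline rather than an automatic block.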

DNS Guardian

On the other hand, remote users are mainly working from home and, therefore, they are going to have direct access to the Internet. This decentralization has security challenges for the IT security team such as visibility, complexity and security. Companies want security protection on and off network for employees as well as rapid deployment and flexible enforcement levels for all ports and protocols. These security challenges can be achieved with a DNS-layer security, a secure web gateway, a security broker and a firewall.

DNS-layer Security

DNS-layer security should be the first line of defense against threats because DNS resolution is the first step in Internet access. The aim is to block requests to malicious and unwanted destinations before a connection is established. In addition, most IT security teams like visibility and statistics to know the DNS activity. However, most DNS-layer security tools require an agent installed on the computer where we are going to enforce the allowed and denied categories. What’s more, central management and visibility are always required when we have to manage lots of computers.
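To show what “blocking before a connection is established” and “allowed and denied categories” mean at the decision level, here is an added example in Node.js, not code from any DNS filtering product or from the post. It categorises a queried name by its longest matching parent domain, applies a policy of denied categories with an explicit exception list, answers blocked names with a sinkhole address instead of the real one, and aggregates the decisions so the security team gets the statistics the paragraph mentions. The category database, the policy and the sample queries are constructed; a real deployment would feed the lookup from categorisation and threat-intelligence feeds.

```javascript
// Added example, not a vendor's code: the per-query decision of a DNS-layer
// filter, taken before any connection to the destination is opened. Category
// data, policy and sample queries are constructed for this example.

// Category data keyed by domain; a match applies to the domain and everything
// below it (the most specific matching suffix wins). A Map avoids accidental
// matches on Object.prototype names such as "constructor".
const CATEGORY_DB = new Map([
  ['malware-c2.example.net', 'malware'],
  ['phish-login.example.org', 'phishing'],
  ['casino.example.biz', 'gambling'],
  ['example.com', 'business'],
]);

const POLICY = {
  deniedCategories: new Set(['malware', 'phishing', 'gambling']),
  // explicit exceptions, e.g. an analysis sandbox that needs the real answer
  allowlist: new Set(['sandbox.malware-c2.example.net']),
  sinkhole: '0.0.0.0',   // address returned instead of the real one
};

// All parent domains of a name, most specific first; case and trailing dot ignored.
function suffixes(name) {
  const labels = name.toLowerCase().replace(/\.$/, '').split('.');
  return labels.map((_, i) => labels.slice(i).join('.'));
}

function lookupCategory(name) {
  for (const s of suffixes(name)) {
    if (CATEGORY_DB.has(s)) return { category: CATEGORY_DB.get(s), matched: s };
  }
  return { category: 'uncategorized', matched: null };
}

function decide(name, policy = POLICY) {
  const { category, matched } = lookupCategory(name);
  const exception = suffixes(name).find(s => policy.allowlist.has(s));
  if (exception) return { name, action: 'allow', category, reason: 'allowlist:' + exception };
  if (policy.deniedCategories.has(category)) {
    return { name, action: 'block', category, reason: 'category:' + matched, answer: policy.sinkhole };
  }
  return { name, action: 'allow', category, reason: matched ? 'category:' + matched : 'default-allow' };
}

// Visibility: run the policy over logged queries and aggregate by action/category.
function summarize(queries, policy = POLICY) {
  const stats = { allow: 0, block: 0, byCategory: {} };
  const decisions = queries.map(q => decide(q, policy));
  for (const d of decisions) {
    stats[d.action] += 1;
    const c = stats.byCategory[d.category] || (stats.byCategory[d.category] = { allow: 0, block: 0 });
    c[d.action] += 1;
  }
  return { decisions, stats };
}

// Constructed sample queries as a resolver would see them.
const SAMPLE_QUERIES = [
  'www.example.com', 'cdn.malware-c2.example.net', 'phish-login.example.org',
  'sandbox.malware-c2.example.net', 'intranet.example.internal', 'CASINO.example.biz.',
];

const { decisions, stats } = summarize(SAMPLE_QUERIES);
for (const d of decisions) console.log(d.action.padEnd(5), d.name, '(' + d.reason + ')');
console.log(stats);
```

Returning a sinkhole address rather than NXDOMAIN is a design choice: it lets the blocked connection attempt itself be logged at the firewall, which is useful evidence when a client keeps trying to reach a known-bad destination.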

DNS Filter

I would like to highlight two useful technologies for companies that don’t want to install an agent on users’ computers to block requests to malicious sites: DNS over HTTPS (DoH) and DNS over TLS (DoT). Both are security protocols designed to increase user privacy and security by preventing eavesdropping and manipulation of DNS data through MITM attacks. These protocols are supported by most operating systems and browsers; as a result, we can easily configure DNS servers and proxy servers to resolve the remote users’ DNS requests and thus protect users from malicious sites.

DoH - DNS query and response transported over a secure HTTPS stream

To sum up, I think the DNS layer is increasingly important for endpoint protection because it is the first step in Internet access, but we should take into account that both servers and clients should be protected from malicious attacks.

Have a nice day! Are your clients and DNS servers secure?

1 March 2021

Cybersecurity Training

If you want to learn about cybersecurity, you can take training for free at FEVAL in Extremadura. This year is the fourth edition and there will be six courses. Moreover, the training is online and I’m the teacher. It’s great! Fantastic! I’m happy! In fact, there will be virtual lessons where I’m going to talk about security, systems, networks, forensics and lots of good tech things. Therefore, if you like cybersecurity, go ahead, I’m waiting for you!

Cybersecurity Training Schedule

The first two modules are about Security on Networks and Systems. I talk about security awareness, methodologies and tools in the basic course. For instance, we have been talking about ISO 27001 and we have also configured a virtual firewall. On the other hand, we’ll talk about Information Security Governance in the advanced course, but there will also be labs with a Web Application Firewall, Wireshark and a web debugging proxy. Actually, I like to talk about the security stuff I’m working on.

If you love security, you can continue with the Hacking courses. There will be two modules about hacking where you can learn technical skills such as vulnerability assessment, DoS attacks or Buffer Overflow. There will be lots of labs with Kali Linux, Greenbone and the Social-Engineering Toolkit (SET). We will even develop a malicious WhatsApp Messenger where students are going to test their own malware on a smartphone. Therefore, I think these hacking training courses are for people who love attacking and protecting systems.

If you really love security, you may also like learning about Forensics. Students will learn methodologies, procedures and techniques to look for electronic evidence in this course. We are going to use forensics tools such as FTK Imager, fcrackzip or exiftool. In addition, students will work on CTF (Capture The Flag) challenges. I have some CTFs ready for them. What’s more, we are going to dig into a Fileless Malware. It will be amazing!!

Finally, this fourth edition has a new course about Mobile Device Security. Students will learn concepts and techniques to secure mobile devices such as smartphones and tablets. In addition, they are going to learn tools to connect to remote networks and servers. We will also learn about mobile architectures as well as risks and threats. I think this is a course with lots of new interesting things where students will enjoy learning security.

To sum up, there is a cybersecurity training waiting for you. There are lots of labs, attacks and techniques ready for you in these lessons. This may be the beginning of your career as a security consultant. As a result, you will realise there are still lots of things to learn. I hope to see you soon in the virtual lessons.

Have a nice day! Keep studying!

