DNS Security Palo Alto Networks

Captions
Okay, let's talk about DNS security. So DNS is one of the most required things there is in a network; everything runs on DNS, and therefore it's also one of the main things to get attacked. So in order to protect your DNS, and when you protect your DNS you are effectively protecting your network, we can use Palo Alto Networks, of course, because that's what I do. So the license is required for this: the Threat Prevention license and the DNS Security license, sort of intuitive.

So what is DNS Security? Well, I'm not going to read it word for word, but basically it's an evolving threat detection service that is designed to protect your network from malicious domains. So it's maintained on a database shared between all Palo Alto Networks endpoints. When they use WildFire you get them down in your antivirus subscription, you get them down in the content packs, so that's all your signatures that are fixed and on the box. Because DNS is often used for malware to call home and receive instructions, it is one of the most important things, and for that reason Palo Alto Networks have a signature-based system, as I say, that's downloaded onto the box, but then it also uses a cloud-based system, and only refers to the signatures that are on the box if it can't connect to the cloud. Then the idea is to do DNS sinkholing for malicious domains, so that actually then cuts their connectivity off, but it also provides another route for us to potentially identify infected hosts.

An overview of how the whole system works together: you've got the WildFire traffic analysis data, you can see there; you've got the firewall telemetry (remember that box at the start, do you want to enable telemetry or do you not?), so it uses that. Then you've got malicious web content analysis, active crawling, manual submissions and the WHOIS database, that's all the stuff that they're doing; then Cyber Threat Alliance and honeynet, as well as Unit 42's own research data. That all comes up into this lovely-looking blue and orange block which does machine learning predictive detection, and then that pops out the DNS signatures and protections.

So what do you get protection from? Well, including but not limited to: domain generation algorithms, which are used, as suggested in this slide, to generate domains in large quantities. This is going to be for command and control channels; it's going to give them a resiliency, and as you know if you've looked into security at any point, botnets, CnC, they're so resilient, it is very difficult to take them down once they've become established. DNS tunneling, of course: everybody knows, every attacker knows, that DNS is going to be allowed on a network, it's not going to be not allowed in one form or another, and so if you can encode non-DNS programs into DNS queries and responses you can effectively give yourself a backdoor into operating systems, into file servers, so on and so forth. And of course we've got the good old known malicious domains, which makes sense; as the name suggests, domains known to be malicious, and this is going to be your instantaneous protection. So somebody gets a phishing email, they go to click the link, they click the link, your firewall knows it's malicious and it blocks it immediately and alerts on it. So that's pretty much what it is. It makes a lot of sense to use it, and not only that, it's very easy to set up.

So I'm going to go ahead now and set it up, and then we're going to trigger a couple and have a look and see what it looks like when it's triggered. So DNS Security is enforced through the Anti-Spyware profile, and that is under Objects, Anti-Spyware. So what we're going to do is look at the strict one; strict is Palo Alto's best practice, so that's what's included on all of them, okay, but obviously we can't edit that because it's one of the default profiles, so we clone it, give it a name. So for our rules, these are our rules for logging, and our actions as well: threat name any, category any, and you can choose any of these, so DNS Security, DNS WildFire, webshell. Action is to reset both, which will send a reset to either side, both client and the server. Packet capture: disable; you can do single-packet or extended capture on that one, and you can select which ones you're going to alert on or you're going to block. So for critical you want to reset both, that makes sense; all these will log. Simple: high, reset both; default low, default.

Exceptions: you'll find a lot of exceptions here, and here we see how many signatures we've got. So if we do a "show all signatures", currently within the threat database that it has immediately there for the firewall to use there are 13,337 threats in here. I always put these two as an exception; the reason is because they come up so often and it is just a false positive, and the way you do that, you simply enable that as an exception.

DNS signatures: so the Palo Alto Networks content DNS signatures, that's the ones that it downloads in the content updates, and the Palo Alto Networks DNS Security, that is the cloud security side. I don't quite know why it says to sinkhole that one and not this one, but best practice is to sinkhole both, and by default this will be filled in. You can change that to whatever you want; you can send it back to your loopback and then log on the loopback, or you can send it to there; might as well send it to there. Click OK.

And then to apply that to a policy, not in that policy because that should be daft, so we can now apply this to a policy, and we'll use our monitoring one because that's got no policies attached to it: Profile Setting, Profiles, Anti-Spyware, and then we can put that in there. If we log at session end, log forwarding going to Splunk; I'll log at the session end. It makes sense you log at the session end and don't log the session start, because your logs will just get absolutely hammered regardless of whether the traffic's allowed or not. So log at session end, and then I have the Palo Alto plugin on Splunk, so we can have a look at that to show the threats, and then I'll show you on the ACC as well, and the Monitor here, because Palo Alto supplies some test URLs that you can go to to make sure this has all been sinkholed. Okay, it is on time, and then good old commit.

So this is on my Splunk instance, and we can see that the firewall is now registering three network instances per hour. We can see the times when it's tried, these are the URLs it tried to go to, the severity, the fact that it was dropped, and then strangely, oddly enough, I went looking for the IP address so that we could do the finding compromised hosts part of this and just tried nslookup, and it actually dropped that as well as being spyware, sorry, as being a malicious domain. So there's that as well, and this allows you to drill down into it as well; you can look at the record, instant context as they call it, instant details: where it's going, vendor action, sinkhole, so on.

So now we can test the configuration, and to do this Palo Alto provides some test URLs, so we can just fire off against those and we can see that it's going to be sinkholed, and then we need to get an alert from that so that we know it. Then moving from there, we're then going to look at the detection of the host making the calls, set up a report so that we can have a report that we can run, and then later, hopefully next week, there'll be another video where we can do this automatically through XSOAR and then fire off email reports. Okay, so let's get going.

Okay, so here we are on the reports page, Manage Custom Reports. I've created the report already, but let's go and have a look and see if we can get some results into it first. So we'll try the first of the URLs, and that should just give us that; we'll try this one, which is for the command and control; this one, which is to simulate dynamic domain creation, cognitive words out; then finally this one for testing DNS tunneling, as the URL would tend to suggest. Okay, so none of those were successful. So let's go and have a look at our threat logs on here, and we can see the results here, the time and how it's been sinkholed, okay, that's the action. But in this particular instance, as you can see, sorry, it is midnight, cup of coffee, the source address is my firewall address; so it's not my firewall address, it's my gateway, and that is because I'm using DNS proxy.

So you may well ask, how then are we supposed to find out who's making the calls and thus who is a potentially compromised host? Well, as I already alluded to, if we go to custom reports, this is going to be the best way of showing this. So I happen to know that the IP address that the sinkhole URL goes to, or resolves to, is this one here. So yes, of course the DNS request is going to come from my DNS proxy address, because that's where it's going to come from; however, the subsequent call trying to reach this address for the DNS lookup will come from the host. So if we run this report now, it'll take a bit of time, we can see that these two addresses right here are the ones that are making the call and where they're making it to, and then you can do what you wish with that: you can export it to PDF, CSV or XML, that's all good, and then there's a report you can show to whoever.

As I say, the plan is now to do a video based on XSOAR, because although that's fine and you can do that, it is a bit old school. What would be nice: you can of course schedule the reports and then you can email that report on a scheduled basis; it's one way you could look at it if you don't want to put XSOAR in, but you know, I mean, we're moving forward, and as we always say, detection really is 99% of the game; if you can detect something quickly you can act on it. If you have a compromised host that's making calls out for a week before you want to run a report, well then, you know, you could potentially end up with issues. However, that said, it's also important to realize that those DNS requests are being sinkholed anyway, so whoever they're trying to reach, they're not reaching.

Okay, so I hope that's been helpful. Please like and subscribe, leave comments below if there's anything you want to see, anything you didn't like, I'm boring, whatever, and I will see you for the next video, which hopefully won't take as long to come out as this one did.
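The host-identification step described in the captions (the threat log names the DNS proxy as the source of every sinkholed query, so the real client has to be found in the traffic log as the host that then connects to the sinkhole address) as an added example; this is not code from the video or from Palo Alto Networks. It assumes a simplified CSV export of threat and traffic logs with only the columns shown, a hypothetical sinkhole address 10.255.255.1 and DNS proxy address 192.168.1.1, and constructed sample log lines; real PAN-OS exports carry many more columns and the sinkhole address is whatever is configured in the Anti-Spyware profile.

```python
import csv
import io
from collections import defaultdict

# Hypothetical sinkhole address set in the Anti-Spyware profile (assumption:
# neither the video's address nor the PAN-OS default is reproduced here).
SINKHOLE_IP = "10.255.255.1"
# Hypothetical address of the firewall's DNS proxy. With a DNS proxy in the path,
# every sinkholed query is logged with this as its source (assumption).
DNS_PROXY_IP = "192.168.1.1"

# Constructed sample logs in a simplified CSV shape:
# type,time,src,dst,dport,action,extra. Not a real PAN-OS export.
SAMPLE_LOGS = """\
type,time,src,dst,dport,action,extra
THREAT,2021-02-22 00:01:10,192.168.1.1,8.8.8.8,53,sinkhole,dga-test.example
THREAT,2021-02-22 00:01:11,192.168.1.1,8.8.8.8,53,sinkhole,c2-test.example
THREAT,2021-02-22 00:01:11,192.168.1.99,8.8.8.8,53,sinkhole,tunnel-test.example
TRAFFIC,2021-02-22 00:01:12,192.168.1.37,10.255.255.1,443,allow,tcp
TRAFFIC,2021-02-22 00:01:13,192.168.1.37,10.255.255.1,80,allow,tcp
TRAFFIC,2021-02-22 00:01:14,192.168.1.52,10.255.255.1,443,allow,tcp
TRAFFIC,2021-02-22 00:01:15,192.168.1.37,93.184.216.34,443,allow,tcp
"""


def parse_logs(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def sinkholed_queries(rows):
    """Threat-log rows whose action was 'sinkhole'.

    These prove the signature fired, but when clients resolve through the
    firewall's DNS proxy the src column is the proxy, not the infected host.
    """
    return [r for r in rows if r["type"] == "THREAT" and r["action"] == "sinkhole"]


def hosts_contacting_sinkhole(rows, sinkhole_ip=SINKHOLE_IP):
    """Map each source IP seen connecting to the sinkhole address to its attempts.

    The follow-up connection after the poisoned answer is made by the real
    client, so its src is the host to investigate. Returns
    {src_ip: [(time, dport), ...]}.
    """
    hits = defaultdict(list)
    for r in rows:
        if r["type"] == "TRAFFIC" and r["dst"] == sinkhole_ip:
            hits[r["src"]].append((r["time"], r["dport"]))
    return dict(hits)


def suspected_hosts(rows, sinkhole_ip=SINKHOLE_IP, dns_proxy_ip=DNS_PROXY_IP):
    """Sorted list of hosts to triage: clients named directly in the threat log
    (those not behind the proxy) plus clients seen reaching the sinkhole.
    The proxy itself is excluded because it is the resolver, not a victim."""
    direct = {r["src"] for r in sinkholed_queries(rows) if r["src"] != dns_proxy_ip}
    via_sinkhole = set(hosts_contacting_sinkhole(rows, sinkhole_ip))
    return sorted(direct | via_sinkhole)


def report(rows):
    """Plain-text summary in the spirit of the custom report shown in the video."""
    lines = [f"sinkholed DNS queries: {len(sinkholed_queries(rows))}"]
    for host, attempts in sorted(hosts_contacting_sinkhole(rows).items()):
        ports = ", ".join(sorted({p for _, p in attempts}))
        lines.append(f"{host}: {len(attempts)} connection(s) to sinkhole, ports {ports}")
    lines.append("hosts to triage: " + ", ".join(suspected_hosts(rows)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_logs(SAMPLE_LOGS)))
```

The important check is the one the video makes after the test URLs: a sinkhole hit in the threat log on its own only tells you the proxy resolved a bad name, so the traffic log filtered on the sinkhole address is what actually attributes the query to a workstation.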
Info
Channel: Mode44
Views: 1,516
Keywords: palo alto, dns, dnssec, mode44, tutorial
Id: KZKO5r4PWlQ
Length: 15min 11sec (911 seconds)
Published: Mon Feb 22 2021