Protect Your Network From DNS Exfiltration Attacks

Transcription

Protect your network from DNS exfiltration attacks
Edge Modernization, 09/30/2021
Vadim Omeltchenko, Sr. Solution Architect, Amazon Web Services
Vishal Lakhotia, Solution Architect, Amazon Web Services

Agenda
- Role of Amazon Route 53 in AWS Edge services
- What is DNS data exfiltration
- Outbound network traffic inspection
- DNS traffic inspection
- Amazon Route 53 Resolver DNS Firewall
- Deployment patterns
- Deployment steps

The role Route 53 plays in AWS Edge services
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications.
- Route 53 Resolver
- Traffic flow rules
- DNSSEC
- Load balancer integrations
- Application recovery functions
- Geo DNS
- Integrated Route 53 Resolver DNS Firewall

2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.

What is DNS data exfiltration?
Unauthorized transfer of data from a compromised system to a remote host over the DNS protocol.
- Target system is compromised
- Sensitive data is moved out of the environment
- Data transfer takes place over DNS
- Custom/exploited DNS server on the receiving end
- Can be prevented with firewalls, IDS/IPS

How DNS data exfiltration works
Compromised system: encode "secret" -> c2VjcmV0
DNS query: c2VjcmV0.123xyz.com
Attacker's DNS server: receives the query for c2VjcmV0.123xyz.com, decodes c2VjcmV0 -> "secret"
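An added detection example, not part of the deck: a Python heuristic that scans Route 53 Resolver query-log records for the pattern on this slide from the defender's side, that is, encoded-looking leftmost labels streaming from one source to one zone. The log lines are constructed; the query_name/srcaddr/query_type field names follow Resolver query logs, the 123xyz.com zone comes from the slide, and the length, character-class and entropy thresholds are illustrative assumptions.

```python
import json
import math
import re
from collections import defaultdict

# Constructed Route 53 Resolver query-log records (JSON lines), not real traffic.
# Field names follow the query_name / srcaddr / query_type naming of Resolver
# query logs; 123xyz.com is the attacker zone from the slide.
LOG_LINES = [
    '{"query_name":"www.example.com.","srcaddr":"10.0.1.10","query_type":"A"}',
    '{"query_name":"c2VjcmV0.123xyz.com.","srcaddr":"10.0.1.25","query_type":"TXT"}',
    '{"query_name":"cGFzc3dvcmQ9aHVudGVyMg.123xyz.com.","srcaddr":"10.0.1.25","query_type":"TXT"}',
    '{"query_name":"ip-10-0-1-10.ec2.internal.","srcaddr":"10.0.1.10","query_type":"A"}',
    '{"query_name":"Y3JlZGl0Y2FyZC1kdW1w.123xyz.com.","srcaddr":"10.0.1.25","query_type":"TXT"}',
    '{"query_name":"api.example.com.","srcaddr":"10.0.1.10","query_type":"A"}',
]

def shannon_entropy(s):
    """Bits per character; encoded data scores higher than dictionary words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_encoded(label):
    """Hostnames are short lowercase words; exfil labels are long, mix
    upper/lower/digits (base64-style) and have high entropy (thresholds assumed)."""
    classes = sum(bool(re.search(p, label)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    return len(label) >= 8 and classes >= 2 and shannon_entropy(label) >= 2.4

def zone_of(qname):
    """Crude zone extraction: last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_exfil_candidates(lines, min_unique=3):
    """Group encoded-looking leftmost labels by (source IP, zone) and keep the
    pairs with at least min_unique distinct labels: one odd label is noise,
    a stream of never-repeating labels to one zone is the exfil signature."""
    seen = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        labels = rec["query_name"].rstrip(".").split(".")
        if len(labels) >= 3 and looks_encoded(labels[0]):
            seen[(rec["srcaddr"], zone_of(rec["query_name"]))].add(labels[0])
    return {key: sorted(v) for key, v in seen.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (src, zone), labels in find_exfil_candidates(LOG_LINES).items():
        print(f"{src} -> {zone}: {len(labels)} distinct encoded labels {labels}")
```

In practice the same logic runs over the query logs that DNS Firewall and Resolver query logging deliver to S3, CloudWatch or Kinesis, and the flagged (source, zone) pairs become candidates for a denylist rule.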

VPC security options (shown on a VPC diagram with subnets and NACLs)
- Traffic mirroring
- DNS Firewall
- NACL
- Security group
- AWS Shield
- Flow logs
- Amazon GuardDuty
- AWS WAF
- AWS Network Firewall
- Gateway Load Balancer
- 3rd-party appliances

With AWS Network Firewall

Centralized security inspection
Diagram elements: Egress VPC (Internet Gateway, NAT Gateway); Inspection VPC (Firewall Endpoint, AWS Network Firewall); VPC 1 (Instance 1), VPC 2 (Instance 2), VPC 3 (Instance 3); Transit Gateway.

With AWS GuardDuty

GuardDuty findings
Amazon GuardDuty identifies threats by continuously monitoring the network activity, data access patterns, and account behavior within the AWS environment. It comes integrated with up-to-date threat intelligence feeds from AWS, CrowdStrike, and Rebind.

With AWS Route 53 Resolver DNS Firewall

DNS Firewall features
DNS filtering
- Domain-name-based filtering
- Create denylists and allowlists
- Custom deny actions
- Filtering on Resolver and Resolver endpoints
Managed domain lists
- Domain-name-based lists managed by AWS
- Provide protection against malware and botnet (C&C)
Visibility and reporting
- Per-rule CloudWatch metrics
- Configurable logs sent to S3, CloudWatch, Kinesis

Deployment model: Cloud-only
Diagram elements: AWS Cloud; VPC with Instances in two Availability Zones; VPC 2 with Resolver and DNS FW in each Availability Zone.

Deployment model: Hybrid
Diagram elements: AWS Cloud; Corporate Network (Servers); VPC with Instances in two Availability Zones; VPC 2 with Resolver and DNS FW in each Availability Zone; connection between the Corporate Network and AWS Cloud (label garbled in the source: "DNS onnect").

CloudWatch Contributor Insights
- Surface outliers and top talkers
- Identify impacted users and resources
- Get actionable alerts and take remedial actions

CloudWatch Anomaly Detection
Use CloudWatch Anomaly Detection to help avoid manual configuration of static thresholds, and to more clearly differentiate between normal and problematic behavior.

DNS Firewall, Network Firewall, GuardDuty

Instances using an external DNS server
Diagram elements: VPC across two Availability Zones; Internet gateway; NATGW Subnet 1 (NATGW 1) and NATGW Subnet 2 (NATGW 2); Private Subnet 1 (Instance 1) and Private Subnet 2 (Instance 2).
Considerations:
- No visibility into what FQDNs are being queried
- Bypasses GuardDuty DNS query detections
- No visibility into C&C traffic

Instances using an external DNS server with Network Firewall
Diagram elements: VPC across two Availability Zones; Internet gateway; GWLB Subnet 1 and GWLB Subnet 2 (Network Firewall); NATGW Subnet 1 (NATGW 1) and NATGW Subnet 2 (NATGW 2); Private Subnet 1 (Instance 1) and Private Subnet 2 (Instance 2).
Considerations:
- Network Firewall gives visibility and control over DNS requests leveraging external DNS servers
- Bypasses GuardDuty's DNS query detections

Instances using Route 53 Resolver
Diagram elements: VPC across two Availability Zones; Internet gateway; GWLB Subnet 1 and GWLB Subnet 2 (Network Firewall); NATGW Subnet 1 (NATGW 1) and NATGW Subnet 2 (NATGW 2); Private Subnet 1 (Instance 1) and Private Subnet 2 (Instance 2).
Considerations:
- DNS requests bypass Network Firewall
- DNS Query Logging for FQDN visibility can be enabled
- No control over what queries are answered
- GuardDuty can provide visibility and alert to bad domains being queried, and DNS tunneling / exfiltration

Instances using Route 53 Resolver DNS FW
Diagram elements: VPC across two Availability Zones; Internet gateway; GWLB Subnet 1 and GWLB Subnet 2 (Network Firewall); NATGW Subnet 1 (NATGW 1) and NATGW Subnet 2 (NATGW 2); Private Subnet 1 (Instance 1) and Private Subnet 2 (Instance 2); DNS FW in each Availability Zone.
Considerations:
- Defense in depth
- Visibility and control over requests to the R53 endpoint and external requests
- Maximum visibility and control

AWS Console

Creating DNS Firewall Rule

Create DNS Firewall Policy

Describe Policy

Define Policy Scope

Review and complete

AWS Firewall Manager

Centralized AWS Firewall Manager

AWS Partners supporting AWS Network Firewall

AWS Partners supporting DNS Firewall

Thank you!
Vadim Omeltchenko
Vishal Lakhotia
vadimo@amazon.cmlakhov@amazon.com