PA blocks spyware - identify compromised computer

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA blocks spyware - identify compromised computer

L2 Linker

Hi there,

we're running the following setup:

trusted zone | DC zone | Internet

Client/Proxy/some old DNS Server| DNS Server| Internet

I see that the PA is blocking malware traffic (app DNS). But the attacker is either the proxy, asking the DNS in the DC zone, or the old DNS server, asking DNS servers in the Internet.

Unforunately that way I don't get the compromised machine.

What do you guys have in place to identify such computers? Put the proxy and the old DNS in a different zone? Or is the DNS sinkhole the way to go?

Thanks for your suggestions.

Cheers,

Sven

6 REPLIES 6

L7 Applicator

In order for the PA to identify the computer the traffic would have to cross the PA from the computer to the DNS server or from the computer to the proxy.

For the proxy server requests I would check the proxy logs for the DNS record and see if it logs that site as visited by a user.

For the DNS server if you did put this into its own dmz like zone then all traffic to the DNS would get seen and logged.  But be careful what you ask for.  This will generate a LOT of logs and will thus shorten the time frame of available logs on the PA.  DNS is used very frequently on a modern network.  A single page load can generate 10 dns requests easily.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Steven,

thanks for your answer!

We're not logging allowed traffic to avoid logs blowing our firewall. So that would be fine.

So I've the following options:

- put proxy's into another zone

- scan the proxy logs

Cheers,

Sven

L4 Transporter

Sven,

Would using the sinkhole feature within your Anti-spyware Profile help?   We have a situation where the user to DNS server communication does not traverse the firewall.  By using the sinkhole response on DNS signatures you can see who is going to the sinkhole IP address (because you define it and force the traffic to it to traverse the firewall ).  Certainly this is useful in helping you to look a bit more closely at specific source IP addresses on your network.  DNS sinkhole is one of those red flags to help you identify unusual or suspicious traffic.

Hope this helps,

Phil

I was wondering the same thing. (DNS Sinkhole)

I'm getting ready to implement it on our firewall.

I have implemented SinkHole and it works awesome.

thanks

Thanks for the update.  Sink hole has been on my list to get rolled out for a while.  I need to get this setup.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 4322 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!