PA blocks spyware - identify compromised computer

L2 Linker
Hi there,

we're running the following setup:

trusted zone | DC zone | Internet

Client/Proxy/some old DNS Server| DNS Server| Internet

I see that the PA is blocking malware traffic (app DNS). But the attacker is either the proxy, asking the DNS in the DC zone, or the old DNS server, asking DNS servers in the Internet.

Unfortunately that way I don't get the compromised machine.

What do you guys have in place to identify such computers? Put the proxy and the old DNS in a different zone? Or is the DNS sinkhole the way to go?

Thanks for your suggestions.

Cheers,

Sven

L7 Applicator

In order for the PA to identify the computer the traffic would have to cross the PA from the computer to the DNS server or from the computer to the proxy.

For the proxy server requests I would check the proxy logs for the DNS record and see if it logs that site as visited by a user.

For the DNS server, if you did put this into its own DMZ-like zone then all traffic to the DNS would get seen and logged. But be careful what you ask for. This will generate a LOT of logs and will thus shorten the time frame of available logs on the PA. DNS is used very frequently on a modern network. A single page load can generate 10 DNS requests easily.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L2 Linker

Hi Steven,

thanks for your answer!

We're not logging allowed traffic to avoid logs blowing our firewall. So that would be fine.

So I have the following options:

- put the proxies into another zone

- scan the proxy logs

Cheers,

Sven

L4 Transporter

Sven,

Would using the sinkhole feature within your Anti-Spyware Profile help? We have a situation where the user to DNS server communication does not traverse the firewall. By using the sinkhole response on DNS signatures you can see who is going to the sinkhole IP address (because you define it and force the traffic to it to traverse the firewall). Certainly this is useful in helping you to look a bit more closely at specific source IP addresses on your network. DNS sinkhole is one of those red flags to help you identify unusual or suspicious traffic.

Hope this helps,

Phil
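The two-step lookup Phil describes, as an added example that is not part of any post in this thread: the spyware threat log only names the forwarder (proxy or old DNS server) as the source, while the later connection to the sinkhole address carries the real client's IP. The log lines are constructed, simplified key=value records rather than real PAN-OS output, and the sinkhole and forwarder addresses are assumptions.

```python
"""Constructed example (not from the thread): find the real client behind a sinkhole hit.

Log lines are simplified key=value records written for this example, not real PAN-OS
output; the sinkhole address and forwarder addresses are assumptions."""
from collections import defaultdict

SINKHOLE_IP = "10.255.255.254"           # assumed: sinkhole address set in the Anti-Spyware profile
FORWARDERS = {"10.0.0.53", "10.0.0.54"}  # assumed: old DNS server and proxy that resolve for clients

# Threat log as the firewall sees it: the query crosses the PA from the forwarder,
# so the source is never the infected client.
THREAT_LOG = """\
type=threat subtype=spyware src=10.0.0.53 dst=198.51.100.10 app=dns action=sinkhole
type=threat subtype=spyware src=10.0.0.54 dst=198.51.100.10 app=dns action=sinkhole
"""

# Traffic log: the sinkholed answer makes the client connect to SINKHOLE_IP, and that
# connection does cross the firewall with the client's own address as source.
TRAFFIC_LOG = """\
type=traffic src=10.0.5.17 dst=10.255.255.254 dport=443 app=ssl action=allow
type=traffic src=10.0.5.17 dst=10.255.255.254 dport=80 app=web-browsing action=allow
type=traffic src=10.0.7.42 dst=10.255.255.254 dport=80 app=web-browsing action=allow
type=traffic src=10.0.5.99 dst=203.0.113.8 dport=443 app=ssl action=allow
"""

def parse(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split())

def records(log: str):
    return (parse(l) for l in log.splitlines() if l.strip())

def threat_sources(log: str) -> set:
    """Source addresses of sinkholed DNS queries (only forwarders when they do the resolving)."""
    return {r["src"] for r in records(log) if r.get("action") == "sinkhole"}

def sinkhole_clients(log: str, sinkhole_ip: str = SINKHOLE_IP) -> dict:
    """Map each host that connected to the sinkhole address to its connection count."""
    hits = defaultdict(int)
    for r in records(log):
        if r.get("dst") == sinkhole_ip:
            hits[r["src"]] += 1
    return dict(hits)

def hidden_by_forwarder(log: str, forwarders=FORWARDERS) -> bool:
    """True when every sinkholed query came from a forwarder, i.e. the threat log alone
    cannot name the infected machine and the traffic log must be checked."""
    srcs = threat_sources(log)
    return bool(srcs) and srcs <= forwarders

if __name__ == "__main__":
    if hidden_by_forwarder(THREAT_LOG):
        print("threat log only shows forwarders; suspects from sinkhole traffic:")
        for host, n in sorted(sinkhole_clients(TRAFFIC_LOG).items()):
            print(f"  {host}  ({n} connection(s) to {SINKHOLE_IP})")
```

On a real deployment the sinkhole hits come from the traffic log filtered on the sinkhole destination address, so that traffic must be logged even if allowed traffic is otherwise not.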

L3 Networker

I was wondering the same thing. (DNS Sinkhole)

I'm getting ready to implement it on our firewall.

L4 Transporter

I have implemented SinkHole and it works awesome.

thanks

L7 Applicator

Thanks for the update.  Sink hole has been on my list to get rolled out for a while.  I need to get this setup.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center