06-17-2015 12:04 AM
Hi there,
we're running the following setup:
trusted zone | DC zone | Internet
Client/Proxy/some old DNS Server| DNS Server| Internet
I see that the PA is blocking malware traffic (app DNS). But the attacker is either the proxy, asking the DNS in the DC zone, or the old DNS server, asking DNS servers in the Internet.
Unforunately that way I don't get the compromised machine.
What do you guys have in place to identify such computers? Put the proxy and the old DNS in a different zone? Or is the DNS sinkhole the way to go?
Thanks for your suggestions.
Cheers,
Sven
06-17-2015 03:32 AM
In order for the PA to identify the computer the traffic would have to cross the PA from the computer to the DNS server or from the computer to the proxy.
For the proxy server requests I would check the proxy logs for the DNS record and see if it logs that site as visited by a user.
For the DNS server if you did put this into its own dmz like zone then all traffic to the DNS would get seen and logged. But be careful what you ask for. This will generate a LOT of logs and will thus shorten the time frame of available logs on the PA. DNS is used very frequently on a modern network. A single page load can generate 10 dns requests easily.
06-18-2015 07:47 AM
Hi Steven,
thanks for your answer!
We're not logging allowed traffic to avoid logs blowing our firewall. So that would be fine.
So I've the following options:
- put proxy's into another zone
- scan the proxy logs
Cheers,
Sven
06-18-2015 12:27 PM
Sven,
Would using the sinkhole feature within your Anti-spyware Profile help? We have a situation where the user to DNS server communication does not traverse the firewall. By using the sinkhole response on DNS signatures you can see who is going to the sinkhole IP address (because you define it and force the traffic to it to traverse the firewall ). Certainly this is useful in helping you to look a bit more closely at specific source IP addresses on your network. DNS sinkhole is one of those red flags to help you identify unusual or suspicious traffic.
Hope this helps,
Phil
06-21-2015 01:07 PM
I was wondering the same thing. (DNS Sinkhole)
I'm getting ready to implement it on our firewall.
06-22-2015 08:48 AM
I have implemented SinkHole and it works awesome.
thanks
06-22-2015 03:36 PM
Thanks for the update. Sink hole has been on my list to get rolled out for a while. I need to get this setup.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
