runIP RADAR
security and visibility for your DNS-and DHCP-Environment
In modern TCP/IP networks, DNS is one of the most critical network services, as name resolution plays a central role in the connectivity of systems and applications. DNS is therefore also one of the preferred targets of malicious actors on the internet. This is mainly because by controlling a DNS server, users can be specifically redirected to servers of the attacker. In addition, DNS is also used for DDoS attacks, primarily via DNS amplification. In this case, an attacker sends small DNS queries with the spoofed address of his victim to a DNS server with the aim of generating the largest possible responses, which the DNS server then sends to the victim. In this way, the attacker can amplify his attack by a factor of up to 50 (hence amplification). Finally, DNS plays a role in many other attack scenarios, for example as a communication channel for command & control servers or in the exfiltration of data via DNS tunnels - i.e. a mostly inconspicuous data theft.
Securing DNS is especially important because a compromise of this service can significantly impact the availability of almost all applications. While DDI solutions simplify the operation of DNS and DHCP, they usually do not include targeted security measures to ensure the availability of the services at all times. runIP RADAR closes this gap and enables an efficient and robust protection of the DNS infrastructure.
Integration into the runIP SERVICES PLATFORM
runIP RADAR runs as a service on N3K's runIP appliances. It is managed and configured via a separate web interface. The RADAR server handles the entire configuration of runIP RADAR, which is replicated to all runIP appliances within the network.
Logging
runIP RADAR is capable of logging all DNS and DHCP traffic in the network in a decentralized manner or forwarding it centrally to an existing system at the customer's site. The technical attributes to be logged are freely configurable.
GUI-based Reporting
The RADAR server has an intuitive GUI, which is used to configure and control the RADAR server and all instances of runIP RADAR on the individual runIP appliances. The GUI offers a large number of predefined reports as well as easy options to create individual reports.
Alarmierung und Blockierung
runIP RADAR erlaubt die Definition von Rate Limits, bei deren Überschreitung Clients und/oder Ziele gezielt blockiert werden können. Bei Bedarf kann diese Blockierung auch den Client und die verwendete Domain umfassen.
runIP RADAR Features
unIP RADAR runs as a service on N3K's runIP appliances for efficient management of DDI solutions. The service reads all DNS traffic as well as all DHCP messages. The solution does not limit itself to DNS queries, but also logs the DNS server's responses, resulting in a comprehensive documentation of all DNS activities.
runIP RADAR uses optimized logging, which is more comprehensive than logging using BIND means and does not affect the name service even in case of logging problems. In addition, the recorded data can be automatically forwarded to SIEM solutions if required. The use of filters enables selective forwarding, since many SIEM solutions are licensed according to the number of events and otherwise there is a risk of a cost trap here. The transfer to SIEM systems usually takes place via Rsyslog.
Since runIP RADAR runs on all runIP appliances in the network, it enables decentralized detection of DNS anomalies such as DNS tunnels, through which attackers often try to exfiltrate data. Classical firewalls do generally not help against this, as they are usually configured to allow DNS traffic to flow unhindered. runIP RADAR automatically detects a variety of known DNS tunneling tools based on their signatures in real time, allowing DNS tunneling to be prevented very efficiently. Other anomalies, such as the sudden increase in DNS requests from individual clients, are also detected reliably and in real time, making it difficult or impossible for attackers to exchange data unnoticed via DNS.
Configurable thresholds allow administrators of runIP RADAR to limit the number of allowed requests to prevent misuse and to detect DNS anomalies. Limits can be set on the basis of IP addresses or IP address ranges, in order to prevent mail or proxy servers with their high number of legitimate queries from being affected. The type of technical attributes to be logged can also be freely defined by the administrator. In addition, it is possible to completely exclude trusted networks or domains from logging in order to increase performance and reduce data volume.
runIP RADAR runs as a service on N3K's runIP appliances. It is managed and configured via a separate web interface. The RADAR server handles the entire configuration of runIP RADAR, which is replicated to all runIP appliances within the network.
