DNS: High security with low costs

For more than a decade, OpenDNS has been among the world's most used DNS services, and it is still regarded as one of the best ways to get the most security for your money. Cloud-based DNS security is easy to implement and maintain. Let's look at Cisco Umbrella, previously known as OpenDNS.

We might as well make it clear right from the start: 100% IT security is impossible to achieve. No amount of money buys a security level that makes the cybercriminal's chosen job, stealing or destroying data, impossible.

This fact has led to IT security solutions often ending up at the expensive end, with the expectation that the more we pay, the more security we get.

That assumption is not necessarily wrong, but however much security we pay for, we still face enormous problems if attackers manage to reach our data anyway.

Therefore it is important to focus efforts where they have the greatest effect: where a relatively limited effort takes you a long way. That is where securing the company's DNS lookups comes in.

Domain Name System

Every connection on the internet needs the IP address of the host we want to reach. Knowing the host's name or website address alone is not enough; an IP address must be used.

The task of DNS, the Domain Name System, is to translate a domain name into an IP address. When a website is opened, a DNS lookup is performed first, which returns the IP address of the server hosting the website. The request is then sent to that IP address, and the website comes back as the response.

Why secure DNS lookup?

The principle behind DNS security is to use what is known about the domains and IP addresses that hosts sit behind. If, for example, a user tries to reach www.ondt-malware-site.ru, the DNS security service checks the reputation of that domain and decides whether traffic may be sent there or should be blocked.

Blocking happens at the resolution step: instead of the real address, the DNS server answers with the IP address of a predefined block-page server, which tells the user that traffic to the site is not allowed. Note that this only protects clients that actually send their queries to the filtering resolver; a host that uses another resolver, or connects straight to a hard-coded IP address, is not covered, so outbound DNS to anything but the chosen resolvers should be blocked at the firewall.

The same knowledge is used to categorise sites on the internet, for example as Gambling or Adult. This gives the company the possibility to define in advance which types of hosts it wants to allow or block access to.

We started this post by pointing out that 100% security is impossible, so you must expect that malware will sneak in at some point. Here too DNS security helps, because it can prevent the malware from communicating with its Command & Control (C2) server, at least when the malware locates that server by domain name, as most malware does, rather than by a hard-coded IP address. The malware can then neither receive instructions nor exfiltrate data from the company's systems.

These are the reasons it is a really good idea to secure the company’s DNS Lookup:

  • Traffic to known malicious hosts is stopped before a connection is ever made
  • The impact of risky user behaviour is reduced
  • Malware that does get in is prevented from communicating with its Command & Control server
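To make the blocking mechanism and the C2 point above concrete, here is an added example (written for this post, not Cisco's code) of the decision a filtering resolver makes for each query: it normalises the name, matches it and its parent domains against reputation data, and answers either with the real address from upstream or with a sinkhole address. The block list, the categories, the sinkhole address 192.0.2.10 and the upstream answers are all constructed for the example; the choice that an allow list overrides category blocks but never security blocks is a design decision of the example, not a statement about Umbrella.

```python
"""Constructed example of DNS-layer blocking: how a filtering resolver decides
whether to return the real answer or a sinkhole address. Illustration code,
not Cisco Umbrella's implementation; all data below is made up."""
from dataclasses import dataclass
from typing import Optional

# Assumed address of the block-page server (a TEST-NET-1 documentation address).
SINKHOLE_IP = "192.0.2.10"

# Constructed reputation data. A real service derives this from global query telemetry.
SECURITY_BLOCK = {                      # always blocked, whatever the company policy says
    "ondt-malware-site.ru": "malware",  # the page's own example domain
    "c2.example.net": "command-and-control",
}
CONTENT_CATEGORY = {                    # blocked only if the company opts to block the category
    "casino.example.com": "gambling",
    "news.example.org": "news",
}

# Constructed stand-in for the recursive lookup a resolver performs upstream.
UPSTREAM_ANSWERS = {
    "www.example.com": "203.0.113.5",
    "casino.example.com": "198.51.100.7",
    "news.example.org": "198.51.100.8",
}


@dataclass(frozen=True)
class Policy:
    blocked_categories: frozenset             # content categories the company chose to block
    allowed_domains: frozenset = frozenset()  # exceptions to category blocks (never to security blocks)


@dataclass(frozen=True)
class Decision:
    action: str            # "block" or "allow"
    reason: str            # category that decided it, or "uncategorised"
    answer: Optional[str]  # A record handed to the client (None if the name does not exist)


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.strip().rstrip(".").lower()


def candidates(name: str) -> list:
    """The name itself and every parent domain, most specific first,
    so an entry for c2.example.net also covers beacon.c2.example.net."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def classify(name: str):
    for cand in candidates(name):
        if cand in SECURITY_BLOCK:
            return "security", SECURITY_BLOCK[cand]
        if cand in CONTENT_CATEGORY:
            return "content", CONTENT_CATEGORY[cand]
    return "unknown", "uncategorised"


def resolve(qname: str, policy: Policy) -> Decision:
    name = normalize(qname)
    kind, label = classify(name)
    if kind == "security":
        # Known-bad infrastructure: the client gets the sinkhole, never the real address,
        # so malware asking for its C2 server cannot reach it.
        return Decision("block", label, SINKHOLE_IP)
    if kind == "content" and label in policy.blocked_categories and name not in policy.allowed_domains:
        return Decision("block", label, SINKHOLE_IP)
    # Allowed: hand back whatever recursive resolution produced.
    return Decision("allow", label, UPSTREAM_ANSWERS.get(name))


if __name__ == "__main__":
    company_policy = Policy(blocked_categories=frozenset({"gambling"}))
    for q in ("www.example.com", "WWW.Ondt-Malware-Site.RU.", "beacon.c2.example.net",
              "casino.example.com", "news.example.org"):
        print(f"{q:28} -> {resolve(q, company_policy)}")
```

Running the block shows the two outcomes side by side: the malware and C2 names get 192.0.2.10 regardless of policy, the gambling site gets it only because the company chose to block that category, and everything else gets its real upstream answer.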

Contributes to the community

Our recommendation for DNS security is Cisco Umbrella. Its predecessor, OpenDNS, has delivered global DNS security since 2006 and was acquired by Cisco in 2015.

After Google Public DNS, Cisco Umbrella is the world's most used DNS resolver service. That volume is what gives Cisco Umbrella its insight into which domains and IP addresses the criminals are using, and statistical models built on the same query data let it identify new domains quickly when criminals start using them, even from IP addresses that have never before been used for fraud or scams.

It is also worth noting that it is free to get started with Cisco Umbrella. All you need to do is point the company's DNS settings to the following IP addresses (use both, as primary and secondary resolver):

  • 208.67.220.220
  • 208.67.222.222

By doing this the company will typically experience faster DNS lookups. You can verify that queries really go to Umbrella by looking up the TXT record for the diagnostic name debug.opendns.com, which only OpenDNS/Umbrella resolvers answer and which reports the resolver server that handled the query. It is important to add, however, that the free service does not apply any blocking policy of the company's own and gives no insight into the company's DNS traffic.

On the other hand, you have the assurance that DNS traffic is not used to track user habits for advertising purposes. The contribution is that data about the company's DNS lookups is added to the global threat data set, which benefits all paying Cisco Umbrella customers.

Always updated

As mentioned, the only thing you need to do to use Cisco Umbrella is change the company's DNS settings to point to Cisco's servers. Cisco Umbrella therefore places no load on the company's own infrastructure.

No investment in extra hardware is needed to get the solution to work since all the scanning and blocking is cloud-based.

The clear advantage of Cisco Umbrella as a cloud-based tool is that you never need to perform updates yourself, because the service is always up to date.

It is also worth mentioning that Cisco Umbrella has had 100% uptime since the start in 2006. This is achieved by load-balancing across the two IP addresses, which are announced by several hundred servers in 26 data centres around the world using anycast: every data centre announces the same addresses, each query is routed to the nearest one, and if a data centre fails its traffic automatically moves to the others. You can read more about anycast on the blog.

Visibility gives insight

When we in the industry talk about IT security, we often also talk about visibility. By visibility we mean insight into what is actually happening in the company's own traffic:

  • How many DNS lookups are made?
  • Are they generated by users or by services?
  • How many are blocked?
  • Why are they blocked?

The Cisco Umbrella dashboard gives full visibility over the company's DNS security, and when, for example, you only want to see security events, all other events can be filtered out. At the same time you can see which internal IP addresses generated the blocked lookups, which tells you where it is worth investigating whether there is really something to worry about.

Is it an employee whose laptop has been hit by malware? Or is it one or more employees who need a quick refresher on safe behaviour online?
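As an added illustration of what such a dashboard computes (example code written for this post, not Umbrella's own, over a constructed log in a made-up format), the following aggregates lookups by action, reason and source and then sorts the sources with blocked lookups into the two cases just described: repeated blocks of the same C2-type domain point to an infected machine, while content-category blocks point to a user who needs a reminder. The log lines, the column layout and the three-hit threshold are all assumptions for the example.

```python
"""Constructed example: the aggregation a DNS security dashboard does to turn
raw lookups into visibility. The log format below is made up for this example
and is not Umbrella's real export format."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Categories whose blocks indicate a compromise rather than a policy choice.
SECURITY_CATEGORIES = {"malware", "command-and-control", "phishing"}

# Constructed sample log: one DNS lookup per line.
SAMPLE_LOG = """\
timestamp,source_ip,domain,action,category
2024-05-01T08:00:01Z,10.1.1.20,www.example.com,allowed,news
2024-05-01T08:00:05Z,10.1.1.20,casino.example.com,blocked,gambling
2024-05-01T08:00:09Z,10.1.1.31,c2.example.net,blocked,command-and-control
2024-05-01T08:01:09Z,10.1.1.31,c2.example.net,blocked,command-and-control
2024-05-01T08:02:09Z,10.1.1.31,c2.example.net,blocked,command-and-control
2024-05-01T08:02:30Z,10.1.1.31,update.example.org,allowed,software
2024-05-01T08:03:00Z,10.1.1.44,login-example.example,blocked,phishing
2024-05-01T08:03:10Z,10.1.1.44,www.example.org,allowed,uncategorised
"""


def parse_log(text: str) -> list:
    """One dict per lookup, keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))


def summarize(rows: list) -> dict:
    """The dashboard counters: how many lookups, how many blocked, why, and from where."""
    blocked = [r for r in rows if r["action"] == "blocked"]
    return {
        "total": len(rows),
        "blocked": len(blocked),
        "by_reason": Counter(r["category"] for r in blocked),
        "by_source": Counter(r["source_ip"] for r in blocked),
    }


def triage(rows: list, beacon_threshold: int = 3) -> dict:
    """Per source IP, separate 'probably infected' from 'needs a reminder':
    - investigate:  the same security-category domain blocked repeatedly (C2 beaconing pattern)
    - security-hit: a single security-category block (phishing click, drive-by)
    - awareness:    only content-category blocks (gambling, adult, ...)
    The threshold is an assumption for the example."""
    security = defaultdict(Counter)  # source -> Counter(domain) for security blocks
    content = set()                  # sources with content-category blocks
    for r in rows:
        if r["action"] != "blocked":
            continue
        if r["category"] in SECURITY_CATEGORIES:
            security[r["source_ip"]][r["domain"]] += 1
        else:
            content.add(r["source_ip"])
    verdicts = {}
    for src, domains in security.items():
        verdicts[src] = "investigate" if max(domains.values()) >= beacon_threshold else "security-hit"
    for src in content:
        verdicts.setdefault(src, "awareness")  # a security verdict always outranks awareness
    return verdicts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(summarize(rows))
    for src, verdict in sorted(triage(rows).items()):
        print(f"{src:12} {verdict}")
```

On the constructed log this flags 10.1.1.31, which asked for the same C2 domain three times in as many minutes, as the machine to pull for investigation, while 10.1.1.20 only hit a gambling block and goes on the awareness list.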

A three-stage rocket

The company's Cisco Umbrella licence is based on the number of users with internet access and comes in three editions, like the stages of a three-stage rocket:

  • Cisco Umbrella Professional is the first stage. With DNS lookup, blocking and insight into the company's DNS traffic, this edition will be adequate for most companies.
  • Cisco Umbrella Insights contains everything in Professional and adds Secure Internet Gateway (SIG) functionality, which sends the user's traffic through a transparent proxy when the reputation of the site being accessed is in doubt, so that individual requests can be inspected instead of the whole domain being allowed or blocked. It also includes a report on the company's use of cloud services, a useful tool against shadow IT.
  • Cisco Umbrella Platform supplements Professional and Insights with threat intelligence feeds and integration with third-party solutions.

An increasing number of companies have employees who work in the field every day, using networks other than the company's. These employees can install the Cisco Umbrella roaming client on their portable devices, which gives them the same level of protection off the company network as devices on it.

At present, the roaming client supports:

  • Windows 7, 8, 10
  • Mac OS X 10.9+

Should we be doing something?

I started out by saying that IT security is often a combination of complexity and high cost.

A somewhat trite industry term for what follows is low-hanging fruit. We'll jump on the bandwagon and say that DNS security, in our estimation, is fruit that hangs so low you barely need to bend to pick it.

Moreover, cloud-based DNS security is easy both to implement and to operate, so IT staff do not need to spend large amounts of time acquiring new skills.

By using what Cisco Umbrella and DNS security offer, it is possible to achieve a very high degree of security with relatively few resources, even if the security level can never reach 100 percent.

By Torben Nissen Ernst, Security Sales Lead, Conscia
With a special focus on threats in Information and Operational Technology, Torben Nissen Ernst has over the course of his career acquired extensive knowledge and experience of how businesses can succeed with these technologies. He is a specialist in the entire cycle before, during and after an attack, and in how businesses can stay ahead by protecting and controlling all their systems against, for example, malware, C2 and phishing.