Date: 17-Feb :38

Similar documents
Enable Auditing in Open LDAP on Linux Server

IT Domain Name System Revisited

Netfilter Iptables for Splunk Documentation

ESS Linux Sys Admin - Guide to running ESS from the AWS AMI

DEPLOY A DNS SERVER IN A SECURE WAY

Netwrix Auditor Add-on for Privileged User Monitoring

Copyright 2018 PTC Inc. and/or Its Subsidiary Companies. All Rights Reserved.

SECURE FILE TRANSFER PROTOCOL. EventTracker v8.x and above

BIG-IP DNS Services: Implementations. Version 12.1

GVP Deployment Guide. Maintaining GVP

SAS 9.4 Foundation Services: Administrator s Guide

Upgrading to ThingWorx 7.3. Version 1.0

Copyright 2016 PTC Inc. and/or Its Subsidiary Companies. All Rights Reserved.

BIG-IP DNS Services: Implementations. Version 12.0

SAS Contextual Analysis 13.2: Administrator s Guide

Crestron Virtual Control Server-Based Control System

VSP16. Venafi Security Professional 16 Course 04 April 2016

Siemens PLM Software. HEEDS MDO Setting up a Windows-to- Linux Compute Resource.

SAS Contextual Analysis 14.3: Administrator s Guide

Buzztouch Server 2.0 with Amazon EC2

Managing DNS Firewall

VMware AirWatch Content Gateway Guide for Linux For Linux

Skybox Product Tour. Installation and Starting Your Product Tour Tour Login Credentials: User Name: skyboxview Password: skyboxview

Installing MooseFS Step by Step Tutorial. Core Technology Development & Support Team

VIRTUAL GPU LICENSE SERVER VERSION , , AND 5.1.0

Infor LN HTML5 Workbench Administration Guide

Software Token. Installation and User Guide. 22 September 2017

Virtual Appliance User s Guide

Tanium IaaS Cloud Solution Deployment Guide for Microsoft Azure

Request Manager User's Guide

Novatel Wireless SA-2100 Edge MicroServer Installation and Setup Guide. Version [1.0]

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

Windows Installation Guide 8.2

Getting Started Install and Configuration ThingWorx Studio Trial Version 8.2.1

SAS Factory Miner 14.2: User s Guide

Infor LN HTML5 Workbench Administration Guide

DNS Configuration Guide. Open Telekom Cloud

Downloading and installing Db2 Developer Community Edition on Ubuntu Linux Roger E. Sanders Yujing Ke Published on October 24, 2018

COLD WALLET + MASTERNODE SETUP ON LINUX

Infoblox Kubernetes1.0.0 IPAM Plugin

VMware AirWatch Tizen Guide

CA GovernanceMinder. CA IdentityMinder Integration Guide

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

WAM!NET Submission Icons. Help Guide. March 2015

Vantron VT-M2M-TC-VM ThingWorx Setup Guide

Centrify Infrastructure Services

EMS MASTER CALENDAR Installation Guide

Installation Guide Install Guide Centre Park Drive Publication Date: Feb 11, 2010

How to run NoMachine server inside Docker

Upgrading to ThingWorx 7.2. Version 1.0

Setting Up and Using WebDrive

Stonesoft 5.4. Stonesoft Management Center Installation Guide. Management Center

Purpose. Target Audience. Solution Overview NCPA. Using NCPA For Passive Checks

Appliance Guide. Version 1.0

Getting Started with VMware View View 3.1

DNS & DHCP CONFIGURATION

Integrate Apache Web Server

Deltek Touch Expense for Ajera. Touch 1.0 Technical Installation Guide

Configuration Guide. SafeNet Authentication Service. SAS Agent for Microsoft SharePoint on IIS 7/8. Technical Manual Template

LifeSize Gatekeeper Installation Guide

Automation Anywhere Enterprise 10 LTS

Centrify Identity Services Platform SIEM Integration Guide

CA MIA Tape Sharing for z/vm

Administration Dashboard Installation Guide SQream Technologies

Dell SupportAssist Version 2.1 for Dell OpenManage Essentials Quick Setup Guide

Installing Perseus SurveySolutions/EFM 1.4 for Windows 2000 (Microsoft Internet Information Services and Oracle Server) January 2006

VMware AirWatch Memcached Integration Guide Integrating Memcached functionality into your AirWatch deployment

Horizon DaaS Platform 6.1 Service Provider Installation - vcloud

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

Users, Groups and Permission in Linux

Linux Administration

FUJITSU Cloud Service S5 Setup and Configuration of the FTP Service under Windows 2008/2012 Server

Flexera Software Product Licensing Guide for InstallAnywhere 2010 and Earlier

SAS Event Stream Processing for Edge Computing 4.3: Deployment Guide

Dell SupportAssist Agent User s Guide

Centrify for Dropbox Deployment Guide

System Monitoring Plug-in User s Guide Release for Audit Vault and Database Firewall

Scan to Digitech v1.0

Integrate NGINX. EventTracker v8.x and above

Bitnami OroCRM for Huawei Enterprise Cloud

Running Kmeans Spark on EC2 Documentation

CA ehealth Integration for HP OpenView

Table of Contents. HotSpot Installation. Windows 7, 8.1 and 10. Windows Server OS. DNS Web Filter Setup. Windows Configuration. Antamedia HotSpot?

VMware AirWatch Content Gateway Guide For Linux

Log Management Part 1: Using rsyslog

Contents Overview... 5 Upgrading Primavera Gateway... 7 Using Gateway Configuration Utilities... 9

Standalone Scheduler Property File Creation Oracle FLEXCUBE Universal Banking Release [December] [2016]

About Backup and Restore, on page 1 Supported Backup and Restore Procedures, on page 3

Installing Connector on Linux

Installing Enterprise Switch Manager

Crestron Mercury Tabletop UC Audio Conference Console for Microsoft Teams

Running the Setup Web UI

Installing and Configuring vcloud Connector

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

Dell EM+S Intune. Android Enrollment Guide. Version 1.5

EnterpriseTrack Reporting Data Model Configuration Guide Version 17

PMOD Installation on MacOSX Systems

New Features Guide EventTracker v6.2

Arcserve Backup for Windows

Instructions for Partner- Signing Key Generation and Certificate Creation and Renewal

Transcription:

Date: 17-Feb-2017 21:38

Copyright Copyright(c) 2006-2015 ThreatSTOP, Inc. All Rights Reserved NOTICE: All information contained herein is, and remains the property of ThreatSTOP, Inc. and its suppliers, if any. The intellectual and technical concepts contained herein are proprietary to ThreatSTOP, Inc. and its suppliers and certain aspects thereof are protected by United States Patent No. 8,533,822 and United States Patent No. 8,869,237, and are protected by trade secret or copyright law. US Government Entities: The ThreatSTOP service, software and documentation, as applicable, are "commercial computer software" and "commercial computer software documentation" developed exclusively at private expense by Threatstop, Inc. ("Threatstop"). Pursuant to FAR 12.212 or DFARS 227 7202 and their successors, as applicable, use, reproduction and disclosure of the software and documentation is governed by the terms of Threatstop's commercial agreement. 2

Table of Contents Overview 5 Step-by-step guide 6 In the ThreatSTOP Portal 6 In the DNS Firewall Device 7 Logging and Restarting the Service 11 Sending Log Information to More Than One Destination 14 Testing 15 Index 16 3

Integrating with an Existing BIND 9.8+ Deployment 4

Overview The purpose of this document is to describe the integration process for ThreatSTOP DNS Firewall into an existing BIND 9.8+ deployment. This document is written under the condition that you have an existing DNS deployment and are looking to add the ThreatSTOP DNS Firewall to your existing network infrastructure. This is done by placing the DNS Firewall between your existing DNS configuration and your external connection. This will allow ThreatSTOP DNS Firewall to guard against hostile connections. A birds-eye view of the setup procedure is: 1. 2. Open a ThreatSTOP account if you have not already done so. Specify that you are setting up a DNS Firewall in order to receive any needed materials. In the Device section of the Portal, configure a new device with the following settings: Manufacturer: DNS Server Model: BIND 9.8+ Note: More information about setting up Devices in the Portal can be found in the Introduction. 3. 4. You will then need to configure the rest of the Portal to service a ThreatSTOP DNS Firewall as explained in ThreatSTOP DNS Firewall. Configure BIND itself to act as a slave server for the zone that contains your policy. 5. Configure the client machines to be protected to use the ThreatSTOP DNS Firewall for address resolution. 5

Step-by-step guide The following steps will walk you through the configuration of BIND to serve you ThreatSTOP DNS Firewall. Note that these steps begin after the account creation process has finished. In the ThreatSTOP Portal 1. In the ThreatSTOP portal add a DNS Firewall policy. To do this: Click on Policies & Lists. Then on the DNS FW Policy tab. Select + Add Policy. Set a Policy name: in the corresponding field. If you want to change the default behavior of the RPZ Target Lists being used set it in the Default Behavior field. Note: The available behaviors are: NXDOMAIN NODATA PASSTHRU DROP Select the RPZ Target Lists you want to block. For our example we'll use the BASIC list with the default behavior. If you want a specific list to be treated differently from other included lists, change the Behavior dropdown to the desired action. Caution: This dropdown will override the Default Behavior field. Click on Submit to save your changes. 6

2. Click on Devices and then on + Add Device. Enter a Nickname for the device, this should probably be something descriptive of the device. Set the Manufacturer and Model to: Manufacturer: DNS Server Model: BIND 9.8+ Set the IP Type as defined by your network needs. Warning: Using a Dynamic IP address is far outside of best practices and is not recommended. Unexpected results can occur if this setting is used. The IP Address of the device is the external IP address (unsecured side of the firewall). This can be determined by visiting: http://www.threatstop.com/cgi-bin/validip.pl Select the DNS Firewall policy you defined previously in the Policy drop down. In the DNS Firewall Device 1. 2. 3. 4. Login to the device as normal. Change to the BIND configuration directory cd /etc/bind Enter cat named.conf Verify that named.conf contains the following lines. If they are not present they will need to be added to the file: 5. /etc/bind/named.conf.options /etc/bind/named.conf.local After verifying that named.conf has the needed entries (or adding the same) you will need to adjust named.conf.options. To do this: Enter sudo vi named.conf.options Then add the following to the file: response-policy { zone "<RPZ Zone Name>"; 6. You'll also need to add the following information to named.conf.local 7

zone authorization (secret/key) logging Caution: You can only use one master IP. You will also need to contact ThreatSTOP support to receive your TSIG key. This is required to complete deployment. // // Do any local configuration here // key threatstop-threatstop { algorithm hmac-md5; secret "<insert TSIG key here>"; server 192.124.129.51 { keys { threatstop-threatstop ; zone "<RPZ Zone Name>" { type slave; masters { 192.124.129.51; file "/var/cache/bind/zones/<rpz Zone Name>"; allow-query { localhost; allow-transfer { localhost; allow-notify { none; logging { channel normal-log { file "/var/log/named/named.log" versions 3 size 1m; severity info; category default { normal-log; 8

channel named-rpz { file "/var/log/named/rpz.log"; severity debug; print-time yes; category rpz { named-rpz; Note: Eventually you'll want to change allow-query to something similar to the following: allow-query { localhost; our_clients; You can then add a section similar to the following above the zone policy definition: acl our_clients { 10.0.0.0/24; This will allow your internal client DNS servers to update their lists based on our RPZ data. 7. After adding the information above to named.conf, you will need to add the following line into a file called logrotate-ts in the /etc/cron.hourly/ directory. To do this enter the following from the command prompt: Type cd /etc/cron.hourly and press ENTER. Type sudo vi logrotate-ts and press ENTER. This may require you re-enter your login password. Tap the i key to enter Insert mode. Add the opening statement #!/bin/sh and tap ENTER Type /usr/sbin/logrotate -f /etc/logrotate.d/threatstop Tap Esc, then press :wq and ENTER 9

8. The following commands will setup the directory structure for deployment, and set the appropriate permissions for each directory: sudo mkdir /var/cache/bind/zones sudo chmod 755 /var/cache/bind/zones sudo chown bind:bind /var/cache/bind/zones sudo mkdir /var/log/named sudo chmod 755 /var/log/named sudo chown bind:bind /var/log/named This will be useful if you decide to uninstall, and choose to remove BIND completely. 9. Finally, enter sudo service bind9 restart and press ENTER. Note: sudo is not required for users logged in with administrative privileges. 10

Logging and Restarting the Service After configuring the BIND server to use ThreatSTOP's Threat Intelligence lists, you can start sending your logs to ThreatSTOP, which will then be used to help re-enforce our community's Threat Intelligence. Before starting in on this section, certain prerequisites need to be met: Your system will need to be configured to run logrotate, and must have curl, stat, md5sum, and cut utilities. Note: The following packages are available for these utilities on Ubuntu 14.04: curl: sudo apt-get install curl logrotate: sudo apt-get install logrotate stat, md5sum, and cut are all part of the core Ubuntu 14.04 distribution, and should automatically install with the OS. After ensuring these programs are present you can start uploading logs back to ThreatSTOP using logrotate to do this: 1. Change directory to the logrotate.d folder and create a new file called threatstop cd /etc/logrotate.d sudo vi threatstop 11

2. Copy and paste the example below to /etc/logrotate.d/threatstop /var/log/named/rpz.log { rotate 7 size 100k missingok notifempty delaycompress compress create 0644 bind postrotate /usr/sbin/service bind9 restart > /dev/null /usr/bin/curl -v -F "upfile=@$1.1" -F "upfile_size=`/usr/bin/stat -c %s $1.1`" -F "md5_client=`/usr/bin /md5sum $1.1 /usr/bin/cut -d' ' -f 1`" -F "fw_ip=<device IP>" https://www.threatstop.com/cgi-bin/logupload. pl #insert command to send to SIEM system endscript } Adjust the value fw_ip to match the IP address entered on the portal. This is typically the external IP provided by https://www.threatstop.com/cgi-bin/validip.pl Note: The curl solution above assumes the following: The system has curl, stat, md5sum and cut and they are located at the paths specified logrotate, rotates logs and the latest rotated log is $1 with ".1" appended. In this example it would be: /var/log/named/rpz.log.1 The user will update the fw_ip value to the actual value for their device 3. Enter sudo service bind9 restart and press ENTER. 12

4. Enter sudo service bind9 reload and press ENTER. Note: sudo is not required for users logged in with administrative privileges. 13

Sending Log Information to More Than One Destination The configuration above will upload the rotated file to ThreatSTOP and if specified wherever the second command in the postrotate section sends it. If the data is to be sent to a syslog server however, the process is simplified by adding a second BIND channel in rpz.log as shown in the configuration below: /etc/bind/named.conf(.local) logging { channel remote_syslog_rpz { syslog local4; severity debug; print-time yes; category rpz { named-rpz; remote_syslog_rpz; Follow this up with forwarding the syslog configuration to the SIEM (based on your setup). For example, with rsyslog: /etc/rsyslog.d/50-default.conf local4 @10.100.254.130:514 14

Testing To test that your configuration is up and running you'll need to setup a temporary test policy in the ThreatSTOP portal. Any policy added to this list should have the RPZ behavior set to NXDOMAIN or DROP. After setting this: 1. Go to known good website (i.e., www.google.com) to verify that you are able to connect. 2. Go to a known bad website (i.e., bad.threatstop.com). Based on your testing policy's settings you should receive a rejection screen (for NXDOMAIN) or have your connection time out (DROP). 15

Index 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback