In our white paper, How Proactive Management Secures Businesses, we’ve previously talked about layers of security organizations should consider using to harden their cybersecurity posture.
While no solution is completely fool-proof, adding different layers to the environment makes attackers’ work that much more difficult and hardens systems against possible threats or intrusions.
As threats evolve, the Internet-based attack vector, in particular, has become increasingly sophisticated, requiring more advanced levels of threat identification and remediation to stay ahead of cybercriminals. Enter the concept of DNS filtering!
While there are a number of enterprise-level security solutions that leverage DNS filtering, including Cisco Umbrella, DNSFilter, WebTitan Web Filter, Webroot DNS Protection, and others, the core concept behind them is the same. DNS filtering uses the Domain Name System (DNS) protocol.
When applications make domain-name requests, these requests are routed through the DNS filter service’s servers, where they are matched against threat feeds and the policy settings configured in the security solution. If a request is to a malicious/blocked domain, the user is diverted. This ensures that unwanted activity is cut off at the root because the request never makes it to the blocked/infected domain.
Because DNS is essential for most network connections to be established, DNS filtering solutions are also capable of comprehensively covering all devices on a network, from servers and computers to printers and tablets.
Common benefits of DNS filtering solutions include:
- Web content may be filtered using a wide variety of categories to block or allow sites with questionable content based on the organization’s discretion.
- Domain-specific Allow list/Block list policy configuration, allowing complete control over which domains and subdomains users are able to access.
- Newly seen domains are categorized in real-time by the Artificial Intelligence scanning engine.
- DNS filtering is able to block sources of malware and phishing, as well as next-gen threats such as botnets and cryptomining.
- Malicious content filtering is based on threat feeds maintained by the global security community and reported by humans, resulting in highly reliable data.
- Newly registered domains, newly seen domains, and domains with suspicious characteristics are analyzed to provide heuristic blocking.
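
The policy decision described above, as an added Python example (not code from any of the products named). All domains, the 30-day threshold and the order in which the checks are applied are assumptions made for illustration; names are matched on whole labels, so a block on example.com covers mail.example.com but not notexample.com.

```python
from datetime import date

# Constructed sample policy; every domain is a placeholder, not real feed data.
ALLOW_LIST = {"intranet.example.com"}
BLOCK_LIST = {"example.com"}
THREAT_FEED = {"malware.example.org"}
CATEGORY = {"casino.example": "gambling"}
BLOCKED_CATEGORIES = {"gambling"}
REGISTERED_ON = {"fresh.example": date(2024, 5, 28)}
NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly registered"


def candidates(qname):
    """Return the queried name and each parent domain, most specific first."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(qname, today):
    """Return (action, reason) for one DNS query name."""
    names = candidates(qname)
    # Explicit lists first: the most specific entry wins, so an allowed
    # subdomain can be carved out of a blocked parent domain.
    for name in names:
        if name in ALLOW_LIST:
            return ("allow", "allow list: " + name)
        if name in BLOCK_LIST:
            return ("block", "block list: " + name)
    # Then threat feed, content category and registration age, again
    # checked from the most specific name upward.
    for name in names:
        if name in THREAT_FEED:
            return ("block", "threat feed: " + name)
        if CATEGORY.get(name) in BLOCKED_CATEGORIES:
            return ("block", "category: " + CATEGORY[name])
        registered = REGISTERED_ON.get(name)
        if registered and (today - registered).days < NEW_DOMAIN_DAYS:
            return ("block", "newly registered: " + name)
    return ("allow", "no policy match")


if __name__ == "__main__":
    for q in ("www.intranet.example.com", "mail.Example.COM.", "notexample.com"):
        print(q, decide(q, date(2024, 6, 10)))
```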
To offer this protection, there are two approaches to securing end-points with DNS-level filtering. The first is at the site or physical location level, leveraging a combination of Active Directory, DHCP, and router/firewall appliances. This approach is very effective at providing protection to devices connected to the local network but offers no protection to devices that travel.
Once an end-point, such as a laptop, leaves the site premises, it resorts to using the DNS servers of whatever new network it connects to, leaving it vulnerable.
The second approach offers an answer to the risk of roaming devices by requiring the installation of endpoint software. This endpoint agent monitors all DNS requests on the device and then identifies whether the request should be allowed to proceed or whether it should be denied due to the organization’s policy configuration or the detection of a malicious domain.
As the endpoint agent resides on the local device, it doesn’t matter what network the device connects to; it maintains the same level of DNS protection as if it were attached to the protected physical-location network described in the first approach.
For more information on managed DNS filtering or endpoint management solutions, please check out Mechdyne’s Proactive Desktop Management and Proactive Server Management product offerings.