IpTL’s DNS SecureSwitch™ Feature for
DNS/URL Based Dynamic Firewall ACLs & Path Switching
Get Control Over Your Comms Even when IPs are Changing!
Control of your data flows and connections is a key point of security operations. Today, IP-only firewall rules just can’t account for URL-based connections to servers and services, especially when the IP address behind a name isn’t always the same.
When a device or application needs to connect to a server on the Internet, it tries to connect to a name like www.youtube.com. Since all communication on the Internet is by IP address, your device first has to resolve that name to an IP address. That is exactly what DNS servers do.
IpTL’s DNS SecureSwitch™ feature watches DNS requests and responses and then automatically updates its ACL rules to allow, block, or switch based on your access policy at the immediate moment of communications.
Headless devices like IP cameras have revolutionized the security industry. But like all network-enabled devices, they introduce security vulnerabilities. It is well known that, in addition to ordinary hacking, such devices can carry backdoors and “phone home” to servers you never approved.
With IpTL SecureSwitch™, we can help give you control over headless devices and make sure they are only talking to authorized hosts.
In the example below, an Anpviz IP camera is connected to an IpTL appliance running SecureSwitch™ in a Zero Trust microsegmentation type configuration. We can see that the camera immediately wants to talk to seven (7) servers outside of our network. Using SecureSwitch™, we can permit the camera to connect to an NTP server for time but block all other outbound communications.
In addition to the DNS names that are filtered, we also check our standard IP rule logging. There we see the camera is trying to talk directly to many servers all over the world. Of course, we block these as well.
Cloud services, MSSP’s, and content delivery networks can bring security challenges, especially when controlling and limiting communications. When a device is accessing a service, the IP addresses of the server can change at a moment’s notice and on a per-connection basis.
Updating IP ACL rules by hand to allow such access is impractical, as you’ll never keep up. IpTL’s SecureSwitch™ tracks DNS requests and automatically updates its allow, block, and switch ACL rules to match the current request. With SecureSwitch™, it is easy to permit domain names and services without manually tracking any IP addresses or updating your ACL tables.
The example below shows one of the service names of a popular hosted video system. While you put these video devices on the inside of your network, it is prudent to put limits on where the camera can communicate. Multiple DNS requests to the name update.control.verkada.com return multiple sets of different IPs. SecureSwitch™ captures these IPs and updates its tables, helping to ensure your rules and policies are always the way you want…automatically.
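To make the mechanism described above concrete, here is an added model of a DNS-snooping dynamic ACL. It is illustration code written for this page, not IpTL’s implementation: it parses a DNS response (including compressed names), walks any CNAME chain back to the name the client actually asked for, learns the returned IPs into an allow/tunnel/block table for the lifetime of the answer’s TTL, and ignores answer records that do not belong to the query. The policy names, the RFC 5737 test addresses, the `MAX_TTL` cap and the response builder are all constructed for the example; only update.control.verkada.com comes from the page.

```python
import struct

TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1
MAX_TTL = 3600  # assumption: cap how long a learned IP stays open, whatever the TTL says


def encode_name(name):
    """Encode a dotted name in DNS wire format (uncompressed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, answers):
    """Constructed DNS response for testing: answers = [(owner, type, ttl, rdata)].
    Owners equal to the query name are emitted as a compression pointer (0xC00C),
    as real resolvers do, so the parser's pointer handling is exercised."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, rtype, ttl, rdata in answers:
        rd = bytes(int(o) for o in rdata.split(".")) if rtype == TYPE_A else encode_name(rdata)
        owner_wire = b"\xc0\x0c" if owner == qname else encode_name(owner)
        body += owner_wire + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd
    return hdr + body


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_response(msg):
    """Return (query name, [(owner, type, ttl, rdata)]) for the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            records.append((owner, rtype, ttl, ".".join(str(b) for b in msg[off:off + 4])))
        elif rtype == TYPE_CNAME:
            records.append((owner, rtype, ttl, read_name(msg, off)[0]))
        off += rdlen
    return qname, records


class DnsSwitchTable:
    """Maps learned IPs to an action for as long as the DNS answer is valid."""

    def __init__(self, policy):
        self.policy = policy   # name or parent domain -> "permit" | "tunnel"
        self.table = {}        # ip -> (action, expires_at, name)

    def action_for(self, name):
        for domain, action in self.policy.items():
            if name == domain or name.endswith("." + domain):
                return action
        return "block"         # default deny: unlisted names open no hole

    def observe(self, msg, now):
        """Snoop one DNS response and update the table; returns what was learned."""
        qname, records = parse_response(msg)
        owner_of = {t: o for o, r, _, t in records if r == TYPE_CNAME}  # target -> alias
        learned = []
        for owner, rtype, ttl, ip in records:
            if rtype != TYPE_A:
                continue
            name = owner
            for _ in range(8):                      # bounded walk: survives CNAME loops
                if name not in owner_of:
                    break
                name = owner_of[name]
            if name != qname:                       # record unrelated to the query: ignore
                continue
            action = self.action_for(qname)
            self.table[ip] = (action, now + min(ttl, MAX_TTL), qname)
            learned.append((ip, action))
        return learned

    def lookup(self, ip, now):
        """Action for a packet to ip; unknown or expired entries fall back to block."""
        entry = self.table.get(ip)
        if entry is None or entry[1] <= now:
            self.table.pop(ip, None)
            return "block"
        return entry[0]


def demo():
    # Constructed policy: NTP and the camera vendor's update service are permitted,
    # the corporate OWA name is switched down the tunnel, everything else is blocked.
    sw = DnsSwitchTable({"pool.ntp.org": "permit",
                         "update.control.verkada.com": "permit",
                         "owa.corp.example": "tunnel"})
    now = 1000
    sw.observe(build_response("pool.ntp.org",
                              [("pool.ntp.org", TYPE_A, 300, "203.0.113.10")]), now)
    sw.observe(build_response("telemetry.example.net",
                              [("telemetry.example.net", TYPE_A, 60, "198.51.100.7")]), now)
    sw.observe(build_response("update.control.verkada.com",
                              [("update.control.verkada.com", TYPE_CNAME, 120, "edge.cdn.example"),
                               ("edge.cdn.example", TYPE_A, 30, "192.0.2.5")]), now)
    sw.observe(build_response("owa.corp.example",
                              [("owa.corp.example", TYPE_A, 300, "192.0.2.20"),
                               ("pool.ntp.org", TYPE_A, 300, "198.51.100.99")]), now)
    return {"ntp_now": sw.lookup("203.0.113.10", now),
            "ntp_after_ttl": sw.lookup("203.0.113.10", now + 301),
            "telemetry": sw.lookup("198.51.100.7", now),
            "cdn": sw.lookup("192.0.2.5", now),
            "owa": sw.lookup("192.0.2.20", now),
            "stuffed": sw.lookup("198.51.100.99", now)}


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from the model: the action is decided by the name the client asked for, not by the owner of the A record, so a CNAME to a CDN still inherits the policy of the requested service; and an A record in the answer that does not chain back to the query name is never learned, so a response cannot smuggle an unrelated IP into the allow table.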
From https://help.verkada.com/en/articles/3712294-local-stream-on-verkada-cameras 2021-07-07 – All product names, logos, and brands are property of their respective owners. All company, product, and service names used in this website are for identification/Fair-use purposes only. Use of these names, logos, and brands does not imply endorsement nor any evaluation being made about the product, service, or company.
With users and devices no longer in a central location, it is often necessary to provide URL name-based forwarding. With SecureSwitch™ you can automatically have requested URLs switched down a secure tunnel. SecureSwitch™ learns the IP addresses of the selected domain names and automatically updates the ACL rules.
For example, you may want a corporate intranet that is isolated from the general WAN, while users still need to reach generic Internet services. Additionally, there may be select services that should be forwarded towards a segmented service.
In this example, we’ve set up a branch office IpTL appliance to provide both block and permit actions based on the traffic. Here Outlook Web Access (OWA) is permitted over the Internet. Also, popular social media sites are blocked at the same time. Again, the actual IP addresses are dynamically learned and automatically updated within the appliance.
All product names, logos, and brands are the property of their respective owners. All company, product, and service names used on and within this website are for identification/Fair-use purposes only. Use of these names, logos, and brands does not imply endorsement nor convey any evaluation about the product, service, or company.