Customizing the DNS Protections for IPS

This article explains how to choose which DNS protections your account enforces as part of the IPS service.

Overview of DNS Protection

Cato's DNS Protection enhances the IPS service and gives you granular control over the level of security for DNS traffic in your account. The different types of DNS protection that Cato provides are listed in the DNS Protection screen (Security > DNS Protections) and you can enable or disable specific protections to meet the needs of your organization.

Cato continually updates DNS domains and categories and adds new types of protections to the DNS Protection screen.

DNS Protection provides robust security by blocking DNS requests before there is a connection between the host and the malicious server (no TCP or UDP handshake). When DNS Protection is disabled, the IPS service still provides some protection against DNS threats; however, it doesn't cover all the threats that DNS Protection covers, and the threats it does cover are blocked at a later stage, when the destination is accessed. Therefore, we recommend as a best practice to enable both IPS and DNS Protection.

You can use the Threat Catalog to see the DNS protections included in the basic IPS service and those included in DNS Protection.

Prerequisites

  • DNS Protection is included in the IPS license. For more about purchasing the IPS license, please contact your Cato representative.

Sample Workflow for Malicious Domains

This example shows the workflow for the Malicious Domains DNS protection when a host tries to access a malicious domain.

  1. The host device tries to access a malicious domain from the browser.

  2. The IPS engine identifies that there is a DNS request to a malicious domain and blocks the DNS request.

  3. The DNS request is blocked before there is a connection between the host and the malicious server (no TCP or UDP handshake).

Defining the DNS Protections for Your Account

Use the DNS Protection screen to select which types of DNS Protections the IPS engine enforces for your account. When you enable DNS Protection for your account, the IPS engine inspects every DNS request sent over the Cato Cloud. DNS requests are also inspected for accounts that don't use Cato as their DNS server and use a private DNS server instead.

Default Action for DNS Protections

The Cato Security team defines the default action for each DNS protection based on the potential to impact legitimate traffic in your organization.

  • Default Block action - These protections generally have few false positives, and do not impact legitimate traffic. We recommend that you leave these DNS protections with the default Block action.

  • Default Allow action - These protections may generate false positives and as a result block legitimate traffic in your organization. We recommend that before you change these protections to the Block action, first run these DNS protections for a few weeks with the Allow action and review the events to monitor the number of false positive matches.

End-user Experience of the Block Action

When the IPS engine blocks a DNS request, the connection to the domain is dropped before the end-user receives a DNS response.

[Screenshot: DNS_Protection_Policy.png]

To define the DNS Protections for your account:

  1. From the navigation pane, select Security > DNS Protection.

  2. Click the slider to enable (green) or disable (gray) the DNS Protection policy for the account.

  3. To customize a DNS protection type, click the Action or Track for that row.

    The panel opens for that DNS protection type.

    1. In the Action section, select to Allow or Block DNS traffic that matches the protection.

    2. In the Track section, select if you want to send email notifications for DNS traffic that matches the protection.

  4. Click Apply and then click Save.

Allowlisting DNS Traffic

You can create an IPS Allowlist rule on the IPS screen to define an exception and allow DNS traffic with a specific DNS Protection signature, or you can allowlist a DNS Protection signature from a block event log. For more about creating IPS Allowlist rules, see Allowlisting IPS Signatures.

You can also allowlist specific trusted domain names in the IPS Allow List to exclude them from DNS Protection scans.

To allowlist specific domain names:

  1. From the navigation menu, click Security > IPS.

  2. Click New. The New Allow List panel opens.

  3. Enter the Name for the rule.

  4. Select the Scope of the rule as Outbound.

  5. Under Destination, select Domain, and add the required domain name.

  6. Click Apply. The IPS allowlist rule is added to the rulebase.

  7. Click Save.

Monitoring DNS Protections with the Threats Dashboard

The Threats Dashboard includes the following three widgets to help you monitor the status of the DNS protections in your account:

  • Threats Type - Shows the name of the type of DNS category and the number of events for each type

  • Top Domains - Shows a list of the top domains that were blocked with the number of DNS protection events for each domain

  • Top Hosts - Shows a list of the top hosts (source IP address) with the number of DNS protection events for each host

[Screenshot: Threats_Dashboard_-_DNS.png]

Analyzing DNS Protection Events

The Monitoring > Events screen shows all the DNS Protection events for your account. The search tools let you drill down and identify the key events that contain the data you need.

DNS Protection events can be identified by the following fields:

  • Event Type - Security

  • Sub-Type - DNS Protection

  • DNS Protection Category - Cato’s DNS Protection type that matched the DNS request

  • DNS Query - Domain queried in the DNS request

You can learn more about using the Events screen here. You can use the DNS Protection preset to filter the events.
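The following script is an added example, not part of this article or of Cato's own tooling. It shows how an administrator might triage exported DNS Protection events offline: it identifies them by the Event Type and Sub-Type fields listed above, rebuilds the three Threats Dashboard counts (threat type, top blocked domains, top hosts), and, for protections still running with the default Allow action, lists how many matches each produced and which domains they hit, which is the review the Default Action section recommends before switching a protection to Block. The sample events are constructed; the field names "Action" and "Source IP", and every category name other than "Malicious Domains", are assumptions and not taken from the article.

```python
"""Triage constructed DNS Protection events offline.

Identifies events by the fields the article lists (Event Type = Security,
Sub-Type = DNS Protection), summarizes them the way the Threats Dashboard
widgets do, and reports Allow-mode matches for false-positive review.
"""
from collections import Counter

# Constructed sample events (not a real Cato export). "Event Type",
# "Sub-Type", "DNS Protection Category" and "DNS Query" are the field names
# from the article; "Action" and "Source IP" are assumed names for the verdict
# and the requesting host. "Allow-Mode Category (constructed)" stands in for
# a protection left on its default Allow action.
SAMPLE_EVENTS = [
    {"Event Type": "Security", "Sub-Type": "DNS Protection",
     "DNS Protection Category": "Malicious Domains", "Action": "Block",
     "DNS Query": "bad.example", "Source IP": "10.0.0.12"},
    {"Event Type": "Security", "Sub-Type": "DNS Protection",
     "DNS Protection Category": "Malicious Domains", "Action": "Block",
     "DNS Query": "bad.example", "Source IP": "10.0.0.15"},
    {"Event Type": "Security", "Sub-Type": "DNS Protection",
     "DNS Protection Category": "Malicious Domains", "Action": "Block",
     "DNS Query": "worse.example", "Source IP": "10.0.0.12"},
    {"Event Type": "Security", "Sub-Type": "DNS Protection",
     "DNS Protection Category": "Allow-Mode Category (constructed)",
     "Action": "Allow", "DNS Query": "cdn.legit.example",
     "Source IP": "10.0.0.12"},
    {"Event Type": "Security", "Sub-Type": "DNS Protection",
     "DNS Protection Category": "Allow-Mode Category (constructed)",
     "Action": "Allow", "DNS Query": "cdn.legit.example",
     "Source IP": "10.0.0.20"},
    # A non-DNS security event, constructed to show that the filter drops it.
    {"Event Type": "Security", "Sub-Type": "Other (constructed)",
     "Action": "Block", "Source IP": "10.0.0.30"},
]


def is_dns_protection_event(event):
    """True for events matching the two identifying fields from the article."""
    return (event.get("Event Type") == "Security"
            and event.get("Sub-Type") == "DNS Protection")


def summarize(events):
    """Rebuild the three Threats Dashboard counts from a list of events."""
    dns = [e for e in events if is_dns_protection_event(e)]
    # Threats Type widget: events per DNS Protection category.
    threat_types = Counter(e["DNS Protection Category"] for e in dns)
    # Top Domains widget: the article says it lists domains that were blocked.
    top_domains = Counter(e["DNS Query"] for e in dns if e["Action"] == "Block")
    # Top Hosts widget: source IP addresses across all DNS Protection events.
    top_hosts = Counter(e["Source IP"] for e in dns)
    return {
        "event_count": len(dns),
        "threat_types": dict(threat_types),
        "top_domains": dict(top_domains),
        "top_hosts": dict(top_hosts),
    }


def allow_mode_review(events):
    """Per category still on the Allow action: match count and distinct domains.

    Reviewing these domains over a few weeks shows whether the matches are
    legitimate traffic (false positives) before the action is changed to Block.
    """
    review = {}
    for e in filter(is_dns_protection_event, events):
        if e.get("Action") != "Allow":
            continue
        entry = review.setdefault(e["DNS Protection Category"],
                                  {"matches": 0, "domains": set()})
        entry["matches"] += 1
        entry["domains"].add(e["DNS Query"])
    return {cat: {"matches": v["matches"], "domains": sorted(v["domains"])}
            for cat, v in review.items()}


if __name__ == "__main__":
    for widget, counts in summarize(SAMPLE_EVENTS).items():
        print(f"{widget}: {counts}")
    for category, info in allow_mode_review(SAMPLE_EVENTS).items():
        print(f"Allow-mode review of {category}: "
              f"{info['matches']} matches on {info['domains']}")
```

In practice the event list would come from an export of the Events screen filtered with the DNS Protection preset; the summary functions are independent of where the records come from, as long as the field names match.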
