ox protect deep-dive - open-xchange · 2018-10-01 · deep-dive ox summit rome neil cook september...

Post on 14-Mar-2020


OX Protect Deep-Dive

OX Summit Rome

Neil Cook

September 28th 2018

• Provides a secure connectivity experience:

• Protects all devices using the broadband/mobile network

• Protects against malware and phishing

• Malware alerts via SMS or Push Notifications

• Works even with encrypted traffic

• Detects infected devices, attempts to download malware, attempts to go to phishing site etc.

OX Protect for Malware

Security

Protection

Pure Service – No software or special devices needed

Core Features:

• Full control over content categories allowed

• “Pause Internet” capability

• Bedtime/Homework Time

• Subscriber Black & Whitelists

• Optional Mobile App for Settings, Supervision & Notification

• Blocking alerts via Push Notifications or SMS

OX Protect for Families

• Parents can manage settings for different profiles individually

• Configure Multiple Filtering Profiles

• E.g. Mom, Dad, Child1, Child2

• Devices are typically auto-detected and provisioned

• Each device is associated with a profile

• E.g. “Neil’s iPhone X”

• E.g. “Panasonic TV”

Advanced Features

OX Protect for Families

Wait what? I thought DNS was just a lookup protocol…

Using DNS to Filter Traffic

• The main purpose of DNS is to turn names like “open-xchange.com” into IP addresses like “1.2.3.4”

The basis of OX Protect is DNS Filtering

[Diagram: Lookup “open-xchange.com”, DNS, Answer “62.146.90.68”]

• DNS underlies almost all traffic on the Internet

• It is critical to almost every legitimate service

• not just Web but also Email, Chat services, Mobile Apps etc.

• Also critical to almost every malicious service

• DNS is used by the bad guys too

• DNS is also (currently) usually unencrypted

• This is changing with DNS over TLS (and DNS over HTTPS)

• Even then not end-to-end encrypted

DNS is Ubiquitous and Un-Encrypted

Thus DNS is Perfect for Filtering

[Diagram: Lookup “illegaldrugs.tv”, DNS, Answer “10.3.2.4”, Walled Garden Proxy]

Including Malware/Malicious Sites

[Diagram: Lookup “xyz123.cn”, DNS, Answer “10.3.2.4”, Send Video Capture]
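The filtering decision shown on the two slides above, as an added example that is not OX Protect or PowerDNS code: the resolver answers a blocked name with the walled-garden address instead of the real one. The feed contents, function names and the rule that a subscriber whitelist entry overrides the feed are assumptions made for illustration.

```python
WALLED_GARDEN_IP = "10.3.2.4"   # filtered answer shown on the slides

# Constructed category feed (sample data): domain -> category
FEED = {"illegaldrugs.tv": "drugs", "xyz123.cn": "malware"}

def normalise(qname):
    """Canonical form: lower case, no trailing root dot."""
    return qname.strip().rstrip(".").lower()

def categorise(qname, feed=FEED):
    """Match whole labels, most specific suffix first.

    'cdn.xyz123.cn' matches 'xyz123.cn'; 'notxyz123.cn' does not, which a
    plain str.endswith() test would get wrong.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        category = feed.get(".".join(labels[i:]))
        if category:
            return category
    return None

def filter_query(qname, blocked_categories, whitelist=(), blacklist=()):
    """Return (action, answer): ('redirect', walled-garden IP) or ('resolve', None).

    Whitelist and blacklist are exact-match subscriber lists (assumption).
    """
    name = normalise(qname)
    if name in whitelist:                       # assumed precedence: whitelist wins
        return ("resolve", None)
    if name in blacklist or categorise(name) in blocked_categories:
        return ("redirect", WALLED_GARDEN_IP)
    return ("resolve", None)
```
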

DNS vs other Consumer Security Methods

Security solution approach: DNS | Deep Packet Inspection (DPI) | Home Device | Client on Customers Premises Equipment

Example Vendors: Open-Xchange, Akamai, Cisco | Allot | Circle | Norton, McAfee

Works with any service and protocol and encrypted traffic: ☺ ☺ ☺

Traffic routing efficiency: ☺ ☺ ☺

Scalability: ☺

Costs of setup, rollout and management: ☺ ☺

Open-Source availability: ☺

Strengthens service providers position: ☺ ☺

Works for embedded IoT devices: ☺ ☺ ☺ ☺

More than just PowerDNS…

OX Protect Architecture

• PowerDNS Recursor answers DNS queries

• Can be deployed without filtering initially

• Highly Scalable, Extremely Low Latency DNS Solution

• Easy to add on Filtering Components at a later date

Basic DNS Only

Core of Solution is PowerDNS

[Diagram: DNS Traffic, PowerDNS Recursor & DNSdist, Internet]

Network Focused

PowerDNS Plus Filtering

[Diagram: DNS Traffic, PowerDNS Recursor & DNSdist, Internet, Filtering Module, Filtering Proxy, Dstore, Threat Intelligence Feeds, OSS/BSS APIs]

End-User Focused

Full OX Protect Architecture

[Diagram: DNS Traffic, PowerDNS Recursor & DNSdist, Internet, Filtering Module, Subscriber DB, Filtering Proxy, Dstore, Threat Intelligence Feeds, Client REST APIs, Notification Server, Optional Mobile Apps, Notification DB, OSS/BSS APIs, End-User Reporting APIs]

Mobile Apps and APIs

OX Developed Mobile Apps

• User Centric mobile control apps

• For iOS and Android

• Centralized End-User Notifications and Control

• Configuration management

• Control Filtering settings for household and individual devices

• Real-time Permissions

• Alerting

• Real-time alerting of suspicious events

Customer Developed Mobile Apps

• OX Protect provides multiple options to enable this:

• Mobile-Centric web application that can easily be embedded in a native app for easy integration

• End-User Centric REST APIs to integrate fully into native apps

• Both options support:

- Authorization via OAuth2

- Support for Push Notifications (new devices, blocked website, malware etc.)

Threat Intelligence

Threat Intelligence Feeds

Open Threat Intelligence Platform

[Diagram: OX Protect, Built-In Threat Intel, Internal Threat Intel, Third-Party Threat Intel]

Deploying OX Protect

PowerDNS or OX Protect

DNS Replacement

Existing DNS System (Unbound, Bind, Nominum etc.)

DNS Queries

Side-By-Side with Legacy DNS

Existing DNS System (Unbound, Bind, Nominum etc.)

DNS Queries

OX Protect

PowerDNS

Proxy

Integration Requirements

• Features of Basic Protection

• All features apply to the whole household/subscriber line

• Malware Filtering

• Block attempts to access malware, phishing sites, command and control servers

• Content Filtering

• Block access to unwanted content like Adult, Gambling, etc.

• Notifications

• Control when to receive notifications and how

Integration for Basic Protection (no Per-Device)

• Requires no changes to customer premise equipment

• Works for 100% of subscriber base

• Provisioning Integration

• Need to provision subscribers (e.g. RADIUS IDs)

• RADIUS Integration

• Start/Stop Accounting Feed

• OSS/BSS API Integration

• Web Portal for subscriber settings

• Customise Protect Proxy Landing Pages

Integration for Basic Protection (no Per-Device)

• Per-device features include:

• Automatic detection and provisioning of new devices

• Including device family

• Including device name

• Assigning devices to profiles (family members)

• Moving devices between profiles

• Detecting threats and filtering content on a per-device basis

• Information about which device is included in notifications

• Bedtime/Homework Time

Integration for Per-Device Features

• This is achieved with CPE integration

• dnsmasq is the most widely used DHCP Server/DNS Proxy on CPEs

• Already supports EDNS0 options

• dnsmasq already has the capability to provide the MAC address using EDNS0

• This allows per-device capabilities, and device-type recognition

• OX is currently working with the IETF & the dnsmasq maintainer

• To standardize the transmission of per-device data including hostname

On Fixed-Line Networks

Integration for Per-Device Features
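How a resolver can read the device MAC that the CPE attaches to each query, as an added example that is not OX Protect, PowerDNS or dnsmasq code. It assumes the 6-byte binary form under EDNS0 option code 65001 (the code dnsmasq's --add-mac option uses); the function names and the sample query are constructed for illustration.

```python
import struct

TYPE_OPT = 41              # EDNS0 pseudo-record type
EDNS0_OPTION_MAC = 65001   # assumption: option code used by dnsmasq --add-mac

def _skip_name(msg, off):
    """Return the offset just past a domain name (a pointer ends the name)."""
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length
    raise ValueError("truncated name")

def extract_mac(msg):
    """Return the device MAC carried in the OPT record, or None if absent."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off, end = off + 10, off + 10 + rdlen
        if end > len(msg):
            raise ValueError("RDATA overruns message")
        while rtype == TYPE_OPT and off + 4 <= end:
            code, olen = struct.unpack_from("!HH", msg, off)
            off += 4
            if off + olen > end:
                raise ValueError("option overruns OPT RDATA")
            if code == EDNS0_OPTION_MAC and olen == 6:
                return ":".join(f"{b:02x}" for b in msg[off:off + 6])
            off += olen
        off = end
    return None

def build_query(qname, mac=None):
    """Constructed sample input: an A query with an OPT record."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    opts = struct.pack("!HH", EDNS0_OPTION_MAC, 6) + mac if mac else b""
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(opts)) + opts
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1) + name + struct.pack("!HH", 1, 1) + opt_rr
```

The option is unauthenticated, so a resolver should treat the MAC as a device label for profile lookup and honour it only on queries that arrive from its own subscriber CPE addresses.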

Event Notifications

• Push notifications for malware or content filtering events

• Frequency and timing of notifications is configurable

• Can be disabled if required

• Support for iOS and Android

• Notifications are in real-time

• Particularly useful when using new devices for the first time (e.g. new IoT devices)

OX Protect Roadmap

• PowerDNS Filtering Platform is released and deployed already

• First version of OX Protect (End-User Features)

• NOW

• Includes all features described

• Completely new Web/Mobile App UI

• Version 2.0 scheduled for 1H 2019

• Improved Reporting Engine & APIs

• Event Aggregation Engine

• Support for SMEs – Portal, Reporting

OX Protect Roadmap

Open-Xchange AG

Rollnerstraße 14

D-90408 Nuernberg

Phone: +49 2761-8385-0

Fax: +49 2761-8385-30

info@open-xchange.com

www.open-xchange.com
