ox protect deep-dive - open-xchange · 2018-10-01 · deep-dive ox summit rome neil cook september...
OX Protect Deep-Dive
OX Summit Rome
Neil Cook
September 28th 2018
• Provides a secure connectivity experience:
• Protects all devices using the broadband/mobile network
• Protects against malware and phishing
• Malware alerts via SMS or Push Notifications
• Works even with encrypted traffic
• Detects infected devices, attempts to download malware, attempts to go to phishing sites, etc.
OX Protect for Malware
Security
Protection
Pure Service – No software or special devices needed
Core Features:
• Full control over content categories allowed
• “Pause Internet” capability
• Bedtime/Homework Time
• Subscriber Black & Whitelists
• Optional Mobile App for Settings, Supervision & Notification
• Blocking alerts via Push Notifications or SMS
OX Protect for Families
• Parents can manage settings for different profiles individually
• Configure Multiple Filtering Profiles
• E.g. Mom, Dad, Child1, Child2
• Devices are typically auto-detected and provisioned
• Each device is associated with a profile
• E.g. “Neil’s iPhone X”
• E.g. “Panasonic TV”
Advanced Features
OX Protect for Families
Wait what? I thought DNS was just a lookup protocol…
Using DNS to Filter Traffic
• The main purpose of DNS is to turn names like “open-xchange.com” into IP addresses like “1.2.3.4”
The basis of OX Protect is DNS Filtering
Lookup “open-xchange.com”
DNS
Answer “62.146.90.68”
• DNS underlies almost all traffic on the Internet
• It is critical to almost every legitimate service
• not just Web but also Email, Chat services, Mobile Apps etc.
• Also critical to almost every malicious service
• DNS is used by the bad guys too
• DNS is also (currently) usually unencrypted
• This is changing with DNS over TLS (and DNS over HTTPS)
• Even then not end-to-end encrypted
DNS is Ubiquitous and Un-Encrypted
Thus DNS is Perfect for Filtering
Lookup “illegaldrugs.tv”
DNS
Answer “10.3.2.4”
Walled Garden Proxy
Including Malware/Malicious Sites
Lookup “xyz123.cn”
DNS
Answer “10.3.2.4”
Send Video Capture
DNS vs other Consumer Security Methods
Security solution approach: DNS | Deep Packet Inspection (DPI) | Home Device | Client on Customers Premises Equipment
Example Vendors: Open-Xchange, Akamai, Cisco | Allot | Circle | Norton, McAfee
Works with any service and protocol and encrypted traffic ☺ ☺ ☺
Traffic routing efficiency ☺ ☺ ☺
Scalability ☺
Costs of setup, rollout and management ☺ ☺
Open-Source availability ☺
Strengthens service providers position ☺ ☺
Works for embedded IoT devices ☺ ☺ ☺ ☺
More than just PowerDNS…
OX Protect Architecture
• PowerDNS Recursor answers DNS queries
• Can be deployed without filtering initially
• Highly Scalable, Extremely Low Latency DNS Solution
• Easy to add on Filtering Components at a later date
Basic DNS Only
Core of Solution is PowerDNS
[Diagram labels: PowerDNS Recursor & DNSdist, DNS Traffic, Internet]
Network Focused
PowerDNS Plus Filtering
[Diagram labels: PowerDNS Recursor & DNSdist, DNS Traffic, Internet, Filtering Module, Filtering Proxy, Dstore, Threat Intelligence Feeds, OSS/BSS APIs]
End-User Focused
Full OX Protect Architecture
[Diagram labels: PowerDNS Recursor & DNSdist, DNS Traffic, Internet, Filtering Module, Subscriber DB, Filtering Proxy, Dstore, Threat Intelligence Feeds, Client REST APIs, Notification Server, Optional Mobile Apps, Notification DB, OSS/BSS APIs, End-User Reporting APIs]
Mobile Apps and APIs
OX Developed Mobile Apps
• User Centric mobile control apps
• For iOS and Android
• Centralized End-User Notifications and Control
• Configuration management
• Control Filtering settings for household and individual devices
• Real-time Permissions
• Alerting
• Real-time alerting of suspicious events
Customer Developed Mobile Apps
• OX Protect provides multiple options to enable this:
• Mobile-Centric web application that can easily be embedded in a native app for easy integration
• End-User Centric REST APIs to integrate fully into native apps
• Both options support:
- Authorization via OAUTH2
- Support for Push Notifications (new devices, blocked website, malware etc.)
Threat Intelligence
Threat Intelligence Feeds
Open Threat Intelligence Platform
OX Protect
Built-In Threat Intel
Internal Threat Intel
Third-Party Threat Intel
Deploying OX Protect
PowerDNS or OX Protect
DNS Replacement
Existing DNS System (Unbound, Bind, Nominum etc.)
DNS Queries
Side-By-Side with Legacy DNS
Existing DNS System (Unbound, Bind, Nominum etc.)
DNS Queries
OX Protect
PowerDNS
Proxy
Integration Requirements
• Features of Basic Protection
• All features apply to the whole household/subscriber line
• Malware Filtering
• Block Attempts to access malware, phishing sites, command and control servers
• Content Filtering
• Block access to unwanted content like Adult, Gambling, etc.
• Notifications
• Control when to receive notifications and how
Integration for Basic Protection (no Per-Device)
• Requires no changes to customer premises equipment
• Works for 100% of subscriber base
• Provisioning Integration
• Need to provision subscribers (e.g. RADIUS IDs)
• RADIUS Integration
• Start/Stop Accounting Feed
• OSS/BSS API Integration
• Web Portal for subscriber settings
• Customise Protect Proxy Landing Pages
Integration for Basic Protection (no Per-Device)
• Per-device features include:
• Automatic detection and provisioning of new devices
• Including device family
• Including device name
• Assigning devices to profiles (family members)
• Moving devices between profiles
• Detecting threats and filtering content on a per-device basis
• Information about which device is included in notifications
• Bedtime/Homework Time
Integration for Per-Device Features
• This is achieved with CPE integration
• dnsmasq is the most widely used DHCP Server/DNS Proxy on CPEs
• Already supports EDNS0 options
• dnsmasq already has the capability to provide the MAC address using EDNS0
• This allows per-device capabilities, and device-type recognition
• OX currently working with IETF & dnsmasq maintainer
• To standardize the transmission of per-device data including hostname
On Fixed-Line Networks
Integration for Per-Device Features
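As an added illustration (not from the slides, and not OX Protect or PowerDNS code), the Python below combines the two mechanisms the deck describes: it reads the device MAC from the EDNS0 option of a query and answers a blocked name with the walled-garden address. It assumes option code 65001, which dnsmasq's `--add-mac` emits; the device table, categories and function names are constructed for the example.

```python
import struct

EDNS0_OPTION_MAC = 65001       # option code dnsmasq's --add-mac uses (local/experimental range)
WALLED_GARDEN_IP = "10.3.2.4"  # walled-garden answer shown on the slides
DEVICES = {bytes.fromhex("aabbccddeeff"): "Child1"}                  # constructed: MAC -> profile
BLOCKED = {"Child1": {"drugs", "malware"}, "default": {"malware"}}  # constructed policy
CATEGORIES = {"illegaldrugs.tv": "drugs", "xyz123.cn": "malware"}   # constructed feed

def build_query(qname, mac):   # constructed sample: A query whose OPT record carries the MAC
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    option = struct.pack("!HH", EDNS0_OPTION_MAC, len(mac)) + mac
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(option)) + option
    return header + name + struct.pack("!HH", 1, 1) + opt_rr

def parse_query(pkt):
    """Return (qname, mac or None); raise ValueError on malformed input."""
    try:
        qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
        pos, labels, mac = 12, [], None
        while (n := pkt[pos]) != 0:
            if n > 63:
                raise ValueError("compressed or invalid label")
            labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii").lower())
            pos += 1 + n
        pos += 5                      # root label + QTYPE + QCLASS
        if (qd, an, ns) != (1, 0, 0) or pos > len(pkt):
            raise ValueError("unsupported or truncated query")
        for _ in range(ar):           # additional section: look for OPT (type 41)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos + 1:pos + 11])
            rdata = pkt[pos + 11:pos + 11 + rdlen]
            if pkt[pos] != 0 or len(rdata) != rdlen:
                raise ValueError("bad additional record")
            pos += 11 + rdlen
            while rtype == 41 and len(rdata) >= 4:
                code, olen = struct.unpack("!HH", rdata[:4])
                if code == EDNS0_OPTION_MAC and olen == 6 and len(rdata) >= 10:
                    mac = rdata[4:10]
                rdata = rdata[4 + olen:]
        return ".".join(labels), mac
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed DNS query") from exc

def decide(pkt):   # -> (profile, walled-garden IP or None to resolve normally)
    qname, mac = parse_query(pkt)
    profile = DEVICES.get(mac, "default")
    names = (qname.split(".", i)[-1] for i in range(qname.count(".") + 1))
    hit = any(CATEGORIES.get(name) in BLOCKED[profile] for name in names)
    return profile, (WALLED_GARDEN_IP if hit else None)
```

The MAC option is unauthenticated data added by the CPE, so a resolver would honour it only on queries arriving from the provider's own CPEs.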
Event Notifications
• Push notifications for malware or content filtering events
• Frequency and timing of notifications is configurable
• Can be disabled if required
• Support for iOS and Android
• Notifications are in real-time
• Particularly useful when using new devices for the first time (e.g. new IoT devices)
OX Protect Roadmap
• PowerDNS Filtering Platform is released and deployed already
• First version of OX Protect (End-User Features)
• NOW
• Includes all features described
• Completely new Web/Mobile App UI
• Version 2.0 scheduled for 1H 2019
• Improved Reporting Engine & APIs
• Event Aggregation Engine
• Support for SMEs – Portal, Reporting
OX Protect Roadmap
Open-Xchange AG
Rollnerstraße 14
D-90408 Nuernberg
Phone: +49 2761-8385-0
Fax: +49 2761-8385-30
www.open-xchange.com