Security Connector as a DNS sinkhole

When Security Connector is set up as a DNS sinkhole, it receives suspicious or malicious traffic and identifies machines that:

  • Are infected with malware
  • Attempt to download malware
  • Make requests to command and control servers

Security Connector records information about the machine that made the request such as the machine name and internal IP address of the end user's machine. This information allows you or an IT administrator to identify compromised machines in your network and take the appropriate remediation steps.

Security Connector captures information sent by the client machine. This information includes:

  • Internal IP address
  • Machine name (internal client name)
  • Source port
  • Destination port
  • Hostname in an HTTP request or in the TLS Server Name Identification (SNI) field
  • User agent from an HTTP request

📘

The machine name is reported only if DNS Pointer (PTR) records are configured on the DNS name server that is used to communicate with the security connector. ETP performs a reverse IP address lookup to identify this information.

Traffic is directed to Security Connector based on the policy configuration in ETP. In a policy, you can assign Security Connector to a threat category or a list. A security connector is available for assignment when:

  1. Block is the policy action selected for a category or custom list.

  2. Error Page is set as the response to users.

After setting the Error Page response, you can then select a specific Security Connector.

👍

As a best practice, assign a security connector to the malware and C&C categories. A C&C threat indicates that a user's machine is already compromised by the time it's detected. To clean compromised machines, you can use Security Connector to identify infected machines and get the information you need for remediation.

Depending on whether ETP Proxy is enabled in the policy, different network flows apply. For more information, see Network flow of DNS sinkhole.

The information and events that are captured by the security connector are available for analysis in ETP. ETP correlates Security Connector event data with threat event data. You can view this data on the Security Connector activity report.

If the proxy is disabled, these conditions apply:

  • As a performance optimization, many browsers may prefetch the DNS names in all links on a webpage. Although not all these links are accessed by a user, the prefetched resolutions generate DNS events in ETP. If a user accesses any of these links, correlated security connector events and the user's internal IP address are also reported.

  • Not all malicious DNS traffic originating from a user will have a corresponding Security Connector event. DNS resolutions may be cached on the user's computer and Enterprise DNS Resolvers. As a result, there may be situations when traffic is resolved by these cached responses and no new DNS event is generated.

Network flow of DNS sinkhole

Depending on whether ETP Proxy is enabled or disabled, these network flows apply:

Network flow when ETP Proxy is enabled

  1. The end user requests a URL, and the first DNS resolution occurs:

    1. The browser makes a DNS request. The corporate network egress IP address is associated with a location configuration in ETP. As a result, the policy assigned to that location is applied.

    2. ETP identifies the domain as malicious. Based on a policy configuration, the malicious domain is resolved to the IP address of ETP Proxy.

  2. These steps apply to HTTP traffic:

    1. The browser sends the HTTP or HTTPS request to ETP Proxy. The corporate network egress IP address is associated with a location configuration in ETP. As a result, the policy assigned to that location is applied.

    2. ETP identifies the HTTP resource as malicious. Based on a policy configuration, the client is redirected to the security connector on the corporate network.

  3. Malicious HTTP and HTTPS requests that were directed to the proxy are redirected to Security Connector. The end user's machine sends a request to Security Connector.

    📘

    HTTP and HTTPS traffic is redirected to Security Connector 2.5.0 or later.

  4. Security Connector collects the internal IP address of the end user's machine and other event information. Access to the malicious domain is blocked and the end user is redirected to the custom error page that corresponds to the threat type or category. For more information on error pages, see the Error pages help topic.

  5. Security Connector sends the internal IP address and other collected machine information to ETP. ETP Proxy and ETP DNS also sends information to ETP reporting. ETP reporting correlates data and shows the internal IP address and machine name in each threat event.

Network flow when ETP Proxy is disabled

  1. For a DNS request:

    1. An end user makes a DNS request. The corporate network egress IP address is associated with a location configuration in ETP. As a result, the policy assigned to that location is applied.

    2. ETP identifies the domain as malicious. Based on a policy configuration, the malicious domain is resolved to the IP address of the security connector on the corporate network.

  2. The end user's machine sends a network request to Security Connector.

  3. Security Connector collects the internal IP address of the end user's machine and other event information. Access to the malicious domain is blocked and the end user is shown the Website Access is Prohibited custom error page. For more information on error pages, see the Error pages help topic.

  4. Security Connector sends the internal IP address and other collected machine information to ETP reporting. ETP DNS also sends information to ETP reporting where data correlation occurs. ETP reports show the internal IP address and machine name in each threat event.


Did this page help you?