
DNS filtering: securing web traffic from uncontrolled devices
In January 2019, CESIN published its corporate cybersecurity barometer, which revealed that 80% of companies had suffered a cyberattack in the previous 12 months. Cases are on the rise, and even large companies, reputed to be ultra-secure, are not immune, as demonstrated by the recent attack on Airbus, which confirmed "unauthorized access" to its computer networks, allowing hackers to access employees' professional contact details and login credentials.
Strengthening cybersecurity effectiveness is a strategic priority for the IT department.
This priority is also reinforced by the digital transformation being carried out by these same IT departments, as it encourages the emergence of new risks with the widespread use of the cloud, SaaS applications, and, above all, interconnectivity between internal and external IT systems. The Payment Services Directive (PSD2), which has been in force since September 2019, is a perfect example of this in the banking sector.
It is therefore essential to build and maintain a comprehensive web security chain within the company, effectively protecting users, the information system, and all the IT resources that comprise it, from internal or mobile workstations to connected objects. Despite this, CIOs and CISOs must contend with budget constraints that are not always in line with the increasing sophistication of the malware used and the resurgence of attack attempts.
Budgets obviously weigh heavily in the debate: we have to do as much, if not more, with less. When the question of upgrading equipment arises, it is sometimes convenient to consider replacing the standalone proxy with the filtering functions built into the UTM and firewall. At first glance, this seems more economical and easier to implement and maintain... but is it really a good idea to rely on a single solution to protect your information system?
We could also ask the question differently by wondering whether it is really reasonable to put all your eggs in one basket when it comes to cybersecurity. In any case, this is not one of the recommendations made by ANSSI, which instead advocates decentralizing the various cybersecurity processes across several machines.
UTM vs. proxy: a debate that cannot ignore the issue of performance
Performance, given the growth of HTTPS internet traffic, should also be taken into account in the debate. The UTM device has more and more processing to perform, and adding SSL/TLS decryption would increase its resource consumption to the point of slowing it down, which could then affect its main function: the firewall. Moreover, the resurgence of DDoS attacks in recent months could quickly penalize it, further degrading the other operations it is supposed to manage. The scalability of a UTM is therefore sometimes quickly limited, whereas the standalone Olfeo Proxy can be deployed in a virtualized environment, which makes it easy to increase its processing capacity without any additional licensing costs for the customer, since the price is calculated per user and not per appliance.
The standalone proxy is therefore a valuable ally for the firewall: by handling web filtering, SSL/TLS decryption, and even DNS filtering, it enhances the firewall's effectiveness. With a security architecture based on both a firewall and a standalone proxy working in complete synergy, tasks and risks associated with cyber threats are better distributed.

The URL database at the heart of DNS filtering
The effectiveness of DNS filtering will be closely linked to the quality of the URL database used. DNS is a scalable protocol that can handle tens of thousands of requests every day, so the same filtering rules must be applied to it as to conventional internet traffic in order to instantly eliminate any threats and/or risks of inappropriate browsing.
For example, the Olfeo URL database, which has been updated for 20 years by a dedicated team, makes all the difference: 99% of legitimate websites are known, the categories of browsing that are legally authorized in France are controlled, and DNS traffic is blocked in real time.
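The lookup described above, as an added example (not Olfeo's code and not part of the original article): the filter reads the queried name from a DNS packet, matches it and its parent domains against a category database, and answers NXDOMAIN for blocked categories. The database entries, the policy and all function names are constructed for illustration.

```python
from __future__ import annotations
import struct

# Constructed category database and policy (assumptions, not a real feed).
CATEGORY_DB = {"malware-test.example": "malware", "casino.example": "gambling",
               "school.example": "education"}
BLOCKED_CATEGORIES = {"malware", "gambling"}

def parse_qname(packet: bytes) -> tuple[str, int]:
    """Return (lowercased query name, offset just past the question section)."""
    pos, labels = 12, []  # the DNS header is 12 bytes
    while True:
        if pos >= len(packet) or packet[pos] & 0xC0:
            raise ValueError("truncated or compressed QNAME")
        length = packet[pos]
        if length == 0:
            return ".".join(labels), pos + 5  # root label + QTYPE + QCLASS
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length

def categorize(name: str) -> str | None:
    """Try the name, then each parent domain, so subdomains inherit a category."""
    labels = name.split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None  # unknown domain

def filter_query(packet: bytes) -> tuple[str, str, bytes | None]:
    """Return (name, verdict, reply); reply is an NXDOMAIN answer when blocked."""
    name, end = parse_qname(packet)
    category = categorize(name)
    if category not in BLOCKED_CATEGORIES:
        return name, "forward", None  # pass to the upstream resolver
    # Reply flags: QR=1, RA=1, RD copied from the query, RCODE=3 (NXDOMAIN).
    flags = 0x8080 | (packet[2] & 0x01) << 8 | 3
    header = packet[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
    return name, "block:" + category, header + packet[12:end]

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard A/IN query with RD set."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for host in ("cdn.malware-test.example", "www.school.example", "unknown.example"):
        print(filter_query(build_query(host))[:2])
```

Matching on parent domains is what lets one database entry cover every subdomain of a categorized site; an unknown name is forwarded here, which is a policy choice a stricter deployment may reverse.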
What are the use cases for DNS filtering?
School tablets
Many schools distribute devices such as tablets to their students to aid learning through digital tools. These devices must, of course, contain filtering systems to prevent young students from viewing content that is inappropriate, illegal, or dangerous to the integrity of the equipment.
Given the large number of these devices, it is difficult to deploy and maintain agent- and proxy-based filtering systems on these fleets, especially in nomadic situations—students take their tablets or PCs home with them.
DNS filtering, which does not require an agent, is the ideal solution. Easy to deploy, configure, and maintain for schools or town halls, and requiring no local agent on machines, DNS filtering provides effective and easy protection for students' web browsing.
Guests on corporate networks / BYOD
Companies provide their guests (visitors, consultants, service providers) with access to their network (particularly Wi-Fi) so that they can reach the web. Because the company has no control over these devices and therefore cannot install web filtering agents on them, visitors' devices may pose a significant risk.
DNS filtering allows you to secure these devices without needing to have control over the machines. By connecting them to the internet through a captive Wi-Fi portal, for example, it is possible to filter their DNS requests in order to secure their traffic and enforce the company's internet policy.
Connected business equipment – Internet of Things
With the advent of the Internet of Things (IoT), hundreds of millions of devices are now connected to the internet with weak cyber protection and high exposure to attacks. Cameras, thermostats, parking sensors, etc. are all devices with simple and limited hardware—for energy consumption reasons—and cannot benefit from the protection of a filtering agent running on them.
Redirecting their web traffic through a DNS filtering solution is an effective way to protect IoT devices without having to install an agent and monitor a large fleet of machines.
Conclusion
DNS filtering is an effective solution for easily securing web traffic from uncontrolled devices such as tablets, BYOD, or IoT. Used in conjunction with URL filtering, it protects all of an organization's IT assets and limits the risk of exposure to malicious domains that may pose a security risk.


