In this article, you will learn everything you need to know about the Threat Prevention - Network module.
1. Description
2. How does Threat Prevention - Network work?
3. Threat Prevention - Network setup guide
4. Heimdal Threat Prevention Network LogAgent
5. Threat Prevention - Network view
6. Threat Prevention - Network settings
DESCRIPTION
HEIMDAL Security's Threat Prevention is the world’s most advanced DNS product, used to identify infected users and processes. Our cutting-edge Network & Endpoint Prevention, Detection, and Response solutions block attacks before they reach your network, servers, or endpoints. Thanks to their unique combination of local and cloud filtering, we guarantee a minimal system footprint. Now, in an unprecedented move, the Machine Learning (ML) engineers at HEIMDAL Security have successfully built and trained a neural network for DarkLayer Guard - Network (and for the DarkLayer Guard product) that enables the prediction of malicious DNS. Employing an outstanding amount of gradient-boosting decision trees and over 24 DNS features and criteria, the new neural network AI is state-of-the-art.
HEIMDAL Security has doubled the rate of correct detections, predicted future domains that are bound to be registered, and unlocked the algorithm’s capacity to detect malicious domains that would normally have escaped detection by the human eye. Combined with the power of the VectorN Detection engine, it will be virtually unstoppable against malicious attack attempts on enterprise security.
HOW DOES THREAT PREVENTION - NETWORK WORK?
Threat Prevention - Network is configured on your DNS Server(s), which forward DNS queries to the HEIMDAL DNS Resolvers; the resolvers are responsible for filtering all DNS traffic based on the request's origin and destination. The engine, which blocks malicious traffic from communicating across the network, prevents man-in-the-browser attacks, detects zero-hour exploits, protects against data or financial exfiltration, and prevents data loss or network infections. Compatible with any existing Antivirus software, the Threat Prevention - Network feature secures DNS traffic by pre-emptively blocking malicious domains and communications to and from C&C, Phishing, and generally malicious servers.
THREAT PREVENTION - NETWORK setup guide
To set up THREAT PREVENTION - Network, please follow the steps below:
1. Log in to the HEIMDAL Dashboard.
2. Access the Network Settings section.
3. From the Threat Prevention tab, make sure the DarkLayer Guard module is turned ON.
4. In the Access Rule section, add your Public IP Address(es) (Name and Subnet required) and press the Update Network Settings button. You can add one or multiple Public IP Addresses with the following subnets: /32, /31, and /30. For wider ranges, please get in touch with corpsupport@heimdalsecurity.com. Access Rule changes are propagated every 30 minutes.
- You can add an Access Rule only if you are logged in to the HEIMDAL Dashboard from the Public IP Address that you are trying to add as an Access Rule;
- If you need a wider range, please write at corpsupport@heimdalsecurity.com;
- Once a new Access Rule is added for a Public IP Address or Subnet, it will be whitelisted in our database. Removing it from the Access Rules will stop the filtering through our DNS Servers and could cause connectivity issues on your DNS Server if you are still forwarding traffic through the Threat Prevention - Network.
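The Access Rule constraints above can be pre-checked before you submit the rule. The following is an added example (not Heimdal's code or API; the function name check_access_rule is hypothetical) that validates a candidate Subnet value against the rules stated here: a prefix length of /30, /31 or /32, a public address range, and the address you are logged in from lying inside that range. The sample inputs are constructed; the public addresses are borrowed from this article's own IP lists purely as known-public values, and restricting the check to IPv4 is an assumption.

```python
import ipaddress

# Prefix lengths the dashboard accepts for an Access Rule (per the article);
# anything wider has to be requested from support.
ALLOWED_PREFIXES = (32, 31, 30)


def check_access_rule(subnet, dashboard_client_ip):
    """Return the reasons the Access Rule would be rejected (empty list = OK).

    subnet: the value you intend to put in the Subnet field, e.g. "a.b.c.d/32".
    dashboard_client_ip: the public IP you are currently logged in from.
    Assumption (not stated by the article): IPv4 only, since the /30-/32
    limits are IPv4 sized.
    """
    problems = []
    try:
        net = ipaddress.IPv4Network(subnet, strict=True)
    except ValueError:
        try:
            loose = ipaddress.IPv4Network(subnet, strict=False)
        except ValueError as exc:
            return [f"not a valid IPv4 subnet: {exc}"]
        # Host bits set: the rule would cover the containing network, not the host
        problems.append(f"host bits set; the network address is {loose}")
        net = loose
    if net.prefixlen not in ALLOWED_PREFIXES:
        problems.append(
            f"/{net.prefixlen} is not accepted; only /30, /31 and /32 can be added "
            "(write to corpsupport@heimdalsecurity.com for wider ranges)")
    if not net.is_global:
        # Private, loopback, link-local, shared address space and reserved
        # ranges are never a public address and would never reach the resolvers
        problems.append(f"{net} is not a public range")
    try:
        client = ipaddress.IPv4Address(dashboard_client_ip)
    except ValueError as exc:
        problems.append(f"dashboard client IP is not a valid IPv4 address: {exc}")
    else:
        if client not in net:
            problems.append(
                f"you are logged in from {client}, which is outside {net}; "
                "the dashboard only accepts a rule covering the address you are logged in from")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a /30 written with host bits set, checked from inside it
    for problem in check_access_rule("193.243.129.53/30", "193.243.129.53"):
        print("rejected:", problem)
```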
THREAT PREVENTION - Network DNS Forwarders (on Windows Server)
In order to implement Threat Prevention - Network in your organization, you will need to configure the DNS Server(s) in your organization to use the following IP Addresses as DNS Forwarders:
- 193.243.129.53
- 76.223.127.10
To set up DNS Forwarding on your DNS Server, you need to follow the steps below:
1. Open the DNS Manager from the Server Manager.
2. Right-click on the DNS Server and select Properties.
3. Select the Forwarders tab and click the Edit button.
4. Insert the DNS IP Addresses (193.243.129.53 and 76.223.127.10) and hit Enter after each IP Address. After entering both IP Addresses, press OK. Note that the HEIMDAL Security Forwarders will validate only if the Public IP Address of the DNS Server was added as an Access Rule in the HEIMDAL Dashboard at least 30 minutes before validation.
The DNS Forwarders should look like this:
5. After configuring the DNS Forwarders, you can test if Threat Prevention - Network is working by accessing the website notblockedbyheimdalsecurity.com. If the text on the site says "Heimdal Security has blocked this page.", this means that Threat Prevention - Network is working properly.
Here is a how-to on changing the DNS Forwarder on Windows Server:
THREAT PREVENTION - Network DNS Forwarders (on Ubuntu/Debian)
In order to implement Threat Prevention - Network in your organization, you will need to configure the DNS Server(s) in your organization to use the following Threat Prevention - Network IP Addresses as DNS Forwarders:
- 193.243.129.53
- 76.223.127.10
To set up DNS Forwarding on your DNS Server, you need to follow the steps below:
1. Open the interfaces file (/etc/network/interfaces) for editing:
sudo nano /etc/network/interfaces
2. Add the following settings:
auto eth0
iface eth0 inet static
address 192.168.1.2 # a static IP of your choice
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 185.113.230.53 185.113.231.53
3. Open the resolv.conf file (/etc/resolv.conf) for editing:
sudo nano /etc/resolv.conf
4. Add the following settings:
nameserver 193.243.129.53
nameserver 76.223.127.10
#options edns0
5. Reboot the machine.
6. Update the apt package cache by typing:
sudo apt-get update
7. Install BIND on the DNS Server.
sudo apt-get install bind9 bind9utils bind9-doc
8. Open the named.conf.options file (/etc/bind/named.conf.options) for editing:
sudo nano /etc/bind/named.conf.options
9. Add the following settings:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
193.243.129.53;
76.223.127.10;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
10. Restart bind using the following command line:
sudo systemctl restart bind9
11. In case there's a firewall rule blocking port 53, you can unblock it with the following command line:
sudo ufw allow 53
12. After configuring BIND, you can test if Threat Prevention - Network is working by accessing the website notblockedbyheimdalsecurity.com. If the text on the site says "Heimdal Security has blocked this page.", this means that Threat Prevention - Network is working properly.
If the page below returns, it means that the protection is not working yet.
IMPORTANT
Please note the fact that it can take 30 to 60 minutes from changing your DNS Forwarders until you see the correct blocking page. Your protection is, however, in place immediately after changing forwarders.
HEIMDAL THREAT PREVENTION NETWORK LOGAGENT
The HEIMDAL Threat Prevention Network LogAgent allows you to associate the IP Addresses of the Allowed Requests and Prevented Attacks with the Hostnames on which the network filtering took place. The HEIMDAL LogAgent is installed on the DNS Server and reports the information collected on Prevented Attacks to the HEIMDAL Dashboard, thus helping the Administrator to see where the malicious behavior originates by identifying the private (local) IP Address and the hostname of the endpoint in question.
REQUIREMENTS
1. The HEIMDAL Threat Prevention Network LogAgent is supported on 32-bit and 64-bit architectures and can be installed on Windows Server 2012/2012 R2, Windows Server 2016, Windows Server 2019, Ubuntu 18.04 (and above).
2. The HEIMDAL Threat Prevention Network LogAgent requires Npcap OEM and that is why we recommend you uninstall WinPcap (and the CSIS LogAgent) if it is already present on the DNS Server. Npcap will automatically get installed during the HEIMDAL LogAgent install operation. Other applications that interact with the Npcap driver (like Azure Advanced Threat Protection Sensor) might conflict with the HEIMDAL Threat Prevention Network LogAgent's flow, which could stop responding or stop ingesting data into the HEIMDAL Dashboard.
3. The HEIMDAL LogAgent requires access to our Log Agent API through port 443 on the following IP Addresses: 3.68.42.215 and 3.122.156.8 (logagent-api.heimdalsecurity.com).
The HEIMDAL Threat Prevention Network LogAgent can be installed using the following methods:
A. Installing it from the HEIMDAL Dashboard
To install the HEIMDAL LogAgent on your DNS Server from the HEIMDAL Dashboard you need to have the HEIMDAL Agent running on your specific server. If this condition is met, you can log in to the HEIMDAL Dashboard, click on Management -> Active Clients, select your DNS Server, and click Enable DNS Server from the dropdown menu.
This functionality will fire on the next HEIMDAL Agent Group Policy check and will install the HEIMDAL LogAgent on your DNS Server.
B. Installing the stand-alone HEIMDAL LogAgent (on Windows Server)
To install the HEIMDAL LogAgent on your DNS Server, log in to the HEIMDAL Dashboard, go to the Guide section -> Download and install tab and download the stand-alone HEIMDAL Threat Prevention Network LogAgent (for Windows). After downloading the HEIMDAL LogAgent, you can install it on your DNS Server. The HEIMDAL LogAgent can be uninstalled from Control Panel -> Programs and Features (together with Npcap OEM).
C. Installing the stand-alone HEIMDAL LogAgent (on Ubuntu)
To install the HEIMDAL LogAgent on your DNS Server, log in to the HEIMDAL Dashboard, go to the Guide section -> Download and install tab and download the stand-alone HEIMDAL Threat Prevention Network LogAgent (for Ubuntu). After downloading the LogAgent Script, unzip it and install it by running the command line below in the Terminal:
sudo sh install-ubuntu.sh
To see the HEIMDAL LogAgent's status, you can also run the following command line:
sudo systemctl status heimdal-logagent
The HEIMDAL LogAgent can be uninstalled from the Terminal using the command line below:
sudo sh uninstall-ubuntu.sh
IMPORTANT
The HEIMDAL LogAgent automatically updates when a new version is available.
THREAT PREVENTION - NETWORK view
The Threat Prevention - Network view displays all the information collected by the HEIMDAL Agent/HEIMDAL Log Agent running on the DNS Server(s) in your organization. The collected information refers to the DNS queries that went through your DNS Server(s). At the top, you see a statistic regarding the number of Analyzed Traffic Requests and the number of Prevented Attacks.
The collected information is placed in the following views: Standard view, Threat Type view, Latest Threats view, and Most Used Domains.
- Standard view
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Approved Requests, Prevented Attacks, and Risk Level, which is calculated as follows: Low risk level - the number of prevented attacks is lower than the number of days; Medium risk level - the number of prevented attacks is equal to or higher than the number of days and lower than 1.66 * the number of days; High risk level - everything above the Medium threshold. The data in this view updates every hour.
- Threat Type view
This view displays a table with the following details: Threat Type and number of Hits. The data in this view updates every hour.
- Latest Threats view
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), Client IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Domain, Threat Type, Date and Time. The data in this view updates in real-time.
Please note that hostnames that are listed in Standard View and Latest Threats View with the N/A tag instead of their name are not listed in the Forward Lookup Zones. In order to fix this, you will need to add those hostnames in the Forward Lookup Zones.
- Most Used Domains
This view displays a table with the following details: Domain and the Total Hits. The data in this view updates every hour.
- App Discovery view
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Risk Level, and Installed Endpoints. The data in this view updates in real-time.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information corresponding to each view.
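As an added illustration (not Heimdal's code), the Risk Level rule of the Standard view carried through on a constructed set of per-endpoint counts, including the N/A hostname case described above. The hostnames, IPs and counts are made up, and the length of the reporting period in days is passed in as a parameter (the article does not state how the period is chosen).

```python
from collections import defaultdict

# Constructed sample of what the Standard view aggregates per endpoint:
# (hostname, client_ip, approved_requests, prevented_attacks). All values are made up.
SAMPLE_ROWS = [
    ("WS-FIN-01", "10.0.1.15", 4210, 3),
    ("WS-HR-07", "10.0.2.40", 3880, 10),
    ("SRV-FILE-02", "10.0.0.9", 15020, 0),
    ("N/A", "10.0.3.77", 950, 30),       # hostname not in the Forward Lookup Zones
    ("WS-FIN-01", "10.0.1.15", 120, 1),  # a second LogAgent report for the same endpoint
]


def risk_level(prevented, days):
    """Risk Level exactly as the article defines it for the Standard view.

    Low:    prevented < days
    Medium: days <= prevented < 1.66 * days
    High:   everything else
    `days` is the reporting period in days (assumed to be at least 1).
    """
    if days < 1:
        raise ValueError("reporting period must cover at least one day")
    if prevented < days:
        return "Low"
    if prevented < 1.66 * days:
        return "Medium"
    return "High"


def standard_view(rows, days):
    """Build the Standard view table (one dict per endpoint) for a period of `days` days,
    summing repeated reports for the same hostname/IP pair before rating them."""
    totals = defaultdict(lambda: [0, 0])
    for host, ip, approved, prevented in rows:
        totals[(host, ip)][0] += approved
        totals[(host, ip)][1] += prevented
    table = []
    for (host, ip), (approved, prevented) in sorted(totals.items()):
        table.append({
            "hostname": host,
            "ip": ip,
            "approved_requests": approved,
            "prevented_attacks": prevented,
            "risk_level": risk_level(prevented, days),
            # N/A means the endpoint must be added to the DNS Forward Lookup Zones
            "needs_forward_lookup_entry": host == "N/A",
        })
    return table
```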
THREAT PREVENTION - NETWORK settings
In order to set up Threat Prevention - Network in the Heimdal Dashboard, you have to access the Network Settings section -> Threat Prevention tab.
DarkLayer Guard - turn on/off the Threat Prevention - Network module;
Domains Whitelist - allows you to whitelist a domain/sub-domain for the users in your network;
Domains Blacklist - allows you to blacklist a domain/sub-domain for the users in your network;
Block By Category - this feature allows you to block groups of domains that are included in a category (example: Social, Sports, Gambling, Finance, Health, and others):
Custom block pages - this feature allows you to add a custom HTML block page that will replace the default Heimdal block page when Threat Prevention - Network intercepts and blocks access to a malicious domain (or blacklisted domain):
Note: If you are using both TPE (Threat Prevention - Endpoint) and TPN (Threat Prevention - Network), TPN has priority when it comes to whitelisting/blacklisting. For example, if you blacklist a domain in TPN but not in TPE, the user will get the block banner even if the endpoint has that domain whitelisted in the Group Policy, since TPN is the first to filter that domain.
Access Rule* - add your Public IP Address(es) to filter traffic through our DNS Servers. Here you can specify a Public IP Address or a Subnet;
FILL CURRENT IP - automatically add your current Public IP Address in the Subnet field, getting it ready for being added as an Access Rule.
- You can add an Access Rule only if you are logged in to the HEIMDAL Dashboard from the Public IP Address that you are trying to add as an Access Rule;
- You can only add /32, /31, and /30 subnets;
- If you need a wider range, please write at corpsupport@heimdalsecurity.com;
*WARNING: Once a new Access Rule is added for a Public IP Address or Subnet, it will be whitelisted in our database. Removing it from the Access Rules will stop the filtering through our DNS Servers and could cause connectivity issues on your DNS Server if you are still forwarding traffic through the Threat Prevention - Network.
Log unknown hostnames - logs and displays unknown (N/A) hostnames in the Threat Prevention Network views (Standard view and Latest Threats view);
Log local domains - logs and displays intercepted local domains;
Policy check interval - sets the check interval of the Threat Prevention Log Agent;
Update Network Settings - updates all the configurations performed in the Threat Prevention Network module.