In this article, you will learn everything you need to know about the Threat Prevention - Network module.
1. Description
2. How does DarkLayer Guard - Network work?
3. DarkLayer Guard - Network setup guide
4. Heimdal LogAgent
5. Threat Prevention - Network view
6. Threat Prevention - Network settings
DESCRIPTION
HEIMDAL Security's Threat Prevention is the world’s most advanced DNS product, used to identify infected users and processes. Our cutting-edge Network & Endpoint Prevention, Detection, and Response solutions block attacks before they reach your network, servers, or endpoints. Thanks to their unique combination of local and cloud filtering, we guarantee a minimal system footprint. Now, in an unprecedented move, the Machine Learning (ML) engineers at HEIMDAL Security have successfully built and trained a neural network for DarkLayer Guard - Network (and for the DarkLayer Guard product) that enables the prediction of malicious DNS. Employing an outstanding amount of gradient-boosting decision trees and over 24 DNS features and criteria, the new neural network AI is state-of-the-art.
HEIMDAL Security has doubled the rate of correct detections and predicted future domains that are bound to be registered, and unlocked the algorithm’s capacity to detect malicious domains that would have normally escaped detection by the human eye. Combined with the VectorN Detection engine’s power, it will be it will virtually be unstoppable against all malicious attack attempts on enterprise security.
HOW DOES DARKLAYER GUARD - NETWORK WORK?
The DarkLayer Guard - Network is configured on your DNS Server(s) and forward DNS queries to the HEIMDAL DNS Resolvers where it is responsible for filtering all network packages based on DNS request origin and destination. The engine, which blocks malicious packages from communicating across the network prevents man-in-the-browser attacks, detects zero-hour exploits, protects from data or financial exfiltration, and prevents data loss or network infections. Compatible with any existing Antivirus software, the DarkLayer Guard - Network feature is a solution for securing DNS traffic by pre-emptively blocking malicious domains and communications to and from C&C, Phishing, and generally malicious servers.
DARLAYER GUARD - NETWORK setup guide
To set up DarkLayer Guard - Network please follow the steps below:
1. Log in to the HEIMDAL Dashboard.
2. Access the Network Settings section.
3. From the Threat Prevention tab, make sure the DarkLayer Guard module is turned ON.
4. In the Access Rule section, add your Public IP Address(es) (Name and Subnet required) and press the Update Network Settings button. You can add one or multiple Public IP Addresses with the following subnets: /32, /31, and /30. For bigger ranges, please get in touch with corpsupport@heimdalsecurity.com. Access Rule changes are propagated every 30 minutes.
DarkLayer Guard - Network DNS Forwarders (on Windows Server)
In order to implement DarkLayer Guard - Network in your organization, you will need to configure the DNS Server(s) in your organization to use the following IP Addresses as DNS Forwarders:
- 193.243.129.53
- 76.223.127.10
To set up DNS Forwarding on your DNS Server, you need to follow the steps below:
1. Open the DNS Manager from the Server Manager.
2. Right-click on the DNS Server and select Properties.
3. Select the Forwarders tab and click the Edit button.
4. Insert the DNS IP Addresses (193.243.129.53 and 76.223.127.10) and hit Enter after each IP Address. After entering both IP Addresses, press OK. Please know that HEIMDAL Security Forwarders will validate only if the Public IP Address of the DNS Server has been added as an Access Rule in the HEIMDAL Dashboard (30 minutes before validation).
The DNS Forwarders should look like this:
5. After configuring the DNS Forwarders, you can test if DarkLayer Guard - Network is working by accessing the website notblockedbyheimdalsecurity.com. If the text on the site says "Heimdal Security has blocked this page.", this means that DarkLayer Guard - Network is working properly.
Here is a how-to change the DNS Forwarder on Windows Server:
DarkLayer Guard - Network DNS Forwarders (on Ubuntu/Debian)
In order to implement DarkLayer Guard - Network in your organization, you will need to configure the DNS Server(s) in your organization to use the following DarkLayer Guard - Network IP Addresses as DNS Forwarders:
- 193.243.129.53
- 76.223.127.10
To set up DNS Forwarding on your DNS Server, you need to follow the steps below:
1. Open the interfaces file (/etc/network/interfaces) for editing:
sudo nano /etc/network/interfaces
2. Add the following settings:
auto eth0
iface eth0 inet static
address 192.168.1.2 #an IP at your choice
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 185.113.230.53 185.113.231.53
3. Open the resolv.conf file (/etc/resolv.conf) for editing:
sudo nano /etc/resolv.conf
4. Add the following settings:
nameserver 193.243.129.53
nameserver 76.223.127.10
#options edns0
5. Reboot the machine.
6. Update the apt package cache by typing:
sudo apt-get update
7. Install BIND on the DNS Server.
sudo apt-get install bind9 bind9utils bind9-doc
8. Open the named.conf.options file (/etc/bind/named.conf.options) for editing:
sudo nano /etc/bind/named.conf.options
9. Add the following settings:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
193.243.129.53;
76.223.127.10;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
10. Restart bind using the following command line:
sudo systemctl restart bind9
11. In case there's a firewall rule blocking port 53, you can unblock it with the following command line:
sudo ufw allow 53
12. After configuring BIND, you can test if DarkLayer Guard - Network is working by accessing the website notblockedbyheimdalsecurity.com. If the text on the site says "Heimdal Security has blocked this page.", this means that DarkLayer Guard - Network is working properly.
IMPORTANT
Please note the fact that it can take 30 to 60 minutes from changing your DNS Forwarders until you see the correct blocking page. Your protection is, however, in place immediately after changing forwarders.
HEIMDAL LOGAGENT
The HEIMDAL LogAgent (Threat Prevention Network LogAgent) allows you to associate the IP Addresses of the Allowed Requests and Prevented Attacks to the Hostnames on which the network filtering took place. The HEIMDAL LogAgent is installed on the DNS Server and reports the information collected on Prevented Attacks to the HEIMDAL Dashboard, thus helping the Administrator to see where the malicious behavior is started from by identifying the private (local) IP Address and the hostname of the endpoint in question.
The HEIMDAL LogAgent requires Npcap OEM and that is why we recommend you uninstall WinPcap (and the CSIS LogAgent) if it is already present on the DNS Server. Npcap will automatically get installed during the HEIMDAL LogAgent install operation. The HEIMDAL LogAgent can be installed using the following methods:
A. Installing it from the HEIMDAL Dashboard
To install the HEIMDAL LogAgent on your DNS Server from the HEIMDAL Dashboard you need to have the HEIMDAL Agent running on your specific server. If this condition is met, you can log in to the HEIMDAL Dashboard, click on Management -> Active Clients, select your DNS Server, and click Enable DNS Server from the dropdown menu.
This functionality will fire on the next HEIMDAL Agent Group Policy check and will install the HEIMDAL LogAgent on your DNS Server.
B. Installing the stand-alone HEIMDAL LogAgent (on Windows Server)
To install the HEIMDAL LogAgent on your DNS Server, log in to the HEIMDAL Dashboard, go to the Guide section -> Download and install tab and download the stand-alone HEIMDAL Threat Prevention Network LogAgent (for Windows). After downloading the HEIMDAL LogAgent, you can install it on your DNS Server. The HEIMDAL LogAgent can be uninstalled from Control Panel -> Programs and Features (together with Npcap OEM).
C. Installing the stand-alone HEIMDAL LogAgent (on Ubuntu)
To install the HEIMDAL LogAgent on your DNS Server, log in to the HEIMDAL Dashboard, go to the Guide section -> Download and install tab and download the stand-alone HEIMDAL Threat Prevention Network LogAgent (for Ubuntu). After downloading the LogAgent Script, unzip it and install it by running the command line below in the Terminal:
sudo sh install-ubuntu.sh
To see the HEIMDAL LogAgent's status, you can also run the following command line:
sudo systemctl status heimdal-logagent
The HEIMDAL LogAgent can be uninstalled from the Terminal using the command line below:
sudo sh uninstall-ubuntu.sh
IMPORTANT
The HEIMDAL LogAgent automatically updates when a new version is available.
THREAT PREVENTION - NETWORK view
The Threat Prevention - Network view displays all the information collected by HEIMDAL Agent/HEIMDAL Log Agent that is running on the DNS Server(s) in your organization. The collected information refers to the DNS queries that went through your DNS Server(s). On the top, you see a statistic regarding the number of Analyzed Traffic Requests, and the number of Prevented Attacks.
The collected information is placed in the following views: Standard view, Threat Type view, Latest Threats view, and Most Used Domains.
- Standard view
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Approved Requests, Prevented attacks, and Risk Level.
- Threat Type view
This view displays a table with the following details: Threat Type and number of Hits.
- Latest Threats view
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), Client IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Domain, Threat Type, Date and Time.
- Most Used Domains
This view displays a table with the following details: Domain and the Total Hits.
- App Discovery view
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Risk Level, and Installed Endpoints.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information corresponding to each view.
THREAT PREVENTION - NETWORK settings
In order to set up DarkLayer Guard - Network in the Heimdal Dashboard, you have to access the Network Settings section -> Threat Prevention tab.
DarkLayer Guard - turn on/off the Threat Prevention - Network module;
Whitelist - allows you to whitelist a domain/sub-domain for the users in your network;
Blacklist - allows you to blacklist a domain/sub-domain for the users in your network;
Access Rule* - add your Public IP Address(es) to filter traffic through our DNS Servers. Here you can specify a Public IP Address or a Subnet;
FILL CURRENT IP - automatically add your current Public IP Address in the Subnet field, getting it ready for being added as an Access Rule.
*WARNING: Once a new Access Rule is added for a Public IP Address or Subnet, it will be whitelisted in our database. Removing it from the Access Rules will stop the filtering through our DNS Servers and could cause connectivity issues on your DNS Server if you are still forwarding traffic through the DarkLayer Guard - Network.
