Open Source Projects

DIMA Business Solutions Pvt Ltd
3 Raja Street, Trichy Rd, Kallimadai, Singanallur, Tamil Nadu 641005

Document Update Version : 12_Sep_2020_1251PMIST
Document Authors : Sowmya Jegan (CEO) and Jegan (CTO)
Contact CEO/CTO : sowmya.j@dimabusiness.com , jegan@dimabusiness.com
Mobile : Sowmya Jegan +91-8220381514, Jegan +91-9790239061

About DIMA Warrior and Deployment methods

DNS Vulnerabilities
DIMA Public Cloud Intelligence
About DIMA Warrior - DNS Firewall built with Open Source BIND DNS Server
DIMA Warrior as a DNS Firewall/Server Compatibility
Deployment Method 1 : DIMA Warrior in Public Cloud
Deployment Method 2 : DIMA Warrior in Public Cloud - With on premise proxy and firewall
Deployment Method 3 : DIMA Warrior in Public Cloud - With Proxy Server in Public Cloud
Deployment Method 4 : DIMA Warrior in Public Cloud - With http proxy on premise and VPN access server in public cloud
Deployment Method 5 : DIMA Warrior in Public Cloud - With VPN access server in public cloud
Deployment Method 6 : DIMA Warrior in Public Cloud - With VPN access server in public cloud serving on premise WRT routers
Deployment Method 7 : DIMA Warrior in Private Cloud or On Premise
Deployment Method 8 : DIMA Warrior in Private Cloud or On Premise as primary and secondary
Deployment Method 9 : DIMA Warrior in Private Cloud or On Premise secondary with on premise proxy server
Deployment Method 10 : DIMA Warrior in Public Cloud providing web application security and on premise network security along with DIMA Authentic Server
Deployment Method 11 : DIMA Route Zero Network Design (90% Security Assured)

DNS Vulnerabilities

1) You own a firewall and you use a third-party DNS IP.
2) You own a proxy server and you use a third-party DNS IP.
3) You own a VPN access server and you use a third-party DNS IP.
4) You own a domain controller/Active Directory and you use a third-party DNS IP.
5) User DNS queries are resolved by a third-party DNS server which is not in their control.
6) DNS becomes a data channel.
7) A DNS 'A' record has 4 bytes of data; with 100 DNS queries it becomes 400 bytes of data which can be transferred or received.
8) A DNS 'AAAA' record has 16 bytes of data which can be transferred or received.
9) A DNS 'TXT' record has 255 characters of space, which can carry a payload out from your network with a private key (example: ransomware).
10) All the browser does is WGET (HTTP GET/POST), thereby downloading pictures or any executable files (example: malware) at the backend, which gives a pathway from your network to the outside world in the form of DNS queries.

DIMA Public Cloud Intelligence

1) It has two components: Intelligent Threat Vector (ITV) and Secure API.
2) Intelligent Threat Vector (ITV) has a predefined threat database (Open Source Threat Intelligence).
3) Intelligent Threat Vector (ITV) prepares a DNS zone file every 60 minutes and pushes it to the target DNS server.
4) Secure API does live traffic inspection (inspects DNS queries from the target DNS server).
5) Secure API is powered by AI-ML prediction techniques (good/bad decision maker on DNS queries).

About DIMA Warrior - DNS Firewall built with Open Source BIND DNS Server

1) DIMA Warrior has 5 zone files.
2) The 5 zone files are Whitelist, Blacklist, Genius, Category and RPZ.
3) The Whitelist zone file is for manual whitelisting of DNS queries.
4) The Blacklist zone file is for manual blacklisting of DNS queries.
5) The Genius zone file is powered by Secure API from DIMA Public Cloud Intelligence.
6) The Category zone file is powered by Intelligent Threat Vector (ITV) from DIMA Public Cloud Intelligence.
7) The RPZ zone file is powered by Intelligent Threat Vector (ITV) from DIMA Public Cloud Intelligence.
8) The DNS service config file is powered by DNS IP-based access control lists to inspect destination-based IP address queries; this is also governed by Intelligent Threat Vector (ITV) from DIMA Public Cloud Intelligence.

DIMA Warrior as a DNS Firewall/Server Compatibility

Can be a standalone server in either public or private cloud.

Use Case 1 : The DNS IP can be used directly as the preferred DNS server in a laptop, desktop, etc.
Use Case 2 : The DNS IP can be used in an on premise firewall (instead of depending on a third-party DNS IP, which is a vulnerability).
Use Case 3 : The DNS IP can be used in an on premise proxy server (instead of depending on a third-party DNS IP, which is a vulnerability).
Use Case 4 : The DNS IP can be used in a VPN access server (instead of depending on a third-party DNS IP, which is a vulnerability).

Deployment Method 1 : DIMA Warrior in Public Cloud

1) DIMA Warrior will be hosted in the public cloud, which will have a public IP.
2) The public IP can be used on the on premise firewall, cloud application servers, and on premise / cloud proxy server if the IP is reachable.
3) Once the IP is reachable from the on premise LAN or remote WiFi, we can use the IP in host computers and servers also.
4) The IP can also be used in WiFi routers if it is reachable from home or SOHO.

Deployment Method 2 : DIMA Warrior in Public Cloud - With on premise proxy and firewall

1) DIMA Warrior will be hosted in the public cloud, which will have a public IP.
2) The public IP can be used on the on premise firewall, cloud application servers, and on premise / cloud proxy server if the IP is reachable.
3) Once the IP is reachable from the on premise LAN or remote WiFi, we can use the IP in host computers and servers also.
4) The IP can also be used in WiFi routers if it is reachable from home or SOHO.

Deployment Method 3 : DIMA Warrior in Public Cloud - With Proxy Server in Public Cloud

1) DIMA Warrior will be hosted in the public cloud, which will have a public IP.
2) The public IP can be used on the on premise firewall, cloud application servers, and on premise / cloud proxy server if the IP is reachable.
3) Once the IP is reachable from the on premise LAN or remote WiFi, we can use the IP in host computers and servers also.
4) The IP can also be used in WiFi routers if it is reachable from home or SOHO.

Deployment Method 4 : DIMA Warrior in Public Cloud - With http proxy on premise and VPN access server in public cloud

1) DIMA Warrior will be hosted in the public cloud, which will have a public IP.
2) This IP will be integrated to VPN access servers in the public cloud.
3) Users on premise will connect to the HTTP proxy and, in parallel, via VPN to access the Internet via DIMA Warrior.
4) The user will have two credentials, one for VPN and another for the on premise HTTP proxy server.

Deployment Method 5 : DIMA Warrior in Public Cloud - With VPN access server in public cloud

1) DIMA Warrior will be hosted in the public cloud, which will have a public IP.
2) This IP will be integrated to the VPN access server in the public cloud.
3) Users on premise or remote will install the software and use the credentials given by DIMA in the same software.
4) Once connected, the users' devices will have their Internet traffic routed via the VPN tunnel and then access the Internet via DIMA Warrior.

Deployment Method 6 : DIMA Warrior in Public Cloud - With VPN access server in public cloud serving on premise WRT routers

1) DIMA Warrior will be hosted in the public cloud, which will have a public IP.
2) This IP will be integrated to the VPN access server in the public cloud.
3) Users will have a WRT WiFi router.
4) SOHO or home users will have a client-based configuration file integrated to the WRT WiFi router, which is a DIMA self-signed VPN license.
5) On activation, the WRT WiFi router will establish a secure tunnel to the VPN access server in the cloud, which enables the traffic to pass through the router and then the VPN tunnel.
6) Thereby the traffic securely reaches DIMA Warrior for Internet access.

Deployment Method 7 : DIMA Warrior in Private Cloud or On Premise

1) DIMA Warrior will be hosted in the private cloud, which will have a private IP.
2) This IP address can be used by users as a local primary DNS server via DHCP (WiFi) or static.
3) This IP address can also be used by servers on premise.
4) If the LAN or on premise users already have a DNS / domain controller, we can create a zone in DIMA Warrior on premise to point local requests or local application requests to the local DNS / domain controller.

Deployment Method 8 : DIMA Warrior in Private Cloud or On Premise as primary and secondary

1) DIMA Warrior is hosted on premise hardware or private cloud as primary and secondary DNS servers.
2) The two IP addresses can be used by users as local primary/secondary DNS servers via DHCP (WiFi) or static.
3) The two IP addresses can also be used by servers as primary/secondary on premise.
4) If the LAN or on premise users already have a DNS / domain controller, we can create a zone in DIMA Warrior on premise (primary / secondary) to point local requests or local application requests to the local DNS / domain controller.

Deployment Method 9 : DIMA Warrior in Private Cloud or On Premise secondary with on premise proxy server

1) DIMA Warrior is hosted on premise hardware or private cloud as primary and secondary DNS servers.
2) The two IP addresses can be used by users as local primary/secondary DNS servers via DHCP (WiFi) or static.
3) The two IP addresses can also be used by servers as primary/secondary on premise.
4) If the LAN or on premise users already have a DNS / domain controller, we can create a zone in DIMA Warrior on premise (primary / secondary) to point local requests or local application requests to the local DNS / domain controller.
5) The IP addresses of the primary and secondary DIMA Warrior can be integrated to the on premise proxy server.

Deployment Method 10 : DIMA Warrior in Public Cloud providing web application security and on premise network security along with DIMA Authentic Server

1) If you have a critical web application hosted on premise or in the public cloud, you can use DIMA Warrior as DNS for the critical web application server.
2) The same DIMA Warrior is used as DNS in the DIMA Authentic Server also.
3) DIMA Authentic Server provides URL masking, mutual SSL authentication and LDAP.
4) The same DIMA Warrior can be used on the on premise firewall, cloud application servers, and on premise / cloud proxy server if the IP is found to be reachable.
5) If the IP is reachable from the on premise LAN or remote WiFi, we can use this IP in host computers and servers also.
6) If the IP is reachable from home or SOHO, the same IP can be used in WiFi routers.

Deployment Method 11 : DIMA Route Zero Network Design (90% Security Assured)

1) On a manageable layer 3 switch, writing a default route pointing to the Firewall/Router/Modem LAN interface is very vulnerable.
2) It means you tell a hacker very clearly which way to come inside and go outside (data infiltration and exfiltration).
3) To fix the above, you need to define specific routes for the destination access needed and set the default route to Null0 (discard interface) at the end in the manageable layer 3 switch.
4) Example: best practice is to write a route to the proxy alone and set the default route to Null0 (discard interface) at the end in the manageable layer 3 switch.
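
The byte counts in items 7 to 9 of the DNS Vulnerabilities list can be turned into a per-client estimate from a resolver's query log. The sketch below is an added example, not DIMA's code; it assumes BIND 9 query-log lines, a two-label parent domain and illustrative thresholds, and its sample log is constructed.

```python
import re
from collections import defaultdict

# Upper bound on data carried per answer, using the figures from the list above.
BYTES_PER_ANSWER = {"A": 4, "AAAA": 16, "TXT": 255}

# BIND 9 query log: "... client [@0x..] IP#port (name): query: name IN TYPE ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<type>[A-Z0-9]+)")

def channel_report(log_lines, min_bytes=400, min_unique=20):
    """Return {(client, parent domain): (estimated bytes, unique names)} for suspects."""
    stats = defaultdict(lambda: {"bytes": 0, "names": set()})
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        name = m["name"].lower().rstrip(".")
        parent = ".".join(name.split(".")[-2:])  # assumption: two-label parent domain
        entry = stats[(m["ip"], parent)]
        entry["bytes"] += BYTES_PER_ANSWER.get(m["type"], 0)
        entry["names"].add(name)
    # Many distinct names under one parent plus a large byte estimate is the signal.
    return {key: (v["bytes"], len(v["names"])) for key, v in stats.items()
            if v["bytes"] >= min_bytes and len(v["names"]) >= min_unique}

def sample_log():
    """Constructed query-log lines using documentation addresses and names."""
    fmt = ("12-Sep-2020 12:51:00.000 client @0x7f00 {ip}#40000 ({n}): "
           "query: {n} IN {t} +E(0) (198.51.100.53)")
    lines = [fmt.format(ip="192.0.2.10", n=f"c{i}.tunnel.example", t="A")
             for i in range(100)]
    lines += [fmt.format(ip="192.0.2.20", n=f"k{i}.drop.example", t="TXT")
              for i in range(25)]
    lines += [fmt.format(ip="192.0.2.30", n="www.intranet.example", t="A")] * 5
    return lines

if __name__ == "__main__":
    for (client, parent), (size, names) in channel_report(sample_log()).items():
        print(f"{client} -> {parent}: ~{size} bytes over {names} unique names")
```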
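
The hourly zone-file build described under DIMA Public Cloud Intelligence, feeding the RPZ-style zone files listed under About DIMA Warrior, could look like this in outline. This is an added example and not DIMA's code; the zone name, SOA values and function names are assumptions, the feed entries are constructed, and every entry is validated before it reaches the zone file.

```python
import re
from datetime import datetime, timezone

# One DNS label: 1-63 of [a-z0-9_-], not starting or ending with a hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")

def clean_domain(raw):
    """Normalise a feed entry; return None if it is not safe to write to a zone file."""
    name = raw.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    # fullmatch, not match with "$": "$" would accept a label ending in a newline
    if not all(LABEL.fullmatch(label) for label in labels):
        return None
    return name

def build_rpz_zone(origin, feed, action, now=None):
    """Render RPZ zone text. action: 'block' (NXDOMAIN) or 'allow' (passthru)."""
    target = {"block": ".", "allow": "rpz-passthru."}[action]
    now = now or datetime.now(timezone.utc)
    serial = now.strftime("%Y%m%d%H")  # increases with every hourly rebuild
    accepted = sorted({d for d in map(clean_domain, feed) if d})
    lines = [
        "$TTL 300",
        f"$ORIGIN {origin}.",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for domain in accepted:
        lines.append(f"{domain} IN CNAME {target}")    # the name itself
        lines.append(f"*.{domain} IN CNAME {target}")  # all of its subdomains
    return "\n".join(lines) + "\n", accepted

if __name__ == "__main__":
    # Constructed feed entries, including two that must be rejected.
    feed = ["Bad.Example.", "bad.example", "a.example\n.com",
            "x.example\n$INCLUDE /etc/passwd"]
    zone, accepted = build_rpz_zone("blacklist.rpz", feed, "block")
    print(zone)
```

In BIND the order of zones in the `response-policy` statement sets precedence, so a whitelist zone built with `action="allow"` has to be listed before the blocking zones.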