Secure Your Network With TCPWave

TCPWave Security

As more devices proliferate into your network, its infrastructure becomes more complex. Fragmented legacy tools lack the capability and intelligence to secure you from existing and future network threats. While DNS is the backbone of internet application reachability, it also serves as a threat vector for malware, DDoS, and data exfiltration that can take down your enterprise, large or small, in no time. TCPWave has worked relentlessly to devise solutions that safeguard your network against future risks. Our IPAM can protect your DNS infrastructure at multiple layers through state-of-the-art monitoring, robust and intelligent firewalls, and hardened appliances. TCPWave IPAM supports TACACS+, Active Directory, Radius, PAM, and Single Sign-On authentication mechanisms. Our appliances have passed the most stringent ethical hacking and penetration tests, and our non-BIND solutions, in addition to BIND, protect your DNS infrastructure from DNS exploits.

Security Features
Top Talker Engine

Detects an abusive number of queries and sends an alert.

Deep packet DNS Inspection Engine

Blackholes offending address blocks.

Dynamic Firewall Engine

Applies pre-existing or dynamic rules to control queries entering the server.

DNS Response Rate Limiting

Preconfigured or dynamic setting to drop DNS queries before they hit the DNS server.

Dynamic RPZ

Response policy zones, preconfigured or dynamically configured, to block certain malicious zones.

Network Forensics

Seamless auditing and forensic reports are integrated into the TCPWave IPAM at no extra cost.

DNS Solutions
Firewall - Deep Packet Inspection

We offer you a robust and intelligent firewall that provides deep packet inspection and protects the DNS application layer from malicious requests. Its packet-matching algorithm is applied against each request and rejects it before it reaches the DNS server; it can also block all requests from a specific IP address or a subnet. TCPWave IPAM can enforce a rate limit to dilute a DDoS attack. Our layer 3 firewall rules are dynamically configurable based on threat detection from the monitoring engine and are combined with our RPZ feed, which considerably mitigates the risk of DDoS attacks on the DNS cache servers.


DNS is security deficient by default; DNSSEC is the DNS extension that secures and protects the network from DNS spoofing. TCPWave has simplified DNSSEC implementation using superior encryption and has automated DNS key rollovers, removing manual intervention. DNSSEC-signed zones ensure protection against man-in-the-middle attacks and secure Dynamic DNS updates.


The DNS RPZ feature allows the network operator to control the behavior of responses to DNS queries. Using this feature, the known “bad guys” can be prevented from causing malicious damage by eliminating them at their source, the DNS system.

DNS Proxy

DNS Proxy is a feature to mitigate DNS cache poisoning. It stores the result in the DNS Cache Appliance whenever it gets a request for the first time, and the stored cache is used to serve subsequent requests for the same domain, which helps improve network performance. DNS Proxy contains a set of rules used to filter DNS requests that are not accurately structured or that are proven to cause risks. DNS Proxy helps mitigate issues such as DNS cache poisoning that arise in a B2B relationship. The root appliance delegates the third-party DNS to the DNS Proxy Appliance, and the DNS Proxy talks to the third-party DNS and fetches answers.

Core Network Solutions
Hardened DNS Appliance:

Our Dell TCPWave appliances use a hardened Linux kernel with a fast operating system.

Packet Filter

The packet filtering module restricts the types of queries that end users can send.


With smart anycast routing, all appliances act as backups for each other.

ISC BIND + TCPWave DNS Solution

While most DNS solutions use ISC BIND, which is more vulnerable to attacks, TCPWave’s self-developed DNS solution offers added DNS security.

Code Diversity

TCPWave provides DNS servers with different source code in each to maintain true diversity. TCPWave’s DNS Appliance monitors itself and, if there is an unresolved issue, the server shuts itself down and reroutes the traffic using BGP or OSPF. All the logs are captured for analysis.

Top-Talker Detection

When an abusive top talker is detected, the customer is notified with the IP address of the attacker to take necessary action.
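The following sketch illustrates the general idea of top-talker detection over DNS query logs. It is an added example, not TCPWave's implementation: the log layout (modelled on a BIND-style query log), the one-second window, the ten-query threshold and all addresses are assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=1)   # assumed sliding-window length
THRESHOLD = 10                  # assumed max queries per source per window

# Timestamp (two fields), then "client <ip>#<port>".
LINE_RE = re.compile(r"^(\S+ \S+) client ([0-9A-Fa-f.:]+)#\d+ ")

def make_line(ts, ip, qname):
    """Format one constructed log line in the style of a BIND query log."""
    stamp = ts.strftime("%d-%b-%Y %H:%M:%S.") + f"{ts.microsecond // 1000:03d}"
    return f"{stamp} client {ip}#53000 ({qname}): query: {qname} IN A +"

def sample_log():
    """Constructed traffic: a quiet client, a 12-query burst, one junk line."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    lines = [make_line(t0 + timedelta(seconds=3 * i), "192.0.2.10",
                       "www.example.com") for i in range(4)]
    lines += [make_line(t0 + timedelta(milliseconds=50 * i), "198.51.100.7",
                        f"r{i}.example.com") for i in range(12)]
    return sorted(lines) + ["malformed line that the parser must skip"]

def top_talkers(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: peak queries in any window} for sources above threshold."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a query record
        try:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        except ValueError:
            continue              # unparseable timestamp
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:    # expire entries older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, peak in top_talkers(sample_log()).items():
        print(f"ALERT top talker {ip}: {peak} queries within {WINDOW.seconds}s")
```

In practice the window and threshold would be tuned against a baseline of normal resolver traffic so that busy but legitimate forwarders are not flagged.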

DNS Query Scrubber

To eliminate cache poisoning, non-authoritative data is never added to the cache. DNS Proxy is used instead.

DNS Proxy

The DNS Proxy appliance acts as an intermediary for requests from clients seeking resources from third parties or the Internet. A client connects to the proxy server, requesting DNS service, and the proxy appliance evaluates the request as a way to simplify and control its complexity. TCPWave DNS Proxy is designed to protect the internal caches from cache poisoning.

DDoS Attacks Shield

TCPWave appliances have a hardened OS and, on top of it, provide a backup DNS appliance for BIND DNS in case BIND DNS becomes inoperable due to attacks.

SNMP Alerts

All TCPWave appliances are configured with an SNMP MIB for fault and performance statistics for network monitoring. They are enabled to send SNMP alerts to SMARTS when a fault is detected, so that network admins can proactively make decisions. This enhanced monitoring provides you with automatic monitoring of all critical components of your network.

Secured Communication

TCPWave performs secure DNS updates through TCP over SSL so that the transmissions cannot be intercepted by a DNS spoofing attack or a man-in-the-middle attack.


Our TCPWave Appliance uses TACACS+ for authentication, authorization and accounting. This security application centralizes the validation of users who attempt to gain access to routers, servers, etc. in your network infrastructure. TACACS+ eliminates the need to define a user as a local account on multiple appliances. You define the user once in a foreign AAA server, which checks permissions and authenticates the user from each appliance they attempt to log in from. This simplifies security authentication and management in your network infrastructure.


PAM stands for Pluggable Authentication Modules. These are authentication modules for services, such as LDAP or Radius, that can be 'plugged' into the authentication process on a Linux or Sun Solaris host. This functionality provides the ability to customize how and by what mechanism users, applications and processes are authorized.

TSIG DNS Authentication

To secure communication between DNS servers, TSIG authentication is used to provide secret keys to encrypt all DNS updates and zone transfers between DNS servers and for Active Directory updates. GSS-TSIG is a GSS-API algorithm which uses Kerberos for passing security tokens to provide authentication, integrity and confidentiality.

HMAC Authentication

This is a strong encryption algorithm used to secure the communications between DNS appliances. No foreign appliance can send updates to the servers or establish any communication with the servers in the internal network without knowledge of the security keys.

Chroot Environment

Our DNS Appliances have been hardened to fight against security risks of various degrees and to send SNMP alerts. On top of this, we run BIND as a non-root user in a chroot directory to limit its access to the chroot environment. Hence, we are dedicated to supporting you with impenetrable security.
