How a “tower” turns into a “pyramid”: the example of DNS traffic analysis and filtering

  • Tutorial
In the previous article we looked at how to present a course or diploma project to students, that is, how to build a “tower” starting from the second floor. Let's now build such a “tower” together on the example of a topic that never loses its relevance, the analysis and filtering of DNS traffic, and see how the “tower”, as it widens on the lower floors, turns into a “pyramid”, and how this helps the teacher.

What we already know from the previous article


Let's summarize the stages of preparing and presenting a topic in a table and distribute them among the floors of the future “tower”. Recall that in this methodology:

  • the teacher's work begins on the second floor of the course (left column of the table);
  • the fifth, fourth and sometimes third floors can be reused practically unchanged across a number of term and diploma projects.

Preparation and study of the topic (bottom to top) | Floor | Presentation of the topic (top to bottom)
A selection of real companies that [most likely] solve similar business tasks | 5 | A business task, with examples of market demand
Generalization of a single business function into a larger business task | 4 | Decomposition of the business task into separate, simple business functions, each usually within reach of one specialist / developer
Projection onto a business function | 3 | Formalization [with the necessary simplifications] of a business function as the transition to educational material
Main learning task | 2 | Obtaining a formalized task (and the constraints on it)
Set of simple tasks | 1 | Decomposition of the task into a set of simple [sub]tasks
[assumed] student knowledge | 0 (foundation) | Discussion and questions to check understanding of the material

When the "tower" is built


5th floor


The information security market offers solutions for protecting enterprise networks and organizations, including network providers. Many of these solutions include functionality for monitoring, analyzing and filtering DNS traffic. In demand are not only boxed software products that the customer hosts on its own premises, but also services in which DNS traffic is processed on external servers.

Service examples:

  • Comodo Secure DNS
  • Norton DNS
  • OpenDNS
  • Rejector.ru
  • SkyDNS
  • Yandex.DNS

Obviously, providers of DNS filtering services, especially those offering them for free, may pursue goals other than disinterested help in the fight against unwanted network activity: the operator sees every name its users resolve.

4th floor


Monitoring must be carried out on the fly, so that it does not affect the response time seen by users. This means that the decision on whether a request is “good” or “bad”, and on how the system should respond to it, has to be made immediately, without delay: afterwards it is almost impossible to influence the situation, because clients cache responses and only DNS traffic reaches the monitoring system, not the rest of the client's traffic.

The system must be high-performance, scalable and fault tolerant. At the same time it must support various filtering techniques: user lists, custom lists and classifications, regulator requirements, and detection of anomalous activity (DNS tunneling, enumeration of names in search of C&C servers).
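The two kinds of anomalous activity named above can be spotted from nothing more than a per-client summary of the query log. The following is an added example (not code from the original article or from any of the products mentioned): it reads constructed log records of the form (client, query name, response code), flags a client whose queries carry many long, high-entropy leftmost labels under one parent domain as a possible DNS tunnel, and flags a client with a high share of NXDOMAIN answers as possibly enumerating generated names. The log format, the thresholds and the simplification that the registrable domain is the last two labels are all assumptions.

```python
"""Per-client DNS log analysis for two anomaly patterns: DNS tunneling
(many long, high-entropy labels under one parent domain) and name
enumeration (a high share of NXDOMAIN answers). Added example, not the
article's code; thresholds and the log format are assumptions."""
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (registrable_domain, list_of_subdomain_labels).

    Simplifying assumption: the registrable domain is the last two labels.
    A real system would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze_dns_log(records, min_queries=5, long_label=20, entropy_min=3.0, nx_ratio=0.6):
    """records: iterable of (client_ip, qname, rcode). Returns {client: [alerts]}."""
    per_client = defaultdict(lambda: {
        "total": 0,
        "nxdomain": 0,
        "subdomains": defaultdict(set),         # parent -> distinct subdomain strings
        "suspicious_labels": defaultdict(int),  # parent -> long, high-entropy leftmost labels
    })
    for client, qname, rcode in records:
        st = per_client[client]
        st["total"] += 1
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        parent, sub = split_name(qname)
        if sub:
            st["subdomains"][parent].add(".".join(sub))
            leftmost = sub[0]
            if len(leftmost) >= long_label and shannon_entropy(leftmost) >= entropy_min:
                st["suspicious_labels"][parent] += 1

    findings = {}
    for client, st in per_client.items():
        if st["total"] < min_queries:
            continue  # too little data to judge this client
        alerts = []
        ratio = st["nxdomain"] / st["total"]
        if ratio >= nx_ratio:
            alerts.append(("nxdomain-enumeration", ratio))
        for parent, subs in st["subdomains"].items():
            if len(subs) >= min_queries and st["suspicious_labels"][parent] >= min_queries:
                alerts.append(("possible-dns-tunnel", parent))
        if alerts:
            findings[client] = alerts
    return findings


def _encoded_chunk(i: int) -> str:
    """Stand-in for a tunnel payload label (base32 of a hash), the way a tunnel
    client encodes carried bytes into a DNS label. Constructed for the example."""
    digest = hashlib.sha256(b"chunk-%d" % i).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")


# Constructed sample log, not a real capture: (client_ip, qname, rcode).
SAMPLE_LOG = (
    [("10.0.0.5", name, "NOERROR") for name in
     ["www.example.com", "mail.example.com", "cdn.example.net",
      "api.example.com", "img.example.net", "www.example.com"]]          # ordinary client
    + [("10.0.0.7", f"{_encoded_chunk(i)}.t.example.org", "NOERROR")
       for i in range(6)]                                                # tunneling pattern
    + [("10.0.0.9", name, "NXDOMAIN") for name in
       ["xkqpdlmzw.com", "qwertyuip.net", "zxcvbnmas.org", "plmoknijb.com",
        "uhbygvtfc.net", "rdxesztfc.org", "lkjhgfdsa.com"]]
    + [("10.0.0.9", "cdn.example.net", "NOERROR")]                       # enumeration pattern
)

if __name__ == "__main__":
    for client, alerts in analyze_dns_log(SAMPLE_LOG).items():
        print(client, alerts)
```

Both checks are cheap enough to run per client in a streaming fashion, which is what the "on the fly" requirement above demands; the per-parent counter is what prevents one long CDN hostname from triggering the tunnel alert on its own.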

3rd floor


It is impossible to rely on black / white lists alone: they go stale too quickly and require enormous effort to keep up to date, so heuristic methods are needed, for example a combination of several simple methods, none of which individually gives a reliable answer.

2nd floor


Each domain has a number of characteristics, for example creation date, hosting, owner, similarity to domains from black / white lists, length, usage statistics, etc. Obviously, some characteristics belong to the specific domain and some to other objects: the domain zone, the clients (statistics, typical usage), the hosting provider / registrar / owner, the returned IP addresses / ranges, etc.

You need to select a certain set of such characteristics, define metrics on them (how old the domain is, from its creation date; a reputation for a hosting provider or zone; whether the owner is an individual or a large company), compute their contribution to a final integrated domain score, for example through weighting factors, and set a threshold value.

The solution options vary, from neural networks to a set of tables recalculated on a separate cluster.
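As an added example of the "weighting factors plus threshold" variant described above (this is not code from the original article or from any product), here each characteristic is mapped to a suspicion metric in [0, 1], the metrics are combined with a weighted average and compared against a threshold. The feature set, the weights, the threshold, the reputation values and the blocklist are assumptions chosen for illustration; in practice they would come from the organization's own statistics and would be tuned on labeled data.

```python
"""Weighted integration of per-domain characteristics into a single score with
a threshold. Added example; features, weights, thresholds and sample data are
assumptions, not the article's own."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class DomainFacts:
    """What the pipeline has collected about one domain and its related objects
    (zone, hoster, owner). Reputations are in [0, 1], 1 = good; None = unknown."""
    name: str
    created: Optional[date]
    zone_reputation: float
    hoster_reputation: float
    owner_is_organization: Optional[bool]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used for similarity to blocklisted names (typosquats)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def age_metric(created: Optional[date], as_of: date) -> float:
    """1.0 for a domain under a month old, 0.0 past a year, linear in between.
    Unknown creation date (WHOIS privacy, failed lookup) is treated as neutral."""
    if created is None:
        return 0.5
    days = (as_of - created).days
    if days <= 30:
        return 1.0
    if days >= 365:
        return 0.0
    return 1.0 - (days - 30) / 335


def length_metric(name: str) -> float:
    """0.0 up to 12 characters, 1.0 from 40 characters, linear in between."""
    return min(max((len(name) - 12) / 28, 0.0), 1.0)


def lookalike_metric(name: str, blocklist, min_similarity: float = 0.8) -> float:
    """Normalized similarity to the closest blocklisted name, counted only when
    high enough to look like a deliberate lookalike; 1.0 on an exact hit."""
    best = 0.0
    for bad in blocklist:
        best = max(best, 1.0 - levenshtein(name, bad) / max(len(name), len(bad)))
    return best if best >= min_similarity else 0.0


def owner_metric(is_organization: Optional[bool]) -> float:
    if is_organization is None:
        return 0.8  # hidden or unknown owner
    return 0.2 if is_organization else 0.6


# Assumed weights: age and lookalikes are judged most informative here.
WEIGHTS = {"age": 3, "length": 1, "lookalike": 3, "zone": 2, "hoster": 1, "owner": 1}


def score_domain(facts: DomainFacts, blocklist, as_of: date, weights=WEIGHTS, threshold=0.5):
    """Weighted average of the metrics in [0, 1]; 'block' at or above the threshold."""
    metrics = {
        "age": age_metric(facts.created, as_of),
        "length": length_metric(facts.name),
        "lookalike": lookalike_metric(facts.name, blocklist),
        "zone": 1.0 - facts.zone_reputation,
        "hoster": 1.0 - facts.hoster_reputation,
        "owner": owner_metric(facts.owner_is_organization),
    }
    score = sum(weights[k] * metrics[k] for k in metrics) / sum(weights.values())
    return {"name": facts.name, "score": score, "metrics": metrics,
            "verdict": "block" if score >= threshold else "allow"}


# Constructed sample data: a fixed "today", a tiny blocklist and two domains.
AS_OF = date(2019, 6, 1)
BLOCKLIST = ["paypal-login.com", "secure-bank-update.net"]
OLD_DOMAIN = DomainFacts("example.com", date(2010, 1, 1), 0.9, 0.9, True)
NEW_LOOKALIKE = DomainFacts("paypa1-login.com", date(2019, 5, 22), 0.9, 0.3, None)

if __name__ == "__main__":
    for facts in (OLD_DOMAIN, NEW_LOOKALIKE):
        print(score_domain(facts, BLOCKLIST, AS_OF))
```

The breakdown returned next to the score is what makes the result explainable to the analyst who has to tune the weights; a neural network would replace the hand-set weights, but the metrics computed on the left-hand side stay the same.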

2nd floor ver 2.0


No, we will not go down to the 1st floor and dig into the individual subtasks now; that is done in conjunction with the course being taught (with a bias towards mathematics, programming or administration). Besides, the interests, hobbies, strengths and weaknesses of the students have to be taken into account.

Note that there can be several solutions, or more precisely, that there are many solutions, and even more possible implementations.

These solutions can and should be compared with each other:
  • by the chosen algorithm;
  • by performance;
  • by errors of the first and second kind (false positives and false negatives);
  • by the complexity of support, scalability, cost of ownership, etc.

Thus, previously completed work does not lose its relevance: it can be used in comparisons, can serve as a subject for optimization, and can serve as a benchmark by some criteria (speed, errors, etc.).

The comparison tasks themselves, that is, the choice of criteria and justification of the methodology, the preparation and execution of the comparisons (complexity estimates, load testing, relevant test material for identifying errors of the first and second kind), can also become separate projects.
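An added example of such a comparison (not code from the original article or from any product): three simple "solutions", a stale static blocklist, a crude heuristic on name length and digit share, and their combination, are run over the same constructed labeled sample, and each is scored by its error of the first kind (a benign domain blocked) and of the second kind (a malicious domain allowed). The sample, the labels, the blocklist and the heuristic thresholds are all constructed for the illustration.

```python
"""Comparing several filtering solutions on one labeled sample by errors of
the first kind (benign blocked) and second kind (malicious allowed). Added
example; solutions, sample and labels are constructed, not any product's."""
import time
from typing import Callable, Dict, List, Tuple

Classifier = Callable[[str], bool]  # True means "block"

# Constructed labeled sample: (domain, is_malicious). Not real threat intel.
LABELED_SAMPLE: List[Tuple[str, bool]] = [
    ("evil-update.net", True), ("bad-login-secure.com", True), ("xkqpdl12890.biz", True),
    ("secure-account-verify-now.info", True), ("paypa1-login.com", True), ("a1b2c3d4e5.org", True),
    ("example.com", False), ("wikipedia.org", False), ("github.com", False),
    ("my-long-company-name.com", False), ("archive.org", False), ("python.org", False),
]

# Solution A: a static blocklist that has gone stale and misses the newer names.
STALE_BLOCKLIST = {"evil-update.net", "bad-login-secure.com", "paypa1-login.com"}


def blocklist_filter(domain: str) -> bool:
    return domain.lower() in STALE_BLOCKLIST


def heuristic_filter(domain: str, max_len: int = 20, max_digit_ratio: float = 0.25) -> bool:
    """Solution B: block long names and names with a high share of digits.
    Assumed thresholds; deliberately crude so that it also misfires."""
    chars = domain.replace(".", "")
    digit_ratio = sum(c.isdigit() for c in chars) / len(chars)
    return len(domain) >= max_len or digit_ratio >= max_digit_ratio


def combined_filter(domain: str) -> bool:
    """Solution C: block if either of the two simple methods says so."""
    return blocklist_filter(domain) or heuristic_filter(domain)


def evaluate(classifier: Classifier, sample) -> Dict[str, float]:
    """Confusion counts plus the two error rates for one solution."""
    tp = fp = tn = fn = 0
    for domain, malicious in sample:
        blocked = classifier(domain)
        if blocked and malicious:
            tp += 1
        elif blocked:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "type_i_error": fp / (fp + tn) if fp + tn else 0.0,   # false positive rate
        "type_ii_error": fn / (fn + tp) if fn + tp else 0.0,  # false negative rate
    }


def compare(solutions: Dict[str, Classifier], sample) -> Dict[str, Dict[str, float]]:
    return {name: evaluate(clf, sample) for name, clf in solutions.items()}


def decisions_per_second(classifier: Classifier, sample, rounds: int = 2000) -> float:
    """Rough throughput figure for the 'performance' criterion; machine-dependent."""
    start = time.perf_counter()
    for _ in range(rounds):
        for domain, _label in sample:
            classifier(domain)
    return rounds * len(sample) / (time.perf_counter() - start)


SOLUTIONS = {"blocklist": blocklist_filter, "heuristic": heuristic_filter, "combined": combined_filter}

if __name__ == "__main__":
    for name, result in compare(SOLUTIONS, LABELED_SAMPLE).items():
        print(f"{name:10s} type I = {result['type_i_error']:.3f}  type II = {result['type_ii_error']:.3f}"
              f"  ~{decisions_per_second(SOLUTIONS[name], LABELED_SAMPLE):,.0f} decisions/s")
```

On this sample the blocklist never blocks a benign name but misses half of the malicious ones, the heuristic catches more but blocks a legitimate long company name, and the combination drops the error of the second kind to zero at the price of the heuristic's false positive. Which trade-off is acceptable is exactly the criterion choice the paragraph above leaves to the project.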

Instead of a conclusion


IT and information security specialists often have to choose one of several products with similar functionality from the market, and experience of meaningful comparison, when there is more than just a feature table from the vendor to go on, is both necessary and useful.

By reusing the accumulated material repeatedly you can improve the result, instead of sliding into REPETITIO EST MATER STUDIORUM. This is how the “tower” turns into a “pyramid”.

Constructive suggestions and criticism are welcome.
