
US-12621343-B2 - Enhanced internal host detection protocol


Abstract

Techniques for an enhanced internal host detection protocol are disclosed. In some embodiments, a system, a process, and/or a computer program product for an enhanced internal host detection protocol includes sending a response to a get configuration query from a portal for a cloud security service to an endpoint agent; routing a DNS reverse lookup query to a predetermined IP address associated with a DNS proxy associated with the cloud security service; sending a response to the DNS reverse lookup query from the DNS proxy associated with the cloud security service; and verifying that the response to the DNS reverse lookup query is not spoofed based on a match with the response to the get configuration query.

Inventors

  • Jiyuan Zhong
  • Remy Ouaini
  • Tripti Agarwal
  • Pratiksha Jain
  • Jose Carlos Sagrero Dominguez
  • Hao Long
  • Tao Lin
  • Damodar Jayram Banodkar
  • Vinod Kumar Balasubramanyam

Assignees

  • PALO ALTO NETWORKS, INC.

Dates

Publication Date
20260505
Application Date
20231222

Claims (14)

  1. A system, comprising: a processor configured to: send a response to a get configuration query from a portal for a cloud security service to an endpoint agent; route a DNS reverse lookup query to a predetermined IP address associated with a DNS proxy associated with the cloud security service, wherein the routing of the DNS reverse lookup query comprises to route the DNS reverse lookup query via an Internet Protocol Security (IPSEC) tunnel to a remote network (RN) that hosts the DNS proxy associated with the predetermined IP address, wherein the predetermined IP address associated with the DNS proxy associated with the cloud security service is an Anycast IP address, wherein an internal gateway is hosted on a remote network associated with the cloud security service; send a response to the DNS reverse lookup query from the DNS proxy associated with the cloud security service, wherein the response includes one or more of the following: 1) a first FQDN and an IPv4 address, and/or 2) a first FQDN and an IPv6 address, and wherein the response to the DNS reverse lookup query includes a second FQDN; and verify that the response to the DNS reverse lookup query is not spoofed based on a match with the response to the get configuration query, comprising to: determine that the first FQDN matches the second FQDN; and in response to a determination that the first FQDN and the second FQDN match, determine that the response to the DNS reverse lookup query is not spoofed; and a memory coupled to the processor and configured to provide the processor with instructions.
  2. The system of claim 1, wherein the DNS proxy is hosted on a remote network associated with the cloud security service.
  3. The system of claim 1, wherein a second DNS reverse lookup query is automatically routed through a secure tunnel that connects a branch office network to a remote network associated with the cloud security service.
  4. The system of claim 1, wherein the processor is further configured to: establish a secure connection with an internal gateway of a remote network associated with the cloud security service.
  5. The system of claim 1, wherein the processor is further configured to: establish a secure connection with an internal gateway of a remote network associated with the cloud security service, wherein the internal gateway is hosted on the remote network associated with the cloud security service.
  6. A method, comprising: sending a response to a get configuration query from a portal for a cloud security service to an endpoint agent; routing a DNS reverse lookup query to a predetermined IP address associated with a DNS proxy associated with the cloud security service, wherein the routing of the DNS reverse lookup query comprises to route the DNS reverse lookup query via an Internet Protocol Security (IPSEC) tunnel to a remote network (RN) that hosts the DNS proxy associated with the predetermined IP address, wherein the predetermined IP address associated with the DNS proxy associated with the cloud security service is an Anycast IP address, wherein an internal gateway is hosted on a remote network associated with the cloud security service; sending a response to the DNS reverse lookup query from the DNS proxy associated with the cloud security service, wherein the response includes one or more of the following: 1) a first FQDN and an IPv4 address, and/or 2) a first FQDN and an IPv6 address, and wherein the response to the DNS reverse lookup query includes a second FQDN; and verifying that the response to the DNS reverse lookup query is not spoofed based on a match with the response to the get configuration query, comprising: determining that the first FQDN matches the second FQDN; and in response to a determination that the first FQDN and the second FQDN match, determining that the response to the DNS reverse lookup query is not spoofed.
  7. The method of claim 6, wherein the DNS proxy is hosted on a remote network associated with the cloud security service.
  8. The method of claim 6, wherein a second DNS reverse lookup query is automatically routed through a secure tunnel that connects a branch office network to a remote network associated with the cloud security service.
  9. The method of claim 6, further comprising: establishing a secure connection with an internal gateway of a remote network associated with the cloud security service.
  10. The method of claim 6, further comprising: establishing a secure connection with an internal gateway of a remote network associated with the cloud security service, wherein the internal gateway is hosted on the remote network associated with the cloud security service.
  11. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: sending a response to a get configuration query from a portal for a cloud security service to an endpoint agent; routing a DNS reverse lookup query to a predetermined IP address associated with a DNS proxy associated with the cloud security service, wherein the routing of the DNS reverse lookup query comprises to route the DNS reverse lookup query via an Internet Protocol Security (IPSEC) tunnel to a remote network (RN) that hosts the DNS proxy associated with the predetermined IP address, wherein the predetermined IP address associated with the DNS proxy associated with the cloud security service is an Anycast IP address, wherein an internal gateway is hosted on a remote network associated with the cloud security service; sending a response to the DNS reverse lookup query from the DNS proxy associated with the cloud security service, wherein the response includes one or more of the following: 1) a first FQDN and an IPv4 address, and/or 2) a first FQDN and an IPv6 address, and wherein the response to the DNS reverse lookup query includes a second FQDN; and verifying that the response to the DNS reverse lookup query is not spoofed based on a match with the response to the get configuration query, comprising: determining that the first FQDN matches the second FQDN; and in response to a determination that the first FQDN and the second FQDN match, determining that the response to the DNS reverse lookup query is not spoofed.
  12. The computer program product of claim 11, wherein the DNS proxy is hosted on a remote network associated with the cloud security service.
  13. The computer program product of claim 11, wherein a second DNS reverse lookup query is automatically routed through a secure tunnel that connects a branch office network to a remote network associated with the cloud security service.
  14. The computer program product of claim 11, further comprising computer instructions for: establishing a secure connection with an internal gateway of a remote network associated with the cloud security service.
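The agent-side check the claims describe (compare the FQDN from the portal's getconfig response with the FQDN returned by the DNS proxy for the reverse lookup of the predetermined IP), as an added worked example in Python; this is not code from the patent or from Palo Alto Networks, and the getconfig field names, IP addresses and FQDN are constructed sample values:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample getconfig response (field names are hypothetical):
# the portal tells the endpoint agent the "first FQDN" and the predetermined
# Anycast IP(s) of the cloud security service's DNS proxy.
GETCONFIG_RESPONSE = {
    "internal-host-detection": {
        "ip-address": "192.0.2.53",        # hypothetical predetermined IPv4
        "ipv6-address": "2001:db8::53",    # hypothetical predetermined IPv6
        "host": "ihd.example.invalid",     # hypothetical "first FQDN"
    }
}


@dataclass
class PtrAnswer:
    """The DNS proxy's reply to the reverse lookup (carries the 'second FQDN')."""
    fqdn: Optional[str]  # None models no answer / NXDOMAIN (query never reached the proxy)


def reverse_query_name(ip: str) -> str:
    """PTR owner name the agent queries for the predetermined IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer  # in-addr.arpa or ip6.arpa


def _norm(fqdn: str) -> str:
    # DNS names are case-insensitive and may carry a trailing root dot.
    return fqdn.rstrip(".").lower()


def classify(getconfig: dict, ptr: PtrAnswer) -> str:
    """Return 'internal', 'external' or 'spoofed' from the two FQDNs."""
    expected = getconfig["internal-host-detection"]["host"]
    if ptr.fqdn is None:
        # The reverse lookup only answers when routed over the tunnel to the
        # proxy, so no answer means the endpoint is off the internal network.
        return "external"
    if _norm(ptr.fqdn) == _norm(expected):
        return "internal"  # first FQDN matches second FQDN: response not spoofed
    # An answer arrived but disagrees with what the portal configured: treat the
    # reverse-lookup response as spoofed and do not trust the internal path.
    return "spoofed"


if __name__ == "__main__":
    for ip in ("192.0.2.53", "2001:db8::53"):
        print(ip, "->", reverse_query_name(ip))
    print(classify(GETCONFIG_RESPONSE, PtrAnswer("ihd.example.invalid.")))
```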

Description

BACKGROUND OF THE INVENTION

Nefarious individuals attempt to compromise computer systems in a variety of ways. As one example, such individuals may embed or otherwise include malicious software (“malware”) in email attachments and transmit or cause the malware to be transmitted to unsuspecting users. When executed, the malware compromises the victim's computer. Some types of malware will instruct a compromised computer to communicate with a remote host. For example, malware can turn a compromised computer into a “bot” in a “botnet,” receiving instructions from and/or reporting data to a command and control (C&C) server under the control of the nefarious individual. One approach to mitigating the damage caused by malware is for a security company (or other appropriate entity) to attempt to identify malware and prevent it from reaching/executing on end user computers. Another approach is to try to prevent compromised computers from communicating with the C&C server. Unfortunately, malware authors are using increasingly sophisticated techniques to obfuscate the workings of their software. As one example, some types of malware use Domain Name System (DNS) queries to exfiltrate data. Accordingly, there exists an ongoing need for improved techniques to detect malware and prevent its harm. Techniques for detecting malware may be performed locally by a firewall or via a cloud service.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 is a block diagram of an environment in which malicious traffic is detected or suspected in accordance with some embodiments.

FIG. 2A illustrates an embodiment of a data appliance.

FIG. 2B is a functional diagram of logical components of an embodiment of a data appliance.

FIG. 3 illustrates a high-level architecture for an enhanced internal host detection protocol for authentication to a cloud security service in accordance with some embodiments.

FIG. 4A illustrates an example of a getconfig request from an endpoint agent in accordance with some embodiments.

FIG. 4B illustrates a typical response from the cloud security service portal to the getconfig request sent from the endpoint agent in accordance with some embodiments.

FIG. 5 is a flow diagram of a process for an enhanced internal host detection protocol in accordance with some embodiments.

FIG. 6 is a flow diagram of a process for configuring a cloud security service using an enhanced internal host detection protocol in accordance with some embodiments.

FIG. 7 is another flow diagram of a process for configuring a cloud security service using an enhanced internal host detection protocol in accordance with some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

Advanced or Next Generation Firewalls

Malware is a general term commonly used to refer to malicious software (e.g., including a variety of hostile, intrusive, and/or otherwise unwanted software). Malware can be in the form of code, scripts, active content, and/or other sof