Integrating Nominet NTXsecure into your technical environment

11th October 2018

Simon Whitburn
MD Cyber Solutions

You might be wondering what’s involved in connecting up to the Nominet NTXsecure service. It’s a straightforward, hassle-free process for any customer, regardless of the size or complexity of the organisation, and it minimises any impact on business performance.

Nominet NTXsecure is a fully managed DNS service with security analytics and active blocking capabilities, delivered by our team of experts. We do the work for you and provide the expertise to keep your organisation safe from cyber threats. At the heart of the service is our threat monitoring and analytics platform, uniquely built to spot a single malicious packet of data hidden in the vast amount of your DNS traffic.

Because your DNS traffic is managed by us, we will instantly detect anomalies and proactively block them before they harm your business. NTXsecure is run by some of the top DNS experts in the country. Nominet has a strong heritage, having run the UK internet for over 20 years and gathered unique DNS expertise and talent during those two decades.

As you would expect, the service comes with the SLAs that any good service does, together with daily, weekly and monthly reporting, so that customers have complete visibility of their threat landscape. Our reports are also built so that they provide the right level of detail for Heads of Business and for the Board.

This same service already protects the heart of the UK’s internet infrastructure, keeping 3 million UK organisations up and running.

For the second year now, Nominet has run the Protected DNS services for the UK public sector, as part of the Active Cyber Defence Programme implemented by the National Cyber Security Centre in the UK. A detailed report of the service and the level of protection it has provided can be read here.

Nominet NTXsecure architecture

The following diagram and table outline the core components of a typical NTXsecure installation, in this case for an organisation with network infrastructure in three global locations.

Figure 1: NTXsecure architecture and components

In order for the service to access your traffic and have visibility of your network, you only need to take the following two actions:

  1. Point your DNS traffic to the Nominet Managed DNS Platform
  2. Install the data collector(s) on your network

In the illustrated example above, a data collector is installed in each location to give visibility of each network.

Analysis details

Your traffic is analysed in real time by the Nominet NTX platform – our threat monitoring and analytics tool. As the platform is analysing your traffic in real-time it does four things for you:

  1. Gives you real-time visibility into your network traffic, to quickly distinguish irregular versus baseline behaviour.
  2. Analyses vast volumes of DNS data using our machine learning techniques and interrogates anomalies against Nominet’s data science intelligence.
  3. Helps you understand your network’s point-in-time attack types and trends, and provides you with knowledge you can use to adapt to emerging threats.
  4. Blocks command and control malware, domains associated with attack activity, targeted phishing and theft of data via DNS tunnelling.
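The fourth point, detecting data theft over DNS tunnelling, is the easiest of these to illustrate in code. The following is an added example, not Nominet's code and not the algorithm the NTX platform actually uses: a simple tunnelling heuristic run over a constructed DNS query log. It profiles each base domain by the number of distinct leftmost labels, their mean length and their mean Shannon entropy, and flags domains whose labels look like encoded payloads. The log line layout (`timestamp client qtype qname`), the thresholds, the client addresses and the `exfil-test.example` domain are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log. The line layout
# "<timestamp> <client_ip> <qtype> <qname>" is an assumption for this example,
# not the format the NTX Collector or Warehouse actually uses.
SAMPLE_LOG = """\
2018-10-11T09:00:01Z 10.0.0.5 A www.example.com
2018-10-11T09:00:02Z 10.0.0.5 A mail.example.com
2018-10-11T09:00:03Z 10.0.0.7 AAAA www.example.com
2018-10-11T09:00:04Z 10.0.0.7 A www.example.com
2018-10-11T09:00:05Z 10.0.0.9 TXT k7x2mq9pz4vw8bn3lh6rt1ys5dcg.t.exfil-test.example
2018-10-11T09:00:06Z 10.0.0.9 TXT a3f9u1e7o5i2b8c4d6g0h9j5k1l3.t.exfil-test.example
2018-10-11T09:00:07Z 10.0.0.9 TXT zq8w1e5r9t3y7u2i6o0p4a8s1d5f.t.exfil-test.example
2018-10-11T09:00:08Z 10.0.0.9 TXT m4n8b2v6c0x5z9l3k7j1h5g9f3d7.t.exfil-test.example
2018-10-11T09:00:09Z 10.0.0.9 TXT p1o5i9u3y7t2r6e0w4q8a3s7d1f5.t.exfil-test.example
2018-10-11T09:00:10Z 10.0.0.9 TXT g6h2j8k4l0z9x5c1v7b3n8m2q6w0.t.exfil-test.example
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Split the constructed log into (client, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        records.append((client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def base_domain(qname: str) -> str:
    """Crude 'registered domain': the last two labels (no public-suffix list here)."""
    return ".".join(qname.split(".")[-2:])


def profile_domains(records: list) -> dict:
    """Per base domain: distinct leftmost labels, their mean length and entropy, and the TXT share."""
    seen = defaultdict(set)
    txt = defaultdict(int)
    total = defaultdict(int)
    for _client, qtype, qname in records:
        base = base_domain(qname)
        labels = qname.split(".")
        if len(labels) > 2:
            seen[base].add(labels[0])  # the leftmost label is where a payload would sit
        total[base] += 1
        if qtype == "TXT":
            txt[base] += 1
    profile = {}
    for base, labels in seen.items():
        profile[base] = {
            "unique_labels": len(labels),
            "mean_length": sum(len(l) for l in labels) / len(labels),
            "mean_entropy": sum(shannon_entropy(l) for l in labels) / len(labels),
            "txt_share": txt[base] / total[base],
        }
    return profile


def flag_tunnelling(records, min_unique=5, min_length=20, min_entropy=3.0) -> list:
    """Base domains with many distinct, long, high-entropy labels: a tunnelling signature."""
    flagged = []
    for base, stats in profile_domains(records).items():
        if (stats["unique_labels"] >= min_unique
                and stats["mean_length"] >= min_length
                and stats["mean_entropy"] >= min_entropy):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for base, stats in profile_domains(recs).items():
        print(base, stats)
    print("suspected DNS tunnelling:", flag_tunnelling(recs))
```

The thresholds are deliberately simple; a production system would also track query volume per client over time and compare against a baseline, which is what the real-time baseline comparison in point 1 provides.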

The following table describes each component that makes up the Nominet NTX Platform:

Name | Description
---- | -----------
Aggregator | Queries one or more Warehouses to answer queries about traffic data collected by Collectors. Results are cached in a MySQL database for reuse. Each Aggregator can handle up to 225,000 DNS queries per second.
Analytics | Monitors traffic, using the Aggregator API, and checks for any anomalies or unusual activity (events) in traffic reported by Collectors.
Authenticator | Authentication service for user accounts: verifies user names/passwords and provides multi-factor authentication.
Collector | Captures the DNS packet stream for analysis. The Collector(s) can be installed on your network either on a separate, dedicated server that receives DNS traffic via a port mirror, or on each DNS server to be monitored. Recommended hardware requirements: Intel® Xeon® processor or equivalent, at least dual-core CPU, 8GB RAM, 100GB HDD. Each Collector can accept up to 225,000 DNS queries per second.
Database | Schema definitions for the MySQL database.
Feed Manager | Handles threat intelligence feeds, from Nominet’s data science platform, used by the Analytics module.
Reports | Handles generation and downloading of reports in PDF format.
RPZ Policy | Handles Response Policy Zones (RPZ).
SIEM Connector | Sends security events to a connected SIEM platform (see below).
Warehouse | Stores files received from one or more Collectors, in a sharded structure for efficient access.

Table 1: individual NTX platform components
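The RPZ Policy component in the table is where a blocking decision becomes a DNS answer. As an added illustration, not Nominet's code and not the format of the policy the NTX platform actually publishes, the following builds a minimal Response Policy Zone from a constructed blocklist and simulates how a resolver matches a query name against it. RPZ encodes the action in the CNAME target of the policy record: `CNAME .` answers NXDOMAIN, `CNAME *.` answers NODATA, `CNAME rpz-passthru.` exempts the name, and any other target redirects the client (a walled garden). The zone name `rpz.corp.example`, the sinkhole host and the listed domains are all made up for the example.

```python
from datetime import datetime, timezone

# Constructed blocklist of (domain, action). Every domain here is made up.
BLOCKLIST = [
    ("malware-c2.example", "nxdomain"),               # answer NXDOMAIN
    ("phish-login.example", "nxdomain"),
    ("telemetry.example", "nodata"),                  # answer NODATA (empty answer)
    ("allowed-partner.example", "passthru"),          # exempt from the policy
    ("sinkholed.example", "sinkhole.corp.example."),  # redirect to a sinkhole host
]

# Standard RPZ CNAME targets for the named actions.
ACTION_TARGETS = {"nxdomain": ".", "nodata": "*.", "passthru": "rpz-passthru."}


def rpz_records(domain: str, action: str) -> list:
    """Policy records for one trigger: the name itself plus a wildcard covering its subdomains."""
    name = domain.rstrip(".").lower()
    target = ACTION_TARGETS.get(action, action)
    if target not in ACTION_TARGETS.values() and not target.endswith("."):
        raise ValueError(f"redirect target must be a fully qualified name: {target!r}")
    return [f"{name}\tCNAME\t{target}", f"*.{name}\tCNAME\t{target}"]


def build_rpz_zone(entries, zone="rpz.corp.example", serial=None, ttl=300) -> str:
    """Render a complete zone file (SOA + NS + policy records) for the given entries."""
    if serial is None:
        # YYYYMMDDnn convention; a real deployment increments nn on every change
        serial = int(datetime.now(timezone.utc).strftime("%Y%m%d") + "01")
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {zone}.",
        f"@\tSOA\tns1.{zone}. hostmaster.{zone}. {serial} 3600 600 86400 {ttl}",
        f"@\tNS\tns1.{zone}.",
    ]
    for domain, action in entries:
        lines.extend(rpz_records(domain, action))
    return "\n".join(lines) + "\n"


def rpz_decision(entries, qname: str):
    """Simulate the resolver: an exact QNAME trigger wins, otherwise the closest
    enclosing wildcard; None means no policy applies and the real answer is returned."""
    rules = {d.rstrip(".").lower(): a for d, a in entries}
    q = qname.rstrip(".").lower()
    if q in rules:
        return rules[q]
    labels = q.split(".")
    for i in range(1, len(labels)):  # walk up: a.b.c -> b.c -> c
        parent = ".".join(labels[i:])
        if parent in rules:
            return rules[parent]
    return None


if __name__ == "__main__":
    print(build_rpz_zone(BLOCKLIST, serial=2018101101))
    for q in ("cdn.malware-c2.example", "www.example.com", "sinkholed.example"):
        print(q, "->", rpz_decision(BLOCKLIST, q))
```

Because the zone is ordinary DNS data, it can be distributed to resolvers with standard zone transfers, which is why a managed DNS platform can push blocking decisions to every site at once.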

As part of the service, DNS traffic collected and analysed is kept for the length of the service contract, in compliance with regulations and good security practice. This becomes a goldmine that, should a breach occur, you can retrospectively analyse for post-breach forensics.

Whilst Nominet secures your DNS layer for you so that breaches don’t happen there, unfortunately cyber-criminals can attack and, sometimes, gain access through other layers of your infrastructure.

Notification and SIEM integration

As well as displaying events on the UI and sending alerts, you also have the option to enrich your SIEM with the intelligence gathered from the attacks seen and blocked at the DNS layer. Customers find this component of the service and platform very valuable.

The SIEM connector links with SIEM platforms such as IBM QRadar, Splunk and HP ArcSight. The SIEM connector can format our intelligence in various ways, for example: LEEF, syslog, or JSON-formatted files, to suit your SIEM.
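To make the three output formats concrete, here is an added example (not the NTX SIEM Connector's code or schema) that renders one constructed DNS-blocking event as a LEEF 1.0 line for QRadar, an RFC 5424 syslog line, and a JSON document, and parses the LEEF line back. The event fields, the `0.0-example` product version, the hostnames, and the `dns@32473` structured-data ID (32473 is the enterprise number reserved for documentation by RFC 5612) are assumptions made for the example.

```python
import json

# Constructed sample event. The field names are assumptions for this example,
# not the schema the NTX SIEM Connector actually emits.
EVENT = {
    "event_id": "dns-block",
    "timestamp": "2018-10-11T09:00:05Z",
    "src": "10.0.0.9",
    "qname": "k7x2mq9pz4vw8bn3lh6rt1ys5dcg.t.exfil-test.example",
    "qtype": "TXT",
    "category": "dns-tunnelling",
    "action": "blocked",
    "policy": "rpz.corp.example",
    "severity": "warning",
}

# RFC 5424 severity codes.
SYSLOG_SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                   "warning": 4, "notice": 5, "informational": 6, "debug": 7}


def leef_escape(value) -> str:
    """LEEF attributes are tab-separated 'key=value' pairs: escape '\\' and '=',
    and replace any tab in the value so it cannot split the attribute list."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\t", " ")


def leef_unescape(value: str) -> str:
    """Undo leef_escape: a backslash quotes the following character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def to_leef(event, vendor="Nominet", product="NTXsecure", version="0.0-example") -> str:
    """LEEF 1.0 (IBM QRadar): '|'-separated header, then tab-separated attributes."""
    header = "|".join(["LEEF:1.0", vendor, product, version, event["event_id"]])
    attrs = {
        "devTime": event["timestamp"],
        "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",  # Java SimpleDateFormat pattern
        "src": event["src"],
        "cat": event["category"],
        "action": event["action"],
        "qname": event["qname"],
        "qtype": event["qtype"],
        "policy": event["policy"],
    }
    return header + "|" + "\t".join(f"{k}={leef_escape(v)}" for k, v in attrs.items())


def parse_leef(line: str):
    """Inverse of to_leef: returns (header dict, attribute dict)."""
    fields = line.split("|", 5)
    if len(fields) != 6 or fields[0] != "LEEF:1.0":
        raise ValueError("not a LEEF 1.0 line")
    header = dict(zip(("format", "vendor", "product", "version", "event_id"), fields[:5]))
    attrs = {}
    for attr in fields[5].split("\t"):
        i = 0
        while i < len(attr) and attr[i] != "=":  # first unescaped '=' ends the key
            i += 2 if attr[i] == "\\" else 1
        if i >= len(attr):
            raise ValueError(f"malformed LEEF attribute: {attr!r}")
        attrs[leef_unescape(attr[:i])] = leef_unescape(attr[i + 1:])
    return header, attrs


def sd_escape(value) -> str:
    """RFC 5424 SD-PARAM values must escape '\"', '\\' and ']'."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event, hostname="ntx-siem-connector", app="ntxsecure", facility=4) -> str:
    """RFC 5424 line. PRI = facility*8 + severity; facility 4 is security/authorization."""
    pri = facility * 8 + SYSLOG_SEVERITY[event["severity"]]
    params = " ".join(f'{k}="{sd_escape(event[k])}"'
                      for k in ("src", "qname", "qtype", "action", "policy"))
    msg = f"{event['category']} {event['action']} for {event['qname']} from {event['src']}"
    return (f"<{pri}>1 {event['timestamp']} {hostname} {app} - {event['event_id']} "
            f"[dns@32473 {params}] {msg}")


def to_json(event) -> str:
    """Compact, key-sorted JSON document (one per line when written to a file)."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    print(to_leef(EVENT))
    print(to_syslog(EVENT))
    print(to_json(EVENT))
```

Whichever format is chosen, the escaping rules matter: a query name is attacker-controlled data, and an unescaped `=` or `]` in it would corrupt the record the SIEM parses.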

System requirements

NTX components run on 64-bit Linux with Nominet supporting CentOS 6/7. Collector(s) are installed on your site(s), whilst all other components are usually hosted in a dedicated, secured cloud.

Configurations will differ depending on the size and nature of the network traffic your organisation experiences.

The collector is supplied as an RPM for installation on your target machine(s). There is little to no impact on your network infrastructure and no network downtime during installation and commissioning.

For more detailed information on NTXsecure please feel free to contact Nominet at [email protected].
