What BlueCat brings to CDM Phase 3

BlueCat is part of the CDM Phase 3 BOUND offering. Our DNS security system offers unique value which goes beyond standard filters and firewalls.


BlueCat is pleased to be a part of the Continuing Diagnostics and Mitigation (CDM) program run by the Department of Homeland Security (DHS), which offers Federal government agencies a set of pre-approved technologies to increase the security of agency networks.

BlueCat in the CDM context

CDM is organized into four phases which roughly correspond to categories of network security tools.  BlueCat’s DNS security products are in Phase 3 – the Network Security Management section.  In this phase, agencies have already implemented (or are nearly finished implementing) asset management tools to discover what is on the network (Phase 1) as well as identity and access management tools to discover who is on the network (Phase 2).  Phase 3 gives agencies the ability to monitor and manage what is happening on the network.

DHS created additional sub-categories for CDM Phase 3 to distinguish between different types of solutions for continuous monitoring of network and perimeter components, host and device components, data at rest and in transit, and user behavior and activities.  BlueCat’s DNS security products fall under the “boundary protection” (BOUND) category.

Distinguishing between CDM BOUND products

There are plenty of filters and firewalls in the CDM Phase 3 boundary protection category.  So many, in fact, that security officers and procurement personnel are likely to find it difficult to distinguish between them.

What sets BlueCat apart?  Our definition of “boundary”.  Every other filter and firewall on the market sits on the external boundary of your network.  That’s all well and good for filtering inbound traffic.  In fact, it’s a necessary component of any security stack.

But what about traffic that originates from within your network?  Standard boundary filters and firewalls can manage queries as they leave the network, but tell you nothing about all the steps between the client device and the internet.  The best they can do is tell you which recursive server processed the query.  They have no data on which device sent the query or how it was processed through the network.  It’s the cyber equivalent of smelling smoke, but not knowing where the fire is.

That can be a problem when you’re doing a forensic investigation or hunting for cyberthreats in real time.  It’s simply not enough to know that a potential threat exists somewhere on the network.  Blocking malicious traffic is all well and good, but it doesn’t address the core problem: identifying and remediating the actual devices behind the threat.

Then there’s the problem of internal network traffic.  Traditional boundary filters and firewalls are designed to manage external queries.  They can’t do anything about queries from one agency server to another.  They are blind to malicious insiders, advanced persistent threats, and any other piece of software which hunts for data within the network before attempting to exfiltrate it.

What the “boundary” in BOUND means to BlueCat

For BlueCat, the network boundary is right where the client device sits.  BlueCat is the “first hop” in any DNS query, allowing our software to monitor, block, and/or redirect any query before it goes anywhere else on the network.  This provides visibility into far more, at a much more granular level, than what boundary-level filters and firewalls can see.

With BlueCat, you get the full context and intent behind every DNS query.  The query type, response data, destination IP – all of these things are incredibly valuable for identifying and mitigating cyber threats.  BlueCat also identifies DNS tunneling and domain generation algorithms, which are often signs of malicious activity.

Using this data, BlueCat also allows users to create security policies which stop malicious queries from resolving before they do any harm.  Querying a domain in Russia?  We can stop that.  Connected security camera suddenly querying a finance server?  No thank you.  Infected computer using a domain that was registered just seconds ago?  Get out of here.
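As an added illustration (not BlueCat’s code or product logic), here is a small Python policy evaluator over constructed first-hop query records that applies the three policies described above plus a simple DGA/tunneling heuristic. The record schema, the internal finance zone name, the device roles, and the GeoIP and domain-age enrichment fields are all assumptions made for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass

@dataclass
class DnsQuery:  # one first-hop query record; the schema is an assumption for this example
    client_ip: str
    client_role: str     # device role from asset inventory (CDM Phase 1 data), assumed
    qname: str
    answer_country: str  # assumed GeoIP enrichment of the answer address
    domain_age_s: int    # seconds since the domain was registered, assumed enrichment

BLOCKED_COUNTRIES = {"RU"}               # policy: no resolution to answers in these countries
MIN_DOMAIN_AGE_S = 24 * 3600             # policy: domains younger than a day are risky
FINANCE_ZONE = "finance.agency.example"  # hypothetical internal zone
FINANCE_ALLOWED_ROLES = {"workstation"}  # roles expected to talk to finance hosts

def shannon_entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_like_dga_or_tunnel(qname: str) -> bool:
    labels = qname.rstrip(".").split(".")[:-1]  # drop the TLD
    body = "".join(labels)
    if not body:
        return False
    # Tunnels carry encoded data in very long labels; DGA names look random.
    # Both thresholds are illustrative and would be tuned against real traffic.
    return max(map(len, labels)) > 40 or shannon_entropy(body) > 3.8

def evaluate(q: DnsQuery) -> list[str]:
    # Policy verdicts for one query; a "block" verdict stops resolution at the first hop.
    verdicts = []
    if q.answer_country in BLOCKED_COUNTRIES:
        verdicts.append("block:destination-country")
    if q.domain_age_s < MIN_DOMAIN_AGE_S:
        verdicts.append("block:newly-registered-domain")
    if q.qname.endswith(FINANCE_ZONE) and q.client_role not in FINANCE_ALLOWED_ROLES:
        verdicts.append("alert:unexpected-role-to-finance")
    if looks_like_dga_or_tunnel(q.qname):
        verdicts.append("alert:dga-or-tunneling-pattern")
    return verdicts

def first_hop_report(queries: list[DnsQuery]) -> dict[str, list[str]]:
    # Group verdicts by originating client: the attribution a perimeter-only filter lacks.
    report: dict[str, list[str]] = {}
    for q in queries:
        if v := evaluate(q):
            report.setdefault(q.client_ip, []).extend(v)
    return report

SAMPLE = [  # constructed traffic, not real logs
    DnsQuery("10.1.2.3", "camera", "ledger.finance.agency.example", "US", 10**8),
    DnsQuery("10.1.5.7", "workstation", "q7x2k9mzp4vwdl3n.example", "RU", 30),
]
```

Because every record carries the originating client, the report can point an investigator at the device rather than only at the recursive server that forwarded the query.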

Incorporating DNS into a CDM security stack

There is no silver bullet in cybersecurity, and DNS is no exception.  DNS is a vital part of the “cyber kill chain”, but it cannot carry the burden of cybersecurity on its own.  Like every tool in the BOUND category and CDM writ large, DNS is most effective when placed in context.  DNS security provides comprehensive visibility into what’s happening on the network.  At the same time, multiple types of data are often required to create a complete topology of cybersecurity.

The advantage of DNS is that it is everywhere on the network, cutting across different layers of the Open Systems Interconnection (OSI) network model and typical security architectures.  Pairing DNS security from BlueCat with data integrity and application security software would provide a comprehensive security picture which protects against a wide variety of threats.

Contact BlueCat for more information on our DNS security products or see what we have to offer under the EC America GSA contract (SIN 132-44).



BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
