Infoblox DNS Firewall provides a mechanism to further protect your network from malware and APTs (Advanced Persistent Threats) through the integration of FireEye appliances. When your NIOS appliance is properly integrated with a FireEye appliance, it receives an alert from the FireEye appliance each time FireEye identifies malware or an APT. Based on your configuration, the NIOS appliance translates these alerts into RPZ rules that not only further protect your network from malicious attacks, but also aid in identifying clients that have been compromised.
As illustrated in Figure 42.2, after installing the required RPZ and FireEye licenses on the NIOS appliance, you can configure a FireEye integrated RPZ in which you map RPZ rules to FireEye alert types. While creating the FireEye RPZ, the appliance generates a URL to which the FireEye appliance sends alerts. Ensure that you enter this URL when configuring the FireEye appliance. The NIOS appliance also creates the fireeye-group admin group after you define the first FireEye RPZ. You can add multiple admin users to this admin group. Note that users in the fireeye-group can only send alerts to the NIOS appliance; they cannot access the Infoblox GUI, CLI, API and RESTful API. They also do not have permissions to perform other tasks on the appliance. Ensure that you record the usernames and passwords for all user accounts so you can enter them correctly when you configure the FireEye appliance. You can map one or more FireEye appliances to a NIOS appliance on which multiple users or zones exist.

Figure 42.2 FireEye Integrated RPZ (diagram not reproduced here)


To configure a FireEye integrated RPZ, complete the following:

  1. Create a new FireEye integrated RPZ, as described in Configuring FireEye RPZs.
  2. Create FireEye admin users, as described in For FireEye Integrated RPZs.
  3. Add URL and user credentials on the FireEye appliance, as described in Configuring the FireEye appliance.
  4. When malware or a threat is detected, the FireEye appliance sends an alert message to the NIOS appliance, which is stored in the syslog. For more information, see Handling Alerts from the FireEye appliance.

...

  1. Install the required licenses on the NIOS appliance. For more information about licenses, see License Requirements and Admin Permissions.
  2. Create a new FireEye RPZ zone. For more information, see Configuring FireEye RPZs.
  3. Create FireEye admin users. For more information, see For FireEye Integrated RPZs.
  4. Get the URL from the NIOS appliance and record it. You need this to configure the FireEye appliance. For more information about the Server URL, see Configuring FireEye RPZs. If you have already configured a FireEye integrated RPZ, then you can retrieve the URL through the FireEye tab of the corresponding FireEye RPZ zone. For more information about managing and retrieving the URL, see Modifying RPZs.
  5. Record the usernames and passwords on the NIOS appliance. You must use these credentials when configuring FireEye alerts to enable the alerts to be received by NIOS. For more information, see Configuring the FireEye appliance to send alerts to NIOS.

...

  1. Log in to the FireEye appliance with your username and password.
  2. In the FireEye GUI, click the Settings tab and then click the Notifications tab on the left panel.
  3. In the Notification Settings page, click the http link and then enter the name of the HTTP server you want to add. Click Add HTTP Server and complete the following:
    • Name: When you click Add, the HTTP server name that you specified is listed in this column.
    • Enabled: Select the check box to enable alerts and notifications for the HTTP server.
    • Server Url: Enter the URL you received on the NIOS appliance. The alerts and notifications are sent using this URL by the FireEye appliance.
    • Auth: Select this check box if authentication is required for the server.
    • Username and Password: Enter the Username and Password of the user that you have configured for the fireeye-group on the NIOS appliance. For more information, see For FireEye Integrated RPZs.
    • Notification: Select a notification from the drop-down list. You can choose to include notifications for all events or only events of a selected type. The FireEye appliance sends an alert to the NIOS appliance only when the selected event is encountered. When you select All Events, an alert is sent for every event the FireEye appliance encounters.
    • Delivery: Select Per Event from the drop-down list. Note that the NIOS appliance supports only Per Event selection. The FireEye appliance sends an alert each time it encounters an event.
    • Account: You can specify a user account name for this notification.
    • SSL Enable: Select this check box to enable SSL for secure transmission of alerts from the FireEye appliance to NIOS.
    • Default Provider: Select a default provider from the list.
    • Message Format: Select JSON Normal from the drop-down list. Note that the NIOS appliance supports only this message format.
  4. Click Update at the bottom of the page.
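The following is an added example, not Infoblox or FireEye code, that models the receiving side of the notification channel configured above: one JSON alert per event, HTTP Basic authentication with a fireeye-group account, and translation of the alert into an RPZ rule according to an alert-type mapping. The alert JSON shape (`alert_type`, `domain`), the alert type names, the action names, the account `fe-alerts` and its password are all assumptions made for the example; the real FireEye "JSON Normal" schema is not described on this page. It also shows the checks a receiver should apply so that a bad credential or a malformed alert cannot produce an RPZ entry.

```python
"""Model of a NIOS-style FireEye alert receiver (added example, not Infoblox code)."""
import base64
import hmac
import json
import re
from hashlib import sha256

# Constructed fireeye-group account store: username -> sha256(password).
# Per the page, these users may only post alerts; they have no GUI/CLI/API rights.
FIREEYE_GROUP_USERS = {"fe-alerts": sha256(b"example-password").hexdigest()}

# Constructed alert type -> RPZ action mapping (the page says the admin maps rule
# types to alert types; the concrete names here are assumptions for the example).
ALERT_TO_RPZ_ACTION = {
    "malware-callback": "BLOCK_NXDOMAIN",
    "web-infection": "BLOCK_NODATA",
    "domain-match": "LOG_PASSTHRU",
}

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, at least two labels.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def basic_auth_header(username, password):
    """Build the Authorization header value the sending appliance would put on the POST."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def check_basic_auth(authorization_header, users=FIREEYE_GROUP_USERS):
    """Return the username if the Basic credentials match a fireeye-group account, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = users.get(username)
    # Hash and compare in constant time even for unknown users, so the response
    # time does not reveal whether the username exists.
    given = sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(given, expected or sha256(b"").hexdigest())
    return username if (expected is not None and ok) else None


def parse_alert(body):
    """Parse one per-event JSON alert; reject anything that is not a single JSON object."""
    try:
        alert = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    return alert if isinstance(alert, dict) else None


def alert_to_rpz_rule(alert, mapping=ALERT_TO_RPZ_ACTION):
    """Translate an alert into an RPZ rule (trigger domain + action), or None.

    Unmapped alert types and domains that are not valid hostnames are dropped
    rather than turned into rules, so a malformed alert cannot inject an
    arbitrary RPZ entry.
    """
    action = mapping.get(alert.get("alert_type"))
    domain = str(alert.get("domain", "")).lower().rstrip(".")
    if action is None or not DOMAIN_RE.match(domain):
        return None
    return {"trigger": domain, "action": action, "source": f"fireeye:{alert['alert_type']}"}


def handle_post(headers, body):
    """Process one notification POST. Returns (http_status, rule_or_None)."""
    user = check_basic_auth(headers.get("Authorization"))
    if user is None:
        return 401, None
    alert = parse_alert(body)
    if alert is None:
        return 400, None
    rule = alert_to_rpz_rule(alert)
    if rule is None:
        return 204, None  # authenticated and well-formed, but nothing to add
    rule["added_by"] = user
    return 200, rule


if __name__ == "__main__":
    # Constructed sample alert, in the assumed shape described above.
    hdr = {"Authorization": basic_auth_header("fe-alerts", "example-password")}
    print(handle_post(hdr, '{"alert_type": "malware-callback", "domain": "evil-cnc.example."}'))
```

Because the page states that NIOS accepts only Per Event delivery and JSON Normal format, the receiver rejects anything that is not one JSON object per request; the `SSL Enable` option on the FireEye side is what keeps the Basic credentials off the wire in clear text, so the transport check belongs in front of this handler.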

...

  1. Install the RPZ license. For more information, see License Requirements and Admin Permissions.
  2. Enable recursive queries for a DNS view, member, or Grid, as described in Enabling Recursion for RPZs.
  3. Enable RPZ logging in the Grid DNS Properties editor to view syslog entries for RPZ queries. For more information, see Setting DNS Logging Categories.
  4. Create a local RPZ. For more information, see Configuring Local RPZs.
  5. Define a Substitute (PTR Record) Rule for domain name 3.3.3.5.in-addr.arpa, which is substituted with the domain name ptr1.com. For more information, see Defining Substitute Rules for PTR Records.
  6. Run the dig command and view the output. The output contains the substituted domain name ptr1.com. Following is the output of an RPZ query for a Substitute (PTR Record) Rule:

...
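As an added example (not NIOS code), the following shows how the Substitute (PTR Record) rule from the local RPZ procedure above is carried as RPZ zone data and how a resolver applies it, and generalises to the other QNAME-trigger actions (NXDOMAIN, NODATA, PASSTHRU). The trigger `3.3.3.5.in-addr.arpa` and the answer `ptr1.com` come from the page; the zone name `rpz.local` and the additional `bad.example`, `tracker.example` and `allowed.bad.example` rules are constructed for illustration. Only QNAME triggers are modelled.

```python
"""Minimal RPZ QNAME-trigger evaluator (added example; not NIOS code)."""
from dataclasses import dataclass, field

# RPZ encodes policy actions as special CNAME targets; local data
# ("Substitute" in NIOS terms) is any ordinary RR under the trigger name.
ACTION_RDATA = {"NXDOMAIN": ".", "NODATA": "*.", "PASSTHRU": "rpz-passthru."}


def normalise(name):
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.strip().lower().rstrip(".")


@dataclass
class RpzRule:
    trigger: str          # QNAME trigger; a leading "*." makes it a wildcard
    action: str           # NXDOMAIN | NODATA | PASSTHRU | SUBSTITUTE
    rrtype: str = "CNAME"
    rdata: str = ""


@dataclass
class RpzZone:
    apex: str
    rules: list = field(default_factory=list)

    def add_substitute(self, trigger, rrtype, rdata):
        """Local-data rule: answer queries for <trigger>/<rrtype> with <rdata>."""
        self.rules.append(RpzRule(normalise(trigger), "SUBSTITUTE", rrtype.upper(), rdata))

    def add_policy(self, trigger, action):
        """NXDOMAIN / NODATA / PASSTHRU rule, encoded as the conventional CNAME."""
        self.rules.append(RpzRule(normalise(trigger), action, "CNAME", ACTION_RDATA[action]))

    def to_zone_records(self):
        """Render the rules as the zone-file lines an RPZ zone carries."""
        apex = normalise(self.apex)
        return [f"{r.trigger}.{apex}. IN {r.rrtype} {r.rdata}" for r in self.rules]

    def match(self, qname):
        """Exact trigger wins; otherwise the longest (closest) matching wildcard."""
        q = normalise(qname)
        best = None
        for r in self.rules:
            if r.trigger.startswith("*."):
                suffix = r.trigger[2:]
                if q != suffix and q.endswith("." + suffix):
                    if best is None or len(r.trigger) > len(best.trigger):
                        best = r
            elif r.trigger == q:
                return r
        return best

    def evaluate(self, qname, qtype):
        """Return (disposition, answer) for one query."""
        r = self.match(qname)
        if r is None:
            return ("NO_POLICY", None)
        if r.action == "SUBSTITUTE":
            # Local data answers only the record type it holds; a query for
            # another type at the same name gets an empty (NODATA) answer.
            return ("SUBSTITUTE", r.rdata) if r.rrtype == qtype.upper() else ("NODATA", None)
        return (r.action, None)


def build_example_zone():
    """Zone containing the page's PTR substitute rule plus constructed policy rules."""
    zone = RpzZone("rpz.local")
    zone.add_substitute("3.3.3.5.in-addr.arpa", "PTR", "ptr1.com.")   # from the page
    zone.add_policy("bad.example", "NXDOMAIN")                         # constructed
    zone.add_policy("*.bad.example", "NXDOMAIN")                       # constructed
    zone.add_policy("tracker.example", "NODATA")                       # constructed
    zone.add_policy("allowed.bad.example", "PASSTHRU")                 # constructed exception
    return zone


if __name__ == "__main__":
    zone = build_example_zone()
    print("\n".join(zone.to_zone_records()))
    # What `dig -x 5.3.3.3` asks for: PTR 3.3.3.5.in-addr.arpa
    print(zone.evaluate("3.3.3.5.in-addr.arpa", "PTR"))
```

The `allowed.bad.example` rule illustrates why exact triggers must be checked before wildcards: a PASSTHRU exception under a blocked parent only works if the exact match takes precedence, which is also the order a real RPZ implementation uses.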