
The following sections describe the security components and their usage.

Security Policies

A security policy is a set of rules and actions that you define to balance access and constraints, so you can mitigate malicious attacks and provide security for your networks. BloxOne Threat Defense provides a default global policy that gives you a head start in protecting your networks. You can review the default global policy and decide whether you want to add or remove some of the rules based on your business requirements.

In addition to the default global policy, you can add new security policies from scratch or clone an existing policy to complement the default policy. When you create a new security policy, you must first define a network scope to which you add external networks, user groups, DNS forwarding proxies, DDI IPAM, and Endpoint groups. BloxOne Threat Defense applies the security policy to all the network entities that you include in the network scope. After you define the network scope, you can add policy rules and specify actions and their precedence order. For information on setting up and configuring security policies, see Configuring Security Policies.

Active Threat Feeds

BloxOne Threat Defense provides threat feeds based on your subscription level. For information, see Viewing Active Threat Feeds and Threat Insight.

Custom Lists

You can create custom lists containing domains and IP addresses to define allow lists and block lists for additional protection. You can use a custom list to complement existing feeds or override the Block, Allow, Log, or Redirect action that is currently defined for an existing feed. You can also add a custom list to multiple security policies, or multiple custom lists to one security policy, based on your business needs. When you bring your own threat intelligence feeds, allow lists, and block lists into BloxOne Threat Defense Cloud, you can apply your own security policies to them. Each custom list can contain as many as 50,000 records, and BloxOne Threat Defense supports up to 500,000 records across all custom lists. For information on setting up and configuring custom lists, see Custom Lists.

Filters

BloxOne Threat Defense provides two types of filters you can use to control internet content for users: category and application filters. Category filters are content categorization rules that BloxOne Threat Defense uses to detect and filter specific internet content. Based on your configuration, specific actions such as Allow or Block will be taken on the detected content. Application filters are rules that BloxOne Threat Defense Cloud uses to allow or deny specific applications, such as email, video conferencing, and others. For information on setting up and configuring filters, see Using Filters.

Intelligence Threat Feeds

BloxOne Threat Defense provides threat feeds based on your subscription level. For information, see Licensing and Subscriptions.

Default and Custom Redirects

You can configure BloxOne Threat Defense to redirect traffic to display the default or a custom redirect page. If you want to redirect traffic to a custom destination, you must first add the redirect IP or domain to the Redirect page. For information on setting up and configuring redirects, see Defining the Redirect Page.

On-Prem DNS Firewall

Infoblox on-prem DNS firewall employs DNS RPZs (Response Policy Zones), a technology developed by the ISC (Internet Systems Consortium). DNS RPZs enable reputable sources to dynamically communicate domain name reputation, which helps you implement policy controls for DNS lookups. You configure on-prem DNS firewall so that your NIOS Grid can receive the threat feeds offered by BloxOne Threat Defense.

For information on how to configure on-prem DNS firewall for your NIOS networks, see Configuring On-Prem DNS Firewall.
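
The following script is an added example and is not Infoblox code, nor part of BloxOne Threat Defense or NIOS. It shows how the entries of a custom list (the domains and IP addresses described under Custom Lists, with their Block, Allow, Log, or Redirect action) map onto the standard RPZ record encodings that an RPZ-capable resolver such as BIND or NIOS evaluates: QNAME triggers for domains, rpz-ip triggers for answer addresses, `CNAME .` for NXDOMAIN, `CNAME rpz-passthru.` for exemptions, and local A/AAAA or CNAME data for the redirect IP or domain. The policy zone name `custom-list.rpz`, the function names, the treatment of Log as passthru plus resolver-side logging, and the IPv4-only rpz-ip encoding are assumptions of this example.

```python
"""Express a custom allow/block list as DNS RPZ records.

Added example, not Infoblox code. It maps the Block, Allow, Log and
Redirect actions onto the standard RPZ encodings that an RPZ-capable
resolver (BIND, NIOS) consumes: QNAME triggers, rpz-ip response
triggers, CNAME-to-root for NXDOMAIN, rpz-passthru for exemptions and
local A/AAAA/CNAME data for redirects.
Assumptions: the policy zone name, Log modelled as passthru plus
resolver-side logging, and IPv4-only rpz-ip triggers.
"""
import ipaddress

# Per-list limit stated in the documentation (500,000 across all lists).
MAX_RECORDS_PER_LIST = 50_000


def is_ip_entry(entry):
    """True for an IP address or CIDR prefix, False for a domain name."""
    try:
        ipaddress.ip_network(entry.strip(), strict=False)
        return True
    except ValueError:
        return False


def qname_trigger(domain, zone):
    """Owner name for a QNAME trigger: the domain prefixed to the policy zone."""
    return f"{domain.strip().rstrip('.').lower()}.{zone}."


def ip_trigger(cidr, zone):
    """Owner name for an rpz-ip trigger (matches on the answer's IP).

    RPZ writes an IPv4 prefix as <prefixlen>.<reversed octets>.rpz-ip,
    so 198.51.100.0/24 becomes 24.0.100.51.198.rpz-ip.<zone>.
    """
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    if net.version != 4:
        raise ValueError("IPv6 rpz-ip encoding is not handled in this example")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip.{zone}."


def action_rdata(action, redirect_target=None):
    """RDATA that expresses a custom-list action in RPZ terms."""
    if action == "Block":
        return "CNAME ."                 # client receives NXDOMAIN
    if action in ("Allow", "Log"):
        # rpz-passthru exempts the name from other RPZ rules; "Log" further
        # assumes the resolver records RPZ hits (BIND: log yes on the zone).
        return "CNAME rpz-passthru."
    if action == "Redirect":
        if not redirect_target:
            raise ValueError("add the redirect IP or domain before using Redirect")
        try:
            ip = ipaddress.ip_address(redirect_target)
        except ValueError:
            return f"CNAME {redirect_target.rstrip('.')}."   # redirect domain
        return f"{'A' if ip.version == 4 else 'AAAA'} {ip}"    # redirect IP (local data)
    raise ValueError(f"unknown action {action!r}")


def build_rpz_records(entries, action, zone="custom-list.rpz",
                      redirect_target=None, include_subdomains=True):
    """Return one 'owner RDATA' line per RPZ record for a custom list."""
    if len(entries) > MAX_RECORDS_PER_LIST:
        raise ValueError(f"custom list exceeds {MAX_RECORDS_PER_LIST} records")
    rdata = action_rdata(action, redirect_target)
    records = []
    for entry in entries:
        if is_ip_entry(entry):
            records.append(f"{ip_trigger(entry, zone)} {rdata}")
        else:
            owner = qname_trigger(entry, zone)
            records.append(f"{owner} {rdata}")
            if include_subdomains:          # wildcard catches hosts under the domain
                records.append(f"*.{owner} {rdata}")
    return records


if __name__ == "__main__":
    # Constructed sample lists; the names and prefixes are documentation ranges.
    for line in build_rpz_records(["evil.example", "198.51.100.0/24"], "Block"):
        print(line)
    for line in build_rpz_records(["phish.example"], "Redirect",
                                  redirect_target="203.0.113.10",
                                  include_subdomains=False):
        print(line)
```

When several policy zones are loaded into BIND, they are evaluated in the order listed in `response-policy` and the first match wins, which is where the rule precedence described under Security Policies is realised on a resolver: an allow-list zone that emits `rpz-passthru` records has to be listed before the block-list zones it is meant to override.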

Threat Insight

Threat Insight provides protection against data exfiltration that uses sophisticated DNS-tunneling techniques, and against DNSMessenger, DGA, and fast flux, by utilizing built-in statistics of the DNS infrastructure. These statistics can be used to detect and block data exfiltration using only DNS, with no additional endpoint software, security appliances, or network infrastructure. Threat Insight is always active in your subscription, but your organization can elect whether or not to use the threats it detects to block traffic.

Threat Insight uses patented technology that detects and automatically blocks data exfiltration via DNS without requiring endpoint agents or extra network infrastructure. It uses real-time streaming analytics of live DNS queries and machine learning to accurately detect the presence of potential data exfiltration activity within data queries.

Active Blocking of Data Exfiltration Attempts

By adding the destinations to a list for the RPZ-based mitigation, Threat Insight automatically blocks communications to destinations associated with attempts to exfiltrate data. Through the Infoblox Grid, which distributes updates to all Infoblox members with DNS Firewall and RPZ capability, Threat Insight scales enforcement to all parts of the network. Threat Insight provides visibility into infected devices and employees who try to steal data, and it provides identifying information, such as username (through Identity Mapping), device IP and MAC addresses, and device type. Reports generated by Threat Insight can be accessed through the Infoblox Reporting and Analytics server.

Unique Patented Technology

Threat Insight is a patented technology that uses machine learning and performs real-time streaming analytics on live DNS queries to detect data exfiltration. It examines host.subdomain and TXT records in DNS queries and uses entropy, lexical analysis, time series and other factors to determine the presence of suspicious data in queries.
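
The script below is an added example, not Infoblox's Threat Insight, whose analytics are proprietary and not reproduced here. It illustrates the classes of signal the two Threat Insight passages above name, applied to constructed resolver query-log lines: Shannon entropy of the host label, lexical features (label length, share of hex characters), and a per-zone time-series count of distinct suspicious subdomains. The thresholds, the two-label heuristic for the zone, the log format, and the function names are assumptions of this example.

```python
"""Heuristic detector for DNS-tunnelling style exfiltration in query logs.

Added example, not Infoblox's Threat Insight (whose analytics are
proprietary). It demonstrates the signal classes the page names:
Shannon entropy of the host label, lexical features (length, hex ratio)
and a per-zone time-series count of distinct suspicious subdomains.
Thresholds, the two-label zone heuristic and the log lines are constructed.
"""
import math
from collections import defaultdict

# Constructed resolver query-log sample: "<epoch> <client> <qtype> <qname>".
# The example.net lines carry hex-encoded payloads as the leftmost label.
SAMPLE_LOG = """\
1700000000 10.1.1.5 A www.example.com
1700000001 10.1.1.5 A mail.example.com
1700000002 10.1.1.9 TXT 4a6f686e20446f652c2053534e2031.tunnel.example.net
1700000003 10.1.1.9 TXT 32332d34352d363738392c2041636374.tunnel.example.net
1700000004 10.1.1.9 TXT 2033393939393939393939207a7a7a7a.tunnel.example.net
1700000005 10.1.1.9 TXT 5a5a5a5a3f3f3f3f2e2e2e2e21212121.tunnel.example.net
1700000006 10.1.1.5 A cdn.example.com
"""

HEX_DIGITS = set("0123456789abcdef")


def shannon_entropy(text):
    """Bits per character: 0.0 for 'aaaa', 2.0 for 'abcd', at most 4.0 for hex."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname, zone_labels=2):
    """Split 'a.b.example.net' into ('a.b', 'example.net').

    Assumption: the zone is the last two labels; a production detector
    would use the Public Suffix List or the resolver's delegation data.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def query_features(qname):
    """Lexical features of the longest subdomain label (the likely carrier)."""
    sub, zone = split_qname(qname)
    carrier = max(sub.split("."), key=len) if sub else ""
    hex_ratio = (sum(ch in HEX_DIGITS for ch in carrier) / len(carrier)
                 if carrier else 0.0)
    return {"zone": zone, "subdomain": sub, "length": len(carrier),
            "entropy": shannon_entropy(carrier), "hex_ratio": hex_ratio}


def is_suspicious(features, min_len=16, min_entropy=3.0, min_hex=0.9):
    """Long label that is either high-entropy or almost entirely hex."""
    return features["length"] >= min_len and (
        features["entropy"] >= min_entropy or features["hex_ratio"] >= min_hex)


def analyze(log_text, window=60, min_hits=3):
    """Per zone: suspicious-query count, distinct subdomains, and a flag when
    at least min_hits suspicious queries fall into one time window."""
    per_zone = defaultdict(lambda: {"hits": 0, "subs": set(),
                                    "buckets": defaultdict(int)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client, _qtype, qname = line.split()
        f = query_features(qname)
        z = per_zone[f["zone"]]
        if is_suspicious(f):
            z["hits"] += 1
            z["subs"].add(f["subdomain"])
            z["buckets"][int(ts) // window] += 1
    return {zone: {"suspicious": z["hits"],
                   "distinct_subdomains": len(z["subs"]),
                   "flagged": any(n >= min_hits for n in z["buckets"].values())}
            for zone, z in per_zone.items()}


if __name__ == "__main__":
    for zone, summary in analyze(SAMPLE_LOG).items():
        print(zone, summary)
```

The per-zone aggregation is the part that matters operationally: a single long hex label is also what a legitimate CDN or anti-virus lookup can look like, so a resolver-side detector only raises a verdict when many distinct suspicious subdomains under one zone arrive within a short window, which is the time-series factor the passage above mentions alongside entropy and lexical analysis.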

Automated Security Response with Integrations

When an endpoint attempts to exfiltrate data, Infoblox provides indicators of compromise to endpoint remediation solutions such as Carbon Black. Using this intelligence, Carbon Black automatically bans the malicious processes from future execution and quarantines the infected endpoint. These actions accelerate security responses. Infoblox also exchanges security event information with Cisco Identity Services Engine (ISE) and provides robust RESTful APIs, which can enrich an enterprise's SIEM with additional contextual data.

  • Other Products Needed with Threat Insight: To ensure not just detection of data exfiltration, but also enforcement of protection, Threat Insight must be deployed with BloxOne Threat Defense. Threat Insight will create an RPZ entry in all Infoblox appliances running security.

  • Hardware or Software Delivery Options: Threat Insight can run on physical or virtual Infoblox appliances, and it works on the following models of Infoblox appliances: PT-1405, TE-1415/V1415, TE-1425/V1425, TE-2210/v2210, 2215/v2215, TE-2220/v2220, 2225/v2225, PT-2200, PT-2205, IB-4010/v4010, V4015, TE-V4010/V4015, PT4000, IB-4030-DCAGRID-AC/DC, IB-4030-DCAGRID-T1-AC/DC, IB4030-DCAGRID-T2-AC/DC and IB-4030-DCAGRID-T3-AC/DC.

For additional information on Infoblox Threat Insight, see About Infoblox Threat Insight.