NIOS RPZ feed recommendations to use after the feed revamp release in December 2024.

...

To download the video, click NIOS_RPZ_Feed_Migration.mp4.

...

We are also upgrading our security feed structure to simplify the policy action on those feeds and to enable the right security posture. Beyond high-quality feeds, it is equally important to have the right policy action in place for those detections, so that users are blocked from the threat and protected. With the new structure, feed names reflect the severity of the indicators each feed carries, based on the threat and confidence score of the indicator, so it is easy and intuitive to apply the right action to each feed. General Availability: End of April, 2024. Previously, when a malicious domain's TTL expired, the domain was added to the corresponding Extended feed, extending its lifetime. We have updated that logic to verify the validity of the domain on expiry.

This guide aims to facilitate the transition from the BloxOne Threat Defense feeds that are approaching end of service and will soon be deprecated to their updated versions, which are being integrated into NIOS Response Policy Zones (RPZ). Infoblox recommends that NIOS users currently relying on the soon-to-be-deprecated feeds switch to the new feeds as they become available in April 2024 to ensure continued comprehensive threat protection.

Best Practices

Infoblox recommends the following as best practices for customers currently using the feeds to be deprecated.

  • Remove all to-be-deprecated feeds from NIOS RPZ prior to their EOS date in December 2024, and replace them with the recommendations provided by Infoblox. When the to-be-deprecated feeds reach EOS, NIOS will no longer be able to sync them from the Cloud Services Portal, leading to an error state.

  • When replacing feeds with the recommendations below, consider the policy settings (e.g., logging vs. blocking) of the currently used feeds and replicate them for the replacements.

RPZ Feeds Scheduled for Deprecation in December 2024

The following feeds are approaching end of service and are being deprecated. In their place, Infoblox offers a set of new RPZ feeds designed to replace the deprecated feeds. 

...

We also don't see much value in having a separate feed for spam IPs. IPs can be reassigned and result in false positives. Confirmed IPs that are part of malicious infrastructure are already included in the Critical IP feeds that we monitor and update. This spambot IP feed has had 0 indicators for a while now, so we can effectively deprecate it:

  • Spambot IPs DNSBL

New NIOS RPZ Feeds Availability (April 2024)

The following NIOS RPZ feeds are available based on your subscription level. 

Feed Availability

  Feed Name              | Essentials | Business On-Prem | Advanced
  -----------------------+------------+------------------+----------
  Infoblox Base          | Available  | Available        | Available
  Infoblox Base IP       | NA         | Available        | Available
  Infoblox High Risk     | NA         | NA               | Available
  Infoblox Medium Risk   | NA         | NA               | Available
  Infoblox Low Risk      | NA         | NA               | Available
  Infoblox Informational | NA         | Available        | Available

For information on adding the new feeds and the sizing requirements for your appliance, see Sizing Guidelines for Trinzic Appliances.

Feed Name, RPZ Feed Name and Description

  • Infoblox Base (infoblox-base.rpz.infoblox.local): The Infoblox Base feed enables protection against known malicious or compromised domains. This includes known malware, ransomware, APTs, exploit kits, malicious name servers, sinkholes, etc. We recommend blocking them for all users.

  • Infoblox Base IP (infoblox-base-ip.rpz.infoblox.local): The Infoblox Base IP feed enables protection against known malicious or compromised IP addresses. These IPs are known infrastructure used to host threats that can act on or control a system, such as C&C, malware downloads and active phishing sites. We recommend blocking them for all users.

  • Infoblox High Risk (infoblox-high-risk.rpz.infoblox.local): The Infoblox High Risk feed includes domains that are not yet confirmed but are highly suspicious and very likely to be used in a malicious act at some point. Although unconfirmed, these domains carry high threat and high confidence scores, so we recommend blocking them for most users. It includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a high combined score of threat and confidence levels.

  • Infoblox Medium Risk (infoblox-medium-risk.rpz.infoblox.local): The Infoblox Medium Risk feed includes domains that are not yet confirmed but still pose medium risk. They are suspicious domains with a lower combined score of threat and confidence level than the High Risk feed but higher than the Low Risk feed. They could still be used in a malicious act, so we recommend blocking them for most users. It includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a medium combined score of threat and confidence levels.

  • Infoblox Low Risk (infoblox-low-risk.rpz.infoblox.local): The Infoblox Low Risk feed includes domains that are not yet confirmed but are still suspicious and could possibly be used in a malicious act. These domains carry a lower combined score of threat and confidence levels. We recommend monitoring with the Allow-WithLog option for most users and using block mode in sensitive environments. It includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a lower combined score of threat and confidence levels.

  • Infoblox Informational (infoblox-informational.rpz.infoblox.local): The Infoblox Informational feed includes domains with low threat and confidence levels. These are for informational use, per the policy and sensitivity of the environment. This feed carries Newly Observed Emergent Domains (NOED). We recommend monitoring with the Allow-WithLog option for most users and using block mode in sensitive environments (new domains are, for the most part, not mission critical, and it is best to allow them once they have been established for a longer time).

Recommended Replacement Feed Mapping for NIOS (based on subscription level)

The following are the recommended NIOS feed replacements based on subscription level. For BloxOne Threat Defense Advanced, special attention must be placed on your appliance capacity when selecting replacement feeds. 

BloxOne Threat Defense Essentials

BloxOne Threat Defense Essentials RPZ Feed Mapping (old to new feeds)

  Old Feeds => New Feed

  • Base Hostnames, AntiMalware, Ransomware, Malware DGA hostnames => Infoblox Base

BloxOne Business On-Prem 

BloxOne Business On-Prem and Business Cloud subscriptions contain all feeds included with the BloxOne Essentials subscription plus the following RPZ feeds:

BloxOne Threat Defense Business On-Prem and Business Cloud RPZ Feed Mapping (old to new feeds)

  Old Feeds => New Feeds

  • Infoblox Antimalware IP => Infoblox Base IP

  • Newly Observed Emergent Domains (NOED) => Infoblox Informational

BloxOne Business On-Prem contains all feeds included with BloxOne Essentials subscription in addition to the feeds listed above. 

BloxOne Threat Defense Advanced

Warning

For NIOS customers possessing a BloxOne Threat Defense Advanced subscription, attention must be placed on your appliance capacity when selecting your RPZ feeds.

The BloxOne Threat Defense Advanced subscription contains all feeds included with BloxOne Essentials and BloxOne Business tier subscriptions plus the following RPZ feeds: 

BloxOne Threat Defense Advanced RPZ Feed Mapping (old to new feeds)

  Old Feeds => New Feeds

  • Suspicious, Suspicious Lookalikes, Suspicious NOED => Infoblox High Risk, Infoblox Medium Risk, Infoblox Low Risk

The BloxOne Threat Defense Advanced subscription contains all feeds included with BloxOne Essentials and BloxOne Business tier subscriptions in addition to the feeds listed above. Do note that for NIOS subscribers of a BloxOne Threat Defense Advanced subscription, attention must be placed on your appliance capacity when selecting your RPZ feeds.
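As an added example (not Infoblox code or part of this guide), the following Python turns the best-practice advice above, replicate each deprecated feed's policy action onto its replacement, together with the mapping tables into a migration plan per subscription level. The old-to-new mapping and the tiers are taken from this guide; the current feed inventory passed in is constructed sample input, and the action labels "Block" and "Allow-WithLog" are assumed names, not NIOS API values.

```python
# Added example, not Infoblox code: build a NIOS RPZ feed migration plan that
# carries each deprecated feed's policy action over to its replacement feed(s).
RISK = ["Infoblox High Risk", "Infoblox Medium Risk", "Infoblox Low Risk"]
# Old feed -> replacement feed(s), per this guide's mapping tables.
REPLACEMENTS = {
    "Base Hostnames": ["Infoblox Base"],
    "AntiMalware": ["Infoblox Base"],
    "Ransomware": ["Infoblox Base"],
    "Malware DGA hostnames": ["Infoblox Base"],
    "Infoblox Antimalware IP": ["Infoblox Base IP"],
    "Newly Observed Emergent Domains (NOED)": ["Infoblox Informational"],
    "Suspicious": RISK,
    "Suspicious Lookalikes": RISK,
    "Suspicious NOED": RISK,
    "Spambot IPs DNSBL": [],  # deprecated with no replacement
}

# New feeds offered per subscription level, per the feed availability table.
TIER_FEEDS = {
    "Essentials": {"Infoblox Base"},
    "Business On-Prem": {"Infoblox Base", "Infoblox Base IP", "Infoblox Informational"},
}
TIER_FEEDS["Advanced"] = TIER_FEEDS["Business On-Prem"] | set(RISK)

# Policy actions from least to most restrictive (assumed labels, not NIOS API values).
STRICTNESS = {"Allow-WithLog": 0, "Block": 1}

def plan_migration(current_feeds, tier):
    """current_feeds: {old feed name: configured action}. Returns (plan, warnings);
    plan maps each replacement feed to the action to configure. When old feeds with
    different actions collapse into one new feed, the stricter action wins (warned)."""
    if tier not in TIER_FEEDS:
        raise ValueError(f"unknown subscription tier: {tier}")
    plan, warnings = {}, []
    for old, action in current_feeds.items():
        if old not in REPLACEMENTS:
            warnings.append(f"{old}: not a deprecated feed, left unchanged")
            continue
        if not REPLACEMENTS[old]:
            warnings.append(f"{old}: deprecated with no replacement, remove only")
        for new in REPLACEMENTS[old]:
            if new not in TIER_FEEDS[tier]:
                warnings.append(f"{old}: replacement {new} is not offered in {tier}")
                continue
            prev = plan.get(new, action)
            if prev != action:
                warnings.append(f"{new}: actions differ ({prev} vs {action}), keeping stricter")
            plan[new] = max(prev, action, key=STRICTNESS.__getitem__)
    return plan, warnings
```

Review the warnings before configuring anything: a feed that collapses to a stricter action than one of its sources had, or a replacement your tier does not offer, is exactly the case to decide on deliberately rather than let the tool pick.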

Removal of NIOS RPZ Feeds to be Deprecated in December 2024


Note: The old feeds are being deprecated in December 2024; however, the new feeds that are intended to be their replacements are being released in April 2024.  

...

  1. In NIOS Grid Manager, navigate to Data Management > DNS > Response Policy Zones.

  2. Identify the current NIOS feeds for removal. These can be identified by their Names: infoblox-base.rpz.infoblox.local, infoblox-base-ip.rpz.infoblox.local, infoblox-high-risk.rpz.infoblox.local, infoblox-medium-risk.rpz.infoblox.local, infoblox-low-risk.rpz.infoblox.local, and infoblox-informational.rpz.infoblox.local.
    Note: The availability of the new RPZ feeds is dependent on subscription level.

    The old NIOS RPZ feeds to be removed prior to replacing with the new feeds.

    Note: If you have a large number of RPZs, use the search function to locate the feeds to be removed.

    Searching for specific RPZs to be removed.

  3. Select the checkbox associated with one of the feeds to be removed.

  4. Click the trash can icon or the Delete button in the toolbar. 

    Removing the old RPZ feeds from NIOS.

  5. Click Yes in the Delete Confirmation dialogue. 

    Confirming the removal of the selected feeds. The removed feeds will be moved to the Recycle Bin.

  6. If you are removing multiple feeds, repeat steps 3-5 for each.

  7. Deletion of RPZs requires a service restart. Click Restart located in the top, yellow banner to perform a system restart.


  8. In the Restart Grid Services dialog, adjust Restart Method if desired and click Restart.

    Selecting a restart method from among the restart options.

Adding the New NIOS RPZ Feeds to be Released on April 2024  

Feed and Distribution Server Configuration Values

To get the configuration information for the new, replacement NIOS RPZ feeds, you need to find out the feed names and the configuration details for the distribution server.

  1. In the Cloud Services Portal, navigate to Policies > On-Prem DNS Firewall.

    Navigating to On-Prem DNS Firewall within the Cloud Services Portal.

  2. Click on Feed Configuration Values.


  3. In the Threat Feed Details list, locate the first feed you will configure. Refer to the table in the Replacement Feed Mapping section for recommended feeds.

  4. Click the Copy button for the desired. Note: Paste this and other configuration data copied in this section into a text file for easy retrieval when configuring the feeds in NIOS.

    The Threat Feed Details list from the Cloud Services Portal.

  5. Repeat steps 3 and 4 for each. Refer to the table in the Replacement Feed Mapping section for recommended feeds.

  6. Click Close.

  7. Click on Distribution Server Configuration Values.

    Click Distribution Server Configuration Values.

  8. Scroll down to locate the Distribution Server you will use and click the Copy button for the IPv4 or IPv6. Note: Paste this and other configuration data copied in this section into a text file for easy retrieval when configuring the feeds in NIOS.

  9. Scroll down to the TSIG.

  10. Note the Key Algorithm that is configured.

  11. Copy the Key. Note: Paste this and other configuration data copied in this section into a text file for easy retrieval when configuring the feeds in NIOS.

  12. Copy the TSIG. Note: Paste this and other configuration data copied in this section into a text file for easy retrieval when configuring the feeds in NIOS.

  13. Click Cancel to exit the Distribution Server. 

    The Distribution Server and TSIG details panel configuration.

Adding RPZ Feeds in NIOS 

To add the new, replacement RPZ feeds in NIOS, perform the following.

...