Versions Compared

Old Version 3

changes.mady.by.user Shwetha S

Saved on

compared with

New Version Current

changes.mady.by.user Shwetha S

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Infoblox Threat Insight identifies data exfiltration tunnels that bypass typical firewall systems. Some popular tunneling tools are OyzmanDNS, SplitBrain, Iodine, DNS2TCP, TCP-Over-DNS, and others. These types of DNS threats are identified as having high activities by using the TXT records in DNS queries. Infoblox Threat Insight also identifies tunnels that are used for C&C. These threats typically do not exhibit high activities or payloads. In general, NXDOMAIN responses fall into this category of threats.

You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the threat insight Threat Insight service. To download updates for threat insight Threat Insight module and allowlist sets, you must have at least one Threat Insight license installed in the Grid. When you enable the threat insight Threat Insight service, NIOS starts analyzing incoming DNS data and applying these algorithms to detect security threats that have the same or similar behavior as the known data. Once security threats are detected, NIOS blocklists the domains and transfers them to the designated mitigation RPZ (Response Policy Zone), and traffic from the offending domains is blocked and no DNS lookups are allowed for these domains from NIOS members on which RPZ are assigned to them. The appliance also sends an SNMP trap each time it detects a new blocklisted domain.

...

You can also add custom allowlisted domains or move blocklisted domains to the allowlist. For more information about how to configure Infoblox Threat Insight, see Configuring Infoblox Threat Insight below. Before you utilize Infoblox Threat Insight, there are a few guidelines you might need to consider. For more information about Guidelines for Using Infoblox Threat Insight, see below.

Infoblox Threat Insight came installed with a module set and a allowlist set. To receive subsequent module set and allowlist set updates, you can configure the appliance to automatically download and apply the updates for you, or you can manually upload the updates when the appliance displays a banner message notifying about available updates. For information about how to configure the update policy, see Defining the Threat Insight Update Policy below.

See Prerequisites to Integrate Cisco ISE with NIOS.

Licensing Requirements and Admin Permissions

...

Infoblox Threat Insight

To start the threat insight Threat Insight service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the threat insight Threat Insight service. To download updates for threat insight Threat Insight module and allowlist sets, you must have at least one Threat Insight license installed in the Grid.

Note that running the threat insight Threat Insight service might affect your system performance if the appliance has a small capacity and is taking on heavy traffic. Evaluate your Grid and Grid members to ensure that you select an appliance that is appropriate for running the threat insight Threat Insight service. For more information about  supported appliances, see Supported see Supported Appliances for Infoblox Threat Insight belowInsight below.

Admin Permissions

Superusers can configure all threat protection and insight related tasks. You can assign SecurityPermissions to specific admin groups and roles so these users can configure security related tasks. You can also add a global permission for managing Grid security properties or add an object permission for managing member security properties.

To manage the insight related tasks, you must assign appropriate read-only or read/write Threat InsightPermissions to the specified admin groups and roles. You can also add the GlobalThreat InsightPermission as a global permission or add MemberThreat InsightPermission to specific Grid members as an object permission. For more information about how to assign admin permissions, see Managing Permissions.

Anchor

...

GUITI

...

GUITI
Guidelines for Using Infoblox Threat Insight

Following are some guidelines to take into consideration when using Infoblox Threat Insight:

  • To start the threat insight Threat Insight service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the threat insight Threat Insight service. To download updates for threat insight Threat Insight module and allowlist sets, you must have at least one threat insightThreat Insight license installed in the Grid.

  • Infoblox recommends that you run the threat insight Threat Insight service for a limited time to monitor and preview what has been detected before actually blocking blocklisted domains. You can carefully review the list of detected domains and decide which domains you want to continue blocking and which domains you want to add to the insight allowlist. You should review the blocklisted domains on a regular basis to make sure that no legitimate use of DNS tunneling is blocked. Note that you can update the insight allowlist by adding new allowlisted domains, moving legitimate domains from the blocklisted domain list, or using CVS import and export. For more information about Configuring a Local RPZ as the Mitigation Blocklist Feed, see below.

  • Insight allowlist domains and supported DNS tunneling tools are updated periodically and are bundled with future NIOS releases. To ensure that your appliance is using the most up-to-date allowlist, upgrade to the next NIOS release or configure the appliance to download threat insight Threat Insight updates. For information about upgrades, see Upgrading NIOS Software. Note that this process may change in future NIOS releases.

  • There are no configurable parameters for Infoblox Threat Insight. Infoblox uses the build-in algorithms to analyze DNS statistics and blocks offending domains based on the analyzed data.

  • DNS tunneling detection is not instantaneous. It may take a few seconds to a few minutes for the insight to determine positive DNS tunneling activities.

  • During an HA failover, insight data that is in progress on the active node might be lost. Only new DNS queries on the new active node after a successful failover are being analyzed. It may take a few minutes for the insight to reach its normal state. If there is no connection between the Grid Master and Grid member, blocklisted domains detected by the insight cannot be transferred to the Grid Master as RPZ records for a pre-configured RPZ zone — this is not applicable to standalone appliances with RPZ license installed. In addition, ensure that the passive node must also have the RPZ license installed and that its hardware model is capable of running the threat insight Threat Insight service. For information about supported appliance models, see Supported Appliances for Infoblox Threat Insight below.

  • The threat insight Threat Insight service only works on recursive DNS servers and forwarding servers that use BIND as the DNS resolver. It does not support Unbound as the DNS resolver.

  • The insight allowlist only applies to Infoblox Threat Insight; it does not apply to signature-based tunneling detection. Anti-DNS tunneling threat protection rules are implemented to address signature-based tunneling analysis. For detailed information about threat protection rules, refer to the Infoblox Threat Protection Rules available on the Support web site.

  • Infoblox Threat Insight does not support RESTful APIs.

Anchor
SAITI
SAITI
Supported Appliances for Infoblox Threat Insight

Due to memory and capacity required to perform insight, ensure that you install the Threat Insight and RPZ licenses, and enable the threat insight Threat Insight service on an appliance that has a big enough capacity. Following are the supported Infoblox appliance models on which you can run the threat insight Threat Insight service:

  • PT-1405, and PT-2205.

  • IB-4015.

  • TE-1415, TE-1425, TE-2215, and TE-2225

  • TE-V1415, TE-V1425, TE-V2215, TE-V2225, TE-V4010, and TE-V4015.

  • TE-2326, TE-20152215, TE-2225, TE-4126, TE-4015 and TE-4025.

Note

Note

Using unsupported appliance models for Infoblox Threat Insight might cause performance issues.

Anchor
CITI
CITI
Configuring Infoblox Threat Insight

You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the threat insight Threat Insight service. You must also create a new RPZ and use it as the designated mitigation blocklist feed so the appliance can transfer all blocklisted domains to this feed.

...

  1. Obtain and install valid RPZ and Threat Insight licenses on the appliance that is used to support insight. Note that you must have the threat insight Threat Insight service running on the member serving recursive DNS queries or have recursive DNS queries forwarded to another DNS server. To generate reports that contain statistics about DNS tunneling, you must also configure a reporting appliance in the Grid.

  2. Create and add a new local RPZ and use it as the designated mitigation blocklist feed so the appliance can transfer all blocklisted domains to this feed. Ensure that you configure an appropriate policy for this RPZ. To monitor the threat insight Threat Insight service before actually blocking domains, set PolicyOverride to LogOnly(Disabled). When you are ready to block offending domains, set PolicyOverride to None(Given).

  3. Configure admin permissions so admin users can manage the threat insight Threat Insight service and insight related tasks. For information about how to configure admin permission, see About Administrative Permissions.

  4. Start the threat insight Threat Insight service on the appliance that has the Threat Insight license installed, as described in Starting and Stopping the Threat Insight Service.

...

  • View supported allowlisted domains for insight, as described in Viewing the Insight Allowlist below. Note that these domains are specific to insight only. They are not used in the anti-DNS tunneling threat protection rules.

  • Manually add a custom domain to the insight allowlist, as described in Adding Custom Allowlisted Domains below.

  • Review the blocklisted domains and make decisions about whether to move them to the insiight allowlist so future DNS activities will not be blocked. For more information, see Viewing Blocklisted Domains below.

  • Move a blocklisted domain to the insight allowlist, as described in Moving Blocklisted Domains to the Allowlist.

  • Monitor DNS tunneling activities and events using pre-defined reports and the syslog, as described in Monitoring DNS Tunneling Activities below.

Anchor
SSTIS
SSTIS
Starting and Stopping the Threat Insight Service

To start the threat insight Threat Insight service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the threat insight Threat Insight service. You can also stop the service when necessary.

To start or stop the threat insight Threat Insight service:

  1. From the Grid tab, select the GridManager tab -> Services tab, click the Threat Insight service link. Grid Manager displays only the member or members with the RPZ license installed. Select the member checkbox.

  2. From the Toolbar, click Start to start the service or Stop to stop the service.

When you stop the threat insight Threat Insight service, the appliance does not detect or protect against non-signature-based DNS tunneling. In addition, reports that you generate might not include statistics related to DNS tunneling.

Note

Note

After you enable the threat insight Threat Insight service, you must restart DNS service for the insight to start working.

...

Configuring a Local RPZ as the Mitigation Blocklist Feed

For the threat insight Threat Insight service to function properly and for NIOS to properly report detected backlisted domains, you must create and designate local RPZs as the mitigation for the Grid. You can add any Response Policy Zones to the list of RPZs from different Network and DNS Views. When a domain is detected as malicious, NIOS will update all RPZs in the list. If you assign an existing RPZ that is used for other purposes as the mitigation blocklist feed, you may experience the following:

  • Existing RPZ hits are reported as hits detected by the insight after an upgrade.

  • If you manually add rules to the RPZ, all RPZ hits are reported as hits detected by the insight, regardless of whether they match the manually created rules or are detected through the threat insight Threat Insight service.

Infoblox recommends that you run the threat insight Threat Insight service for a limited time to monitor and preview what has been detected before actually blocking domains. To do so, set PolicyOverride to LogOnly(Disabled) when you create the RPZ so you can monitor blocklisted domains without actually blocking them.

...

  1. Create a local RPZ by completing the procedure described in Configuring Local RPZs.

    Note to monitor the threat insight Threat Insight service without blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block blocklisted domains, set Policy Override to None (Given).

  2. From the DataManagement tab, select the Threat Insight tab -> Allowlist tab, click the GridThreat InsightProperties from the Toolbar.

  3. In the GridThreat InsightProperties editor, click the DNS Threat Insight tab, and complete the following:

    • Click the Add icon to open the Zone Selector dialog box and select the RPZs. You must configure at least one local RPZ. To remove an RPZ, select it from the table and click Delete.

    • Save the configuration.

...

Note

Note

Whenever a new RPZ is added and NIOS requests Threat Insight results, Grid Manager displays a Warning dialog box to confirm that you wish to request all detected domains by Threat Insight in Infoblox Threat Defense Cloud. If you click No in the Warning dialog box, you can use the set cloud_services_portal_force_refresh CLI command in maintenance mode and set the flag to request all domains detected in Infoblox Threat Defense Cloud.

Anchor
VBD
VBD
Viewing Blocklisted Domains

To review the list of blocklisted domains, complete the following:

...

Infoblox periodically releases threat insight Threat Insight module and allowlist sets. To ensure that you can import threat insight Threat Insight updates, you must have at least one Threat Insight license installed in the Grid. The threat insight Threat Insight module set consists of the insight application .jar file, which delivers changes and updates for DNS tunneling detection; and the allowlist set consists of updated trusted domains that carry legitimate DNS tunneling traffic. You can download updates for the module set and allowlist set independently depending on how often Infoblox rolls them out. The appliance displays the version numbers of the module set and allowlist set that your Grid is currently using. To view this information before downloading updates, see Viewing Module and Allowlist Versions below.

...

Note

Note

Only the Grid Master receives module set and allowlist set updates. Grid member receives these updates through standard Grid replication from the Grid Master. Module and allowlist data is only replicated to Grid members that have the threat insight Threat Insight service enabled (an RPZ license is required to start this service on the members). The appliance uses the port 443 (HTTPS) for downloading the module set and allowlist data updates.

...

  1. On the Data Management tab ->Threat Insight tab -> Allowlist tab, expand the Toolbar, and then click Grid Threat Insight Properties.

  2. In the Grid Threat Insight Properties editor, click the Updates tab. This tab displays the following information:

    • Active Allowlist Version: Displays the version number of the threat insight Threat Insight allowlist set that is currently running on the Grid.

    • Active Module Set Version: Displays the version number of the threat insight Threat Insight module set that is currently active on the Grid.

...

  1. On the DataManagement tab -> Threat Insight tab -> Allowlist tab, expand the Toolbar, and then click GridThreat InsightProperties.

  2. In the GridThreat InsightProperties editor, click the Updates tab,

  3. In the Allowlist Updates section, complete the following:

    • Latest Available Allowlist: Displays the latest allowlist that is available for download.

    • Last Checked For Updates: Displays the timestamp when the Grid last checked for updates.

    • Allowlist Update Policy: When you select Automatic, the appliance automatically downloads the latest allowlist updates based on the default or custom schedule. The appliance checks allowlist files and automatically downloads only the files that have changed. When you select an automatic policy, latest updates are activated automatically. If you select Manual as the update policy, the appliance displays a banner message in Grid Manager to notify you when new updates are available. You must then decide whether to apply the updates to the Grid or not. For information about how to manually apply the updates, see Manually Uploading Threat Insight Updates below.

    • Enable Automatic Allowlist Updates: Select this checkbox to enable the automatic upload feature. When necessary, you can click Download Allowlist Now to override the automatic update policy.
      In the Schedule section, set up a recurring schedule for automatic updates as described in step 5.

  4. In the Module Set Updates section, complete the following:

    • LatestAvailableModuleSet: Displays the latest module set that is available for download.

    • LastCheckedForUpdates: Displays the timestamp when the Grid last checked for updates.

    • ModuleSetUpdatePolicy: When you select Automatic, the appliance automatically downloads the latest module set and/or allowlist set based on the default or custom schedule. The appliance checks both the module and allowlist files and automatically downloads only the files that have changed. When you select an automatic policy, the threat insight Threat Insight service on the Grid members is restarted automatically to activate the latest updates. If you select Manual as the update policy, the appliance displays a banner message in Grid Manager to notify you when new updates are available. You must then decide whether to apply the updates to the Grid or not. For information about how to manually apply the updates, see Manually Uploading Threat Insight Updates below.

    • EnableAutomaticModuleSetUpdates: Select this checkbox to enable the automatic upload feature. When necessary, you can click DownloadModuleSetNow to override the automatic update policy.
      set up a recurring schedule for automatic updates as described in step 5.

  5. In the Schedule section, select one of the following to set up a recurring schedule for automatic downloads:

    • Default: When you select this, the appliance downloads the updates between 12:00 a.m. and 6:00 a.m. local time based on the time zone configured on your appliance. The appliance automatically selects a time between this time window the first time it performs an automatic update. All subsequent updates then follow the same schedule based on the selected time.

    • Custom: Select this and click the calendar icon to configure a custom schedule. Based on the policy you are configuring, in the Automatic Allowlist Updates Scheduler or Automatic Module Set Updates Scheduler, you can select Hourly, Daily, Weekly, or Monthly based on how often you want to update the module set and allowlist set.

      Note that the scheduled time does not indicate the exact time for the download. Downloads occur during the mid-point during of a 30-minute time frame. Therefore, the actual download can happen 15 minutes before or after the scheduled time.

      • When you select Hourly, complete the following:

        • Schedule every hour(s) at: Enter the number of hours between each update instance. You can enter a value from 1 to 24.

        • Minutes past the hour: Enter the number of minutes past the hour. For example, enter 5 if you want to schedule the rule update five minutes after the hour.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

      • When you select Daily, you can select either Everyday or EveryWeekday, and then complete the following:

        • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

      • When you select Weekly, complete the following:

        • Schedule every week on: Select any day of the week.

        • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

      • When you select Monthly, complete the following:

        • Schedule the day of the month: Enter the day of the month and the monthly interval. For example, to schedule the rule update on the first day after every 2 months, you can enter Day 1 every 2 month(s).

        • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

  6. Save the configuration.

...

When you configure a manual update policy, the appliance notifies you about newly available module set and/or allowlist set updates. You can manually upload the updated files and apply them to the Grid.

To manually upload threat insight Threat Insight updates:

  1. From the DataManagement tab, select the Threat Insight tab -> Allowlist tab, click Updates -> ManualUpdate from the Toolbar.

  2. The Threat InsightUpload dialog displays the following:

    • CurrentAllowlistVersion: Displays the version of the allowlist set that is currently running on the Grid.

    • LastAppliedOn: Displays the timestamp and time zone when the last allowlist set was applied to the Grid. This field changes each time when a allowlist set is applied.

    • LatestAvailableModuleSet: Displays the version string of the latest available module set. This field changes each time when the module set is updated.

    • LastAppliedOn: Displays the timestamp and time zone when the last module set was applied to the Grid. This field changes each time when a module is applied.

      To upload the module set or allowlist set:

    • File: Click Select to navigate to the file location, and then upload the file. The appliance displays the file name in this field. You can upload either a module set or a allowlist set. Check the current version numbers of the allowlist and module sets to verify if they have changed before uploading new files.

...