Infoblox BloxOne Threat Defense is a SaaS offering designed to provide protection to devices on and off-premises, including roaming, remote, and branch offices. It provides visibility into infected and compromised devices, prevents DNS-based data exfiltration, and automatically stops device communications with command-and-control servers (C&Cs) and botnets, in addition to providing recursive DNS services in the cloud. You can deploy BloxOne Threat Defense using external networks, BloxOne Endpoint, or DNS forwarding proxy as the source.
This section explains the main components required to configure, deploy, and manage your network using BloxOne Threat Defense.
Infoblox Hosts
With the exception of BloxOne Endpoint, running BloxOne software usually, but not always requires deploying a host, which is available in virtual and pre-configured hardware options. You can download an installer package for VMware or for a Docker container. Virtual deployment allows you to run BloxOne on your equipment cost-effectively and with the greatest flexibility. When deploying DFP, keep in mind that or sites that require a dedicated BloxOne hardware solution or that do not have hardware already present, Infoblox has tested and certified several common server configurations.
Typically, the majority of organizations keep the default values when configuring host. However, if you are running a hybrid cloud environment, then you can deploy DNS forwarding proxy as a service on a host and connect it to BloxOne Threat Defense Cloud, so you can take advantage of the security features that BloxOne Threat Defense Cloud offers. You can deploy DNS forwarding proxies as a VM image or a docker container. Deployment of DNS forwarding proxy using HTTP Proxy to forward DNS queries to BloxOne Cloud is supported for management. DFP is also available on NIOS.
Infoblox provides the Docker Container and OVA deployment packages, so you can deploy hosts in a virtual infrastructure of your choice. Note that you can run multiple services on an host, including DNS forwarding proxies. Virtual hosts are automatically created when you use a join token to connect them to BloxOne Threat Defense Cloud.
For more information, see Deploying Hosts.
Configuring Service Instances
After you have deployed a host, you configure the BloxOne Threat Defense service instance and associate it with your host.
For more information, see Configuring Services.
Threat Insight
Threat Insight provides protection against data exfiltration that uses sophisticated DNS-tunneling techniques and against DNSMessenger, DGA, and fast flux by utilizuing built-in statistics of the DNS infrastructure, where these statistics can be used to detect and block data exfiltration by using only DNS and no additional endpoint software, security appliances, or network infrastructure.. Threat Insight is always active in your subscription but your organization can elect to use or not to use the threats it detects to block traffic.
Threat Insight uses patented technology that detects and automatically blocks data exfiltration via DNS without requiring endpoint agents or extra network infrastructure. It uses real-time streaming analytics of live DNS queries and machine learning to accurately detect the presence of potential data exfiltration activity within data queries.
Active Blocking of Data Exfiltration Attempts
By adding the destinations to a list for the RPZ-based mitigation, Threat Insight automatically blocks communications to destinations associated with attempts to exfiltrate data. Through the Infoblox Grid, which distributes updates to all Infoblox members with DNS Firewall and RPZ capability, Threat Insight scales enforcement to all parts of the network. Threat Insight provides visibility into infected devices and employees who try to steal data, and it provides identifying information, such as username (through Identity Mapping), device IP and MAC addresses, and device type.
Reports generated by Threat Insight can be accessed through the Infoblox Reporting and Analytics server.
Unique Patented Technology
Threat Insight is a patented technology that uses machine learning and performs real-time streaming analytics on live DNS queries to detect data exfiltration. It examines host.subdomain and TXT records in DNS queries and uses entropy, lexical analysis, time series and other factors to determine the presence of suspicious data in queries.
Automated Security Response with Integrations
When an endpoint is trying to exfiltrate data, Infoblox provides indicators of compromise to endpoint remediation solutions such as Carbon Black. Using this intelligence, Carbon Black automatically bans the malicious processes from future execution and quarantines the infected endpoint. These actions accelerate security responses. Infoblox also exchanges security event information with Cisco Identity Services Engine (ISE) and provides robust restful APIs, which can enrich an enterprise’s SIEM with additional contextual data.
Other Products Needed with Threat Insight: To ensure not just detection of data exfiltration, but also enforcement of protection, Threat Insight must be deployed with BloxOne Threat Defense. Threat Insight will create an RPZ entry in all Infoblox appliances running security.
Hardware or Software Delivery Options: Threat Insight can run on physical or virtual Infoblox appliances, and it works on the following models of Infoblox appliances: PT-1405, TE-1415/V1415, TE-1425/V1425, TE-2210/v2210, 2215/v2215, TE- 2220/v2220, 2225/ v2225, PT-2200, PT-2205, IB-4010/v4010, V4015, TE-V4010/V4015, PT4000, IB-4030-DCAGRID-AC/DC, IB-4030- DCAGRID-T1-AC/DC, IB4030-DCAGRID-T2-AC/DC and IB-4030- DCAGRID-T3-AC/DC.
For additional information on Infoblox Threat insight, see About Infoblox Threat Insight.
Security Policies
A security policy is a set of rules and actions that you define to balance access and constraints, so you can mitigate malicious attacks and provide security for your networks. BloxOne Threat Defense Cloud provides a default global policy that gives you a head start in protecting your networks. You can review the default global policy and decide whether you want to add or remove some of the rules based on your business requirements.
In addition to the default global policy, you can add new security policies from scratch or clone an existing policy to complement the default policy. When you create a new security policy, you must first define a network scope to which you add external networks, user groups, DNS forwarding proxies, DDI IPAM, and Endpoint groups. BloxOne Threat Defense Cloud applies the security policy to all the entities that you include in the network scope. After you define the network scope, you can add policy rules and specify actions and their precedence order.
For additional information on setting up and configuring security policies, see Configuring Security Policies.
Other BloxOne Threat Defense Components
BloxOne Endpoint
BloxOne™ Endpoint is a lightweight mobile agent that can be used to access BloxOne Threat Defense Cloud service to secure roaming end users in varying environments such as home offices, branch offices, public spaces, and more. Endpoint communicates with BloxOne Threat Defense Cloud using DNS over Transport Layer Security (DoT). Endpoint protects users, devices, and systems no matter where they are, extending enterprise-level security to remote locations, and work from home environments. It leverages the power of your core network services to provide a foundational layer of security for on-prem, cloud and hybrid networks, streamlining and automating of threat responses.
Deploying BloxOne Endpoint
BloxOne Endpoint can be deployed using many methods, both manually and via automation. If using an automated is selected, ensure BloxOne Endpoint has its own folder, the correct Customer ID, and that all files contained within the .zip file are present when it is distributed. Once installed, BloxOne Endpoint will automatically update when updates are available.
For additional information on the installation and deployment of BloxOne Endpoint, see Installing Endpoint.
DNS Forwarding Proxy
DNS Forwarding Proxy (DFP) is a DNS forwarder that forwards DNS queries to BloxOne Threat Defense Cloud or to a local DNS server. DFP runs on the Host where it continually monitors connectivity to BloxOne Threat Defense Cloud where it communicates with BloxPne Threat Defense Cloud using DNS over Transport Layer Security (DoT). For customers who purchased BloxOne Threat Defense, the Host cannot reach BloxOne Threat Defense Cloud Anycast DNS server for any reason, then DFP will send requests to a local DNS server which protects clients via security RPZ (DNS Firewall) feeds.
DNS Forwarding Proxy is a virtual appliance that redirects DNS traffic from remote devices when installing an endpoint agent is not desirable or possible (on internal networks or IoT devices). This solution enables an agentless deployment that embeds client IP and MAC into DNS queries before forwarding to Infoblox Cloud. DNS Forwarding Proxy fallback to the DNS server is used as an end point when the primary server is unavailable. Having the DNS Forwarding Proxy fallback to a local DNS server can be used in situations where BloxOne Threat Defense Cloud is unreachable.
For additional information on the installation and deployment of DNS Forwarding Proxy, see Configuring DNS Forwarding Proxy.
External Networks
Before you can apply security policies, you must first define the networks that you want to protect from malicious attacks. The first step in configuring BloxOne Threat Defense Cloud is to set up DNS Firewall by defining your remote networks. You identify these external networks by their IP addresses. A network can contain a group of IPv4 addresses or blocks. If you plan to use multiple external networks in your configuration, Infoblox recommends that you register all your networks as soon as possible. Pre-registering your networks ensures that they will be available when traffic is pointed at them and prevents IP space belonging to your company from being incorrectly assigned. Please be aware that no protection is provided for traffic pointed to a network that has not yet been registered.
For additional information on configuring your external networks, see Configuring External Networks.
Data Connector
Infoblox’s cloud-managed Data Connector automatically collects DNS query-and-response data and security logs from various sources. Through the SCP protocol, Data Connector then forwards this data to the NIOS reporting server and third-party indexers, such as a SIEM. This process filters the information and transfers it to security operations center (SOC) tools, such as a SIEM solution, for easy correlation of events. The data is used to enrich Infoblox reports and furnish a seamless, integrated view into network and security events across on-prem and cloud (hybrid) deployments.
Data Connector is available as part of BloxOne Threat Defense, the Infoblox solution suite that works with an organization’s existing defenses to protect the network and automatically extend security to digital imperatives, including SD-WAN, IoT and the cloud. Because it is managed in the cloud, the Data Connector utility offers flexible scalability and ease of use for administrators.
For additional information on the installation and deployment of Data Connector, see Data Connector.
TIDE
TIDE leverages highly accurate machine-readable threat intelligence data via a flexible Threat Intelligence Data Exchange (TIDE) to aggregate, curate, and enable distribution of data across a broad range of infrastructure. TIDE enables organizations to ease easily consume threat intelligence from various internal and external sources, and to effectively defend against and quickly respond to cyber threats. TIDE is backed by the Infoblox Cyber intelligence Unit (CIU) that normalizes and refines high-quality threat intelligence data feeds. TIDE collects and manages curated threat intelligence from internal and external sources in a single platform. It enables security operations to remediate threats more rapidly by sharing normalized TIDE data in real time with third-party security systems such as Palo Alto Networks, SIEM, etc. By leveraging highly accurate machine-readable threat intelligence (MRTI) data to aggregate and selectively distribute data across a broad range of security infrastructure, the end result is a highly refined feed with a very low historical false-positive rate.
TIDE is a subscription-based services available within the Infoblox Cloud Services Portal. There are no requirements for access to TIDE other than possessing a valid subscription.
For additional information on using TIDE for your threat intelligence needs, see Infoblox Quick Start Guide for Dossier and TIDE.
Dossier™
Dossier is a threat investigation and research tool providing analysts, threat researchers, security staff, and SOC team members with simultaneous contextual information on threats from multiple sources, including TIDE. The acquisition of immediate contextual information allows threat analysts to save precious time in taking action against any identified threats. Dossier automates the collection and correlation of threat intelligence from dozens of open-source proprietary and premium commercial resources and presents the aggregated data in a single view. By enabling analysts to quickly pivot between intelligence sources and complete investigations, Dossier helps the analysts respond to threats rapidly and effectively.
Dossier is a subscription-based services available within the Infoblox Cloud Services Portal. There are no requirements for access to TIDE other than possessing a valid subscription.
For additional information on using Dossier for your threat research, see the Infoblox Dossier User Guide.
Custom Lookalike Domain Monitoring
BloxOne Threat Defense supports custom lookalike domain monitoring for viewing and searching lookalike domains. Custom Lookalike Domain Monitoring provides the power of the global lookalike domain feature to be targeted for specific critical domains for the user. Using a customer-defined list of domains, an organization can now add the company's own domain, or domains frequently visited by or controlled by the organization in order to provide advanced warning of common attack vectors. Using Custom Lookalike Domain Monitoring, users can potentially avert unknown attacks, and prevent potentially 'brand-affecting" incidents.
Lookalike domains are domains that are found to be visually similar (homographs) when compared to the domains they are attempting to imitate. Lookalike domains are composed using methods such as replacing letters with visually confusing ones (e.g. o to 0, l to 1, w to vv), switching to different top-level domains (e.g. .com to .cc), or by using the IDN character set or Punycode characters to mimic the legitimate domains they are attempting to exploit. Lookalike domains are often found in cyber attacks seeking brandjacking, traffic redirection, "typosquatting," and phishing.
For additional information on setting up and configuring custom lookalike domain monitoring, see Custom Lookalike Domain Monitoring.
Custom Lists
You can create custom lists containing domains and IP addresses to define allow lists and bock lists for additional protection. You can use a custom list to complement existing feeds or override the Block, Allow, Log, or Redirect action that is currently defined for an existing feed. You can also add a custom list to multiple security policies or multiple custom lists to one security policy based on your business needs. When using your own threat intelligence feeds with BloxOne Threat Defense Cloud, allow lists and block lists, you can apply your own security policies. Each custom list can contain as many as 50,000 records, and BloxOne Thread Defense Cloud supports up to 500,000 records across al customer lists.
BloxOne Threat Defense Cloud automatically creates the following default global policies. If you are concerned about DNS data exfiltration through DNS tunneling, DNSMessenger, Fast Flux, and DGA (including Dictionary DGA), you can apply any or all of these policies to the security policy for a allow list or block list. Note that you cannot modify or delete these default policies.
For additional information on setting up and configuring custom lists, see Custom Lists.
Filters
Two types of filters can be configured using the Cloud Services Portal. You can configure category filters and application filters. Category filters are content categorization rules that BloxOne Threat Defense Cloud uses to detect and filter specific internet content. Based on your configuration, specific actions such as Allow or Block will be taken on the detected content. BloxOne Threat Defense Cloud provides the following content categories from which you can build your category filters. Application filters are content application rules that BloxOne Threat Defense Cloud uses to detect and filter specific Internet content.
Category filters are a set of content categorization rules that BloxOne Threat Defense Cloud uses to detect and filter specific internet content. Based on your configuration, specific actions such as Allow or Block will be taken on the detected content. BloxOne Threat Defense Cloud provides the following content categories from which you can build your category filters.
Application filters are a set of rules that BloxOne Threat Defense Cloud uses to detect and filter specific Internet content. Application filters rely on the Application Classification Service (ACS) to establish application-specific rules. The Application Classification Service (ACS) provides accessibility to applications based on their category or subcategory. Using application filters, you can set security policies based on whether you want to allow an app to access the Internet at all times, or if you want the app to use local resolution when used with BloxOne DDI appliances.
For additional information on setting up and configuring filters, see Using Filters.
Default and Custom Redirects
You can configure BloxOne Threat Defense Cloud to redirect traffic to the Infoblox server that displays the default or customized redirect page. If you want to redirect traffic to a custom destination, you must first add the redirect IP or domain to the Redirect page.
For additional information on setting up and configuring redirects, see Defining the Redirect Page.
Additional Resources
Optionally, you can complete the following configuration based on your business needs:
After you have set up BloxOne Threat Defense Cloud, you can manage users, monitor the BloxOne Threat Defense Cloud service, and mitigate potential threats through the following features: