New BloxOne Feeds
Infoblox offers a set of new feeds designed to replace those feeds approaching end of service and scheduled for deprecation in December 2024.
The following new feeds are available based on your subscription level.
Feed Availability

Feed Name | Essentials | Business On-Prem | Business Cloud | Advanced |
---|---|---|---|---|
Infoblox Base | ✔ | ✔ | ✔ | ✔ |
Infoblox Base IP | NA | ✔ | ✔ | ✔ |
Infoblox High Risk | NA | NA | NA | ✔ |
Infoblox Medium Risk | NA | NA | NA | ✔ |
Infoblox Low Risk | NA | NA | NA | ✔ |
Infoblox Informational | NA | ✔ | ✔ | ✔ |
For information on the new RPZ feed recommendations for NIOS, see Feed Revamp for NIOS.
Infoblox will notify you when the new feeds become available to be used in configuring security policies in the Cloud Services Portal.
Default Actions of the New Feeds

New Feed | Default Action |
---|---|
Infoblox Base | Block - No Redirect |
Infoblox Base IP | Block - No Redirect |
Infoblox High Risk | Block - No Redirect |
Infoblox Medium Risk | Block - No Redirect |
Infoblox Low Risk | Allow - With Log |
Infoblox Informational | Allow - With Log |
Feeds Scheduled for Deprecation in December 2024
The following feeds are approaching end of service and are being deprecated. The new Infoblox feeds listed above replace them; the mapping from old feed to new feed is given in the Infoblox Threat Defense Feed Mapping table that follows.
Deprecated Feeds | Description |
---|---|
Base Hostnames | Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes. |
AntiMalware | Enables protection against known malicious hostname threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites. |
Ransomware | Enables protection against ransomware taking over your system. Ransomware encrypts files on your system and demands payment to decrypt them. This feed prevents ransomware from contacting the servers it needs in order to encrypt your files. |
Malware DGA Hostnames | Domain generation algorithms (DGAs) are algorithms used by various malware families to periodically generate a large number of domain names that can serve as rendezvous points with their command and control servers. Examples include Ramnit, Conficker, and Banjori. |
Antimalware IP | Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites. |
Suspicious | The Suspicious Domains feed enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent. |
Suspicious Lookalike | The Suspicious Lookalikes feed includes domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern. |
Suspicious NOED | The Suspicious Emergent Domains feed includes high-risk new domains. These domains have only recently become active and share one or more characteristics with known malicious domains, enough to warrant concern. |
Newly Observed Emergent Domains | The NOED feed includes recently created and newly active domain names. These are not necessarily suspicious but some organizations may wish to log traffic going to these domains as there is a low likelihood that these domains would be visited normally. |
Infoblox Threat Defense Feed Mapping

The mapping below follows the upgrade-script logic described under Logic for Upgrade Script: the four old hostname feeds are merged into Infoblox Base, the three Suspicious feeds map onto the three risk tiers, and the IP and NOED feeds are renamed one-to-one.

Old Feed | to | New Feed |
---|---|---|
Base Hostnames | => | Infoblox Base |
AntiMalware | => | Infoblox Base |
Malware DGA Hostnames | => | Infoblox Base |
Ransomware | => | Infoblox Base |
Antimalware IP | => | Infoblox Base IP |
Suspicious | => | Infoblox High Risk |
Suspicious Lookalike | => | Infoblox Medium Risk |
Suspicious NOED | => | Infoblox Low Risk |
Newly Observed Emergent Domains (NOED) | => | Infoblox Informational |
Deprecation of the Extended Feeds
With the deprecation of the old feeds and the release of the new feeds, Infoblox is also deprecating the Extended feeds listed below. These feeds have recently carried zero indicators. Previously, when a malicious domain's TTL expired, the domain was moved to the corresponding Extended feed, which extended its lifetime. That logic has been changed: on expiry the domain is re-validated, and if it is still valid it is kept in its original feed rather than moved to a separate Extended feed. As a result the Extended feeds have been empty, and they can be deprecated without removing any indicators from your policies.
Deprecated Extended RPZ Feed |
---|
Extended Base & anti-malware Hostnames |
Extended Ransomware |
Extended AntiMalware IPs |
Spambot IPs DNSNL |
Upgrading Policy Rules Using the New Feeds
Upgrading to Improve Policy Rules
Your security policies must be updated to the latest policy rules using the upgraded feed structure. The deadline for upgrading your security policies is December 31, 2024. Any policy that has not been upgraded by this date will be upgraded automatically.
To upgrade a policy, perform the following:

1. Navigate to the Security Policies page in the Cloud Services Portal (Policies > Security Policies).
2. On the Security Policy tab, click the Upgrade link in the Upgrade Status column. Once the link is clicked, the upgrade process runs automatically and cannot be reversed. Because it cannot be reversed, record the policy's current rules first (see Viewing Your Current Security Policy Rules below) so that you can compare them with the upgraded rules afterwards.
3. Policies that have been upgraded display a green check along with an Upgrade Complete message; no further action is required for them. Policies that still require an upgrade display an Upgrade link, and clicking it starts the upgrade for that policy.

Policy upgrades are not performed automatically before the deadline, so that you can choose a date and time that suits you. Policies that have not been upgraded by December 31, 2024, will be upgraded automatically on that date.
Only system administrators possess the required permissions to update a security policy.
Viewing Your Current Security Policy Rules
To view your current security policy rules, select a security policy and click on the three horizontal bars icon associated with it. From among the available options, click the Edit option followed by clicking the Policy Rules side menu item of the Edit Policy wizard. The current security policy configuration will be displayed.
The deprecated feeds are being incorporated into the new set of Infoblox feeds.
Viewing Your Upgraded Security Policy Rules
To view your upgraded security policy rules, select a security policy and click on the three horizontal bars icon associated with it. From among the available options, click the Edit option followed by clicking the Policy Rules side menu item of the Edit Policy wizard. The upgraded security policy configuration will be displayed.
Restricted Workflows for Old Security Policies Prior to Upgrading
Before upgrading a security policy, you cannot modify its configuration. You can still view existing security policies, but changes to non-upgraded policies cannot be saved; when you attempt to edit a non-upgraded policy, the Finish button is disabled. Once you upgrade a policy, you can edit and update it again.
Similarly, if you open the Policy Rules page of a non-upgraded policy, the Save & Close button on the Summary page is disabled. The policy configuration can still be viewed.
Logic for Upgrade Script

The upgrade script rewrites a policy's rules in four steps. The tables below list the old rule actions and the resulting new rule action for each documented case.

Step 1: Base Hostnames, AntiMalware, Malware DGA Hostnames and Ransomware are merged into a single Infoblox Base rule. In every documented case the new rule is Block if any of the four old rules is Block, and Allow only when all four are Allow. Note that an old feed you had set to Allow (Malware DGA Hostnames in Case 2, for example) is therefore blocked after the upgrade; review any such exception before upgrading.

Case | Base Hostnames | AntiMalware | Malware DGA Hostnames | Ransomware | Infoblox Base (new action) |
---|---|---|---|---|---|
1A (best: no mix, all Block) | Block | Block | Block | Block | Block |
1B (best: no mix, all Allow) | Allow | Allow | Allow | Allow | Allow |
2 (possible: 1-2 mixed) | Block | Block | Allow | Block | Block |
3 (worst: most mixed) | Allow | Block | Allow | Allow | Block |

Step 2: Antimalware IP maps to Infoblox Base IP. The rule is retained as is (same precedence, same action), no change.

Old Feed | New Feed | New Action |
---|---|---|
Antimalware IP | Infoblox Base IP | Retained as is (same precedence, same action) |

Step 3: Suspicious, Suspicious Lookalikes and Suspicious NOED map to Infoblox High Risk, Infoblox Medium Risk and Infoblox Low Risk respectively. When all three old rules share the same action, the three new rules keep it. In the mixed cases shown, High Risk and Medium Risk become Block and Low Risk becomes Allow - with Log, even where Suspicious NOED was Block (Case 3); review that change if you relied on blocking Suspicious NOED.

Case | Suspicious | Suspicious Lookalikes | Suspicious NOED | Infoblox High Risk | Infoblox Medium Risk | Infoblox Low Risk |
---|---|---|---|---|---|---|
1A (best: no mix, all Block) | Block | Block | Block | Block | Block | Block |
1B (best: no mix, all Allow) | Allow | Allow | Allow | Allow | Allow | Allow |
2 (possible: 1 mixed) | Block | Allow | Allow | Block | Block | Allow - with Log |
3 (worst: 2 mixed) | Block | Allow | Block | Block | Block | Allow - with Log |

Step 4: Newly Observed Emergent Domains (NOED) maps to Infoblox Informational. The rule is retained as is (same precedence, same action), no change.

Old Feed | New Feed | New Action |
---|---|---|
Newly Observed Emergent Domains (NOED) | Infoblox Informational | Retained as is (same precedence, same action) |

Note: All other supported rules are not changed and are left as is, with the existing rule action.
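Because the upgrade is non-reversible and happens with one click, it is useful to preview what it will do to a policy and to list every old rule whose effective action changes (Allow becoming Block through the Infoblox Base merge, or Suspicious NOED Block becoming Allow - with Log). The script below is an added example, not Infoblox's upgrade script and not an Infoblox API: it applies the four steps of the Logic for Upgrade Script tables to a constructed policy given as a list of (feed, action) pairs in precedence order. The page documents only four cases per step, so the behaviour for other mixed combinations, the treatment of an absent Suspicious rule as Allow, and the precedence slot given to a merged rule are assumptions, marked as such in the code.

```python
"""Preview the effect of the BloxOne feed upgrade on a security policy.

Added example; not Infoblox's upgrade script. The merge rules come from the
Logic for Upgrade Script tables. Behaviour for combinations the page does not
list is an ASSUMPTION and is marked as such.
"""

BLOCK = "Block"
ALLOW = "Allow"
ALLOW_LOG = "Allow - with Log"

# Step 1: four old hostname feeds merge into Infoblox Base.
BASE_GROUP = ("Base Hostnames", "AntiMalware", "Malware DGA Hostnames", "Ransomware")
# Step 3: the three Suspicious feeds map onto the three risk tiers, in order.
RISK_GROUP = ("Suspicious", "Suspicious Lookalikes", "Suspicious NOED")
RISK_TIERS = ("Infoblox High Risk", "Infoblox Medium Risk", "Infoblox Low Risk")
# Steps 2 and 4: one-to-one renames, rule retained as is.
ONE_TO_ONE = {
    "Antimalware IP": "Infoblox Base IP",
    "Newly Observed Emergent Domains": "Infoblox Informational",
}


def merge_base(actions):
    """Step 1: Block if any merged feed blocks; Allow only when all allow."""
    return BLOCK if BLOCK in actions else ALLOW


def risk_tiers(suspicious, lookalikes, noed):
    """Step 3. Unmixed: every tier keeps the common action. Mixed: the page's
    cases give High Risk = Block, Medium Risk = Block, Low Risk = Allow - with Log.
    ASSUMPTION for mixes the page does not list: High Risk follows Suspicious,
    Medium Risk blocks if Suspicious or Lookalikes blocked, Low Risk logs."""
    old = (suspicious, lookalikes, noed)
    if all(a == BLOCK for a in old):
        return dict(zip(RISK_TIERS, (BLOCK, BLOCK, BLOCK)))
    if all(a == ALLOW for a in old):
        return dict(zip(RISK_TIERS, (ALLOW, ALLOW, ALLOW)))
    high = BLOCK if suspicious == BLOCK else ALLOW
    medium = BLOCK if BLOCK in (suspicious, lookalikes) else ALLOW
    return dict(zip(RISK_TIERS, (high, medium, ALLOW_LOG)))


def upgrade_policy(rules):
    """rules: list of (feed_name, action) in precedence order.

    Returns (new_rules, changes). Rules for feeds the page does not mention
    pass through unchanged. ASSUMPTION: a merged rule takes the precedence slot
    of the first old rule of its group, and an absent Suspicious rule counts as
    Allow; the page states neither."""
    by_feed = dict(rules)
    base_action = merge_base([by_feed[f] for f in BASE_GROUP if f in by_feed])
    tiers = risk_tiers(*(by_feed.get(f, ALLOW) for f in RISK_GROUP))

    new_rules, changes, done = [], [], set()
    for feed, old_action in rules:
        if feed in BASE_GROUP:
            target, new_action = "Infoblox Base", base_action
            if "base" not in done:
                new_rules.append((target, new_action))
                done.add("base")
        elif feed in RISK_GROUP:
            target = RISK_TIERS[RISK_GROUP.index(feed)]
            new_action = tiers[target]
            if "risk" not in done:
                new_rules.extend(tiers.items())  # High, Medium, Low in order
                done.add("risk")
        elif feed in ONE_TO_ONE:
            target, new_action = ONE_TO_ONE[feed], old_action  # retained as is
            new_rules.append((target, new_action))
        else:
            new_rules.append((feed, old_action))  # all other rules left as is
            continue
        if new_action != old_action:
            changes.append(f"{feed}: {old_action} -> {new_action} ({target})")
    return new_rules, changes


# Constructed sample policy (not a real tenant), in precedence order. It
# combines Step 1 Case 2 and Step 3 Case 3 from the page's tables.
SAMPLE_POLICY = [
    ("Custom Allow List", ALLOW),
    ("Base Hostnames", BLOCK),
    ("AntiMalware", BLOCK),
    ("Malware DGA Hostnames", ALLOW),
    ("Ransomware", BLOCK),
    ("Antimalware IP", BLOCK),
    ("Suspicious", BLOCK),
    ("Suspicious Lookalikes", ALLOW),
    ("Suspicious NOED", BLOCK),
    ("Newly Observed Emergent Domains", ALLOW_LOG),
]

if __name__ == "__main__":
    upgraded, diffs = upgrade_policy(SAMPLE_POLICY)
    for feed, action in upgraded:
        print(f"{feed:35} {action}")
    print("\nEffective changes to review before clicking Upgrade:")
    for line in diffs:
        print("  " + line)
```

For the sample policy the preview produces seven rules (the custom list, Infoblox Base, Infoblox Base IP, the three risk tiers, and Infoblox Informational) and flags three effective changes: Malware DGA Hostnames goes from Allow to Block through the merge, Suspicious Lookalikes from Allow to Block, and Suspicious NOED from Block to Allow - with Log. Those are exactly the rows worth checking against the current policy before upgrading, since the Upgrade link cannot be undone.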