
About Infoblox Legacy Data Connector

The Infoblox Legacy Data Connector VM (virtual appliance) is a utility designed to do the following:

  • Collect DNS query and response data from the Infoblox Grid members;
  • Filter the data based on user criteria, thus reducing the quantity of data;
  • Convert the data to a format that can be securely transferred to the following endpoints: the NIOS reporting server for report generation, the Infoblox BloxOne Threat Defense Cloud destination, and SIEM (Security Information and Event Management) tools.

The Legacy Data Connector filters data based on user criteria (thus reducing data quantity) and converts the data to a format that can be easily consumed by the supported destinations. It acts as a central point for data collection across your network devices, which reduces the impact of data exchange and improves your Grid performance. You can configure data filters to filter certain DNS queries and responses. For more information, see Configuring Data Filters.

SIEM tools can perform real-time analysis of the DNS query and response data to identify malicious activities and threats to the network. Legacy Data Connector 3.0 supports the following SIEMs, which Infoblox tested with these versions:

  • Micro Focus ArcSight ESM version 7.0.0.2410.0 and SmartConnector Version: 7.8.0.8070.0
  • IBM QRadar version 7.2.8
  • McAfee ESM version 10.1.0

Although Infoblox cannot guarantee that your SIEM integration will work with a software version other than the ones tested, a problem is unlikely because Legacy Data Connector 3.0 uses generic syslog as its output mechanism.


Note: The Legacy Data Connector 3.0 VM allows you to configure a cloud destination or a reporting destination with only one supported SIEM tool. You can also configure one of the supported SIEM destinations (Micro Focus ArcSight ESM, IBM QRadar, or McAfee ESM) with Splunk at the same time. The Legacy Data Connector VM does not support multiple SIEM destinations at the same time.


The Legacy Data Connector collects DNS query and response data from the Grid members that are answering queries, and then forwards this data to the NIOS reporting server and SIEM tools. It also collects RPZ hits, DHCP lease information, IPAM information, and, if available, user information from the Grid members, writes this data to Parquet files, and sends those files to the Infoblox BloxOne Threat Defense Cloud destination via HTTP requests. The Legacy Data Connector 3.0 VM converts the DNS queries and responses into CEF (Common Event Format) for ArcSight and McAfee ESM, and into LEEF (Log Event Extended Format) for QRadar.
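As an added example (not Infoblox's own code; the sample lines and their extension keys are constructed and are not the Data Connector's real field names), a small Python consumer that parses both the CEF and LEEF forms described above into one normalized record, so a SIEM-side rule can treat the two feeds alike:

```python
import re

# Constructed sample events in the two formats the Data Connector emits to SIEMs:
# CEF (ArcSight, McAfee ESM) and LEEF (QRadar). Keys are illustrative only.
CEF_SAMPLE = ("CEF:0|Infoblox|Data Connector|3.0|DNS_QUERY|DNS query|3|"
              "src=10.1.2.3 dst=10.1.1.53 dhost=www.example.com rtype=A msg=client query")
LEEF_SAMPLE = ("LEEF:1.0|Infoblox|Data Connector|3.0|DNS_RESPONSE|"
               "src=10.1.2.3\tdst=10.1.1.53\tdhost=www.example.com\trcode=NOERROR")

def parse_cef(line):
    """Parse a CEF line into its 7 header fields plus a dict of extension key=value pairs."""
    # Header pipes may be escaped as '\|'; split only on unescaped ones (7 splits => 8 parts).
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    hdr = [p.replace("\\|", "|") for p in parts[:7]]
    # Extension values may contain spaces, so a value runs until the next ' key=' token.
    ext = {m.group(1): m.group(2).replace("\\=", "=")
           for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return {"format": "CEF", "vendor": hdr[1], "product": hdr[2], "version": hdr[3],
            "event_id": hdr[4], "name": hdr[5], "severity": hdr[6], "fields": ext}

def parse_leef(line):
    """Parse a LEEF 1.0 or 2.0 line; LEEF 2.0 may declare its own attribute delimiter."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    version = line[5:line.index("|")]
    if version.startswith("2"):
        parts = line.split("|", 6)          # 6th header field is the delimiter (empty => tab)
        delim = parts[5] or "\t"
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):   # hex form such as x09
            delim = chr(int(delim[1:], 16))
        attrs = parts[6]
    else:
        parts = line.split("|", 5)          # LEEF 1.0: attributes are always tab-delimited
        delim, attrs = "\t", parts[5]
    fields = dict(kv.split("=", 1) for kv in attrs.split(delim) if "=" in kv)
    return {"format": "LEEF", "vendor": parts[1], "product": parts[2], "version": parts[3],
            "event_id": parts[4], "fields": fields}

def parse_event(line):
    """Dispatch on the format prefix so one consumer handles both SIEM feeds."""
    return parse_cef(line) if line.startswith("CEF:") else parse_leef(line)

def queried_names(lines, key="dhost"):
    """Return the queried name from each event, the field a domain-based SIEM rule keys on."""
    return [parse_event(line)["fields"].get(key) for line in lines]
```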

The Legacy Data Connector is designed to run on VMware ESXi servers. You can install the Legacy Data Connector VM software package on a host with VMware ESXi 5.x or later installed, and then configure it as a virtual appliance. After configuring the Legacy Data Connector VM, you must register it with the Infoblox Grid and configure certain NIOS parameters before it can collect DNS query and response data from the Grid. Note that you can register only one Legacy Data Connector with a Grid running NIOS 7.3.0 and later.

Figure 1.1 Legacy Data Connection Process


Note: For the BloxOne Cloud destination, the Legacy Data Connector collects additional data from the Infoblox NIOS Grid for reporting and analytics purposes. For more information, see Configuring BloxOne Threat Defense Cloud Destination.

When you set up a Legacy Data Connector VM, you use it solely for collecting DNS data from the Grid and sending the data to the desired destination. You cannot add licenses to run other services, such as DNS and DHCP.


Note:

  • It is not required that you upgrade the Legacy Data Connector virtual machine when upgrading NIOS appliances in your Grid.
  • Legacy Data Connector virtual machines are not supported on IPv6-only Grids.

The following are some key features of the Legacy Data Connector:

  • The Data Connector collects DNS query data from the NIOS Grid and forwards it to the NIOS reporting server through the SCP protocol, to the Infoblox cloud destination via HTTP requests, and to SIEM tools using the TCP protocol.
  • To ensure confidentiality, all protocol exchanges to and from the Legacy Data Connector VM are encrypted.
  • The Legacy Data Connector VM has a firewall enabled.
  • You can make a remote serial connection to the Legacy Data Connector VM using SSH on port 2020. Example: ssh admin@DCVM_IP -p 2020.
  • Infoblox Technical Support can use port 2222 to access the Legacy Data Connector VM. Example: ssh dcadmin@DCVM_IP -p 2222.

Figure 1.1 illustrates the basic concept of the data collection process: collecting query and response data from Grid members, storing it, and sending it on to the supported destinations. You can then monitor the trend of DNS queries by client, domain, time, record type, query type, and DNS view. For more information, see Viewing DNS Query Capture Reports.