
1526 - Using NIOS DNS Firewall Monitoring and Reporting

Scenario

As part of the corporate security policy, you are tasked with gathering information about the clients that may be compromised. You are also asked to provide information about the most recent RPZ Hits, and the status of the name servers and RPZ feeds.
You use the Security Dashboard and the Reporting Server to identify potentially infected clients and to obtain information about recent hits, name server status and RPZ feeds.
You create a Search for RPZ Hits on the base.rpz.infoblox.local feed and add the search to a dashboard. You then create an associated report and an alert. The Base RPZ Hits Alert sends an email to soc@techblue.net.

Estimate Completion Time

  • 45 to 55 minutes

Credentials

Description        Username   Password   URL or IP
Grid Manager UI    admin      infoblox   https://10.100.0.100/

Course References

  • 1020: NIOS DNS Firewall Monitoring and Reporting

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.


Tasks

  • Task 1: Generate RPZ Hits

  • Conditional Task 1: Adding Licenses

  • Task 2: Use Security Dashboard to identify clients with RPZ Hits

  • Task 3: Confirm Name Server status

  • Task 4: Identify Peak time for RPZ hits

  • Conditional Task 2: Setup the reporting server

  • Task 5: Use the Reporting Server Dashboards to identify DNS Top RPZ Hits

  • Task 6: Create a new Dashboard called DDI Security Dashboard

  • Task 7: Create a Search for Base RPZ Hits

  • Task 8: Create a Report for Base RPZ Hits

  • Task 9: Create an Alert for Base RPZ hits

  • Task 10: Disable the Base RPZ Hits alert


Task 1: Generate RPZ Hits

On the jump-desktop, log in to the GM web interface. Use a Threat Indicator from the Base RPZ to generate RPZ hits that simulate security violations.

  • On your Jump-Desktop, open a browser window and type https://10.100.0.100 to access the GM Interface.

  • Navigate to Grid → Licenses, click Show Filter and filter on Feature equals RPZ. If ibns1 and ibns2 are not listed, execute Conditional Task 1 immediately.

  • Use one or more of the following threat indicators: eicar.stream, eicar.co or eicar.host.

  • Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • Open a terminal window, issue the command sudo set-network-static-nios, and verify with the ifconfig command that the machine now has the IP address 172.31.101.250.

      If you see the error message "Failed to reload network settings: No such file or directory", re-enter "sudo set-network-static-nios".

Conditional Task 1: Adding Licenses

  • Apply the RPZ license file stored on the Jump-desktop

  • Verify that DNS licenses are enabled and running on members that will be hosting RPZ

  • Add the RPZ licenses located in the Shared Drive/Licenses folder under the name RPZ.txt

Task 2: Use Security Dashboard to identify clients with RPZ Hits

  • View the RPZ Recent Hits in the Security Dashboard to identify clients that are causing many RPZ hits.

Task 3: Confirm Name Server status

  • Use the Security Dashboard to confirm the status of the Grid name servers, ibns1.techblue.net and ibns2.techblue.net

Task 4: Identify Peak time for RPZ hits

  • Investigate the peak time when the most RPZ hits occur

Conditional Task 2: Setup the reporting server

If the reporting server is not set up, use the following instructions to set it up.

  • If you need to set up the reporting server, enter the following File Server Settings:

Configuration      Value
Username           training
Password           infoblox
Protocol           SCP
Host/IP Address    10.100.0.205
Port               22
Path               /home/training/Documents/ReportingData

Task 5: Use the Reporting Server Dashboards to identify DNS Top RPZ Hits

If the reporting server is not set up, execute Conditional Task 2 first.

  • Use the Reporting Server to provide information about RPZ Hits

Task 6: Create a new Dashboard called DDI Security Dashboard

  • Create a new dashboard using XML source from the Infoblox Community. This Dashboard provides a good visual representation of DDI Security and will be popular with less technical senior staff.

  • The XML is stored in the Reporting - DDI Security Dashboard.xml file in the Shared Drive/NIOS Imports folder on the Linux Desktop.

Task 7: Create a Search for Base RPZ Hits

  • Create a search for RPZ Hits. The Search is saved as a Dashboard Panel on the new DDI Security Dashboard.

Task 8: Create a Report for Base RPZ Hits

  • Use the previously created Search to create a report called Base RPZ Hits.

Task 9: Create an Alert for Base RPZ hits

  • Create an Alert for hits on the Base RPZ. When the Alert triggers, an email is sent to the SOC.

Task 10: Disable the Base RPZ Hits alert

  • Disable the base RPZ Alert to prevent disruption to future labs.



Solutions

Task 1 Solution: Generate RPZ Hits

In this task you use a Threat Indicator from the Base RPZ to generate RPZ Hits.

  1. On your Jump-Desktop, open a browser window and type https://10.100.0.100 to access the GM Interface. Use the credentials ops/infoblox.

  2. Navigate to Grid → Licenses, click Show Filter and filter on Feature equals RPZ. If ibns1 and ibns2 are not listed, execute Conditional Task 1 immediately.

  3. Wait for the reporting service to be online and running on all Grid members; this can take up to 10 minutes.
    The reporting service may alternate between online and offline on different members, but the whole process should not take longer than 10 minutes.

  4. Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • Open a terminal window, issue the command sudo set-network-static-nios, and verify with the ifconfig command that the machine now has the IP address 172.31.101.250.

      If you see the error message "Failed to reload network settings: No such file or directory", re-enter "sudo set-network-static-nios".

  5. Use the dig command to generate RPZ Hits. The example uses thejoe.publicvm.com; replace it with one or more of these indicators: eicar.stream, eicar.co or eicar.host.

  6. Press the up-arrow key to repeat the command at least 10 times.

Conditional Task 1 Solution: Adding Licenses

  1. Navigate to Grid → Licenses.

  2. Click the plus (+) symbol to add the RPZ license.

  3. Select the Upload License File radio button. Click Select File.

  4. Navigate to shared Drive/Licenses. Click the RPZ.txt file and select Open.

  5. Click Save License(s).

  6. Click Filter On and use a quick filter to search for RPZ licenses. There are two licenses associated with ibns1.techblue.net as this member is part of an HA pair.

Task 2 Solution: Use Security Dashboard to identify clients with RPZ Hits

In this task, you view the RPZ Recent Hits in the Security Dashboard to identify clients that are causing a large number of RPZ hits. You use Threat Lookup to investigate a domain name that occurs in the RPZ hits and may be a potential threat.

  1. Navigate back to the Jump-Desktop and go to Dashboards → Status → Security.

  2. Scroll down to Response Policy Zone (RPZ) Status for Grid. Click on RPZ Recent Hits. The results show recent RPZ Hits for the client with IP Address 172.31.101.250.

  3. Move the mouse to the Response Policy Zone (RPZ) Status for Member widget, click the cog wheel icon and select ibns1.techblue.net.

  4. Click RPZ Recent Hits. The same client IP Address 172.31.101.250 is listed. Click the View Syslog button.

  5. Hover the mouse over the message entries until you find the one with the address 172.31.101.250. The full syslog message is displayed. The message shows that the client 10.100.0.10 made a request for the A record of a host in the <your threat indicator> domain. The request was blocked by the base.rpz.infoblox.local RPZ.

Task 3 Solution: Confirm Name Server status

In this task, you use the Security Dashboard to confirm the status of the Grid name servers, ibns1.techblue.net and ibns2.techblue.net.

  1. Navigate to Dashboards → Status → Security.

  2. Scroll down to Security Status for all Members. Verify the status for each member. In the example, the widget shows a yellow Warning for ibns1.techblue.net. The status for ibns2.techblue.net is a green OK. Your Grid may show different results.

Task 4 Solution: Identify Peak time for RPZ hits

In this task, you investigate the peak time when the most RPZ hits occur.

  1. Scroll down to the Response Policy Zone (RPZ) Status for Grid widget.

  2. Click the Trend option to view the peak time when RPZ hits are occurring. In this example, the Dashboard widget shows a peak time of around 1:55 pm.

Conditional Task 2 solution: Setup the Reporting Server

  1. Click the very top Reporting tab (in between the Smart Folders and Grid tab).

    1. The app configuration wizard opens. If it does not open immediately, or presents an error, wait 5 minutes and try again; the reporting server might still be starting up.

  2. Click Continue to app setup page.

  3. Enter the following File Server Settings:

  4. Click Save. You will be taken to the Reporting Home Dashboard.
    Note: you can click the Grid tab to get back to the Grid Manager screen.

Task 5 Solution: Use the Reporting Server Dashboards to identify DNS Top RPZ Hits

In this task, you use the Reporting Server to provide information about RPZ Hits.

  • The Reporting setup wizard configures some important settings for the Reporting service.

    1. View the DNS Top RPZ Hits by Clients report on the Reporting Server. Navigate to Reporting → Reports.

    2. Type RPZ in the filter box.

    3. Click the DNS Top RPZ Hits by Clients report. Client 172.31.101.250 has the most hits. This may be an indication of compromise and should be investigated further.

Task 6 Solution: Create a new Dashboard called DDI Security Dashboard

In this task, you create a new dashboard using XML source from the Infoblox Community. This Dashboard provides a good visual representation of DDI Security and will be popular with less technical senior staff.

  • The XML is stored in the Reporting - DDI Security Dashboard.xml file in the Shared Drive/NIOS Imports folder on the Linux Desktop.

    1. Navigate to Reporting → Dashboards.

    2. Click Create New Dashboard.

    3. Type test in the Title field. It will be replaced by the title in the XML file. You can enter a description if you wish. Select Shared in App so that the dashboard is available to others. Click Create Dashboard.

    4. Navigate back to Reporting → Dashboards.

    5. Enter test in the filter bar and click Edit Source.

    6. Copy the XML for the DDI Security Dashboard.

      1. Use File Manager to navigate to the Shared Drive/NIOS Imports folder on the Linux Desktop.

      2. Right-click the Reporting - DDI Security Dashboard.xml file and open it with the Geany application.

      3. Click Edit and choose Select All.

      4. Click Edit and choose Copy.

      5. Switch back to the Grid Manager. Highlight the existing text in the dashboard source window. Right-click and paste the XML you copied over the top of the existing XML.

      6. Click Save.

Task 7 Solution: Create a Search for Base RPZ Hits

Previous research with logs and the NIOS Security Dashboard indicates that there are frequent hits on the Base RPZ. In this task, you create a search for RPZ Hits. The Search is saved as a Dashboard Panel on the new DDI Security Dashboard.

  1. Navigate to Reporting → Search.

    1. Enter the following text as the Search command: index=ib_dns RPZ_QNAME="*.base.rpz.infoblox.local"| timechart count by CLIENT

    2. Leave All Time selected as the time value. Click the Search button.

    3. Click Visualization and select Column for the display type.

    4. Click Save As and save the Search as a Dashboard Panel.

    5. Select Existing and select DDI Security as the dashboard where the panel will go.

    6. Enter a name for the panel. Select Column as the Panel content. Click Save.

    7. When prompted, click View to look at the panel on your customized dashboard. Scroll to the bottom of the dashboard to view the new panel.

Task 8 Solution: Create a Report for Base RPZ Hits

In this task, you use the previously created Search to create a report called Base RPZ Hits.

  1. Navigate to Reporting → Search.

  2. Use the Search history to recall your search for Base RPZ Hits. Click the Add to Search button.

  3. Click the Search button.

  4. Click Save As and select Report.

  5. Enter a value for your report name. Select Yes for Time Range Picker. Click Save.

  6. Click View to see the Report.

Task 9 Solution: Create an Alert for Base RPZ hits

In this task, you create an Alert for hits on the Base RPZ. When the Alert triggers, an email is sent to the SOC.

  1. Navigate to Reporting → Reports.

  2. Filter the results down to rpz.

  3. Click Open in Search for the Base RPZ Hits.

    1. Click Alert in the Save As list.

    2. Specify Base RPZ Hits as the Title for the Alert.

    3. Choose Shared in App for Permissions, and Real-Time for Alert Type.

    4. Set the Trigger alert when value to Number of Results is greater than 1 in 20 minutes.

    5. Set Trigger value to Once.

    6. Set the Throttle value to suppress triggering for 10 minutes.

  4. Configure the Trigger Action.

    1. Select Send Email.

    2. Send the email to soc@techblue.net

    3. Set the Priority to High.

    4. Type a message, and tick the check boxes to include Search String, Trigger Condition, and Attach PDF.

    5. Click Save.
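The following Python script is an added example (not code from the lab or from Infoblox) that reproduces offline what Tasks 5, 7 and 9 do in the Reporting Server: it counts RPZ hits per client, buckets them in time like the timechart search, and evaluates the Task 9 trigger (more than 1 result in 20 minutes, throttled for 10 minutes). The syslog lines are constructed in a BIND-style "rpz ... rewrite ... via" form for illustration, not a capture from ibns1; only the feed name, the threat indicators and the client addresses come from the lab text.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample messages (BIND-style RPZ rewrite log lines), not a real capture.
# The last line is an ordinary query, included to show it is ignored by the parser.
SAMPLE_SYSLOG = """\
2024-05-06T13:50:12 ibns1 named[1234]: client 172.31.101.250#41001 (eicar.co): rpz QNAME NXDOMAIN rewrite eicar.co via eicar.co.base.rpz.infoblox.local
2024-05-06T13:55:40 ibns1 named[1234]: client 172.31.101.250#41002 (eicar.stream): rpz QNAME NXDOMAIN rewrite eicar.stream via eicar.stream.base.rpz.infoblox.local
2024-05-06T13:56:03 ibns1 named[1234]: client 172.31.101.250#41003 (eicar.host): rpz QNAME NXDOMAIN rewrite eicar.host via eicar.host.base.rpz.infoblox.local
2024-05-06T14:20:10 ibns1 named[1234]: client 10.100.0.10#53000 (eicar.co): rpz QNAME NXDOMAIN rewrite eicar.co via eicar.co.base.rpz.infoblox.local
2024-05-06T14:21:00 ibns1 named[1234]: client 10.100.0.10#53001 (www.example.net): query: www.example.net IN A + (172.31.101.1)
"""

RPZ_RE = re.compile(r"^(?P<ts>\S+) \S+ named\[\d+\]: client (?P<client>[\d.]+)#\d+ "
                    r"\((?P<qname>[^)]+)\): rpz \S+ \S+ rewrite \S+ via (?P<rpz_qname>\S+)$")

def parse_rpz_hits(text, feed="base.rpz.infoblox.local"):
    """Return (timestamp, client, qname) for each hit rewritten via the given RPZ feed."""
    hits = []
    for line in text.splitlines():
        m = RPZ_RE.match(line)
        if m and m.group("rpz_qname").endswith("." + feed):
            hits.append((datetime.fromisoformat(m.group("ts")), m.group("client"), m.group("qname")))
    return hits

def timechart_by_client(hits, span_minutes=5):
    """Offline equivalent of '| timechart count by CLIENT': hits per client per time bucket."""
    chart = defaultdict(Counter)
    for ts, client, _ in hits:
        bucket = ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % span_minutes)
        chart[bucket][client] += 1
    return chart

def top_client(hits):
    """Client with the most hits, as in the DNS Top RPZ Hits by Clients report (Task 5)."""
    return Counter(c for _, c, _ in hits).most_common(1)[0]

def peak_bucket(chart):
    """Bucket with the most hits overall, as in the Trend view (Task 4)."""
    return max(chart, key=lambda b: sum(chart[b].values()))

def alert_fires(hits, window=timedelta(minutes=20), threshold=1, throttle=timedelta(minutes=10)):
    """Task 9 rule: fire when more than `threshold` hits fall in a `window`, then suppress for `throttle`."""
    fired, last_fire = [], None
    times = sorted(ts for ts, _, _ in hits)
    for i, ts in enumerate(times):
        in_window = sum(1 for t in times[:i + 1] if ts - t <= window)
        if in_window > threshold and (last_fire is None or ts - last_fire >= throttle):
            fired.append(ts)
            last_fire = ts
    return fired
```

On the sample data the script singles out 172.31.101.250 as the top client, places the peak in the 13:55 bucket, and fires the alert once at 13:55:40 while the throttle suppresses the hit 23 seconds later.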

Task 10 Solution: Disable the Base RPZ Hits alert

In this task, you disable the base RPZ Alert to prevent disruption to future labs.

  1. Navigate to Reporting → Alerts.

  2. Click Base RPZ Hits.

  3. Click Disable.

  4. Click Disable to confirm.
