1528 - Using NIOS Advanced DNS Protection (ADP) Monitoring and Reporting
This lab requires a lab environment with Advanced DNS Protection capability!
Please ensure that you have deployed the NIOS Lab Environment (with Advanced DNS Protection).
Scenario
As part of the corporate security policy, you are tasked with viewing syslog records, the Grid Manager Security Dashboard, and Reporting Server Dashboards and Reports. You also configure SNMP traps to send alerts to 10.100.0.10. A process on the Linux server is executing multiple DNS queries, which will be intercepted by extibns.techblue.net.
Estimate Completion Time
35 to 40 Minutes
Credentials
Description | Username | Password | URL or IP |
---|---|---|---|
Grid Manager UI | admin | infoblox | |
Course References
1022: NIOS Advanced DNS Protection Monitoring and Reporting
Lab Initiation
Access jump-desktop
Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:
Username: training
Password: infoblox
Initiate lab
To initiate the lab, double-click the Launch Lab icon on the Desktop.
Choose the lab number from the list and click OK.
After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.
Lab initiation will take a couple of minutes to finish.
Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.
Tasks
Task 1: Set up NIOS-4 to join the Grid
Task 2: Adding Licenses and Setting up the reporting server
Task 3: Locate Threat Protection events in Syslog
Task 4: Configure SNMP traps
Task 5: Configure Grid Manager Security Dashboard
Task 6: View Grid Manager Security Dashboard
Task 7: Review Reporting Server Dashboards
Task 8: Identify the Top Clients triggering rules, and the Top Rules triggered
Task 9: Export Report Results
Task 1: Set up NIOS-4 to join the Grid
Log into the NIOS-4 VM using the credentials (admin/infoblox).
Reset the VM to factory settings using the command
reset all
Log back into the VM and validate that it has been reset.
Edit the network settings using the following table:
Configuration | Value |
---|---|
IP Address | 203.0.113.105 |
Netmask | 255.255.255.0 |
Gateway | 203.0.113.1 |
VLAN Tag | Untagged |
IPv6 settings | n |
Become a grid member | n |
Set the management interface settings using the command
set interface mgmt
using the following table:
Configuration | Value |
---|---|
Enable Management port | y |
IP address | 10.35.22.105 |
Gateway | 10.35.22.1 |
IPv6 settings | n |
Restrict access | y |
Add the VM to the grid using the command
set membership
using the following table:
Configuration | Value |
---|---|
Grid Master VIP | 10.100.0.100 |
Grid name | infoblox |
Grid Secret | test |
Enable grid services on Management interface | y |
Task 2: Adding Licenses and Setting up the reporting server
Add the ADP license by navigating to Shared Drive/Licenses and selecting the ADP.lic file.
If you need to set up the reporting server, enter the following File Server Settings:
Configuration | Value |
---|---|
Username | training |
Password | infoblox |
Protocol | SCP |
Host/IP Address | 10.100.0.205 |
Port | 22 |
Path | /home/training/Documents/ReportingData |
Task 3: Locate Threat Protection events in Syslog
Please wait for the reporting service to be online and running on all grid members; this might take up to 10 minutes.
View the syslog records generated on the extibns.techblue.net member, which is providing Threat Protection services.
Task 4: Configure SNMP traps
Enable SNMP traps for the Grid, enable SNMP v1/v2, and enter public as the community string.
Use the IP address 10.100.0.10 for the trap receiver.
Task 5: Configure Grid Manager Security Dashboard
Configure and view the threat protection status for members.
Task 6: View Grid Manager Security Dashboard
View the top Threat Protection rule triggered on the ADP server, extibns.techblue.net, to identify the rule that is triggered the most. Also identify the client hitting the most Threat Protection rules.
Task 7: Review Reporting Server Dashboards
View the Threat Protection Event Count and the Threat Protection Top Rules dashboards.
Task 8: Identify the Top Clients triggering rules, and the Top Rules triggered
Use Reports to identify the Top Clients triggering Rules, and the top rules those client(s) triggered.
Task 9: Export Report Results
Export the results of the Threat Protection Top Rules Logged by Source report.
Solutions
Task 1 Solution: Set up NIOS-4 to join the Grid
Log into the NIOS-4 VM using the credentials (admin/infoblox).
Reset the VM to factory settings using the command
reset all
Log back into the VM and validate that it has been reset using the command
show network
If the interface is using the default IP, the VM has been reset.
Edit the network settings using the command
set network
with the values from the network settings table in Task 1.
Set the management interface settings using the command
set interface mgmt
with the values from the management interface table in Task 1.
Add the VM to the grid using the command
set membership
with the values from the membership table in Task 1.
Switch over to the jump-desktop machine and log into the Grid UI with the credentials (admin/infoblox) at https://10.100.0.100/
Verify that NIOS-4 has joined the grid under the name extibns.techblue.net.
Task 2 Solution: Adding Licenses and Setting up the reporting server
Navigate to Grid → Licenses → Members. Click the plus (+) symbol to add a new license.
Click Select File to upload the license file.
Navigate to Shared Drive/Licenses. Select the ADP.lic file and click Open.
Click Save License(s).
Confirm that Grid member extibns.techblue.net has the Threat Protection feature licensed. Notice that there are two parts to the license: the Software add-on and the Update license.
Click the very top Reporting tab (in between the Smart Folders and Grid tab).
The app configuration wizard opens. If it doesn't open immediately, or presents an error, wait 5 minutes and try again; the reporting server might still be starting up.
Click Continue to app setup page.
Enter the File Server Settings listed in Task 2.
Click Save. You will be taken to the Reporting Home Dashboard.
Note: you can click on the Grid tab to get back to the Grid Manager screen.
Task 3 Solution: Locate Threat Protection events in Syslog
In this task, you view syslog records generated on the extibns.techblue.net member, which is providing Threat Protection services.
Please wait for the reporting service to be online and running on all grid members; this might take up to 10 minutes.
Navigate to Administration → Log → Syslog.
Select member extibns.techblue.net and select Threat Detection from the quick filter.
Click Toggle multi-line view to view the syslog records. There are multiple records showing Threat Protection rules being hit. In this example, the EARLY DROP TCP rule, which is in the DNS Protocol Anomalies category, was hit from the source IP 192.0.113.105.
YOU WILL SEE DIFFERENT RESULTS IN YOUR LAB.
Task 4 Solution: Configure SNMP traps
In this task, you configure SNMP Traps.
Navigate to Grid → Grid Manager → Members.
Click Grid Properties in the Toolbar.
Scroll down to SNMP in the Grid Properties Editor.
Click the check box to enable SNMP v1/v2 Traps. Enter public for the community string.
Click the plus (+) symbol to add a Trap Receiver. Use the IP address 10.100.0.10 for the trap receiver. Click Save & Close. Click Yes for confirmation when prompted with the SCP Warning.
Task 5 Solution: Configure Grid Manager Security Dashboard
In this task, you configure and view the NIOS Security Dashboard.
Navigate to Dashboards → Status → Security.
Scroll down to Threat Protection Status for Member.
Click the Gear icon to add the extibns.techblue.net member.
Click Select Member. Select extibns.techblue.net from the list. Check the Auto Refresh Period button. Optionally change the visualization type for Traffic being dropped and/or Traffic being received.
Click the gear icon again to close the edit window.
Task 6 Solution: View Grid Manager Security Dashboard
In this task, you view the top Threat Protection rule triggered on the ADP server, extibns.techblue.net, to identify the rule that is triggered the most. You also identify the client hitting the most Threat Protection rules.
Navigate to Dashboards → Status → Security.
Scroll down to Threat Protection Status for Grid.
Click Top 10 Rules. In this example, the DROP ICMP large packets is the top rule. You may see different results in your lab.
Click the Top 10 Clients tab. In this example, the client with IP address 192.88.99.32 has generated the most hits. You may see different results in your lab.
Task 7 Solution: Review Reporting Server Dashboards
In this task, you view the Threat Protection Event Count and the Threat Protection Top Rules dashboards.
Please note, you will see different results in your lab.
Navigate to Reporting → Dashboards.
Enter Threat Protection in the filter box. The list of dashboards is reduced to show just Threat Protection related dashboards. The list includes two Dashboards relating to Licensing and Enabled Grid features as you have recently licensed and enabled Threat Protection services.
Select the Threat Protection Event Count Dashboard.
View the Threat Protection Event Count by Category table, to determine the most prevalent critical threat category for the Last 1 day. In the example, the category ICMP has the highest value, with 297 events.
View the Threat Protection Event Count by Member table. In this example, there is only one entry. In our Grid, there is only one Grid member providing Threat Protection services, extibns.techblue.net.
Scroll down to the Threat Protection Event Count by Rule table. The results here reflect what has been observed previously. The rule with the largest hit count is DROP OSPF unexpected packets.
Use the SID value (Rule ID) to search for the DROP ICMP large packets rule in the active ruleset.
Navigate to Data Management → Security → Threat Protection Rules.
Click the version number of the active ruleset.
Click Show Filter. Select Rule ID as the filter, equals as the operator, and enter 130400210 as the value. Click Apply.
View the properties of the Rule. The rule 130400210 is an Auto rule. The Dashboard enables you to see the rules that are typically matched by your network traffic. You can then make a decision about which rules you wish/need to implement.
Return to the Threat Protection Event Count Dashboard. View the Threat Protection Event Count by Severity Trend chart. Determine if there is a peak of activity at specific time periods. In this example, there is peak activity of critical events from about 12:45 pm. The results you see are likely to be different.
Modify the dashboard to view Threat Protection Events in the last hour, viewing only the ICMP Category.
Open the Threat Protection Top Rules Logged Dashboard, by navigating to Reporting → Dashboards.
Use the Threat Protection Top Rules Logged by Source chart to identify which clients are attacking the server the most. In this example, IP address 192.0.0.164 has triggered the most events. You may obtain different results in your lab.
Task 8 Solution: Identify the Top Clients triggering rules, and the Top Rules triggered
In this task, you use Reports to identify the Top Clients triggering Rules, and the top rules those client(s) triggered.
Navigate to Reporting → Reports.
Enter Threat Protection in the filter box. The list of reports is reduced to show just Threat Protection Reports.
Open the Threat Protection Top Rules Logged by Source report. Notice the default time period for the report is the week (7 days).
In this example, client 192.0.0.164 has the top number of events. The top rule for this client is DROP OSPF unexpected. Other clients have also triggered multiple rules. This information is useful when tuning ADP.
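The Top 10 Rules and Top Clients views used in Tasks 6 and 8 are plain aggregations over the Threat Protection syslog records, so they can be reproduced offline from an exported log. The script below is an added example, not part of the lab or of Infoblox's own tooling: the CEF field layout, the nhits weighting and the two 0000000xx SIDs are assumptions, and the log lines are constructed to mirror the rule names, SID and addresses quoted in this lab.

```python
"""Summarise NIOS Threat Protection syslog records: top rules, top clients, SID lookup."""
import re
from collections import Counter, defaultdict

# Constructed sample records. The CEF layout (vendor|product|version|SID|rule|severity|
# extensions) and the nhits key are assumptions about the NIOS record format; the
# 130400210 SID and rule names come from the lab text, 0000000xx SIDs are placeholders.
SAMPLE_SYSLOG = """\
Jan 10 12:45:01 extibns CEF:0|Infoblox|NIOS Threat|8.6|130400210|DROP ICMP large packets|7|src=192.0.0.164 dst=203.0.113.105 act=DROP cat=ICMP nhits=120
Jan 10 12:45:02 extibns CEF:0|Infoblox|NIOS Threat|8.6|130400210|DROP ICMP large packets|7|src=192.88.99.32 dst=203.0.113.105 act=DROP cat=ICMP nhits=100
Jan 10 12:45:03 extibns CEF:0|Infoblox|NIOS Threat|8.6|000000001|EARLY DROP TCP|5|src=192.0.113.105 dst=203.0.113.105 act=DROP cat=DNS Protocol Anomalies nhits=15
Jan 10 12:45:04 extibns CEF:0|Infoblox|NIOS Threat|8.6|000000002|DROP OSPF unexpected packets|7|src=192.0.0.164 dst=203.0.113.105 act=DROP cat=OSPF nhits=200
Jan 10 12:45:05 extibns unrelated syslog line that is not a Threat Protection record
"""

CEF_RE = re.compile(r"CEF:0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
# key=value pairs; the lazy value runs until the next " key=" so values may contain spaces
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Return a dict for one Threat Protection CEF record, or None for any other syslog line."""
    m = CEF_RE.search(line)
    if not m:
        return None
    _vendor, _product, _version, sid, rule, severity, ext = m.groups()
    fields = dict(EXT_RE.findall(ext))
    return {"sid": sid, "rule": rule, "severity": int(severity),
            "src": fields.get("src"), "category": fields.get("cat"),
            "hits": int(fields.get("nhits", 1))}  # nhits: aggregated hit count, assumed key

def parse_syslog(text):
    return [e for e in (parse_event(ln) for ln in text.splitlines()) if e]

def top_rules(events, n=10):
    """Equivalent of the dashboard's Top 10 Rules: rule name -> total hits."""
    return Counter({}).__class__(sum((Counter({e["rule"]: e["hits"]}) for e in events), Counter())).most_common(n)

def top_clients(events, n=10):
    """Equivalent of the Top 10 Clients tab: source IP -> total hits."""
    return sum((Counter({e["src"]: e["hits"]}) for e in events), Counter()).most_common(n)

def rules_by_client(events):
    """Equivalent of the Top Rules Logged by Source report: per client, rules ranked by hits."""
    by_src = defaultdict(Counter)
    for e in events:
        by_src[e["src"]][e["rule"]] += e["hits"]
    return {src: c.most_common() for src, c in by_src.items()}

def rule_for_sid(events, sid):
    """Map a SID (Rule ID) back to its rule name, as done manually in Task 7."""
    return next((e["rule"] for e in events if e["sid"] == sid), None)

if __name__ == "__main__":
    ev = parse_syslog(SAMPLE_SYSLOG)
    print("Top rules:", top_rules(ev, 3))
    print("Top clients:", top_clients(ev, 3))
    print("Rules by client:", rules_by_client(ev))
    print("SID 130400210 ->", rule_for_sid(ev, "130400210"))
```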
Task 9 Solution: Export Report Results
In this task, you export the results of the Threat Protection Top Rules Logged by Source report.
Download the results of the Threat Protection Top Rules Logged by Source report in CSV format.
Click the Export icon
Select CSV format
Click Export
Open the file in LibreOffice Calc.
Click OK to open the file. The CSV file contains all the data from the report and can be used when you plan your ADP tuning.