2543 - NIOS Threat Defense RPZ Feeds
Scenario
As part of a security initiative, the company has purchased subscriptions to Infoblox BloxOne Threat Defense.
You are tasked with adding specific Infoblox BloxOne Threat Defense feeds to your RPZ configuration. You will check the creation of the new RPZs. Once the zones are downloaded you will test them.
To download the RPZ feeds, you need to log in to the Infoblox Cloud Services Portal (the Infoblox portal) at https://portal.infoblox.com. Your credentials for accessing the Infoblox portal are on the Learning Portal.
Course References
2032: Configuring Threat Defense RPZ feeds in NIOS
Estimated Completion Time
45 to 55 minutes
Credentials
Description | Username | Password | URL or IP
---|---|---|---
Grid Manager UI | admin | infoblox |
Requirements
Administrative access to the Grid
Lab Initiation
Access jump-desktop
Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:
Username: training
Password: infoblox
Initiate lab
To initiate the lab, double-click the Launch Lab icon on the Desktop.
Choose the lab number from the list and click OK.
After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.
Lab initiation will take a couple of minutes to finish.
Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.
Tasks
Task 1: Log into NIOS and Verify Licenses
Task 2: Log into the Infoblox portal and copy the RPZ feed names and credentials
Task 3: Log into the NIOS grid and create RPZ DNSFW NSG name server group
Task 4: Configure RPZ Feeds into the NIOS GRID
Task 5: Verify RPZ Feed action using dig and syslog
Task 6: Test RPZ Feed action by disabling and re-enabling them
Task 1: Log into NIOS and Verify Licenses
Log into the NIOS grid and verify that the RPZ licenses are available for the ibns1.techblue.net and ibns2.techblue.net grid members.
If any licenses are missing, add them from Shared Drive/licenses.
Task 2: Log into Infoblox Portal and copy the RPZ feed names and credentials
Using your Infoblox Portal credentials from Launchpad, log into the Infoblox Portal and obtain information about the feeds, the IP address of the servers providing the feeds, and the feed authentication credentials (TSIG credentials):
Infoblox_Base
Infoblox_Base_IP
Infoblox_High_Risk
Copy the RPZ names and your server IP and TSIG credentials into a text file for use later. Use Geany (text editor) to save the feed information for later use.
Task 3: Log into the NIOS grid and create RPZ DNSFW NSG name server group
Create a name server group called RPZ DNSFW NSG. This name server group is used by the Infoblox RPZ feeds.
Use the server information you obtained from the Infoblox portal and add an external primary server.
ibns1.techblue.net is a lead secondary.
ibns2.techblue.net is a secondary.
You get an error if you try to add a name server group that uses Grid Replication as the Update Zones Using method to an RPZ.
Task 4: Configure RPZ Feeds into the NIOS GRID
Configure an RPZ for each feed separately. Initially, each RPZ is configured in Passthru Policy Override mode. Once they have been successfully tested, and you confirm that they don’t cause issues with legitimate traffic, they are put into None (Given) Policy Override Mode.
Re-order the RPZs if required so that they are ordered as follows:
allowlist.rpz
walledgarden.rpz
denylist.rpz
infoblox-base.rpz.infoblox.local
infoblox-base-ip.rpz.infoblox.local
infoblox-high-risk.rpz.infoblox.local
Task 5: Verify RPZ Feed action using dig and syslog
If you see the error message "Failed to reload network settings: No such file or directory", please re-enter "sudo set-network-static-nios".
Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.
Open a terminal window and issue the command
sudo set-network-static-nios
and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.
Use dig and syslog entries to validate the local RPZ configurations.
When using dig, specify the server 10.100.0.105 in the command using the @ symbol, i.e.: dig @10.100.0.105 <domain>
Use one or more of the following domains: "eicar.stream", "eicar.co" or "eicar.host".
You verify that the infoblox-base.rpz.infoblox.local RPZ is detecting domain names that should be blocked.
You then change the Override Policy for infoblox-base.rpz.infoblox.local from Passthru to Block (No Such Domain) and test again using dig and syslog.
Task 6: Test RPZ Feed action by disabling and re-enabling them
Disable the infoblox-base.rpz.infoblox.local feed and repeat the DNS Query for the A record for the previously tested domains.
Once you have verified that the domains are accessible, re-enable the infoblox-base.rpz.infoblox.local feed and re-order the RPZ list to its previous ordering from task 3.
Solutions
Task 1 Solution: Log into NIOS and Verify Licenses
Log into the NIOS grid and navigate to Grid → Licenses → Members, click the Show Filter button and filter based on the RPZ feature.
Verify that the RPZ licenses are available for the ibns1.techblue.net and ibns2.techblue.net grid members.
If any licenses are missing, add them from Shared Drive/licenses.
Click on the + icon, then on the Select file button.
Under Shared Drive/ Licenses, select RPZ.lic and click Save License.
Task 2 Solution: Log into the Infoblox portal and copy the RPZ feed names and credentials
You can access the Learning Portal using the web browser from within your lab environment; this enables you to easily copy and paste the Infoblox portal credentials.
In this task, you obtain your credentials for the Infoblox portal from the Learning Portal. You log into the Infoblox portal. You obtain information about the feeds, the IP addresses of the servers providing the feeds, and your feed authentication credentials (TSIG credentials).
Copy the RPZ names and your TSIG credentials into a text file for use later. Use Geany (text editor) to save the feed information for later use.
Use the Infoblox portal account details provided on the Learning Portal to log into the Infoblox portal.
Open a new tab in the web browser. Navigate to https://portal.infoblox.com
Enter your username and password from the Learning Portal.
Navigate to Configure → Security → On-prem DNS Firewall.
Click the On-prem DNS Firewall Configuration link.
Copy the RPZ names to a text editor. This step is for convenience. You can simply copy and paste the values when you create the new RPZ if you prefer.
Open a text editor on the Jump-Desktop. Click the Infoblox logo on the bottom left of the Desktop. Click the Geany icon.
Click the Step 2 Feeds Configuration Values link.
Click the Copy button to copy the RPZ name for the Base feed.
Paste the name of the Base RPZ into the editor.
Repeat the process for the Base-IP and High-Risk RPZs.
Close the Threat Feed Details page.
Click the Step 3 Distribution Server Configuration Values link.
Copy the values for Name, Distribution Server, Key Name, TSIG Key, and Key Algorithm to your text editor.
Make sure you use the copy button rather than highlight, select, and paste. You might not get the whole key if you don’t use the copy button.
These specific RPZs have been chosen to ensure they don’t exceed the capacity of the NIOS appliances in your lab environment.
Task 3 Solution: Log into NIOS grid and create RPZ DNSFW NSG name server group
In this task, you create a name server group called RPZ DNSFW NSG. This name server group is used by the Infoblox RPZ feeds.
Navigate to Data Management → DNS → Name Server Groups
Click the drop-down arrow next to the plus (+) symbol to add a new Authoritative Name Server Group.
Type RPZ DNSFW NSG in the Name field. Click the drop-down arrow next to the plus (+) symbol and select External Primary.
Add the details for the External Primary Name Server.
In this example, the US West Distribution Server is used.
Use the Name you saved earlier for the server name.
The IP Address is 54.69.93.185.
Click the Use TSIG button.
Copy your Key Name and Key Data from the Infoblox portal, or from the file you copied them to.
Click the Add button.
Click the drop-down arrow next to the plus (+) symbol and select Grid Secondary.
Click Select, Select ibns1.techblue.net from the Member Selector.
Check the Lead Secondary box. Click Add.
Click the drop-down arrow next to the plus (+) symbol. Click Grid Secondary.
Click Select, Select ibns2.techblue.net from the Member Selector.
Click Add then Save & Close.
Task 4 Solution: Configure RPZ Feeds into the NIOS GRID
In this task, you create the RPZ configuration for the feeds. Initially, each RPZ is configured in Passthru Policy Override mode. Once they have been successfully tested, and you confirm that they don’t cause issues with legitimate traffic, they are put into None (Given) Policy Override Mode.
Navigate to Data Management → DNS → Response Policy Zones.
Click the check button for Add Response Policy Zone Feed. Click Next.
Copy the name from your text file, or type, base.rpz.infoblox.local into the name field. Select Passthru as the Policy Override value. Add a description for the zone. Click Next.
Choose to Use this Name Server Group. Select RPZ DNSFW NSG and click Save & Close.
Do NOT restart services yet.
Repeat Steps b, c and d to add the Base-IP and High-Risk RPZ Feeds. Use Passthru as the Policy Override value for all feeds.
Re-order the RPZs if required so that they are ordered as follows:
allowlist.rpz
walledgarden.rpz
denylist.rpz
infoblox-base.rpz.infoblox.local
infoblox-base-ip.rpz.infoblox.local
infoblox-high-risk.rpz.infoblox.local
Restart DNS services now.
Navigate to Data Management → DNS → Response Policy Zones. The Last Updated field for the BloxOne Threat Defense feeds shows the date and time of the last update.
It may take some time for the downloads to complete.
Task 5 Solution: Verify RPZ Feed action using dig and syslog
If you see the error message "Failed to reload network settings: No such file or directory", please re-enter "sudo set-network-static-nios".
Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.
Open a terminal window and issue the command
sudo set-network-static-bloxone
and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.
Use dig and syslog entries to validate the local RPZ configurations.
When using dig, specify the server 10.100.0.105 in the command using the @ symbol, i.e.: dig @10.100.0.105 <domain>
Open a terminal window on the Testing-Linux machine. Use dig to perform a DNS query for eicar.stream or eicar.co or eicar.host.
The NXDOMAIN response here comes from the public DNS resolvers, not from our DNS server, so the output itself is not that important: we know our servers did not block the query, because the SOA record in the response belongs to a public DNS server and not to one of our servers. The syslog entries verify this further.
Navigate to Administration → Logs → Syslog → Active. Select Member ibns1.techblue.net from the drop-down list.
Choose RPZ Incidents from the Quick Filter drop-down list. Type <insert indicator used above> in the search box.
Check syslog. In this example, the DNS Query for thejoe.publixvm.com is listed in the messages section, in CEF format. The query has matched a PASSTHRU rule in base.rpz.infoblox.local.
You verify that the base.rpz.infoblox.local RPZ is detecting domain names that should be blocked by modifying the Policy Override value for base.rpz.infoblox.local. Change the value to None (Given).
Navigate to Data Management → DNS → Response Policy Zones.
Select the base.rpz.infoblox.local feed and click the hamburger icon. Select Edit.
Change the Policy Override value to None(Given). Click Save & Close. We use None (Given) as the policy actions are already set in the rules inside the RPZ.
Restart services when prompted.
Repeat the dig command from step 1. Open a terminal window on Testing-Linux. Use dig to perform a DNS query for eicar.stream, eicar.co or eicar.host. This time the query is blocked by the feed.
This time the NXDOMAIN response is coming from our DNS server, meaning that the feeds are blocking the queries and we can further verify using the logs.
View the record in syslog. This time the DNS response is NXDOMAIN – No Such Domain.
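The check in this task rests on where the NXDOMAIN came from: an RPZ rewrite carries the policy zone's SOA in the AUTHORITY section, whereas an upstream NXDOMAIN carries the public zone's SOA. The following POSIX shell function, added here as an example and not part of the lab material, classifies a dig reply on that basis; the three sample replies are constructed to mirror the Passthru, blocked and upstream cases described above (the SOA name server names inside them are assumptions).

```shell
#!/bin/sh
# Suffix shared by the Infoblox feed zones configured in this lab.
RPZ_SUFFIX="rpz.infoblox.local."

# Reads dig output (run with +comments +authority) on stdin and prints
# one of: rpz-block, nxdomain-upstream, noerror, unknown.
# Example: dig @10.100.0.105 eicar.stream A +comments +authority | rpz_verdict
rpz_verdict() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n1)
  # First SOA owner in the reply: the zone that asserted "no such domain".
  soa_owner=$(printf '%s\n' "$out" | awk '$4 == "SOA" { print $1; exit }')
  case "$status" in
    NXDOMAIN)
      case "$soa_owner" in
        *"$RPZ_SUFFIX") echo "rpz-block" ;;        # our policy zone answered
        *)              echo "nxdomain-upstream" ;; # public zone answered
      esac ;;
    NOERROR) echo "noerror" ;;   # Passthru rule or clean name: an A record came back
    *)       echo "unknown" ;;
  esac
}

# Constructed sample replies (not captured from the lab servers).
sample_rpz_block() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; QUESTION SECTION:
;eicar.stream.                 IN      A
;; AUTHORITY SECTION:
infoblox-base.rpz.infoblox.local. 60 IN SOA ns.rpz.infoblox.local. hostmaster.rpz.infoblox.local. 1 3600 900 604800 60
EOF
}
sample_upstream_nxdomain() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4712
;; QUESTION SECTION:
;eicar.stream.                 IN      A
;; AUTHORITY SECTION:
stream.                 3600    IN      SOA     ns1.example-registry.net. hostmaster.example-registry.net. 1 3600 900 604800 3600
EOF
}
sample_passthru() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; ANSWER SECTION:
eicar.co.               300     IN      A       203.0.113.10
EOF
}
```

Pipe a live dig reply into rpz_verdict after each policy change in Tasks 5 and 6 to confirm which server produced the verdict before reading the syslog entry.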
Task 6 Solution: Test RPZ Feed action by disabling and re-enabling them
In this task, you disable the base.rpz.infoblox.local feed and repeat the DNS Query for the A record of http://mydreamhoroscope.com.
Navigate to Data Management → DNS → Response Policy Zones.
Check the box next to infoblox-base.rpz.infoblox.local. Click the hamburger icon or the edit button to edit the zone.
Click the General tab.
Check the Disable box.
Click Save & Close.
Restart the services when prompted.
Open a terminal window on the Testing-Linux machine.
Run the command dig eicar.stream or eicar.co or eicar.host. In the results, you can see the A record returned by the DNS Server. The domain has not been blocked. Without the Base RPZ feed, users are able to obtain the IP Address of malicious sites.
Enable base.rpz.infoblox.local RPZ.
Navigate to Data Management → DNS → Response Policy Zones.
Check the box next to base.rpz.infoblox.local. Click the hamburger icon or the edit button to edit the zone.
Make sure the Disable box is unchecked. Click Save & Close. Restart Services when prompted.
Re-order the RPZ so that base.rpz.infoblox.local is below denylist.rpz. Restart Services when prompted.
Repeat the dig command once more on Testing-Linux. Use dig to perform a DNS query for eicar.stream, eicar.co or eicar.host. This time the query is blocked by the base.rpz.infoblox.local feed.