2803 - Configuring BloxOne Security Policies
Cloud Services Portal (CSP) is now Infoblox Portal
In early September, Cloud Services Portal (CSP) became Infoblox Portal with a new look-and-feel, and a new URL (https://portal.infoblox.com). As a result of this change, the layout and organization of several menus have been updated.
Unfortunately, this means that our video courseware and lab guides no longer match the new user interface. However, we are currently in the process of updating them, and they should be ready soon.
In the meantime, we have some resources to help you navigate the new interface:
We have created a mapping of the previous menu locations and their new breadcrumb location.
Additionally, you can find a walkthrough video of the new User Interface on Launchpad.
We apologize for any inconvenience this may cause and kindly ask for your patience as we work through this transition.
Scenario
You are tasked with deploying a new security policy for your organization. You will use BloxOne Threat Defense security policies to exclude your organization's local domains from being processed by the BloxOne cloud, use static custom lists to block specific domains, enable Safe Search and geolocation to comply with your organization's rules, and use Infoblox's threat feeds to block malicious traffic.
Estimate Completion Time
60-90 mins
Course Reference
2102: BloxOne Security Policies
Prerequisites
Administrative access to the CSP
Lab 2802: Enabling DNS Forwarding Proxies on BloxOne Hosts
Tasks
Task 1: Create Internal domains
Task 2: Create Custom Lists (Allowlist and Blocklist)
Task 3: Create a Category Filter
Task 4: Create Security Policies
Task 5: Verifying policies
Task 6: Creating and Testing Bypass Codes
Task 1: Create Internal domains
Create an internal domain list with the name Techblue-Internal
Add techblue.com to it so that queries for the domain are excluded from processing by the cloud
Task 2: Create Custom Lists (Allowlist and Blocklist)
Create two custom lists named Allowlist and Blocklist
Add infoblox.com and www.infoblox.com to the allowlist custom list
Add vanglabbeek.us and www.vanglabbeek.us to the blocklist custom list
Task 3: Create a Category Filter
Create a Category Filter with the name Unwanted Content
Add the Drugs, Mature/Violent and Pornography/Nudity categories, and the Gambling and gambling-related sub-categories, to the filter
Task 4: Create Security Policies
Create a new security policy with the name Techblue-Policy with Geolocation and Safe Search enabled
Add both BloxOne hosts (DNS Forwarding Proxies) and/or the endpoint group as the sources in the policy's network scope
Add your rules in this order:
Add Allowlist as a rule with the action Allow, with no logging
Add Blocklist as a rule with the action Block
Add Unwanted Content as a rule with the action Redirect
Add the AntiMalware feed as a rule with the action Block
Task 5: Verifying policies
Using dig on your testing-linux machine, and a web browser on your testing-windows machine, verify that your policy rules behave as expected for queries sent to 10.100.0.110 and 10.200.0.110:
infoblox.com should be allowed and resolve normally
vanglabbeek.us should be blocked and not be accessible
gambling.com should be redirected
streamthembase.top, a known malware domain, should be blocked and not be accessible
Use the Security Activity report in CSP to verify that the correct rules were triggered
The command interface-static-bloxone.bat is used to set an IP address on "testing-windows"; to verify that an IP address was configured, run ipconfig in a Command Prompt.
The command sudo set-network-static-bloxone is used to set an IP address on "testing-linux"; to verify that an IP address was configured, run ifconfig in a terminal window.
Task 6: Creating and Testing Bypass Codes
Create a bypass code with the name Techblue-bypass, making sure the code will not expire before you test it
Apply the code to the Unwanted Content filter and add it to your security policy Techblue-Policy
Using your testing-windows machine, verify that gambling.com can be reached once the bypass code is entered
Solutions
Task 1 solution: Create Internal domains
In your CSP browser window, navigate to Manage > Internal Domains and click Create Internal Domain.
Enter Techblue-Internal as the name and "excluded internal domains" as the description.
Expand Internal Domains, click Add, and enter techblue.net as your internal domain entry, then click Save & Close.
Navigate to Manage > Infrastructure > Services, select DFP-OPH2, click Edit, and select DNS Forwarding Proxy.
Expand Internal Domain Lists, click Add, choose Techblue-Internal from the list, and save the service configuration.
Task 2 solution: Create Custom Lists (Allowlist and Blocklist)
In your CSP browser window, navigate to Policies > Security Policies, select Custom Lists from the menu, and click Create Custom List.
Enter Allowlist as the name for the custom list, enter "Domains users are allowed to visit" in the description box, and set Level to Medium and Confidence to High.
Under the Domains/IP Addresses section, click Add and enter infoblox.com, then click Add again and enter www.infoblox.com, and finally click Save & Close.
Click Create Custom List again, enter Blocklist as the name for this list and "Blocked domains" as the description.
Under the Domains/IP Addresses section, click Add and enter vanglabbeek.us, then click Add again and enter www.vanglabbeek.us, and finally click Save & Close.
Task 3 solution: Create a Category Filter
In your CSP browser window, navigate to Policies > Security Policies, select Filters from the menu, open the Create Filter drop-down menu, and choose Create Category Filter.
Enter Unwanted Content as the name. From the category list, check Criminal Activity and Adult (expand them to see that checking a category automatically selects all of its sub-categories).
Click Save & Close.
Task 4 solution: Create Security Policies
In your CSP browser window, navigate to Policies > Security Policies and click Create Security Policy.
In the General tab, enter Techblue-Policy in the Name field, ensure that Geolocation and Safe Search are enabled, leave Local On-Prem Resolution disabled, and click Next.
Under Network Scope, click Add Source and select DNS Forwarding Proxy from the list. Select DFP-OPH1 and DFP-OPH2 by clicking the arrow icon next to each one, then click Save.
Under Policy Rules, click Add Rule and select Custom List from the menu. Choose the Allowlist custom list as the name and Allow - No Log as the action.
From the Add Rule menu select Custom List, choose Blocklist as the name and Block - No Redirect as the action.
From the Add Rule menu select Category Filter, choose Unwanted Content as the name and Default Redirect as the action.
From the Add Rule menu select Feeds and Threat Insight, choose AntiMalware as the name and Block - No Redirect as the action.
At the top of the page, verify that Default Action is set to Allow.
Click Next. On the Bypass Codes page, make sure the Selected column is empty and click Next.
Verify your configuration on the Summary page by clicking the arrow icons next to the configured sections. Once done, click Save & Close.
Reasons behind our action selection:
1- The Allowlist allows users to reach domains that we trust and know are safe, so logging these requests would not be helpful and could actually cause us to miss more important events.
2- The Blocklist blocks access to known domains, which is why we chose Block - No Redirect: we simply want to stop access to these domains.
3- For the category filter, we want users to know that they have been redirected away from a banned domain category, hence the choice of Default Redirect.
4- The feed rule acts like the Blocklist: it should deny access to malicious domains identified by Infoblox, and we simply need to stop access to these domains.
Task 5 solution: Verifying policies
Switch over to testing-linux and open a terminal window.
To test that the Allowlist rule is working, look up infoblox.com with dig using the command
dig @10.100.0.110 infoblox.com
The ANSWER SECTION of the response should contain the address records for infoblox.com, since the query was allowed.
To test that the Blocklist rule is working, look up www.vanglabbeek.us with dig using the command
dig @10.100.0.110 www.vanglabbeek.us
The response should not contain the domain's real address records, since the query was blocked.
To test that the Unwanted Content category filter is working, switch to the testing-windows machine.
Open the Tools folder on your desktop and run interface-static-bloxone.bat as an administrator.
Navigate to gambling.com in a web browser. Instead of the site, you should see the Infoblox redirect page.
To test the Feeds and Threat Insight rule, look up streamthembase.top, a known malware download domain. Switch back to testing-linux and, in a terminal window, enter the command
dig @10.200.0.110 streamthembase.top
The response should not contain the domain's real address records, since the query was blocked by the AntiMalware feed.
Switch back to the jump-Desktop machine and, in your CSP browser window, navigate to Reports > Security Activity. You should see all of the requests you made listed under Security Events.
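The four dig checks above can be scripted so the verification is repeatable after every policy change. The POSIX shell script below is an added example and is not part of the original lab guide or any Infoblox tooling. It classifies a dig response as allowed, blocked or redirected and runs the lab's four lookups against 10.100.0.110 and 10.200.0.110. It assumes that a Block - No Redirect rule answers NXDOMAIN (or a NOERROR response with no address records) and that a Default Redirect rule answers with the address of the Infoblox redirect page, which you must supply in REDIRECT_IP because that address is not given on this page. The embedded dig outputs are constructed samples, not real captures, so the classifier can be exercised without the lab network.

```shell
#!/bin/sh
# Added example (not from the lab guide): script the Task 5 dig checks.
# Assumptions: a "Block - No Redirect" rule answers NXDOMAIN or an empty
# answer; a "Default Redirect" rule answers with the address of the
# Infoblox redirect page, which you must supply in REDIRECT_IP (the lab
# page does not state that address).
REDIRECT_IP="${REDIRECT_IP:-}"

# classify_dig_output: read full dig output on stdin and print one of
# allowed / blocked / redirected / unknown.
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    # Collect the A/AAAA data (field 5 of each record) from the ANSWER SECTION.
    answers=$(printf '%s\n' "$out" |
        awk '/^;; ANSWER SECTION:/ {f=1; next} /^$/ {f=0} f && ($4=="A" || $4=="AAAA") {print $5}')
    case "$status" in
        NOERROR) ;;
        NXDOMAIN|REFUSED|SERVFAIL) echo blocked; return 0 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ -z "$answers" ]; then
        echo blocked        # NOERROR with no address records: treated as a block
    elif [ -n "$REDIRECT_IP" ] && printf '%s\n' "$answers" | grep -qxF "$REDIRECT_IP"; then
        echo redirected     # an answer pointing at the redirect page
    else
        echo allowed
    fi
}

# check_domain SERVER DOMAIN EXPECTED: query SERVER with dig and compare.
check_domain() {
    result=$(dig @"$1" "$2" | classify_dig_output)
    if [ "$result" = "$3" ]; then
        printf 'PASS %-22s via %s -> %s\n' "$2" "$1" "$result"
    else
        printf 'FAIL %-22s via %s -> %s (expected %s)\n' "$2" "$1" "$result" "$3"
        return 1
    fi
}

# run_lab_checks: the four lookups from the lab guide; needs the lab network.
run_lab_checks() {
    rc=0
    check_domain 10.100.0.110 infoblox.com       allowed    || rc=1
    check_domain 10.100.0.110 www.vanglabbeek.us blocked    || rc=1
    check_domain 10.200.0.110 gambling.com       redirected || rc=1
    check_domain 10.200.0.110 streamthembase.top blocked    || rc=1
    return $rc
}

# Constructed sample dig outputs (not real captures); addresses are from
# documentation ranges so the classifier can be tried offline.
SAMPLE_ALLOWED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; ANSWER SECTION:
infoblox.com.		300	IN	A	198.51.100.10

;; Query time: 1 msec'
SAMPLE_BLOCKED=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1002
;; AUTHORITY SECTION:
us.			900	IN	SOA	ns1.example. hostmaster.example. 1 1 1 1 1'
SAMPLE_REDIRECT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; ANSWER SECTION:
gambling.com.		60	IN	A	203.0.113.5

;; Query time: 1 msec'

# classify_sample TEXT: classify a dig output passed as a string.
classify_sample() {
    printf '%s\n' "$1" | classify_dig_output
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    run_lab_checks
else
    REDIRECT_IP="${REDIRECT_IP:-203.0.113.5}"   # matches the constructed redirect sample
    for s in "$SAMPLE_ALLOWED" "$SAMPLE_BLOCKED" "$SAMPLE_REDIRECT"; do
        printf 'sample -> %s\n' "$(classify_sample "$s")"
    done
fi
```

Run it with RUN_LIVE=1 REDIRECT_IP=<address of the redirect page seen in your lab> from testing-linux to exercise the real policy; without RUN_LIVE it only classifies the embedded samples. A query that the lab expects to be redirected will be reported as allowed if REDIRECT_IP is left unset, so always compare the script's verdicts with the Security Activity report in CSP rather than trusting the DNS answer alone.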
Task 6 solution: Creating and Testing Bypass Codes
Navigate to Administration > Bypass Codes and toggle Bypass Code to Enabled.
Click Create Bypass Code.
Enter the name Techblue-bypass and, optionally, a description. Examine the Beginning and Expiry dates; we will keep the defaults, which make the code active for 24 hours.
Expand and check Category Filters, make sure that Unwanted Content is selected, and finally click Save & Close.
Copy or memorize the VALUE field; this code will be used in a later step.
Navigate back to Policies > Security Policies, select the Techblue-Policy policy, and click Edit.
Under Bypass Codes, move Techblue-bypass to the Selected column, click Finish, then click Save & Close.
To test that the bypass code is working, switch to the testing-windows machine.
Navigate to gambling.com in a web browser. On the redirect page, enter the code from the VALUE column of the Bypass Codes page in CSP; the site should then be accessible.