Configuring Threat Defense Security Policies (2803)

Scenario

You're tasked with configuring a Threat Defense security policy for your organization. This policy should:

• Always allow a trusted domain, such as our corporate site.

• Block specific domains such as identified harmful sites or competitors' domains.

• Block adult-themed content such as gambling sites.

• Block social media sites.

Estimated Completion Time

• 30 to 50 minutes

Prerequisites

• Administrative access to the Infoblox Portal

• Lab 2802: Enabling DNS Forwarding Proxy Service: This prerequisite is required for task 4.

• Lab 2804: Managing Infoblox Endpoints: This prerequisite is required for task 5.

Tasks

1. Create Custom lists.

2. Create Filters.

3. Add a Security Policy.

4. Test Security Policies using DNS Forwarding Proxy.

5. Test Security Policies using Infoblox Endpoint.

Task 1: Creating Custom lists

Use the Education Infoblox Portal credentials to log in to the Infoblox Portal. Create 2 custom lists: an allowlist that only lists the domain www.infoblox.com and a blocklist that contains the entries eicar.co, eicar.stream, and eicar.pw.

Task 2: Creating Filters

In the Infoblox Portal, create 2 filters: a category filter and an application filter.

Task 3: Adding a Security Policy

In the Infoblox Portal, create a new security policy named Techblue Sec Policy. Choose both DFP-1 and Techblue-Endpoints as network scopes.

• change the default general tab settings as follows:

  1. Change the Precedence Value to 1.

  2. Toggle Geolocation ON.

  3. Toggle Safe Search ON.

  4. Toggle Block DNS Rebinding Attacks ON.

• The policy contains the following rules in order:

  1. Default Allow → Allow (No log)

  2. Allowlist-Custom → Allow (with log)

  3. Default Block → Block (No Redirect)

  4. Threat Insight - Zero Day DNS → Block (No Redirect)

  5. Blocklist-Custom → Block (No Redirect)

  6. Infoblox_Base (feed) → Block (No Redirect)

  7. Infoblox_High_Risk (feed) → Block (No Redirect)

  8. Block-Adult → Block (Default Redirect)

  9. Block-Insta-Tiktok → Block (Default Redirect)

  10. Threat Insight - Data Exfiltration → Block (No Redirect)

  11. Threat Insight - Notional Data Exfiltration → Block (No Redirect)

  12. All Approved Applications → Allow (No log)

Task 4: Testing Security Policies against DNS Forwarding Proxy

In testing-linux in a terminal window use the command sudo set-network-static-bloxone to set a static IP address for the VM. You might get a red error message "Failed to reload network settings: No such file or directory". If you do, please re-enter the command.

In the lab environment, use the testing-linux VM to perform DNS lookups against the oph1.techblue.net server. Lookups for the domain www.infoblox.com should be allowed, while lookups for eicar.pw and eicar.host should be blocked with NXDOMAIN. Using a web browser, access several websites and verify the category and application filters are working. Finally, look at the Security Activities under the Reports section to verify that Threat Defense has logged these queries.

Task 5: Testing Security Policies against Infoblox Endpoint

In testing-windows open the Tools folder on the Desktop and run the interface-static-internet.bat file as an administrator. This sets a static IP address for the VM. If the VM does not get an IP address the first time, please re-enter the command.

In the lab environment, use the testing-windows VM and its web browser to navigate to some websites to verify security policies are working as intended. www.infoblox.com should be allowed, while sites such as eicar.pw, eicar.steam, and eicar.host should be blocked. Access several websites and verify the category and application filters are working. Finally, look at the Security Activities under the Reports section to verify that Threat Defense has logged these queries.

Solutions

Task 1 Solution: Creating Custom lists

In this task we will create two custom lists “Allowlist-Custom“ and “Blocklist-Custom“. We will add our partner domain www.infoblox.com to “Allowlist-Custom“ and the three unwanted domains eicar.co, eicar.stream and eicar.pw to “Blocklist-Custom“. Please note that the three unwanted domains are added to the list to simulate an unwanted domain all three domains are part of the Infoblox_Base feed and do not need to be blocked manually.

1. Log into your lab’s jump-desktop.

2. Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

3. Navigate to Configure → Security → Policies → Custom Lists.

4. Click Create Custom List:

   1. Use the name Allowlist-Custom.

   2. Change the default severity level to Info and Leave the Confidence level at High.

   3. Under the Domains and IP Addresses section:

      1. Click Add

      2. Enter the domain www.infoblox.com.

         

5. Create another Custom list:

   1. Use the name Blocklist-Custom.

   2. Change the default severity and Confidence levels to High.

   3. Under the Domains and IP Addresses section:

      1. Enter the domains eicar.co, eicar.stream and eicar.pw.

         

Task 2 Solution: Creating Filters

In this step, we will create two filters. The first is a category filter “Block-Adult“ that will match the adult category. The second is an Application filter “Block-Insta-Tiktok“ that will match two specific application being Instagram and Tiktok.

1. Navigate to Configure → Security → Policies → Filters.

2. Click Create Filter and choose Category Filters:

   1. Use the name Block-Adult.

   2. Click the arrow next to the Adult section to add it to the selected column.

      • Note: Use the search bar on top of the categories section.

        

3. Click Create Filter and choose App Filters:

   1. Use the name Block-Insta-Tiktok.

   2. Select both Instagram and TikTok from the application list.

      • Note: Use the search bar on top of the categories section.

        

Task 3 Solution: Adding a Security Policy

In this task, we will create a new security policy “Techblue Sec Policy“. The security policy will have geolocation, safe search and DNS rebinding attacks blocking enabled and will use DFP-1 and Techblue-Endpoints as network scopes. The security policy will follow rule precedence recommendations for a security-biased organization:

• Default Section: This section includes rules we are very certain about. It's a short list of rules that have their entries manually added, ensuring high confidence.

  • Default Allow → Allow (No log): In this scenario this list is empty but it should contain trusted domains that do not need to be logged.

  • Allowlist-Custom → Allow (with log): This is a custom list created to allow partner domains, so it needs to be high on the list.

  • Default Block → Block (No Redirect): In this scenario this list is empty but it should contain of either unwanted domains or the very rare feed false-negatives.

• High Confidence Block Section: This section contains rules that we are highly confident should be blocked and since Tehcblue is a security-biased organization we will add the high-confidence, low-risk feeds and medium-confidence custom lists to bottom of the section.

  • Threat Insight - Zero Day DNS → Block (No Redirect): This is a Threat Insight Custom List

  • Blocklist-Custom → Block (No Redirect): A custom list created to block some unwanted domains

  • Infoblox_Base (feed) → Block (No Redirect): A high confidence, high risk Infoblox feed.

  • Infoblox_High_Risk (feed) → Block (No Redirect): A high confidence, high risk Infoblox feed.

  • Block-Adult → Block (Default Redirect): A Category filter blocking adult content.

  • Block-Insta-Tiktok → Block (Default Redirect): An application filter blocking Instagram and Tiktok.

  • Threat Insight - Data Exfiltration → Block (No Redirect): This is a Threat Insight Custom List that detects and stops Data exfiltration attempts, this is a medium confidence list, In this scenario we chose to block its entries, this may cause some false positives.

  • Threat Insight - Notional Data Exfiltration → Block (No Redirect): This is a Threat Insight Custom List that detects and stops Data exfiltration attempts, this is a low confidence list, In this scenario we chose to block its entries since Tehcblue is a security-biased organization, this will cause false positives.

• Allow Section: This section includes application filters for allowed application that need to be monitored but not blocked. Usually medium and low confidence rules that should initially be allowed with logs for monitoring are added to this section.

  • All Approved Applications → Allow (with log): This list will be populated by Application Discovery.

1. Navigate to Configure → Security → Policies → Security Policies

2. Click Create Security Policy:

   1. Use the name Techblue Sec Policy and change the default general tab settings as follows:

      1. Change the Precedence Value to 1.

      2. Toggle Geolocation ON.

      3. Toggle Safe Search ON.

      4. Toggle Block DNS Rebinding Attacks ON.

         

   2. Click Next, under the Network Scopes tab:

      1. Click Add Source and choose DNS Forwarding Proxy from the list.

      2. Add DFP-1 and click Save.

         

3. Click Add Source and choose Endpoint Groups from the list.

4. Add Techblue-Endpoints and click Save.

   

5. Click Next, under the Policy Rules tab add the following rules:

   1. Default Allow → Allow (No log)

   2. Allowlist-Custom → Allow (with log)

   3. Default Block → Block (No Redirect)

   4. Threat Insight - Zero Day DNS → Block (No Redirect)

   5. Blocklist-Custom → Block (No Redirect)

   6. Infoblox_Base (feed) → Block (No Redirect)

   7. Infoblox_High_Risk (feed) → Block (No Redirect)

   8. Block-Adult → Block (Default Redirect)

   9. Block-Insta-Tiktok → Block (Default Redirect)

   10. Threat Insight - Data Exfiltration → Block (No Redirect)

   11. Threat Insight - Notional Data Exfiltration → Block (No Redirect)

   12. All Approved Applications → Allow (No log)

6. Click Finish then Save&Close.

   

Task 4 Solution: Testing Security Policies against DNS Forwarding Proxy

In this task we are simulating a machine setting behind a DFP, the DFP should forward all the client DNS traffic to the Threat Defense Cloud and block any unwanted or harmful traffic based on our Security Policies. Lab 2801: Deploying NIOS-X Servers is a PREREQUISITE for this task

1. Log into your lab’s Testing-Linux, with the credentials training / infoblox.

2. Open a terminal window and enter the command sudo set-network-static-bloxone

   • NOTE: This command is used to set an IP address for the VM in a subnet managed by the DFP oph1.techblue.net set earlier in our lab.

   • NOTE: You might get a red error message "Failed to reload network settings: No such file or directory", please re-enter the command.

     

3. Use the command dig @10.100.0.110 <DOMAIN-NAME>to test the custom lists we created earlier.

   • dig @10.100.0.110 www.infoblox.com should be allowed with the NOERROR response code.

     

4. eicar.pw, eicar.stream and eicar.co all should be blocked with an NXDOMAIN response code.

   

5. Open a browser window and surf www.gambling.com, www.instragram.com and www.tiktok.com to test Category and Application filters.

   • All three domains should be redirected to the default Infoblox redirect page.

     

6. Use the command dig @10.100.0.110 eicar.host to test the Infoblox_Base Feed.

   1. The domain should be blocked with a NXDOMAIN response code.

      

7. use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

8. Navigate to Reports → Security → Security Activities

   1. Use the search bar at the top of the page and use query ="<DOMAIN-NAME>" to verify each domain.

   2. The domain name will be under the Query field.

      

Task 5 Solution: Testing Security Policies against Infoblox Endpoint

In this task we are simulating a remote worker using an insecure internet connection, Infoblox Endpoint should forward all the client DNS traffic to the Threat Defense Cloud and block any unwanted or harmful traffic based on our Security Policies. Lab 2804: Managing Infoblox Endpoints is a PREREQUISITE for this task

1. Log into your lab’s Testing-Windows, with the password infoblox.

2. Open the Tools folder on the Desktop and run the interface-static-internet.bat file as an administrator.

   • NOTE: This file is used to set an IP address for the VM in a subnet simulating a direct internet connection.

   • NOTE: If the machine doesn’t get an IP address, please re-enter the command.

     

3. Open a browser window and surf www.infoblox.com, eicar.pw, eicar.stream and eicar.co

   • www.infoblox.com should be allowed and the Infoblox home page should be visible.

     

4. eicar.pw, eicar.stream and eicar.co all should be blocked and the browser should fail to connect to the server.

   

5. Surf www.gambling.com, www.instragram.com and www.tiktok.com to test Category and Application filters.

   • All three domains should be redirected to the default Infoblox redirect page.

     

6. Surf eicar.host to test the Infoblox_Base Feed.

   1. The domain should be blocked and the browser should fail to connect to the server.

      

7. use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

8. Navigate to Reports → Security → Security Activities

   1. Use the search bar at the top of the page and use device_name = testing-windows to view all the logs for this specific machine.

   2. The domain name will be under the Query field.