2803 - Configuring Threat Defense Security Policies

Scenario

You're tasked with configuring a Threat Defense security policy for your organization. This policy should:

• Always allow a trusted domain, such as our corporate site.

• Block specific domains such as identified harmful sites or competitors' domains.

• Block adult-themed content such as gambling sites.

• Block social media sites.

Estimated Completion Time

• 30 to 50 minutes

Prerequisites

• Administrative access to the Infoblox Portal

• Lab 2802: Enabling DNS Forwarding Proxy Service: This prerequisite is required for task 4.

• Lab 2804: Managing Infoblox Endpoints: This prerequisite is required for task 5.

Tasks

1. Create Custom lists.

2. Create Filters.

3. Add a Security Policy.

4. Test Security Policies using DNS Forwarding Proxy.

5. Test Security Policies using Infoblox Endpoint.

Task 1: Creating Custom lists

Use the Education Infoblox Portal credentials to log in to the Infoblox Portal. Create 2 custom lists: an allowlist that only lists the domain www.infoblox.com and a blocklist that contains the entries eicar.co, eicar.stream, and eicar.pw.

Task 2: Creating Filters

In the Infoblox Portal, create 2 filters: a category filter and an application filter.

Task 3: Adding a Security Policy

In the Infoblox Portal, create a new security policy named Techblue Sec Policy. Choose both DFP-1 and Techblue-Endpoints as network scopes.

• change the default general tab settings as follows:

  1. Change the Precedence Value to 1.

  2. Toggle Geolocation ON.

  3. Toggle Safe Search ON.

  4. Toggle Block DNS Rebinding Attacks ON.

• The policy contains the following rules in order:

  1. Allowlist-Custom → Allow with log

  2. Blocklist-Custom → Block (No Redirect)

  3. Block-Adult → Block (Default Redirect)

  4. Block-Inta-Tiktok → Block (Default Redirect)

  5. Infoblox_Base (feed) → Block (No Redirect)

Task 4: Testing Security Policies using DNS Forwarding Proxy

In testing-linux in a terminal window use the command sudo set-network-static-bloxone to set a static IP address for the VM. You might get a red error message "Failed to reload network settings: No such file or directory". If you do, please re-enter the command.

In the lab environment, use the testing-linux VM to perform DNS lookups against the oph1.techblue.net server. Lookups for the domain www.infoblox.com should be allowed, while lookups for eicar.pw and eicar.host should be blocked with NXDOMAIN. Using a web browser, access several websites and verify the category and application filters are working. Finally, look at the Security Activities under the Reports section to verify that Threat Defense has logged these queries.

Task 5: Testing Security Policies using Infoblox Endpoint

In testing-windows open the Tools folder on the Desktop and run the interface-static-internet.bat file as an administrator. This sets a static IP address for the VM. If the VM does not get an IP address the first time, please re-enter the command.

In the lab environment, use the testing-windows VM and its web browser to navigate to some websites to verify security policies are working as intended. www.infoblox.com should be allowed, while sites such as eicar.pw, eicar.steam, and eicar.host should be blocked. Access several websites and verify the category and application filters are working. Finally, look at the Security Activities under the Reports section to verify that Threat Defense has logged these queries.

Solutions

Task 1 Solution: Creating Custom lists

1. Log into your lab’s jump-desktop.

2. Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

3. Navigate to Configure → Security → Policies → Custom Lists.

4. Click Create Custom List:

   1. Use the name Allowlist-Custom.

   2. Change the default severity level to Info and Leave the Confidence level at High.

   3. Under the Domains and IP Addresses section:

      1. Click Add

      2. Enter the domain www.infoblox.com.

         

5. Create another Custom list:

   1. Use the name Blocklist-Custom.

   2. Change the default severity and Confidence levels to High.

   3. Under the Domains and IP Addresses section:

      1. Enter the domains eicar.co, eicar.stream and eicar.pw.

         

Task 2 Solution: Creating Filters

1. Navigate to Configure → Security → Policies → Filters.

2. Click Create Filter and choose Category Filters:

   1. Use the name Block-Adult.

   2. Click the arrow next to the Adult section to add it to the selected column.

      • Note: Use the search bar on top of the categories section.

        

3. Click Create Filter and choose App Filters:

   1. Use the name Block-Insta-Tiktok.

   2. Select both Instagram and TikTok from the application list.

      • Note: Use the search bar on top of the categories section.

        

Task 3 Solution: Adding a Security Policy

1. Navigate to Configure → Security → Policies → Security Policies

2. Click Create Security Policy:

   1. Use the name Techblue Sec Policy and change the default general tab settings as follows:

      1. Change the Precedence Value to 1.

      2. Toggle Geolocation ON.

      3. Toggle Safe Search ON.

      4. Toggle Block DNS Rebinding Attacks ON.

         

   2. Click Next, under the Network Scopes tab:

      1. Click Add Source and choose DNS Forwarding Proxy from the list.

      2. Add DFP-1 and click Save.

         

3. Click Add Source and choose Endpoint Groups from the list.

4. Add Techblue-Endpoints and click Save.

   

5. Click Next, under the Polciy Rules tab add the following rules:

   1. Allowlist-Custom → Allow (with log)

   2. Blocklist-Custom → Block (No Redirect)

   3. Block-Adult → Block (Default Redirect)

   4. Block-Inta-Tiktok → Block (Default Redirect)

   5. Infoblox_Base (feed) → Block (No Redirect)

6. Click Finish then Save&Close.

   

Task 4 Solution: Testing Security Policies using DNS Forwarding Proxy

In this task we are simulating a machine setting behind a DFP, the DFP should forward all the client DNS traffic to the Threat Defense Cloud and block any unwanted or harmful traffic based on our Security Policies.
Lab 2801: Deploying NIOS-X Servers is a PREQUESITE for this task

1. Log into your lab’s Testing-Linux, with the credentials training / infoblox.

2. Open a terminal window and enter the command sudo set-network-static-bloxone

   • NOTE: This command is used to set an IP address for the VM in a subnet managed by the DFP oph1.techblue.net set earlier in our lab.

   • NOTE: You might get a red error message "Failed to reload network settings: No such file or directory", please re-enter the command.

     

3. Use the command dig @10.100.0.110 <DOMAIN-NAME>to test the custom lists we created earlier.

   • dig @10.100.0.110 www.infoblox.com should be allowed with the NOERROR response code.

     

4. eicar.pw, eicar.stream and eicar.co all should be blocked with an NXDOMAIN response code.

   

5. Open a browser window and surf www.gambling.com, www.instragram.com and www.tiktok.com to test Category and Application filters.

   • All three domains should be redirected to the default Infoblox redirect page.

     

6. Use the command dig @10.100.0.110 eicar.host to test the Infoblox_Base Feed.

   1. The domain should be blocked with a NXDOMAIN response code.

      

7. use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

8. Navigate to Reports → Security → Security Activities

   1. Use the search bar at the top of the page and use query ="<DOMAIN-NAME>" to verify each domain.

   2. The domain name will be under the Query field.

      

Task 5 Solution: Testing Security Policies using Infoblox Endpoint

In this task we are simulating a remote worker using an insecure internet connection, infoblox Endpoint should forward all the client DNS traffic to the Threat Defense Cloud and block any unwanted or harmful traffic based on our Security Policies.
Lab 2804: Managing Infoblox Endpoints is a PREQUESITE for this task

1. Log into your lab’s Testing-Windows, with the password infoblox.

2. Open the Tools folder on the Desktop and run the interface-static-internet.bat file as an administrator.

   • NOTE: This file is used to set an IP address for the VM in a subnet simulating a direct internet connection.

   • NOTE: If the machine doesn’t get an IP address, please re-enter the command.

     

3. Open a browser window and surf www.infoblox.com, eicar.pw, eicar.stream and eicar.co

   • www.infoblox.com should be allowed and the Infoblox home page should be visible.

     

4. eicar.pw, eicar.stream and eicar.co all should be blocked and the browser should fail to connect to the server.

   

5. Surf www.gambling.com, www.instragram.com and www.tiktok.com to test Category and Application filters.

   • All three domains should be redirected to the default Infoblox redirect page.

     

6. Surf eicar.host to test the Infoblox_Base Feed.

   1. The domain should be blocked and the browser should fail to connect to the server.

      

7. use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

8. Navigate to Reports → Security → Security Activities

   1. Use the search bar at the top of the page and use device_name = testing-windows to view all the logs for this specific machine.

   2. The domain name will be under the Query field.