2803 - Configuring Threat Defense Security Policies
Scenario
You're tasked with configuring a Threat Defense security policy for your organization. This policy should:
Always allow a trusted domain, such as our corporate site.
Block specific domains such as identified harmful sites or competitors' domains.
Block adult-themed content such as gambling sites.
Block social media sites.
Estimated Completion Time
30 to 50 minutes
Prerequisites
Administrative access to the Infoblox Portal
Lab 2802: Enabling DNS Forwarding Proxy Service: This prerequisite is required for task 4.
Lab 2804: Managing Infoblox Endpoints: This prerequisite is required for task 5.
Tasks
Create Custom lists.
Create Filters.
Add a Security Policy.
Test Security Policies using DNS Forwarding Proxy.
Test Security Policies using Infoblox Endpoint.
Task 1: Creating Custom lists
Use the Education Infoblox Portal credentials to log in to the Infoblox Portal. Create 2 custom lists: an allowlist that only lists the domain www.infoblox.com and a blocklist that contains the entries eicar.co, eicar.stream, and eicar.pw.
Task 2: Creating Filters
In the Infoblox Portal, create 2 filters: a category filter and an application filter.
Task 3: Adding a Security Policy
In the Infoblox Portal, create a new security policy named Techblue Sec Policy. Choose both DFP-1 and Techblue-Endpoints as network scopes. The policy contains the following rules in order:
Allowlist-Custom → Allow (with log)
Blocklist-Custom → Block (No Redirect)
Block-Adult → Block (Default Redirect)
Block-Insta-Tiktok → Block (Default Redirect)
Infoblox_Base (feed) → Block (No Redirect)
Task 4: Testing Security Policies using DNS Forwarding Proxy
On testing-linux, open a terminal window and run the command sudo set-network-static-bloxone
to set a static IP address for the VM. You might get a red error message "Failed to reload network settings: No such file or directory". If you do, re-enter the command.
In the lab environment, use the testing-linux VM to perform DNS lookups against the oph1.techblue.net server. Lookups for the domain www.infoblox.com should be allowed, while lookups for eicar.pw and eicar.host should be blocked with NXDOMAIN. Using a web browser, access several websites and verify the category and application filters are working. Finally, look at the Security Activities under the Reports section to verify that Threat Defense has logged these queries.
Task 5: Testing Security Policies using Infoblox Endpoint
On testing-windows, open the Tools folder on the Desktop and run the interface-static-internet.bat file as an administrator. This sets a static IP address for the VM. If the VM does not get an IP address the first time, run the file again.
In the lab environment, use the testing-windows VM and its web browser to navigate to some websites to verify the security policies are working as intended. www.infoblox.com should be allowed, while sites such as eicar.pw, eicar.stream and eicar.host should be blocked. Access several websites and verify the category and application filters are working. Finally, look at the Security Activities under the Reports section to verify that Threat Defense has logged these queries.
Solutions
Task 1 Solution: Creating Custom lists
Log into your lab’s jump-desktop.
Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.
Navigate to Configure → Security → Policies → Custom Lists.
Click Create Custom List:
Use the name Allowlist-Custom.
Change the default Severity level to Info and leave the Confidence level at High.
Under the Domains and IP Addresses section, click Add and enter the domain www.infoblox.com.
Create another Custom list:
Use the name Blocklist-Custom.
Set both the Severity and Confidence levels to High.
Under the Domains and IP Addresses section, click Add and enter the domains eicar.co, eicar.stream and eicar.pw.
Task 2 Solution: Creating Filters
Navigate to Configure → Security → Policies → Filters.
Click Create Filter and choose Category Filters:
Use the name Block-Adult.
Click the arrow next to the Adult section to add it to the selected column.
Note: Use the search bar on top of the categories section.
Click Create Filter and choose App Filters:
Use the name Block-Insta-Tiktok.
Select both Instagram and TikTok from the application list.
Note: Use the search bar on top of the application list.
Task 3 Solution: Adding a Security Policy
Navigate to Configure → Security → Policies → Security Policies
Click Create Security Policy:
Use the name Techblue Sec Policy and keep the default general tab settings.
Click Next, under the Network Scopes tab:
Click Add Source and choose DNS Forwarding Proxy from the list.
Add DFP-1 and click Save.
Click Add Source and choose Endpoint Groups from the list.
Add Techblue-Endpoints and click Save.
Click Next. Under the Policy Rules tab, add the following rules in this order (rules are evaluated from the top, so the allowlist must sit above the block rules):
Allowlist-Custom → Allow (with log)
Blocklist-Custom → Block (No Redirect)
Block-Adult → Block (Default Redirect)
Block-Insta-Tiktok → Block (Default Redirect)
Infoblox_Base (feed) → Block (No Redirect)
Click Finish, then Save & Close.
Task 4 Solution: Testing Security Policies using DNS Forwarding Proxy
In this task we simulate a machine sitting behind a DFP. The DFP forwards all client DNS traffic to the Threat Defense Cloud, which blocks unwanted or harmful queries according to our Security Policies.
Lab 2801: Deploying NIOS-X Servers is a PREREQUISITE for this task.
Log into your lab's Testing-Linux with the credentials training / infoblox. Open a terminal window and enter the command sudo set-network-static-bloxone
NOTE: This command sets an IP address for the VM in a subnet served by the DFP oph1.techblue.net configured earlier in the lab.
NOTE: You might get a red error message "Failed to reload network settings: No such file or directory". If you do, re-enter the command.
Use the command dig @10.100.0.110 <DOMAIN-NAME> to test the custom lists created earlier:
dig @10.100.0.110 www.infoblox.com should be allowed with the NOERROR response code.
eicar.pw, eicar.stream and eicar.co should all be blocked with an NXDOMAIN response code.
Open a browser window and visit www.gambling.com, www.instagram.com and www.tiktok.com to test the Category and Application filters. All three domains should be redirected to the default Infoblox redirect page.
Use the command dig @10.100.0.110 eicar.host to test the Infoblox_Base feed. The domain should be blocked with an NXDOMAIN response code.
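The following script is an added example for this lab, not part of the Infoblox lab text or of any Infoblox tooling. It issues the same dig queries as the steps above, reduces each answer to the verdict the matching policy rule should produce (NXDOMAIN for Block (No Redirect), an A record pointing at the redirect page for Block (Default Redirect), a normal answer for Allow), and compares that with the expected verdict for every rule in Techblue Sec Policy. Assumptions not taken from the lab: dig is installed on testing-linux, and the IP of the Infoblox redirect page is supplied in REDIRECT_IP (the lab does not state it; read it from the address the browser lands on for www.gambling.com). Without REDIRECT_IP, redirected names are reported as RESOLVED with the IP they returned so you can compare by hand.

```shell
#!/bin/sh
# Added example (not Infoblox code): check Techblue Sec Policy verdicts with dig.
# Assumptions: dig on PATH; DFP address from the lab; REDIRECT_IP is optional.

DFP=${DFP:-10.100.0.110}     # the DFP (oph1.techblue.net) address used in Task 4

# rcode_of: print the response code (NOERROR, NXDOMAIN, ...) from dig output on stdin.
rcode_of() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# a_records_of: print the A record data (one IP per line) from dig output on stdin.
# dig's section headers and the QUESTION line start with ';' and are skipped.
a_records_of() {
    awk '$1 !~ /^;/ && $4 == "A" { print $5 }'
}

# verdict RCODE "A-RECORDS" REDIRECT_IP
#   BLOCKED-NXDOMAIN  Block (No Redirect): custom blocklist or Infoblox_Base feed hit
#   REDIRECTED        Block (Default Redirect): an A record equals the redirect page IP
#   RESOLVED <ips>    allowed (or redirected to an IP you did not pass in REDIRECT_IP)
#   NOERROR-NOANSWER  NOERROR but no A record in the answer
verdict() {
    rcode=$1; answers=$2; redirect_ip=$3
    case $rcode in
        NXDOMAIN) echo BLOCKED-NXDOMAIN; return 0 ;;
        NOERROR)  ;;
        *)        echo "UNEXPECTED-$rcode"; return 0 ;;
    esac
    [ -n "$answers" ] || { echo NOERROR-NOANSWER; return 0; }
    if [ -n "$redirect_ip" ]; then
        for ip in $answers; do
            [ "$ip" = "$redirect_ip" ] && { echo REDIRECTED; return 0; }
        done
    fi
    echo "RESOLVED $answers"
}

# check NAME WANT: query the DFP for NAME and compare the verdict prefix with WANT.
check() {
    name=$1; want=$2
    out=$(dig @"$DFP" "$name" A) || out=""
    answers=$(printf '%s\n' "$out" | a_records_of | tr '\n' ' '); answers=${answers% }
    got=$(verdict "$(printf '%s\n' "$out" | rcode_of)" "$answers" "${REDIRECT_IP:-}")
    case $got in
        "$want"*) echo "PASS  $name -> $got" ;;
        *)        echo "FAIL  $name -> $got (want $want)" ;;
    esac
}

# One check per policy rule, in the order the rules appear in Techblue Sec Policy.
run_lab_checks() {
    check www.infoblox.com   RESOLVED          # Allowlist-Custom: Allow (with log)
    check eicar.co           BLOCKED-NXDOMAIN  # Blocklist-Custom: Block (No Redirect)
    check eicar.stream       BLOCKED-NXDOMAIN
    check eicar.pw           BLOCKED-NXDOMAIN
    check www.gambling.com   REDIRECTED        # Block-Adult: Block (Default Redirect)
    check www.instagram.com  REDIRECTED        # Block-Insta-Tiktok: Block (Default Redirect)
    check www.tiktok.com     REDIRECTED
    check eicar.host         BLOCKED-NXDOMAIN  # Infoblox_Base feed: Block (No Redirect)
}

# Usage on testing-linux:  sh check-policy.sh run
#            or:           REDIRECT_IP=<redirect page IP> sh check-policy.sh run
if [ "${1:-}" = run ]; then run_lab_checks; fi
```

A FAIL on www.infoblox.com with a REDIRECTED verdict is the classic symptom of the allowlist rule sitting below a block rule, so this script is also a quick way to confirm the rule order from Task 3. Note that eicar.host is not in Blocklist-Custom; it is caught by the Infoblox_Base feed, which is why it is listed last.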
Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.
Navigate to Reports → Security → Security Activities.
Use the search bar at the top of the page with query = "<DOMAIN-NAME>" to verify each domain. The domain name appears under the Query field.
Task 5 Solution: Testing Security Policies using Infoblox Endpoint
In this task we simulate a remote worker on an untrusted internet connection. Infoblox Endpoint forwards all the client's DNS traffic to the Threat Defense Cloud, which blocks unwanted or harmful queries according to our Security Policies.
Lab 2804: Managing Infoblox Endpoints is a PREREQUISITE for this task.
Log into your lab's Testing-Windows with the password infoblox. Open the Tools folder on the Desktop and run the interface-static-internet.bat file as an administrator.
NOTE: This file sets an IP address for the VM in a subnet simulating a direct internet connection.
NOTE: If the machine does not get an IP address, run the file again.
Open a browser window and visit www.infoblox.com, eicar.pw, eicar.stream and eicar.co.
www.infoblox.com should be allowed and the Infoblox home page should be visible.
eicar.pw, eicar.stream and eicar.co should all be blocked and the browser should fail to connect to the server.
Visit www.gambling.com, www.instagram.com and www.tiktok.com to test the Category and Application filters. All three domains should be redirected to the default Infoblox redirect page.
Visit eicar.host to test the Infoblox_Base feed. The domain should be blocked and the browser should fail to connect to the server.
Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.
Navigate to Reports → Security → Security Activities.
Use the search bar at the top of the page with device_name = testing-windows to view all the logs for this specific machine. The domain name appears under the Query field.