Configuring Threat Defense Security Policies (2803)

Scenario

Your organization is implementing Infoblox Threat Defense to block malicious and unwanted DNS traffic and bolster its security posture. You're tasked with configuring a Threat Defense security policy for your organization. This policy should:

Always allow a trusted domain, such as our corporate site.
Block malicious threat indicators identified by Infoblox.
Block unwanted domains flagged by your organization's management.
Block adult-themed content such as gambling sites.
Block unwanted social media sites.
Allow Approved Application.

Estimated Completion Time

20 to 30 minutes

Prerequisites

Administrative access to the Infoblox Portal
Deploying NIOS-X Servers (2801)

Tasks

Create Custom lists.
Create Filters.
Add a Security Policy.

Task 1: Creating Custom Lists

Use the Education Infoblox Portal credentials to log in to the Infoblox Portal. Create two custom lists: an allowlist that only lists the domain www.infoblox.com and a blocklist containing entries eicar.co, eicar.stream, and eicar.pw.

Task 2: Creating Filters

In this task, you will create a Category Filter for adult-themed content and an Application Filter for the social media apps Instagram and TikTok.

Task 3: Adding a Security Policy

In the Infoblox Portal, create a new security policy named Techblue Sec Policy.

Don't add any network scopes.
Change the default general tab settings as follows:
1. Change the Precedence Value to 1.
2. Toggle Geolocation ON.
3. Toggle Safe Search ON.
4. Toggle Block DNS Rebinding Attacks ON.
The policy contains the following rules in order:
1. Default Allow → Allow (No log)
  - Default Allow will be listed under Feeds and Threat Insight
2. Allowlist-Custom → Allow (with log)
3. Default Block → Block (No Redirect)
  - Default Block will be listed under Feeds and Threat Insight
4. Threat Insight - Zero Day DNS → Block (No Redirect)
5. Blocklist-Custom → Block (No Redirect)
6. Infoblox_Base (feed) → Block (No Redirect)
7. Infoblox_High_Risk (feed) → Block (No Redirect)
8. Block-Adult → Block (Default Redirect)
9. Block-Insta-Tiktok → Block (Default Redirect)
10. Threat Insight - Data Exfiltration → Allow (with log)
11. Threat Insight - Notional Data Exfiltration → Allow (with log)
12. All Approved Applications → Allow (with log)

Solutions

Task 1 Solution: Creating Custom Lists

In this task, we will create two custom lists, “Allowlist-Custom“ and “Blocklist-Custom“. We will add our partner domain www.infoblox.com to “Allowlist-Custom“ and the three unwanted domains eicar.co, eicar.stream and eicar.pw to “Blocklist-Custom“.

Note: The three unwanted domains are added to the list to simulate an unwanted domain for lab purposes. All three domains are already part of the Infoblox_Base feed and need not be blocked manually.

Log in to your lab’s jump-desktop.
Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.
Navigate to Configure → Security → Policies → Custom Lists.
Click Create Custom List:
1. Use the name Allowlist-Custom.
2. Change the default severity level to Info and leave the Confidence level High.
3. Under the Domains and IP Addresses section:
  1. Click Add
  2. Enter the domain www.infoblox.com.
  3. Click Save & Close.
Create another Custom List:
1. Use the name Blocklist-Custom.
2. Change the default severity and Confidence levels to High.
3. Under the Domains and IP Addresses section:
  1. Enter the domain eicar.co, eicar.stream and eicar.pw.
  2. Click Save & Close.

Task 2 Solution: Creating Filters

In this step, we will create two filters. The first is a category filter, “Block-Adult“, which will match the adult category. The second is an Application filter, “Block-Insta-Tiktok“, which will match two specific applications, Instagram and TikTok.

Navigate to Configure → Security → Policies → Filters.
Click Create Filter and choose Create Category Filters:
1. Use the name Block-Adult.
2. Click the arrow next to the Adult section to add it to the selected column.
  - If you don’t see the Adult category immediately, use the search bar above the Available categories list to locate it quickly.
  - Click Save & Close.
Click Create Filter and choose Create App Filters:
1. Use the name Block-Insta-Tiktok.
2. Use the search bar at the top of the Applications available section to quickly locate Instagram and TikTok.
3. Select both Instagram and TikTok from the application list.
4. Click Save & Close.

Task 3 Solution: Adding a Security Policy

In this task, we will create a new security policy, Techblue Sec Policy. The security policy will enable geolocation, safe search, and DNS rebinding attacks blocking. Network scopes will not be configured as part of this lab. The security policy will follow rule precedence recommendations for a security-biased organization:

Default Section: This section includes rules we are very certain about. It's a short list of rules whose entries have been manually added, ensuring high confidence.
- Default Allow → Allow (No log): This list is empty in this scenario, but it should contain trusted domains that do not need to be logged.
- Allowlist-Custom → Allow (with log): This is a custom list created to allow partner domains, so it needs to be high on the list.
- Default Block → Block (No Redirect): In this scenario, this list is empty, but it should contain either unwanted domains or the very rare feed false-negatives.
High Confidence Block Section: This section contains rules that we are highly confident should be blocked. Since Techblue is a security-biased organization, we will add the high-confidence, low-risk feeds and medium-confidence custom lists to the bottom of the section.
- Threat Insight - Zero Day DNS → Block (No Redirect): This is a Threat Insight Custom List
- Blocklist-Custom → Block (No Redirect): A custom list created to block some unwanted domains
- Infoblox_Base (feed) → Block (No Redirect): A high confidence, high risk Infoblox feed.
- Infoblox_High_Risk (feed) → Block (No Redirect): A high confidence, high risk Infoblox feed.
- Block-Adult → Block (Default Redirect): A Category filter blocking adult content.
- Block-Insta-Tiktok → Block (Default Redirect): An application filter blocking Instagram and TikTok.
Allow Section: This section includes application filters for allowed applications that need to be monitored but not blocked. Usually, medium—and low-confidence rules that should initially be allowed with monitoring logs are added to this section.
- Threat Insight—Data Exfiltration → Allow (with log): This is a Threat Insight Custom List that detects Data exfiltration attempts. It is a medium-confidence list. In this scenario, we chose to allow its entries and monitor its behaviour before deciding on its final action.
- Threat Insight—Notional Data Exfiltration → Allow (with log): This Threat Insight Custom List detects and stops Data exfiltration attempts. It is a low-confidence list. In this scenario, we chose to allow its entries and monitor its behaviour before deciding on its final action.
- All Approved Applications → Allow (with log): This list will be populated by Application Discovery.

Navigate to Configure → Security → Policies → Security Policies
Click Create Security Policy:
1. Use the name Techblue Sec Policy and change the default general tab settings as follows:
  1. Set the Precedence Value to 1.
  2. Toggle Geolocation ON.
  3. Toggle Safe Search ON.
  4. Toggle Block DNS Rebinding Attacks ON.
Click the Policy Rules tab add the following rules:
1. Default Allow → Allow (No log)
2. Allowlist-Custom → Allow (with log)
3. Default Block → Block (No Redirect)
4. Threat Insight - Zero Day DNS → Block (No Redirect)
5. Blocklist-Custom → Block (No Redirect)
6. Infoblox_Base (feed) → Block (No Redirect)
7. Infoblox_High_Risk (feed) → Block (No Redirect)
8. Block-Adult → Block (Default Redirect)
9. Block-Insta-Tiktok → Block (Default Redirect)
10. Threat Insight - Data Exfiltration → Allow (With log)
11. Threat Insight - Notional Data Exfiltration → Allow (With log)
12. All Approved Applications → Allow (With log)
Click Finish, then Save & Close.