2803 - Configuring BloxOne Security Policies


Scenario

You are tasked with deploying a new security policy for your organization. You will use BloxOne Threat Defense security policies to exclude your organization's local domains from being processed by the BloxOne cloud, use static custom lists to block specific domains, enable safe search and geo-location to comply with your organization's rules, and use Infoblox's various feeds to block malicious traffic.

Estimate Completion Time

  • 60-90 mins

Course Reference

  • 2102: BloxOne Security Policies

Prerequisites

  • Administrative access to the CSP

  • Lab 2802: Enabling DNS Forwarding Proxies on BloxOne Hosts

Tasks

  • Task 1: Create Internal domains

  • Task 2: Create a Custom lists Allowlist and Blocklist

  • Task 3: Create a Category Filter

  • Task 4: Create Security Policies

  • Task 5: Verifying policies

  • Task 6: Creating and Testing Bypass Codes


Task 1: Create Internal domains

  • Create an internal domain with the name Techblue-Internal

    • Add techblue.com so that it is excluded from being processed by the cloud

Task 2: Create a Custom lists Allowlist and Blocklist

  • Create two custom lists Allowlist and Blocklist

    • Add infoblox.com and www.infoblox.com to the allowlist custom list

    • Add vanglabbeek.us and www.vanglabbeek.us to the blocklist custom list

Task 3: Create a Category Filter

  • Create a Category Filter with the name Unwanted Content

    • Add Drugs, Mature/Violent, Pornography/Nudity categories and Gambling and Gambling related sub-categories into the filter

Task 4: Create Security Policies

  • Create a new security policy with the name Techblue-policy with Geo-location and safe search enabled

    • Add both BloxOne hosts and/or the endpoint group as your data sources

    • Add your rules in this order:

      1. Add Allowlist as a rule to be allowed with no logging

      2. Add Blocklist as a rule to be blocked

      3. Add Unwanted Content as a rule to be redirected

      4. Add AntiMalware feed as rule to be blocked

Task 5: Verifying policies

  • Using dig on your testing-linux machine and your testing-windows machine, verify that your policy rules behave as expected against 10.100.0.110 and 10.200.0.110:

    • infoblox.com should be allowed and queried

    • vanglabbeek.us should not be accessible

    • Gambling.com should be redirected

    • streamthembase.top, a known malware domain, should not be accessible

    • Use security activity reports in CSP to verify the correct rules were triggered

The command interface-static-bloxone.bat is used to set an IP address for “testing-windows”; to verify that an IP was configured, run the command ipconfig in Command Prompt.

The command sudo set-network-static-bloxone is used to set an IP address for “testing-linux”; to verify that an IP was configured, run the command ifconfig in a terminal window.

Task 6: Creating and Testing Bypass Codes

  • Create a bypass code with the name Techblue-bypass; make sure the code will not expire before you test it

    • Use the code against the Unwanted Content filter and add it to your security policy Techblue-Policy

    • Using your testing-windows machine, verify that gambling.com will allow bypass codes to be used


Solutions

Task 1 solution: Create Internal domains

  1. In your CSP browser window, navigate to Manage > Internal Domains and click Create Internal Domain.

  2. Enter Techblue-internal as the name and “excluded internal domains” as the description.

  3. Expand Internal Domains, add techblue.net as your internal domain entry, then click Save & Close.

  4. Navigate to Manage > Infrastructure > Services, select DFP-OPH2, click the Edit button, and select DNS Forwarding Proxy.

  5. Expand Internal Domain Lists, click Add and choose Techblue-internal from the list.

Task 2 solution: Create a Custom lists Allowlist and Blocklist

  1. In your CSP browser window, navigate to Policies > Security Policies, select Custom Lists from the menu, and click Create Custom List.

  2. Enter Allowlist as the name for the custom list you are creating and “Domain users are allowed to visit” in the description box; set Level to medium and Confidence to high.

  3. Under the Domains/IP Addresses section, click Add and enter infoblox.com, then click Add again and enter www.infoblox.com, and finally click Save & Close.

  4. Click Create Custom List and enter BlockList as the name for this list and “Blocked Domains” as the description.

  5. Under the Domains/IP Addresses section, click Add and enter vanglabbeek.us, then click Add again and enter www.vanglabbeek.us, and finally click Save & Close.

Task 3 solution: Create a Category Filter

  1. In your CSP browser window, navigate to Policies > Security Policies, select Filters from the menu, click Create Filter, and choose Create Category Filter from the drop-down menu.

  2. Enter Unwanted Content as its name, then from the list below check the Criminal Activity and Adult categories (expand them to see that checking a category automatically adds all of its sub-categories).

  3. Click Save & Close.

Task 4 solution: Create Security Policies

  1. In your CSP browser window, navigate to Policies > Security Policies and click Create Security Policy.

  2. In the General tab, enter Techblue-Policy in the Name field, ensure that Geolocation and Safe Search are enabled, leave Local On-Prem Resolution disabled, and click Next.

  3. Under Network Scope, click Add Source and select DNS Forwarding Proxy from the list; select DFP-OPH1 and DFP-OPH2 by clicking the arrow icon next to each one, and click Save.

  4. Under Policy Rules, click Add Rule and select Custom List from the menu; choose the AllowList custom list as the name and Allow-No Log as the action.

  5. From the Add Rule menu select Custom List, choose BlockList as the name and Block-No Redirect as the action.

  6. From the Add Rule menu select Category Filter, choose Unwanted Content as the name, and Default Redirect as the action.

  7. From the Add Rule menu select Feeds and Threat Insight, choose AntiMalware as the name and Block-No Redirect as the action.

  8. At the top of the page, verify that Default Action is set to Allow.

  9. Click Next; on the Bypass Codes page, make sure the Selected column is empty, then click Next.

  10. Verify your configuration on the Summary page by clicking the arrow icons next to the configured sections; once done, click Save & Close.

Reasons behind our action selection:

  1. Our Allowlist allows users to access domains that we trust and know are safe, so keeping logs won't be helpful and can actually cause us to miss more important events.

  2. The Blocklist blocks access to specific known domains, which is why we chose to block access with no redirection; we simply want to stop access to these domains.

  3. For our category filter we need our users to know they have been redirected away from a banned domain category, hence our choice.

  4. Our feed rule acts like the Blocklist: it should deny access to malicious domains identified by Infoblox, and we simply need to stop access to these domains.

Task 5 solution : Verifying policies

  1. Switch over to testing-linux and open a terminal window.

  2. To test that AllowList is working, look up infoblox.com using dig: run the command dig @10.100.0.110 infoblox.com. You should get an output like this:

  3. To test that DenyList is working, look up www.vanglabbeek.us using dig: run the command dig @10.100.0.110 www.vanglabbeek.us. You should get an output like this:

  4. To test that our category filter Unwanted Content is working, switch to the testing-windows machine.

  5. Open the Tools folder on your desktop and run interface-static-bloxone.bat as an administrator.

  6. Navigate to gambling.com in a web browser; you should get an output like this:

  7. To test our Threat Insight & Feeds rule, look up streamthembase.top, a known malware download domain, using dig: switch back to testing-linux and in a terminal window enter the command dig @10.200.0.110 streamthembase.top. You should get an output like this:

  8. Switch back to the Jump-Desktop machine; in your CSP browser window, navigate to Reports > Security Activity. You should see all the requests we made listed under Security Events:
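The dig checks in steps 2, 3 and 7 can be scripted so that the whole Task 5 matrix (every expected outcome against both resolvers) is verified in one run. This is an added example, not part of the lab or Infoblox's tooling; it assumes that a blocked lookup comes back as NXDOMAIN or an empty NOERROR answer, that a redirected lookup answers with the address of the redirect page (REDIRECT_IPS is a placeholder you must replace with what your lab returns), and that dig is installed on testing-linux.

```python
import re
import subprocess

# Resolvers and expected outcomes as stated in Task 5 of the lab.
RESOLVERS = ["10.100.0.110", "10.200.0.110"]
EXPECTED = {
    "infoblox.com": "allowed",         # Allowlist, Allow-No Log
    "www.vanglabbeek.us": "blocked",   # Blocklist, Block-No Redirect
    "gambling.com": "redirected",      # Unwanted Content, Default Redirect
    "streamthembase.top": "blocked",   # AntiMalware feed, Block-No Redirect
}
# Assumed placeholder: replace with the address the redirected lookup returns in your lab.
REDIRECT_IPS = {"192.0.2.10"}

STATUS_RE = re.compile(r"status: (\w+)")
A_RECORD_RE = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)", re.MULTILINE)

def classify(dig_output, redirect_ips=REDIRECT_IPS):
    """Map raw dig output to allowed / blocked / redirected / error.
    Assumes a blocked lookup returns NXDOMAIN or an empty NOERROR answer."""
    m = STATUS_RE.search(dig_output)
    if not m:
        return "error"              # no header: timeout, refused connection, etc.
    status = m.group(1)
    if status == "NXDOMAIN":
        return "blocked"
    if status != "NOERROR":
        return "error"              # SERVFAIL, REFUSED: resolver problem, not a policy verdict
    answers = A_RECORD_RE.findall(dig_output)
    if not answers:
        return "blocked"
    if any(ip in redirect_ips for ip in answers):
        return "redirected"
    return "allowed"

def run_checks(resolvers=RESOLVERS, expected=EXPECTED):
    """Query every resolver for every domain; return (resolver, name, got, passed) tuples."""
    results = []
    for resolver in resolvers:
        for name, want in expected.items():
            proc = subprocess.run(["dig", "@" + resolver, name, "+time=3", "+tries=1"],
                                  capture_output=True, text=True)
            got = classify(proc.stdout)
            results.append((resolver, name, got, got == want))
    return results

# Constructed sample of a redirected answer, used to show classify() offline.
SAMPLE_REDIRECT = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
                   ";; ANSWER SECTION:\ngambling.com.\t60\tIN\tA\t192.0.2.10\n")
assert classify(SAMPLE_REDIRECT) == "redirected"
```

Run `run_checks()` from testing-linux and compare each tuple's last field with the Security Activity report in CSP; an "error" verdict means the resolver itself did not answer, not that a rule fired.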

Task 6 solution: Creating and Testing Bypass Codes

  1. Navigate to Administration > Bypass Codes and toggle Bypass Code to Enabled.

  2. Click Create Bypass Code.

  3. Enter the name Techblue-bypass and optionally a description. Examine the Beginning and Expiry dates; we will keep the default, active for 24 hours.

  4. Expand and check Category Filters, make sure that Unwanted Content is selected, and finally click Save & Close.

    Copy or memorize the VALUE field; this code will be used in a later step.

  5. Navigate back to Policies > Security Policies, select the Techblue-Policy policy, and click Edit.

  6. Under Bypass Codes, move Techblue-bypass to the Selected column, click Finish, then Save & Close.

  7. To test whether the bypass code is working, switch to the testing-windows machine.

  8. Navigate to gambling.com in a web browser; you should get an output like this. Enter the code from the VALUE column on the Bypass Codes page in CSP:
