Threat Defense Lab Instructions
Before you can begin your exercises, you'll need to:
Create an Infoblox Portal Tenant – This is your personal trial tenant, to avoid doing work in your production tenant.
Deploy a Universal DDI and Threat Defense Lab environment. We recommend deploying the lab for at least two weeks to allow you to complete all lab exercises and return to them if required.
Configure the systems in your lab environment and link them to your Infoblox Portal tenant (you'll do this in the first lab exercise, Deploying NIOS-X Servers, lab 2801).
At Techblue, the IT team was on a mission to boost the company's cybersecurity. They had just rolled out Infoblox Threat Defense—an innovative system designed to detect and block harmful and unwanted DNS traffic. Your role in this journey was to help bring that system to life, step by step.
Environment Build/Deployment
The Environment Build/Deployment section is mandatory and cannot be skipped. Each subsequent scenario is designed to be independent and can stand alone.
If your previous lab environment has expired, the configuration and policy work you did in the Infoblox Portal tenant is retained. However, the new lab environment is not linked to that tenant automatically, so you will need to connect it to your Infoblox Portal tenant again (the same steps as in lab 2801) before continuing with any scenario.
As part of a broader initiative to strengthen the organization's network infrastructure, you will begin by deploying new NIOS-X servers at both the headquarters and branch office locations. These servers will be the foundation for the company's secure and intelligent DNS services.
Once the servers are in place, you will design a unified security policy for all locations. This policy will be crafted to reflect the organization's security goals and acceptable use standards, ensuring consistent protection and control over DNS traffic no matter where users are located.
With the infrastructure ready and the policy framework defined, you will prepare to connect everything together, laying the groundwork for a more secure, centralized, and manageable network environment.
Scenario 1: Protecting Main and Branch Offices
You will start by focusing on the NIOS-X servers located at both the headquarters and branch offices. These servers need to forward DNS traffic to the Threat Defense cloud to enable real-time inspection. You will enable the DNS Forwarding Proxy (DFP) service on two servers, one located at headquarters and one at a branch office.
Next, you will add the DFP-enabled NIOS-X servers to the company's existing security policy, ensuring that DNS queries forwarded by those servers to the Threat Defense cloud are inspected and the policy is applied to them. To verify the setup, you will simulate various types of traffic from clients behind the servers, some safe and some potentially harmful, and confirm that benign queries resolve normally while queries matching the policy are blocked or redirected as intended.
Enabling the DNS Forwarding Proxy Service (DFP) on a NIOS-X Server (2802)
This lab covers setting up the DFP service on a NIOS-X server.
Integrating DNS Forwarding Proxy Service (DFP) into a Security Policy (2816)
This lab covers adding DFP service instances to a security policy and testing security policies against the service.
Intercepting Exfiltration with Threat Insight (2814)
This lab showcases a use case where Security Insights detects and stops a Data Exfiltration attempt using security policies.
Scenario 2: Protecting Roaming Clients
After successfully deploying the DFP service, you will focus on employees working remotely or constantly on the go. Their laptops, smartphones, and tablets are not behind a NIOS-X server, so the DFP cannot see their DNS traffic; they require the same level of protection as devices connected to the office network. To address this, you will deploy the Infoblox Endpoint agent on a company-managed Windows device and add it to a new Endpoint Group called "Techblue Endpoints". This group will then be incorporated into the security policy, ensuring that mobile users receive the same level of protection as those working in the office. You will conduct several tests from the Windows device and confirm that the security rules are enforced.
Installing and Managing Infoblox Endpoints (2804)
This lab covers installing endpoints (on Windows) and adding them to an endpoint group.
Adding Endpoint Groups to Security Policies (2815)
This lab covers adding an endpoint group to a security policy and testing security policies against it.
Scenario 3: Monitoring DNS using Threat Defense Activity and Discovery Reports
In addition to the labs in the Environment Build/Deployment section, you need to complete the following labs before starting this scenario:
Things were running smoothly after successfully rolling out Infoblox Threat Defense across the organization. The DNS Forwarding Proxy (DFP) services were up and running on NIOS-X servers, and Endpoint protection had been deployed to laptops and mobile devices. Everyone—from headquarters to remote workers—was now covered under a unified security policy. It felt like a big win for the IT team.
Then, one morning, something unusual happened.
While reviewing the Threat Defense dashboard, you noticed a sudden spike in DNS traffic. It wasn't part of any planned activity, and it stood out. Curious and a bit concerned, you decided to dig deeper. You opened the DNS and security activity reports and began tracing the source of the surge.
Using Threat Defense Reports (2807)
This lab covers identifying suspicious activity and demonstrates how to leverage activity reports to investigate and analyze the incident.
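The two kinds of finding this scenario and the earlier exfiltration lab (2814) revolve around, a volume spike from one client and a run of unique, long, high-entropy subdomains under a single domain, can be checked outside the Portal as well. The script below is an added example, not part of the lab material or an Infoblox tool: it builds a constructed DNS query log in a simple "timestamp client qname qtype" format (not the Threat Defense export format), then flags per-client-per-minute buckets that exceed a multiple of the median rate and client/domain pairs whose leftmost labels look like encoded data. Thresholds, log layout and host addresses are assumptions for illustration.

```python
"""DNS log triage: per-client volume spikes and exfiltration-shaped names (added example)."""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime


def build_sample_log() -> str:
    """Constructed sample log, not Infoblox output.
    One query per line: '<ISO timestamp> <client IP> <qname> <qtype>'."""
    lines = []
    benign = ["www.example.com", "mail.example.com", "login.example.com", "cdn.example.org"]
    # Three office clients, four queries each per minute over three minutes: a flat baseline.
    for minute in range(3):
        for i, src in enumerate(("10.1.1.20", "10.1.1.21", "10.1.1.22")):
            for j, name in enumerate(benign):
                ts = f"2024-05-06T09:0{minute}:{(i * 4 + j) * 4:02d}"
                lines.append(f"{ts} {src} {name} A")
    # One host (assumed address 10.1.1.99) suddenly sends 30 TXT queries in minute 09:02,
    # each with a unique 32-hex-char leftmost label under one domain: the shape of a DNS tunnel.
    for k in range(30):
        label = hashlib.sha256(f"chunk-{k}".encode()).hexdigest()[:32]
        lines.append(f"2024-05-06T09:02:{k:02d} 10.1.1.99 {label}.exfil.example.net TXT")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse the constructed format into records with a datetime, client, qname and qtype."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def find_spikes(records: list, factor: float = 5.0, min_queries: int = 20) -> list:
    """Return (client, minute, count) for buckets at or above factor x the median
    per-client-per-minute count, and at least min_queries queries."""
    per_bucket = Counter((r["src"], r["ts"].replace(second=0)) for r in records)
    counts = sorted(per_bucket.values())
    median = counts[len(counts) // 2]
    threshold = max(min_queries, factor * median)
    return sorted((src, minute.isoformat(), n)
                  for (src, minute), n in per_bucket.items() if n >= threshold)


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data approaches 4.0, English words sit much lower."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def exfil_suspects(records: list, min_unique: int = 10,
                   min_label_len: int = 20, min_entropy: float = 3.0) -> list:
    """Group queries by (client, base domain) where the base domain is approximated
    as the last two labels; flag groups with many unique, long, high-entropy leftmost labels."""
    groups = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) < 3:
            continue  # no subdomain to carry data
        groups[(r["src"], ".".join(labels[-2:]))].add(labels[0])
    suspects = []
    for (src, base), subs in groups.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            suspects.append({"src": src, "base": base, "unique_labels": len(subs),
                             "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return suspects


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("spikes:", find_spikes(recs))
    print("exfil suspects:", exfil_suspects(recs))
```

The two checks are deliberately separate: a spike without odd names is often a misconfigured client or a monitoring job, and a tunnel can stay under the volume threshold by trickling queries, so in practice you run both and pivot from the flagged client to its full query list, which is what the activity reports in lab 2807 let you do for real traffic.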
After identifying the recent DNS traffic spike and presenting your findings to the team, you felt confident in the security systems you had helped put in place. But the incident also left you thinking: What else might be flying under the radar?
You decided it was time to be more proactive.
To gain deeper insight, you will begin reviewing the Application Discovery Report to see which applications are active across the organization. Some entries will catch your attention—applications you won't immediately recognize or expect to see.
You will also explore the Web Content Discovery Report to build a fuller picture. This will help you observe patterns in web usage and identify the types of content users are accessing. As you go through the data, specific trends will begin to emerge, prompting further questions and considerations.
Using Application Discovery Reports (2809)
This lab goes through identifying your organization's application usage through Application Discovery Reports.
Using the Web-Content Discovery Report (2810)
This lab goes through identifying your organization's web usage through Web-Content Discovery Reports.