Getting Started with BloxOne Threat Defense Cloud
Infoblox BloxOne Threat Defense Cloud is a SaaS offering designed to provide protection to devices on and off-premises, including roaming, remote, and branch offices. It provides visibility into infected and compromised devices, prevents DNS-based data exfiltration, and automatically stops device communications with command-and-control servers (C&Cs) and botnets, in addition to providing recursive DNS services in the cloud. Using BloxOne Threat Defense Cloud it is possible to manage external networks or to optionally deploy the DNS forwarding proxy.
This section explains the main steps required to configure, deploy, and manage your network using BloxOne Threat Defense Cloud.
With the exception of BloxOne Endpoint, running BloxOne software usually, but not always, requires an On-Prem Host, which is available in virtual and preconfigured hardware options. You can download an installer package for VMware or for a Docker container. Virtual deployment allows you to run BloxOne on your own equipment cost-effectively and with the greatest flexibility. When deploying DFP, keep in mind that for sites that require a dedicated BloxOne hardware solution, or that do not already have hardware present, Infoblox has tested and certified several common server configurations.
Deploying On-Prem Host
Typically, most organizations keep the default values when configuring an on-prem host. However, if you are running a hybrid cloud environment, you can deploy DNS forwarding proxy as a service on an on-prem host and connect it to BloxOne Threat Defense Cloud, so you can take advantage of the security features that BloxOne Threat Defense Cloud offers. You can deploy DNS forwarding proxies as a VM image or a Docker container. You can also deploy a DNS forwarding proxy that uses an HTTP proxy to forward DNS queries to BloxOne Cloud. DFP is also available on NIOS.
If your network infrastructure allows, you can configure the MTU (Maximum Transmission Unit) for your on-prem hosts. The MTU is the largest packet size, specified in octets (eight-bit bytes), that can be sent in a single network-layer transaction. MTU configuration is supported for both IPv4 and IPv6 networks, and the default is 1500. You can override the default to set a smaller or larger MTU based on your network requirements. You can also enable or disable path MTU discovery; the default is enabled. Note that you can configure the MTU only for OVA deployments, and only when you first deploy an OVA on-prem host. For information, see
After deployment, you can adjust the MTU value through the Cloud Service Portal or Device UI. However, you can enable or disable path MTU discovery only through the Device UI. For more information, see
Creating an On-Prem Host
Before you create a new host, consider the following:
- On-prem hosts for physical BloxOne B1-105 appliances are created automatically, with the correct serial number, when Infoblox ships them. Do not manually create an on-prem host for a BloxOne physical appliance.
- Virtual on-prem hosts are created automatically when they connect to the Cloud Services Portal using a valid token.
To create an on-prem host, complete the following:
From the Cloud Services Portal, click Manage -> On-Prem Hosts.
Click Create Host.
On the Create On-Prem Host page, specify the following:
- Name: The name of the on-prem host.
- Description: Enter additional information about the on-prem host.
- IP Space: Select the IP space from the drop-down. The on-prem host will be assigned to the selected IP space. For more information on IP space, see Configuring IP Spaces.
- Tags: Click Add to associate keys with the on-prem host and specify the following:
  - KEY: Enter a meaningful name for the key, such as a location or a department.
  - VALUE: Enter a value for the key. Select the respective check box and click Remove to delete the associated key. For information about tags, see Managing Tags.
- Applications & Services: Click Add to associate licenses and services with the on-prem host, or click Remove to delete the entry.
  - LICENSES: Displays the license, its license tier, and additional information about the license. Click to reorder the columns.
  - SERVICES: Displays the list of services associated with the respective license and the state of each. You can enable or disable a particular service by moving its slider. Click to reorder the columns.
Click Save & Close to save the details or click Cancel to exit.
Infoblox provides the Docker Container and OVA deployment packages, so you can deploy on-prem hosts in a virtual infrastructure of your choice. Note that you can run multiple services on an on-prem host, including DNS forwarding proxies. Virtual on-prem hosts are automatically created when you use a join token to connect them to BloxOne Threat Defense Cloud. For information about join tokens, see Managing Join Tokens for On-Prem Hosts.
Infoblox recommends that you use Docker version 19.03.5 to avoid an issue in which the Docker container might re-deploy continuously, resulting in multiple deployments of the on-prem host. In addition, Kubernetes is not supported.
Before you start your on-prem host deployment, review the following topics to confirm that your environment supports the deployment:
Threat Insight provides protection against data exfiltration that uses sophisticated DNS-tunneling techniques, and against DNSMessenger, DGA, and fast flux, by utilizing built-in statistics of the DNS infrastructure. These statistics can be used to detect and block data exfiltration using only DNS, with no additional endpoint software, security appliances, or network infrastructure. Threat Insight is always active in your subscription, but your organization can elect whether or not to use the threats it detects to block traffic.
Threat Insight uses patented technology that detects and automatically blocks data exfiltration via DNS without requiring endpoint agents or extra network infrastructure. It uses real-time streaming analytics of live DNS queries and machine learning to accurately detect the presence of potential data exfiltration activity within data queries.
Active Blocking of Data Exfiltration Attempts
By adding the destinations to a blacklist for the RPZ-based mitigation, Threat Insight automatically blocks communications to destinations associated with attempts to exfiltrate data. Through the Infoblox Grid, which distributes updates to all Infoblox members with DNS Firewall and RPZ capability, Threat Insight scales enforcement to all parts of the network. Threat Insight provides visibility into infected devices and employees who try to steal data, and it provides identifying information, such as username (through Identity Mapping), device IP and MAC addresses, and device type.
Reports generated by Threat Insight can be accessed through the Infoblox Reporting and Analytics server.
Unique Patented Technology
Threat Insight is a patented technology that uses machine learning and performs real-time streaming analytics on live DNS queries to detect data exfiltration. It examines host.subdomain and TXT records in DNS queries and uses entropy, lexical analysis, time series and other factors to determine the presence of suspicious data in queries.
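The paragraph above names the kinds of signals a DNS-based exfiltration detector looks at: the entropy and lexical shape of the host.subdomain part of a query, the use of TXT records, and the stream of queries itself. The following is an added example, not Infoblox code and not a description of how Threat Insight is implemented; it scores a constructed sample of queries per client and registered domain using those signals. The thresholds, the two-label notion of "registered domain", and the rule that two or more signals are needed to flag a group are all assumptions for illustration.

```python
"""Added example (not Infoblox code): heuristic detection of DNS-tunnelling
style exfiltration from a batch of DNS queries, using label entropy, subdomain
length, TXT-record share, and the number of distinct subdomains per domain."""
import math
from collections import defaultdict

# Constructed sample of DNS queries: (client IP, queried name, record type).
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.9", "cdn.static-assets.example.org", "A"),
    # Hex-encoded chunks carried in the subdomain, typical of tunnelled data.
    ("10.0.0.7", "4a6f686e20446f65.3132333435.tunnel.example.net", "TXT"),
    ("10.0.0.7", "5365637265742064.3637383930.tunnel.example.net", "TXT"),
    ("10.0.0.7", "7061737377303264.3132333435.tunnel.example.net", "TXT"),
]


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain part, registered domain).

    Assumption: the registered domain is the last two labels. A real deployment
    would consult the Public Suffix List so that e.g. 'co.uk' is handled."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_group(records, min_len=24, min_entropy=3.0, min_unique=3, txt_share=0.5):
    """Return the list of reasons a (client, domain) group looks like tunnelling.

    Thresholds are assumptions chosen for this sample, not product values."""
    subs = {split_name(q)[0] for q, _ in records} - {""}
    if not subs:
        return []
    avg_len = sum(len(s) for s in subs) / len(subs)
    avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
    txt = sum(1 for _, t in records if t == "TXT") / len(records)
    reasons = []
    if avg_len >= min_len:
        reasons.append(f"long subdomains (avg {avg_len:.1f} chars)")
    if avg_ent >= min_entropy:
        reasons.append(f"high-entropy labels (avg {avg_ent:.2f} bits/char)")
    if len(subs) >= min_unique:
        reasons.append(f"{len(subs)} distinct subdomains")
    if txt >= txt_share:
        reasons.append(f"{txt:.0%} of queries are TXT")
    return reasons


def find_exfiltration(queries, min_reasons=2):
    """Group queries by (client, registered domain) and flag groups that trip
    at least min_reasons signals. Returns {(client, domain): [reasons]}."""
    groups = defaultdict(list)
    for client, qname, qtype in queries:
        groups[(client, split_name(qname)[1])].append((qname, qtype))
    findings = {}
    for key, records in groups.items():
        reasons = score_group(records)
        if len(reasons) >= min_reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in find_exfiltration(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {'; '.join(reasons)}")
```

Requiring more than one signal keeps ordinary CDN or mail hostnames (short, low-entropy, few distinct subdomains) from being flagged, while the hex-chunk queries to `tunnel.example.net` trip all four. In practice the same scoring would run over a sliding window of live queries rather than a static batch.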
Automated Security Response with Integrations
When an endpoint is trying to exfiltrate data, Infoblox provides indicators of compromise to endpoint remediation solutions such as Carbon Black. Using this intelligence, Carbon Black automatically bans the malicious processes from future execution and quarantines the infected endpoint. These actions accelerate security responses. Infoblox also exchanges security event information with Cisco Identity Services Engine (ISE) and provides robust RESTful APIs, which can enrich an enterprise’s SIEM with additional contextual data.
- Other Products Needed with Threat Insight: To ensure not just detection of data exfiltration but also enforcement of protection, Threat Insight must be deployed with BloxOne Threat Defense. Threat Insight will create an RPZ entry in all Infoblox appliances running security.
- Hardware or Software Delivery Options: Threat Insight can run on physical or virtual Infoblox appliances, and it works on the following models of Infoblox appliances: PT-1405, TE-1415/V1415, TE-1425/V1425, TE-2210/v2210, 2215/v2215, TE-2220/v2220, 2225/v2225, PT-2200, PT-2205, IB-4010/v4010, V4015, TE-V4010/V4015, PT4000, IB-4030-DCAGRID-AC/DC, IB-4030-DCAGRID-T1-AC/DC, IB4030-DCAGRID-T2-AC/DC and IB-4030-DCAGRID-T3-AC/DC.
A security policy is a set of rules and actions that you define to balance access and constraints, so you can mitigate malicious attacks and provide security for your networks. BloxOne Threat Defense Cloud provides a default global policy that gives you a head start in protecting your networks. You can review the default global policy and decide whether you want to add or remove some of the rules based on your business requirements.
In addition to the default global policy, you can add new security policies from scratch or clone an existing policy to complement the default policy. When you create a new security policy, you must first define a network scope to which you add external networks, user groups, DNS forwarding proxies, DDI IPAM, and Endpoint groups. BloxOne Threat Defense Cloud applies the security policy to all the entities that you include in the network scope. After you define the network scope, you can add policy rules and specify actions and their precedence order.
For additional information on setting up and configuring security policies, see Configuring Security Policies.
Optional BloxOne Threat Defense Components
BloxOne™ Endpoint is a lightweight mobile agent that connects to the BloxOne Threat Defense Cloud service to secure roaming end users in varying environments such as home offices, branch offices, public spaces, and more. Endpoint protects users, devices, and systems no matter where they are, extending enterprise-level security to remote locations and work-from-home environments. It leverages the power of your core network services to provide a foundational layer of security for on-prem, cloud, and hybrid networks, streamlining and automating threat responses.
Deploying BloxOne Endpoint
BloxOne Endpoint can be deployed using many methods, both manually and via automation. If an automated method is selected, ensure that BloxOne Endpoint has its own folder, that the correct Customer ID is used, and that all files contained within the .zip file are present when it is distributed. Once installed, BloxOne Endpoint updates itself automatically when updates are available.
For additional information on the installation and deployment of BloxOne Endpoint, see Installing Endpoint.
DNS Forwarding Proxy
DNS Forwarding Proxy (DFP) is a DNS forwarder that forwards DNS queries to BloxOne Threat Defense Cloud or to a local DNS server. DFP runs on the On-Prem Host, where it continually monitors connectivity to BloxOne Threat Defense Cloud. For customers who purchased BloxOne Threat Defense, if the On-Prem Host cannot reach the BloxOne Threat Defense Cloud Anycast DNS server for any reason, DFP sends requests to a local DNS server, which protects clients via security RPZ (DNS Firewall) feeds.
DNS Forwarding Proxy is a virtual appliance that redirects DNS traffic from remote devices when installing an endpoint agent is not desirable or possible (for example, on internal networks or IoT devices). This solution enables an agentless deployment that embeds the client IP and MAC address into DNS queries before forwarding them to Infoblox Cloud. The DNS Forwarding Proxy fallback DNS server is used when the primary server is unavailable, so falling back to a local DNS server covers situations where BloxOne Threat Defense Cloud is unreachable.
Before you can apply security policies, you must first define the networks that you want to protect from malicious attacks. The first step in configuring BloxOne Threat Defense Cloud is to set up DNS Firewall by defining your remote networks. You identify these external networks by their IP addresses. A network can contain a group of IPv4 addresses or blocks. If you plan to use multiple external networks in your configuration, Infoblox recommends that you register all your networks as soon as possible. Pre-registering your networks ensures that they will be available when traffic is pointed at them and prevents IP space belonging to your company from being incorrectly assigned. Please be aware that no protection is provided for traffic pointed to a network that has not yet been registered.
Infoblox’s cloud-managed Data Connector automatically collects DNS query-and-response data and security logs from various sources. Through the SCP protocol, Data Connector then forwards this data to the NIOS reporting server and third-party indexers, such as a SIEM. This process filters the information and transfers it to security operations center (SOC) tools, such as a SIEM solution, for easy correlation of events. The data is used to enrich Infoblox reports and furnish a seamless, integrated view into network and security events across on-prem and cloud (hybrid) deployments.
Data Connector is available as part of BloxOne Threat Defense, the Infoblox solution suite that works with an organization’s existing defenses to protect the network and automatically extend security to digital imperatives, including SD-WAN, IoT and the cloud. Because it is managed in the cloud, the Data Connector utility offers flexible scalability and ease of use for administrators.
For additional information on the installation and deployment of Data Connector, see Data Connector.
TIDE, the Threat Intelligence Data Exchange, leverages highly accurate machine-readable threat intelligence (MRTI) data to aggregate, curate, and distribute data across a broad range of infrastructure. TIDE enables organizations to easily consume threat intelligence from various internal and external sources, and to effectively defend against and quickly respond to cyber threats. TIDE is backed by the Infoblox Cyber Intelligence Unit (CIU), which normalizes and refines high-quality threat intelligence data feeds. TIDE collects and manages curated threat intelligence from internal and external sources in a single platform. It enables security operations to remediate threats more rapidly by sharing normalized TIDE data in real time with third-party security systems such as Palo Alto Networks, SIEMs, and others. Because the MRTI data is selectively distributed across a broad range of security infrastructure, the end result is a highly refined feed with a very low historical false-positive rate.
For additional information on using TIDE for your threat intelligence needs, see Infoblox Quick Start Guide for Dossier and TIDE.
Dossier is a threat investigation and research tool that provides analysts, threat researchers, security staff, and SOC team members with simultaneous contextual information on threats from multiple sources, including TIDE. Having immediate contextual information lets threat analysts save precious time in taking action against identified threats. Dossier automates the collection and correlation of threat intelligence from dozens of open-source, proprietary, and premium commercial resources and presents the aggregated data in a single view. By enabling analysts to quickly pivot between intelligence sources and complete investigations, Dossier helps analysts respond to threats rapidly and effectively.
For additional information on using Dossier for your threat research, see the Infoblox Dossier User Guide.
Custom Lookalike Domain Monitoring
BloxOne Threat Defense supports custom lookalike domain monitoring for viewing and searching lookalike domains. Custom Lookalike Domain Monitoring applies the global lookalike domain feature to specific domains that are critical to the user. Using a customer-defined list of domains, an organization can add the company's own domain, or domains frequently visited by or controlled by the organization, in order to receive advance warning of common attack vectors. Using Custom Lookalike Domain Monitoring, users can potentially avert unknown attacks and prevent potentially "brand-affecting" incidents.
Lookalike domains are domains that are found to be visually similar (homographs) when compared to the domains they are attempting to imitate. Lookalike domains are composed using methods such as replacing letters with visually confusing ones (e.g. o to 0, l to 1, w to vv), switching to different top-level domains (e.g. .com to .cc), or by using the IDN character set or Punycode characters to mimic the legitimate domains they are attempting to exploit. Lookalike domains are often found in cyber attacks seeking brandjacking, traffic redirection, "typosquatting," and phishing.
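The paragraph above lists the construction methods that lookalike monitoring has to recognise: confusable-character substitution, TLD swapping, and IDN/Punycode homographs. The block below is an added example, not Infoblox code and not how the BloxOne feature is implemented; it checks constructed observed names against a small customer-defined watch list and reports the reason each one matches. The homoglyph table is a hand-picked subset (real deployments use much larger confusable lists), the two-label split of a name is a simplification, and the single-edit "typosquat" rule is an assumption added to cover the typosquatting case the text mentions.

```python
"""Added example (not Infoblox code): flagging observed DNS names that imitate
domains on a customer-defined watch list, covering confusable substitutions,
TLD swaps, IDN/Punycode homographs, and single-edit typosquats."""
import unicodedata

# Constructed watch list and observed names (not real telemetry).
WATCHLIST = ["example.com", "acme-bank.com"]
OBSERVED = [
    "www.example.com",                                   # legitimate subdomain
    "examp1e.com",                                       # 1 -> l
    "exarnple.com",                                      # rn -> m
    "example.cc",                                        # TLD swap
    "\u0435xample.com",                                  # Cyrillic 'е' homograph
    "\u0435xample.com".encode("idna").decode("ascii"),   # same name in Punycode (ACE) form
    "exmple.com",                                        # one-character typo
    "acrne-bank.com",                                    # rn -> m in a hyphenated name
    "unrelated.org",                                     # no relation to the watch list
]

# Assumption: a small subset of visually confusable characters and digraphs.
SINGLE_CHAR = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",
}
DIGRAPHS = {"vv": "w", "rn": "m"}


def decode_label(label):
    """Return the Unicode form of a label, decoding Punycode ('xn--') labels."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def normalize(label):
    """Fold confusable characters and digraphs to the plain ASCII they imitate."""
    label = unicodedata.normalize("NFKC", label.lower())
    for digraph, plain in DIGRAPHS.items():
        label = label.replace(digraph, plain)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in label)


def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(name):
    """Split a name into (registered label, TLD); assumes a two-label registered domain."""
    labels = [decode_label(l) for l in name.lower().rstrip(".").split(".")]
    return labels[-2], labels[-1]


def classify(observed, target):
    """Return why 'observed' looks like 'target', or None if it does not."""
    sld, tld = split_domain(observed)
    tsld, ttld = split_domain(target)
    if sld == tsld and tld == ttld:
        return None                      # the protected domain itself or one of its subdomains
    folded = normalize(sld)
    if folded == tsld:
        if tld != ttld:
            return "tld-swap"
        if any(ord(ch) > 127 for ch in sld):
            return "idn-homograph"
        return "confusable-substitution"
    if tld == ttld and edit_distance(folded, tsld) == 1:
        return "typosquat"
    return None


def find_lookalikes(observed_names, watchlist):
    """Return [(observed, target, reason)] for every observed name that imitates a watched domain."""
    hits = []
    for name in observed_names:
        for target in watchlist:
            reason = classify(name, target)
            if reason:
                hits.append((name, target, reason))
    return hits


if __name__ == "__main__":
    for name, target, reason in find_lookalikes(OBSERVED, WATCHLIST):
        print(f"{name!r} imitates {target} ({reason})")
```

Decoding Punycode before folding is what makes the ACE and Unicode forms of the same homograph produce the same result; a monitor that only inspects the raw `xn--` label misses the imitation entirely. Folding digits such as `0` and `1` to letters trades some false positives on legitimate names containing digits for catching the substitutions the text describes.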
You can create custom lists containing domains and IP addresses to define whitelists and blacklists for additional protection. You can use a custom list to complement existing feeds or to override the Block, Allow, Log, or Redirect action that is currently defined for an existing feed. You can also add a custom list to multiple security policies, or multiple custom lists to one security policy, based on your business needs. When you use your own threat intelligence feeds, whitelists, and blacklists with BloxOne Threat Defense Cloud, you can apply your own security policies to them. Each custom list can contain as many as 50,000 records, and BloxOne Threat Defense Cloud supports up to 500,000 records across all custom lists.
BloxOne Threat Defense Cloud automatically creates the following default global policies. If you are concerned about DNS data exfiltration through DNS tunneling, DNSMessenger, Fast Flux, and DGA (including Dictionary DGA), you can apply any or all of these policies to the security policy as a whitelist or blacklist. Note that you cannot modify or delete these default policies.
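The two paragraphs above describe custom lists overriding the action a feed would otherwise take, and the per-list and total record limits. The following is an added example, not Infoblox code and not the product's rule engine; it models a policy as an ordered set of rules in which custom lists precede feeds, so a whitelist entry wins over a feed that lists the same domain, and it enforces the stated record limits when the policy is built. The list and feed names, the exact precedence order, and the parent-domain matching rule are assumptions for illustration.

```python
"""Added example (not Infoblox code): evaluating a query name against a
security policy built from custom allow/block lists and threat feeds, with
custom lists taking precedence and the page's record limits enforced."""

PER_LIST_LIMIT = 50_000      # records per custom list, as stated on the page
TOTAL_LIMIT = 500_000        # records across all custom lists, as stated on the page

# Constructed lists and feeds; the names are hypothetical, not Infoblox feed names.
CUSTOM_LISTS = [
    {"name": "corp-allow", "action": "Allow", "entries": {"partner.example", "203.0.113.10"}},
    {"name": "corp-block", "action": "Block", "entries": {"bad.example"}},
]
FEEDS = [
    # partner.example also appears here, so the custom allow list must override it.
    {"name": "malware-feed", "action": "Block", "entries": {"partner.example", "evil.example"}},
    {"name": "suspicious-feed", "action": "Log", "entries": {"odd.example"}},
]


def validate_custom_lists(custom_lists):
    """Raise ValueError if any list, or the total, exceeds the record limits."""
    total = 0
    for cl in custom_lists:
        count = len(cl["entries"])
        if count > PER_LIST_LIMIT:
            raise ValueError(f"{cl['name']}: {count} records exceeds the per-list limit of {PER_LIST_LIMIT}")
        total += count
    if total > TOTAL_LIMIT:
        raise ValueError(f"{total} records across all custom lists exceeds the limit of {TOTAL_LIMIT}")
    return total


def entry_matches(entry, query):
    """A domain entry matches itself and any subdomain; an IPv4 literal matches exactly."""
    query, entry = query.lower().rstrip("."), entry.lower().rstrip(".")
    if entry.replace(".", "").isdigit():
        return query == entry
    return query == entry or query.endswith("." + entry)


def build_policy(custom_lists, feeds, default_action="Allow"):
    """Assemble rules in precedence order: custom lists first (so they override
    feed actions), then feeds, then the policy default."""
    validate_custom_lists(custom_lists)
    return {"rules": list(custom_lists) + list(feeds), "default": default_action}


def evaluate(policy, query):
    """First matching rule wins; returns (action, name of the rule that decided)."""
    for rule in policy["rules"]:
        if any(entry_matches(entry, query) for entry in rule["entries"]):
            return rule["action"], rule["name"]
    return policy["default"], "default"


if __name__ == "__main__":
    policy = build_policy(CUSTOM_LISTS, FEEDS)
    for name in ["partner.example", "cdn.partner.example", "evil.example", "odd.example", "www.example.com"]:
        action, source = evaluate(policy, name)
        print(f"{name:24} -> {action:6} (by {source})")
```

Because evaluation stops at the first match, placing custom lists ahead of feeds is what gives an allow-list entry for `partner.example` precedence over the `malware-feed` Block for the same domain; reversing the order would silently change which action applies.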
Two types of filters can be configured using the Cloud Services Portal: category filters and application filters.
- Category filters are a set of content categorization rules that BloxOne Threat Defense Cloud uses to detect and filter specific internet content. Based on your configuration, specific actions such as Allow or Block will be taken on the detected content. BloxOne Threat Defense Cloud provides the following content categories from which you can build your category filters.
- Application filters are a set of rules that BloxOne Threat Defense Cloud uses to detect and filter specific Internet content. Application filters rely on the Application Classification Service (ACS) to establish application-specific rules. The ACS provides accessibility to applications based on their category or subcategory. Using application filters, you can set security policies based on whether you want to allow an app to access the Internet at all times, or whether you want the app to use local resolution when used with BloxOne DDI appliances.
Default and Custom Redirects
You can configure BloxOne Threat Defense Cloud to redirect traffic to the Infoblox server that displays the default or customized redirect page. If you want to redirect traffic to a custom destination, you must first add the redirect IP or domain to the Redirect page.
For additional information on setting up and configuring redirects, see
To configure initial settings for BloxOne Threat Defense Cloud, complete the following tasks:
Optionally, you can complete the following configuration based on your business needs:
After you have set up BloxOne Threat Defense Cloud, you can manage users, monitor the BloxOne Threat Defense Cloud service, and mitigate potential threats through the following features: