© 2016 Infoblox Inc. Infoblox Threat Intelligence Feed Page 1 of 15 Deployment and Migration Guide Infoblox Threat Intelligence Feed
Deployment and Migration Guide

Infoblox Threat Intelligence Feed


Table of Contents

Introduction.....................................................................................................................................................3

Cloud Security Portal........................................................................................................................................4

Account registration.........................................................................................................................................4

Portal navigation..............................................................................................................................................4

Feed Configuration...........................................................................................................................................5

NIOS Configuration...........................................................................................................................................7

License and Configuration Requirements..........................................................................................................7

Configuration...................................................................................................................................................7

Troubleshooting..............................................................................................................................................10

Generating & Reviewing Hits..........................................................................................................................10

Portal Investigation........................................................................................................................................11

Migrating to Threat Intelligence Feed.............................................................................................................11


Introduction

This document provides you with a quick-start guide on how to deploy and, if necessary, migrate to the Infoblox Threat Intelligence feed. Prior to deployment/migration, you must first purchase the subscription for this feed or have had your maintenance contract renewed after May 2nd, 2016. Please contact your primary Infoblox Sales Representative for details.

Infoblox Support Center

Once the subscription order has been completed successfully and all necessary licenses are activated and installed on the NIOS appliance, navigate to the “Contacts” tab in the “Infoblox Support Center” portal and check the box under “Cloud Portal Manager” next to all contacts that you would like to provision as Cloud Portal Managers for your organization. Please note this can only be done once, after the subscription order has completed; all future Cloud Portal Managers will need to be provisioned through our Cloud Security Portal (CSP).

Within 30 mins of assigning Cloud Portal Managers, a “Welcome” email will be sent with a “Get Started” link from [email protected] to the contacts selected.

There is also a link to the Cloud Security Portal located on the “Support Home” page of the Infoblox Support Portal at https://support.infoblox.com.


Cloud Security Portal

Account registration

To register, please ensure you have contacted your Sales account team or Sales Engineer to establish your account. Once they have processed your request, you will receive an email that allows you to complete the registration of your account.

To access the portal, login by using the link below:

csp.infoblox.com

This will take you to the Portal and you will see the following:

Portal navigation

Once you have accessed the Portal you will see:

The portal has a sidebar reflecting the different sections you might use.

These are:

“Threat lookup”: you will use this at a later time to research any threats.

“Services”: here you can perform the configuration of your feed and retrieve NIOS settings.

“Users”: here you can configure additional users for your organization.


Feed Configuration

First navigate to “Services”, where you will need to configure your currently un-configured service. This will take you to the screen below.

You can do this by clicking on the “DNS Firewall” window marked “Not Configured”.

This will allow you to generate your unique zones and key.

When you click on the “DNS Firewall” button, you will be taken to the screen below, which will allow you to complete the NIOS setup. The setup will be displayed in the fields below:

Suggestion: Copy the values in these fields to your favorite notepad before pressing the “Next Step” button.

You can then use the “Add Client” button and provide the name and external IP of your Infoblox member that will retrieve the feed data.

Note: Be sure to click “Finish” after adding your DNS server, or the service will remain in the “Not Configured” state.

If you return to “Services” later, you will see that the configuration of the service reflects “Configuration Complete” if the service was successfully provisioned, and you can click on this “DNS Firewall” button to add additional DNS servers in the future if needed:

NIOS Configuration

License and Configuration Requirements

In order to deploy the Infoblox Threat Intelligence feed, you will need a NIOS node with at least a DNS and RPZ license.

In order to configure NIOS, your Grid member will need access to the Infoblox Threat Intelligence Feed servers on port 53 (UDP and TCP), as the feed data is transferred through a DNS zone transfer. Your server will also need to be able to perform recursion in order to obtain responses from the internet.

In order to review log hits, enable the RPZ logging category on the Member or Grid level (Grid settings, Toggle Advanced Mode, Logging, check RPZ).

Configuration

In NIOS go to:

“Data Management” -> “DNS” -> “Response Policy Zones”

Press the + button or use “Add” in the sidebar

1. Select “Add a Response Policy Zone Feed”:

Press Next

2. Add the feed you want to use

Note that for full protection, base.rpz.infoblox.local, antimalware.rpz.infoblox.local, ransomware.rpz.infoblox.local, and bogon.rpz.infoblox.local are required. You will need to repeat these steps for each response policy zone that is being added:

Leave Policy override on “None (Given)” for now. For the other policy override settings, please refer to the Admin Guide.

Modify logging severity if needed

Press Next

3. Add the External Primary

Use the dropdown next to the “+” sign to select External Primary

4. Define the External Primary’s settings

Refer to the portal for the values from your account.

The value for “Name” can be anything.

Press Add

5. Add a Grid Secondary

Use “Select” to select which member(s) you want to add or use “All recursive servers” if you want to add all recursive nodes with an RPZ license.

Note: The Lead Secondary only applies to a single node. If you set this, that member will be the only one to reach out to the external primary. You will then redistribute the feed internally between your members through zone transfers. Also, if you prefer, you may set up a name server group specifically for your RPZ servers and assign that name server group to each of the feeds.

Press Add

Press Save and Close, restart services as required (using the banner at the top).

Give services 5 minutes to fetch the zone. If you refresh the GUI you will see the last updated value for when the last transfer was successful.

Troubleshooting

In case you are not getting a feed from Infoblox servers, verify the following:

You used the right feed name

You set the time correctly (NTP should be used)

You used the right key name, TSIG key, and algorithm

Once the response policy zone has loaded successfully on your DNS firewall appliance, you should see the “Last updated” column populated with the date/time of the successful zone transfer. You can then click the “Name” of the feed in the “Name” column and download the response policy zone data as a CSV file.

For further troubleshooting, check the syslog of your (lead) secondary for messages that include “transfer”.
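As an added example that is not part of the Infoblox guide, the script below applies the three checks from the list above, plus the port 53 reachability requirement from the configuration section, to the “transfer” syslog lines the guide tells you to look for. The sample lines are constructed in the style of BIND zone-transfer messages (the NIOS DNS service is BIND-based); real NIOS wording may differ, and the BADKEY, BADSIG and BADTIME names are the standard TSIG error codes.

```python
import re

# Constructed sample syslog lines in BIND transfer-message style.
# They are illustrative, not captured NIOS output.
SAMPLE_SYSLOG = """\
May 12 10:00:30 ns1 named[1234]: transfer of 'base.rpz.infoblox.local/IN' from 203.0.113.10#53: failed to connect: timed out
May 12 10:01:03 ns1 named[1234]: transfer of 'base.rpz.infoblox.local/IN' from 203.0.113.10#53: Transfer status: success
May 12 10:01:03 ns1 named[1234]: transfer of 'base.rpz.infoblox.local/IN' from 203.0.113.10#53: Transfer completed: 1 messages, 5 records, 412 bytes, 0.2 secs
May 12 10:01:05 ns1 named[1234]: transfer of 'antimalwar.rpz.infoblox.local/IN' from 203.0.113.10#53: failed while receiving responses: NOTAUTH
May 12 10:01:07 ns1 named[1234]: transfer of 'ransomware.rpz.infoblox.local/IN' from 203.0.113.10#53: failed while receiving responses: TSIG verify failure (BADKEY)
May 12 10:01:09 ns1 named[1234]: transfer of 'bogon.rpz.infoblox.local/IN' from 203.0.113.10#53: failed while receiving responses: TSIG verify failure (BADTIME)
"""

# Only lines that mention a zone transfer are of interest, as the guide says.
TRANSFER_RE = re.compile(
    r"transfer of '(?P<zone>[^']+)/IN' from (?P<primary>\S+): (?P<msg>.+)$"
)

# Ordered (marker, hint) pairs; the first marker found in the message wins.
# Hints map each failure back to one of the guide's checks.
HINTS = [
    ("Transfer status: success", "ok"),
    ("Transfer completed", "ok"),
    ("NOTAUTH", "feed name: the primary is not authoritative for this zone name; "
               "compare it with the zone names shown in the portal"),
    ("BADTIME", "time: TSIG signature outside the allowed window; check NTP on the member"),
    ("BADKEY", "key: the primary does not know this TSIG key name or algorithm; "
               "compare key name and algorithm with the portal values"),
    ("BADSIG", "key: TSIG secret or algorithm mismatch; re-enter the key from the portal"),
    ("timed out", "network: port 53 TCP to the feed server is not reachable"),
    ("connection refused", "network: port 53 TCP to the feed server is not reachable"),
]


def classify(message: str) -> str:
    """Map one transfer message to a troubleshooting hint."""
    for marker, hint in HINTS:
        if marker in message:
            return hint
    return "unclassified: read the full message"


def triage(syslog_text: str) -> list:
    """Return one record per transfer line: zone, primary and hint."""
    results = []
    for line in syslog_text.splitlines():
        m = TRANSFER_RE.search(line)
        if not m:
            continue
        results.append({
            "zone": m.group("zone"),
            "primary": m.group("primary"),
            "hint": classify(m.group("msg")),
        })
    return results


def failing_zones(syslog_text: str) -> dict:
    """Map each zone to its latest non-ok hint; a later success clears the zone."""
    state = {}
    for rec in triage(syslog_text):
        if rec["hint"] == "ok":
            state.pop(rec["zone"], None)
        else:
            state[rec["zone"]] = rec["hint"]
    return state


if __name__ == "__main__":
    for zone, hint in failing_zones(SAMPLE_SYSLOG).items():
        print(f"{zone}: {hint}")
```

Run it against the syslog export of the (lead) secondary; a zone that ends up in the output has not loaded, and the hint names which of the three checks to revisit (the misspelled antimalwar zone in the sample shows the feed-name case).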

Generating & Reviewing Hits

In order to generate a hit against the feed, query a member that has the response policy zone running for “adobekr.com”.

Check the Syslog for security hits. You should see a CEF entry with the domain(s) you are testing in the Syslog file.

Portal Investigation

In order to review an RPZ hit, take the domain from the hit and use the “Threat Lookup” part of the portal’s interface to get more information.

You can also use IPs from your logs. Be aware that RPZ stores the octets in reverse order, with the first label being the prefix length (host mask), so you need to reverse them. For example: 32.1.0.0.10 becomes 10.0.0.1/32
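As an added example that is not part of the Infoblox guide, the Python below parses a CEF hit line from the syslog and turns an RPZ IP trigger name into the CIDR value the Threat Lookup expects, generalizing the 32.1.0.0.10 example above to any prefix length and to IPv6 triggers (reversed hextets with “zz” standing for “::”). The CEF lines and the extension field names used (dhost, cs1, cs2) are constructed assumptions, not captured NIOS output.

```python
import ipaddress
import re

# Constructed CEF lines in the shape of RPZ hits. Field names and values are
# assumptions for this example, not captured NIOS output.
SAMPLE_CEF = [
    "CEF:0|Infoblox|NIOS|8.x|RPZ-QNAME|NXDOMAIN|7|src=10.0.0.25 spt=51234 "
    "dst=10.0.0.53 dpt=53 dhost=adobekr.com cs1Label=RPZ Zone "
    "cs1=base.rpz.infoblox.local act=NXDOMAIN",
    "CEF:0|Infoblox|NIOS|8.x|RPZ-IP|NXDOMAIN|7|src=10.0.0.31 spt=40001 "
    "dst=10.0.0.53 dpt=53 dhost=www.example.org cs1Label=RPZ Zone "
    "cs1=base.rpz.infoblox.local cs2Label=RPZ Trigger "
    "cs2=32.1.0.0.10.rpz-ip.base.rpz.infoblox.local act=NXDOMAIN",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def parse_cef(line: str) -> dict:
    """Split a CEF record into its seven header fields and an extension dict."""
    # Header fields are '|'-separated; a literal pipe in a field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    # The extension is 'key=value' pairs; a value runs until the next ' key='
    # token, which lets values such as 'RPZ Zone' keep their spaces.
    ext = {}
    for key, value in re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7]):
        ext[key] = value.replace(r"\=", "=").replace(r"\\", "\\")
    return {"header": header, "ext": ext}


def rpz_ip_to_cidr(name: str) -> str:
    """Turn an RPZ IP trigger owner name into CIDR notation.

    IPv4 triggers are <prefix>.<b4>.<b3>.<b2>.<b1> with the octets reversed,
    so 32.1.0.0.10 is 10.0.0.1/32. IPv6 triggers reverse the hextets and
    write 'zz' for '::'. A trailing '.rpz-ip.<zone>' suffix is dropped.
    """
    trigger = re.sub(r"\.rpz-(?:ip|nsip|client-ip)(\..*)?$", "", name)
    labels = trigger.split(".")
    prefix = int(labels[0])
    groups = labels[1:][::-1]  # RPZ stores the address back to front
    if len(groups) == 4 and prefix <= 32 and all(g.isdigit() for g in groups):
        address = ".".join(groups)
    else:
        address = re.sub(r"(^|:)zz(:|$)", "::", ":".join(groups))
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))


def lookups_for_hit(line: str) -> dict:
    """Pull the values you would paste into the portal's Threat Lookup."""
    rec = parse_cef(line)
    out = {"domain": rec["ext"].get("dhost"),   # assumed field name
           "zone": rec["ext"].get("cs1"),       # assumed field name
           "ip_trigger": None}
    for value in rec["ext"].values():
        if re.search(r"\.rpz-(?:ip|nsip|client-ip)\.", value):
            out["ip_trigger"] = rpz_ip_to_cidr(value)
    return out


if __name__ == "__main__":
    for line in SAMPLE_CEF:
        print(lookups_for_hit(line))
```

The IPv4 branch is taken only when exactly four all-digit groups follow a prefix of 32 or less; anything else is treated as IPv6, where a valid trigger has either eight groups or a “zz” run, so ipaddress rejects malformed names instead of silently guessing.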

Migrating to Infoblox Threat Intelligence Feed

If you were an existing DNS Firewall customer prior to May 2nd, 2016 and you are renewing your maintenance for your current DNS Firewall appliance, your new maintenance contract will be automatically migrated to the new Infoblox Threat Intelligence Feed during the renewal process.

After the steps above have been successfully completed to add the new Infoblox Threat Intelligence Feed, you will then need to remove any legacy DNS firewall feeds from your NIOS configuration.

Please note that the new Infoblox Threat Intelligence Feed and the legacy DNS Firewall feed are not identical. Therefore, some domains/IPs that were blocked previously may not be blocked by the new feed, and some domains/IPs that were not blocked may now be blocked.

To remove the legacy feeds, complete the steps below:

1. Navigate to Data Management | DNS | Response Policy Zones in the NIOS GUI

2. Check the box to the left of ALL legacy DNS Firewall zones to be decommissioned

3. Click the “Delete” button from the main Toolbar

o Note: You may choose to disable the legacy RPZ zones temporarily rather than delete them. You can then delete them at a later date once you validate everything is working as desired with the new Threat Intelligence feed. If you choose to delete them, you also have the option to restore the deleted RPZ zone from the recycle bin.

Please note that a DNS service restart will be required for the legacy RPZ zones to be removed.