
Infoblox Deployment Guide - BloxOne Threat Defense DNS ... · BloxOne Threat Defense DNS Forwarding...

Date post: 21-Jun-2020

Quick Start Guide

BloxOne™ Threat Defense DNS Forwarding Proxy


BloxOne Threat Defense DNS Forwarding Proxy QSG 2

TABLE OF CONTENTS

Overview ........ 3
Prerequisites ........ 3
    Licensing ........ 3
    Platforms ........ 3
    Validated Linux Platforms for Docker ........ 3
    Minimum System Requirements ........ 3
    Port Usage ........ 4
Best Practices ........ 4
Join Tokens ........ 5
    Create Join Tokens ........ 5
    Viewing Join Tokens ........ 6
    Revoking Join Tokens ........ 7
Managing On-Premise Hosts ........ 8
    Create On-Premise Hosts ........ 8
    Modifying/Viewing On-premise Hosts ........ 9
    Deleting On-Premise Hosts ........ 11
DFP on NIOS appliances ........ 13
Download Files ........ 14


Overview

Infoblox BloxOne™ Threat Defense Cloud (B1TD Cloud) is a SaaS offering designed to protect devices on and off premises, including roaming and remote users and branch offices. It provides visibility into infected and compromised devices, prevents DNS-based data exfiltration, and automatically stops device communications with command-and-control servers (C&Cs) and botnets, in addition to providing recursive DNS services in the cloud. The services are accessed by deploying the DNS forwarding proxy.

The DNS Forwarding Proxy (DFP), which can run on the On-Prem Host, is a DNS forwarder that forwards DNS queries to B1TD Cloud or to a local DNS server. DFP continually monitors connectivity to B1TD Cloud. If customers have purchased ATC Plus or AT Plus/Advanced or are a B1TD customer, and the On-Prem Host cannot reach the BloxOne Threat Defense Cloud Anycast DNS server for any reason, it sends requests to a local DNS server, which protects clients via security RPZ (DNS Firewall) feeds. For DFP running on NIOS, having the DNS Forwarding Proxy fall back to a local DNS server instead of the default DNS resolution path can be used in situations where DFP cannot reach BloxOne Threat Defense Cloud from its network.

Prerequisites

Licensing

One of the following:

• BloxOne Threat Defense Advanced
• BloxOne Threat Defense Business – Cloud

Platforms

One of the following:

• Bare-metal systems running Linux and Docker version 1.13.0 or above
• VMware ESXi server version 5.5, 6.0, or 6.5
• Hyper-V or KVM, running Linux and Docker version 1.13.0 or above

Note: Latest requirements can be found in the Admin Guide: https://docs.infoblox.com/display/BloxOneThreatDefense/On-Prem+Host+Management

Validated Linux Platforms for Docker

If deploying with Docker:

• Red Hat Enterprise Linux 7.2
• CentOS 7.3.16
• Ubuntu 16.04.2

Minimum System Requirements

The minimum system requirements for VMs are as follows:

• CPU: 1 core
• Memory: 512 MB
• Disk: 10 GB


Port Usage

The following table lists the port usage for the BloxOne on-premise hosts:

IP Protocol | Port | Domain | Description
TCP | 443 | csp.infoblox.com | Cloud Services Portal access (unrestricted outbound access to TCP 443)
TCP | 443 | cp.noa.infoblox.com | On-Prem Host – Platform Management
TCP | 443 | app.noa.infoblox.com | On-Prem Host – Application Management
TCP | 443 | threatdefense.bloxone.infoblox.com | BloxOne Threat Defense Cloud DNS server
TCP | 443 | DNS server | DNS over TLS for DNS Forwarding Proxy
UDP | 123 | ntp.ubuntu.com | NTP server (only if time sync with ESXi is disabled; for VMs only if NTP is not provisioned)
UDP | 123 | ubuntu.pool.ntp.org | NTP server (only if time sync with ESXi is disabled)
UDP | 67 | DHCP server | DHCP
UDP | 68 | DHCP server | DHCP Relay
TCP | 647 | DHCP server | DHCP Failover
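The table above is the egress allow-list a firewall team has to open before an on-prem host can register. The following pre-flight script is an added example (not Infoblox code and not part of this guide): it probes each named TCP endpoint from the table with a plain TCP connect and reports the ones that are blocked. The rows whose host is a site-specific DNS or DHCP server are left out because the guide gives no hostname for them, and UDP rows are only listed, since a TCP connect cannot prove UDP reachability.

```python
"""Outbound connectivity pre-flight for a BloxOne on-prem host.

Added example, not Infoblox code. REQUIRED_ENDPOINTS is transcribed from the
port-usage table in the guide; the DNS/DHCP server rows have no hostname there
and are omitted.
"""
import socket

# (protocol, port, hostname, purpose) taken from the port-usage table.
REQUIRED_ENDPOINTS = [
    ("TCP", 443, "csp.infoblox.com", "Cloud Services Portal access"),
    ("TCP", 443, "cp.noa.infoblox.com", "On-Prem Host platform management"),
    ("TCP", 443, "app.noa.infoblox.com", "On-Prem Host application management"),
    ("TCP", 443, "threatdefense.bloxone.infoblox.com", "BloxOne Threat Defense Cloud DNS"),
    ("UDP", 123, "ntp.ubuntu.com", "NTP (only if host time sync is disabled)"),
    ("UDP", 123, "ubuntu.pool.ntp.org", "NTP (only if host time sync is disabled)"),
]


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, or no network at all
        return False


def preflight(endpoints=REQUIRED_ENDPOINTS, timeout=3.0):
    """Probe every TCP endpoint; UDP rows are reported as 'unverified'.

    Returns a list of (protocol, port, host, status, purpose) tuples.
    """
    report = []
    for proto, port, host, purpose in endpoints:
        if proto == "TCP":
            status = "ok" if check_tcp(host, port, timeout) else "BLOCKED"
        else:
            # A TCP connect says nothing about UDP; verify NTP separately
            # (for example by checking that the host's clock is in sync).
            status = "unverified"
        report.append((proto, port, host, status, purpose))
    return report


def blocked(report):
    """Return the (host, port) pairs that still need a firewall rule."""
    return [(host, port) for proto, port, host, status, _ in report if status == "BLOCKED"]


if __name__ == "__main__":
    for proto, port, host, status, purpose in preflight():
        print(f"{proto:3} {port:<4} {host:40} {status:10} {purpose}")
```

Run it from the network segment where the on-prem host will live; a "BLOCKED" line points at a missing egress rule for that domain. If an HTTPS proxy is configured for the host (see Proxy Settings below), the direct connect tested here is not the path the host will take, so run the check through the proxy instead.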

Best Practices

To ensure a successful deployment of an on-premise host:

• When setting up DNS forwarding proxies as on-premise hosts for failover purposes, Infoblox recommends deploying two DNS forwarding proxies, using one as the primary proxy and the other as the secondary.

• If you need to configure any name servers through the DHCP options or hosts, ensure that the name servers point to the DNS forwarding proxies.

• If you need to change the IP address of the on-premise host after configuration, the system must be restarted for the change to take effect.

• For DNS to function properly in OVA deployments on ESXi servers where NTP is not provisioned for the VM, enable the “Synchronize guest time with host” option during deployment and make sure the ESXi host is synchronized with an NTP server. If the “Synchronize guest time with host” option is not selected (or is disabled), the DNS forwarding proxy synchronizes with the Ubuntu NTP servers ntp.ubuntu.com and ubuntu.pool.ntp.org. When disabling this option, open UDP port 123 for time synchronization with the Ubuntu NTP servers.
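The first two best practices only hold if every DHCP scope actually hands out both DNS forwarding proxies as its name servers: a scope that points at a public resolver sends those clients around BloxOne Threat Defense entirely, and a scope that lists only one proxy loses DNS when that proxy is down. The following audit is an added example (not Infoblox code and not part of this guide); the DFP addresses and the DHCP scope table are constructed sample data, and how you export the scopes from your DHCP server is left to you.

```python
"""Audit DHCP name-server options (option 6) against the deployed DFPs.

Added example, not Infoblox code. DFP_ADDRESSES and DHCP_SCOPES are
constructed sample data standing in for an export of your DHCP configuration.
"""
import ipaddress

# Constructed: the two DFP on-prem hosts (primary first, secondary second).
DFP_ADDRESSES = ["10.10.1.5", "10.10.1.6"]

# Constructed: DHCP scope -> name servers handed out to its clients.
DHCP_SCOPES = {
    "10.10.1.0/24": ["10.10.1.5", "10.10.1.6"],   # compliant
    "10.10.2.0/24": ["10.10.1.5"],                # no secondary proxy
    "10.10.3.0/24": ["8.8.8.8", "10.10.1.5"],     # public resolver bypasses B1TD
    "10.10.4.0/24": [],                           # nothing configured
}


def audit_scope(name_servers, dfp_addresses):
    """Return the findings for one scope; an empty list means it is compliant."""
    findings = []
    if not name_servers:
        findings.append("no name servers configured; clients will not reach the DFPs")
        return findings
    dfps = {ipaddress.ip_address(a) for a in dfp_addresses}
    seen_dfps = []
    for ns in name_servers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append(f"invalid name server address {ns!r}")
            continue
        if addr in dfps:
            seen_dfps.append(str(addr))
        else:
            findings.append(f"name server {addr} is not a DNS forwarding proxy; "
                            "clients using it bypass BloxOne Threat Defense")
    if len(seen_dfps) == 1 and len(dfps) > 1:
        findings.append("only one DNS forwarding proxy listed; add the secondary for failover")
    return findings


def audit_scopes(scopes, dfp_addresses=DFP_ADDRESSES):
    """Map every scope to its list of findings."""
    return {scope: audit_scope(ns, dfp_addresses) for scope, ns in scopes.items()}


if __name__ == "__main__":
    for scope, findings in audit_scopes(DHCP_SCOPES).items():
        print(scope, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

The same check applies to statically configured hosts: feed their resolver lists in as additional "scopes" and any entry that is not a DFP shows up as a finding.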

Join Tokens

BloxOne Threat Defense Cloud introduces a workflow that streamlines the DNS forwarding proxy deployment process. It is no longer necessary to pre-provision hosts through the Cloud Services Portal, nor to copy API keys to establish the host connection when configuring DNS forwarding proxies on bare-metal containers or virtual machines. Instead, organizations can use join tokens to connect hosts to the Cloud Services Portal automatically.

Create Join Tokens

To create a join token, complete the following:

From the Cloud Services Portal, click “Manage” → “On-Prem Hosts”.

Click the “Join Tokens” tab, then click “Create Token”.

On the Create Token page, complete the following:

• Name: Enter a name for the token.
• Description: Enter a description of the token.
• Tags: Click “Add” to associate keys with the on-prem host and specify the following:
  o KEY: Enter a meaningful name for the key, such as a location or a department.
  o VALUE: Enter a value for the key. To delete a key, select the respective check box and click “Remove”.

Click “Save & Close”. The join token string appears in the “Copy Token” dialog box. Click “Copy” to copy the token, and save it in a place where it can be found later. This token string is needed when configuring the virtual on-prem hosts.

Note: The join token is shown only once, in this dialog box. After the dialog is closed, the join token cannot be retrieved. Be sure to copy it and save it for deployment.

Viewing Join Tokens

To view all join tokens created, do the following:

From the Cloud Services Portal, click “Manage” → “On-Prem Hosts”.

Click the “Join Tokens” tab, and the Cloud Services Portal displays the following information:

• TOKEN NAME: The name of the token.
• STATUS: The current status of the token. This can be “Active” or “Revoked”.
• COUNT: The number of times this token was used to set up virtual appliances. The same token can be reused multiple times for different virtual appliances, so this number is useful for security purposes.
• LAST USED: The timestamp when the token was last used, in mm/dd/yy hh:mm:ss time zone format.
• DESCRIPTION: Information about the join token.
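Because a join token can be reused any number of times while it stays “Active”, the COUNT and LAST USED columns are the evidence a reviewer has that a token was used only for the hosts it was created for. The following hygiene check is an added example (not Infoblox code and not part of this guide): it takes the rows of the Join Tokens tab and flags active tokens that were used more often than planned, that have never been used, or that have been idle for too long, all of which are candidates for the Revoke step in the next section. The token rows, the planned host counts and the review time are constructed sample data, and the timestamps are assumed to be in UTC.

```python
"""Hygiene check over the Join Tokens list (TOKEN NAME, STATUS, COUNT, LAST USED).

Added example, not Infoblox code. TOKENS, EXPECTED_HOSTS and REVIEW_TIME are
constructed sample data; LAST USED values are assumed to be UTC.
"""
from datetime import datetime, timedelta, timezone

LAST_USED_FORMAT = "%m/%d/%y %H:%M:%S"   # mm/dd/yy hh:mm:ss, as shown in the portal

# Constructed sample rows mirroring the columns of the Join Tokens tab.
TOKENS = [
    {"name": "branch-rollout", "status": "Active", "count": 2, "last_used": "06/20/20 09:15:42"},
    {"name": "lab-test", "status": "Active", "count": 7, "last_used": "04/02/20 18:30:05"},
    {"name": "dc-east", "status": "Active", "count": 0, "last_used": ""},
    {"name": "old-pilot", "status": "Revoked", "count": 12, "last_used": "01/11/20 12:00:00"},
]

# Constructed: how many on-prem hosts each token was issued for.
EXPECTED_HOSTS = {"branch-rollout": 2, "lab-test": 2}

# Constructed: the moment the review is run.
REVIEW_TIME = datetime(2020, 6, 21, 12, 0, 0, tzinfo=timezone.utc)


def parse_last_used(value):
    """Parse the LAST USED column; an empty value means the token was never used."""
    if not value:
        return None
    return datetime.strptime(value, LAST_USED_FORMAT).replace(tzinfo=timezone.utc)


def audit_tokens(tokens, expected_hosts, max_idle_days, now):
    """Return {token name: [findings]} for active tokens that deserve a look."""
    findings = {}
    for tok in tokens:
        if tok["status"] != "Active":
            continue  # a revoked token can no longer join hosts
        notes = []
        count = int(tok["count"])
        expected = expected_hosts.get(tok["name"], 0)
        if count > expected:
            notes.append(f"used {count} times but only {expected} host(s) were planned; "
                         "verify every on-prem host that joined with it")
        last = parse_last_used(tok["last_used"])
        if last is None:
            notes.append("active but never used; revoke it if the rollout is not pending")
        elif now - last > timedelta(days=max_idle_days):
            notes.append(f"last used {(now - last).days} days ago; revoke unless still needed")
        if notes:
            findings[tok["name"]] = notes
    return findings


def run_review(max_idle_days=30):
    """Run the audit over the constructed sample data."""
    return audit_tokens(TOKENS, EXPECTED_HOSTS, max_idle_days, REVIEW_TIME)


if __name__ == "__main__":
    for name, notes in run_review().items():
        print(name)
        for note in notes:
            print("   -", note)
```

A count higher than the number of hosts you deployed is the finding to act on first: every host that joined with the token appears under “On-Prem Hosts”, so the extra joins can be identified there and the token revoked.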

Revoking Join Tokens

Organizations can revoke a join token that they no longer need, or whose security has been compromised.

To revoke a join token, complete the following:

From the Cloud Services Portal, click “Manage” → “On-Prem Hosts”.

Click the “Join Tokens” tab. On the Join Tokens page, select the check boxes of the join tokens you want to revoke, then click the “Revoke” button.

In the dialog box, click “Revoke” to confirm.


Managing On-Premise Hosts

Create On-Premise Hosts

To create an on-prem host without a join token, for finer control over initial deployments, complete the following:

From the Cloud Services Portal, click “Manage” → “On-Prem Hosts”.

Click “Create On-Prem Host” to add an on-prem host. On the “Create On-Prem Host” page, specify the following:

• Name: The name of the on-prem host.
• Description: Enter additional information about the on-prem host.
• Tags: Click “Add” to associate keys with the on-prem host and specify the following:
  o KEY: Enter a meaningful name for the key, such as a location or a department.
  o VALUE: Enter a value for the key. To delete a key, select the respective check box and click “Remove”.
• Applications & Services: Click “Add” to associate licenses and services with the on-prem host, or click “Remove” to delete the entry:
  o LICENSES: Displays information about the license, license tier, and additional information about the license. Click to reorder the columns.
  o SERVICES: Displays the list of services associated with the respective license and its state. Enable or disable a particular service by moving its slider. Click to reorder the columns.

Click “Save & Close” to save the details or click “Cancel” to exit.

Note: If using a Join Token there’s no need to create an On-Premise Host.

Modifying/Viewing On-premise Hosts

To modify an on-prem host:

From the Cloud Services Portal, click “Manage” → “On-Prem Hosts”.

Select the on-prem host and click the “Edit” button to modify host data.

On the edit page, you can review and modify the following information:

• Name: The name of the on-prem host.
• Description: Additional information about the on-prem host.
• API Access Key: The access key needed for deploying an On-Premise Host without a join token; it is also used for DFP communication.
• Applications & Services: The licenses and services that are applicable to the host.
  o LICENSES: This section lists the licenses for the host. It cannot be modified.
  o SERVICES: This section lists the services associated with the host and their states. Use the service slider to enable or disable a service. All services are disabled by default when the host is initially deployed.
• IP Interface Settings: This section lists the following information for the network interface of the on-prem host, if applicable. Note that this section can be added to or changed only for the physical appliance; for bare-metal or OVA deployments, IP interface settings cannot be added or modified.
  o NETWORK INTERFACE: The name of the Ethernet port on the appliance, such as “enp1s0” or “enp2s0”.
  o NETWORK MODE: Displays how the interface is addressed, such as “dhcp” or “static”.
  o IP ADDRESS: The IP address associated with the interface.
  o CIDR/NETMASK: The netmask for the IP address.
  o DEFAULT GATEWAY: The default gateway for the interface.
• DNS Local Resolver IP Settings: This section displays the IP addresses of the local DNS resolver. You can add a new resolver or delete an existing one.
• NTP Settings: This section displays the NTP server that the on-prem host is currently using. You can add a new one or delete an existing one. Note that this section can be added to or changed only for the physical appliance; for bare-metal or OVA deployments, the NTP settings cannot be modified.
• Proxy Settings: This section displays the URL of the HTTPS proxy for the on-prem host, if configured. You can specify the path of the CA certificate that BloxOne Threat Defense Cloud should use to authenticate the proxy. The proxy setting is for web connection authentication only.
• Docker Bridge Settings: This section displays the IP addresses of the Docker bridges that are associated with the on-prem host. New IP addresses can be added or existing ones removed only for physical appliances. If all IP addresses are disabled, the Docker bridge defaults to “172.17.0.0/24”.


Note: When any settings are added or modified, the services on the DFP restart after the configuration is saved, causing a brief outage. In addition, if the new configuration is invalid, DFP reverts to the previous configuration after a few minutes.

Deleting On-Premise Hosts

To delete an on-premise host:

From the Cloud Services Portal, click “Manage” → “On-Prem Hosts”.

Select the check box beside an on-premise host. Click “On-Prem Host” and select “Remove” from the drop-down list.

A confirmation message is displayed. Click “Remove” to delete the respective on-premise host or click “Cancel” to cancel the operation.

Add/Modify/Remove Local Resolvers

To configure local resolvers on an on-premise host:

Navigate to “Manage” → “On-Prem Hosts”, click the on-prem host that you want to configure, open the “Service” drop-down and choose “DNS Forwarding Proxy” → “Configure”.

Click “Add” to add a local resolver. On the Local Resolvers page, you can review and modify the following information:

• IP Address: This is the IP address of the local DNS resolver. The IP address should be accessible to the DFP that is on premise.

• Local Resolver: A local resolver is a local server that stores a central database of DNS nameservers and manages DNS requests for all the clients on your network.

• DNS Fallback: DNS Fallback is a backup endpoint and is used when the primary server is unavailable.
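Taken together with the Overview, these three fields define the path a client query takes: to BloxOne Threat Defense Cloud while DFP's connectivity monitor sees it as reachable, and to a local resolver marked as DNS Fallback when it does not. The following model of that decision is an added illustration, not Infoblox code and not a description of DFP's internals: the guide only says that connectivity is monitored continually, so the consecutive-failure and consecutive-success thresholds used for hysteresis here are assumptions, as are the LocalResolver record and the constructed resolver addresses.

```python
"""Model of DFP upstream selection: cloud while reachable, DNS Fallback otherwise.

Added illustration, not Infoblox code. The hysteresis thresholds, the
LocalResolver record and the resolver addresses are assumptions.
"""
from dataclasses import dataclass

CLOUD_DNS = "threatdefense.bloxone.infoblox.com"   # from the port-usage table


@dataclass
class LocalResolver:
    ip: str
    local_resolver: bool = True   # serves the local namespace (assumed boolean)
    dns_fallback: bool = False    # may take over when the cloud is unreachable


class ReachabilityMonitor:
    """Track cloud reachability with hysteresis so one lost probe does not flap."""

    def __init__(self, down_after=3, up_after=2):
        self.down_after = down_after   # assumed: consecutive failures before 'down'
        self.up_after = up_after       # assumed: consecutive successes before 'up'
        self.failures = 0
        self.successes = 0
        self.reachable = True

    def record(self, probe_ok):
        """Feed one probe result and return the current reachability verdict."""
        if probe_ok:
            self.successes += 1
            self.failures = 0
            if not self.reachable and self.successes >= self.up_after:
                self.reachable = True
        else:
            self.failures += 1
            self.successes = 0
            if self.reachable and self.failures >= self.down_after:
                self.reachable = False
        return self.reachable


def select_upstream(reachable, resolvers):
    """Return ('cloud', CLOUD_DNS), ('fallback', ip), or None if no path exists."""
    if reachable:
        return ("cloud", CLOUD_DNS)
    for r in resolvers:
        if r.dns_fallback:
            return ("fallback", r.ip)
    return None   # no DNS Fallback resolver configured: queries cannot be served


# Constructed: one resolver allowed to take over, one that only serves local names.
RESOLVERS = [
    LocalResolver("10.10.0.53", local_resolver=True, dns_fallback=True),
    LocalResolver("10.10.0.54", local_resolver=True, dns_fallback=False),
]


def simulate(probe_results, resolvers=RESOLVERS):
    """Return the upstream chosen after each probe result in the sequence."""
    mon = ReachabilityMonitor()
    return [select_upstream(mon.record(ok), resolvers) for ok in probe_results]


if __name__ == "__main__":
    for ok, choice in zip([True, False, False, False, True, True], simulate([True, False, False, False, True, True])):
        print("probe ok" if ok else "probe failed", "->", choice)
```

The None case is the one to design for: with no resolver marked as DNS Fallback, a loss of cloud connectivity means clients get no answers at all, which is why the guide recommends a fallback and, on the host side, a second DFP.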


To remove a local resolver, choose the local resolver then click “Remove”.

DFP on NIOS appliances

Navigate to “Grid” → “Grid Manager” → “DNS”, then select a DNS entry and edit it.

Navigate to the “Forwarders” tab.

At the bottom, enable forwarding to B1TD:

a. Select “Enable Recursive Queries Forwarding to ActiveTrust Cloud”.
b. Enter the “Access Key” (the access key can be found as described in the Modifying/Viewing On-premise Hosts section of this document).
c. Choose the name server to forward queries to.
d. Optionally, choose to fall back to the default DNS resolution process if BloxOne Threat Defense Cloud does not respond.

Download Files

To obtain the download files for DFP:

In the Cloud Services Portal, go to “Administration” → “Downloads”.

On the “Downloads” page, click “Download Package for VM” or “Download Package for Docker” to download the OVA or tar.gz file, respectively.


Infoblox is leading the way to next-level DDI with its Secure Cloud-Managed Network Services. Infoblox brings next-level security, reliability and automation to on-premises, cloud and hybrid networks, setting customers on a path to a single pane of glass for network management. Infoblox is a recognized leader with 50 percent market share comprised of 8,000 customers, including 350 of the Fortune 500.

Corporate Headquarters | 3111 Coronado Dr. | Santa Clara, CA | 95054

+1.408.986.4000 | 1.866.463.6256 (toll-free, U.S. and Canada) | [email protected] | www.infoblox.com

© 2018 Infoblox, Inc. All rights reserved. Infoblox logo, and other marks appearing herein are property of Infoblox, Inc. All other marks are the property of their respective owner(s).

