06-22-2020 12:23 PM
We Want to ask about the Bloxone Threat Defence Deployments scenarios as it's not clear to us if we will go for the cloud scenario/on-premiss.. will it be installed on a vm or integrated with the DDI appliance.. because the admin guide just show us the configurations we didn't find any starting point for the on-premiss vm etc..
thanks for the support.
Solved! Go to Solution.
07-08-2020 09:09 PM
there are 2 kind of deployments:
1. By Using B1TD Threat Defense RPZ feeds. means that you onprem nios will be configured as slave RPZ member, and the data feed will be pulled from the B1TD cloud.
2. By Using B1TD Cloud. at this option you also have 2 sub option to do:
a. on Prem DFP using separate Virtual Appliance, it could be installed from docker or from VMware OVA template that given by Infoblox. (all can be download from the csp portal0
b. on prem DFP using onprem NIOS. in this option you are going to enable the DFP on the NIOS level.
For the configuration detail, please refer to the deployment guide.
08-13-2020 08:56 AM
This confused the hell out of me when trying to set up our pilot environment 'in my spare time', so I just wanted to clarify a bit for anyone else looking at your answer. (I've got a training budget, but no time to actually take the training, yet.) I worked off the online admin guide, mostly, since I couldn't quickly find a video or deployment guide that explained the parts that were throwing me off.
There really seems to be 3 deployment options, even though there are just two choices about where recursive queries are answered. (Or, I guess, 4 deployment options, but I may be missing some of the finer points due to terminology.)
1. Answer recursive queries yourself with an on-prem DNS firewall using physical or virtual NIOS appliances (so, one or two options, depending on if you consider those the same or different)
2. Forward recursive queries to Infoblox's cloud using a virtual DNS forwarding proxy appliance (haven't quite figured out where this is deployed, yet, as we're using Trinzic appliances in our data centers. From the instructions on Tokens, it appears the image can be loaded onto a hypervisor or a bare metals appliance from Infoblox, so maybe this is actually two different options, as well.)
3. Forward recursive queries to Infoblox's cloud using on-prem NIOS appliances (not well covered in the documentation)
I was finally able to get everything set up and working, after playing around a bit. Definitely could have been easier, though.
Monday - last edited yesterday
You're most welcome. I came here looking for the same info, so I understand the frustration.
We've actually gone live with our deployment and I've discovered a few new points that might help. Primarily, that BloxOne Threat Defense is a suite of offerings and the portion that is the Cloud-based DNS firewall SaaS (Software as a Service) is often shortened to just B1TD.
A DNS firewall is the core of this service and is offered as a SaaS (B1TD Cloud) or as a license to be applied to member(s) of your grid (on-prem), whether they are virtual machines or physical appliances. It essentially blocks or redirects users from reaching malicious sites.
There is a NIOS DNS firewall and the rules are configured within the grid, using RPZ (Response Policy Zones), and the threat intelligence feeds are 'imported' so that the processing is done 'on-prem.' I think this is what the Infoblox guys are thinking of when they make the distinction of Cloud vs On-Prem, in terms of 'Threat Defense'. (The two deployment options mentioned by @aralvidra02)
B1TD Cloud puts the DNS firewall part within the Infoblox controlled environment, and there are three ways (that I know of) how to get the DNS traffic to them:
1. Global forwarding of recursive queries to them with allowed networks defined in the CSP (assuming a source filter on a view type of thing)
2. A Windows or Mac agent that is downloaded and installed on the clients you want protected
3. DFP or DNS Forwarding Proxy, which is essentially a transparent proxy for DNS and can point to either the cloud or another customer-controlled DNS. I'm pretty sure the virtual machines and bare-metal appliances that act as only proxies are what Infoblox means by 'On-Prem Hosts' but a DNS server running NIOS can also be configured as a DNS proxy on top of other DNS services. And it can be physical or virtual, as well. (The two Cloud sub-options)
If you use purpose built proxies, either virtual or physical, the configuration is controlled in the CSP, which is the web-based interface for B1TD Cloud. These are the VM images referenced in the deployment guide and the physical units use the tokens referenced there.
If you use appliances running the NIOS software, either virtual or physical, you'll configure part of it in the Grid Master and part of it in the CSP. (Unless, perhaps you also have DDI in the Cloud?) What was confusing to me is that both the proxy-only hosts and the NIOS hosts are managed in the same section, but have different options available to them. Only part of the instructions apply to appliances that are licensed with NIOS, and it's not clear what those are.
Hope that didn't muddy the waters further...
you got it right
the only thing which needs to be corrected is "The DNS firewall license is ADP (Advanced DNS Protection)"
ADP is protection of DNS server itself, against DNS software exploits, DoS, DDoS etc. - it's not related to DNS firewall functionality and it's not included in BloxOne Threat Defense (or B1TD). This functionality is most often used to protect external authoritative DNS servers, since they directly face Internet. Other typical use case for ADP is a DNS resolver of internet service provider (one of typical targets of DoS attacks often).
On the other hand DNS firewall functionality is what B1TD is doing - it's all about protection of users and data with the help of DNS resolver (blocking malicious domains, detection of data exfiltration over DNS, C2 over DNS etc.).
ps. there's a 3rd way of pushing DNS queries towards B1TD cloud - you can install BloxOne Threat Defense agent on Windows or MacOS for roaming users. The agent will take over DNS queries from such computer, add some information such as username, OS version, MAC (so later infected computers can be identified in security reports), encrypt query and send it to B1TD cloud for processing.
I totally forgot about the agents; I'll add that to the other post. I'll also correct the part about the ADP and do some more reading. Unfortunately, the information is scattered about in many different places and the descriptions on the public website are more marketing than technical. Toss in a few name changes, to spice things up... lol