Page tree

Contents

BloxOne Endpoint bypass in combination with FQDN and a probe token, are used by BloxOne Endpoint to identify that Endpoint is on-prem and is following the configured on-prem policies. To verify BloxOne Threat Defense Cloud probe responses, BloxOne Endpoint periodically sends DNS queries from a non-resolvable probe domain to default resolvers to avoid the possibility of “spoofed” responses. In cases where a domain is not expected to resolve, then any subdomains of the domain will also not resolve. For instance, if some-domain.com is configured as a probe domain, then mail.some-domain.com would also not resolve.

The probe token can be auto-generated or custom configured. By making the probe configurable rather than static, additional safeguards are provided that protect against potential hijacking attempts. A BloxOne Endpoint probe domain and associated probe token are configured during the protected bypass mode configuration process.

By enabling BloxOne Endpoint protected bypass mode for a BloxOne Endpoint group, you can define your own domain and response for on-prem DNS service protected by DNS Firewall. With deployed DNS forwarding proxies (in auto mode), a unique and hashed response using a probe token is used to detect if an endpoint is in a protected environment. By design, because DNS is used, the probe domain is resolvable. If the endpoint is in a protected environment, then it must adhere to the policies defined for the location. When configuring BloxOne Endpoint groups for use with the endpoint probe using a probe token, the following must be taken into consideration:

  • Bypass Mode: You must enable bypass mode at the group level so that the bypass configuration can be used. The bypass mode setting is inherited whenever a new endpoint group is created. The user can change the settings at a group level. The group level setting will override the setting established at the default endpoint group setting. The bypass code must be provisioned on the Cloud Services Platform. 
  • FQDN: A fully qualified domain name or FQDN must be selected at the time of configuration. The FQDN can either be the default probe domain (i.e. probe.infoblox.com), or customized based on your requirements. If you choose to use a customized probe domain, ensure that it can be resolved with the defined TXT record.
  • TXT Record: A TXT record to be prepended to the FQDN must be created when generating a probe token or randomly generated by clicking Generate random TXT record during the configuration. You can also define a custom TXT record to accompany a custom probe domain to ensure that the domain can be resovled.

The probe token supports two modes: automatic and manual. In automatic mode, clicking Generate random TXT record generates a new random label to be prepended to the default domain. In manual mode, a custom domain and TXT record for the probe token are custom defined and supplied. A custom created TXT record can be up to 256 characters in length. Customers can also choose to disable probing requests entirely by disabling protected bypass mode for an endpoint group.

Of the options provided, automatic mode is the most secure. When using automatic mode, the BloxOne client will send different queries and receive different responses for each query. In automatic mode, potential attackers will not be able to spoof the client. Automatic mode is intended for use where external attackers can potentially flood local DNS servers with fake responses, in scenarios where hackers can potentially gain access to a local DNS Server, or where DFP already exists in the network.

Manual mode is intended for use in specific environments (NIOS), where DFP is not in use in the network, or where DFP already exists elsewhere in the network and predefined probe domain and response are to be custom configured.

Enabling Probe Requests by Adding Protected Bypass Mode to a BloxOne Endpoint Group                             

When applying security policies to multiple BloxOne Endpoint devices, you can make the process more efficient by organizing the endpoint devices into BloxOne Endpoint groups, and then add the groups to the network scope when you create a security policy. Note that BloxOne comes with a default endpoint group called All BloxOne Endpoints (default) that is associated with the default global policy. You cannot modify or remove the default endpoint group.

Warning

Infoblox does not recommend configuring a subdomain in BloxOne Endpoint if the parent domain already exists as a member of a different BloxOne Endpoint group. For example, if the domain abc.com already exists in another BloxOne Endpoint group, then do not add subdomains of the domain to additional BloxOne Endpoint groups. For example, xyz.abc.com should not be added to additional BloxOne Endpoint groups. 

To enable probe requests in a BloxOne Endpoint group, complete the following:

  1. From the Cloud Services Portal, click Manage -> Endpoints.
  2. On the Endpoints page, select the Endpoint Groups tab, and then click the Add button.

Note

At least one BloxOne Endpoint must be added to the configuration prior to configuring and enabling protected bypass mode.

3. In the Bypass Mode section of the Create Endpoint Group page, complete the following:

    1. State: Enable protected bypass mode from its default disabled state by switching the toggle from Disabled to Enable.
    2. FQDN: The default probe domain is probe.infoblox.com. You can choose to accept the default or create your own FQDN based on your requirements. If you choose to use a custom probe domain, ensure that it can be resolved with a custom TXT record.
    3. TXT Record: You can choose to accept the default TXT record, generate a random TXT record by clicking Generate random TXT Record, or apply a custom TXT record.

Important Note

To avoid conflict between two TXT records, Infoblox recommends that you define a custom probe domain and a custom TXT record, instead of using the defaults. Ensure that the custom probe domain can be resolved with the custom TXT record.

4. Click Save & Close to create the endpoint group or click Cancel to return to the BloxOne Endpoint Group page without enabling protected bypass mode and probing.

Disabling Probing Requests

Probing requests can be discontinued by disabling Bypass mode. To disable probing requests, complete the following:

  1. From the Cloud Services Portal, click Manage -> Endpoints.
  2. On the Endpoints page, select the Endpoint Groups tab, and then click the Add button.
  3. In the Bypass Mode section of the Create Endpoint Group page, toggle the State switch from Enabled to Disable
  4. Click Save and Close to save the configuration or click Cancel to return to the BloxOne Endpoint Group page without disabling protected bypass mode and probing requests.

For information on creating endpoint groups, see Creating Endpoint Groups.

  • No labels

This page has no comments.