For those of you who weren’t able to attend our Quarterly Customer Update webinar on June 19th, a replay of it is now available. We have also compiled the Q&A from the webinar and included it here for you.
Q: Is it possible to add our own custom DNS Malware feed, for example to take advantage of TrendMicro’s cloud reputation services, and feed that into the DNS Firewall appliance?
A: Infoblox built its reputational feed for DNS Firewall from 35+ public & private resources throughout the world to provide the greatest coverage and choices of botnets, C&C servers and geography blocks. By building feeds of varying levels of service, Infoblox enables customers to choose a single feed that can be easily imported (usually every 2 hours) and minimizes the impact on the overall performance of the DNS server. Depending on the level of protection chosen, the impact on the DNS server can vary. Impact of the highest level (malware, botnets, dropper sites, and maximum geography blocks) is around 15% on server resources.
You can use feeds from 3rd party services but there are a few caveats:
- The feed data must be compatible with Infoblox DNS Firewall RPZ (see documentation for information).
- You will be responsible for keeping the data up-to-date.
- Infoblox Technical Support will be limited in how much it can help in the event of a problem with the feed being used by DNS Firewall.
Q: Where are you getting your DNS blacklist?
A: Some of the sources of blacklist information include services like SpamHaus and PhishTank. Some of the sources are privately held companies that we cannot name. Infoblox offers the reputational feed in 7 levels so customers can choose the appropriate level of protection. Each level of service is updated every 2 hours and pushed out to DNS Firewall servers via DNS Notify.
Q: Can you “whitelist” server machines to get DNS Malware resolutions? For example, a third party MTA anti-spam engine that needs to evaluate embedded URLs within email to rule check them?
A: You can configure DNS Firewall to do one of the following actions with DNS query resolutions that resolve to bad domains: Block, re-direct to an internal webpage for http/URL queries, or passthru & log. In the case of http/URL you can also re-direct to a 3rd party product for evaluation.
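Added example, not Infoblox code and not from the webinar: a Python script that turns a third-party domain blocklist into a BIND-style RPZ zone using the standard RPZ target encodings for the outcomes described in the answers above (block, redirect to an internal page, passthru). It covers the first two caveats from the earlier answer: entries are validated before they reach the zone, and the SOA serial has to be bumped on every refresh so the updated zone propagates. The feed text, the zone name custom-feed.rpz and the redirect target walledgarden.corp.example are constructed for illustration; how the finished zone is loaded into DNS Firewall is covered by the product documentation the answer refers to.

```python
"""Turn a third-party domain blocklist into a BIND-style RPZ zone.

Added example, not Infoblox code. Standard RPZ target encodings are used:
CNAME "."  -> NXDOMAIN (block), CNAME "*." -> NODATA,
CNAME "rpz-passthru." -> resolve normally (the resolver still logs the hit),
CNAME <name> -> redirect to that name (walled garden).
The feed text, zone name and redirect target below are constructed.
"""
import re

# Constructed sample feed: comments, blank lines, mixed case, a trailing dot,
# leading whitespace, a duplicate, and three entries an importer must reject.
SAMPLE_FEED = """\
# constructed sample feed - none of these are real indicators
malware-dropper.example
BOTNET-CC.EXAMPLE.
  phish-landing.example
malware-dropper.example
not a domain!
.leading-dot.example
example
"""

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# RPZ action -> CNAME target ("redirect" is handled separately).
ACTION_TARGETS = {
    "block": ".",
    "nodata": "*.",
    "passthru": "rpz-passthru.",
}

def normalize_domain(raw):
    """Return a lower-case domain without trailing dot, or None if unusable."""
    name = raw.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    if any(not LABEL_RE.match(label) for label in labels):
        return None
    return name

def parse_feed(text):
    """Split feed text into (unique valid domains, rejected raw lines)."""
    accepted, rejected, seen = [], [], set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name = normalize_domain(line)
        if name is None:
            rejected.append(line)
        elif name not in seen:
            seen.add(name)
            accepted.append(name)
    return accepted, rejected

def rpz_zone(domains, zone="custom-feed.rpz", action="block",
             redirect_to=None, serial=1, cover_subdomains=True):
    """Render an RPZ zone file. Bump `serial` on every refresh so the
    NOTIFY / zone transfer to the firewall servers picks up the new data."""
    if action == "redirect":
        if not redirect_to:
            raise ValueError("redirect action needs redirect_to")
        target = redirect_to.rstrip(".") + "."
    else:
        target = ACTION_TARGETS[action]          # KeyError on an unknown action
    lines = [
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{zone}.",
    ]
    for name in domains:
        lines.append(f"{name} IN CNAME {target}")
        if cover_subdomains:                     # also catch hosts under the domain
            lines.append(f"*.{name} IN CNAME {target}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    good, bad = parse_feed(SAMPLE_FEED)
    print(f"rejected {len(bad)} feed line(s): {bad}")
    print(rpz_zone(good, action="redirect",
                   redirect_to="walledgarden.corp.example", serial=2))
```

Rejected lines are returned rather than silently dropped so a feed refresh that suddenly rejects most of its input (a changed upstream format, a truncated download) is noticed before an empty zone replaces a working one. A passthru entry is the RPZ way to exempt a name while still logging the query, which is the behaviour the answer describes for a mail gateway that needs to resolve suspicious URLs itself.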
Q: Is the DHCP option sequence you are using publicly known so an attacker could emulate the sequence and fool your system?
A: The option sequence is defined in DHCP Option 55 and available through the device vendor. Where defined, the second identification is the device ID in Option 60. By using the reports you can monitor for MACs changing their fingerprint.
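Added example, not Infoblox code and not how NIOS computes or stores its fingerprints: a Python script that pulls Option 55 (parameter request list) and Option 60 (vendor class) out of a DHCP packet, builds a fingerprint string from them, and reports when a MAC address shows up with a different fingerprint than it had before, which is the check the answer suggests running against the reports. The "55:...|60:..." fingerprint format, the MAC address and every packet are constructed for illustration; build_dhcp_discover() exists only to produce test packets.

```python
"""Parse DHCP Option 55 (parameter request list) and Option 60 (vendor
class) into a device fingerprint and flag a MAC whose fingerprint changes.

Added example, not Infoblox code and not the NIOS fingerprint format. The
"55:<codes>|60:<vendor class>" string is an illustrative assumption, and
every packet here is constructed with build_dhcp_discover(), not captured.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP options field (RFC 2132)

def build_dhcp_discover(mac, param_request_list, vendor_class=None, xid=0x12345678):
    """Construct a minimal BOOTP/DHCP DISCOVER packet (test data only)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops, xid, secs, flags=broadcast,
    # ciaddr/yiaddr/siaddr/giaddr, chaddr, sname, file: the 236-byte fixed header
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    opts = bytearray(MAGIC_COOKIE)
    opts += bytes([53, 1, 1])                                   # DHCPDISCOVER
    opts += bytes([55, len(param_request_list)]) + bytes(param_request_list)
    if vendor_class:
        vc = vendor_class.encode("ascii")
        opts += bytes([60, len(vc)]) + vc
    opts += b"\xff"                                             # end option
    return header + bytes(opts)

def parse_dhcp_options(packet):
    """Return (client MAC, {option code: raw bytes}); ValueError if malformed."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                # pad option, no length byte
            i += 1
            continue
        if code == 255:              # end option
            return mac, options
        if i + 1 >= len(packet):
            raise ValueError(f"truncated header for option {code}")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated data for option {code}")
        # RFC 3396 allows a long option to be split across repeated codes: concatenate.
        options[code] = options.get(code, b"") + data
        i += 2 + length
    raise ValueError("missing end option")

def is_well_formed(packet):
    """True when the packet parses; a relay or sensor should drop the rest."""
    try:
        parse_dhcp_options(packet)
        return True
    except ValueError:
        return False

def fingerprint(options):
    """Illustrative fingerprint: the ordered Option 55 codes plus the Option 60 string."""
    codes = ",".join(str(b) for b in options.get(55, b""))
    vendor = options.get(60, b"").decode("ascii", "replace")
    return f"55:{codes}|60:{vendor}"

class FingerprintTracker:
    """Remember each MAC's last fingerprint and report when it changes."""
    def __init__(self):
        self.last = {}

    def observe(self, packet):
        mac, options = parse_dhcp_options(packet)
        fp = fingerprint(options)
        previous = self.last.get(mac)
        self.last[mac] = fp
        if previous is not None and previous != fp:
            return {"mac": mac, "old": previous, "new": fp}
        return None

def demo():
    """One constructed MAC: two consistent requests, then a different client stack."""
    mac = "00:11:22:33:44:55"                  # constructed address
    packets = [
        build_dhcp_discover(mac, [1, 3, 6, 15, 31, 33, 43, 44, 46, 47], "vendor-A"),
        build_dhcp_discover(mac, [1, 3, 6, 15, 31, 33, 43, 44, 46, 47], "vendor-A"),
        build_dhcp_discover(mac, [1, 121, 3, 6, 15, 119, 252], "vendor-B"),
    ]
    tracker = FingerprintTracker()
    return [a for a in map(tracker.observe, packets) if a is not None]

if __name__ == "__main__":
    for alert in demo():
        print(f"{alert['mac']}: fingerprint changed from {alert['old']} to {alert['new']}")
```

The order of the Option 55 codes is kept, since the order is part of what distinguishes one client stack from another. The check above catches a device whose request sequence changes over time, which is the signal the answer points at; it does not on its own distinguish two clients that send an identical Option 55/60 sequence, so the fingerprint is an identification aid for reporting, not an authentication control.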
Q: Does DHCP fingerprinting add any additional load on an Infoblox appliance?
A: As part of the DHCP process the LPS performance impact is less than 10%. Existing customers upgrading to 6.7 will need to turn on DHCP fingerprinting as it is not automatically enabled by the upgrade. For new installations with NIOS 6.7, DHCP fingerprinting is enabled by default.
Q: Does DHCP fingerprinting reporting require the reporting appliance?
A: DHCP Fingerprinting does not require Reporting Server. If you don’t have Reporting Server, you will need to build your own reporting for trending information that comes from having DHCP fingerprinting information available.
Q: Is a NAC product coming?
A: At this time there are no plans for NAC. DHCP Fingerprinting is about controlling access of devices, not users.
Q: Was that reporting page built into the DDI product, or does that require the additional reporting product?
A: Reporting comes from a separate server which provides reporting for DNS, DHCP, and IP Address management. Reporting Server off-loads the data collection and correlation of data from DNS, DNS Firewall, DHCP, and IP Address management.
Q: Is reporting a built-in feature or do we have to buy it?
A: Trinzic Reporting is an add-on feature that includes a turn-key physical or virtual appliance option for providing long-term visibility of DNS, DHCP and IPAM aspects. The solution includes an embedded data collection engine and over 30 pre-built reports.
Q: Is reporting supported on a VM server or only a hardware device?
A: Reporting Server is offered as a virtual appliance. You need to be aware that it performs continual data collection and correlation, and running on a VM might not be ideal for environments with high levels of activity.
Q: So how does the DHCP Fingerprint integrate with the DHCP registration? Is there a portal where I can have users register their gaming devices etc. to the employee ID?
A: There is a Captive Portal for AuthDHCP available. Your user would use this to register the device. Once registered, the device will be automatically identified.
Q: Do you have any link that specifies versions upgrade map? I want to know from what NIOS version to what NIOS version I can upgrade.
A: Your best reference is the release notes for the NIOS version you are upgrading to. Each version includes an upgrade path chart.
Q: Do the NT devices cluster or use HA pairs? I am interested in making the NT-1400 redundant, similar to NIOS HA pairs.
A: There are redundant options available. The Network Automation appliances can be deployed in a redundant fashion where failover is needed. They are not exactly HA pairs for immediate failover, but the redundancy option provides backup options for fast conversion. The NT-Appliances can be deployed in a distributed architecture.
Q: Does 6.7 support staggered upgrade?
A: SGU support depends on the version of NIOS you are upgrading from. Please check the release notes for more information.
Q: Are there any plans for NETMRI to support VRF tagging?
A: VRF support is a feature we are investigating. If you want specific details, please contact your Infoblox rep and ask for a roadmap discussion. We cannot discuss futures in this forum.
Q: Since NetMRI can do policy checking will it also be able to handle any compliance checking?
A: Yes, the Network Automation platform is used extensively for both policy checking and compliance checking for internal and external mandates. The continuous monitoring ensures the network stays standard, and single-click reports can prove success for audit requirements.
Q: Does anyone complain about the network ports being on the front of the appliance? It plays havoc with our rack mounting installation.
A: Typically Infoblox appliances are installed in racks with network equipment which has ports on the front, so from a wiring perspective it works well.
Q: Are Ironport products supported?
A: Ironport (Security Device Controller) support is to be determined.