deployment guide - data connector july 2019 · © 2019 infoblox inc. all rights reserved....

Deployment Guide Infoblox Data Connector 3.0 Deployment Guide



© 2019 Infoblox Inc. All rights reserved. Implementing Infoblox Data Connector, July 2019


TABLE OF CONTENTS

Overview ........................................................ 3
Prerequisites ................................................... 3
Installing Infoblox Data Connector .............................. 4
Deploying Infoblox Data Connector .............................. 14
SIEM Integration Instructions .................................. 29
ArcSight Integration Instructions .............................. 29
McAfee Integration Instructions ................................ 33
IBM QRadar Integration Instructions ............................ 35
Splunk Certificate Installation ................................ 37
Testing the Data Connector ..................................... 42
Summary ........................................................ 45


Overview

The Infoblox Data Connector VM (virtual appliance) is a utility designed to collect DNS query and response data from Infoblox Grid members, filter it according to user criteria (reducing the quantity of data), and convert it to a format that can be securely transferred to the NIOS reporting server for report generation, to Infoblox ActiveTrust Cloud and Threat Insight in the Cloud (the Infoblox Cloud destinations), or to a third-party SIEM. The Data Connector acts as a central point for data collection across your network. Using the Data Connector to collect DNS data helps reduce the impact of data exchange across your NIOS appliances when DNS query logging is enabled.

The Data Connector is designed to run on VMware ESXi servers. You can install the Data Connector VM on a host running VMware ESXi 5.x or later. After configuring the Data Connector VM, note that you can register only one Data Connector with a Grid running NIOS 7.3.0 or later as a reporting destination. Registration is not required for cloud destinations and Splunk.

When you set up a Data Connector VM, you use it solely for collecting DNS data, discovery information, lease information, and MS AD user information from the Grid and sending this data out. You cannot add licenses to run other services, such as DNS and DHCP.

The network map below illustrates the basic concept of the data collection process: collecting query and response data from Grid members, storing it, and sending it on to the reporting server or other third-party destinations, including Infoblox Cloud destinations and Splunk indexers. You can then monitor the trend of DNS queries by client, domain, time, record type, query type, and DNS view.

For further information on the Data Connector, refer to the Data Connector User Guide on support.infoblox.com.

Note: Before using the Data Connector, research and understand the performance impact that DNS query logging can have on its own, without the Data Connector or reporting server.

Prerequisites

The following are prerequisites for Infoblox Data Connector:

• A functional Infoblox Grid with a Grid Master and Reporting server running NIOS 7.3 or later.

• An administrative user account on the Grid.

• VMware ESXi version 5.x or later.

• A Security Ecosystem license, for the Splunk destination only (other destinations do not require the license).


Installing Infoblox Data Connector

1. Download the Data Connector OVA file from the Infoblox support site (support.infoblox.com).


2. From the VMware vSphere client, select File → Deploy OVF Template. Browse to the location of the file.

3. Click Next.


4. Click Next after reviewing the information.


5. Verify that the name of the Data Connector is satisfactory, or change it. Highlight the inventory location for installing the Data Connector VM.

6. Click Next.


7. Highlight the host or cluster on which the Data Connector is to run.

8. Click Next.


9. If applicable, select the host within the cluster to be used for the Data Connector VM.

10. Click Next.


11. Highlight the resource pool.

12. Click Next.


13. Highlight the destination storage for the Data Connector.

14. Click Next.


15. Select the disk format. If possible, select thin provisioning.

16. Click Next.


17. Select the network the Data Connector will use.

18. Click Next.


19. Click Finish after verifying all of the settings.

Deploying Infoblox Data Connector

The example instructions below show how to configure the Data Connector to talk to a reporting server, a Splunk instance, and Infoblox Cloud destinations.

1. From the Data Connector VM console or an SSH client (using port 2020), log into the command line interface with the default credentials (username ‘admin’, password ‘infoblox’). You will be asked to start the wizard after your first boot and login. Otherwise, type ‘wizard’ and press Enter to start the wizard.


2. You can change the password for the Data Connector if you wish.

3. Press Enter to configure the admin network settings.

4. Type dynamic to configure the server to set its network settings using DHCP. To configure a static IP address, type the settings on a single line using the format “mode gateway address mask vlanid”.

a. Mode is set to either static or dynamic (DHCP). This example uses static.
b. Gateway sets the default gateway router address. 10.60.16.1 is used in the example below.
c. Address is the IP address for the Data Connector VM. 10.60.16.29 is used in the example below.
d. Mask is used to set the subnet mask. 255.255.255.0 is used in the example below.
e. VLAN ID allows you to set a VLAN ID/tag if required for the network connection to work properly. Use 0 if VLAN tagging is not being used.

Example: static 10.60.16.1 10.60.16.29 255.255.255.0 0

5. Press Enter.

6. Type the IP address of the DNS server to be used and press Enter.

7. For the domain configuration, enter the domain name to be used, or press ‘Enter’ to accept the default.

8. Enter the hostname to be used for your Data Connector VM, or press ‘Enter’ to accept the default.

NOTE: The maximum length of the name is 64 characters.


9. Verify the configuration settings. Enter ‘y’ to accept or ‘n’ to go back and make changes.

10. (Optional) If you have an active subscription to ActiveTrust Cloud Plus or Threat Insight in the Cloud, you can provision your Data Connector server to send data to Infoblox Cloud destinations:

a. Using your web browser, log into your ActiveTrust Cloud Plus account on the Cloud Services Portal (https://csp.infoblox.com/).
b. Navigate to Administration → Unified Reporting.
c. Click ‘+’ to add a new entry.
d. Enter a (unique) name and select the Region.
e. Click Save.
f. Take note of the Name, URL and API Access Key, as these will be required later in these steps.

11. Continuing in your Data Connector CLI session, type “y” and press Enter to configure the data output cloud registration settings.

12. Enter the URL obtained from the Cloud Services Portal (CSP), which was generated above in step 10.

13. Enter the API ID obtained from the Cloud Services Portal (CSP), which was generated above in step 10.

14. For agent_id, enter the Name obtained from the Cloud Services Portal (CSP), which was generated above in step 10.

15. For the agent ID, enter the Name obtained from the Cloud Services Portal (CSP), which was generated above in step 10.

16. Verify that the information entered is correct and press Enter.


17. Steps 18 - 39 are optional unless you are sending data to Infoblox Cloud destinations.

18. For setups where data output cloud registration settings have been configured (as detailed above): type “y” at the “configure data output cloud settings” prompt and press Enter.

19. Enter the output cloud mode. The acceptable values are:

a. Disabled - no data is processed to the ActiveTrust Cloud Plus portal. This is the default.
b. Hold - data is processed from the Grid members and is held. This is a good way to get statistics on the amount of data being sent to the Data Connector.
c. Forward – data is forwarded to the ActiveTrust Cloud Plus portal.

Note: As a best practice, hold the data when initially enabling this feature, to determine the amount of data generated over time.

20. Press Enter to confirm.

21. Configure the Infoblox Grid as the source of IPAM, user, and lease data, and also for time synchronization. Type ‘data source grid’ from the > prompt.

22. Type ‘set username admin’. This command sets the admin username that the Data Connector uses to log in to the Grid.

23. Type ‘set address <IP address of Grid Master or Grid Master Candidate>’.

24. Type ‘password’ to enter the admin password for the Grid Master.

25. Type ‘data source grid’ from the > prompt.

26. Type ‘sync’ to synchronize the connection between the Data Connector and the Grid.


27. Type ‘data source grid’ from the > prompt. You will use the ‘set query’ command to configure the Grid as the source of the IP metadata.

28. Type ‘set query userinfo enabled’.

29. Type ‘set query ipam enabled’.

30. Type ‘set query lease enabled’.

31. On the Grid side, you must configure a syslog server to send DNS RPZ information to the Data Connector. Navigate to Grid → Grid Manager → Toolbar → Grid Properties → Edit.


32. Click on the Monitoring button.

33. Enable ‘Log to External Syslog Servers’. Click on the + button to add a syslog server.


34. In the screen above, type in the IP address of the Data Connector and set the Transport to TCP. Click the ‘Add’ button. TCP is the only transport supported at this time.

35. If your Grid is running NIOS 8.0 or later, you need to enable two additional items: Enable Network Users Feature and Enable Object Change Tracking.

36. Click on the General button and the Advanced tab. Click on Enable Network Users Feature.


37. Click on the Object Change Tracking button. Click Enable Object Change Tracking.

38. Click Save and Close.

39. On the Data Connector side, enter ‘data source syslog’ from the > prompt. Enter ‘set mode unencrypted’. This command enables receiving unencrypted syslog messages from the Grid via TCP.

40. Steps 41 - 46 are optional and required only if data should be forwarded to an external Splunk instance.


41. Configure the data output Splunk settings. These settings are for sending data to an external Splunk Enterprise Indexer. The screenshot below is an example:

42. Enter the IP address of the Splunk Indexer, similar to the screen above. Press Enter.

43. Enter the Splunk index name, similar to the screen above. Press Enter. This index name must also be entered on the Splunk server.

44. Enter the Splunk indexer port if it differs from the default and press Enter; otherwise, press Enter to keep the default.

45. Leave the mode at disabled, as the certificate has not been installed yet. See the subsequent section on Splunk certificate installation for further configuration steps.

46. Verify the settings. Type ‘y’ for yes and press Enter.

47. Configure the admin settings.


48. Enter a new greeting banner value, or press ‘Enter’ to accept the default.

49. Configure the data input SCP settings. These settings are used to configure the connection between the Grid and the Data Connector.

50. Configure the data source Grid settings. These settings allow the Data Connector to log in to the Grid Master.

51. Configure the data output settings. These settings are used for holding or sending data to the reporting server. The acceptable values are:

a. Disabled - no data is processed to the reporting server. This is the default.
b. Hold - data is processed from the Grid members and is held on the Data Connector. This is a good way to get statistics on the amount of data being sent to the Data Connector.
c. Forward – data is forwarded to the reporting server.

Note: As a best practice, hold the data when initially enabling this feature, to determine the amount of data generated over time.

52. Now that the Data Connector is fully configured, switch to the Infoblox NIOS GUI to perform further configuration. After logging into the Infoblox NIOS GUI, navigate to Grid → DNS → Toolbar → Edit → Grid DNS Properties → Logging → Advanced.

a. Enable Capture DNS Queries and/or Capture DNS Responses (best practice is to enable only one option at a time as this can have a performance impact on your server).

b. Enable Capture queries/responses for all domains.

c. Set the Export to menu to SCP.

d. Set the Directory Path to ~ (which represents ‘home directory’).

e. Set the Server Address to the IP address for your Data Connector server.

f. Set the Username that was configured on the Data Connector.

g. Set the Password that was configured on the Data Connector.

Steps A and B tell NIOS the type of data to forward to the Data Connector. Steps C to G tell NIOS the protocol and credentials to use to transfer the data to the Data Connector.


53. Click Save and Close.

54. Go to Administration → Reporting → Toolbar → Grid Reporting Properties.

a. Check the box for Enable Data Indexing.

b. Enable DNS Query Capture.

c. Set the Index % for DNS Query Capture to a non-zero number. You may need to adjust other categories to stay at or under 100%.

d. Click Save & Close.

e. Restart services.

f. Click Save and Close.


55. Navigate to Grid → Members → Toolbar → Data Collection. Click on Enable Registration. Note: This screen is not in NIOS 7.3. When you register the Data Connector with NIOS 7.3, there is no check to accept the registration; the registration from the Data Connector goes straight through. Skip to step 57.

56. Click Save & Close.


57. (Optional. Reporting destination only). From the Data Connector command-line interface, enter the command “data destination reporting registration register” to register with the Grid. This is necessary if you are sending data to the Infoblox Reporting Server. Otherwise, skip the rest of the steps.

Note: tab completion can be used to simplify the entry of these commands.


58. (Optional. Reporting destination only). From the Grid GUI, navigate to Grid → Grid Manager → Member → Toolbar → Data Collection to check the registration status.

59. From the Data Connector command-line interface, run the command ‘data source grid status’ to review information about the Grid that Data Connector is configured to connect to.
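The static network settings line from step 4 of this procedure (“mode gateway address mask vlanid”) is easy to mistype, and a wrong gateway or mask leaves the appliance unreachable until you return to the VM console. The Python script below is an added example, not part of this guide or of the Data Connector itself, that validates such a line before it is typed into the wizard: it checks that the mask is a contiguous dotted-decimal netmask, that the gateway lies in the same subnet as the appliance address and is not the address itself, and that the VLAN ID is in range (0 meaning untagged, as the wizard expects). The guide’s own example line is the first sample; the failing lines are constructed for the demonstration.

```python
"""Validate a Data Connector wizard network line: "mode gateway address mask vlanid".

Added example for this guide; it is not Infoblox code. Only the Python
standard library is used, so it runs anywhere before the console session.
"""
import ipaddress

VALID_MODES = ("static", "dynamic")
MAX_VLAN_ID = 4094  # 802.1Q tags run 1..4094; the wizard uses 0 for "untagged"


def parse_network_line(line: str) -> dict:
    """Parse and validate one wizard network line.

    Returns a dict describing the configuration, or raises ValueError with a
    message naming the field that is wrong.
    """
    fields = line.split()
    if not fields:
        raise ValueError("empty line")
    mode = fields[0].lower()
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {fields[0]!r}")
    if mode == "dynamic":
        # DHCP: the wizard takes only the keyword.
        if len(fields) != 1:
            raise ValueError("dynamic mode takes no further arguments")
        return {"mode": "dynamic"}
    if len(fields) != 5:
        raise ValueError("static mode needs exactly: static gateway address mask vlanid")
    _, gw_s, addr_s, mask_s, vlan_s = fields
    try:
        gateway = ipaddress.IPv4Address(gw_s)
        address = ipaddress.IPv4Address(addr_s)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"invalid IPv4 address: {exc}") from None
    if mask_s.count(".") != 3:
        raise ValueError(f"mask must be dotted-decimal (e.g. 255.255.255.0), got {mask_s!r}")
    try:
        # strict=False: the host bits of the appliance address are allowed to be set.
        network = ipaddress.IPv4Network(f"{addr_s}/{mask_s}", strict=False)
    except ValueError as exc:  # NetmaskValueError is a ValueError
        raise ValueError(f"invalid subnet mask {mask_s!r}: {exc}") from None
    if network.prefixlen >= 31:
        raise ValueError("mask leaves no room for both a host and a gateway")
    if gateway not in network:
        raise ValueError(f"gateway {gateway} is not inside {network}")
    if gateway == address:
        raise ValueError("gateway and address must differ")
    if address in (network.network_address, network.broadcast_address):
        raise ValueError(f"{address} is the network or broadcast address of {network}")
    if not vlan_s.isdigit() or not 0 <= int(vlan_s) <= MAX_VLAN_ID:
        raise ValueError(f"vlanid must be an integer 0..{MAX_VLAN_ID}, got {vlan_s!r}")
    return {
        "mode": "static",
        "gateway": str(gateway),
        "address": str(address),
        "mask": str(network.netmask),
        "vlan_id": int(vlan_s),
        "network": str(network),
    }


def check_network_line(line: str) -> str:
    """Return 'ok' or 'error: <reason>', convenient for checking prepared lines in bulk."""
    try:
        parse_network_line(line)
        return "ok"
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # First line is the guide's own example; the rest are constructed bad inputs.
    for sample in (
        "static 10.60.16.1 10.60.16.29 255.255.255.0 0",
        "dynamic",
        "static 10.60.17.1 10.60.16.29 255.255.255.0 0",    # gateway off-subnet
        "static 10.60.16.1 10.60.16.29 255.255.255.0 4095",  # VLAN out of range
        "static 10.60.16.1 10.60.16.29 255.0.255.0 0",       # non-contiguous mask
    ):
        print(f"{sample!r}: {check_network_line(sample)}")
```

Run the script on a file of prepared lines before a deployment window; a line that reports ‘ok’ can be pasted into the wizard as-is, and the error message names the field to correct.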


SIEM Integration Instructions

Data Connector 3.0 supports the forwarding of DNS query data to:

• Micro Focus ArcSight 7.0.0.2410.0
• McAfee ESM 10.1.0
• IBM QRadar 7.2.8

ArcSight Integration Instructions

Here are the instructions for configuring the Data Connector to ArcSight:

1. Type ‘data destination siem’ to go to the SIEM configuration section.

2. Type ‘ArcSight’.

3. To add the IP address of your ArcSight SIEM, type ‘add address <IP address>’.

4. By default, the forwarding mode is set to hold. The possible settings are: hold, forward, or disabled. The hold setting allows the Data Connector to accumulate data gathered from the Infoblox Grid members. The disabled setting disables any accumulation and forwarding of DNS data. To configure the output mode to forward, type ‘set mode forward’ to start forwarding data to the SIEM.

5. To set the port number used to communicate with the ArcSight SIEM, type ‘set port <number>’.

6. To import the certificate from the ArcSight SIEM, type ‘certificate import <scp|ftp>://loginname@serverIP:[port:]path’.

7. On the ArcSight side, execute the program called ‘ArcSight-<version string>-connector’ to add a SmartConnector.

8. Select the installation folder and click Next.


9. Select where you would like to create links and Click Next.

10. Review the information and click Next to confirm or click Previous to go back.


11. A second wizard will appear. Click Next to add a connector.

12. Select ‘Syslog NG Daemon’ and click Next.


13. Enter the port number and IP address of the Data Connector. The port number must match the port number configured on the Data Connector side. Click Next.

14. Select the ArcSight Manager destination and click Next.


15. Enter the IP address of the manager, manager port number, and credentials and click Next.

16. Complete the rest of the installation per the installation wizard.

McAfee Integration Instructions

Here are the instructions for configuring the Data Connector to McAfee ESM:

1. Type ‘data destination siem’ to go to the SIEM configuration section.

2. Type ‘McAfee’.

3. To add the IP address of your McAfee SIEM, type ‘add address <IP address>’.

4. By default, the forwarding mode is set to hold. The possible settings are: hold, forward, or disabled. The hold setting allows the Data Connector to accumulate data gathered from the Infoblox Grid members. The disabled setting disables any accumulation and forwarding of DNS data. To configure the output mode to forward, type ‘set mode forward’ to start forwarding data to the SIEM.

5. To set the port number used to communicate with the McAfee SIEM, type ‘set port <number>’.

6. To import the certificate from the McAfee SIEM, type ‘certificate import <scp|ftp>://loginname@serverIP:[port:]path’.

7. Log into McAfee ESM.


8. Navigate to System Navigation Tree → Configuration → McAfee Event Receiver → Selected Event Receiver.


9. Click on the ‘Add’ button.

10. Fill out the following fields:

a. Data Source Vendor: Infoblox.
b. Data Source Model: NIOS. This is filled in automatically when Infoblox is selected in the Data Source Vendor pull-down menu.
c. Data Format: CEF.
d. Data Retrieval: Syslog.
e. Name of Data Source.
f. IP Address: IP address of the Data Connector.
g. Require syslog TLS: Enabled.
h. Port number: use the default if that is acceptable.

11. Click OK.

IBM QRadar Integration Instructions

Here are the instructions for configuring the Data Connector to QRadar:

1. Type ‘data destination siem’ to go to the SIEM configuration section.


2. Type ‘QRadar’.

3. To add the IP address of your QRadar SIEM, type ‘add address <IP address>’.

4. By default, the forwarding mode is set to hold. The possible settings are: hold, forward, or disabled. The hold setting allows the Data Connector to accumulate data gathered from the Infoblox Grid members. The disabled setting disables any accumulation and forwarding of DNS data. To configure the output mode to forward, type ‘set mode forward’ to start forwarding data to the SIEM.

5. To set the port number used to communicate with the QRadar SIEM, type ‘set port <number>’.

6. To import the certificate from the QRadar SIEM, type ‘certificate import <scp|ftp>://loginname@serverIP:[port:]path’.

7. Log into IBM QRadar.

8. Navigate to Admin → Data Sources → Log Sources.

9. Click on the ‘Add’ button.

10. Fill out the following fields:

a. Log Source Name.
b. Log Source Description (optional).
c. Log Source Type: Universal LEEF.
d. Protocol Configuration: TLS Syslog.
e. Log Source Identifier: the IP address of the Data Connector.
f. TLS Listen Port: ensure the port numbers match between IBM QRadar and the Infoblox Data Connector.
g. Authentication Mode: TLS.
h. Certificate Type.

11. Enable the log source when ready.

12. Add the log source to the groups.


13. Click Save.

Splunk Certificate Installation

Signed certificates must be created and installed before any transactions can occur. The steps below show how to create and install self-signed certificates. They were run from a Linux server and the Data Connector CLI.

Generate self-signed CA certificate

1. Execute ‘openssl genrsa -aes256 -out myCAPrivateKey.key 2048’. This command creates your CA private key. Enter a passphrase for the key file when prompted.

2. Execute ‘openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr’. This command creates the certificate signing request. Follow the prompts. The common name must be unique.

3. Execute ‘openssl x509 -req -in myCACertificate.csr -sha512 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 1095’. This command creates the CA certificate.

Generate Server Certificate


1. Execute ‘openssl genrsa -aes256 -out myServerPrivateKey.key 2048’. This command creates the server private key.

2. Execute ‘openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr’. This command creates the server certificate signing request. The common name must be unique.

3. Execute ‘openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095’. This command creates the server certificate, signed by your CA.

Combine the server certificate, server private key, and CA certificate

1. Execute ‘cat myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem > <combined server certificate file name>.pem’.
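The following script is an added example, not part of the Infoblox guide: it reproduces the CA, server certificate and combined-PEM steps above non-interactively and then checks the result before it is copied to Splunk. The file names follow the guide; the passphrases, the subject names and the scratch directory are constructed placeholders, and the passphrases are passed with -passout/-passin instead of the interactive prompts the guide uses. The openssl x509 -CA/-CAkey invocation in make_server_cert is the same signing step the guide later applies to the Data Connector's forwarder certificate request.

```shell
#!/bin/sh
# Added example (not from the Infoblox guide): CA -> server certificate ->
# combined PEM, followed by the checks a practitioner runs before editing
# inputs.conf. Passphrases below are constructed placeholders.
set -e

CA_PASS="${CA_PASS:-ca-passphrase-placeholder}"
SRV_PASS="${SRV_PASS:-server-passphrase-placeholder}"

# Guide steps 1-3 of "Generate self-signed CA certificate". -CAcreateserial is
# omitted here because it only matters when signing with -CA.
make_ca() {
    dir="$1"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/myCAPrivateKey.key" 2048 2>/dev/null
    openssl req -new -key "$dir/myCAPrivateKey.key" -passin "pass:$CA_PASS" \
        -subj "/CN=example-splunk-ca" -out "$dir/myCACertificate.csr" 2>/dev/null
    openssl x509 -req -in "$dir/myCACertificate.csr" -sha512 \
        -signkey "$dir/myCAPrivateKey.key" -passin "pass:$CA_PASS" \
        -out "$dir/myCACertificate.pem" -days 1095 2>/dev/null
}

# Guide steps 1-3 of "Generate Server Certificate": encrypted key, CSR, and a
# CA-signed certificate. Signing a CSR with -CA/-CAkey is also what the guide
# does for the forwarder certificate request later on.
make_server_cert() {
    dir="$1"; cn="$2"
    openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out "$dir/myServerPrivateKey.key" 2048 2>/dev/null
    openssl req -new -key "$dir/myServerPrivateKey.key" -passin "pass:$SRV_PASS" \
        -subj "/CN=$cn" -out "$dir/myServerCertificate.csr" 2>/dev/null
    openssl x509 -req -in "$dir/myServerCertificate.csr" -sha256 \
        -CA "$dir/myCACertificate.pem" -CAkey "$dir/myCAPrivateKey.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -out "$dir/myServerCertificate.pem" -days 1095 2>/dev/null
}

# The single PEM that Splunk loads as serverCert: cert, encrypted key, CA cert.
combine_pem() {
    dir="$1"
    cat "$dir/myServerCertificate.pem" "$dir/myServerPrivateKey.key" "$dir/myCACertificate.pem" \
        > "$dir/combined.pem"
}

# The server certificate must chain to the CA that rootCA will point at.
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/myCACertificate.pem" "$dir/myServerCertificate.pem" >/dev/null 2>&1
}

# Number of PEM blocks whose BEGIN line matches the given pattern.
count_blocks() {
    grep -c "^-----BEGIN $2-----" "$1"
}

# Runs the whole flow in the given directory; returns 0 only if the chain
# verifies and the combined file holds two certificates and one private key
# (OpenSSL 1.1 writes "RSA PRIVATE KEY", OpenSSL 3 "ENCRYPTED PRIVATE KEY").
build_and_check() {
    dir="$1"
    make_ca "$dir"
    make_server_cert "$dir" "splunk-indexer.example.invalid"
    combine_pem "$dir"
    verify_chain "$dir" || { echo "server certificate does not chain to CA"; return 1; }
    [ "$(count_blocks "$dir/combined.pem" CERTIFICATE)" -eq 2 ] || { echo "combined.pem lacks both certificates"; return 1; }
    [ "$(count_blocks "$dir/combined.pem" '.*PRIVATE KEY')" -eq 1 ] || { echo "combined.pem lacks the server key"; return 1; }
    echo "chain OK, files in $dir"
}

# Stand-alone use: RUN_EXAMPLE=1 sh this_script.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    build_and_check "$(mktemp -d)"
fi
```

Run it with RUN_EXAMPLE=1 to produce the files in a temporary directory; the printed path holds myCACertificate.pem (for rootCA) and combined.pem (for serverCert). Keeping the server key encrypted is what makes the password line in the guide's inputs.conf necessary.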

Upload certificate files to Splunk instance

1. Upload the ‘myCACertificate.pem’, ‘<combined server certificate file name>.pem’, and ‘myServerPrivateKey.key’ files to the Splunk server.

Modify the inputs.conf file on the Splunk server

1. Modify the inputs.conf file in the /opt/splunk/etc/system/local/ subdirectory on Linux or the \Program Files\Splunk\etc\system\local subdirectory on Windows.

2. Add the following lines to the inputs.conf file (sample):

   #
   # SSL configuration stanza
   # See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#.5BSSL.5D
   # for full details
   #
   [SSL]
   #
   # Certification Authority certificate store.
   # It contains one or more certificates in .PEM format.
   # These certificates are used to sign indexer and forwarder certificates.
   #
   rootCA = <directory path>/myCACertificate.pem
   #
   # Indexer certificate signed by the Certification Authority certificate;
   # this certificate must include the private key
   #
   serverCert = <directory path>/<combined server certificate file name>.pem
   #
   # Server certificate password, if it's encrypted
   #
   password = <password from server private key in clear text. Splunk will encrypt when restarted>
   #
   # Determines whether the forwarder must authenticate
   #
   requireClientCert = true
   #
   # Stanza which configures receiving encrypted, parsed data from a forwarder.
   # Set <port> to the port number the forwarder will use for sending
   # encrypted data.
   #
   [splunktcp-ssl:9997]
   ## this is an empty stanza
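Because requireClientCert = true is the line that makes Splunk authenticate the Data Connector rather than accept any TLS client, a quick check of the stanza before restarting Splunk is worthwhile. The script below is an added example, not part of the Infoblox guide or of Splunk: it extracts keys from the [SSL] stanza of an inputs.conf with awk and fails if the stanza does not match the guide's sample. The two inputs.conf files it writes, and their paths, are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Infoblox guide or Splunk): validate the [SSL]
# stanza of an inputs.conf against the settings the guide's sample uses.
set -e

# Print the value of key $3 inside stanza $2 of file $1 (first match, trimmed);
# prints nothing if the stanza or key is absent. Comment lines are skipped.
stanza_value() {
    file="$1"; stanza="$2"; key="$3"
    awk -v s="[$stanza]" -v k="$key" '
        /^[ \t]*\[/ { in_s = ($0 == s); next }
        in_s && $0 !~ /^[ \t]*#/ {
            n = index($0, "=")
            if (n > 0) {
                name = substr($0, 1, n - 1); val = substr($0, n + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (name == k) { print val; exit }
            }
        }' "$file"
}

# Returns 0 only if rootCA and serverCert are set, requireClientCert is true,
# and a [splunktcp-ssl:<port>] receiving stanza exists.
check_ssl_stanza() {
    file="$1"
    [ -n "$(stanza_value "$file" SSL rootCA)" ] || { echo "rootCA missing"; return 1; }
    [ -n "$(stanza_value "$file" SSL serverCert)" ] || { echo "serverCert missing"; return 1; }
    [ "$(stanza_value "$file" SSL requireClientCert)" = true ] \
        || { echo "requireClientCert is not true: forwarders would not be authenticated"; return 1; }
    grep -q '^\[splunktcp-ssl:[0-9][0-9]*\]' "$file" || { echo "no splunktcp-ssl stanza"; return 1; }
    echo "SSL stanza OK: $file"
}

# Constructed sample files: one matching the guide, one with the client
# certificate requirement left out.
write_samples() {
    dir="$1"
    cat > "$dir/good_inputs.conf" <<'EOF'
[SSL]
rootCA = /opt/splunk/etc/auth/myCACertificate.pem
serverCert = /opt/splunk/etc/auth/combined.pem
password = placeholder-server-key-passphrase
requireClientCert = true

[splunktcp-ssl:9997]
EOF
    cat > "$dir/weak_inputs.conf" <<'EOF'
[SSL]
rootCA = /opt/splunk/etc/auth/myCACertificate.pem
serverCert = /opt/splunk/etc/auth/combined.pem
# requireClientCert not set, so Splunk will not demand a forwarder certificate
[splunktcp-ssl:9997]
EOF
}

# Stand-alone use: RUN_EXAMPLE=1 sh this_script.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    d=$(mktemp -d); write_samples "$d"
    check_ssl_stanza "$d/good_inputs.conf"
    check_ssl_stanza "$d/weak_inputs.conf" || true
fi
```

Point check_ssl_stanza at the real /opt/splunk/etc/system/local/inputs.conf after editing it; the weak sample shows the failure message you want to see before a Splunk restart rather than after.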

Data Connector Configuration

1. Ensure that you can ping the IP address of the Splunk server. The command is ‘admin network ping <IP address>’ from the ‘>’ prompt.


2. From the ‘>’ prompt, enter ‘data destination splunk’ and hit the enter key. This will put you in the correct subsystem to configure certificates.

3. Download the CA certificate from the Splunk server. The command is ‘cacertificate import scp://<username>@<IP address of Splunk server>:/<directory path>/<certificate name>.pem’.

4. Now that the certificate from the Splunk server is installed on the data connector, generate a certificate request on the data connector and have it signed by the Splunk server. The command is ‘certificate request’. This will be the forwarder certificate.

5. Highlight and copy this certificate request to the CLI of the Splunk server.

6. On the Splunk server, enter the command ‘openssl x509 -req -in <name of file that contains the certificate request> -extensions v3_usr -CA <Splunk certificate>.pem -CAkey <Splunk key name>.key -out <name of pem file>.pem’. This creates the signed certificate to be downloaded to the data connector.


7. Back on the data connector, import the signed certificate. The command is ‘certificate import scp://<username>@<IP address>:/<directory path of certificate>/<certificate name>.pem’.

8. You can show the certificate by entering the command ‘show certificate’. The output will be similar to the screenshot below:

9. Now you can set the mode of the data connector to forward data to the Splunk server. If a certificate error is reported at this point, you will need to troubleshoot the certificate problem; refer to your Splunk administrator for assistance.

10. You can also run the ‘info’ command from the ‘data.destination.splunk’ prompt to check for a successful connection between the data connector and the Splunk instance. You should see a ‘connected’ message like the screenshot below:

11. If you are doing a new installation of the Splunk server on Linux, make sure the ownership and permissions of the inputs.conf file are correct. In addition, either disable iptables, or enable iptables and add rules to allow ports 8000, 9997, and 22.

12. In the Splunk GUI settings, make sure of the following:
a. Indexer port is set to TCP 9997.
b. Source type is set to ‘ib:dns:captures’.
c. Index name is set to ‘ib_dns_captures’.


Testing the Data Connector

1. On the Data Connector, you can check the statistics to ensure data is being collected and transmitted by running ‘data destination’ and then ‘stats’.

Once DNS queries have been run against this grid the Data Connector will transfer query data to the Infoblox Reporting server. Click Reporting > Reports and open the DNS Top Requested Domain report.


2. When testing the data connector pushing DNS data to ActiveTrust Cloud, the sample report below shows DNS security data from an on-premises Grid.

3. Here is the corresponding output from the nslookup command from a workstation.


4. To test the data connector when pushing DNS data to Splunk, run a DNS query against one of the Infoblox DNS members. By default, the queries will appear on the Splunk server within 10 minutes. You can use the ‘dig’ command on Linux or ‘nslookup’ on Windows.

5. On the Splunk Indexes screen, ensure the Splunk index name is entered.

6. On the Splunk reporting screen, you should start to see entries from the queries in step 4 after 10 minutes.


Summary

Infoblox’s Data Connector provides the following benefits:

• Serves as a central data collection point.
• Reduces the impact of data exchange across NIOS appliances.
• Forwards data to the Reporting Appliance.
• Forwards data to the ActiveTrust Cloud for malicious site reporting purposes.
• Forwards data to:
  o Splunk Enterprise Indexer for reporting purposes.
  o Micro Focus ArcSight
  o McAfee ESM
  o IBM QRadar


Infoblox is leading the way to next-level DDI with its Secure Cloud-Managed Network Services. Infoblox brings next-level security, reliability and automation to on-premises, cloud and hybrid networks, setting customers on a path to a single pane of glass for network management. Infoblox is a recognized leader with 50 percent market share comprised of 8,000 customers, including 350 of the Fortune 500.

Corporate Headquarters | 3111 Coronado Dr. | Santa Clara, CA | 95054

+1.408.986.4000 | 1.866.463.6256 (toll-free, U.S. and Canada) | [email protected] | www.infoblox.com

© 2018 Infoblox, Inc. All rights reserved. Infoblox logo, and other marks appearing herein are property of Infoblox, Inc. All other marks are the property of their respective owner(s).