Infoblox Deployment Guide - Implementing Infoblox Data ... · 41. Configure data output Splunk...

© 2017 Infoblox Inc. All rights reserved. Implementing Infoblox Data Connector, July 2017 of 31

DEPLOYMENT GUIDE

Implementing Infoblox Data Connector 2.0


Contents

Overview .................................................................................................................................... 3

Prerequisites .............................................................................................................................. 3

Installing Infoblox Data Connector ............................................................................................. 4

Deploying Infoblox Data Connector ......................................................................................... 13

Splunk Certificate Installation ................................................................................................... 26

Testing the Data Connector ..................................................................................................... 28

Summary .................................................................................................................................. 31


Overview

The Infoblox Data Connector VM (virtual appliance) is a utility that is designed to collect DNS query and response data from the Infoblox Grid members, filter out based on user criteria thus reducing the quantity of data, convert the data to a format that can be securely transferred to the NIOS reporting server for report generation, Infoblox ActiveTrust Cloud and Threat Insight in the Cloud (Infoblox Cloud destinations), or to third-party Splunk Indexer. The Data Connector acts as a central point for data collection across your network. Using the Data Connector to collect DNS data helps reduce the impact of data exchange across your NIOS appliances and helps improve the performance of your Grid.

The Data Connector is designed to run on VMware ESXi servers. You can install the Data Connector VM on a host running VMware ESXi 5.x or later. After configuring the Data Connector VM, note that you can register only one Data Connector with a Grid running NIOS 7.3.0 and later for reporting destination. Registration is not required for cloud destinations and Splunk. When you set up a Data Connector VM, you use it solely for collecting DNS data, discovery information, lease information, and MS AD user from the Grid and sending this data out. You cannot add licenses to run other services, such as DNS and DHCP. The network map below illustrates the basic concept of the data collection process, which includes collecting query and response data from Grid members, storing them, and sending it back to the reporting server or other third-party destinations, including Infoblox Cloud destinations and Splunk indexers. You can then monitor the trend of DNS queries by client, domain, time, record type, query type, and DNS view.

Prerequisites

The following are prerequisites for Infoblox Data Connector:

• Functional Infoblox Grid with a Grid Master and Reporting server running NIOS 7.3 or later.

• An administrative user account on the Grid.

• VMWare ESXi version is 5.x or later.

• Security Ecosystem license for Splunk destination only (other destinations do not require the license).

Threat Insight


Installing Infoblox Data Connector

1. Download the Data Connector .ova file from the Infoblox Support site (https://support.infoblox.com/). 2. From the VMware vSphere client, select File Deploy OVF Template. Browse to the location of the file.

3. Click Next.


4. Click Next after reviewing the information.


5. Verify the name on the Data Connector is satisfactory or change it. Highlight the inventory location for

installing the Data Connector VM.

6. Click Next.


7. Highlight the host or cluster the Data Connector is to run.

8. Click Next.


9. If applicable, select the the host within the cluster to be used for the Data Connector VM .

10. Click Next.


11. Hightlight the resource pool.

12. Click Next.


13. Highlight the destination storage for the Data Connector .

14. Click Next.


15. Select the disk format. If possible, select thin provisioning.

16. Click Next.


17. Select the network the Data Connector will use.

18. Click Next.


19. Click Finish after verifying all of the settings.

Deploying Infoblox Data Connector

The example instructions below show how to configure the Data Connector to talk to a reporting server, Splunk instance and Infoblox Cloud destinations.

1. From the Data Connector VM console or an SSH client (using port 2020), log into the command line

interface with the default credentials of username of ‘admin’ and password of ‘infoblox’. You will be

asked to start up the wizard after your first boot up and login. Otherwise, type in ‘wizard’ and press

‘Enter’ to start the wizard.

2. You can change password for the Data Connector if you wish.


3. Press Enter to configure admin network settings.

4. Type dynamic to configure the server to set its network settings using DHCP. To configure a static IP

address, type them on a single line using the format “mode gateway address mask vlanid”.

a. Mode is set to either static, or dynamic (DHCP). This example uses static.

b. Gateway sets the default gateway router address. 10.60.16.1 is used in the example below.

c. Address is the IP address for the Data Connector VM. 10.60.16.29 is used in the example below.

d. Mask is used to set the subnet mask. 255.255.255.0 is used in the example below.

e. VLAN ID allows you to set a VLAN ID/tag if required for the network connection to work properly.

Use 0 if VLAN tagging is not being used.

Example: static 10.60.16.1 10.60.16.29 255.255.255.0 0 5. Press Enter.

6. Type the IP address of the DNS server to be used and press Enter.

7. For the domain configuration, enter the domain name to be used, or press ‘Enter’ to accept the default.

8. Enter the hostname to be used for your Data Connector VM, or press ‘Enter’ to accept the default. NOTE:

The maximum length of the name is 64 characters.


9. Verify the configuration settings. Enter ‘y’ to accept or ‘n’ to go back and make changes.

10. (Optional): If you have an active subscription to ActiveTrust Cloud Plus or Threat Insight in the Cloud, you

can provision your Data Connector server to send data to Infoblox Cloud destinations:

a. Using your web browser, log into your ActiveTrust Cloud Plus account on the Cloud Services

Portal (https://csp.infoblox.com/).

b. Navigate to Administration Unified Reporting.

c. Click ‘+’ to add a new entry.

d. Enter a (unique) name and select the Region.

e. Click Save.

f. Take note of the Name, URL and API Access Key as these will be required later in these steps.

11. Continuing in your Data Connector CLI session, type “y” and press Enter to configure the data output

cloud registration settings.

12. Enter the URL obtained from the Cloud Services Portal (CSP) which was generated above in step 10.

13. Enter the API ID obtained from the Cloud Services Portal (CSP) which was generated above in step 10.

14. For agent_id, enter the Name obtained from the Cloud Services Portal (CSP) which was generated above

in step 10.

15. For the agent ID, enter the Name which was obtained from the Cloud Services Portal (CSP) and which

was generated above in step 10.

16. Verify that the information entered is correct and press Enter.

https://csp.infoblox.com/


17. Steps 18 - 39 are optional and required if you are going to send data to Infoblox Cloud destinations

18. For setups where data output cloud registration settings have been configured (as detailed above): Type

“y” at the “configure data output cloud settings” prompt and press Enter.

19. Enter the output cloud mode. The acceptable values are:

a. Disabled - no data is processed to the ActiveTrust Cloud Plus portal. This is the default.

b. Hold - Data is processed from the Grid members and is held. This is a good way to get statistics

on the amount of data being sent to the Data Connector.

c. Forward – data is forwarded to the ActiveTrust Cloud Plus portal.

Note: As a best practice, it is best to hold the data when initially enabling this feature to determine the

amount of data generated over time.

20. Press Enter to confirm.

21. Configure Infoblox Grid as source of IPAM, User, and lease data and also for time synchronization. Type

in ‘data source grid’ from the > prompt.

22. Type ‘set username admin’. This command is used for setting the admin username for the Data

Connector to login to the Grid.

23. Type ‘set address <IP address of Grid Master or Grid Master Candidate>’.

24. Type ‘password’ to enter the admin password for the Grid master.

25. Type ‘data source grid’ from the > prompt.

26. Type ‘sync’ to synchronize the connection between the Data Connector and Grid.

27. Type ‘data source grid’ from the > prompt. You will be using the ‘set query’ command to configure the

Grid as the source of the IP metadata.


28. Type ‘set query userinfo enabled’.

29. Type ‘set query ipam enabled’.

30. Type ‘set query lease enabled’.

31. On the Grid side, you must configure syslog server to send DNS RPZ information to the Data Connector.

Navigate to Grid Grid Manager Toolbar Grid Properties Edit.


32. Click on the Monitoring button.

33. Enable ‘Log to External Syslog Servers’. Click on the + button to add a syslog server.

34. In the screen above, type in the IP address of the Data Connector and set the Transport to TCP. Click

the ‘Add’ button to add.


35. If your grid is running version 8.0 and above, you need to enable a couple of items: Enable Network

Users Feature and Enable Object Change Tracking.

36. Click on the General button and the Advanced tab. Click on Enable Network Users Feature.

37. Click on the Object Change Tracking button. Click on the Enable Object Tracking Change.

38. Click Save and Close.


39. On the Data Connector side, enter ‘data source syslog’ from the > prompt. Enter ‘set mode

unencrypted’. This command enables the receiving of unencrypted syslog messages from the Grid via

TCP.

40. Steps 41 - 46 are optional and required only if data should be forwarded to external Splunk.

41. Configure data output Splunk settings. These settings are for sending data to an external Splunk

Enterprise Indexer. The screen shot below is an example:

42. Enter the IP address of the Splunk Indexer similar to the screen above. Hit Enter.

43. Enter the Splunk index name similar to the screen above. Press Enter. This index name must also be

entered on the Splunk server.

44. Enter the Splunk default indexer port if it is different. Press Enter; otherwise, press Enter.

45. Leave the mode at disabled as the certificate has not been installed. See the subsequent section on

Splunk certificate installation for further configuration steps.

46. Verify the settings. Type ‘y’ for yes and press Enter.

47. Configure the admin settings.


48. Enter a new greeting banner value, or press ‘Enter’ to accept the default.

49. Configure the data input SCP settings. These settings will be used to configure the connection between

the Grid and the Data Connector.

50. Configure the data source Grid settings. These settings allow the Data Connector to login to the Grid

Master.

51. Configure the data output settings. These settings are used for holding or sending data to the reporting

server. The acceptable values are:

a. Disabled - no data is processed to the reporting server. This is the default.

b. Hold - Data is processed from the Grid members and is held. This is a good way to get statistics

on the amount of data being sent to the data connector.

c. Forward – data is forwarded to the reporting server.

Note: As a best practice, it is best to hold the data when initially enabling this feature to determine the amount of data generated over time.


52. Now that we have fully configured the Data Connector, switch to the Infoblox NIOS GUI to perform further

configurations. After logging into the Infoblox NIOS GUI, navigate to Data Management Grid DNS

ToolBar Edit Grid DNS Properties Logging Advanced.

I. Enable Capture DNS Queries and/or Capture DNS Responses (best practice is to enable only

one option at a time as this can have a performance impact on your server).

II. Enable Capture queries/response for all domains.

III. Set the Export to menu to SCP.

IV. Set the Directory Path to ~ (which represents ‘home directory’).

V. Set the Server Address to the IP address for your Data Connector server.

VI. Set the Username that was configured on the Data Connector.

VII. Set the Password that was configured on the Data Connector.

Steps 1 & 2 tells NIOS the type of data to forward to the Data Connector. Steps 3 to 5 tells NIOS the protocol and

credentials to use to transfer the data to the Data Connector.

53. Click Save and Close.


54. Go to Administration Reporting Toolbar Grid Reporting Properties.

a. Check the box for Enable Data Indexing.

b. Enable DNS Query Capture.

c. Set the Index % for DNS Query Capture to a non-zero number. You may need to adjust other

categories to stay at or under 100%.

d. Click Save & Close.

e. Restart services .

f. Click Save and Close.


55. Navigate to Grid Members Toolbar Data Collection. Click on Enable Registration. Note: This

screen is not in NIOS 7.3. When you register the data connector, there is no check to accept registration

in NIOS 7.3. The registration from the data connector goes straight through. Skip to step 21.

56. Click Save & Close.

57. (Optional. Reporting destination only). From the Data Connector command-line interface, enter the

command “data destination reporting registration register” to register with the Grid. This is necessary

if you are sending data to the Infoblox Reporting Server. Otherwise, skip the rest of the steps.

Note: tab completion can be used to simplify the entry of these commands.


58. (Optional. Reporting destination only). From the Grid GUI, navigate to Grid Member Toolbar

Data Collection to check the registration status.

59. From the Data Connector command-line interface, run the command ‘data source grid status’ to review

information about the Grid that Data Connector is configured to connect to.


Splunk Certificate Installation

Certificates must be installed and signed before any transactions can occur. The steps below will show you how to install and sign the certificates.

1. Ensure that you can ping the IP address of the Splunk server. The command is ‘admin network ping

<IP address> from the ‘>’ prompt. You may have to type exit a couple of times to get to the prompt.

2. From the ‘>’ prompt, enter ‘data destination splunk’ and hit the enter key. This will put you in the

correct subsystem to configure certificates.

3. Download the certificate from Splunk server. The command is ‘cacertficate import

scp://username@<IP address of Splunk server>://directory path/<certificate name>.pem

4. Now that we have the certificate from the Splunk server installed into the data connector, we need to

generate a certificate on the data connector and have it signed by the Splunk server. The command

is ‘certificate request’. This will be the forwarder certificate.


5. Highlight and copy this certificate request to the CLI of the Splunk server.

6. On the Splunk server, enter the command ‘openssl x509 -req -in <name of file that contains the

certificate> -extensions v3_usr –CA <Splunk certificate>.pem -CAkey <Splunk key name>.key -out

<name of pem file>.pem’. This creates the signed certificate to be downloaded to the data connector.

7. Back to the data connector screen. Import the signed certificate. The command is ‘certificate import

scp://<username>@<IP address>:/<directory path of certificate>/<certificate name>.pem’.

8. You can show the certificate by entering the command ‘show certificate’. The output will be similar to

the screen show below:

9. NOW you can set the mode of the data connector to forward data to the Splunk server. If the

command does not return a forward mode, then the certificate authentication was not correct. You


will need to troubleshoot this certificate problem. Refer to your Splunk administrator for assistance.

Testing the Data Connector

1. On the Data Connector, you can check the statistics to ensure data is being collected and transmitted

by running ‘data destination’ and then ‘stats’.

Once DNS queries have been run against this grid the Data Connector will transfer query data to the

reporting server. Click Reporting > Reports and open the DNS Top Requested Domain report.


2. On the ActiveTrust Cloud Plus side, here is a sample report of data coming from a on premises Grid.

“Include On-Prem Data” checkbox must be selected.

3. Here is the corresponding output from the nslookup command from a workstation.


4. For Splunk connections, run a DNS query command to one of the Infoblox DNS members. By default,

the queries will appear on Splunk server in 10 minutes. You can use the ‘dig’ command on Linux or

‘nslookup’ on Windows.

5. On the Splunk Indexes screen, ensure the Splunk index name is entered.

6. On the Splunk reporting screen, you should start to see entries from the queries from step 4 after 10

minutes.


Summary

Infoblox’s Data Connector provides the following benefits:

• Serves as a central data collection point.

• Reduces the impact of data exchange across NIOS appliances.

• Forwards data to the Reporting Appliance.

• Forwards data to the ActiveTrust Cloud for malicious site reporting purposes.

• Forwards data to Splunk Enterprise Indexer for reporting purposes.

Infoblox Deployment Guide - Implementing Infoblox Data ... · 41. Configure data output Splunk...

Documents

Transcript of Infoblox Deployment Guide - Implementing Infoblox Data ... · 41. Configure data output Splunk...