Differences

This shows you the differences between two versions of the page.

--- infoblox:licencing [2023/01/24 11:56] – bstafford
+++ infoblox:licencing [2024/12/27 15:33] (current) – bstafford
@@ Line 1: / Line 1: @@
 ====== Infoblox Licencing ======
-=====BloxOne DDI =====
+===== Infoblox Tokens =====
-[[https://docs.infoblox.com/space/BloxOneDDI/35001450|Here]]
+[[https://docs.infoblox.com/space/BloxOneDDI/846954761/Universal+DDI+Licensing|Token documentation page]].
+==== Reporting Tokens ====
+Reporting tokens are only needed for
+  * DDI DHCP Lease Log
+  * DDI Query/Response Log
+The following logs are available even if no reporting tokens have been purchased. A data connector VM can be deployed and used to get the logs off the Infoblox Portal (without requiring Server Tokens)
+  * Audit Log
+  * Internal Notifications
+  * Service Log
+The following logs are available only to customers of the Infoblox Threat Defense Advanced and Infoblox Threat Defense Business Cloud subscriptions. They do not require reporting tokens as this is covered by the Threat Defense subscription.
+  * Threat Defense Query/Response
+  * Threat Defense Threat Feeds Hits Logs
+===== Universal DDI =====
+[[https://docs.infoblox.com/space/BloxOneDDI/846954761/Universal+DDI+Licensing|Here]]
 =====BloxOne Threat Defense =====
 [[https://docs.infoblox.com/space/BloxOneThreatDefense/35403512|Here]]
@@ Line 15: / Line 34: @@
   * Threat Lookup to research basic attacker data (Dossier is not included in BloxOne Threat Defense Essentials)
   * Predefined Reports (Infoblox reporting appliance is required if On-Prem)
+  * [[infoblox:rpz_feeds|This page lists feeds available]] in Essentials
@@ Line 23: / Line 43: @@
   * (**Cloud Only**) Web Content Filtering
   * Access to the Active indicators tool
+  * [[infoblox:rpz_feeds|This page lists feeds available]] in Business (Business + Essentials)
@@ Line 29: / Line 50: @@
   * Access to Application Discovery tool
   * Application filtering
+  * [[infoblox:rpz_feeds|This page lists feeds available]] in Advanced (Advanced + Business + Essentials)
-===== BloxOne Threat Defense RPZ Feeds =====
+===== BloxOne Licencing =====
-[[https://docs.infoblox.com/space/BloxOneThreatDefense/35403598|Feed Description]].
+BloxOne DDI data is [[https://docs.infoblox.com/display/BloxOneDDI/Licensing+and+Subscription|here]]
-Remember, always put the FQDN only feeds above the IP only feeds to improve performance.
+BloxOne Threat Defence data is [[https://docs.infoblox.com/display/BloxOneThreatDefense/Licensing+and+Subscription|here]].
-====Essentials====
-  * Base (FQDN)
-  * AntiMalware (FQDN)
-  * Ransomware (?)
-  * Bogon (IP)
-  * DHS AIS_IP (IP)
-  * DHS AIS_Hostname (FQDN)
-  * DHS AIS NCCIC Watch list Hostnames and Domains (FQDN)
-  * DHS AIS NCCIC Watch list IPs (IP)
-  * Public_DoH (FQDN)
-  * Public_DoH_IP (IP)
-==== Business====
+===== Universal DDI =====
-Essentials Feeds +
-  * Anti-malware IPs (IP)
-  * Bot IPs, Exploit kit IPs (IP)
-  * Malware DGA hostnames (FQDN)
-  * Tor Exit Node IPs (IP)
-  * SURBL Multi domains (FQDN)
-  * SURBL Multi Lite domains (FQDN)
-  * SURBL Fresh domains (FQDN)
-  * US OFAC Sanctions IPs (IP)
-  * EECN IPs (IP)
-  * Cryptocurrency hostnames and domains (FQDN)
-====Advanced====
+NIOS-X QPS calculation: We capture data ever 5 minutes so each value is averaged for each 5 minute collection interval.
-Essentials Feeds + Business Feeds +
+===== BloxOne Threat Defense License Caveat =====
-  * Extended base & anti-malware (FQDN)
+From [[https://www.infoblox.com/company/legal/infoblox-bloxone-threat-defense-supplemental-terms-and-conditions/|B1TD Supplemental Terms and Conditions]].
-  * Extended malware IPs (IP)
-  * Extended TOR Exit Node IPs (IP)
-  * Extended ransomware IPs (IP)
+//BloxOne Threat Defense Advanced and On-Prem offerings are subject to an **average monthly DNS query limit of 3,500 DNS queries per Protected User per day**. Usage of B1TD is continuously monitored to determine a customer’s average monthly DNS queries.The monthly DNS query average is calculated based on the number of DNS queries for any particular month (the number of days in that month) divided by the Customer’s Licensed Capacity. Infoblox may work with each Customer when their usage exceeds the current Licensed Capacity. If a Customer’s usage cannot be modified to align to the current Licensed Capacity, the Customer will need to purchase additional Licensed Capacity to ensure query limits are within the license terms.//
-  * Extended exploit kit IPs (IP)
-  * Spambot IPs (IP)
+Remember. B1TD Advanced is licensed based on employee count. Why? Because it is simple and it works for the most part. However, the caveat above is in place to protect Infoblox from a 100 employee company protection 10,000 busy servers, etc.
-  * Spambot IPs DNSBL (FQDN)
-  * Suspicious Domains (FQDN)
-  * Suspicious Emergent Domains (FQDN)
+===== Sandbox Restriction =====
-  * Suspicious Lookalikes (FQDN)
+From [[https://www.infoblox.com/company/legal/infoblox-bloxone-ddi-supplemental-terms-and-conditions/|here]]
+//"Allowable Usage" means, unless otherwise specified in the applicable Order, no more than **5.5 million DNS Queries per month per SANDBOX Instance**.//
+===== Other =====
+NIOS Grid Connector Notes:
+  * NIOS Grid connector requires NIOS 8.5 and can only export data to BloxOne. The exported data in BloxOne will be read only in BloxOne.
+  * The NIOS Grid Connector service does not support the importing of DHCP lease data from NIOS Grid.
+  * NIOS Grid connector requires that the appliance be TE-14xx or higher.
+  * Only IPv4 objects are imported it seems. See [[https://docs.infoblox.com/display/BloxOneDDI/Configuring+NIOS+Grid+Connector|here]].
+  * Data managed by NIOS and synced to BloxOne via NIOS Grid Connector (NGC) does not count towards licence usage of BloxOne. However, if devices that are "managed" by NIOS then go and query DNS services run by BloxOne, they will contribute to the BloxOne Active IP usage.
+**Active IP address**
+  * A Fixed (Static) Address - Just IP or does it have to include a MAC address?
+  * IP Address found in DHCP leases
+  * Source IP Address found in a DNS Query.
+**Instance**
+  * A single online Host running DHCP and/or DNS services
+  * A pair of hosts configured in co-located DHCP HA groups [A/A or A/P]) - Note, if the pair of hosts configured in a co-located DHCP HA group also run DNS, they are counted as two hosts. Advanced A/P members are counted separately
+===== External Licences =====
+External "BYOL" licences (purchased from other vendors) can be added to the BloxOne CSP to allow Dossier to pull more data for its reports.
+  * ProofPoint - Emerging Threats
+  * Mandiant - APIv4
+  * Virus Total
+(IF YOU HAVE B1TD ADVANCED) You can also purchase (from Infoblox) licences to allow access to RPZ threat feeds from other sources (these feeds are then accessible via the BloxOne portal along with all the other Infoblox RPZ feeds.
+  * FarSight - Security Newly Observed Domains (NOD)
+  * Proofpoint - Emerging Threats (ET) IP and Domain Reputation
+Note that the following sources of Threat Intelligence and/or Threat Intelligence feeds are no longer supported.
+  * CrowdStrike
+  * FireEye - iSight Threat Intelligence
+  * ThreatTrack - Security BorderPatrol