Meddane (VIP)

Background:

A company is using Cisco Umbrella as the DNS server to prevent internet threats.

We want a custom alarm so that when internal users use other external DNS servers, an alarm is triggered to prevent connections to rogue DNS servers that could redirect traffic to external sites for malicious purposes.

When the alarm is raised, Cisco Secure Network Analytics will request Cisco ISE to quarantine the host that used the rogue DNS server, applying an Adaptive Network Control (ANC) policy through pxGrid.

Navigate to Configure > Host Management.

In the parent host group Inside Hosts, create a Host Group named Corporate Networks for your internal networks.

[Image: Meddane_0-1677254448820.png]

In the parent host group Outside Hosts, create a Host Group named Umbrella DNS Servers for Umbrella IP addresses.

[Image: Meddane_1-1677254448826.png]

Navigate to Configure > Policy Management.

Create a Custom Event with the following information:

  • Name: Unauthorized DNS Traffic
  • Subject Host Groups: Corporate Networks
  • Peer Host Groups: Outside Hosts except Umbrella DNS Servers
  • Peer Port/Protocols: 53/UDP, 53/TCP

This event fires when any host within the Corporate Networks host group communicates over 53/UDP or 53/TCP with any host in the Outside Hosts host group, except those in the Umbrella DNS Servers host group; when it fires, an alarm is raised.
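To make the matching logic of this custom event concrete, here is an added example (not part of the original post and not Secure Network Analytics code) that evaluates constructed flow records against the same four conditions: subject in Corporate Networks, peer in Outside Hosts, peer not in Umbrella DNS Servers, peer port 53 over UDP or TCP. The CIDR ranges, the Umbrella resolver addresses and the sample flows are all assumptions made for the example; replace them with the ranges you put in Host Management.

```python
import ipaddress
from dataclasses import dataclass

# Constructed host groups mirroring the ones created under Host Management.
# The CIDRs and the resolver addresses are assumptions for this example only.
HOST_GROUPS = {
    "Corporate Networks": ["10.0.0.0/8", "192.168.0.0/16"],
    "Umbrella DNS Servers": ["208.67.222.222/32", "208.67.220.220/32"],
}
# Anything not in these ranges is treated as belonging to Outside Hosts.
INSIDE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Flow:
    """One flow record: subject (src), peer (dst), peer port and protocol."""
    src: str
    dst: str
    dst_port: int
    proto: str  # "udp" or "tcp"


def in_group(ip: str, cidrs: list[str]) -> bool:
    """True if ip falls inside any of the group's CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def is_outside(ip: str) -> bool:
    return not in_group(ip, INSIDE_RANGES)


def unauthorized_dns(flow: Flow) -> bool:
    """Mirror of the 'Unauthorized DNS Traffic' custom event."""
    # Peer Port/Protocols: 53/UDP or 53/TCP
    if flow.dst_port != 53 or flow.proto not in ("udp", "tcp"):
        return False
    # Subject Host Groups: Corporate Networks
    if not in_group(flow.src, HOST_GROUPS["Corporate Networks"]):
        return False
    # Peer Host Groups: Outside Hosts ...
    if not is_outside(flow.dst):
        return False
    # ... except Umbrella DNS Servers
    if in_group(flow.dst, HOST_GROUPS["Umbrella DNS Servers"]):
        return False
    return True


def evaluate(flows: list[Flow]) -> list[Flow]:
    """Return the flows that would raise the alarm."""
    return [f for f in flows if unauthorized_dns(f)]


# Constructed sample flows covering the cases a practitioner would want to verify.
SAMPLE_FLOWS = [
    Flow("10.1.1.50", "208.67.222.222", 53, "udp"),  # sanctioned Umbrella resolver: no alarm
    Flow("10.1.1.50", "8.8.8.8", 53, "udp"),          # the nslookup test in the post: alarm
    Flow("10.1.1.50", "1.1.1.1", 53, "tcp"),          # rogue resolver over TCP: alarm
    Flow("10.1.1.50", "8.8.8.8", 443, "tcp"),         # not port 53: no alarm
    Flow("10.1.1.50", "10.1.1.2", 53, "udp"),         # internal resolver, peer not outside: no alarm
    Flow("203.0.113.7", "8.8.8.8", 53, "udp"),        # subject not in Corporate Networks: no alarm
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_FLOWS):
        print(f"ALARM Unauthorized DNS Traffic: {f.src} -> {f.dst}:{f.dst_port}/{f.proto}")
```

Running the block prints two alarms, for the 8.8.8.8 and 1.1.1.1 peers. The order of the checks matters for reasoning about the rule: the Umbrella exception is only consulted after the peer has already been classified as outside, which is exactly why the Umbrella DNS Servers group has to live under the Outside Hosts parent.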

[Image: Meddane_2-1677254448830.png]

[Image: Meddane_3-1677254448838.png]

Navigate to Configure > Response Management. Click on Actions.

[Image: Meddane_4-1677254448842.png]

Select the ISE ANC Policy action. Give it a name and select the Cisco ISE cluster that should be contacted to apply a quarantine policy for any violation, that is, any connection to a rogue DNS server.

[Image: Meddane_5-1677254448846.png]

[Image: Meddane_6-1677254448850.png]

Under the Rules section, create a new Rule. This rule will apply the previously created action whenever a host inside the internal network tries to send DNS traffic to a rogue DNS server.

In the "Rule is triggered if" section, select Type, scroll down and select the custom event created previously. Under Associated Actions, select the ISE ANC action created previously.

[Image: Meddane_7-1677254448856.png]

From an inside host, open the CMD console. Run nslookup, then enter the command server 8.8.8.8 to switch the resolver. Type in a few names for the 8.8.8.8 DNS server to resolve.

[Image: Meddane_8-1677254448859.png]

Navigate to Monitor > ISE ANC Policy Assignments. You should see that Cisco Secure Network Analytics applied the Adaptive Network Control policy through pxGrid and ISE, and that the host is quarantined.

[Image: Meddane_9-1677254448862.png]
