Cisco ISE with Automatic Adaptive Network Control Policy ANC to quarantine host based on a raised alarm

Background :

A company is using Cisco Umbrella as the DNS server to prevent internet threats.

We want a custom alarm so that when internal users are using other external DNS servers, an alarm is triggered to prevent connection to rogue DNS servers that could potentially redirect traffic to external sites for malicious purposes.

When an alarm is raised, Cisco Secure Network Analytics will request Cisco ISE to quarantine the host that uses rogue DNS Servers with Adaptive Network Control Policy through PxGrid.

Navigate to Configure > Host Management.

In the parent host group Inside Hosts, create a Host Group named Corporate Networks for your internal networks.

In the parent host group Outside Hosts, create a Host Group named Umbrella DNS Servers for Umbrella IP addresses.

Navigate to Configure > Policy Management.

Create a Custom Event with the following information:

  • Name : Unauthorized DNS Traffic
  • Subject Host Groups : Corporate Networks
  • Peer Host Groups : Outside Hosts except Umbrella DNS Servers
  • Peer Port/Protocols : 53/UDP 53/TCP

Basically, this event is triggered, and an alarm raised, when any host within the Corporate Networks Host Group communicates over 53/UDP or 53/TCP with any host within the Outside Hosts Host Group, except those within the Umbrella DNS Servers Host Group.
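To check what the custom event above will and will not match before wiring it to a quarantine action, here is a small model of its matching logic run over a few constructed flow records. This is an added example, not code from the original post or from Cisco Secure Network Analytics; the host group CIDRs, the Umbrella resolver addresses and the sample flows are assumptions to be replaced with your own values.

```python
import ipaddress
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    src: str    # subject host
    dst: str    # peer host
    proto: str  # "UDP" or "TCP"
    dport: int  # peer port


# Host group definitions (assumed sample values; substitute your own).
# Corporate Networks is a child of Inside Hosts; anything not inside is an Outside Host.
INSIDE_HOSTS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
UMBRELLA_DNS_SERVERS = {ipaddress.ip_address(a) for a in ("208.67.222.222", "208.67.220.220")}
DNS_PORTS = {("UDP", 53), ("TCP", 53)}


def in_group(ip: ipaddress.IPv4Address, networks) -> bool:
    return any(ip in net for net in networks)


def is_unauthorized_dns(flow: Flow) -> bool:
    """True when the flow matches the 'Unauthorized DNS Traffic' custom event."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if (flow.proto.upper(), flow.dport) not in DNS_PORTS:
        return False                    # Peer Port/Protocol: only 53/UDP or 53/TCP
    if not in_group(src, CORPORATE_NETWORKS):
        return False                    # Subject Host Group: Corporate Networks only
    if in_group(dst, INSIDE_HOSTS):
        return False                    # Peer Host Group: must be an Outside Host
    if dst in UMBRELLA_DNS_SERVERS:
        return False                    # ... except the Umbrella DNS Servers group
    return True


def hosts_to_quarantine(flows: Iterable[Flow]) -> set:
    """Subject hosts the ISE ANC action would quarantine for the given flows."""
    return {f.src for f in flows if is_unauthorized_dns(f)}


# Constructed sample flows, including the nslookup test against 8.8.8.8.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "8.8.8.8", "UDP", 53),         # rogue resolver: alarm
    Flow("10.1.2.3", "208.67.222.222", "UDP", 53),  # Umbrella: allowed
    Flow("10.1.2.4", "10.1.0.10", "UDP", 53),       # internal DNS peer, not an Outside Host
    Flow("10.1.2.5", "1.1.1.1", "TCP", 53),         # rogue resolver over TCP: alarm
    Flow("10.1.2.6", "1.1.1.1", "TCP", 443),        # DNS over HTTPS is not covered by port 53
    Flow("192.168.5.5", "8.8.8.8", "UDP", 53),      # inside, but not in Corporate Networks
]

if __name__ == "__main__":
    print(sorted(hosts_to_quarantine(SAMPLE_FLOWS)))
```

The 443 case shows the event's blind spot: encrypted DNS to a public resolver never touches port 53, so it needs a separate event or an Umbrella policy to catch.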

Navigate to Configure > Response Management. Click on Actions.

Select the ISE ANC Policy Action. Give it a name and select the Cisco ISE cluster that should be contacted to apply a quarantine policy for any violation or connection to rogue servers.

Under the Rules section, create a new Rule. This rule will apply the previously created Action when any host inside the internal network tries to send DNS traffic to rogue DNS servers.

In the Rule is triggered if section, select Type, scroll down and select the custom event created previously. Under Associated Actions, select the ISE ANC action created previously.

From an inside host, open the CMD console. Execute the nslookup command, then server 8.8.8.8 command. Type in a few addresses for the 8.8.8.8 DNS server to resolve.

Navigate to Monitor > ISE ANC Policy Assignments. You should see that the Cisco Secure Network Analytics applied Adaptive Network Control Policy through PxGrid and ISE to quarantine the Host.
