In this example, we will transparently monitor access from a unique class of IoT devices. All requests from these devices will be monitored and logged to allow you to build an access profile for this class of devices, which can then be used to restrict access to that "normal" activity.
- In the top navigation bar, click
and select
Policies. - Click
to create a new policy. - For Name, enter Monitor IoT Devices, and for Description, enter a brief description for the policy.
- For Type, select Monitor, and set the slider to Active.
- In the Sites field, start typing the name of a site, and then select the site you want to apply the policy to.
- Expand the Source IP section, and in the Source IPs field, type the IP address or CIDR range of an IoT device, and press Enter. You can enter multiple IP addresses or CIDR ranges.
- Click Save & Apply.
View blocked DNS activity
- In BlueCat Edge, select the DNS Activity view
. - In the Command bar, type /policyname Monitor IoT Devices, and press Enter. In the DNS Activity tab, you should see a list of queries from your IoT devices.
- Write down all the unique domain names so that you can use them in the next step to create a Domain List representing the normal activity for IoT devices.
- In the top navigation bar, click and select Domain
Lists.
- Click to create a new domain list.
- For Name, enter IoT Allowed, and for Description, enter a brief description for the list. For Type, keep the default User Defined.
- In the Domains field, type the list of domains you recorded above. You can press Enter after typing each domain, or you can type multiple domains separated by commas and press Enter.
- Click Save and Close.
- In the top navigation bar, click and select Domain
Lists.
- Click to create a new domain list.
- For Name, enter All Traffic, and for Description, enter a brief description for the list. For Type, keep the default User Defined.
- In the Domains field, type * and press Enter to represent all traffic.
- Click Save and Close.
Update the policy to restrict access from IoT devices
Follow the below to update the previously created Monitoring policy and turn it into a policy that will restrict access from the IoT devices to only the domain names determined to represent a normal activity.
In this example, the queries issued by the IoT devices to domain names listed in the IoT Allowed Domain List will be allowed and any other query will be blocked.
- In the top navigation bar, click and select
Policies.
- Find the Monitor IoT Devicespolicy and click
to edit the policy. - Change the name of the policy to Restrict IoT Devices,
- Change the type of the policy to Block.
- Expand the Domain List section, and in the Block List field, start typing All Traffic, and then select that domain list.
- In the Exception List field, start typing IoT Allowed, and then select that domain list.
- Expand the Source IPs section, and in the Source IPs field, type all of the IP addresses or CIDR ranges for all of the IoT devices that are the same type as the device configured to monitor the normal activity, and press Enter.
- Click Save & Apply.
- In BlueCat Edge, select the DNS Activity view .
- In the Command bar, type /policyname Restrict IoT Devices, and press Enter.
- If any blocked queries represent normal access, add the domain names to your IoT Allowed Domain List. Otherwise, you have discovered abnormal IoT activity.
- For further inspection, click the Threat Activity tab to see the abnormal traffic generated by the IoT Devices that were identified as a DNS threat.