Juniper ATP Cloud Administration Guide

ATP Cloud
Published
2021-03-31
Juniper Advanced Threat Prevention Cloud Administration Guide
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation | xi
Documentation and Release Notes | xi
Documentation Conventions | xi
Documentation Feedback | xiv
Requesting Technical Support | xiv
Self-Help Online Tools and Resources | xv
Creating a Service Request with JTAC | xv
Part 1: Overview and Installation
Juniper Advanced Threat Prevention Cloud Overview | 2
Juniper Advanced Threat Prevention Cloud | 2
About Juniper Advanced Threat Prevention Cloud | 2
Juniper ATP Cloud Features | 3
How the SRX Series Device Remediates Traffic | 5
Juniper ATP Cloud Use Cases | 7
Licensing | 8
How is Malware Analyzed and Detected? | 8
Analyzing and Detecting Malware | 8
Cache Lookup | 9
Antivirus Scan | 9
Static Analysis | 10
Dynamic Analysis | 10
Machine Learning Algorithm | 10
Threat Levels | 11
Licensing | 11
About Policy Enforcer | 12
Policy Enforcer | 12
Install Juniper Advanced Threat Prevention Cloud | 14
Juniper Advanced Threat Prevention Cloud Installation Overview | 14
Managing the Juniper Advanced Threat Prevention Cloud License | 14
Obtaining the Premium License Key | 15
License Management and SRX Series Devices | 16
Juniper ATP Cloud Premium Evaluation License for vSRX | 16
License Management and vSRX Deployments | 17
High Availability | 18
Registering a Juniper Advanced Threat Prevention Cloud Account | 19
Downloading and Running the Juniper Advanced Threat Prevention Cloud Script | 24
Part 2: The Web Portal and Enrolling SRX Series Devices
The Juniper ATP Cloud Web Portal | 31
Juniper Advanced Threat Prevention Cloud Configuration Overview | 31
Juniper Advanced Threat Prevention Cloud Web UI Overview | 34
Accessing the Web UI | 34
Dashboard Overview | 37
Reset Password | 38
Recover Realm Name | 40
Enroll SRX Series Devices | 43
Enrolling an SRX Series Device With Juniper Advanced Threat Prevention Cloud | 43
Enrolling an SRX Series Device without the Juniper ATP Cloud Web Portal | 47
Removing an SRX Series Device From Juniper Advanced Threat Prevention Cloud | 49
Searching for SRX Series Devices Within Juniper Advanced Threat Prevention Cloud | 50
Juniper Advanced Threat Prevention Cloud RMA Process | 53
Device Information | 53
Cloud Feeds for Juniper Advanced Threat Prevention Cloud: More Information | 54
Part 3: Configure
Allowlists and Blocklists | 57
Allowlist and Blocklist Overview | 57
Creating Allowlists and Blocklists | 59
Email Scanning: Juniper ATP Cloud | 65
Email Management Overview | 65
Email Management: Configure SMTP | 67
Email Management: Configure IMAP | 70
Email Scanning: SRX Series Device | 74
Configuring the SMTP Email Management Policy on the SRX Series Device | 74
Configuring the IMAP Email Management Policy on the SRX Series Device | 80
Configuring Reverse Proxy on the SRX Series Device | 88
File Inspection Profiles | 92
File Inspection Profiles Overview | 92
Creating File Inspection Profiles | 94
Adaptive Threat Profiling | 97
Adaptive Threat Profiling Overview | 97
Overview | 97
Configure Adaptive Threat Profiling | 100
Deploy Adaptive Threat Profiling | 101
Use Case Examples | 104
Threat Detection Use Case 1 | 104
Asset Classification Use Case | 107
Create an Adaptive Threat Profiling Feed | 108
SecIntel Feeds | 111
SecIntel Feeds Overview | 112
Juniper SecIntel Feeds Overview | 118
Global Configurations | 119
Global Configuration for Infected Hosts | 119
Configuring Threat Intelligence Sharing | 122
Configuring Trusted Proxy Servers | 124
Realm Overview | 125
Realms and Tenant Systems | 125
Configuration Overview | 126
SRX Series and Tenant System Enrollment | 126
Realm Management | 127
Tenant Systems: Security-Intelligence and Anti-Malware Policies | 129
Tenant System Support for SecIntel Feeds | 129
Tenant System Support for AAMW | 130
Security Profile CLI | 132
Enable Logging | 132
Enable Mist with Juniper ATP Cloud | 133
Part 4: Monitor and Take Action
Audit | 136
Viewing Audit Logs | 136
Reports | 145
Reports Overview | 145
Configure Report Definitions | 149
Hosts | 151
Hosts Overview | 151
Host Details | 154
Identifying Infected Hosts | 156
Compromised Hosts: More Information | 156
About Block Drop and Block Close | 160
Host Details | 161
Automatic Lowering of Host Threat Level or Removal from Infected Hosts Feed | 162
Configuring the SRX Series Devices to Block Infected Hosts | 163
Threat Sources | 167
Threat Sources Overview | 167
Threat Source Details | 168
Identify Hosts Communicating with Command and Control Servers | 172
Command and Control Servers: More Information | 172
Configuring the SRX Series Device to Block Outbound Requests to a C&C Host | 175
File Scanning | 178
HTTP File Download Overview | 178
HTTP File Download Details | 180
File Summary | 181
HTTP Downloads | 182
Sample STIX Report | 183
Manual Scanning Overview | 183
File Scanning Limits | 185
SMB File Download Overview | 186
SMB File Download Details | 188
File Summary | 189
SMB Downloads | 190
Email Scanning | 191
Email Attachments Scanning Overview | 191
Email Attachments Scanning Details | 192
File Summary | 194
SMTP Quarantine Overview: Blocked Emails | 195
IMAP Block Overview | 197
Telemetry | 199
Telemetry Overview | 199
Telemetry Details | 201
Encrypted Traffic Insights | 204
Encrypted Traffic Insights Overview | 204
Encrypted Traffic Insights and Detection | 205
Workflow | 206
Configurations on SRX Series Devices | 207
Encrypted Traffic Insights Details | 208
Part 5: Policies on the SRX Series Device
Configure Juniper ATP Cloud Policies on the SRX Series Device | 212
Juniper Advanced Threat Prevention Cloud Policy Overview | 212
Enabling Juniper ATP Cloud for Encrypted HTTPS Connections | 215
Example: Configuring a Juniper Advanced Threat Prevention Cloud Policy Using the CLI | 216
Unified Policies | 221
Explicit Web Proxy Support | 223
Configure IP-Based Geolocations on the SRX Series Device | 225
Geolocation IPs and Juniper Advanced Threat Prevention Cloud | 225
Configuring Juniper Advanced Threat Prevention Cloud With Geolocation IP | 226
Integrate Amazon Web Services GuardDuty with vSRX Firewalls | 228
Integrate AWS GuardDuty with vSRX Firewalls | 228
Solution Overview | 228
Workflow to Integrate AWS GuardDuty with vSRX Firewalls | 230
Set up AWS Environment | 231
Configure vSRX Firewall | 235
Configure DNS Sinkhole on the SRX Series Device | 239
DNS Sinkhole for Disallowed Domains | 239
Overview | 239
Benefits | 239
Configure DNS Request Filtering | 240
Part 6: Administration
Juniper ATP Cloud Administration | 244
Modifying My Profile | 244
Creating and Editing User Profiles | 245
Application Tokens Overview | 247
Creating Application Tokens | 247
Multi-Factor Authentication Overview | 249
Configure Multi-Factor Authentication for Administrators | 249
Enable Multi-Factor Authentication | 250
Verification Codes for Multi-Factor Authentication: Mobile SMS | 251
Verification Codes for Multi-Factor Authentication: Email | 251
Unlock a User | 252
Part 7: Troubleshoot
Troubleshooting Topics | 254
Juniper Advanced Threat Prevention Cloud Troubleshooting Overview | 254
Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking DNS and Routing Configurations | 255
Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking Certificates | 258
Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking the Routing Engine Status | 260
request services advanced-anti-malware data-connection | 262
request services advanced-anti-malware diagnostic | 264
Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking the application-identification License | 268
Viewing Juniper Advanced Threat Prevention Cloud System Log Messages | 269
Configuring traceoptions | 270
Viewing the traceoptions Log File | 272
Turning Off traceoptions | 272
Juniper Advanced Threat Prevention Cloud Dashboard Reports Not Displaying | 273
Juniper Advanced Threat Prevention Cloud RMA Process | 274
Part 8: More Documentation
ATP Cloud Tech Library Page Links | 276
Links to Documentation on Juniper.net | 276

About the Documentation

IN THIS SECTION
Documentation and Release Notes | xi
Documentation Conventions | xi
Documentation Feedback | xiv
Requesting Technical Support | xiv
Use this guide to configure, monitor, and manage Juniper ATP Cloud features to protect all hosts in your network against evolving security threats.

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

Documentation Conventions

Table 1 on page xii defines notice icons used in this guide.
Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page xii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
  user@host> configure
Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
  user@host> show chassis alarms
  No alarms currently active
Italic text like this
  Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
  Examples: A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide. RFC 1997, BGP Communities Attribute.
Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine's domain name:
  [edit]
  root@# set system domain-name domain-name
Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.
< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;
| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples: broadcast | multicast; (string1 | string2 | string3)
# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only
[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]
Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.
  Example:
  [edit]
  routing-options {
      static {
          route default {
              nexthop address;
              retain;
          }
      }
  }
; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
GUI Conventions
Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.
> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:
Online feedback system: Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:
Click the thumbs-up icon if the information on the page was helpful to you.
Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.
E-mail: Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties: For product warranty information, visit https://www.juniper.net/support/warranty/.
JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: https://www.juniper.net/customers/support/
Search for known bugs: https://prsearch.juniper.net/
Find product documentation: https://www.juniper.net/documentation/
Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
Download the latest versions of software and review release notes:
https://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
https://kb.juniper.net/InfoCenter/
Join and participate in the Juniper Networks Community Forum:
https://www.juniper.net/company/communities/
Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
https://entitlementsearch.juniper.net/entitlementsearch/

Creating a Service Request with JTAC

You can create a service request with JTAC on the Web or by telephone.
Visit https://myjuniper.juniper.net.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
https://support.juniper.net/support/requesting-support/.
PART 1

Overview and Installation

Juniper Advanced Threat Prevention Cloud Overview | 2
Install Juniper Advanced Threat Prevention Cloud | 14
CHAPTER 1

Juniper Advanced Threat Prevention Cloud Overview

IN THIS CHAPTER
Juniper Advanced Threat Prevention Cloud | 2
How is Malware Analyzed and Detected? | 8
About Policy Enforcer | 12

Juniper Advanced Threat Prevention Cloud

IN THIS SECTION
About Juniper Advanced Threat Prevention Cloud | 2
Juniper ATP Cloud Features | 3
How the SRX Series Device Remediates Traffic | 5
Juniper ATP Cloud Use Cases | 7
Licensing | 8
About Juniper Advanced Threat Prevention Cloud
Juniper® Advanced Threat Prevention Cloud (Juniper ATP Cloud) is a security framework that protects all hosts in your network against evolving security threats by employing cloud-based threat detection software with a next-generation firewall system. See Figure 1 on page 3.
Figure 1: Juniper ATP Cloud Overview
Juniper ATP Cloud protects your network by performing the following tasks:
The SRX Series device extracts potentially malicious objects and files and sends them to the cloud for analysis.
Known malicious files are quickly identified and dropped before they can infect a host.
Multiple techniques identify new malware, adding it to the known list of malware.
Correlation between newly identified malware and known Command and Control (C&C) sites aids analysis.
The SRX Series device blocks known malicious file downloads and outbound C&C traffic.
Juniper ATP Cloud supports the following modes:
Layer 3 mode
Tap mode
Transparent mode using MAC address. For more information, see Transparent mode on SRX Series devices.
Secure wire mode (a high-level transparent mode that passes traffic directly through the interface rather than by MAC address). For more information, see Understanding Secure Wire.
Juniper ATP Cloud Features
Juniper ATP Cloud is a cloud-based solution. Cloud environments are flexible and scalable, and a shared environment ensures that everyone benefits from new threat intelligence in near real-time. Your sensitive data is secured even though it is in a cloud shared environment. Security analysts can update their defense when new attack techniques are discovered and distribute the threat intelligence with very little delay.
In addition, Juniper ATP Cloud offers the following features:
Integrated with the SRX Series device to simplify deployment and enhance the anti-threat capabilities of the firewall.
Delivers protection against “zero-day” threats using a combination of tools to provide robust coverage against sophisticated, evasive threats.
Checks inbound and outbound traffic with policy enhancements that allow users to stop malware, quarantine infected systems, prevent data exfiltration, and disrupt lateral movement.
High availability to provide uninterrupted service.
Scalable to handle increasing loads that require more computing resources, increased network bandwidth to receive more customer submissions, and large storage for malware.
Provides deep inspection, actionable reporting, and inline malware blocking.
APIs for C&C feeds, allowlist and blocklist operations, and file submission. See the Threat Intelligence Open API Setup Guide for more information.
Figure 2 on page 4 lists the Juniper ATP Cloud components.
Figure 2: Juniper ATP Cloud Components
Table 3 on page 5 briefly describes each Juniper ATP Cloud component's operation.
Table 3: Juniper ATP Cloud Components
Command and control (C&C) cloud feeds: C&C feeds are essentially a list of servers that are known command-and-control servers for botnets. The list also includes servers that are known sources of malware downloads.
GeoIP cloud feeds: GeoIP feeds are an up-to-date mapping of IP addresses to geographical regions. This gives you the ability to filter traffic to and from specific geographies in the world.
Infected host cloud feeds: Infected hosts are local devices that are potentially compromised because they appear to be part of a C&C network or exhibit other symptoms.
Allowlist, blocklist, and custom cloud feeds: An allowlist is simply a list of known IP addresses that you trust, and a blocklist is a list of addresses that you do not trust. NOTE: Custom feeds are not supported in this release.
SRX Series device: Submits extracted file content for analysis and reports detected C&C hits inside the customer network. Performs inline blocking based on verdicts from the analysis cluster.
Malware inspection pipeline: Performs malware analysis and threat detection.
Internal compromise detection: Inspects files, metadata, and other information.
Service portal (Web UI): Graphical interface displaying information about detected threats inside the customer network. Also the configuration management tool where customers can fine-tune which file categories can be submitted to the cloud for processing.
How the SRX Series Device Remediates Traffic
The SRX Series device uses intelligence provided by Juniper ATP Cloud to remediate malicious content through the use of security policies. If configured, security policies block that content before it is delivered to the destination address.
For inbound traffic, security policies on the SRX Series device look for specific types of files, like .exe files, to inspect. When one is encountered, the security policy sends the file to Juniper ATP Cloud for inspection. The SRX Series device holds back the last few KB of the file from the destination client while Juniper ATP Cloud checks whether this file has already been analyzed. If so, a verdict is returned and the file is either delivered to the client or blocked, depending on the file's threat level and the user-defined policy in place. If the cloud has not inspected this file before, the file is delivered to the client while Juniper ATP Cloud performs an exhaustive analysis. If that analysis later assigns a threat level that indicates malware (and depending on the user-defined configuration), the client system is marked as an infected host and its outbound traffic is blocked. For more information, see “How is Malware Analyzed and Detected?” on page 8.
Figure 3 on page 6 shows an example flow of a client requesting a file download with Juniper ATP Cloud.
Figure 3: Inspecting Inbound Files for Malware
Step 1: A client system behind an SRX Series device requests a file download from the Internet. The SRX Series device forwards that request to the appropriate server.
Step 2: The SRX Series device receives the downloaded file and checks its security profile to see if any additional action must be performed.
Step 3: The downloaded file type is on the list of files that must be inspected and is sent to the cloud for analysis.
Step 4: Juniper ATP Cloud has inspected this file before and has the analysis stored in cache. In this example, the file is not malware and the verdict is sent back to the SRX Series device.
Step 5: Based on user-defined policies and because this file is not malware, the SRX Series device sends the file to the client.
For outbound traffic, the SRX Series device monitors traffic that matches C&C feeds it receives, blocks these C&C requests, and reports them to Juniper ATP Cloud. A list of infected hosts is available so that the SRX Series device can block inbound and outbound traffic.
Juniper ATP Cloud Use Cases
Juniper ATP Cloud can be used anywhere in an SRX Series deployment. See Figure 4 on page 7.
Figure 4: Juniper ATP Cloud Use Cases
Campus edge firewall: Juniper ATP Cloud analyzes files downloaded from the Internet and protects end-user devices.
Data center edge: Like the campus edge firewall, Juniper ATP Cloud prevents infected files and application malware from running on your computers.
Branch router: Juniper ATP Cloud provides protection in split-tunneling deployments. A disadvantage of split tunneling is that users can bypass the security controls in your company's infrastructure.
Licensing
Juniper ATP Cloud has three service levels: Free, Basic (feed only), and Premium. No license is required for the free version, but you must obtain a license for Basic and Premium levels.
To understand more about Juniper ATP Cloud licenses, see Licenses for Juniper Advanced Threat Prevention (ATP) Cloud. Please refer to the Licensing Guide for general information about License Management.
Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or Juniper Partner.

How is Malware Analyzed and Detected?

IN THIS SECTION
Analyzing and Detecting Malware | 8
Cache Lookup | 9
Antivirus Scan | 9
Static Analysis | 10
Dynamic Analysis | 10
Machine Learning Algorithm | 10
Threat Levels | 11
Licensing | 11
Analyzing and Detecting Malware
Juniper ATP Cloud uses a pipeline approach to analyzing and detecting malware. If an analysis reveals that the file is absolutely malware, it is not necessary to continue the pipeline to further examine the malware. See Figure 5 on page 9.
Figure 5: Example Juniper ATP Cloud Pipeline Approach for Analyzing Malware
Each analysis technique produces a verdict number, and these are combined into a final verdict number between 1 and 10. A verdict number is a score, or threat level: the higher the number, the greater the likelihood that the file is malware. The SRX Series device compares this verdict number to its policy settings and either permits or denies the session. If the session is denied, the SRX Series device sends a reset packet to the client and drops the remaining packets from the server.
Cache Lookup
When a file is analyzed, a file hash is generated, and the results of the analysis are stored in a database. When a file is uploaded to Juniper ATP Cloud, the first step is to check whether this file has been looked at before. If it has, the stored verdict is returned to the SRX Series device and there is no need to re-analyze the file. In addition to files scanned by Juniper ATP Cloud, information about common malware files is also stored to provide a faster response.
Cache lookup is performed in real time. All other techniques are done offline. This means that if the cache lookup does not return a verdict, the file is sent to the client system while the Juniper ATP Cloud cloud continues to examine the file using the remaining pipeline techniques. If a later analysis returns a malware verdict, then the file and host are flagged.
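The real-time cache lookup and offline analysis described here, and in “How the SRX Series Device Remediates Traffic” above, have a consequence worth seeing in code: on a cache miss the first recipients of a novel file get it before any verdict exists, and their hosts are only flagged afterwards. The following Python model is an added example, not code from this guide or from the Juniper ATP Cloud service or API; the Enforcer class, its verdict_threshold of 7, and the sample files and host addresses are assumptions chosen for illustration.

```python
"""Verdict cache in front of an offline analysis pipeline.

Added example, not code from the Juniper ATP Cloud guide and not the ATP
Cloud API. It models the flow described in the Cache Lookup section and in
"How the SRX Series Device Remediates Traffic": the enforcement point hashes
the file, asks the verdict cache in real time, and on a miss delivers the
file while the full pipeline scores it offline; when that score arrives,
every host that received the file in the meantime is flagged retroactively.
The Enforcer class, the threshold of 7 and the sample files and hosts are
constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field


def file_hash(data: bytes) -> str:
    """Stable key for the verdict cache (SHA-256 of the file content)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Enforcer:
    """Toy stand-in for the SRX-side enforcement point plus its cloud cache."""
    verdict_threshold: int = 7                           # block at or above this level
    cache: dict = field(default_factory=dict)            # sha256 -> threat level 0..10
    pending: dict = field(default_factory=dict)          # sha256 -> hosts that got the file
    infected_hosts: set = field(default_factory=set)

    def inspect(self, data: bytes, host: str) -> str:
        """Real-time path: returns 'block', 'permit' or 'permit-pending'."""
        key = file_hash(data)
        if key in self.cache:
            # Cache hit: the stored verdict decides immediately.
            return "block" if self.cache[key] >= self.verdict_threshold else "permit"
        # Cache miss: the file goes to the client now and is analysed offline.
        # Remember who received it so a later malware verdict can be applied.
        self.pending.setdefault(key, set()).add(host)
        return "permit-pending"

    def complete_analysis(self, key: str, threat_level: int) -> set:
        """Offline path: store the pipeline's final score and, if it indicates
        malware, flag every host that already received the file. Returns the
        set of hosts newly marked infected."""
        self.cache[key] = threat_level
        recipients = self.pending.pop(key, set())
        if threat_level < self.verdict_threshold:
            return set()
        self.infected_hosts |= recipients
        return recipients


if __name__ == "__main__":
    enforcer = Enforcer()
    sample = b"constructed sample file, not real malware"
    print(enforcer.inspect(sample, "10.1.1.10"))   # permit-pending: novel file delivered
    print(enforcer.inspect(sample, "10.1.1.11"))   # permit-pending: still no verdict
    print(enforcer.complete_analysis(file_hash(sample), 9))  # both hosts flagged
    print(enforcer.inspect(sample, "10.1.1.12"))   # block: verdict now served from cache
```

Run as a script, the sequence shows the novel file permitted for the first two hosts, both hosts flagged once the offline score arrives, and the third request blocked straight from cache. A real deployment has the same ordering, which is why the infected-host feed and outbound blocking matter as much as the inline verdict: they are what limits the damage from the first download of something new.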
Antivirus Scan
The advantage of antivirus software is its protection against a large number of potential threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of antivirus software is that it is always behind the malware. The virus comes first and the patch to the virus comes second. Antivirus is better at defending familiar threats and known malware than zero-day threats.
Juniper ATP Cloud utilizes multiple antivirus software packages, not just one, to analyze a file. The results are then fed into the machine learning algorithm to overcome false positives and false negatives.
Static Analysis
Static analysis examines files without actually running them. Basic static analysis is straightforward and fast, typically around 30 seconds. The following are examples of areas static analysis inspects:
Metadata information: the name of the file, the vendor or creator of the file, and the original date the file was compiled on.
Categories of instructions used: Is the file modifying the Windows registry? Is it touching disk I/O APIs?
File entropy: How random is the file? A common malware technique is to encrypt portions of the code and then decrypt it at runtime. A lot of encryption is a strong indication that the file may be malware, although legitimately packed or compressed software also shows high entropy, which is one reason this signal is combined with the others rather than used alone.
The output of the static analysis is fed into the machine learning algorithm to improve the verdict accuracy.
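As an added example of the entropy check described above (not code from this guide or from the ATP Cloud pipeline), the following Python computes Shannon entropy per 256-byte window over a constructed sample file and reports the windows that look encrypted. The window size, the 6.5 bits/byte threshold, and the sample file are assumptions chosen for illustration.

```python
"""File entropy as a static-analysis signal.

Added example; it is not code from the Juniper ATP Cloud guide or from the
ATP Cloud pipeline. It implements the entropy check the Static Analysis
section describes: Shannon entropy is computed over fixed-size windows so
that an encrypted or packed region stands out inside an otherwise normal
file. The window size (256 bytes), the 6.5 bits/byte threshold and the
sample file are assumptions chosen for illustration.
"""
import math
import random
from collections import Counter

WINDOW = 256          # bytes per window (assumption)
THRESHOLD = 6.5       # bits/byte above which a window is "encrypted-looking"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for a uniform
    distribution over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD) -> list:
    """Return (offset, entropy) for every full window above the threshold.

    Code and text normally measure roughly 4 to 6.5 bits/byte; packed or
    encrypted data approaches 8. A trailing partial window is skipped so a
    short tail cannot distort the result.
    """
    hits = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits


def encrypted_fraction(data: bytes) -> float:
    """Share of the file's full windows that look encrypted: a coarse
    'how much of this file is opaque' score a static analyzer can feed onward."""
    full = len(data) // WINDOW
    return len(high_entropy_windows(data)) / full if full else 0.0


def build_sample_file() -> bytes:
    """Constructed sample, not a real binary: 1024 bytes of repetitive ASCII
    (a DOS stub string, zero padded) followed by 2048 bytes drawn from a
    fixed-seed PRNG to stand in for an encrypted payload."""
    stub = (b"This program cannot be run in DOS mode.\r\n" * 20).ljust(1024, b"\x00")
    rng = random.Random(1337)
    payload = bytes(rng.getrandbits(8) for _ in range(2048))
    return stub + payload


if __name__ == "__main__":
    sample = build_sample_file()
    for off, h in high_entropy_windows(sample):
        print(f"offset {off:5d}: {h} bits/byte")
    print(f"encrypted fraction: {encrypted_fraction(sample):.2f}")
```

Entropy alone does not separate malware from legitimately packed or compressed software, which is why the static-analysis output is only one input to the machine learning verdict. What the windowed view adds over a single whole-file number is where the opaque region sits and how much of the file it covers, which is what an analyst actually uses to decide whether a high value is a packed payload or just an embedded compressed resource.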
Dynamic Analysis
The majority of the time spent inspecting a file is in dynamic analysis. With dynamic analysis, often called sandboxing, a file is studied as it is executed in a secure environment. During this analysis, an operating system environment is set up, typically in a virtual machine, and tools are started to monitor all activity. The file is uploaded to this environment and is allowed to run for several minutes. Once the allotted time has passed, the record of activity is downloaded and passed to the machine learning algorithm to generate a verdict.
Sophisticated malware can detect a sandbox environment by its lack of human interaction, such as mouse movement. Juniper ATP Cloud uses a number of deception techniques to trick the malware into concluding that it is running in a real user environment. For example, Juniper ATP Cloud can:
Generate a realistic pattern of user interaction, such as mouse movement, simulated keystrokes, and installing and launching common software packages.
Create fake high-value targets in the client, such as stored credentials, user files, and a realistic network with Internet access.
Create vulnerable areas in the operating system.
Deception techniques by themselves greatly boost the detection rate while reducing false positives. They also boost the detection rate of the sandbox the file is running in because they get the malware to perform more activity: the more the file runs, the more data is obtained to decide whether it is malware.
Machine Learning Algorithm
Juniper ATP Cloud uses its own proprietary implementation of machine learning to assist in analysis. Machine learning recognizes patterns and correlates information for improved file analysis. The machine learning model is trained on features from thousands of malware samples and thousands of goodware samples. It learns what malware looks like, and is regularly retrained so that it keeps up as threats evolve.
Threat Levels
Juniper ATP Cloud assigns a number between 0 and 10 to indicate the threat level of files scanned for malware and the threat level for infected hosts. See Table 4 on page 11.
Table 4: Threat Level Definitions
Threat level 0: Clean; no action is required.
Threat level 1-3: Low threat level.
Threat level 4-6: Medium threat level.
Threat level 7-10: High threat level.
For more information on threat levels, see the Juniper ATP Cloud Web UI online help.
Licensing
Juniper ATP Cloud has three service levels: Free, Basic (feed only), and Premium. No license is required for the free version, but you must obtain a license for Basic and Premium levels.
To understand more about Juniper ATP Cloud licenses, see Licenses for Juniper Advanced Threat Prevention (ATP) Cloud. Please refer to the Licensing Guide for general information about License Management.
Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or Juniper Partner.
RELATED DOCUMENTATION
Juniper Advanced Threat Prevention Cloud | 2
Dashboard Overview | 37

About Policy Enforcer

IN THIS SECTION
Policy Enforcer | 12
Policy Enforcer
View the Policy Enforcer data sheet (This takes you out of the help center to the Juniper web site):
https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000602-en.pdf
Policy Enforcer provides centralized, integrated management of all your security devices (both physical and virtual), giving you the ability to combine threat intelligence from different solutions and act on that intelligence from one management point.
It also automates the enforcement of security policies across the network and quarantines infected endpoints to prevent threats across firewalls and switches. It works with Juniper Advanced Threat Prevention (Juniper ATP) Cloud to protect against both perimeter-oriented threats and threats within the network. For example, if a user downloads a file from the Internet and that file passes through an SRX Series firewall, the file can be sent to Juniper ATP Cloud for malware inspection (depending on your configuration settings). If the file is determined to be malware, Policy Enforcer identifies the IP address and MAC address of the host that downloaded the file. Based on a user-defined policy, that host can be put into a quarantine VLAN or blocked from accessing the Internet.
Policy Enforcer provides the following:
Pervasive Security—Combine security features and intelligence from devices across your network, including switches, routers, and firewalls, to create a “secure fabric” that leverages information you can use to create policies that address threats in real time and into the future. With monitoring capabilities, it can also act as a sensor, providing visibility for intra- and inter-network communications.
User Intent-Based Policies—Create policies according to logical business structures such as users, user groups, geographical locations, sites, tenants, applications, or threat risks. This allows network devices (switches, routers, firewalls, and other security devices) to share information and resources and, when threats are detected, remediation actions within the network.
Threat Intelligence Aggregation—Gather threat information from multiple locations and devices, both physical and virtual, as well as third-party solutions.
Figure 6 on page 13 illustrates the flow diagram of Policy Enforcer over a traditional SRX configuration.
Figure 6: Comparing Traditional SRX Customers to Policy Enforcer Customers
RELATED DOCUMENTATION
Hosts Overview | 151
Host Details | 154
Dashboard Overview | 37
CHAPTER 2

Install Juniper Advanced Threat Prevention Cloud

IN THIS CHAPTER
Juniper Advanced Threat Prevention Cloud Installation Overview | 14
Managing the Juniper Advanced Threat Prevention Cloud License | 14
Registering a Juniper Advanced Threat Prevention Cloud Account | 19
Downloading and Running the Juniper Advanced Threat Prevention Cloud Script | 24

Juniper Advanced Threat Prevention Cloud Installation Overview

Although Juniper ATP Cloud is a free add-on to an SRX Series device, you must still enable it prior to using it. To enable Juniper ATP Cloud, perform the following tasks:
1. (Optional) Obtain a Juniper ATP Cloud premium license. See Licenses for Juniper Advanced Threat Prevention (ATP) Cloud. This link takes you to the Juniper Licensing Guide.
2. Register an account on the Juniper ATP Cloud Web portal. See “Registering a Juniper Advanced Threat Prevention Cloud Account” on page 19.
3. Download and run the Juniper ATP Cloud script on your SRX Series device. See “Downloading and Running the Juniper Advanced Threat Prevention Cloud Script” on page 24.

Managing the Juniper Advanced Threat Prevention Cloud License

IN THIS SECTION
Obtaining the Premium License Key | 15
License Management and SRX Series Devices | 16
Juniper ATP Cloud Premium Evaluation License for vSRX | 16
License Management and vSRX Deployments | 17
High Availability | 18
This topic describes how to install the Juniper ATP Cloud premium license onto your SRX Series devices and vSRX deployments. You do not need to install the Juniper ATP Cloud free license, as it is included in your base software. Note that the free license has a limited feature set (see Juniper Advanced Threat Prevention Cloud License Types and “File Scanning Limits” on page 185).
When installing the license key, you must use the license that is specific to your device type. For example, the Juniper ATP Cloud premium license available for the SRX Series device cannot be used on vSRX deployments.
Obtaining the Premium License Key
The Juniper ATP Cloud premium license can be found on the Juniper Networks product price list. The procedure for obtaining the premium license entitlement is the same as for all other Juniper Networks products. The following steps provide an overview.
1. Contact your local sales office or Juniper Networks partner to place an order for the Juniper ATP Cloud premium license.
After your order is complete, an authorization code is e-mailed to you. An authorization code is a unique 16-digit alphanumeric code that is used in conjunction with your device serial number to generate a premium license entitlement.
2. (SRX Series devices only) Use the show chassis hardware CLI command to find the serial number of the SRX Series devices that are to be tied to the Juniper ATP Cloud premium license.
[edit]
root@SRX# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                CM1915AK0326      SRX1500
Midplane         REV 09   750-058562   ACMH1590          SRX1500
Pseudo CB 0
Routing Engine 0          BUILTIN      BUILTIN           SRX Routing Engine
FPC 0            REV 08   711-053832   ACMG3280          FEB
  PIC 0                   BUILTIN      BUILTIN           12x1G-T-4x1G-SFP-4x10G
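The serial number in the Chassis row is the value that is paired with the authorization code. When many SRX Series devices have to be tied to licenses, collecting those serials by hand is error-prone, so the following Python helper parses the fixed-width "show chassis hardware" inventory and returns the Chassis serial. It is an added example, not part of this guide or of Juniper's own tooling; the sample text is constructed from the SRX1500 listing above, and the function names are the example's own. It slices each row at the header's column positions instead of splitting on whitespace, because items such as "Routing Engine 0" and descriptions such as "SRX Routing Engine" contain spaces.

```python
from typing import Dict, List, Optional

# Constructed sample of "show chassis hardware" output, copied from the
# SRX1500 listing in the guide so the example runs offline.
SAMPLE_OUTPUT = """\
[edit]
root@SRX# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                CM1915AK0326      SRX1500
Midplane         REV 09   750-058562   ACMH1590          SRX1500
Pseudo CB 0
Routing Engine 0          BUILTIN      BUILTIN           SRX Routing Engine
FPC 0            REV 08   711-053832   ACMG3280          FEB
  PIC 0                   BUILTIN      BUILTIN           12x1G-T-4x1G-SFP-4x10G
"""

# Column headings as Junos prints them; their horizontal positions in the
# header line define the fixed-width fields of every row that follows.
COLUMNS = ["Item", "Version", "Part number", "Serial number", "Description"]


def _column_offsets(header: str) -> List[int]:
    """Return the start offset of each column, taken from the header line."""
    offsets = []
    for name in COLUMNS:
        pos = header.find(name)
        if pos < 0:
            raise ValueError(f"hardware inventory header lacks column {name!r}")
        offsets.append(pos)
    return offsets


def parse_chassis_hardware(text: str) -> List[Dict[str, str]]:
    """Parse one hardware inventory into a list of {column: value} rows.

    Rows are sliced at the header's column offsets rather than split on
    whitespace, because items and descriptions legitimately contain spaces.
    Lines before the header (prompt, command echo) are ignored.
    """
    lines = text.splitlines()
    try:
        header_idx = next(i for i, line in enumerate(lines) if line.startswith("Item"))
    except StopIteration:
        raise ValueError("no 'Item ... Description' header found") from None
    offsets = _column_offsets(lines[header_idx])

    rows: List[Dict[str, str]] = []
    for line in lines[header_idx + 1:]:
        if not line.strip():
            continue
        row: Dict[str, str] = {}
        for i, name in enumerate(COLUMNS):
            start = offsets[i]
            end = offsets[i + 1] if i + 1 < len(COLUMNS) else None
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows


def chassis_serial(text: str) -> Optional[str]:
    """Serial number of the Chassis row, the value bound to the license entitlement."""
    for row in parse_chassis_hardware(text):
        if row["Item"] == "Chassis":
            return row["Serial number"] or None
    return None


if __name__ == "__main__":
    for row in parse_chassis_hardware(SAMPLE_OUTPUT):
        print(f"{row['Item']:<18} {row['Serial number']:<14} {row['Description']}")
    print("chassis serial for license entitlement:", chassis_serial(SAMPLE_OUTPUT))
```

The helper parses a single "Hardware inventory:" block. Feed it the output captured from each device separately; a chassis cluster prints one inventory per node, and each node's chassis serial is what its own license is tied to.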