ATP Cloud
JuniperAdvancedThreatPreventionCloud
Administration Guide
Published
2021-03-31
ii
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net
JuniperNetworks,theJuniperNetworkslogo,Juniper,andJunosareregisteredtrademarksofJuniperNetworks,Inc. in theUnitedStatesandothercountries. Allothertrademarks,servicemarks,registeredmarks,orregisteredservicemarks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
ATPCloudJuniperAdvancedThreatPreventionCloudAdministrationGuide
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
TheJuniperNetworksproductthatisthesubjectofthistechnicaldocumentationconsistsof(orisintendedforusewith) JuniperNetworkssoftware.UseofsuchsoftwareissubjecttothetermsandconditionsoftheEndUserLicenseAgreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
iii
About the Documentation | xi
Documentation and Release Notes | xi
Documentation Conventions | xi
Documentation Feedback | xiv
Requesting Technical Support | xiv
Self-Help Online Tools and Resources | xv
Creating a Service Request with JTAC | xv
1Overview and Installation
Juniper Advanced Threat Prevention Cloud Overview | 2
Juniper Advanced Threat Prevention Cloud | 2
About Juniper Advanced Threat Prevention Cloud | 2
Juniper ATP Cloud Features | 3
How the SRX Series Device Remediates Traffic | 5
Juniper ATP Cloud Use Cases | 7
Licensing | 8
How is Malware Analyzed and Detected? | 8
Analyzing and Detecting Malware | 8
Cache Lookup | 9
Antivirus Scan | 9
Static Analysis | 10
Dynamic Analysis | 10
Machine Learning Algorithm | 10
Threat Levels | 11
Licensing | 11
iv
About Policy Enforcer | 12
Policy Enforcer | 12
Install Juniper Advanced Threat Cloud Prevention | 14
Juniper Advanced Threat Prevention Cloud Installation Overview | 14
Managing the Juniper Advanced Threat Prevention Cloud License | 14
Obtaining the Premium License Key | 15
License Management and SRX Series Devices | 16
Juniper ATP Cloud Premium Evaluation License for vSRX | 16
License Management and vSRX Deployments | 17
High Availability | 18
Registering a Juniper Advanced Threat Prevention Cloud Account | 19
Downloading and Running the Juniper Advanced Threat Prevention Cloud Script | 24
2The Web Portal and Enrolling SRX Series Devices
The Juniper ATP Cloud Web Portal | 31
Juniper Advanced Threat Prevention Cloud Configuration Overview | 31
Juniper Advanced Threat Prevention Cloud Web UI Overview | 34
Accessing the Web UI | 34
Dashboard Overview | 37
Reset Password | 38
Recover Realm Name | 40
Enroll SRX Series Devices | 43
Enrolling an SRX Series Device With Juniper Advanced Threat Prevention Cloud | 43
Enrolling an SRX Series Device without the Juniper ATP Cloud Web Portal | 47
Removing an SRX Series Device From Juniper Advanced Threat Prevention Cloud | 49
Searching for SRX Series Devices Within Juniper Advanced Threat Prevention Cloud | 50
Juniper Advanced Threat Prevention Cloud RMA Process | 53
Device Information | 53
Cloud Feeds for Juniper Advanced Threat Prevention Cloud: More Information | 54
v
3Configure
Allowlists and Blocklists | 57
Allowlist and Blocklist Overview | 57
Creating Allowlists and Blocklists | 59
Email Scanning: Juniper ATP Cloud | 65
Email Management Overview | 65
Email Management: Configure SMTP | 67
Email Management: Configure IMAP | 70
Email Scanning: SRX Series Device | 74
Configuring the SMTP Email Management Policy on the SRX Series Device | 74
Configuring the IMAP Email Management Policy on the SRX Series Device | 80
Configuring Reverse Proxy on the SRX Series Device | 88
File Inspection Profiles | 92
File Inspection Profiles Overview | 92
Creating File Inspection Profiles | 94
Adaptive Threat Profiling | 97
Adaptive Threat Profiling Overview | 97
Overview | 97
Configure Adaptive Threat Profiling | 100
Deploy Adaptive Threat Profiling | 101
Use Case Examples | 104
Threat Detection Use Case 1 | 104
Asset Classification Use Case | 107
Create an Adaptive Threat Profiling Feed | 108
SecIntel Feeds | 111
SecIntel Feeds Overview | 112
Juniper SecIntel Feeds Overview | 118
vi
Global Configurations | 119
Global Configuration for Infected Hosts | 119
Configuring Threat Intelligence Sharing | 122
Configuring Trusted Proxy Servers | 124
Realm Overview | 125
Realms and Tenant Systems | 125
Configuration Overview | 126
SRX Series and Tenant System Enrollment | 126
Realm Management | 127
Tenant Systems: Security-Intelligence and Anti-Malware Policies | 129
Tenant System Support for SecIntel Feeds | 129
Tenant System Support for AAMW | 130
Security Profile CLI | 132
Enable Logging | 132
Enable Mist with Juniper ATP Cloud | 133
4Monitor and Take Action
Audit | 136
Viewing Audit Logs | 136
Reports | 145
Reports Overview | 145
Configure Report Definitions | 149
Hosts | 151
Hosts Overview | 151
Host Details | 154
Identifying Infected Hosts | 156
Compromised Hosts: More Information | 156
About Block Drop and Block Close | 160
Host Details | 161
Automatic Lowering of Host Threat Level or Removal from Infected Hosts Feed | 162
Configuring the SRX Series Devices to Block Infected Hosts | 163
vii
Threat Sources | 167
Threat Sources Overview | 167
Threat Source Details | 168
Identify Hosts Communicating with Command and Control Servers | 172
Command and Control Servers: More Information | 172
Configuring the SRX Series Device to Block Outbound Requests to a C&C Host | 175
File Scanning | 178
HTTP File Download Overview | 178
HTTP File Download Details | 180
File Summary | 181
HTTP Downloads | 182
Sample STIX Report | 183
Manual Scanning Overview | 183
File Scanning Limits | 185
SMB File Download Overview | 186
SMB File Download Details | 188
File Summary | 189
SMB Downloads | 190
Email Scanning | 191
Email Attachments Scanning Overview | 191
Email Attachments Scanning Details | 192
File Summary | 194
SMTP Quarantine Overview: Blocked Emails | 195
IMAP Block Overview | 197
Telemetry | 199
Telemetry Overview | 199
Telemetry Details | 201
viii
Encrypted Traffic Insights | 204
Encrypted Traffic Insights Overview | 204
Encrypted Traffic Insights and Detection | 205
Workflow | 206
Configurations on SRX Series Devices | 207
Encrypted Traffic Insights Details | 208
5Policies on the SRX Series Device
Configure Juniper ATP Cloud Policies on the SRX Series Device | 212
Juniper Advanced Threat Prevention Cloud Policy Overview | 212
Enabling Juniper ATP Cloud for Encrypted HTTPS Connections | 215
Example: Configuring a Juniper Advanced Threat Prevention Cloud Policy Using the CLI | 216
Unified Policies | 221
Explicit Web Proxy Support | 223
Configure IP-Based Geolocations on the SRX Series Device | 225
Geolocation IPs and Juniper Advanced Threat Prevention Cloud | 225
Configuring Juniper Advanced Threat Prevention Cloud With Geolocation IP | 226
Integrate Amazon Web Services GuardDuty with vSRX Firewalls | 228
Integrate AWS GuardDuty with vSRX Firewalls | 228
Solution Overview | 228
Workflow to Integrate AWS GuardDuty with vSRX Firewalls | 230
Set up AWS Environment | 231
Configure vSRX Firewall | 235
Configure DNS Sinkhole on the SRX Series Device | 239
DNS Sinkhole for Disallowed Domains | 239
Overview | 239
Benefits | 239
Configure DNS Request Filtering | 240
ix
6Administration
Juniper ATP Cloud Administration | 244
Modifying My Profile | 244
Creating and Editing User Profiles | 245
Application Tokens Overview | 247
Creating Application Tokens | 247
Multi-Factor Authentication Overview | 249
Configure Multi-Factor Authentication for Administrators | 249
Enable Multi-Factor Authentication | 250
Verification Codes for Multi-Factor Authentication: Mobile SMS | 251
Verification Codes for Multi-Factor Authentication: Email | 251
Unlock a User | 252
7Troubleshoot
Troubleshooting Topics | 254
Juniper Advanced Threat Prevention Cloud Troubleshooting Overview | 254
Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking DNS and Routing
Configurations | 255
Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking Certificates | 258
Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking the Routing Engine
Status | 260
request services advanced-anti-malware data-connection | 262 request services advanced-anti-malware diagnostic | 264
TroubleshootingJuniperAdvancedThreatPreventionCloud:Checkingtheapplication-identification
License | 268
Viewing Juniper Advanced Threat Prevention Cloud System Log Messages | 269
Configuring traceoptions | 270
Viewing the traceoptions Log File | 272
Turning Off traceoptions | 272
Juniper Advanced Threat Prevention Cloud Dashboard Reports Not Displaying | 273
Juniper Advanced Threat Prevention Cloud RMA Process | 274
x
8More Documentation
ATP Cloud Tech Library Page Links | 276
Links to Documentation on Juniper.net | 276
xi
IN THIS SECTION
Documentation and Release Notes | xi
Documentation Conventions | xi
Documentation Feedback | xiv
Requesting Technical Support | xiv
Use this guide to configure, monitor, and manage Juniper ATP Cloud features to protect all hosts in your network against evolving security threats.
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
Iftheinformationinthelatestreleasenotesdiffersfromtheinformationinthedocumentation,followthe product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Table 1 on page xii defines notice icons used in this guide.
xii
Table 1: Notice Icons |
|
|
Icon |
Meaning |
Description |
|
Informational note |
Indicates important features or instructions. |
|
Caution |
Indicates a situation that might result in loss of data or hardware |
|
|
damage. |
|
Warning |
Alerts you to the risk of personal injury or death. |
|
Laser warning |
Alerts you to the risk of personal injury from a laser. |
|
Tip |
Indicates helpful information. |
|
Best practice |
Alerts you to a recommended use or implementation. |
Table 2 on page xii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention |
Description |
Examples |
Bold text like this |
Represents text that you type. |
To enter configuration mode, type |
|
|
the configure command: |
|
|
user@host> configure |
Fixed-width text like this |
Represents output that appears on |
user@host> show chassis alarms |
|
the terminal screen. |
No alarms currently active |
|
|
Italictextlikethis |
• Introducesoremphasizesimportant |
|
new terms. |
|
• Identifies guide names. |
|
• Identifies RFC and Internet draft |
|
titles. |
•A policy term is a named structure that defines match conditions and actions.
•JunosOSCLIUserGuide
•RFC 1997, BGPCommunities Attribute
xiii
Table 2: Text and Syntax Conventions (continued)
Convention |
Description |
Italictextlikethis |
Represents variables (options for |
|
which you substitute a value) in |
|
commands or configuration |
|
statements. |
Examples
Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name
Text like this |
Represents names of configuration |
|
statements, commands, files, and |
|
directories; configuration hierarchy |
|
levels; or labels on routing platform |
|
components. |
•To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
•The console port is labeled
CONSOLE.
< > (angle brackets) |
Encloses optional keywords or |
|
variables. |
| (pipe symbol) |
Indicates a choice between the |
|
mutually exclusive keywords or |
|
variablesoneithersideofthesymbol. |
|
The set of choices is often enclosed |
|
in parentheses for clarity. |
stub <default-metric metric>;
broadcast | multicast
(string1 | string2 | string3)
# (pound sign)
[ ] (square brackets)
Indention and braces ( { } )
; (semicolon)
Indicatesacommentspecifiedonthe |
rsvp{#RequiredfordynamicMPLS |
same line as the configuration |
only |
statement to which it applies. |
|
Enclosesavariableforwhichyoucan |
community name members [ |
substitute one or more values. |
community-ids ] |
Identifies a level in the configuration |
[edit] |
hierarchy. |
routing-options { |
|
static { |
Identifies a leaf statement at a |
route default { |
configuration hierarchy level. |
nexthop address; |
|
retain; |
|
} |
|
} |
|
} |
GUI Conventions
xiv
Table 2: Text and Syntax Conventions (continued) |
|
|
Convention |
Description |
Examples |
Bold text like this |
Represents graphical user interface |
• IntheLogicalInterfacesbox,select |
|
(GUI) items you click or select. |
All Interfaces. |
|
|
• To cancel the configuration, click |
|
|
Cancel. |
> (bold right angle bracket) |
Separates levels in a hierarchy of |
Intheconfigurationeditorhierarchy, |
|
menu selections. |
select Protocols>Ospf. |
We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:
•Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:
•Click the thumbs-up icon if the information on the page was helpful to you.
•Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.
•E-mail—Sendyourcommentstotechpubs-comments@juniper.net.Includethedocumentortopicname, URL or page number, and software version (if applicable).
TechnicalproductsupportisavailablethroughtheJuniperNetworksTechnicalAssistanceCenter(JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
xv
covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
•JTACpolicies—ForacompleteunderstandingofourJTACproceduresandpolicies,reviewtheJTACUser Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
•Productwarranties—Forproductwarrantyinformation,visithttps://www.juniper.net/support/warranty/.
•JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Forquickandeasyproblemresolution,JuniperNetworkshasdesignedanonlineself-serviceportalcalled the Customer Support Center (CSC) that provides you with the following features:
•Find CSC offerings: https://www.juniper.net/customers/support/
•Search for known bugs: https://prsearch.juniper.net/
•Find product documentation: https://www.juniper.net/documentation/
•Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
•Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/
•Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/
•Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/
•Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
You can create a service request with JTAC on the Web or by telephone.
•Visit https://myjuniper.juniper.net.
•Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.
1
PART
Juniper Advanced Threat Prevention Cloud Overview | 2
Install Juniper Advanced Threat Cloud Prevention | 14
2
CHAPTER 1
JuniperAdvancedThreatPreventionCloudOverview
IN THIS CHAPTER
Juniper Advanced Threat Prevention Cloud | 2
How is Malware Analyzed and Detected? | 8
About Policy Enforcer | 12
IN THIS SECTION
About Juniper Advanced Threat Prevention Cloud | 2
Juniper ATP Cloud Features | 3
How the SRX Series Device Remediates Traffic | 5
Juniper ATP Cloud Use Cases | 7
Licensing | 8
Juniper® Advanced Threat Prevention Cloud (Juniper ATP Cloud)is a security framework that protects all hostsinyournetworkagainstevolvingsecuritythreatsbyemployingcloud-basedthreatdetectionsoftware with a next-generation firewall system. See Figure 1 on page 3.
3
Figure 1: Juniper ATP Cloud Overview
Juniper ATP Cloud protects your network by performing the following tasks:
•The SRX Series device extracts potentially malicious objects and files and sends them to the cloud for analysis.
•Known malicious files are quickly identified and dropped before they can infect a host.
•Multiple techniques identify new malware, adding it to the known list of malware.
•CorrelationbetweennewlyidentifiedmalwareandknownCommandandControl(C&C)sitesaidsanalysis.
•The SRX Series device blocks known malicious file downloads and outbound C&C traffic.
Juniper ATP Cloud supports the following modes:
•Layer 3 mode
•Tap mode
•Transparent mode using MAC address. For more information, see Transparent mode on SRX Series devices.
•Secure wire mode (high-level transparent mode using the interface to directly passing traffic, not by MAC address.) For more information, see Understanding Secure Wire.
Juniper ATP Cloud is a cloud-based solution. Cloud environments are flexible and scalable, and a shared environmentensuresthateveryonebenefitsfromnewthreatintelligenceinnearreal-time.Yoursensitive dataissecuredeventhoughitisinacloudsharedenvironment.Securityanalystscanupdatetheirdefense when new attack techniques are discovered and distribute the threat intelligence with very little delay.
4
In addition, Juniper ATP Cloud offers the following features:
•Integrated with the SRX Series device to simplify deployment and enhance the anti-threat capabilities of the firewall.
•Delivers protection against “zero-day” threats using a combination of tools to provide robust coverage against sophisticated, evasive threats.
•Checks inbound and outbound traffic with policy enhancements that allow users to stop malware, quarantine infected systems, prevent data exfiltration, and disrupt lateral movement.
•High availability to provide uninterrupted service.
•Scalabletohandleincreasingloadsthatrequiremorecomputingresources,increasednetworkbandwidth to receive more customer submissions, and a large storage for malware.
•Provides deep inspection, actionable reporting, and inline malware blocking.
•APIs for C&C feeds, allowlist and blocklist operations, and file submission. See the Threat Intelligence Open API Setup Guide for more information.
Figure 2 on page 4 lists the Juniper ATP Cloud components.
Figure 2: Juniper ATP Cloud Components
Table 3 on page 5 briefly describes each Juniper ATP Cloud component’s operation.
5
Table 3: Juniper ATP Cloud Components
Component Operation
Commandandcontrol(C&C)cloud C&Cfeedsareessentiallyalistofserversthatareknowncommandandcontrol feeds forbotnets. Thelistalsoincludesserversthatareknownsourcesformalware
downloads.
GeoIP cloud feeds |
GeoIPfeedsisanup-to-datemappingofIPaddressestogeographicalregions. |
|
This gives you the ability to filter traffic to and from specific geographies in |
|
the world. |
Infected host cloud feeds |
Infectedhostsindicatelocaldevicesthatarepotentiallycompromisedbecause |
|
they appear to be part of a C&C network or other exhibit other symptoms. |
Allowlist, blocklists and custom |
A allowlist is simply a list of known IP addresses that you trust and a blocklist |
cloud feeds |
is a list that you do not trust. |
|
NOTE: Custom feeds are not supported in this release. |
SRX Series device |
Submits extracted file content for analysis and detected C&C hits inside the |
|
customer network. |
|
Performs inline blocking based on verdicts from the analysis cluster. |
Malware inspection pipeline |
Performs malware analysis and threat detection. |
Internal compromise detection |
Inspects files, metadata, and other information. |
Service portal (Web UI) |
Graphics interface displaying information about detected threats inside the |
|
customer network. |
|
Configuration management tool where customers can fine-tune which file |
|
categories can be submitted into the cloud for processing. |
The SRX Series devices use intelligence provided by Juniper ATP Cloud to remediate malicious content throughtheuseofsecuritypolicies.Ifconfigured,securitypoliciesblockthatcontentbeforeitisdelivered to the destination address.
Forinboundtraffic,securitypoliciesontheSRXSeriesdevicelookforspecifictypesoffiles,like .exefiles, toinspect. Whenoneisencountered,thesecuritypolicysendsthefiletotheJuniperATPCloudcloudfor inspection.TheSRXSeriesdeviceholdsthelastfewKBofthefilefromthedestinationclientwhileJuniper ATP Cloud checks if this file has already been analyzed. If so, a verdict is returned and the file is either senttotheclientorblockeddependingonthefile’sthreatlevelandtheuser-definedpolicyinplace. Ifthe
6
cloud has not inspected this file before, the file is sent to the client while Juniper ATP Cloud performs an exhaustive analysis. If the file’s threat level indicates malware (and depending on the user-defined configurations) the client system is marked as an infected host and blocked from outbound traffic. For more information, see “How is Malware Analyzed and Detected?” on page 8.
Figure 3 on page 6 shows an example flow of a client requesting a file download with Juniper ATP Cloud.
Figure 3: Inspecting Inbound Files for Malware
Step Description
1AclientsystembehindanSRXSeriesdevicesrequestsafiledownloadfromtheInternet.TheSRXSeries device forwards that request to the appropriate server.
2TheSRXSeriesdevicereceivesthedownloadedfileandchecksitssecurityprofiletoseeifanyadditional action must be performed.
3Thedownloadedfiletypeisonthelistoffilesthatmustbeinspectedandissenttothecloudforanalysis.
4Juniper ATP Cloud has inspected this file before and has the analysis stored in cache. In this example, the file is not malware and the verdict is sent back to the SRX Series device.
5Basedonuser-definedpoliciesandbecausethisfileisnotmalware,theSRXSeriesdevicesendsthefile to the client.
7
For outbound traffic, the SRX Series device monitors traffic that matches C&C feeds it receives, blocks these C&C requests, and reports them to Juniper ATP Cloud. A list of infected hosts is available so that the SRX Series device can block inbound and outbound traffic.
Juniper ATP Cloud can be used anywhere in an SRX Series deployment. See Figure 4 on page 7.
Figure 4: Juniper ATP Cloud Use Cases
•Campus edge firewall—Juniper ATP Cloud analyzes files downloaded from the Internet and protects end-user devices.
•Datacenteredge—Likethecampusedgefirewall,JuniperATPCloudpreventsinfectedfilesandapplication malware from running on your computers.
•Branchrouter—JuniperATPCloudprovidesprotectionfromsplit-tunnelingdeployments.Adisadvantage of split-tunneling is that users can bypass security set in place by your company’s infrastructure.
8
Juniper ATP Cloud has three service levels: Free, Basic (feed only), and Premium. No license is required for the free version, but you must obtain a license for Basic and Premium levels.
TounderstandmoreaboutJuniperATPCloudlicenses,seeLicensesforJuniperAdvancedThreatPrevention (ATP) Cloud. Please refer to the Licensing Guide for general information about License Management. Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or Juniper Partner.
IN THIS SECTION
Analyzing and Detecting Malware | 8
Cache Lookup | 9
Antivirus Scan | 9
Static Analysis | 10
Dynamic Analysis | 10
Machine Learning Algorithm | 10
Threat Levels | 11
Licensing | 11
JuniperATPCloudusesapipelineapproachtoanalyzinganddetectingmalware.Ifananalysisrevealsthat thefileisabsolutelymalware,itisnotnecessarytocontinuethepipelinetofurtherexaminethemalware. See Figure 5 on page 9.
9
Figure 5: Example Juniper ATP Cloud Pipeline Approach for Analyzing Malware
Each analysis technique creates a verdict number, which is combined to create a final verdict number between 1 and 10. A verdict number is a score or threat level. The higher the number, the higher the malware threat. The SRX Series device compares this verdict number to the policy settings and either permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets are dropped from the server.
When a file is analyzed, a file hash is generated, and the results of the analysis are stored in a database. When a file is uploaded to the Juniper ATP Cloud cloud, the first step is to check whether this file has been looked at before. If it has, the stored verdict is returned to the SRX Series device and there is no needtore-analyzethefile. InadditiontofilesscannedbyJuniperATPCloud,informationaboutcommon malware files is also stored to provide faster response.
Cachelookupisperformedinrealtime. Allothertechniquesaredoneoffline. Thismeansthatifthecache lookup does not return a verdict, the file is sent to the client system while the Juniper ATP Cloud cloud continuestoexaminethefileusingtheremainingpipelinetechniques. Ifalateranalysisreturnsamalware verdict, then the file and host are flagged.
The advantage of antivirus software is its protection against a large number of potential threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of antivirus software is that it is always behind the malware. The virus comes first and the patch to the virus comes second. Antivirus is better at defending familiar threats and known malware than zero-day threats.
10
JuniperATPCloudutilizesmultipleantivirussoftwarepackages,notjustone,toanalyzeafile. Theresults are then fed into the machine learning algorithm to overcome false positives and false negatives.
Static analysis examines files without actually running them. Basic static analysis is straightforward and fast, typically around 30 seconds. The following are examples of areas static analysis inspects:
•Metadata information—Name of the file, the vendor or creator of this file, and the original data the file was compiled on.
•Categoriesofinstructionsused—IsthefilemodifyingtheWindowsregistry?IsittouchingdiskI/OAPIs?.
•File entropy—How random is the file? A common technique for malware is to encrypt portions of the code and then decrypt it during runtime. A lot of encryption is a strong indication a this file is malware.
Theoutputofthestaticanalysisisfedintothemachinelearningalgorithmtoimprovetheverdictaccuracy.
The majority of the time spent inspecting a file is in dynamic analysis. With dynamic analysis, often called sandboxing, a file is studied as it is executed in a secure environment. During this analysis, an operating system environment is set up, typically in a virtual machine, and tools are started to monitor all activity. The file is uploaded to this environment and is allowed to run for several minutes. Once the allotted time haspassed,therecordofactivityisdownloadedandpassedtothemachinelearningalgorithmtogenerate a verdict.
Sophisticated malware can detect a sandbox environment due to its lack of human interaction, such as mouse movement. Juniper ATP Cloud uses a number of deceptiontechniques to trick the malware into determining this is a real user environment. For example, Juniper ATP Cloud can:
•Generate a realistic pattern of user interaction such as mouse movement, simulating keystrokes, and installing and launching common software packages.
•Createfakehigh-valuetargetsintheclient,suchasstoredcredentials,userfiles,andarealisticnetwork with Internet access.
•Create vulnerable areas in the operating system.
Deceptiontechniquesbythemselvesgreatlyboostthedetectionratewhilereducingfalsepositives. They alsobooststhedetectionrateofthesandboxthefileisrunninginbecausetheygetthemalwaretoperform more activity. The more the file runs the more data is obtained to detect whether it is malware.
Juniper ATP Cloud uses its own proprietary implementation of machine learning to assist in analysis. Machine learning recognizes patterns and correlates information for improved file analysis. The machine
11
learning algorithm is programmed with features from thousands of malware samples and thousands of goodware samples. It learns what malware looks like, and is regularly re-programmed to get smarter as threats evolve.
JuniperATPCloudassignsanumberbetween0-10toindicatethethreatleveloffilesscannedformalware and the threat level for infected hosts. See Table 4 on page 11.
Table 4: Threat Level Definitions |
|
|
Threat Level |
Definition |
|
0 |
|
Clean; no action is required. |
1 |
- 3 |
Low threat level. |
4 |
- 6 |
Medium threat level. |
7 |
-10 |
High threat level. |
For more information on threat levels, see the Juniper ATP Cloud Web UI online help.
Juniper ATP Cloud has three service levels: Free, Basic (feed only), and Premium. No license is required for the free version, but you must obtain a license for Basic and Premium levels.
TounderstandmoreaboutJuniperATPCloudlicenses,seeLicensesforJuniperAdvancedThreatPrevention (ATP) Cloud. Please refer to the Licensing Guide for general information about License Management. Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or Juniper Partner.
RELATED DOCUMENTATION
Juniper Advanced Threat Prevention Cloud | 2
Dashboard Overview | 37
12
IN THIS SECTION
Policy Enforcer | 12
View the Policy Enforcer data sheet (This takes you out of the help center to the Juniper web site): https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000602-en.pdf
Policy Enforcer provides centralized, integrated management of all your security devices (both physical and virtual), giving you the ability to combine threat intelligence from different solutions and act on that intelligence from one management point.
It also automates the enforcement of security policies across the network and quarantines infected endpoints to prevent threats across firewalls and switches. It works with cloud-based Juniper Advanced ThreatPrevention(JuniperATP)Cloudtoprotectbothperimeter-orientedthreatsaswellasthreatswithin thenetwork. Forexample,ifauserdownloadsafilefromtheInternetandthatfilepassesthroughanSRX firewall, the file can be sent to the Juniper ATP Cloud cloud for malware inspection (depending on your configuration settings.) If the file is determined to be malware, Policy Enforcer identifies the IP address and MAC address of the host that downloaded the file. Based on a user-defined policy, that host can be put into a quarantine VLAN or blocked from accessing the Internet.
Policy Enforcer provides the following:
•Pervasive Security—Combine security features and intelligence from devices across your network, including switches, routers, firewalls, to create a “secure fabric” that leverages information you can use to create policies that address threats in real-time and into the future. With monitoring capabilities, it can also act as a sensor, providing visibility for intraand inter-network communications.
•User Intent-Based Policies—Create policies according to logical business structures such as users, user groups, geographical locations, sites, tenants, applications, or threat risks. This allows network devices (switches,routers,firewallsandothersecuritydevices)toshareinformation,resources,andwhenthreats are detected, remediation actions within the network.
•Threat Intelligence Aggregation—Gather threat information from multiple locations and devices, both physical and virtual, as well as third party solutions.
Figure 6 on page 13 illustrates the flow diagram of Policy Enforcer over a traditional SRX configuration.
13
Figure 6: Comparing Traditional SRX Customers to Policy Enforcer Customers
RELATED DOCUMENTATION
Hosts Overview | 151
Host Details | 154
Dashboard Overview | 37
14
CHAPTER 2
IN THIS CHAPTER
Juniper Advanced Threat Prevention Cloud Installation Overview | 14
Managing the Juniper Advanced Threat Prevention Cloud License | 14
Registering a Juniper Advanced Threat Prevention Cloud Account | 19
Downloading and Running the Juniper Advanced Threat Prevention Cloud Script | 24
AlthoughJuniperATPCloudisafreeadd-ontoanSRXSeriesdevice,youmuststillenableitpriortousing it. To enable Juniper ATP Cloud, perform the following tasks:
1.(Optional) Obtain a Juniper ATP Cloud premium license. See Licenses for Juniper Advanced Threat Prevention (ATP) Cloud. This link takes you to the Juniper Licensing Guide.
2.RegisteranaccountontheJuniperATPCloudcloudWebportal. See “RegisteringaJuniperAdvanced Threat Prevention Cloud Account” on page 19.
3.Download and run the Juniper ATP Cloud script on your SRX Series device. See “Downloading and Running the Juniper Advanced Threat Prevention Cloud Script” on page 24.
IN THIS SECTION
Obtaining the Premium License Key | 15
License Management and SRX Series Devices | 16
Juniper ATP Cloud Premium Evaluation License for vSRX | 16
15
License Management and vSRX Deployments | 17
High Availability | 18
This topic describes how to install the Juniper ATP Cloud premium license onto your SRX Series devices andvSRXdeployments.YoudonotneedtoinstalltheJuniperATPCloudfreelicenseastheseareincluded your base software. Note that the free license has a limited feature set (see JuniperAdvancedThreat PreventionCloudLicenseTypes and “File Scanning Limits” on page 185).
When installing the license key, you must use the license that is specific your device type. For example, the Juniper ATP Cloud premium license available for the SRX Series device cannot be used on vSRX deployments.
The Juniper ATP Cloud premium license can be found on the Juniper Networks product price list. The procedure for obtaining the premium license entitlement is the same as for all other Juniper Network products. The following steps provide an overview.
1.ContactyourlocalsalesofficeorJuniperNetworkspartnertoplaceanorderfortheJuniperATPCloud premium license.
Afteryourorderiscomplete,anauthorizationcodeise-mailedtoyou.Anauthorizationcodeisaunique 16-digitalphanumericusedinconjunctionwithyourdeviceserialnumbertogenerateapremiumlicense entitlement.
2.(SRX Series devices only) Use the show chassis hardware CLI command to find the serial number of the SRX Series devices that are to be tied to the Juniper ATP Cloud premium license.
[edit] |
|
|
|
|
root@SRX# run show chassis hardware |
|
|
||
Hardware inventory: |
|
|
|
|
Item |
Version |
Part number |
Serial number |
Description |
Chassis |
|
|
CM1915AK0326 |
SRX1500 |
Midplane |
REV 09 |
750-058562 |
ACMH1590 |
SRX1500 |
Pseudo CB 0 |
|
|
|
|
Routing Engine 0 |
|
BUILTIN |
BUILTIN |
SRX Routing Engine |
FPC 0 |
REV 08 |
711-053832 |
ACMG3280 |
FEB |
PIC 0 |
|
BUILTIN |
BUILTIN |
12x1G-T-4x1G-SFP-4x10G |