Spotlight Secure Connector Getting Started Guide
Spotlight Secure
Modified: 2015-06-04
Copyright © 2015, Juniper Networks, Inc.

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright © 2015, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Spotlight Secure Connector Getting Started Guide
Copyright © 2015, Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.
Table of Contents

About the Documentation (page vii)
  Documentation and Release Notes (page vii)
  Documentation Conventions (page vii)
  Documentation Feedback (page ix)
  Requesting Technical Support (page x)
    Self-Help Online Tools and Resources (page x)
    Opening a Case with JTAC (page x)

Part 1: Overview
Chapter 1: Introduction to Security Intelligence (page 3)
  Perimeter Security Today (page 3)
  Juniper Networks Security Intelligence (page 4)
    Security Intelligence in the Network (page 6)
  Dynamic Address Entry and Security Intelligence Services (page 8)
    Dynamic Address Entry Configuration on the SRX Series Enforcement Point for Security Intelligence (page 8)
Chapter 2: Security Intelligence Configurations (page 11)
  Security Intelligence and Command and Control Server Threats (page 12)
  Security Intelligence and Fingerprinted Attackers (page 13)
  Security Intelligence and Undesired Locales (page 14)
  Security Intelligence and Custom Feeds (page 15)

Part 2: Initial Setup
Chapter 3: Configuring the Connector (page 19)
  Configuring Spotlight Secure Connector (page 19)
    Configuring Spotlight Secure Connector Network Settings (page 20)
    Adding Spotlight Secure Connector as a Specialized Node in Junos Space (page 27)
  Setting Up High Availability (page 30)
  Spotlight Secure Connector General Settings Overview (page 32)
  Associating an SRX Series Device With Spotlight Secure Connector (page 34)
  About Trusted Server CAs (page 38)
  Updating the Schema (page 39)
  Managing Spotlight Secure Connectors (page 39)
    Adding Spotlight Secure Connector Global Settings (page 40)
    Uploading Trusted Server CAs (page 41)
    Associating Devices to Spotlight Secure Connectors (page 42)
    Updating Spotlight Secure Connector Configuration (page 44)
    Deleting Spotlight Secure Connectors (page 44)
    Viewing Spotlight Secure Connector Feed Status (page 44)
    Upgrading Spotlight Secure Connector Software or Package (page 45)
  Creating a Backup or Restoring the Connector Settings (page 46)

Part 3: Configuring Spotlight Secure Connector in Security Director
Chapter 4: Configuring Spotlight Secure Connector Information Source (page 49)
  Spotlight Secure Connector Information Source Overview (page 49)
    Whitelists and Blacklists (page 50)
    Geolocation IP Address (page 52)
    Command and Control Lists (page 54)
    WebApp Secure Threats (page 56)
    About Custom Address Lists (page 58)
    Feed Status (page 59)
  Information Source Update Interval (page 60)
  Creating an Information Source (page 60)
  Managing Information Sources (page 62)
    Modifying an Information Source (page 63)
    Deleting an Information Source (page 63)
    Updating Feeds to Connectors (page 63)
Chapter 5: Spotlight Secure Connector Profiles and Policies Overview (page 65)
  Spotlight Secure Connector Profile Overview (page 65)
    About Threat Levels (page 66)
    Verifying Profiles On the SRX Series Device (page 69)
  Creating Security Intelligence Profiles (page 70)
  Managing Security Intelligence Profiles (page 73)
    Modifying a Security Intelligence Profile (page 73)
    Deleting a Security Intelligence Profile (page 74)
    Modifying a Global White List or Global Black List (page 74)
  Spotlight Secure Connector Policy Overview (page 74)
  Creating Security Intelligence Policies (page 76)
  Managing Security Intelligence Policies (page 77)
    Modifying a Security Intelligence Policy (page 77)
    Deleting a Security Intelligence Policy (page 78)
Chapter 6: Applying Spotlight Secure to Security Rules (page 79)
  Using Spotlight Secure Connector Policies in Security Rules (page 79)
  Dynamic Address Group Overview (page 81)
  Creating Dynamic Address Groups (page 85)
  Managing Dynamic Address Groups (page 86)
    Modifying a Dynamic Address Group (page 86)
    Deleting an Address from a Dynamic Address Group (page 87)
Chapter 7: Examples (page 89)
  Example: Pushing a Whitelist, Blacklist, C&C, and GeoIP to a Security Device (page 89)
    Defining the Information Sources (page 89)
    Creating the Profiles (page 92)
    Creating the Spotlight Secure Policy (page 95)
    Creating the Dynamic Address Groups (page 96)
    Associating the SRX Series Device With the Connector (page 98)
    Creating the Firewall Policy and Rules (page 98)

Part 4: Index
  Index (page 105)
About the Documentation
• Documentation and Release Notes on page vii
• Documentation Conventions on page vii
• Documentation Feedback on page ix
• Requesting Technical Support on page x
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1 on page viii defines notice icons used in this guide.

Table 1: Notice Icons (icon, meaning, and description)
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page viii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions (convention, description, and examples)

Bold text like this: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
  user@host> configure

Fixed-width text like this: Represents output that appears on the terminal screen.
  Example:
  user@host> show chassis alarms
  No alarms currently active

Italic text like this: Introduces or emphasizes important new terms; identifies guide
names; identifies RFC and Internet draft titles.
  Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute

Italic text like this: Represents variables (options for which you substitute a value)
in commands or configuration statements.
  Example: Configure the machine's domain name:
  [edit]
  root@# set system domain-name domain-name

Text like this: Represents names of configuration statements, commands, files, and
directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
  • To configure a stub area, include the stub statement at the [edit protocols
    ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.

< > (angle brackets): Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol): Indicates a choice between the mutually exclusive keywords or
variables on either side of the symbol. The set of choices is often enclosed in
parentheses for clarity.
  Examples:
  • broadcast | multicast
  • (string1 | string2 | string3)

# (pound sign): Indicates a comment specified on the same line as the configuration
statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets): Encloses a variable for which you can substitute one or more
values.
  Example: community name members [ community-ids ]

Indention and braces ( { } ): Identifies a level in the configuration hierarchy.
; (semicolon): Identifies a leaf statement at a configuration hierarchy level.
  Example (for both of the above):
  [edit]
  routing-options {
      static {
          route default {
              nexthop address;
              retain;
          }
      }
  }

GUI Conventions

Bold text like this: Represents graphical user interface (GUI) items you click or select.
  Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.

> (bold right angle bracket): Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page at the Juniper Networks Technical
  Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
  stars to rate the content, and use the pop-up form to provide us with information about
  your experience. Alternately, you can use the online feedback form at
  https://www.juniper.net/cgi-bin/docbugreport/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
  or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
  review the JTAC User Guide located at
  http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
  http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
  7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
  http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
  http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
  http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Overview
• Introduction to Security Intelligence on page 3
• Security Intelligence Configurations on page 11
CHAPTER 1
Introduction to Security Intelligence
• Perimeter Security Today on page 3
• Juniper Networks Security Intelligence on page 4
• Dynamic Address Entry and Security Intelligence Services on page 8
Perimeter Security Today
Threats to your network continue to evolve, and the defensive software and appliances
that you can deploy to defend your network, and the assets that are available through
it, are becoming more complex. The typical approach to dealing with new security
threats is to add layers of security. Defense in depth is a basic approach to network
security, but it adds complexity by adding gateways that must often be managed and
configured separately. The complexity of the system can slow your ability to react and
respond to a threat.
Traditional network perimeter security uses stateful firewall protection and intrusion
prevention tied to an enterprise business policy. This type of enforcement works well
against known threats. The emergence of next-generation firewalls combined with unified
threat management (UTM) has allowed a more granular degree of filtering. These
integrated security functions expand security measures beyond basic stateful firewall
filtering. However, the security policies must be manually configured and maintained in
most cases.
The threat landscape has evolved. Attackers have migrated from using broad, unfocused
tactics and are now creating specialized malware that attacks specific targets or groups
of targets. Often, the goal of these attacks is to embed malware in the target’s
infrastructure and continue the attack, without detection, over long periods. If malware
infiltrates a rich target, it can carry out a wide range of undetected malicious activities
over months or years, including data theft, espionage, and disruption or destruction of
infrastructure and processes. While methods vary, the commonality of these specialized
attacks is that they are designed to avoid detection by mainstream security technologies,
such as antivirus, firewalls, and content inspection gateways.
To respond more quickly to evolving network security threats, the next-generation firewall
must adapt dynamically in real time. The next-generation firewall needs access to external
threat detection systems that are updated dynamically with information about new and
evolving threats. With access to dynamic threat data, security policies can adapt and
evolve over time without manual intervention.
Related Documentation
• Juniper Networks Security Intelligence on page 4
Juniper Networks Security Intelligence
Juniper Networks Security Intelligence (SecIntel) is a security framework that protects
webservers in the DMZ against evolving security threats by employing threat detection
software, both local and cloud-based security information, and control software with a
next-generation firewall system.
SecIntel delivers dynamic threat intelligence to the firewall. It enables automatic and
dynamic traffic filtering at both the network and application layers. A SecIntel solution
includes, at a minimum, one or more Juniper Networks SRX Series Services Gateways
and Spotlight Secure Connector, a premises-hosted application that accepts and
distributes threat intelligence information to enforcement points. In addition, the SecIntel
framework integrates Juniper Networks WebApp Secure, which protects websites from
attackers by using Web intrusion prevention to detect, track, profile, and block attackers
in real time, and Log Director for detailed logging, reporting, and event visualization of
SRX Series activity. Optional Spotlight Secure cloud-based threat intelligence feeds
provide a stream of information about evolving threats that is gathered, analyzed, and
prioritized by Juniper Networks from multiple collection points.
SecIntel offers the following features:
• Dynamic security policies and flexible enforcement options on the firewall to react to
  rapidly changing threats. The security policy on the firewall can use dynamic intelligence
  sources, both local and cloud based. The SecIntel security policy enables a wide range
  of enforcement actions beyond just “allow” or “deny.”
• An open platform approach that can adapt to customer needs and use cases. You can
  easily employ local intelligence and third-party information sources in threat recognition.
• Tunable controls. The SecIntel security policy recognizes threat levels, which allows
  you to fine-tune your security policy response to different types of threats.
• Centrally managed security data for one or many firewalls. One control point brokers
  the feeds from the data sources and passes the information directly to the firewall
  security policies.
• Actionable intelligence with fewer false positives. Normalized threat scores enable
  intuitive security policies. Cloud-based security intelligence and prioritized threat feeds
  maximize firewall resources.
SecIntel employs the following threat-detection mechanisms:
• Juniper Networks WebApp Secure—WebApp Secure protects websites from attackers.
  Its Web intrusion prevention system uses deception to detect, track, profile, and block
  attackers in real time by inserting detection points into your webserver's output to
  identify attackers before they can do damage. WebApp Secure then tracks the
  attackers, profiles their behavior, and deploys countermeasures.
  WebApp Secure sits between your webservers and the outside world. It inspects HTTP
  and HTTPS traffic and functions as a reverse proxy. WebApp Secure seeks out potential
  attack attempts or probes by adding detection points to outbound Web traffic and
  removing detection points from inbound Web traffic. These detection points are
  transparent to common, legitimate users. It then monitors and strips these points from
  the requests coming back from the user's browser. Any change to a detection point is
  an indicator of an attempted attack. The system logs incidents to a database of attacker
  profiles and exposes them to the security administrators through a Web-based interface.
  System administrators can then apply automated abuse-prevention policies or respond
  manually.
SecIntel uses the following information sources:
• Spotlight Secure—Spotlight Secure, formerly known as Spotlight Cloud, is a cloud-based
  dynamic intelligence service for WebApp Secure. It enables a two-way communication
  process that shares information about attackers and attacks to and from a Spotlight
  server run by Juniper Networks. The updates allow WebApp Secure to positively identify
  attackers that have attacked other Juniper customers. This service also provides
  additional details about sessions, which allows Juniper to make more informed decisions
  on how to respond to threats. The Spotlight Secure service provides the following
  information feeds that target the following specific threats:
  Spotlight Command and Control
  • Blocks Command and Control (CC) connections.
  • Blocks botnet activity.
  • Identifies and isolates internal infections.
  Spotlight GeoIP
  • Blocks traffic from specified countries.
• Local and third-party information—You can create whitelists and blacklists using locally
  derived information and use it as part of your firewall security policies. A whitelist is a
  list of known IP addresses that you trust, and a blacklist identifies IP addresses that
  you do not trust. You configure the lists through Spotlight Secure Connector. Typically,
  you configure a security policy to either allow traffic from whitelist addresses and
  prevent everything else or block blacklist address traffic and allow everything else. You
  can create your own lists or obtain lists from a third-party vendor.
Spotlight Secure Connector is the central connection point between information sources
and enforcement points. Spotlight Secure Connector receives the information feeds from
Spotlight Secure and from the locally defined information sources, and makes that threat
information available to the enforcement points. Spotlight Secure Connector manages
the flow of threat information and serves as the interface where the security administrator
defines and publishes security policies to the enforcement points. Spotlight Secure
Connector is a virtual machine that runs within the Juniper Space Fabric and is managed
through Security Director. Junos Space is a comprehensive network management solution
that enables management applications that improve the agility of network platforms
and applications.
NOTE: The Spotlight Secure Connector information consumers periodically
query Spotlight Secure Connector for updates. Spotlight Secure Connector
does not push data to the consumers.
Figure 1: Junos Space > Security Director > Security Intelligence
Enforcement points (security devices):
• SecIntel uses SRX Series Services Gateways as enforcement points.
SRX Series Services Gateways are high-performance network security solutions for
enterprises and service providers. SRX Series deliver next-generation firewall protection
with application awareness, intrusion prevention system (IPS), and extensive user
role-based control options. Next-generation firewalls can perform full packet inspection
and can apply security policies based on Layer 7 information. You configure security
policies from within Spotlight Secure Connector and then publish them to the
enforcement points. The Security Intelligence Supported Platforms Guide provides
complete details on supported enforcement points.
Security Intelligence in the Network
Figure 2 on page 7 shows how the components of the SecIntel solution work together.
Figure 2: Security Intelligence in the Network
Spotlight Secure delivers optimized threat intelligence on known threats to Spotlight Secure Connector.
Spotlight Secure Connector brings together all the available threat intelligence and makes it available to the security
policies on the enforcement point. One instance of Spotlight Secure Connector can support many enforcement points
with threat intelligence from Spotlight Secure, from local and third-party sources, and from evolving threat information
discovered by WebApp Secure.
As the threat intelligence is updated on Spotlight Secure Connector, the SRX Series enforcement point can poll Spotlight
Secure Connector and update the security policy threat intelligence on the deployed security policies.
Webserver traffic is monitored by WebApp Secure for new threats while the SRX Series enforcement point security
policies perform real-time enforcement.
Web application traffic is protected.
Enforcement actions include discarding or redirecting network traffic that is identified as a threat. All threat events are
logged by Log Director.
Related Documentation
• Security Intelligence and Command and Control Server Threats on page 12
• Security Intelligence and Fingerprinted Attackers on page 13
• Security Intelligence and Undesired Locales on page 14
• Security Intelligence and Custom Feeds on page 15
Dynamic Address Entry and Security Intelligence Services
In a typical security environment, traffic flowing across an enforcement point is evaluated
against a security policy that is defined on that enforcement point. When a policy match
occurs, a specific action, such as block, is applied to the traffic. The threat information
that is used by the security policy to evaluate the traffic, typically IP source and destination
addresses, is part of the policy.
A Dynamic Address Entry (DAE) provides dynamic IP address information to security
policies. A DAE is a group of IP addresses, not just a single IP prefix, that can be imported
into Spotlight Secure Connector from external sources. These IP addresses are for specific
domains or for entities that have a common attribute such as a particular undesired
location that poses a threat. The administrator can then configure security policies to
use the DAE within a security policy. When the DAE is updated, the changes automatically
become part of the security policy. There is no need to update the policy manually.
Any data source that is available to Spotlight Secure Connector can be used as a DAE.
Dynamic Address Entry Configuration on the SRX Series Enforcement Point for Security Intelligence
Security Intelligence feeds support security policy enforcements without requiring a
configuration commit action. After you have created a security policy through Security
Director and published it to one or more SRX Series enforcement points, updated threat
intelligence updates are passed from Spotlight Secure Connector to the SRX Series
enforcement point automatically.
A category is a list of feeds of the same type. The type defines SRX Series enforcement
point criteria for feed lookup and enforcement. A feed is a collection of objects, and an
object defines criteria for a positive threat match. A SecIntel object can be of the following
types:
• IP addresses—IPv4 or IPv6 Classless Interdomain Routing (CIDR) ranges, prefixes, or
  a single address entry.
• Command and Control servers—IP addresses, URLs, and domain names. SRX Series
  enforcement points support IPv4 URLs for Command and Control (CC) objects.
• WebApp Secure—IP addresses and session cookies that WebApp Secure uses to track
  potentially malicious (Web) clients.
An object is declared as matched only if all the criteria within that object have matched.
For example, a CC object might have IP, URL, domain name, and/or IPS signature in
combination or in isolation.
Some typical examples of object matching criteria include the following:
• Always allow specific IP addresses (whitelist) to minimize false positives.
• Always deny or redirect certain IP addresses (blacklist) to minimize false negatives.
The security policy enforces the following policy match hierarchy:
• Firewall policies. Whitelist, blacklist, and other policies including GeoIP are matched
first.
• SecIntel service policies based on whitelist feeds, blacklist feeds, and other service
feeds including CC and WebApp Secure feeds.
The Dynamic Address Entry (DAE) feature allows feed-based IP objects to be used in
security policies to either deny or allow traffic based on either source or destination IP
criteria. The key difference with DAE is that feed data on SRX Series enforcement points
can be updated dynamically; no configuration commit action is required.
A security administrator defines the DAE as an import of IP objects (an IP list feed) using
Security Director, and uses the DAE in firewall security policies.
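The match hierarchy and the all-criteria rule described above, modelled in Python as an added example (an educational reconstruction, not Juniper's SRX implementation): firewall whitelist, blacklist and GeoIP checks run first, then SecIntel feed objects, and a CC object that carries both an IP range and a domain matches only when both are present. All addresses, domains, the cookie value and the locale code ZZ are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field


def ip_in_networks(ip, networks):
    """True if ip falls inside any CIDR range, prefix or single address in networks.
    ipaddress returns False for an address/network version mismatch (v4 vs v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


@dataclass
class Session:
    """The attributes of one flow that the feeds can be matched against."""
    src_ip: str
    dst_ip: str
    url: str = ""
    domain: str = ""
    cookie: str = ""   # WebApp Secure session cookie, if the client presented one


@dataclass
class FeedObject:
    """One SecIntel object. Every criterion that is set must match (AND semantics);
    an object with no criteria set can never match."""
    networks: list = field(default_factory=list)   # IPv4/IPv6 CIDRs or single addresses
    urls: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    cookies: set = field(default_factory=set)
    ip_field: str = "dst_ip"   # CC servers are destinations; fingerprinted clients are sources

    def matches(self, s):
        results = []
        if self.networks:
            results.append(ip_in_networks(getattr(s, self.ip_field), self.networks))
        if self.urls:
            results.append(s.url in self.urls)
        if self.domains:
            results.append(s.domain in self.domains)
        if self.cookies:
            results.append(s.cookie in self.cookies)
        return bool(results) and all(results)


@dataclass
class Policy:
    whitelist: list = field(default_factory=list)   # firewall: always permit (false positives)
    blacklist: list = field(default_factory=list)   # firewall: always block (false negatives)
    geoip: dict = field(default_factory=dict)       # firewall: locale code -> CIDRs to block
    feeds: list = field(default_factory=list)       # SecIntel: (name, action, [FeedObject])


def evaluate(s, p):
    """Return (action, reason). Firewall policies are matched first and SecIntel
    service feeds second, so a whitelisted host is never blocked by a CC feed."""
    if ip_in_networks(s.src_ip, p.whitelist) or ip_in_networks(s.dst_ip, p.whitelist):
        return "permit", "firewall-whitelist"
    if ip_in_networks(s.src_ip, p.blacklist) or ip_in_networks(s.dst_ip, p.blacklist):
        return "block", "firewall-blacklist"
    for locale, nets in p.geoip.items():
        if ip_in_networks(s.src_ip, nets):
            return "block", "firewall-geoip:" + locale
    for name, action, objects in p.feeds:
        if any(obj.matches(s) for obj in objects):
            return action, name
    return "permit", "default"


# Constructed sample policy built from documentation address ranges; "ZZ" is a
# placeholder locale code, not a real country.
SAMPLE_POLICY = Policy(
    whitelist=["192.0.2.10"],
    blacklist=["198.51.100.0/24"],
    geoip={"ZZ": ["100.64.0.0/10"]},
    feeds=[
        ("cc", "block", [
            FeedObject(networks=["203.0.113.0/24"]),                          # IP only
            FeedObject(networks=["203.0.114.0/24"], domains={"c2.example"}),  # IP AND domain
        ]),
        ("webapp-secure", "redirect", [
            FeedObject(ip_field="src_ip", networks=["2001:db8::/32"], cookies={"wa-fp-0001"}),
        ]),
    ],
)

if __name__ == "__main__":
    samples = [
        Session("192.0.2.10", "203.0.113.7"),                        # whitelist beats CC feed
        Session("10.0.0.5", "203.0.113.7"),                          # CC server by IP
        Session("10.0.0.5", "203.0.114.9", domain="other.example"),  # IP matches, domain does not
        Session("10.0.0.5", "203.0.114.9", domain="c2.example"),     # both criteria match
        Session("2001:db8::1", "10.0.0.80", cookie="wa-fp-0001"),    # fingerprinted client
        Session("100.64.3.3", "10.0.0.80"),                          # undesired locale
    ]
    for s in samples:
        print(s.src_ip, "->", s.dst_ip, evaluate(s, SAMPLE_POLICY))
```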
The properties for IP lists can include the following:
• Severity
• GeoIP filters (Country, County, City, Zip, and so on)
Related Documentation
• Juniper Networks Security Intelligence on page 4
CHAPTER 2
Security Intelligence Configurations
The range of security solutions available with the Security Intelligence framework depends
on which of the components you choose to deploy.
• Security Intelligence and Command and Control Server Threats on page 12
• Security Intelligence and Fingerprinted Attackers on page 13
• Security Intelligence and Undesired Locales on page 14
• Security Intelligence and Custom Feeds on page 15
Security Intelligence and Command and Control Server Threats
When a compromised host tries to initiate contact with a possible Command and Control
(CC) server on the Internet, the SRX Series enforcement point can intercept the traffic
and perform an enforcement action based on real-time feed information from Spotlight
Secure Connector that identifies the CC server IP address and URL. The data feed from
Spotlight Secure is automatically passed through Spotlight Secure Connector as a
Dynamic Address Entry (DAE) to the security policy without requiring an explicit commit
or a configuration change to the SRX Series enforcement point. Figure 3 on page 12 shows
how SecIntel handles a CC threat.
Figure 3: Spotlight Secure Connector Command and Control Feed into Spotlight Connector
Spotlight Secure delivers threat intelligence that identifies command and control servers to Spotlight Secure Connector.
Spotlight Secure Connector makes the information available to security policies on the SRX Series enforcement point.
Spotlight Secure Connector brings together all of the available threat intelligence and makes it available to the security
policies on the enforcement point. One instance of Spotlight Secure Connector can support many enforcement points
with threat intelligence.
As the threat intelligence is updated on Spotlight Secure Connector, the SRX Series enforcement point can poll Spotlight
Secure Connector to keep threat intelligence updated on the deployed security policies.
All CC server traffic that matches the feed data is discarded or redirected and the activity is tracked in Log Director. The
SRX Series enforcement point security policies perform real-time enforcement.
Web application traffic is protected.
Enforcement actions include discarding or redirecting network traffic that is identified as a threat. All threat events are
logged by Log Director.
Related Documentation
• Security Intelligence and Fingerprinted Attackers on page 13
• Security Intelligence and Undesired Locales on page 14
• Security Intelligence and Custom Feeds on page 15
Security Intelligence and Fingerprinted Attackers
Rather than waiting until there has been a compromised host on your system, security
intelligence information provided through Spotlight Secure Connector can enable the
SecIntel system to filter traffic before an attacker even attempts contact with your
network. With WebApp Secure, the information about a fingerprinted attacker from
another network is distributed as part of the Spotlight Secure Connector feed, which
makes it available to your SRX Series enforcement point. Figure 4 on page 13 shows how
SecIntel handles fingerprinted attackers.
Figure 4: Fingerprinted Attacker Feed into Spotlight Secure Connector
Spotlight Secure delivers threat intelligence that identifies attacker fingerprints to Spotlight Secure Connector. Another
instance of WebApp Secure identifies and collects the threat information, which is then uploaded to Juniper Networks
to be analyzed and weighted. This amalgamated threat intelligence is then made available as a service to subscribers.
Spotlight Secure Connector makes the attacker fingerprint information available to security policies on the SRX Series
enforcement point.
As the threat intelligence is updated on Spotlight Secure Connector, the SRX Series enforcement point can poll Spotlight
Secure Connector to keep threat intelligence updated on the deployed security policies.
All traffic that matches the feed data is discarded or redirected. The SRX Series enforcement point security policies
perform real-time enforcement.
Enforcement actions include discarding or redirecting network traffic that is identified as a threat. All threat events are
logged by Log Director.
Web application traffic is protected.
Related Documentation
• Security Intelligence and Command and Control Server Threats on page 12
• Security Intelligence and Undesired Locales on page 14
• Security Intelligence and Custom Feeds on page 15
Security Intelligence and Undesired Locales
Identified locations and their associated IP addresses can be profiled within a Spotlight
Secure GeoIP data feed. In the event of fraudulent activity or known illegal traffic that is
sourced from a particular geography, SecIntel can filter network traffic based on the
location of a host. You can base packet filtering on blocks of IP addresses that have been
identified and attributed to a particular geography. Figure 5 on page 14 shows how
SecIntel handles threats based on locales.
Figure 5: GeoIP Based Feed into Spotlight Secure Connector
Spotlight Secure delivers threat intelligence that identifies geographic locations that pose a threat to network security
to Spotlight Secure Connector. Another instance of WebApp Secure identifies and collects the threat information, which
is then uploaded to Juniper Networks to be analyzed and weighted. This amalgamated threat intelligence is then made
available as a service to subscribers.
Spotlight Secure Connector makes the information available to security policies on the SRX Series enforcement point.
As the threat intelligence is updated on Spotlight Secure Connector, the SRX Series enforcement point can poll Spotlight
Secure Connector to keep security policy threat intelligence updated on the deployed security policies.
All traffic that matches the feed data is discarded or redirected. The SRX Series enforcement point security policies
perform real-time enforcement.
Enforcement actions include discarding or redirecting network traffic that is identified as a threat. All threat events are
logged by Log Director.
Web application traffic is protected.
Related Documentation
• Security Intelligence and Command and Control Server Threats on page 12
• Security Intelligence and Fingerprinted Attackers on page 13
• Security Intelligence and Custom Feeds on page 15
Security Intelligence and Custom Feeds
The Juniper Security Intelligence Solution (SecIntel) is designed so that you can customize
it for your unique environment. For example, you can define whitelist and blacklist feeds
based on local information or from a third party and include it within the SecIntel
enforcement configuration.
Your custom security intelligence information that is used for policy enforcement can be
provided by a trusted third party or generated from known IP addresses. The custom
information must be posted in a file that is accessible to Spotlight Secure Connector.
Spotlight Secure Connector polls the file according to a configured schedule and updates
the SRX Series enforcement point security policy without an explicit commit or
configuration change. Figure 6 on page 16 shows how SecIntel uses whitelists and
blacklists to protect a network.
Figure 6: Scenario for Whitelist or Blacklist Custom Feed into Spotlight Connector
The security administrator creates formatted lists that contain whitelisted IP addresses and blacklisted IP addresses.
The security administrator can use local information and also third-party lists. The information only needs to be formatted
according to the simple rules appropriate for use with Spotlight Secure Connector.
Spotlight Secure Connector makes the information available to security policies on the SRX Series enforcement point.
As the threat intelligence is updated on Spotlight Secure Connector, the SRX Series enforcement point can poll Spotlight
Secure Connector to keep security policy threat intelligence updated on the deployed security policies.
All traffic that matches the feed data is handled according to the security policy configuration. Whitelisted addresses
are allowed to pass while blacklisted addresses are blocked. The SRX Series enforcement point security policies perform
real-time enforcement. All threat events are logged by Log Director.
Web application traffic is protected. False positives and false negatives are minimized.
Related Documentation
• Security Intelligence and Command and Control Server Threats on page 12
• Security Intelligence and Fingerprinted Attackers on page 13
• Security Intelligence and Undesired Locales on page 14
PART 2
Initial Setup
• Configuring the Connector on page 19
CHAPTER 3
Configuring the Connector
• Configuring Spotlight Secure Connector on page 19
• Setting Up High Availability on page 30
• Spotlight Secure Connector General Settings Overview on page 32
• Associating an SRX Series Device With Spotlight Secure Connector on page 34
• About Trusted Server CAs on page 38
• Updating the Schema on page 39
• Managing Spotlight Secure Connectors on page 39
• Creating a Backup or Restoring the Connector Settings on page 46
Configuring Spotlight Secure Connector
Spotlight Secure Connector is delivered as an OVA package to be deployed inside your
VMware ESX network. As with other Junos Space virtual appliances, the connector
requires either a VMware ESX server version 4.0 or later or a VMware ESXi server version
4.0 or later that can support a virtual machine with the following configuration:
• 2 CPUs
• 8-GB RAM
• 80-GB disk space
You need to enter several configuration settings for Spotlight Secure Connector. You can
use the following table to record your settings for later use.
Configuration Setting    Value
Spotlight Secure Connector hostname
Spotlight Secure Connector static IP address
Network mask
Default gateway
Primary and secondary DNS server
(Optional) Failover Spotlight Secure Connector static IP address
(Optional) Virtual IP address
(Optional) NTP servers
Customer ID—Your Juniper Networks-defined identifier that entitles you to use Spotlight Secure Connector. This is typically the same as the SiteID tied to your support account.
Administrator password
The steps to configuring the connector are as follows:
• Configuring Spotlight Secure Connector Network Settings on page 20
• Adding Spotlight Secure Connector as a Specialized Node in Junos Space on page 27
Configuring Spotlight Secure Connector Network Settings
Once you have deployed the connector, you can configure its basic network settings.
NOTE: When you first log in to the connector, you are prompted for
credentials. The default username is root. The default password is abc123.
To configure the connector network settings:
1. Launch the vSphere Client that is connected to the ESX Server where Spotlight Secure
Connector is to be deployed and power on the connector virtual machine.
The welcome page appears. See Figure 7 on page 21.
Figure 7: Spotlight Secure Connector Welcome Page
2. Click OK.
The End User License Agreement (EULA) window appears.
3. Click Accept to acknowledge the EULA. If you do not agree with the EULA, click Cancel.
Your configuration will stop and you will return to the main vSphere Client page.
The Network configuration page appears. See Figure 8 on page 21.
Figure 8: Defining the Basic Network Configuration Settings
4. Enter the following configuration information.
Option    Description
Hostname: Enter the hostname for the Spotlight Secure Connector virtual appliance; for example, connector.juniper.net.
IP address: Enter the static IP address for the Spotlight Secure Connector virtual appliance; for example, 172.24.1.105. Spotlight Secure Connector does not support DHCP to assign its IP address.
Network mask: Enter the netmask for the Spotlight Secure Connector virtual appliance; for example, 255.255.255.0.
Default gateway: Enter the IP address of the default gateway that connects your internal network to external networks; for example, 172.24.0.1.
Primary DNS server: Enter the IP address of your primary system registered to join the Domain Name System (DNS); for example, 8.8.8.8.
Secondary DNS server: Enter the IP address of a secondary DNS server; for example, 8.8.4.4. Spotlight Secure Connector uses this address only when the primary DNS server is unavailable.
Skip DNS servers check: Select this check box if you do not want to check basic network settings. By default, the system will ping the gateway to ensure it receives a response indicating your settings are correct.
5. Click Apply Changes.
Your network settings are applied. A progress window indicates the status.
When the system is finished updating your network settings, an NTP server window
appears and prompts you to configure the NTP server list. See Figure 9 on page 22.
Figure 9: Prompt for Configuring the NTP Servers
6. Click Yes to customize the NTP server list. Click No to use the default list of 0, 1, 2 and
3.centos.pool.ntp.org.
7. (Optional) Specify the NTP servers to use. See Figure 10 on page 23. Click Apply
Changes to accept your edits, Clear All to clear all fields in this window, or Cancel to
discard any edits and continue to the next step.
Figure 10: Configuring the NTP Servers
The HA Cluster Configuration prompt appears.
8. (Optional) Click Yes to set up a high-availability cluster (also called a failover cluster).
The HA Cluster Configuration page appears. See Figure 11 on page 23.
Figure 11: Option to Define a Failover Device
9. Enter the following configuration information.
Option    Description
Remote connector instance IP address: Enter the IP address of the failover Spotlight Secure Connector virtual appliance; for example, 172.24.1.106.
Virtual IP address: Enter the virtual IP (VIP) shared between the two Spotlight Secure Connector hosts. The VIP serves as the primary external contact point for connected devices like the SRX Series Services Gateways. When failover occurs, the VIP is reassigned to the standby Spotlight Secure Connector host and it becomes the new active device.
When the primary Spotlight Secure Connector virtual appliance is unreachable, the failover Spotlight Secure Connector is used. A health check is performed every 60 seconds. Depending on the severity of the failure, failover can take between 60 seconds and 15 minutes. If the remote host cannot be reached, failover occurs in 60 seconds. If there is an internal failure in updating multiple Spotlight Secure Connector feeds, it can take up to 15 minutes for failover to occur.
10. Click Apply.
The Customer Information page appears. See Figure 12 on page 24.
Figure 12: Entering Customer Information
11. Enter your customer ID. This might be your SiteID tied to your support account.
12. Click OK.
The Root password change page appears. See Figure 13 on page 25.
Figure 13: Changing the Root Password
13. Enter and reenter a new administrator password for the connector virtual appliance.
Passwords must be at least eight characters in length. If you forget your password,
see CentOS root password reset instructions.
14. Click OK.
The Juniper Networks Security Intelligence Connector page appears. See
Figure 14 on page 25.
Figure 14: Reviewing and Changing Your Configuration Settings.
15. Select one of the options and press Enter.
Option    Description
Review configuration and finish setup: Lets you review the configuration settings you defined one last time before applying them to the connector virtual appliance. We recommend that you do not change your configuration settings after the connector is added as a specialized node to the Junos Space fabric.
Change...: Select a setting to update its value.
Troubleshooting menu: Lets you ping the default gateway, remote HA device (if configured), and custom IP address (if configured). Also lets you perform a DNS lookup to verify that your settings are correct.
The Review configuration page appears. See Figure 15 on page 26.
Figure 15: Reviewing Your Configuration Settings
16. Review your configuration settings and click Finish setup. To change any of the settings,
click Change configuration.
When you click Finish setup, the configuration settings are applied to the connector
virtual appliance. A status page indicates the progress.
When done, the Setup Complete page appears. See Figure 16 on page 27.
Figure 16: Completing the Setup Steps
17. Click Finish to return to the main vSphere Client page.
Adding Spotlight Secure Connector as a Specialized Node in Junos Space
As with other Junos Space appliances, you add Spotlight Secure Connector to the Junos
Space Network Management Platform. You can add multiple connector devices to the
existing Junos Space fabric, but you can add only one at a time.
To add Spotlight Secure Connector to the Junos Space fabric:
1. On the Junos Space Network Management Platform user interface, select
Administration > Fabric and then click the Add Fabric Node icon. See
Figure 17 on page 28.
Figure 17: Adding a New Fabric
The Add Node to Fabric dialog box appears. See Figure 18 on page 28.
Figure 18: Add Node to Fabric Dialog Box
2. Enter the following information.
Option    Description
Name: Enter a name for the Spotlight Secure Connector device. The name cannot exceed 32 characters and cannot contain spaces.
IP: Enter the IP address of the Spotlight Secure Connector. This is the IP address you assigned to the Spotlight Secure Connector when running the bootstrap script.
User and Password: Enter the login credentials (SSH username and password) of the Spotlight Secure Connector. The credentials must be the same as those you specified when you ran the configuration step. If the credentials do not match, the add node operation (job) fails and Junos Space Network Management Platform displays the following error message on the Job Management workspace: Please check network credentials.
3. (Optional) Schedule when you want to add the fabric node:
• Clear the Schedule at a later time check box (the default) to initiate the add operation
when you complete Step 7 of this procedure.
• Select the Schedule at a later time check box to specify a later start date and time
for the add operation.
NOTE: The selected time in the scheduler corresponds to the Junos Space
server time but is mapped to the local time zone of the client computer.
4. Click Add to add the connector to the fabric.
It might take a few minutes to add Spotlight Secure Connector. When done, the
Network Management Platform shows the appliance as having an UP status. See
Figure 19 on page 29.
Figure 19: Spotlight Secure Connector Status in the Network Management Platform
Similarly, in the Junos Space Security Director Platform user interface select Security
Intelligence > Spotlight Connectors. The Security Director Platform shows Spotlight
Secure Connector as having an UP connection status when it is available. See
Figure 20 on page 30.
Figure 20: Spotlight Secure Status in the Security Director Platform
Related Documentation
• Setting Up High Availability on page 30
• Associating an SRX Series Device With Spotlight Secure Connector on page 34
Setting Up High Availability
Depending on your requirements, you can configure Spotlight Secure Connector for High
Availability (HA) or failover. When the primary node fails, the secondary node
automatically takes over without any manual intervention.
To set up HA:
1. During the setup process, define the HA network configuration settings.
2. Add both spotlight connectors as specialized nodes into Junos Space.
During the setup process, you define the primary node (Local Connector instance IP
address), the secondary node (Remote Connector instance IP address) and the virtual
IP address to send to the SRX Series device. See Figure 21 on page 31.
Figure 21: Defining the HA Network Configuration Settings
When adding a connector as a specialized node to Junos Space, the system reads the
network configuration information specified in the setup process. When the secondary
node is added to Junos Space, the system recognizes it as the failover node and
establishes the relationship with the primary node automatically. See Figure 22 on page 31.
Figure 22: Failover Information Displayed in Security Director
Because the virtual IP address and not the connector management IP address is sent to
the SRX Series device, failover occurs seamlessly.
If you did not configure HA during the setup process and want to configure it after you
have already added the connector to Junos Space, follow these steps:
1. On the Junos Space Security Director user interface, select Security Intelligence >
Spotlight Connector.
2. Select the connector(s) that you want to configure for HA and click Delete to remove
them as a node.
3. Log in to the connector using SSH (for example, log in to the connector through the
VM console) and re-run the setup script.
4. Re-add the connectors as a specialized node in Junos Space.
NOTE: If the connectors were already associated with an SRX Series device,
you must associate them again. When configured for HA, the SRX Series
device talks to the virtual IP and not the individual device’s IP address.
Related Documentation
• Configuring Spotlight Secure Connector on page 19
• Spotlight Secure Connector General Settings Overview on page 32
• Associating an SRX Series Device With Spotlight Secure Connector on page 34
Spotlight Secure Connector General Settings Overview
You can configure general settings for Spotlight Secure Connector. See
Figure 23 on page 33. These settings apply to all instances of the connector within Security
Director.
NOTE: This option is available only if you do not have any spotlight connectors
selected. If this option is disabled, deselect all spotlight connectors and try
again.
Figure 23: Spotlight Secure Connector General Settings
Table 3 on page 33 briefly describes the settings in each tab.
Table 3: Spotlight Secure Connector General Setting Options
Settings Tab    Description
Connection: Defines the tokens used for authentication between Spotlight Secure Connector and other devices, such as WebApp Secure. NOTE: Generate these tokens before associating an SRX Series device or WebApp Secure. You must enter the same token when configuring WebApp Secure. The device auth token is pushed to the SRX Series device when associating the SRX Series device.
Syslog: Defines the severity level of log messages to report.
E-mail: Defines e-mail settings for sending error log reports.
Auto-upgrade: Defines when to check for updates to the Spotlight Secure Connector firmware and software packages. Updates are located in the Spotlight Cloud.
Related Documentation
• Configuring Spotlight Secure Connector on page 19
Associating an SRX Series Device With Spotlight Secure Connector
After the connector is added as a fabric node to Junos Space, you can associate an SRX Series
device with that connector. You can associate multiple SRX Series devices with each connector.
NOTE: Spotlight Secure does not support Logical System (LSYS) devices.
Before associating an SRX Series device, you must first generate the device auth token
in the Global Connector Settings page. An alert appears if no auth token is present. See
Figure 24 on page 34.
Figure 24: Associating an SRX Series Device Without a Device Auth Token
If your SRX Series device is already managed by Security Director, skip to Step 5. If you have not
already associated an SRX Series device with a connector, follow these steps:
1. On the Junos Space Security Director user interface, select Devices > Device Discovery
> Device Targets and then click the Add Device icon (+). See Figure 25 on page 35.
Figure 25: Adding a New Device Target
2. Enter the IP address of the SRX Series device that you want to associate with the
connector and click Add. See Figure 26 on page 35.
Figure 26: Specifying the SRX Series IP Address
3. Enter the SRX Series device login credentials and click Add. See Figure 27 on page 36.
Figure 27: Entering SRX Device Login Credentials
4. On the Junos Space Security Director user interface, select Jobs > Job Management
to view the progress of adding the SRX Series device. When done, a Discovery
succeeded message appears. See Figure 28 on page 36.
Figure 28: Viewing the Discovery Status
5. On the Junos Space Security Director user interface, select Security Intelligence >
Spotlight Connectors.
6. Right-click the connector you want to associate with SRX Series devices and select
Device Association. See Figure 29 on page 37.
NOTE: If you do not see the SRX Series device, make sure the SRX Series
device’s release number and schema match that supported by Spotlight
Secure. See the Spotlight Secure Supported Platforms Guide.
Figure 29: Selecting the Connector to Associate Devices
7. Select the SRX Series devices to associate with this connector and click Save. See
Figure 30 on page 37.
Figure 30: Selecting the SRX Series Devices to Associate
NOTE: Spotlight Secure requires a specific DMI schema. If you do not see
your SRX Series device, make sure the correct DMI schema is installed.
See “Updating the Schema” on page 39 and the Spotlight Secure Supported
Platforms Guide.
A configuration commit is done on the device after it is associated. On the
SRX550 and SRX650 devices, memory allocation is updated and the
device is rebooted.
To verify the device association, run the show configuration CLI command on the SRX
Series device or the Device Configuration View in Network Management Platform and
look for the following entry:

services {
    security-intelligence {
        url https://10.189.240/api/v1/manifest.xml;
        authentication {
            auth-token 7qgxe0VnlQxVphbdFMkEItgL5MpmqTN1;
        }
    }
}

The URL and auth-token entries will be unique to your configuration.
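The check below is an added example, not part of the guide or of Juniper's tooling: it parses the show configuration output described above and verifies the stanza the association is expected to create, namely that the url uses https, points at the manifest path shown in the guide and (optionally) at the expected connector or virtual IP, and that the auth-token has the 32 characters of the token generated in the global connector settings. The addresses, token and comment line in the embedded sample outputs are constructed.

```python
from urllib.parse import urlparse

MANIFEST_PATH = "/api/v1/manifest.xml"   # path shown in the guide's sample stanza
TOKEN_LENGTH = 32                        # length of the generated device auth token


def parse_junos(text):
    """Minimal parser for curly-brace Junos configuration text. Blocks become nested
    dicts and leaf statements become 'name': 'value' entries. Repeated block names
    are merged, which is sufficient for checking the services stanza."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blanks and '## Last commit' lines
            continue
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            if stack:
                cur = stack.pop()
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            cur[parts[0]] = parts[1] if len(parts) > 1 else True
    return root


def verify_secintel(config_text, expected_host=None):
    """Return a list of findings; an empty list means the association looks correct."""
    cfg = parse_junos(config_text)
    si = cfg.get("services", {}).get("security-intelligence")
    if not isinstance(si, dict):
        return ["services security-intelligence stanza is missing"]
    findings = []
    url = si.get("url")
    if not isinstance(url, str):
        findings.append("url statement is missing")
    else:
        u = urlparse(url)
        if u.scheme != "https":
            findings.append("url scheme is %s, expected https" % (u.scheme or "empty"))
        if u.path != MANIFEST_PATH:
            findings.append("url path is %s, expected %s" % (u.path, MANIFEST_PATH))
        if expected_host and u.hostname != expected_host:
            findings.append("url host is %s, expected %s" % (u.hostname, expected_host))
    auth = si.get("authentication")
    token = auth.get("auth-token") if isinstance(auth, dict) else None
    if not isinstance(token, str):
        findings.append("auth-token statement is missing")
    elif len(token) != TOKEN_LENGTH:
        findings.append("auth-token is %d characters, expected %d" % (len(token), TOKEN_LENGTH))
    return findings


# Constructed sample outputs: 172.24.1.107 stands in for the connector VIP and the
# 32-character token is made up.
SAMPLE_OK = """\
## Last commit: 2015-06-04 12:00:00 UTC by admin
system {
    host-name srx-lab;
}
services {
    security-intelligence {
        url https://172.24.1.107/api/v1/manifest.xml;
        authentication {
            auth-token Abcdef0123456789Abcdef0123456789;
        }
    }
}
"""

SAMPLE_BAD = """\
services {
    security-intelligence {
        url http://172.24.1.105/api/v1/manifest.xml;
        authentication {
            auth-token short;
        }
    }
}
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, verify_secintel(text, expected_host="172.24.1.107") or "association verified")
```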
Related Documentation
• Configuring Spotlight Secure Connector on page 19
• Setting Up High Availability on page 30
• Updating the Schema on page 39
About Trusted Server CAs
Spotlight Secure Connector uses server certificate authorities (CAs) when communicating
with any HTTPS server, such as those hosting information sources. A set of trusted CAs
is pre-installed, but you can install additional certificates. See Figure 31 on page 38.
Figure 31: Uploading Additional Trusted Server CA Certificates
Related Documentation
• Spotlight Secure Connector Information Source Overview on page 49
Updating the Schema
Security Intelligence requires specific versions of the DMI schema. See the Spotlight
Secure Supported Platforms Guide for detailed information. Depending on your current
installed versions, you may be required to update your DMI schema. This topic presents
an overview of the steps. It assumes you have already downloaded the schema file to
your local system. See Updating a DMI Schema for complete instructions.
To update a DMI schema:
1. From the Junos Space Network Management Platform, select Administration > DMI
Schemas and click the Update Schema icon.
2. Check the Archive (tgz) option radio button.
3. Click Browse, select the .tgz file and click Open.
4. Click Upload.
5. Select the desired schema and click Install.
The DMI Schemas inventory landing page displays the newly installed schema.
Related Documentation
• Associating an SRX Series Device With Spotlight Secure Connector on page 34
Managing Spotlight Secure Connectors
To open the Spotlight Secure Connectors page:
• Select Security Intelligence > Spotlight Secure Connectors.
The Spotlight Secure Connectors landing page appears, listing the existing spotlight
secure connector.
• Right-click the spotlight secure connector to manage it, or select the required options
from Actions.
You can perform the following management tasks on the Spotlight Secure Connectors
page:
• Adding Spotlight Secure Connector Global Settings on page 40
• Uploading Trusted Server CAs on page 41
• Associating Devices to Spotlight Secure Connectors on page 42
• Updating Spotlight Secure Connector Configuration on page 44
• Deleting Spotlight Secure Connectors on page 44
• Viewing Spotlight Secure Connector Feed Status on page 44
• Upgrading Spotlight Secure Connector Software or Package on page 45
Adding Spotlight Secure Connector Global Settings
To add spotlight secure connector global settings:
1. Select Security Intelligence > Spotlight Secure Connectors.
   The Spotlight Secure Connectors landing page appears, listing the existing spotlight secure connectors.
2. Click the Spotlight Secure Connector - Global Settings icon in the toolbar.
   The Spotlight Secure Connector - Global Settings page appears, as shown in Figure 32 on page 40.
Figure 32: Global Connector Settings
3. Under the Connection tab, configure the following parameters:
   • To generate a 32-character token for the Device Connector Auth Token field, click Generate.
   • To generate a 32-character token for the WebApp Secure Auth Token field, click Generate.
   You can edit the auto-generated token; however, make sure that it still contains 32 characters.
4. Under the Syslog tab, configure the following parameters:
   • Select the Enabled check box to enable syslog collection.
   • In the Address field, provide the address to use to collect the syslog data.
   • In the Log Verbosity drop-down list, select the required option. The available options are:
     • Error
     • Warning
     • Info
     • Debug
5. Under the E-mail tab, configure the following parameters:
   • Select the Enabled check box to enable the e-mail functionality.
   • In the Host field, enter the hostname.
   • In the Port field, select the required port number.
   • In the Username field, enter the username.
   • In the Password field, enter the password.
   • In the From Address field, enter the From address.
   • In the To Address field, enter the To address.
   • Select the Use TLS check box.
6. Under the Auto-upgrade tab, you can configure the following parameters:
   • To automatically upgrade the spotlight secure connector once a week, select the Weekly Auto-upgrade check box.
   • From the Day of the Week drop-down list, select the required day to perform the automatic upgrade.
   • From the Time of the Day drop-down list, select the time.
7. Click Save to save the spotlight secure connector settings.
Uploading Trusted Server CAs
To upload the trusted server CA certificates:
1. Select Security Intelligence > Spotlight Secure Connectors.
   The Spotlight Secure Connectors landing page appears, listing the existing spotlight secure connectors.
2. Click the Trusted Server CAs icon.
   The Trusted Server CAs page appears, listing the already uploaded certificates.
3. To upload a new certificate, click the plus sign (+).
   The Upload Trusted Server CA Certificate pop-up window appears.
4. To select the certificate file to upload, click Select file.
5. To upload the certificate files, click Upload.
Associating Devices to Spotlight Secure Connectors
To associate a device with a spotlight secure connector:
1. Select Security Intelligence > Spotlight Secure Connectors.
   The Spotlight Secure Connectors landing page appears, listing the existing spotlight secure connectors.
2. Right-click the spotlight secure connector, or, from Actions, select Associate Devices.
   The Device Association page appears.
3. Select the required devices from the Available column, and move them to the Selected column.
   If you assign an SRX550 or SRX650 device, a message about memory optimization appears, as shown in Figure 33 on page 42.
Figure 33: Confirm Device Association
4. To associate the selected devices with the spotlight secure connector, click Save.
When a device is associated with a spotlight secure connector or disassociated from one, a job is created in Security Director to push the spotlight secure connector configuration information to the device.
You can view the associated devices on the Spotlight Secure Connectors landing page. Click the Associated Devices column for the respective spotlight secure connector, and all the devices are listed, as shown in Figure 34 on page 43.
Figure 34: Connector-Device List
You can view the feed update status of a security device. Select the required device and click Feed Update Status. A window appears showing the feed status of the device, as shown in Figure 35 on page 43.
Figure 35: Security Device Feed Status
You can update the feed to any listed device. Select the required security device, and click the Update Feed option at the bottom of the Device List page, as shown in Figure 34 on page 43.
A job window appears showing the status of the feed update. Click View under the Message column to view the feed update message.
Updating Spotlight Secure Connector Configuration
If the configuration of a spotlight secure connector is out of sync with Security Director, the administrator can push the latest configuration to the spotlight secure connector.
To update the configuration:
1. Select Security Intelligence > Spotlight Secure Connectors.
   The Spotlight Secure Connectors landing page appears, listing the existing spotlight secure connectors.
2. Right-click the spotlight secure connector, or, from Actions, select Update Spotlight Secure Connector Configuration.
   A confirmation message appears; confirm the update.
3. Click Continue.
   The Job Details page appears, showing the spotlight secure connector update details.
4. In the Message column, click View to view the spotlight secure connector configuration.
When the Device Connector Auth Token changes, both the Update Connector job and the Update Connector Settings to Device job begin. The latter job updates only the auth token on the device.
Deleting Spotlight Secure Connectors
To delete a spotlight secure connector:
1. Select Security Intelligence > Spotlight Secure Connectors.
   The Spotlight Secure Connectors landing page appears, listing the existing spotlight secure connectors.
2. Right-click the spotlight secure connector and select Delete Spotlight Secure Connector, or click the minus sign (-).
3. You cannot delete a spotlight secure connector directly from the Security Intelligence workspace. A pop-up window appears to enable you to delete the spotlight secure connector.
4. Go to Network Management Platform > Administration > Fabric. Select the required node, and click the minus sign (-).
5. The spotlight secure connector is deleted.
Viewing Spotlight Secure Connector Feed Status
To view the feed status of a spotlight secure connector:
1. Select Security Intelligence > Spotlight Secure Connectors.
   The Spotlight Secure Connectors landing page appears, listing the existing spotlight secure connectors.
2. Click the Feed Status column for the required spotlight secure connector.
   A Feed Status page appears showing the feed name, last updated time, and the last updated status, as shown in Figure 36 on page 45.
Figure 36: Spotlight Secure Connector Feed Status
3. To close the window, click Done.
Upgrading Spotlight Secure Connector Software or Package
To upgrade to a new spotlight secure connector software package, use one of the following options:
1. Enable the auto-upgrade option for the spotlight secure connector. Ensure that the spotlight secure connector has connectivity to the spotlight secure connector software repository.
2. If a spotlight secure connector does not have the latest software version and has connectivity to the spotlight secure connector software package, the administrator can upgrade the spotlight secure connector from the update link on the spotlight secure connector listing page.
3. If the options in Step 1 and Step 2 are not available, the administrator can upload the software image and apply it to spotlight secure connectors for upgrade. In the first release, the administrator must SCP the upgrade package to the spotlight secure connector VMs and invoke the upgrade process by executing a set of specific commands. An active Internet connection is required because the command downloads the latest spotlight secure connector release from the Juniper Networks cloud package server.
Related Documentation
• Creating a Spotlight Secure Connector
Creating a Backup or Restoring the Connector Settings
You can create a backup of the connector configuration and restore the connector settings.
To create a backup:
1. Select Security Intelligence > Backup/Restore.
   The Backup/Restore page appears, listing the current versions.
2. To create a backup of the connector configuration, click the plus sign (+).
   The Backup Connector Setting page appears.
3. In the Description field, enter a description of the new version.
4. Click Backup.
5. The Snapshot Policy page appears, showing the status of the backup. Click Close.
   A new version is created and listed on the Backup/Restore page.
To restore the connector configuration:
1. On the Backup/Restore page, select a version and right-click, or, from Actions, select Restore.
   The Connector Settings - Restore Summary page appears. This page shows a summary of the connector settings before you restore the configuration.
2. Click Restore.
   The selected version is rolled back to the previous version, and the Rollback Policy page lists a summary of the rollback.
3. To view the summary of the rolled-back version, click Summary Report.
You can also delete the versions.
Related Documentation
• Security Intelligence Overview
PART 3
Configuring Spotlight Secure Connector in Security Director
• Configuring Spotlight Secure Connector Information Source on page 49
• Spotlight Secure Connector Profiles and Policies Overview on page 65
• Applying Spotlight Secure to Security Rules on page 79
• Examples on page 89
CHAPTER 4
Configuring Spotlight Secure Connector Information Source
• Spotlight Secure Connector Information Source Overview on page 49
• Information Source Update Interval on page 60
• Creating an Information Source on page 60
• Managing Information Sources on page 62
Spotlight Secure Connector Information Source Overview
The first step in configuring the connector is to set up your data feeds or information sources. Spotlight Secure Connector supports three information sources:
• Custom files
• Spotlight Cloud
• WebApp Secure
The following data categories can be obtained from one or more of the information sources.
Information Source    Data Feed
Custom files          Whitelists and blacklists
Spotlight Cloud       GeoIP, C&C
WebApp Secure         WebApp Secure threats
• Whitelists and Blacklists on page 50
• Geolocation IP Address on page 52
• Command and Control Lists on page 54
• WebApp Secure Threats on page 56
• About Custom Address Lists on page 58
• Feed Status on page 59
Whitelists and Blacklists
Generally speaking, a whitelist is simply a list of known IP addresses that you trust, and a blacklist is a list of IP addresses that you don't trust. See Example Blacklist on page 50. Depending on your requirements, you can set up the connector either to allow what's on the whitelist and prevent everything else, or to prevent what's on the blacklist and allow everything else. You can create your own list or obtain a list from a third-party vendor.
Example Blacklist
239.102.121.28
10.39.38.38-10.39.134.41
140.156.140.116
10.101.88.97-10.101.153.218
48.36.103.130/28
39.187.114.224/14
6.30.10.43/2
233.194.172.81
99.139.153.226
10.169.130.35-10.169.178.129
10.83.5.148-10.83.28.167
10.183.194.58-10.183.210.220
96.15.111.63
10.23.57.20-10.23.97.40
156.79.137.86
99.188.94.107/32
55.96.230.38
These lists can be stored locally on a system or posted on a webserver. See
Figure 37 on page 51. Spotlight Secure Connector periodically polls the webserver and
dynamically updates the security device with the addresses. Or, the list can be assigned
to a dynamic address group and used for source or destination match in the security
policy.
Whitelists and blacklists must be an ASCII text file with each entry on a separate line.
See Example Blacklist on page 50.
Figure 37: Using the Custom File Source for Whitelists and Blacklists
With this release, Spotlight Secure Connector supports only the IP record format.
The IP record format can be any of the following:
• IP Address—Supports only IPv4 addresses with this release; for example, 172.16.254.1.
• IP Range—IP addresses can also be given as a range; for example, 172.16.0.0 – 172.31.255.255 or 122.140.201-205.*
• CIDR—Classless Interdomain Routing (CIDR) notation specifies an IP address and its associated routing prefix; for example, 192.168.0.1.0/24.
Once created, you can add your list to the Global Whitelist or Global Blacklist profile. See Figure 38 on page 52. You can also use these lists in dynamic address groups.
Figure 38: Creating a Global Blacklist Profile
Geolocation IP Address
Geolocation software uses the IP address to determine a person's geographic location by identifying what country or organization is assigned to that IP address. This technology is widely used by several industries, such as banking, travel, and health care, for preventing fraud, serving targeted marketing content, and other functions.
With Security Intelligence, you can use geolocation IP (GeoIP) addresses to allow or deny traffic to or from a particular geographic region. GeoIP feeds are created with dynamic address groups or from the Spotlight Cloud. You can create a list of allowed countries or a list of countries to exclude with dynamic address groups. See Figure 39 on page 53.
Figure 39: Creating a GeoIP Dynamic Address Group
You can create only one Spotlight Cloud information source. Once created, all available
Spotlight Cloud feeds are automatically downloaded to the connector for use. See
Figure 40 on page 53.
Figure 40: Example of the Spotlight Cloud Information Source
Unlike static address groups where you specify the host’s network address, dynamic
address groups let you define fields or tags as identifiers. With dynamic address groups
you can add or remove hosts in the list without having to reconfigure the security device.
Command and Control Lists
A bot, also called a web robot, is a program that runs automated tasks over the Internet. After a computer is taken over by a bot, it can steal personal information, send spam e-mail, launch distributed denial of service (DDoS) attacks, and perform other malicious actions. Bots are usually part of a collection of infected computers, ranging from a few computers to several thousand, called a botnet. Botnets are controlled by a central system called the Command and Control (C&C) server.
With Security Intelligence, the SRX Series device can mitigate traffic when an infected device attempts to contact a known C&C server, by comparing the traffic against IP address and URL feeds. See Figure 41 on page 54.
Figure 41: Security Intelligence and Infected Host Detection
You can download C&C feeds only from the Spotlight Cloud. You cannot create your
own C&C feed, but you can create custom blacklists to block specific IP addresses or
URLs. Once you create a Spotlight Cloud information source, all Spotlight Cloud feeds
are automatically downloaded to the connector for use. See Figure 42 on page 55.
Figure 42: Specifying the C&C Source in Security Director
Then you can create a profile and policy to mitigate C&C threats. See Figure 43 on page 56.
You can also use C&C lists in dynamic address groups.
Figure 43: Creating a C&C Profile in Security Director
WebApp Secure Threats
Once an attacker is identified and fingerprinted on a subscriber’s network using WebApp
Secure, the attacker profile is shared with other subscribers, providing a real-time security
solution. This approach provides better accuracy when compared with IP-based reputation
feeds. See Figure 44 on page 57.
Figure 44: Example WebApp Secure Deployment
Figure 45 on page 58 shows the dialog box for adding a WebApp Secure information
source. Note that you must also configure the WebApp Secure device with the same
information.
Figure 45: Creating a WebApp Secure Information Source
The group name lets you push feeds to multiple WebApp Secure devices (all devices with the same group name receive the same feed). In the example in Figure 46 on page 58, connector 1 pushes feeds to WebApp Secure 1 through 4. WebApp Secure 1 and WebApp Secure 2 receive the same feeds because they share the same group name. WebApp Secure 3 and WebApp Secure 4 receive the same feeds because they share the same group name, but receive different feeds than WebApp Secure 1 and WebApp Secure 2 because they are in a different group.
Figure 46: Group Names Receive the Same Feeds
About Custom Address Lists
When you import a list, either from your local system or from a server, it is categorized
as a Custom Address List feed. See Figure 47 on page 59. At this point, Security Intelligence
does not know whether this is a whitelist, a blacklist or to be used as a dynamic address
group.
Figure 47: Custom Address List Feed Category
If you configure a custom address feed as a blacklist or a whitelist, it becomes a Security Intelligence policy. If you configure it as a dynamic address group, it becomes a firewall policy. This allows flexibility for creating rules. For example, suppose you have a GeoIP dynamic address group set up as a firewall policy to block a region. However, there are certain IP addresses within that region that you want to allow. You can create a whitelist and add it as a Security Intelligence policy to that firewall rule to allow those specific IP addresses.
Note that Spotlight Secure policies have priority over firewall policies and the source priorities (in decreasing order) are as follows:
• whitelist
• blacklist
• C&C
• GeoIP
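The three IP record forms described under Whitelists and Blacklists and the source priority order just listed, as an added Python example (not Juniper's code): it parses a custom whitelist or blacklist file into matchers, reports malformed lines instead of silently dropping them, and returns the highest-priority source that contains a given address. The Record class, the PRIORITY tuple and the sample lists are constructed for this example and do not come from the guide or the product.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A dashed range is two full dotted-quad addresses separated by "-" (or the en dash
# the guide prints); anything else containing "-" or "*" is per-octet notation.
_DASHED_RANGE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s*[-\u2013]\s*(\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass
class Record:
    """One list entry: an inclusive integer range, or four per-octet (low, high) pairs."""
    text: str
    lo: int = 0
    hi: int = 0
    octets: Optional[Tuple[Tuple[int, int], ...]] = None

    def contains(self, ip: str) -> bool:
        if self.octets is not None:  # wildcard form is matched octet by octet
            parts = [int(p) for p in ip.split(".")]
            return all(lo <= p <= hi for p, (lo, hi) in zip(parts, self.octets))
        return self.lo <= int(ipaddress.IPv4Address(ip)) <= self.hi


def _octet_range(part: str) -> Tuple[int, int]:
    """'*' -> (0, 255); '201-205' -> (201, 205); '140' -> (140, 140)."""
    if part == "*":
        return 0, 255
    lo, _, hi = part.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"octet out of range: {part!r}")
    return lo_i, hi_i


def parse_record(line: str) -> Record:
    """Parse one entry in any of the three IP record forms the guide lists."""
    text = line.strip()
    if "/" in text:  # CIDR, e.g. 48.36.103.130/28; host bits are masked off
        net = ipaddress.IPv4Network(text, strict=False)
        return Record(text, int(net[0]), int(net[-1]))
    m = _DASHED_RANGE.match(text)
    if m:  # range between two addresses, e.g. 172.16.0.0 - 172.31.255.255
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.groups())
        if lo > hi:
            raise ValueError(f"range start is after its end: {text!r}")
        return Record(text, lo, hi)
    if "*" in text or "-" in text:  # per-octet form, e.g. 122.140.201-205.*
        parts = text.split(".")
        if len(parts) != 4:
            raise ValueError(f"expected four octets: {text!r}")
        return Record(text, octets=tuple(_octet_range(p) for p in parts))
    addr = int(ipaddress.IPv4Address(text))  # single address; IPv6 is rejected
    return Record(text, addr, addr)


def parse_list(contents: str) -> Tuple[List[Record], List[str]]:
    """Parse a whole file (one entry per line); bad lines are reported, not dropped."""
    records, errors = [], []
    for n, raw in enumerate(contents.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            records.append(parse_record(raw))
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
    return records, errors


# Source priority in decreasing order, as the guide gives it.
PRIORITY = ("whitelist", "blacklist", "C&C", "GeoIP")


def classify(ip: str, sources: Dict[str, List[Record]]) -> str:
    """Return the highest-priority source whose list contains ip, or 'none'."""
    for name in PRIORITY:
        if any(rec.contains(ip) for rec in sources.get(name, [])):
            return name
    return "none"


# Constructed sample lists (not real feeds) written in the guide's record formats.
SAMPLE_LISTS = {
    "whitelist": "10.0.0.0/8\n",
    "blacklist": "10.39.38.38-10.39.134.41\n99.188.94.107/32\n",
    "C&C": "122.140.201-205.*\n",
    "GeoIP": "172.16.0.0 \u2013 172.31.255.255\n203.0.113.0/24\n",
}


def build_sources(lists: Dict[str, str] = SAMPLE_LISTS) -> Dict[str, List[Record]]:
    """Parse every list; refuse to build a policy from a file with malformed lines."""
    sources = {}
    for name, contents in lists.items():
        records, errors = parse_list(contents)
        if errors:
            raise ValueError(f"{name}: " + "; ".join(errors))
        sources[name] = records
    return sources
```

Running classify("10.39.100.1", build_sources()) returns "whitelist" even though the address also sits inside the blacklist range, which is the precedence the text describes.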
Feed Status
The feed status page indicates the feed’s current state on the SRX Series device. The
Detailed Status column shows the feed status. Values are pending, storing, and store
succeeded. If the status is store succeeded, then the feed is active on the SRX Series
device and the Last Update Time column shows when the feed was successfully
downloaded to the SRX Series device.
Figure 48: Feed Status Information
Information Source Update Interval
Spotlight Secure Connector is not a push-enabled application. Instead, it relies on its clients, like the SRX Series device, to query the connector for updates to information sources. See Table 4 on page 60.
Table 4: SRX Series Device Update Interval Time for Information Sources
Information Source     Update Interval
Command and Control    30 minutes
GeoIP                  7 days
Custom file            15 minutes
When using the Custom File Server to add an information source, you can specify the interval for polling the server. Custom file information sources are pushed to the connector immediately after being uploaded to Security Director.
Related Documentation
• Spotlight Secure Connector Information Source Overview on page 49
Creating an Information Source
To create an information source:
1. Select Security Director > Security Intelligence.
   The landing page appears, showing the feed status of connectors and devices.
2. Under Security Intelligence, in the left pane, select Information Sources.
   The Information Sources landing page appears, as shown in Figure 49 on page 61.
Figure 49: Information Sources Landing Page
3. To create a new information source, click the plus sign (+).
   The Add Information Source page appears, as shown in Figure 50 on page 61.
Figure 50: Add Information Source
4. From the Source drop-down list, select the required source. The following sources are available:
   • Spotlight Intelligence Cloud
   • WebApp Secure
   • Custom File Upload
   • Custom File Server
   The Spotlight Intelligence Cloud option is available only if an information source of the Spotlight Intelligence Cloud type is not already defined. If the administrator has already created an information source of this type, the Spotlight Intelligence Cloud option is not shown on subsequent Add Information Source screens.
5. If you select WebApp Secure as the source, configure the following parameters:
   • In the Group Name field, enter the name of the information source.
   • In the Description field, enter a description of the information source.
   If you select Custom File Upload as the source, configure the following parameters:
   • In the Name field, enter the name of the information source.
   • In the Description field, enter a description of the information source.
   • To upload the custom file, click Browse....
   You can click View sample file to view the sample custom file.
   If you select Custom File Server as the source, configure the following parameters:
   • In the Group Name field, enter the name of the information source.
   • In the Description field, enter a description of the information source.
   • In the Address field, enter the address of the custom file server.
   • In the Username field, enter the username for that server.
   • In the Password field, enter the password.
   • From the Update Interval drop-down list, select the frequency of the update.
6. To create the new information source, click Create.
Once you create, update, or delete an information source, you must push the configuration to all the connected connectors.
Related Documentation
• Managing Information Sources on page 62
Managing Information Sources
To open the Information Sources page:
• Select Security Intelligence > Information Sources.
  The Information Sources landing page appears, listing the existing sources.
• Right-click the information source to manage it, or select the required options from Actions.
You can perform the following management tasks on the Information Sources page:
• Modifying an Information Source on page 63
• Deleting an Information Source on page 63
• Updating Feeds to Connectors on page 63
Modifying an Information Source
To modify an existing information source:
1. Select Security Intelligence > Information Sources.
   The Information Sources landing page appears.
2. Select the source and click the pencil icon to modify it.
   The Modify Information Source page appears.
3. Modify the required fields, and click Modify.
Deleting an Information Source
To delete an information source:
1. Select Security Intelligence > Information Sources.
   The Information Sources landing page appears.
2. Select the source, and click the minus sign (-).
   A confirmation window appears before the source is deleted.
3. To delete the source, click Delete.
Updating Feeds to Connectors
To update a feed to the connectors:
1. Select Security Intelligence > Information Sources.
   The Information Sources landing page appears.
2. Select a source that has Spotlight Intelligence Cloud or Custom File Server as the source and right-click, or, from Actions, select Update Feeds Now.
   All the connectors receive the feeds from the information sources based on the update interval for the feed category. You can use this option to get the feeds immediately.
3. A job is created; use it to view the status of the feed update.
Related Documentation
• Creating an Information Source on page 60
CHAPTER 5
Spotlight Secure Connector Profiles and Policies Overview
• Spotlight Secure Connector Profile Overview on page 65
• Creating Security Intelligence Profiles on page 70
• Managing Security Intelligence Profiles on page 73
• Spotlight Secure Connector Policy Overview on page 74
• Creating Security Intelligence Policies on page 76
• Managing Security Intelligence Policies on page 77
Spotlight Secure Connector Profile Overview
Spotlight Secure Connector profiles are configured on the Security Intelligence > Profiles page. See Figure 51 on page 66. Profiles define the actions to take for a specific data feed and for a specific threat level.
Figure 51: Example Spotlight Secure Connector Profiles
By default, a global whitelist and global blacklist are provided.
Whitelists and blacklists have higher priority than other Spotlight Secure profiles and are evaluated first in security rules.
About Threat Levels
Every attacker is assigned a name, and each incident is recorded along with a threat level based on the attacker's intent and skill. The severity of the alert matches the threat level; higher severity attacks result in a higher threat level. Spotlight Secure Connector defines default actions, but you can customize at what threat level to start logging events and the action to take (permit, reject, redirect) per threat level when creating the profile. See Figure 52 on page 67.
Figure 52: Threat Level Settings
Spotlight Secure Connector uses a scale of 1 (most aggressive) to 10 (least aggressive) to define the action to take depending on the threat level. When you set the threat level, attacks with threat numbers equal to or higher than the selected level are blocked. For example, if you set the threat level to 4, all threat levels with a score of 4 and higher are blocked. A more aggressive threat level blocks more traffic but also creates more false positives. When you move the slider, the graphs show a general representation of the likelihood of false positives and your security level. The default setting is threat level 6.
As part of the overall Spotlight Secure solution, WebApp Secure sends information on malicious cookies and IP addresses to Spotlight Secure Connector. WebApp Secure also recommends a threat level for the session cookie or IP address, based on a set of criteria, including how malicious the associated attacker is deemed to be. Note that not all sessions are sent to the connector; only those marked as malicious are.
Table 5: Mapping WebApp Secure Threat Levels to Spotlight Secure Connector Threat Levels
WebApp Secure Threat Level: Low
Spotlight Secure Connector Threat Level: 4-5
Description: Low threat levels incorporate IP addresses and hosts where the threat is not as severe, the malicious activity has not been seen for a long period of time, or there is evidence of both malicious and non-malicious activity on the same host. For example, requesting server configuration files, non-standard HTTP requests, attempting to locate files not linked by the web server.

WebApp Secure Threat Level: Medium
Spotlight Secure Connector Threat Level: 6-7
Description: Medium threat levels represent a moderate threat and are unlikely to be non-malicious. For example, tampering with cookies, attempting to defeat tracking techniques, manipulating honeypot code.

WebApp Secure Threat Level: High
Spotlight Secure Connector Threat Level: 8-10
Description: High threat levels represent severe threats at a very high level of certainty. For example, attempting to crack passwords, session spoofing attacks, attempting to defeat WebApp Secure counter-responses.

To view session cookies and locations sent to the connector, in the WebApp Secure Web UI, navigate to Juniper Spotlight > Spotlight Connector. There you will find a Session Cookies tab and a Locations tab. See Figure 53 on page 69.
Figure 53: Spotlight Secure Connector Session Cookies in WebApp Secure
Verifying Profiles on the SRX Series Device
Use the show configuration CLI command or the Device Configuration View in Network Management Platform to verify that profiles are pushed to the SRX Series device. A profile section is created as shown in the following example.
profile JWAS-Fingerprints {
    category JWAS;
    rule Rule-1 {
        match {
            threat-level [1 2 3 4 5 6 7 8 9 10];
        }
        then {
            action {
                recommended;
            }
            log;
        }
    }
}
In the example above, a profile named JWAS-Fingerprints now resides on the SRX Series device and uses the default recommended actions.
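The threshold semantics from About Threat Levels, the band mapping in Table 5, and the threat-level match line in the profile stanza above, as an added Python example (not Juniper's code): it derives the list of blocked levels for a Blocking Threshold, decides block/permit and whether an event is logged under each Logging choice, and checks a WebApp Secure recommended level against its Table 5 band. The Profile class, its field and mode names, and the sample events are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Table 5 in the guide: each WebApp Secure category maps to a band of connector levels.
WAS_LEVELS: Dict[str, range] = {"Low": range(4, 6), "Medium": range(6, 8), "High": range(8, 11)}

DEFAULT_THRESHOLD = 6  # the guide's default blocking threshold

# The three Logging choices on the profile page (mode names are this example's own).
LOGGING_MODES = ("blocked-only", "all", "none")


@dataclass
class Profile:
    """A Device Fingerprint profile reduced to the two settings the text explains."""
    name: str
    threshold: int = DEFAULT_THRESHOLD  # levels >= threshold are blocked; 1 is most aggressive
    logging: str = "blocked-only"

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= 10:
            raise ValueError("blocking threshold must be on the 1..10 scale")
        if self.logging not in LOGGING_MODES:
            raise ValueError(f"unknown logging mode {self.logging!r}")

    def blocked_levels(self) -> List[int]:
        """Every level the threshold blocks: the selected level and all higher ones."""
        return [lvl for lvl in range(1, 11) if lvl >= self.threshold]

    def threat_level_match(self) -> str:
        """The match line in the form it takes in the pushed SRX profile stanza."""
        return "threat-level [" + " ".join(str(lvl) for lvl in self.blocked_levels()) + "];"

    def decide(self, level: int) -> Tuple[str, bool]:
        """(action, logged) for one event reported at the given connector threat level."""
        if not 1 <= level <= 10:
            raise ValueError("threat level must be 1..10")
        blocked = level >= self.threshold
        action = "block" if blocked else "permit"
        logged = self.logging == "all" or (self.logging == "blocked-only" and blocked)
        return action, logged

    def coverage(self) -> Dict[str, str]:
        """Per WebApp Secure category: whether 'all', 'part' or 'none' of its band is blocked."""
        out = {}
        for category, band in WAS_LEVELS.items():
            n = sum(1 for lvl in band if lvl >= self.threshold)
            out[category] = "all" if n == len(band) else ("none" if n == 0 else "part")
        return out


def level_fits_category(category: str, level: int) -> bool:
    """True if the level WebApp Secure recommends lies in the band Table 5 gives its category."""
    return level in WAS_LEVELS.get(category, range(0))


# Constructed sample of malicious sessions as WebApp Secure would report them:
# (category, recommended connector level). Not real data.
SAMPLE_EVENTS = [("Low", 4), ("Low", 5), ("Medium", 6), ("Medium", 7), ("High", 9), ("High", 10)]


def blocked_count(profile: Profile, events=SAMPLE_EVENTS) -> int:
    """How many sample events the profile blocks; a lower threshold blocks more."""
    return sum(1 for _, lvl in events if profile.decide(lvl)[0] == "block")


if __name__ == "__main__":
    for t in (4, DEFAULT_THRESHOLD, 8):
        p = Profile("JWAS-Fingerprints", threshold=t)
        print(t, p.threat_level_match(), p.coverage(), blocked_count(p))
```

With the default threshold of 6, the whole Low band (4-5) is permitted and the Medium and High bands are blocked, which is the trade-off between coverage and false positives the slider graphs illustrate.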
Related Documentation
• Using Spotlight Secure Connector Policies in Security Rules on page 79
• Example: Pushing a Whitelist, Blacklist, C&C, and GeoIP to a Security Device on page 89
Creating Security Intelligence Profiles
To create a profile:
1. Select Security Director > Security Intelligence > Profiles.
   The Profiles page appears, listing the existing profiles, as shown in Figure 54 on page 70.
Figure 54: Profiles Page
2. To create a new Security Intelligence profile, click the plus sign (+).
   The Create Security Intelligence Profile page appears, as shown in Figure 55 on page 71.
Figure 55: Create Security Intelligence Profile Page
3. In the Name field, enter the name of the profile.
4. In the Description field, enter a description of the profile.
5. From the Feed Category drop-down list, select the required feed category.
   The available categories are Device Fingerprint and Command & Control. By default, the feed category is set to Device Fingerprint.
6. Set the Blocking Threshold field either to the recommended values or to your own parameters.
   Recommended actions provide the best balance between increased security and reduced false positives. They dynamically block malicious or highly suspicious traffic based on the most current threat assessment provided through the dynamic feed.
7. If the feed category is Device Fingerprint:
   • The recommended action for all the blocked traffic under Block Options is Close connection (recommended). When closing the HTTP traffic, the recommended action is not to send any message to the user.
   • The recommended action for log events under Logging is Log all traffic (recommended).
You can customize the data to block traffic based on the threat score, as shown in
Figure 56 on page 72.
Figure 56: Create Security Intelligence Profile-Custom Values
Under Blocking Options, you can customize the following action to be taken for all
the closed HTTP traffic:
• No Message
• Default Message
• Redirect URL
• Custom Message
Under the Logging section, you can customize the following log events:
• Log only blocked traffic
• Log all traffic (not recommended)
• Don’t log any traffic
8. If the feed category is Command & Control:
• Under the Block Options, the recommended action for all the blocked traffic is Log
all traffic (recommended).
• Under the Logging section, the recommended action is Log only blocked traffic.
You can customize Blocking Options and Logging fields to the required values.
9. Click Create.
A new profile is created and added to the Profiles page.
NOTE:
• On the Profiles page, the Global Black List and Global White List profiles
are created by default.
• The Security Intelligence profiles can be assigned only to the firewall
policies.
Related Documentation
• Managing Security Intelligence Profiles on page 73
Managing Security Intelligence Profiles
You can modify and delete the profiles that are listed on the Profiles main page.
To open the Profiles page:
• Select Security Director > Security Intelligence > Profiles.
The Profiles page appears, listing the existing profiles.
• Right-click a profile to manage it.
You can perform the following management tasks on the Profiles page:
• Modifying a Security Intelligence Profile on page 73
• Deleting a Security Intelligence Profile on page 74
• Modifying a Global White List or Global Black List on page 74
Modifying a Security Intelligence Profile
To modify a profile:
1. Select Security Director > Security Intelligence > Profiles.
The Profiles page appears, listing the existing profiles.
2. Select the profile that you want to modify, and click the pencil icon or right-click and
select Modify Security Intelligence Profile.
The Modify Security Intelligence Profile page appears.
3. On the Modify Security Intelligence Profile page you can modify the name, description,
actions, and threat levels for the Custom Actions.
4. To modify the profile, click Modify.
Deleting a Security Intelligence Profile
To delete a profile:
1. Select Security Director > Security Intelligence > Profiles.
The Profiles page appears, listing the existing profiles.
2. Select the profile that you want to delete, and click the minus sign or right-click and
select the Delete Security Intelligence Profile(s) option. A confirmation window appears
before you can delete the profile.
3. To delete the profile, click Delete.
You can delete more than one profile at a time.
Modifying a Global White List or Global Black List
To modify a global white list or a black list:
1. Select Security Director > Security Intelligence > Profiles.
The Profiles page appears, listing the existing profiles.
2. Select Global White List or Global Black List, right-click and select Modify Security
Intelligence Profile.
The Modify Intelligence Profile window appears for a particular list.
3. Select the custom addresses available from the Available Address Lists. The Custom
Address List feed category is assigned to these profiles.
Related Documentation
• Creating Security Intelligence Profiles on page 70
Spotlight Secure Connector Policy Overview
Policies enforce a set of rules for transit traffic, identifying which traffic can pass through
the security device and the actions taken on the traffic as it passes through the security
device. With Spotlight Secure Connector, you can include one or more profiles in a policy
and apply them across multiple security rules. See Figure 57 on page 75. If you want to
test a different profile, you can modify it and it will apply across all your security rules
where you have referenced this policy.
Figure 57: Example Spotlight Secure Connector Policies
To verify the profiles on an SRX Series device, use the show configuration CLI command
or the Device Configuration View in Network Management Platform. A policy section is
added as shown in the following example.
policy SecIntel-Policy1 {
    CC {
        Command_and_Control;
    }
    JWAS {
        JWAS-Fingerprints;
    }
}
In the above example, a policy named SecIntel-Policy1 exists and contains C&C and JWAS
profiles.
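A practitioner verifying a push usually wants a repeatable check rather than a visual scan of the CLI output. The following Python script is an added example, not code from the guide or from Juniper; it parses the curly-brace policy block shown above (embedded here as a constructed string, exactly as the guide prints it) into a nested dictionary and reports any expected profile that is missing from the pushed configuration. The function names, the tokenizer, and the expected-profile list are this example's own assumptions.

```python
"""Parse a Junos-style curly-brace policy block and confirm the profiles it
references. Added example, not from the Juniper guide or from Junos OS."""
import re

# Constructed sample: the SecIntel-Policy1 section as the guide shows it in
# `show configuration` output after Security Director pushes the policy.
SAMPLE_CONFIG = """
policy SecIntel-Policy1 {
    CC {
        Command_and_Control;
    }
    JWAS {
        JWAS-Fingerprints;
    }
}
"""

# Tokens: opening brace, closing brace, statement terminator, or a bare word.
TOKEN = re.compile(r'\{|\}|;|[^\s{};]+')


def parse_block(text):
    """Turn nested `name { ... }` blocks and `leaf;` statements into a dict.

    A block becomes a dict keyed by its header words joined with spaces;
    a leaf statement becomes a key whose value is None.
    """
    tokens = TOKEN.findall(text)
    pos = 0

    def parse_body():
        nonlocal pos
        body = {}
        words = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == '{':
                body[' '.join(words)] = parse_body()
                words = []
            elif tok == ';':
                body[' '.join(words)] = None
                words = []
            elif tok == '}':
                return body
            else:
                words.append(tok)
        if words:
            raise ValueError('unterminated statement: ' + ' '.join(words))
        return body

    return parse_body()


def secintel_profiles(config_text):
    """Map each `policy <name>` block to {feed category: [profile names]}."""
    tree = parse_block(config_text)
    result = {}
    for header, body in tree.items():
        parts = header.split()
        if len(parts) == 2 and parts[0] == 'policy' and isinstance(body, dict):
            result[parts[1]] = {cat: sorted(profiles.keys())
                                for cat, profiles in body.items()
                                if isinstance(profiles, dict)}
    return result


def missing_profiles(config_text, policy, expected):
    """Return the (category, profile) pairs expected on the device but absent
    from the pushed configuration; an empty list means the push is complete."""
    found = secintel_profiles(config_text).get(policy, {})
    return [(cat, prof) for cat, prof in expected
            if prof not in found.get(cat, [])]


if __name__ == '__main__':
    # Expected profiles are an assumption for this example.
    wanted = [('CC', 'Command_and_Control'), ('JWAS', 'JWAS-Fingerprints')]
    print(secintel_profiles(SAMPLE_CONFIG))
    print('missing:', missing_profiles(SAMPLE_CONFIG, 'SecIntel-Policy1', wanted))
```

In practice you would paste the relevant section of the `show configuration` output (or the text from the Device Configuration View) in place of the constructed sample; the parser only understands the simple block-and-leaf grammar shown on the page, which is enough to confirm that the C&C and JWAS profiles actually reached the device.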
Related Documentation
• Spotlight Secure Connector Profile Overview on page 65
• Example: Pushing a Whitelist, Blacklist, C&C, and GeoIP to a Security Device on page 89
Creating Security Intelligence Policies
To create a policy:
1. Select Security Director > Security Intelligence > Policies.
The Policies page appears, listing all the existing policies, as shown in
Figure 58 on page 76.
Figure 58: Policies Page
2. To create a new Security Intelligence policy, click the plus sign (+).
The Create Policy page appears, as shown in Figure 59 on page 76.
Figure 59: Create Policy Page
3. In the Name field, enter the name of the policy.
4. In the Description field, enter a description of the policy.
5. Under the Profiles section, configure the following profile categories:
• Command & Control
• Device Fingerprint
6. To view and modify the custom address list of the Global White List and Global Black
List profiles, click View.
The Modify Security Intelligence Profile page appears to enable you to view or modify
the profile.
7. Click Create.
A new Security Intelligence policy is created and listed in the Policies page.
Related Documentation
• Managing Security Intelligence Policies on page 77
Managing Security Intelligence Policies
You can modify and delete the policies that are listed on the Policies main page.
To open the Policies page:
• Select Security Director > Security Intelligence > Policies.
The Policies page appears, listing the existing policies.
• Right-click a policy to manage it.
You can perform the following management tasks on the Policies page:
• Modifying a Security Intelligence Policy on page 77
• Deleting a Security Intelligence Policy on page 78
Modifying a Security Intelligence Policy
To modify a policy:
1. Select Security Director > Security Intelligence > Policies.
The Policies page appears, listing the existing policies.
2. Select the policy that you want to modify, and click the pencil icon or right-click and
select Modify Policy.
The Modify Policy page appears.
3. On the Modify Policy page you can modify the name, description, profiles, and custom
address list.
4. To modify the policy, click Modify.
Deleting a Security Intelligence Policy
To delete a policy:
1. Select Security Director > Security Intelligence > Policies.
The Policies page appears, listing the existing policies.
2. Select the policy that you want to delete, and click the minus sign or right-click and
select the Delete Security Intelligence Policy(ies) option. A confirmation window
appears before you can delete the policy.
3. To delete the policy, click Delete.
You can delete more than one policy at a time.
Related Documentation
• Creating Security Intelligence Policies on page 76
CHAPTER 6
Applying Spotlight Secure to Security Rules
• Using Spotlight Secure Connector Policies in Security Rules on page 79
• Dynamic Address Group Overview on page 81
• Creating Dynamic Address Groups on page 85
• Managing Dynamic Address Groups on page 86
Using Spotlight Secure Connector Policies in Security Rules
Once you have defined your policies, you can assign them to a security rule. See
Figure 60 on page 79. The process for adding a Spotlight Secure policy to an SRX Series
device is basically the same as any other policy. See Firewall Policies Overview and Adding
Rules to a Firewall Policy.
Figure 60: Assigning Spotlight Secure Policies to a Security Rule
After the rule is added, you define the action (permit, deny, reject, and so forth) taken on
the traffic as it passes through the security device. See Figure 61 on page 80.
Figure 61: Defining the Rule Action
Use the Security Intelligence column to specify the Spotlight Secure policy to attach to
this rule. See Figure 62 on page 80.
Figure 62: Assigning the Spotlight Secure Policy to the Rule
Finally, publish the policy to the SRX Series device. See Figure 63 on page 81.
Figure 63: Publishing a Rule
You can view what is being published to the security device through the CLI Configuration
window. See Figure 64 on page 81.
Figure 64: Viewing the Policies Pushed to the Security Device
Dynamic Address Group Overview
Manually adding address entries into a policy can be time consuming. There are external
sources that provide lists of IP addresses that have a specific purpose (such as a blacklist)
or that have a common attribute (such as a particular location or behavior that might
pose a threat). The administrator can leverage this external intelligence in the cloud to
identify threat sources by their IP address, then group those addresses into a dynamic
address entry, and reference that entry in a security policy, thereby controlling the traffic
to and from those addresses. Each such group of IP addresses is referred to as a dynamic
address entry.
NOTE: A dynamic address entry is a group of IP addresses, not a single IP
prefix. A dynamic address entry is different from the security address concepts
of address books and address entry addresses.
There are major benefits to deploying dynamic address entries in security policies:
• The network administrator has more control over the traffic to and from groups of IP
addresses.
• The network administrator can leverage the external intelligence (IP address feeds)
that exists in the cloud.
• The external server provides updated IP address feeds to the SRX Series device.
• The administrator’s efforts are dramatically reduced. For example, in a legacy security
policy configuration, adding 1000 address entries for a policy to reference would require
some 2000 lines of configuration. By defining a dynamic address entry and referencing
it in a security policy, up to millions of entries could flow into the SRX Series device
without much additional configuration effort.
• No commit process is required to add new addresses. Adding thousands of addresses
to a configuration through a legacy method takes a long time to commit. Alternatively,
IP addresses in a dynamic address entry come from an external feed, so no commit
process is required when the addresses in an entry change.
Figure 65 on page 83 illustrates a functional overview of how the dynamic address entry
in a security policy works.
Figure 65: Functional Components of the Dynamic Address Entry in a Security Policy
The Spotlight Secure process (daemon) periodically retrieves an IP address feed file or
an update to the file from the external source (or server) and decodes the server data
into a dynamic address entry. A dynamic address entry contains many IP addresses that
share a common purpose or attribute, such as a geographical origin, a threat type, or a
threat level.
A security policy then references the dynamic address entry in a source address or
destination address field (in much the same way that a security policy references a legacy
address entry).
Figure 66 on page 84 illustrates a policy that uses a dynamic address entry in the
Destination-address field.
Figure 66: A Dynamic Address Entry in a Security Policy
In Figure 66 on page 84, Policy 1 uses the destination address 10.10.1.1, which is a legacy
security address entry. Policy 2 uses the destination address Vendor blocklist, which is a
dynamic address entry named by the network administrator. Its content is the list of IP
addresses retrieved from an external feed file. Packets that match all five criteria (the
From-zone named untrust, the To-zone named engineer, any source address, a destination
IP address that belongs to the Vendor blocklist dynamic address entry, and the mail
application) are handled according to the policy actions, which are to deny and log the
packet.
NOTE: The dynamic address entry names share the same name space as
legacy security address entries, so do not use the same name for more than
one entry. The Junos OS commit process checks that names are not
duplicated to avoid a conflict.
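To make the mechanism in Figure 66 concrete, here is an added Python model (this example is not code from the guide or from Junos OS) of the three parts described above: a feed file decoded into a dynamic address entry that may hold single addresses, prefixes and ranges; a legacy address entry beside it in the same name space, where a duplicate name is rejected the way the commit check described in the note rejects it; and a policy lookup that requires all five criteria (from-zone, to-zone, source, destination, application) to match. The feed contents, the legacy entry name `mail-server` for 10.10.1.1, Policy 1's permit action, and all function names are constructed for this example.

```python
"""Model of a dynamic address entry fed from an external list, a legacy
address entry beside it, and the five-criteria policy match of Figure 66.
Added example, not from the Juniper guide or from Junos OS."""
import ipaddress

# Constructed feed file: one entry per line. A dynamic address entry may hold
# single addresses, CIDR prefixes, or ranges, so all three forms appear here.
VENDOR_BLOCKLIST_FEED = """
# vendor blocklist, constructed sample
203.0.113.7
198.51.100.0/24
192.0.2.10-192.0.2.20
"""


def load_feed(text):
    """Decode a feed file into a list of ipaddress networks."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if '-' in line:  # range "lo-hi" becomes the minimal set of prefixes
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split('-', 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class AddressBook:
    """Legacy and dynamic entries share one name space, so a duplicate name is
    rejected here, as the Junos OS commit check does on the device."""

    def __init__(self):
        self.entries = {}

    def add_legacy(self, name, prefix):
        self._add(name, [ipaddress.ip_network(prefix, strict=False)])

    def add_dynamic(self, name, feed_text):
        self._add(name, load_feed(feed_text))

    def _add(self, name, nets):
        if name in self.entries:
            raise ValueError(f'address entry name already in use: {name}')
        self.entries[name] = nets

    def refresh_dynamic(self, name, feed_text):
        """A feed update replaces the entry's contents; no commit is needed."""
        self.entries[name] = load_feed(feed_text)

    def contains(self, name, ip):
        if name == 'any':
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.entries[name])


def evaluate(policies, book, from_zone, to_zone, src, dst, app):
    """Return the action of the first policy whose five criteria all match."""
    for p in policies:
        if (p['from_zone'] == from_zone and p['to_zone'] == to_zone
                and book.contains(p['src'], src)
                and book.contains(p['dst'], dst)
                and p['app'] in ('any', app)):
            return p['action']
    return 'no-match'


def build_example():
    """The two policies of Figure 66; Policy 1's permit action is assumed."""
    book = AddressBook()
    book.add_legacy('mail-server', '10.10.1.1/32')          # legacy entry
    book.add_dynamic('Vendor blocklist', VENDOR_BLOCKLIST_FEED)  # dynamic entry
    policies = [
        {'name': 'Policy 1', 'from_zone': 'untrust', 'to_zone': 'engineer',
         'src': 'any', 'dst': 'mail-server', 'app': 'mail', 'action': 'permit'},
        {'name': 'Policy 2', 'from_zone': 'untrust', 'to_zone': 'engineer',
         'src': 'any', 'dst': 'Vendor blocklist', 'app': 'mail',
         'action': 'deny+log'},
    ]
    return book, policies


if __name__ == '__main__':
    book, policies = build_example()
    print(evaluate(policies, book, 'untrust', 'engineer',
                   '172.16.0.5', '198.51.100.77', 'mail'))
```

The `refresh_dynamic` method is where the operational difference lies: replacing the entry's contents changes what Policy 2 matches without touching the policy itself, which is the "no commit" property the bullet list above describes.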
Dynamic address groups support the following data feeds:
• Custom lists (whitelists and blacklists)
• GeoIP
Figure 67 on page 85 shows the dialog box for creating a dynamic address group in Security
Director.
Figure 67: Creating a Dynamic Address Group
Creating Dynamic Address Groups
A dynamic address is a container for a list of IP addresses propagated from an external
data feed. In Security Director, a firewall policy references it in the same way as a legacy
security address entry. The only difference is that the content (IP addresses, prefixes, or
ranges) of the Dynamic Address Entry (DAE) changes dynamically based on periodic
retrieval of updates from the external feed.
To create a dynamic address group:
1. Select Security Director > Security Intelligence > Dynamic Address Groups.
The Dynamic Address Groups page appears, as shown in Figure 68 on page 85.
Figure 68: Dynamic Address Groups Main Page
2. To create a new dynamic address group, click the plus sign (+).
The Create Dynamic Address Group page appears, as shown in Figure 69 on page 86.
Figure 69: Create Dynamic Address Page
3. In the Name field, enter the name of the dynamic address group.
4. In the Description field, enter a description.
5. From the Feed drop-down list, select the external data feed.
6. Click Create.
A new dynamic address is created. This can be used only in the firewall policy.
Related Documentation
• Managing Dynamic Address Groups on page 86
Managing Dynamic Address Groups
You can modify and delete the dynamic addresses that are listed on the Dynamic Address
Groups main page.
To open the Dynamic Address Groups page:
• Select Security Director > Security Intelligence > Dynamic Address Groups.
The Dynamic Address Groups page appears, listing the existing dynamic addresses.
• Right-click a dynamic address to manage it.
You can perform the following management tasks on the Dynamic Address Groups page:
• Modifying a Dynamic Address Group on page 86
• Deleting an Address from a Dynamic Address Group on page 87
Modifying a Dynamic Address Group
To modify a dynamic address group:
1. Select Security Director > Security Intelligence > Dynamic Address Groups.
The Dynamic Address Groups page appears.
2. Select the dynamic address that you want to modify, and click the pencil icon or
right-click and select Modify SecIntel Dynamic Address.
The Modify Dynamic Address page appears, as shown in Figure 70 on page 87.
Figure 70: Modify Dynamic Address Page
3. On the Modify Dynamic Address page, you can modify the name, description, feed,
and countries list in addition to modifying the dynamic address.
4. Click inside the Countries field, and select the required countries from the drop-down
list.
The IP addresses shown from the countries in the list are included.
5. If you select the Negate Selected Countries option, the IP addresses from all the
countries, except those listed in the Countries field, are included.
6. To modify a dynamic address, click Modify.
Deleting an Address from a Dynamic Address Group
To delete a dynamic address from a dynamic address group:
1. Select Security Director > Security Intelligence > Dynamic Address Groups.
The Dynamic Address Groups page appears.
2. Select the dynamic address that you want to delete, and click the minus sign (-) or
right-click and select the Delete SecIntel Dynamic Addresses option. A confirmation
window appears before you can delete the address.
3. To delete the address, click Delete.
You can delete more than one dynamic address at a time.
Related Documentation
• Creating Dynamic Address Groups on page 85
CHAPTER 7
Examples
• Example: Pushing a Whitelist, Blacklist, C&C, and GeoIP to a Security Device on page 89
Example: Pushing a Whitelist, Blacklist, C&C, and GeoIP to a Security Device
This example describes how to push a whitelist, blacklist, command and control, and
geography IP feed to an SRX Series device. This example assumes that the connector is
already created and is part of the Security Director fabric and that the SRX Series device
is already added as a device to Junos Space Network Management Platform.
• Defining the Information Sources on page 89
• Creating the Profiles on page 92
• Creating the Spotlight Secure Policy on page 95
• Creating the Dynamic Address Groups on page 96
• Associating the SRX Series Device With the Connector on page 98
• Creating the Firewall Policy and Rules on page 98
Defining the Information Sources
The first step is to upload the data feeds into the connector. In this example:
• The blacklist and whitelist are uploaded from a file on the local system.
• The command and control feed comes from the Spotlight Intelligence Cloud.
• The geography IP data, which also comes from the Spotlight Intelligence Cloud, is
configured as a dynamic address group and is described later.
To define the blacklist, whitelist, and command and control information sources:
1. In the Junos Space Security Director Platform user interface, select Security Intelligence
> Spotlight Connectors > Information Sources.
2. Click Add New Information Source.
3. Select Custom File Upload from the Source pull-down menu. Enter
feed_source_blacklist as the name and Feed for blacklist as the description.
4. Click Select File, locate the blacklist source file and click Open. See Figure 71 on page 90.
Figure 71: Defining the Blacklist Information Source
5. Click Create.
6. Click the connector feed status to verify the blacklist file is uploaded to the connector.
See Figure 72 on page 90.
Figure 72: Checking the Feed Status for the Blacklist Update
7. Repeat Steps 2-5 for the whitelist file. The connector feed status shows the blacklist
and whitelist files are both uploaded to the connector. See Figure 73 on page 91.
Figure 73: Defining the Whitelist and Checking the Feed Status
8. Click Add New Information Source.
9. Select Spotlight Intelligence Cloud from the Source pull-down menu. Enter Spotlight
Cloud as the name and click Create. See Figure 74 on page 91.
Figure 74: Adding the Spotlight Intelligence Cloud Information Source
You can create only one Spotlight Intelligence Cloud information source. Once created,
the cloud retrieves all subscribed feeds.
10. Click the connector feed status to make sure the feeds have been uploaded. The
Spotlight Intelligence Cloud adds a cc_ip_data, cc_url_data, and geoip_country feed.
See Figure 72 on page 90.
Figure 75: Checking the Feed Status for Spotlight Intelligence Cloud Information Sources
Creating the Profiles
Next, add our custom whitelist and blacklist to the global whitelist and global blacklist
profiles and create a profile for the command and control feed.
To create the Spotlight Secure profiles:
1. In the Junos Space Security Director Platform user interface, select Security Intelligence
> Spotlight Connectors > Profiles.
By default a Global White List and a Global Black List profile are provided. See
Figure 76 on page 92.
Figure 76: Default Profiles
2. Select the Global Blacklist check box and click Modify Profile.
3. Select feed_source_blacklist and move it to the Black Lists column. See
Figure 77 on page 93.
Figure 77: Adding the Custom Blacklist to the Global Blacklist
4. Click Modify.
View the connector feed status window to verify that the custom blacklist file is
uploaded.
Figure 78: Viewing the Feed Status for the Global Blacklist
5. Select the Global Whitelist check box and click Modify Profile.
6. Select feed_source_whitelist and move it to the White Lists column. See
Figure 73 on page 91.
Note that feed_source_blacklist is not available as an option since it is already used
in the Global Blacklist profile. A file cannot be used for both a whitelist and blacklist
profile.
Figure 79: Adding the Custom Blacklist to the Global Blacklist
7. (optional) Check the connector feed status to verify that the whitelist is uploaded.
8. Click Add New Profile.
9. Enter cc_profile as the name, Command and Control Profile as the description, and
select Command & Control from the Feed Category pull-down menu. In this example,
we will use the default recommended actions for the blocking threshold. See
Figure 80 on page 95.
Figure 80: Creating the Command and Control Profile
10. Click Create.
The Command and Control profile is added to the profiles list. See Figure 81 on page 95.
Figure 81: Command and Control Profile Added to Profile List
Creating the Spotlight Secure Policy
In this section, we will create the security intelligence policy for the command and control
profile. Spotlight Secure policies are added to firewall rules from the Security Intelligence
pull-down menu. See Figure 82 on page 96.
Figure 82: Referencing the Spotlight Secure Policy within the Firewall Rule
To create the Spotlight Secure policy:
1. In the Junos Space Security Director Platform user interface, select Security Intelligence
> Spotlight Connectors > Policies.
2. Click Add New Policy.
3. Enter secintel_policy for the name and Secintel Polcy 1 for the description and select
cc_profile from the Command & Control pull-down menu. See Figure 83 on page 96.
Figure 83: Creating the Command and Control Spotlight Secure Policy
Note that the global whitelist and blacklist are also part of this policy and are pushed
to the SRX Series device along with the command and control information.
4. Click Create.
Creating the Dynamic Address Groups
Next, we will create a dynamic address group for the geography IP address (allowing IP
addresses originating from Argentina) and the blacklist. Note that this is the same blacklist
file pushed in the section above. Normally you do not need to push the same blacklist
again; however, this example shows how to use dynamic address groups to push custom
feeds such as whitelists and blacklists.
To create the dynamic address groups:
1. In the Junos Space Security Director Platform user interface, select Security Intelligence
> Spotlight Connectors > Dynamic Address Group.
2. Enter Argentina_ip_list as the name, GeoIP list of Argentina as the Description, select
GeoIP from the Feed pull-down menu and select Argentina from the Countries list.
See Figure 84 on page 97.
Figure 84: Creating the Geography IP Dynamic Address Group
3. Click Create.
4. In the Junos Space Security Director Platform user interface, select Security Intelligence
> Spotlight Connectors > Dynamic Address Group.
5. Enter to_block as the name, Blacklist ips as the description, and select
feed_source_blacklist from the Feed pull-down menu.
6. Click Create.
Associating the SRX Series Device With the Connector
In this example, the SRX Series device is not yet associated with the connector. This
section describes the association process. You have to do this process only once for each
pairing.
To associate the SRX Series device with the connector:
1. Select the check box next to connector7 and then select Actions > Device Association.
See Figure 85 on page 98.
Figure 85: Choosing the Device Association Command
2. Move guavabert to the Selected table and click Save.
Guavabert is now paired with connector7 and can start receiving data feeds.
Creating the Firewall Policy and Rules
In this section, we will create the firewall policy and then add the following rules:
• Allow IP addresses that originate from Argentina.
• Block IP addresses based on the blacklist information source through dynamic address
groups.
• Allow IP addresses that match the whitelist and block IP addresses based on the
command and control source and blacklist through the Spotlight Secure policy.
See Junos Space Network Management Platform for more information on creating firewall
policies and rules.
To create the firewall policy and rules:
1. In the Junos Space Security Director Platform user interface, select Firewall Policy.
2. Click Create Policy from the left pane.
3. Set the following options:
   Option                   Value
   Type                     Device
   Name                     guavabert_policy
   Description              Guavabert FW policy
   Manage                   Zone Policy
   Policy Priority          Medium
   Profile                  All Logging Enabled
   Device                   guavabert
   IPS Configuration Mode   None
See Figure 86 on page 100.
Figure 86: Creating the Firewall Policy
4. Click Create.
5. Click the plus (+) icon to add a device pre-rule.
6. Click in the Source Address column and move Argentina_ip_list to the Selected column.
See Figure 87 on page 101.
Figure 87: Configuring the Allow Argentina IP Addresses Firewall Rule
7. Click OK.
8. Click in the Action column and select Permit. Then click in the Security Intelligence
column and select secintel_policy. See Figure 88 on page 101.
Figure 88: Configuring the Spotlight Secure Firewall Rule
9. Click the plus (+) icon to add another device pre-rule.
10. Click in the Source Address column and move to_block to the Selected table. See
Figure 89 on page 101.
Figure 89: Configuring the Blacklist Firewall Rule
11. Click OK.
12. View the job details to see the firewall policies added to the SRX Series device.
Related Documentation
• Spotlight Secure Connector Information Source Overview on page 49
• Spotlight Secure Connector Profile Overview on page 65
• Spotlight Secure Connector Policy Overview on page 74
PART 4
Index
• Index on page 105
Index
Symbols
#, comments in configuration statements.....................ix
( ), in syntax descriptions.......................................................ix
< >, in syntax descriptions.....................................................ix
[ ], in configuration statements...........................................ix
{ }, in configuration statements..........................................ix
| (pipe), in syntax descriptions............................................ix
A
associating an SRX Series device.....................................34
B
blacklist......................................................................................49
braces, in configuration statements..................................ix
brackets
    angle, in syntax descriptions........................................ix
    square, in configuration statements.........................ix
C
cloud information source.....................................................49
comments, in configuration statements.........................ix
configuration settings............................................................19
    network settings.............................................................20
conventions
    text and syntax................................................................viii
curly braces, in configuration statements.......................ix
custom file information source.........................................49
customer support......................................................................x
    contacting JTAC.................................................................x
D
DMI schema..............................................................................39
documentation
    comments on....................................................................ix
dynamic address group.........................................................81
F
failover........................................................................................30
font conventions.....................................................................viii
H
high availability........................................................................30
I
information source
    blacklist.............................................................................49
    cloud...................................................................................49
    custom file........................................................................49
    WebApp Secure.............................................................49
    whitelist.............................................................................49
M
manuals
    comments on....................................................................ix
N
network settings
    configuring........................................................................20
P
parentheses, in syntax descriptions..................................ix
policies........................................................................................74
    security rules....................................................................79
profiles
    threat level........................................................................65
S
schema
    updating............................................................................39
Security Intelligence
    dynamic address group................................85, 86, 87
        See also creating
        See also delete
        See also managing
        See also modify
    policy.....................................................................76, 77, 78
        See also creating
        See also delete
        See also managing
        See also modify
    profiles..................................................................70, 73, 74
        See also creating
        See also delete
        See also managing
        See also modify
security rules.............................................................................79
server certificate authorities...............................................38
specialized node
    adding.................................................................................27
SRX Series device
    associating.......................................................................34
support, technical See technical support
syntax conventions................................................................viii
T
technical support
    contacting JTAC.................................................................x
threat level
    settings..............................................................................65
    WebApp Secure.............................................................65
trusted server certificate authorities...............................38
V
VMware
    configuration.....................................................................19
W
whitelist......................................................................................49