Creating Threat Prevention Policies
You can create threat prevention policies for various profiles from the Policies page.
If you are creating policies for the first time, you are given the option of setting up Policy Enforcer with Juniper ATP Cloud or configuring Juniper ATP Cloud alone. Clicking either button takes you to quick setup for your selection. See Comparing the Juniper Connected Security and non-Juniper Connected Security Configuration Steps for a configuration comparison.
Before You Begin
Determine the type of profile you will use for this policy: command and control server, infected hosts, or malware. You can select one or more threat profiles in a policy. Note that you configure Geo IP policies separately. See Creating Geo IP Policies.
Determine what action to take if a threat is found.
Know what policy enforcement group you will add to this policy. To apply the policy, you must assign one or more policy enforcement groups. See the instructions for assigning groups to policies at the bottom of this page.
Once policies are configured with one or more groups assigned, you can save a policy in draft form or update it. Policy changes do not go live until they have been updated.
If you are using Juniper ATP Cloud without Policy Enforcer, you must assign your threat prevention policy to a firewall rule for it to take effect. See the instructions at the bottom of this page.
If you delete a threat prevention policy that is assigned to a policy enforcement group, a status screen appears displaying the progress of the deletion and the affected configuration items.
To create a threat prevention policy:
- Select Configure > Threat Prevention > Policies.
- Click the + icon.
The Create Threat Prevention Policy page appears.
- Complete the configuration by using the guidelines in Table 1, Table 2, Table 3, Table 4, and Table 5 below.
- Click OK.
Table 1: Fields on the Threat Prevention Policy Page
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63-character maximum. |
Description | Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators. |
Profiles | Include one or more of the following profiles in your threat prevention policy. You must include at least one profile. An error message is shown if you try to create the threat prevention policy without selecting a profile. |
Log Setting (Policy setting for all profiles) | Select the log setting for the policy. You can log all traffic, log only blocked traffic, or log no traffic. |
Table 2 shows the management of command and control server threats in a policy.
Table 2: C&C Server Profile Management
Field | Description |
---|---|
Command and Control Server | Select and choose settings for command and control servers. A C&C is a centralized computer that issues commands to botnets (compromised networks of computers) and receives reports back from them. Botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed denial-of-service (DDoS) attack. |
Include C&C profile in policy | Select the check box to include management for this threat type in the policy. |
Threat Score | Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. Refer to the monitoring pages in the UI to investigate, located under Monitor > Threat Management. |
Actions | If the threat score is high enough to cause a connection to be blocked, you have the following configurable options: |
Table 3 shows the management of infected host threats in a policy.
Table 3: Infected Host Profile Management
Field | Description |
---|---|
Infected Host | Infected hosts are systems for which there is a high confidence that attackers have gained unauthorized access. Infected hosts data feeds are listed with the IP address or IP subnet of the host, along with a threat score. |
Include infected host profile in policy | Select the check box to include management for this threat type in the policy. Note: If you want to enforce an infected host policy within the network, you must include a switch in the site. |
Actions | You have the following options: |
Table 4 shows the management of malware threats in a policy.
Table 4: Malware Threat Profile Management
Field | Description |
---|---|
Malware (HTTP file download, SMTP file attachments, and IMAP attachments) | Malware consists of files that are downloaded by hosts or received as email attachments and found to be suspicious based on known signatures, URLs, or other heuristics. |
Include malware profile in policy | Select the check box to include management for this threat type in the policy. |
HTTP file download | Turn this feature on to scan files downloaded over HTTP and then select a file scanning device profile. The device profile is configured using Juniper ATP Cloud. |
Scan HTTPS | Turn this feature on to scan encrypted files downloaded over HTTPS. |
Device Profile | Select ATP Cloud device profile. This is configured through ATP Cloud. ATP Cloud profiles let you define which files to send to the cloud for inspection. You can group types of files to be scanned together under a common name and create multiple profiles based on the content you want scanned. |
Actions | If the threat score is high enough to cause a connection to be blocked, you have the following configurable options: |
SMTP File Attachments | Turn this feature on to inspect files received as email attachments (over SMTP only). |
Scan SMTPS | Enable this option to configure reverse proxy for SMTP. The reverse proxy does not prohibit server certificates. It forwards the actual server certificate or chain as is to the client without modifying it. |
Device Profile | If you do not click the Change button to select a device profile for SMTP scanning, the device profile selected for HTTP will be used by default. Select Change to use a different device profile for SMTP. Device profiles are configured through ATP Cloud and define which files to send to the cloud for inspection. |
Threat Score | Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. This threat score applies to all malware, HTTP and SMTP. (Note: There is no monitoring setting for malware.) |
Actions | Actions for SMTP File Attachments include: Quarantine, Deliver malicious messages with warning headers added, and Permit. These actions are set in ATP Cloud. Refer to the Juniper ATP Cloud documentation for information. |
IMAP Attachments | Turn this feature on to select a file scanning device profile and threat score ranges to apply to IMAP e-mails. |
Scan IMAPS | Enable this option to configure reverse proxy for IMAP e-mails. |
Device Profile | If you do not click the Change button to select a device profile for IMAP scanning, the device profile selected for HTTP will be used by default. Select Change to use a different device profile for IMAP. Device profiles are configured through ATP Cloud and define which files to send to the cloud for inspection. |
Actions | Actions for IMAP Attachments include: Block, Deliver malicious messages with warning headers added, and Permit. These actions are set in ATP Cloud. Refer to the Juniper ATP Cloud documentation for information. |
Threat Score | Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. This threat score applies to all malware, HTTP, SMTP, and IMAP. (Note: There is no monitoring setting for malware.) |
Table 5 shows the management of DDoS threats in a policy.
Table 5: DDoS Threat Profile Management
Field | Description |
---|---|
Include DDoS Profile in Policy | Enable this option to include the management of distributed denial-of-service (DDoS) protection, which enables the MX router to quickly identify an attack and prevent a flood of malicious control packets from exhausting system resources. When you create a threat policy for the DDoS profile, it is not pushed to the device because the policy is not yet assigned to any device. Assign the policy to a policy enforcement group. Because the policy is created for the MX router, rule analysis is not initiated when a policy is assigned to the policy enforcement group (PEG). |
Actions | Select the following actions from the list for the DDoS profile: |
Scrubbing Site | Specify a routing instance to which packets are forwarded in the as-number:community-value format, where each value is a decimal number. For example, 65001:100. |
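The field constraints in Table 1 and Table 5 are easy to get wrong when policies are generated by a script rather than typed into the UI. The following pre-flight validator is an added example, not part of this page or of Juniper's product code; the profile and log-setting tokens, and the 16-bit range check on the scrubbing-site community, are assumptions labelled in the comments.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constraints taken from Table 1 and Table 5 of this page.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_]*$")   # alphanumeric start, underscores allowed, no spaces
NAME_MAX = 63
DESCRIPTION_MAX = 1024
PROFILES = {"cc", "infected_host", "malware", "ddos"}   # assumed tokens for the four profile types
LOG_SETTINGS = {"all", "blocked", "none"}              # assumed tokens for the three log settings
COMMUNITY_RE = re.compile(r"^(\d+):(\d+)$")            # as-number:community-value, both decimal

@dataclass
class ThreatPreventionPolicy:
    name: str
    description: str = ""
    profiles: Set[str] = field(default_factory=set)
    log_setting: str = "all"
    scrubbing_site: Optional[str] = None   # DDoS profile only, e.g. "65001:100"

def validate_policy(p: ThreatPreventionPolicy) -> List[str]:
    """Return every documented constraint the policy violates; an empty list means it passes."""
    problems = []
    if not 1 <= len(p.name) <= NAME_MAX:
        problems.append(f"name must be 1 to {NAME_MAX} characters")
    elif not NAME_RE.match(p.name):
        problems.append("name must start with an alphanumeric and contain only alphanumerics or underscores")
    if len(p.description) > DESCRIPTION_MAX:
        problems.append(f"description exceeds {DESCRIPTION_MAX} characters")
    if not p.profiles:
        problems.append("at least one profile must be included")
    unknown = p.profiles - PROFILES
    if unknown:
        problems.append(f"unknown profile(s): {sorted(unknown)}")
    if p.log_setting not in LOG_SETTINGS:
        problems.append(f"log setting must be one of {sorted(LOG_SETTINGS)}")
    if p.scrubbing_site is not None:
        if "ddos" not in p.profiles:
            problems.append("scrubbing site is only meaningful with the ddos profile")
        m = COMMUNITY_RE.match(p.scrubbing_site)
        if not m:
            problems.append("scrubbing site must be as-number:community-value with decimal values")
        elif any(int(v) > 0xFFFF for v in m.groups()):
            # Assumption beyond the page's wording: a standard BGP community (RFC 1997) is two 16-bit fields.
            problems.append("scrubbing site values must each fit in 16 bits")
    return problems

if __name__ == "__main__":
    draft = ThreatPreventionPolicy("branch_ddos", "Scrub volumetric floods", {"ddos"}, "blocked", "65001:100")
    print(validate_policy(draft) or "policy passes all documented constraints")
```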
Once you have a threat prevention policy, you assign one or more groups to it:
- In the threat prevention policy main page (located under Configure > Threat Prevention > Policy), find the appropriate policy.
- In the Policy Enforcement Groups column, click the Assign to Groups link that appears here when there are no policy enforcement groups assigned, or click the group name that appears in this column to edit the existing list of assigned groups. You can also select the check box beside a policy and click the Assign to Groups button at the top of the page. See Policy Enforcement Groups Overview.
For the infected host profiles created with Monitor action, you cannot assign a policy enforcement group if it contains only the third-party connector devices or the combination of both Junos Space and third-party connector devices. You must have only the Junos Space subnets in the policy enforcement groups to assign them to the infected host profiles with Monitor action.
If you edit an existing infected host profile with either Drop Connection or Quarantine action to Monitor action, you cannot assign any policy enforcement group having only third-party connector devices or the combination of Junos Space and third-party connector devices.
- In the Assign to Groups page, select the check box beside a group in the Available list and click the > icon to move it to the Selected list. The groups in the Selected list will be assigned to the policy.
- Click OK.
- Once one or more policy enforcement groups have been assigned, a Ready to Update link appears in the Status column. You must update to apply your new or edited policy configuration. Clicking the Ready to Update link takes you to the Threat Policy Analysis page. See Threat Policy Analysis Overview. From there you can view your changes and choose to Update now, Update later, or Save them in draft form without updating.
- If you are using Juniper ATP Cloud without Policy Enforcer, you must assign your threat prevention policy to a firewall rule for it to take effect. Navigate to Configure > Firewall Policy > Policies. In the Advanced Security column, click an item to access the Edit Advanced Security page and select the threat prevention policy from the Threat Prevention pulldown list.