An Infected-Host feed lists the hosts that have been compromised and need to be quarantined from
communicating with other devices. The feed consists of IP addresses, each with a
threat level of 10 (for example, xxx.xxx.xxx.133 with threat level 10). You can configure
security policies to take enforcement actions on the inbound and outbound traffic to and
from a host whose IP address is listed in the feed. The Infected-Host feed is downloaded
to the SRX Series Firewall only when the infected host profile is configured and enabled
in a firewall policy.
Note: Once the Juniper ATP Cloud global threshold is met for an infected host (see Configuration for Infected Hosts), that
host is added to the infected hosts feed and assigned a threat level of 10 by the
cloud. Therefore, all IP addresses in the infected hosts feed are threat level
10.
To create the infected host profile, the security intelligence policy, and the firewall
policy:
- Define a profile for both the infected host and CC. In this example, the
infected host profile is named ih-profile and the action is block drop for
anything with a threat level of 10. The CC host profile is named cc-profile
and is based on outbound requests to a C&C host, so add C&C rules to the
profile (threat levels 8 and above are blocked).
root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule match threat-level 10
root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule then action block drop
root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule then log
root@host# set services security-intelligence profile ih-profile category Infected-Hosts default-rule then action block drop
root@host# set services security-intelligence profile cc-profile category CC
root@host# set services security-intelligence profile cc-profile rule CC_rule match threat-level [8 9 10]
root@host# set services security-intelligence profile cc-profile rule CC_rule then action block drop
root@host# set services security-intelligence profile cc-profile rule CC_rule then log
root@host# set services security-intelligence profile cc-profile default-rule then action permit
As of Junos 18.1R1, the block action with HTTP URL redirection is supported
for infected hosts. During the processing of a session's IP address, if the
IP address is on the infected hosts list and the HTTP traffic is using port
80 or 8080, infected hosts HTTP redirection can be done. If the HTTP traffic
is using dynamic ports, HTTP redirection cannot be done. See the command
below.
- Verify your configuration using the show services security-intelligence CLI
command. It should look similar to this:
root@host# show services security-intelligence profile ih-profile
category Infected-Hosts;
rule if-rule {
    match {
        threat-level 10;
    }
    then {
        action {
            block {
                drop;
            }
        }
        log;
    }
}
root@host# show services security-intelligence profile cc-profile
category CC;
rule CC_rule {
    match {
        threat-level [ 10 9 8 ];
    }
    then {
        action {
            block {
                drop;
            }
        }
        log;
    }
}
default-rule {
    then {
        action {
            permit;
        }
    }
}
- Configure the security intelligence policy to include both profiles created
in Step 1. In this example, the policy is named infected-host-cc-policy.
root@host# set services security-intelligence policy infected-host-cc-policy Infected-Hosts ih-profile
root@host# set services security-intelligence policy infected-host-cc-policy CC cc-profile
- Configure the firewall policy to include the security intelligence policy.
This example applies the policy to traffic from the trust zone to the untrust zone.
root@host# set security policies from-zone trust to-zone untrust policy p2 match source-address any destination-address any application any
root@host# set security policies from-zone trust to-zone untrust policy p2 then permit application-services security-intelligence-policy infected-host-cc-policy
- Verify your configuration using the show security policies CLI command. It
should look similar to this:
root@host# show security policies
...
from-zone trust to-zone untrust {
    policy p2 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    security-intelligence-policy infected-host-cc-policy;
                }
            }
        }
    }
}
...
[edit]
- Commit your changes.
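As an added check for the two verification steps in this procedure (a helper script written for this page, not Junos or Juniper code), the following Python parses the curly-brace output of show services security-intelligence into nested dictionaries and confirms that a profile blocks and logs exactly the expected threat levels. The embedded sample is constructed from the ih-profile output shown above; the function names parse_junos and profile_blocks are assumptions of this example.

```python
import re
# Constructed sample input: the ih-profile output the procedure says to expect.
IH_PROFILE_OUTPUT = """category Infected-Hosts;
rule if-rule {
    match {
        threat-level 10;
    }
    then {
        action {
            block {
                drop;
            }
        }
        log;
    }
}
"""

def parse_junos(text):
    """Junos brace output -> nested dicts: 'k v;' -> {'k': 'v'},
    'k [ a b ];' -> {'k': ['a', 'b']}, 'flag;' -> {'flag': True}."""
    root, stack = {}, []
    cur = root
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("root@", "...", "[edit]")):
            continue  # prompts and elision markers are not config
        if line.endswith("{"):          # open a nested block
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":               # close it
            cur = stack.pop()
        elif line.endswith(";"):        # leaf statement
            body = line[:-1].strip()
            listed = re.fullmatch(r"(\S+)\s+\[(.*)\]", body)
            if listed:
                cur[listed.group(1)] = listed.group(2).split()
            else:
                key, _, val = body.partition(" ")
                cur[key] = val.strip() or True
    return root

def profile_blocks(cfg, category, rule, levels):
    """True when `rule` in cfg matches exactly `levels`, blocks with drop, and logs."""
    r = cfg.get(f"rule {rule}", {})
    got = r.get("match", {}).get("threat-level")
    got = set(got) if isinstance(got, list) else {got}
    then = r.get("then", {})
    return (cfg.get("category") == category and got == set(levels)
            and "log" in then and "drop" in then.get("action", {}).get("block", {}))
```

Paste the output of each show command into the script in place of the sample to check a live device; a profile whose rule permits instead of dropping, or that omits log, fails the check.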