Unified Threat Management
  • 08 Oct 2021

Article summary

This document is intended to provide a high-level overview of Unified Threat Management (UTM), which comprises Juniper's Content Security and Advanced Threat Prevention Cloud (ATP Cloud) feature suites.

The built-in firewall features native to a Juniper vSRX platform include:

  • NAT
  • Security Policy
  • Basic IDS (screens)

Unified Threat Management (UTM), acting as a second tier, includes:

  • Anti-virus (Sophos) – Uses a scanning engine and virus signature databases to protect against virus-infected files, worms, trojans, spyware, and other malware carried over POP3, HTTP, SMTP, IMAP, and FTP.
    • Signatures updated daily
    • Applied to web and e-mail traffic, inbound and outbound

  

  • Content Filtering – Provides basic data loss prevention functionality. Content filtering filters traffic based on MIME type, file extension, and protocol commands. You can use the content filter module to block ActiveX controls, Java applets, and other types of content.
    • Matches on file metadata only; it does not inspect file contents
    • Not applied by default

 

  • Web Filtering – Provides URL filtering based on categories (cloud-sourced via SurfControl) or custom lists.
    • Blocks the Malicious, Suspicious, and Compromised site categories by default.

 

  • Anti-spam (Not supported by Expedient) – Tags or blocks unwanted e-mail by scanning inbound and outbound SMTP traffic. Anti-spam filtering can use a third-party server-based spam block list (SBL) and, optionally, local whitelists and blacklists of your own to filter e-mail messages.

 

  • Intrusion Detection and Prevention (IDP) – An IDP policy lets you selectively enforce attack detection and prevention techniques on the traffic passing through the security device. It offers traditional signature-based detection and can run as an intrusion detection system (IDS, detect and log) or an intrusion prevention system (IPS, detect and block) to stop potential incidents at the network perimeter.

We use Juniper's predefined Recommended IDP policy to provide comprehensive out-of-the-box protection designed to detect known attack patterns and protocol anomalies.

  • Juniper-managed signature database
  • No alerting; logging can be enabled

 

  • Application Security (AppSecure) – AppSecure is a suite of application-aware security services that provides visibility and control over the types of applications traversing the network perimeter. It uses a classification engine to identify applications regardless of port or protocol, including nested applications that reside within trusted network services. Common uses:

 

  • Application Identification (AppID) – Recognizes traffic at different network layers using characteristics other than the port number, so a security policy can match on an application ID instead. For example, a rule can match an AppID such as office365-apps rather than HTTP on TCP port 80 plus a static list of Microsoft public IP addresses.

 

  • SSL Proxy (Not supported by Expedient) – Provides visibility into encrypted traffic by acting as a man-in-the-middle: the firewall terminates the TLS session and re-signs the server certificate with a proxy CA that must be installed on the firewall and trusted by every end host. This adds management overhead and reduces reliability.
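
The Junos set-commands below tie the UTM components listed above (Sophos anti-virus, content filtering, enhanced web filtering, the IDP Recommended policy, logging, and an AppID-keyed rule) to an outbound security policy. They are an added example written for this article, not configuration taken from the original page, from Expedient, or from Juniper's documentation. The profile, policy and zone names (av-sophos, cf-basic, ewf-default, utm-outbound, users-out, web-apps, trust, untrust), the collector and source addresses in 192.0.2.0/24, the custom URL list and the web-filtering category names are all assumptions; category names depend on the engine and signature bundle a release loads, and the `type` statements follow the legacy feature-profile hierarchy, so verify the syntax against the documentation for the Junos release in use before committing.

```junos
## --- Anti-virus (Sophos engine): daily pattern updates, block when the scan cannot complete ---
set security utm feature-profile anti-virus type sophos-engine
set security utm feature-profile anti-virus sophos-engine pattern-update interval 1440
set security utm feature-profile anti-virus sophos-engine profile av-sophos fallback-options default block

## --- Content filtering: block by file extension, MIME type and embedded object type ---
## (metadata matching only; nothing here looks inside the file)
set security utm custom-objects filename-extension exe-like value [ exe scr vbs js ]
set security utm custom-objects mime-pattern exe-mime value [ application/x-msdownload application/x-sh ]
set security utm feature-profile content-filtering profile cf-basic block-extension exe-like
set security utm feature-profile content-filtering profile cf-basic block-mime list exe-mime
set security utm feature-profile content-filtering profile cf-basic block-content-type activex
set security utm feature-profile content-filtering profile cf-basic block-content-type java-applet

## --- Web filtering (Juniper Enhanced): permit by default, allow a custom list, block the three
##     risk categories, and fail closed if the category service is unreachable ---
## (category names are assumed; use the ones your signature bundle lists)
set security utm feature-profile web-filtering type juniper-enhanced
set security utm custom-objects url-pattern corp-sites value [ *.example.com ]
set security utm custom-objects custom-url-category corp-allow value corp-sites
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default default permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default category corp-allow action permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default category Enhanced_Malicious_Web_Sites action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default category Enhanced_Suspicious_Content action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default category Enhanced_Compromised_Websites action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default fallback-settings default block

## --- UTM policy: bind the profiles to each protocol the anti-virus engine can scan ---
set security utm utm-policy utm-outbound anti-virus http-profile av-sophos
set security utm utm-policy utm-outbound anti-virus smtp-profile av-sophos
set security utm utm-policy utm-outbound anti-virus pop3-profile av-sophos
set security utm utm-policy utm-outbound anti-virus imap-profile av-sophos
set security utm utm-policy utm-outbound anti-virus ftp upload-profile av-sophos
set security utm utm-policy utm-outbound anti-virus ftp download-profile av-sophos
set security utm utm-policy utm-outbound content-filtering http-profile cf-basic
set security utm utm-policy utm-outbound web-filtering http-profile ewf-default

## --- IDP: keep the Juniper signature package current (daily, off-hours) ---
## The Recommended template is loaded once from operational mode with
##   request security idp security-package download policy-templates
##   request security idp security-package install policy-templates
set security idp security-package automatic start-time 2021-10-09.02:00 interval 24 enable

## --- Logging: stream RT_UTM / RT_IDP / RT_FLOW events to a collector (the box itself does not alert) ---
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream siem host 192.0.2.10

## --- Outbound user policy: UTM and IDP attached as application services, sessions logged ---
set security policies from-zone trust to-zone untrust policy users-out match source-address any
set security policies from-zone trust to-zone untrust policy users-out match destination-address any
set security policies from-zone trust to-zone untrust policy users-out match application any
set security policies from-zone trust to-zone untrust policy users-out then permit application-services utm-policy utm-outbound
set security policies from-zone trust to-zone untrust policy users-out then permit application-services idp-policy Recommended
set security policies from-zone trust to-zone untrust policy users-out then log session-init
set security policies from-zone trust to-zone untrust policy users-out then log session-close

## --- AppID: match on the application identified in the flow rather than on TCP port 80/443 ---
## Names come from "show services application-identification application summary";
## substitute the Office 365 entry from that list for the generic web applications used here.
set security policies from-zone trust to-zone untrust policy web-apps match source-address any
set security policies from-zone trust to-zone untrust policy web-apps match destination-address any
set security policies from-zone trust to-zone untrust policy web-apps match application any
set security policies from-zone trust to-zone untrust policy web-apps match dynamic-application [ junos:HTTP junos:SSL ]
set security policies from-zone trust to-zone untrust policy web-apps then permit application-services utm-policy utm-outbound
set security policies from-zone trust to-zone untrust policy web-apps then log session-init
insert security policies from-zone trust to-zone untrust policy web-apps before policy users-out
```

The `insert` keeps the AppID rule ahead of the catch-all so that it is evaluated first; the catch-all still carries the full UTM policy so that mail and FTP sessions, which the dynamic-application rule does not match, are scanned as well. After the first signature download, confirm the state of each engine with `show security utm anti-virus status`, `show security utm web-filtering status` and `show security idp security-package-version`.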

Advanced Threat Prevention Cloud (ATP Cloud), as a third tier, includes:

  • Advanced Anti-Malware (AAMW) Detection - See notes below
  • Command and Control (C&C) Blocking - Filters traffic from known C&C botnets
  • GeoIP Blocking - Filter traffic to and from specific geographies in the world

By combining UTM with ATP Cloud, both traditional signature-based detection and the latest anti-malware technologies are used to detect and mitigate threats.

ATP Cloud uses a combination of static and dynamic analysis and machine learning to quickly identify unknown threats, either downloaded from the web or sent via e-mail, and delivers a file verdict and risk score back to the SRX Series firewall to enable blocking at the network level.  

ATP Cloud includes Encrypted Traffic Insights, giving you visibility into threats in encrypted traffic without the burden of full TLS/SSL decryption. The firewall collects relevant data about the TLS/SSL connection, including certificates, negotiated cipher suites, and connection behavior. ATP Cloud processes this information and uses network behavioral analysis and machine learning to determine if the connection is benign or malicious. You can configure policies on the SRX firewall to block traffic identified as malicious.

ATP Cloud delivers security intelligence (SecIntel) consisting of malicious domains, URLs, and IP addresses gathered from file analysis, Juniper Threat Labs research, and highly reputable third-party threat feeds. These feeds are collected and distributed to the SRX to automatically block command-and-control communications, making it more difficult to wage a successful attack on the organization.

AAMW and C&C blocking benefit environments where end users make outbound connections through the firewall to Internet resources. Inbound traffic to servers acting as application or web hosts would not benefit from these features.

ATP Cloud includes its own management portal and reporting.                           
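
The ATP Cloud tier in the same Junos set-command form, as an added example for this article; it is not configuration from the original page, from Expedient, or from Juniper. It assumes the SRX has already been enrolled with ATP Cloud using the enrollment command the portal generates for your realm, that the outbound user policy is called users-out in zones trust to untrust, and that the policy, profile and address names (aamw-policy, cc-profile, secintel-policy, geo-blocked) are ours. The verdict threshold, the threat-level bands and the country-code placeholder are choices to adjust, and the statement hierarchy should be checked against the documentation for the release in use.

```junos
## Prerequisite (operational mode, not shown): enroll the SRX with ATP Cloud using the command
## generated by the ATP Cloud portal; enrollment sets up the cloud and feed connectivity that
## the statements below rely on.

## --- AAMW: submit HTTP(S) downloads and SMTP attachments for cloud analysis ---
## Verdicts are scored 1-10: block at 7 and above, log everything, and permit (with a log entry)
## if the cloud is unreachable. The SMTP action itself is set in the ATP Cloud portal.
set services advanced-anti-malware policy aamw-policy verdict-threshold 7
set services advanced-anti-malware policy aamw-policy http inspection-profile default_profile
set services advanced-anti-malware policy aamw-policy http action block
set services advanced-anti-malware policy aamw-policy http notification log
set services advanced-anti-malware policy aamw-policy smtp inspection-profile default_profile
set services advanced-anti-malware policy aamw-policy smtp notification log
set services advanced-anti-malware policy aamw-policy fallback-options action permit
set services advanced-anti-malware policy aamw-policy fallback-options notification log

## --- SecIntel C&C feed: drop high-confidence C&C destinations, log the mid-range, permit the rest ---
set services security-intelligence profile cc-profile category CC
set services security-intelligence profile cc-profile rule cc-block match threat-level [ 8 9 10 ]
set services security-intelligence profile cc-profile rule cc-block then action block drop
set services security-intelligence profile cc-profile rule cc-block then log
set services security-intelligence profile cc-profile rule cc-watch match threat-level [ 5 6 7 ]
set services security-intelligence profile cc-profile rule cc-watch then action permit
set services security-intelligence profile cc-profile rule cc-watch then log
set services security-intelligence profile cc-profile default-rule then action permit
set services security-intelligence policy secintel-policy CC cc-profile

## --- Attach both to the outbound user policy only (egress user traffic, not inbound server traffic) ---
set security policies from-zone trust to-zone untrust policy users-out then permit application-services advanced-anti-malware-policy aamw-policy
set security policies from-zone trust to-zone untrust policy users-out then permit application-services security-intelligence-policy secintel-policy

## --- GeoIP: an address object resolved from the GeoIP feed, used to deny inbound sessions ---
## Replace the placeholder with an ISO 3166 two-letter code; add one property line per country.
set security dynamic-address address-name geo-blocked profile category GeoIP property country string <country-code>
set security policies from-zone untrust to-zone trust policy deny-geo match source-address geo-blocked
set security policies from-zone untrust to-zone trust policy deny-geo match destination-address any
set security policies from-zone untrust to-zone trust policy deny-geo match application any
set security policies from-zone untrust to-zone trust policy deny-geo then deny
set security policies from-zone untrust to-zone trust policy deny-geo then log session-init
## Order the deny rule ahead of any inbound permit rules, e.g.
##   insert security policies from-zone untrust to-zone trust policy deny-geo before policy <first-inbound-permit>
```

The fallback of `permit` with logging is a deliberate availability trade-off: if the cloud is unreachable, downloads are not silently blocked, but every bypassed file is recorded so the gap is visible. Check cloud connectivity and feed state after commit with `show services advanced-anti-malware status`, `show services security-intelligence category summary` and `show security dynamic-address`.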

These are external links not managed by Expedient:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-overview.html
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-policies-overview.html
https://www.juniper.net/us/en/products-services/what-is/ids-ips/

Juniper UTM Components 

Juniper Sky Advanced Threat Prevention 

https://www.juniper.net/documentation/en_US/release-independent/skyatp/topics/concept/sky-atp-malware-analyze.html 

 

 

 

