Juniper JN0-230 JNCIA Security Associate – Unified Threat Management

  1. Introduction to UTM

Welcome back. Let's now talk about the next topic, which is UTM, or unified threat management. This is a very simple topic. There's not much depth in terms of the concepts, but still, it's a very interesting topic. So let's talk about it. Unified threat management is a collection of security features and services that protect users from security threats. The services include antivirus, antispam, content filtering, and web filtering. What makes UTM so easy to use is that all of these features or services are provided on a single device. This means it is very easy to manage these multiple security capabilities. It protects against viruses, Trojans, malware, malicious email attachments, spyware-infected files, and unapproved websites. Now let's talk about each of these features at a high level. We'll begin with antivirus. I'm sure you've heard about this before. Antivirus uses a virus scanning engine and a virus signature database to protect against virus-infected files, worms, Trojan horses, spyware, and other malware. It inspects application-layer traffic to check for malicious files, and files are checked on protocols such as POP3, HTTP, SMTP, IMAP, and FTP. Antivirus protection on an SRX device is provided by two different services, and we, as administrators, can choose which one we want to use. So we can use Avira antivirus on the device itself, or Sophos antivirus in the cloud.

The next feature is antispam. This scans inbound and outbound emails to identify spam. When spam is detected, the email message can be blocked or tagged, and we, as administrators, define which of the two happens. It allows the usage of a third-party server-based spam block list, also known as an SBL. You can also define custom allow and block lists locally, also known as "whitelists" and "blacklists." Then we have content filtering. This allows you to block or permit certain types of traffic based on MIME types, file extensions, and protocol commands. MIME stands for Multipurpose Internet Mail Extensions. It's sometimes also referred to as the "media type." It indicates the type and format of a document or file. In simple words, it identifies the type of data. Examples of MIME types include application, audio, image, text, video, etc. Content filtering can also be used to block ActiveX, Java applets, and other types of content. ActiveX controls are plugins that you install in the Internet Explorer browser. Consider it similar to installing extensions on the Chrome browser or plugins or add-ons on the Firefox browser. They are commonly found in Internet Explorer, but can also be used by other Microsoft applications. The problem with ActiveX is that it is known to cause security issues. So content filtering can be used to block ActiveX. Java applets are Java programs that run within your browser, and they can be used to deliver malware to your computer.

So these kinds of content can be filtered using content filtering. And then we have web filtering. This allows you to limit web access based on configured categories and policies, and web filtering is very important for organizations. It allows you to define what type of web content is available to users when they're connected to the corporate network. This may also have an impact on employee productivity. Web filtering supports the use of a local Websense server or an Internet-based SurfControl server. It also supports a custom allow list or block list. To use the UTM feature on the SRX device, you need to have at least 1 GB of memory. Let's now quickly talk about licensing. We don't need to know this from the examination perspective, but it's just a good idea to be aware of it. As you can see, content filtering, web filtering redirect, and web filtering local do not require a licence, but all other features require a subscription license. Antispam, antivirus, integrated web filtering, and enhanced web filtering all require a license. So that's a high-level overview of UTM, or unified threat management. In the upcoming lectures, we'll look at the specifics of each service available with UTM, and we'll also look at some configuration examples.

  2. Antivirus Protection

Let's now talk about the antivirus protection feature of UTM. So we'll look at the concepts of antivirus protection, and then we'll look at a simple configuration example. From the JNCIA-SEC examination perspective, we only need to know the features and operations of UTM at a high level. We do not need to go into all the specifics. Having said that, let's now talk about antivirus protection. So antivirus protection for UTM is provided by a couple of services. The first option is to use on-device Avira antivirus, and the second option is to use Sophos antivirus in the cloud.

The antivirus protection service scans traffic on the HTTP, POP3, SMTP, IMAP, and FTP protocols. Let's now talk about the on-device Avira antivirus service. This scans application-layer traffic using an antivirus pattern database and protects against infected files, Trojans, worms, and other malicious data. For this service to work, the Avira antivirus scan engine must be installed and activated on the SRX device. The other option is to use Sophos antivirus protection, which is an in-cloud antivirus solution. This means the virus protection database and the malware database are located on external servers maintained by an organisation called Sophos. The Sophos antivirus protection service can also be configured to intercept and decrypt HTTPS traffic. We know that HTTPS is encrypted. This means that if anyone gets hold of the data in transit, all they see is encrypted data. The Sophos antivirus engine can be configured to use an SSL forward proxy. This means HTTPS traffic can be intercepted and decrypted to see the clear-text traffic. The clear-text traffic can then be forwarded to the UTM service to check for threats. The advantage of using Sophos antivirus protection is that there is no need to download and maintain the virus pattern database on the SRX device. This means the service has a low memory and CPU footprint, making it ideal for lower-end SRX devices that have less memory.

Now, let's talk about configuration. To configure antivirus protection on the SRX device, we need to follow four steps. First, we'll define the antivirus service type. Do we want to use Avira antivirus or Sophos antivirus? Then we'll define a feature profile. A feature profile contains settings like scanning options and notification options. This step is optional because Junos by default has an antivirus profile installed on the device. So we can use the default profile, or we can create a custom profile. Then we need to define a UTM policy. We learned that the antivirus service scans traffic from various protocols such as HTTP, POP3, IMAP, and so on. By defining a UTM policy, we can configure the profile to be used for each of these protocols. And finally, we need to configure a security policy that uses the UTM policy configured in step number three. Let's now go to the SRX terminal and take a look at the configuration. All right, I'm here at the terminal of the SRX device to configure UTM. We'll first navigate to the "edit security utm" hierarchy. So now we are in UTM configuration mode. First, let's take a look at the existing configuration. I'll use the "show" command, and as you can see, right now I do not have any configuration. The first step is to define the type of antivirus service that we want to use, and to do that we'll use the "set" command. Let's type "set ?", and the keyword we are looking for is "default-configuration". Then "set default-configuration ?", and we are configuring "anti-virus". Then "set default-configuration anti-virus ?", and the keyword that we need is "type".

This allows us to define the antivirus engine type, and here we can see both options. We can use the Avira engine or the Sophos engine, or we can say that we don't want to use any antivirus engine. For now, we'll configure it as the Avira engine. Let's do a "show" here, and we can see a warning. We understood from the last lecture that the antivirus feature requires a license, and as you can see here, I currently do not have a licence installed for Avira antivirus. But that's not a problem; we can still look at the configuration. The next step is to define a feature profile. So let's do a "set ?". We'll use the "feature-profile" option. Then "set feature-profile ?", and we're configuring "anti-virus". Then "set feature-profile anti-virus ?", and the keyword is "profile", where we can give a profile name. So, for example, we can say "set feature-profile anti-virus profile ProfileOne ?", and here we can configure the various options. We can customise the URL whitelist, the MIME whitelist, and the fallback options. Like we discussed earlier, Junos has a default antivirus profile. So we really don't have to configure a new profile; we can simply use the default profile. If you'd like to take a look at the default profile settings, we can use the "show groups" command. Let's go to the top of the configuration mode and do "show groups ?". We need to type the default group name, which is "junos-defaults", and we need to type this out in full. So: "show groups junos-defaults security utm feature-profile ?", then "anti-virus ?", then "profile", and here is the default profile, called "junos-av-defaults". Now I can't see the configuration because I don't have the licence for that, but I have a document here that shows the default configuration of the profile.

So here's the profile called "junos-av-defaults", and here we can see the fallback options, the scan options, and the notification options configured for that profile. So we're not going to configure a new feature profile. We'll use the default AV profile. Let's go back to "edit security utm" and move on to the next step, which is to configure a UTM policy. So we'll say "edit ?". The keyword is "utm-policy", and we need to provide a policy name. For the time being, let's just call it P1. Then "edit utm-policy P1 ?", and we're configuring "anti-virus". Now we can execute the command. So we'll press Enter, and now we're in the configuration mode for that specific policy. We can see the different protocols that we discussed by doing a "set ?". So we can configure the profile to be used for each protocol. So, for example, "set http-profile ?", and here we can see the default profile names. If we had configured a custom feature profile, that would show up in the list as well. Right now, we will just configure it as "junos-av-defaults". And I'm going to repeat this command for the other protocols as well: "set imap-profile junos-av-defaults", "set pop3-profile junos-av-defaults", and "set smtp-profile junos-av-defaults". And I'll also configure that for FTP, where we can configure different profiles for uploading and downloading.

So "set ftp download-profile junos-av-defaults", and I'll repeat the same thing for the upload profile: "set ftp upload-profile junos-av-defaults". Let's go up and do a "show". So the default configuration has the antivirus type defined as the Avira engine, and we have a UTM policy called P1 that has the different profile settings. The last step is to apply the UTM policy to a security policy. So we'll go ahead and "edit security policies". Let's do a "show", and as you can see, I already have a policy defined here, from zone trust to zone untrust. Let's go into that: "edit from-zone trust to-zone untrust". So here's the policy, and we're going to apply the UTM policy to this security policy. So we'll say "set policy default-permit then permit ?", and the keyword we're after is "application-services". Then "set policy default-permit then permit application-services ?", and the next keyword is "utm-policy". And here we can reference the UTM policy that we defined, P1. Let's do a "show" here, so we can see that we're matching any source address, any destination address, and any application, traffic is permitted, and under application services we've defined the UTM policy. So that's how we configure antivirus protection. We first need to define the service type. Optionally, we can define a feature profile, then we configure a UTM policy, and finally we reference the UTM policy in the security policy configuration.
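The four steps above collected into one loadable set-format configuration, added here as an example rather than taken from the course or from Juniper's documentation. It assumes the zone names trust/untrust and the policy name default-permit from the lecture; the optional custom profile AV-STRICT, its option keywords and the verification commands are written from memory of the Junos CLI and should be confirmed with "?" on your release.

```junos
# Step 1: select the on-device Avira engine ("sophos-engine" selects the cloud service).
# An Avira license must be installed, otherwise "show" prints a license warning.
set security utm default-configuration anti-virus type avira-engine

# Step 2 (optional): a custom feature profile instead of junos-av-defaults.
# The option keywords below are assumptions to verify with "?" on your release.
set security utm feature-profile anti-virus profile AV-STRICT fallback-options default block
set security utm feature-profile anti-virus profile AV-STRICT fallback-options content-size block
set security utm feature-profile anti-virus profile AV-STRICT scan-options content-size-limit 20000
set security utm feature-profile anti-virus profile AV-STRICT notification-options virus-detection type message
set security utm feature-profile anti-virus profile AV-STRICT notification-options virus-detection custom-message "Blocked by UTM anti-virus"

# Step 3: UTM policy binding a profile to each scanned protocol.
# Web downloads get the strict profile; mail and FTP keep the Junos default profile.
set security utm utm-policy P1 anti-virus http-profile AV-STRICT
set security utm utm-policy P1 anti-virus imap-profile junos-av-defaults
set security utm utm-policy P1 anti-virus pop3-profile junos-av-defaults
set security utm utm-policy P1 anti-virus smtp-profile junos-av-defaults
set security utm utm-policy P1 anti-virus ftp download-profile junos-av-defaults
set security utm utm-policy P1 anti-virus ftp upload-profile junos-av-defaults

# Step 4: reference the UTM policy from the trust-to-untrust security policy.
# Only traffic matched by this policy is scanned; any other policy stays unscanned.
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit application-services utm-policy P1

# After "commit", verify from operational mode:
#   show system license
#   show security utm anti-virus status
#   show security utm anti-virus statistics
```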

  3. Antispam

It's now time to talk about the second UTM feature, known as antispam filtering. We'll first understand what spam is, and then we'll talk about the methods used by Junos to protect against spam. Spam generally refers to unsolicited or unwanted email messages sent in bulk. Usually, it refers to the practice of sending unwanted email messages for commercial or malicious purposes. The Junos antispam filtering feature monitors incoming and outgoing SMTP email traffic. It allows you to define a couple of actions for antispam filtering. You can choose to block spam emails, or you can choose to tag the spam emails. You can tag the email message header, or you can tag the email subject. The antispam filtering service allows the usage of a third-party server-based spam block list, also known as an SBL.

In addition to that, you can also configure local allow lists and block lists, in other words, a whitelist and a blacklist. An important thing to bear in mind when using the antispam filtering service is that the antispam feature of Junos is meant to complement your existing antispam server. It is not meant to be a replacement. When talking about blocking spam on Junos, spam can be blocked at the connection level or at the email level. What is the difference? Well, with connection-level blocking, the SMTP sender is identified as spam based on its IP address, and the SMTP connection is rejected and dropped. An error message is sent from the firewall on behalf of the SMTP server. With email-level blocking, the SMTP sender is identified as spam based on the sender address, and the email is rejected or dropped. Again, an error message is sent from the firewall on behalf of the SMTP server. Now, talking about tagging spam: the email can be tagged and allowed if the sender is detected as spam. Tags can be applied to individual emails or at the connection level, so that all emails from the connection are tagged. Tags can be applied in a couple of ways.

You can tag the subject, in which case a user-defined string is added to the beginning of the subject of the email, and you can define that string. Or you can tag the header, in which case an ASCII-defined string is added to the email header. Now let's talk about server-based antispam filtering. It uses an Internet-based spam block list, also known as an SBL. Because the server is Internet-based, the SRX device will need to have Internet connectivity, and you also need to have a name server configured on the SRX device, because the SRX device will need to resolve host names to IP addresses. So two important things: the SRX device must have Internet connectivity, and you must have a name server defined on the SRX device. The SRX device will look up the IP address of the email sender in the spam block list to determine if the sender is a spammer. So that's about server-based antispam filtering. It uses an Internet-based spam blacklist server. In addition to this, you can also configure local allow lists or block lists to filter emails. When configuring these lists, you can add domain names, email addresses, or IP addresses. An important thing to keep in mind is that the allow list is checked before the block list. So when processing an email, the Junos device will first check whether the domain name, email address, or IP address is in the allow list, and then it will check the block list.

So, what happens when you have both mechanisms configured, i.e., a locally defined allow list and block list, as well as the use of an SBL? Well, in that case, the local allow list is checked first. If there is no match, the local block list is checked. And if there is still no match, the SBL server list is checked. So when you have local lists and an SBL configured, the local lists take precedence, and within the local lists, the allow list takes precedence. So those are the concepts. Now let's talk about configuring antispam on the SRX device. The configuration is simple. There are five steps that we need to follow. The first step is to enable antispam filtering. The second step is to define allow lists and block lists, and this is optional. We may choose to do this, or we can skip it. Step number three is to define a feature profile. Again, this step is optional because Junos by default has an antispam profile.

Then we need to define a UTM policy that tells the SRX device which profile to use for antispam filtering. And finally, we need to configure the security policy to use the UTM policy. Now let's get to the SRX device and see how to configure it. All right, I'm here at the terminal of the SRX device, and I'm right now in configuration mode. Let's first navigate to "edit security utm", and let's begin with a "show" command. So we don't have any configuration right now. Let's first enable antispam filtering. To do that, the command is "set default-configuration". So here's the keyword, "default-configuration": this keyword is used to specify the default configuration options. So, "set default-configuration ?", and we are configuring "anti-spam". Then "set default-configuration anti-spam ?", and the keyword we are looking for is "type", where the options we have are "sbl" or "none". So we'll set it to "sbl". Now we'll define a custom object. So we can define allow lists or block lists. We'll say "set ?", and we are trying to define custom objects. So "set custom-objects ?", and we'll choose the option called "url-pattern". Then "set custom-objects url-pattern ?", and now we'll provide a name. Let's just call this "Blocklist"; we can provide any name. Let's put a question mark here. The keyword is "value", and here we can provide the value for that object. Right now I'm going to define an IP address over here. But remember, you can provide domain names, email addresses, and IP addresses. So right now I'm just going to define an IP address that I want to add to the block list. This IP address is not necessarily a spam sender. I'm just using that as an example here.

Let's do a "show" here. So we've defined an IP address in a list called "Blocklist". Now we need to tell the UTM service whether the values defined in this list should be treated as a block list or an allow list. Right now this is just a value; the UTM service does not know how to treat it. We must specify whether the list should be treated as an allow list or a block list, and the way we can do that is by configuring a feature profile. So let's do a "set ?". We're going to use the keyword "feature-profile". Then "set feature-profile ?", and we are configuring "anti-spam". Then "set feature-profile anti-spam ?", which gives us "sbl", and "set feature-profile anti-spam sbl ?", where the keyword is "profile". Now we need to provide a profile name. Let's call this "anti-spam-profile", and with a question mark we have different options over here. So we can use the keywords "address-blacklist" and "address-whitelist". We can provide the custom tag string that needs to be added to the email header or the email subject. We can define the usage of the SBL default server. Let's actually do that first: "sbl-default-server". This tells the SRX device to use the default SBL server. We don't need to configure the SBL server's IP address; that's taken care of by the SRX device. We only need to configure that the SBL server should be used.

Press Enter, and let's repeat that command one more time: "set feature-profile anti-spam sbl profile anti-spam-profile ?", and let's define the blacklist. The keyword is "address-blacklist", and we'll reference the block list that we defined, "Blocklist". Press Enter, and we'll repeat the command one more time. We haven't told the SRX device what action we want to take for spam. Do we want to block it, or do we want to tag it? So we'll use the same command again: "set feature-profile anti-spam sbl profile anti-spam-profile ?", and the keyword we will use here is "spam-action". With a question mark we have the options over here: "block", "tag-header", or "tag-subject". If we choose the option to tag, for example "tag-header", we can then define the custom string to be used. But right now, we are just going to set this to "block". Okay, let's do a "show" now. So we've defined the default configuration, the feature profile, and the custom objects. Next, we need to define a UTM policy. So "set utm-policy", and now we need to provide a name. Let's call this "anti-spam-policy". Then a question mark, and we're configuring "anti-spam".

With another question mark we see "smtp-profile", and we'll reference the antispam profile that we defined: "set utm-policy anti-spam-policy anti-spam smtp-profile anti-spam-profile". Notice that Junos also has a default antispam profile called "junos-as-defaults", but we are going to override that with the profile that we've created. Press Enter; let's do a "show". So we've configured everything under "edit security utm". Now we need to reference the UTM policy in a security policy. So we'll go to the top and navigate to "edit security policies from-zone trust to-zone untrust". We'll also go into the specific policy; the name of the policy is "default-permit". If we do a "show" here, we can see that it's matching a source address, a destination address, and an application, and the action is set to permit. We'll use the "set" command, and we'll say "set then permit ?", and we'll use the keyword "application-services", then "utm-policy ?". And here we have the policy that we configured, called "anti-spam-policy". Press Enter and let's do a "show". And now we have the antispam policy configured. So that's about the configuration part. The key takeaway here is that with the antispam filtering service, you can define custom allow lists, custom block lists, or you can configure the use of a spam block list. Also bear in mind that Junos does not recommend replacing your existing antispam server with the UTM antispam feature. It's meant to complement it, not replace it. And there are a couple of ways in which you can handle spam. You can choose to block spam emails, or you can choose to tag the header or the subject of the email.
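The five antispam steps as one set-format configuration, added here as an example and not taken from the course or from Juniper. It configures both a local allow list and a local block list alongside the SBL, so the lookup order from the concepts section (allow list, then block list, then SBL) comes into play, and it uses "tag-subject" instead of "block" so the lecture's tagging option is shown as well; the list entries and the name-server address are constructed documentation values, and the zone and policy names are the lecture's.

```junos
# Prerequisite for server-based filtering: the SRX must reach the Internet and
# resolve names. 192.0.2.53 is a constructed placeholder for your DNS server.
set system name-server 192.0.2.53

# Step 1: enable antispam filtering using a server-based spam block list (SBL).
set security utm default-configuration anti-spam type sbl

# Step 2 (optional): local lists as url-pattern custom objects. Values may be
# IP addresses, domain names or email addresses; all of these are constructed.
set security utm custom-objects url-pattern Allowlist value 192.0.2.25
set security utm custom-objects url-pattern Allowlist value partner.example.com
set security utm custom-objects url-pattern Blocklist value 198.51.100.25
set security utm custom-objects url-pattern Blocklist value bulk@mailer.example.net

# Step 3 (optional): feature profile. The allow list is consulted first, then the
# block list, then the SBL, so 192.0.2.25 is accepted even if the SBL lists it.
set security utm feature-profile anti-spam sbl profile anti-spam-profile sbl-default-server
set security utm feature-profile anti-spam sbl profile anti-spam-profile address-whitelist Allowlist
set security utm feature-profile anti-spam sbl profile anti-spam-profile address-blacklist Blocklist
# Tag rather than drop: the string is prepended to the Subject so the downstream
# mail server (which UTM complements, not replaces) can quarantine on it.
set security utm feature-profile anti-spam sbl profile anti-spam-profile spam-action tag-subject
set security utm feature-profile anti-spam sbl profile anti-spam-profile custom-tag-string "[SPAM]"

# Step 4: UTM policy. Antispam inspects SMTP only, so smtp-profile is the one binding.
set security utm utm-policy anti-spam-policy anti-spam smtp-profile anti-spam-profile

# Step 5: attach the UTM policy to the security policy that carries the SMTP traffic.
set security policies from-zone trust to-zone untrust policy default-permit then permit application-services utm-policy anti-spam-policy

# After "commit", verify from operational mode:
#   show security utm anti-spam status
#   show security utm anti-spam statistics
```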
