Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Filter and Transmit Threat and Attack Logs to ClearPass

 

The SRX Series device transmits the threat and attack logs recorded to the ClearPass Policy Manager (CPPM). You can also configure the threats and attacks related to a specific device and their users. CPPM can use the log data to harden the security.

Understanding How the Integrated ClearPass Feature Detects Threats and Attacks and Notifies the CPPM

The integrated ClearPass authentication and enforcement feature allows you to integrate your device with the ClearPass Policy Manager (CPPM) to obtain authenticated user identity information. It also allows the device to send attack and threat logs to the CPPM. This topic focuses on sending attack and threat logs to the CPPM.

When the device features detect threat and attack events, the event is recorded in the device event log. The device uses syslog to forward the logs to the CPPM. The CPPM can evaluate the logs and take action based on matching conditions. As administrator of ClearPass, you can use the information from the device and define appropriate actions on the CPPM to harden your security.

Junos OS on the SRX Series device generates over 100 different types of log entries issued by more than 10 of its modules. Among the device features that generate threat and attack logs are SCREENS, IDP, and UTM. To avoid overburdening the SRX Series device and the log server, the integrated ClearPass feature allows you to configure the device to send to the CPPM only attack and threat log entries that were written to the event log in response to activity detected by the SCREENS, IDP, and UTM security features.

You can set the following conditions to control the log transmission:

  • A log stream filter to ensure that only threat and attack logs are sent.

  • A rate limiter to control the transmission volume. The device log transmission will not exceed the rate-limiting conditions that you set.

For the CPPM to analyze the log information that the sends to it, the content must be formatted in a standard, structured manner. The device log transmission follows the syslog protocol, which has a message format that allows vendor-specific extensions to be provided in a structured way.

Here is an example of an attack log generated by IDP:

Table 1 uses the content of this example IDP attack log to identify the parts of an attack log entry. See SRX Series Threat and Attack Logs Sent to Aruba ClearPass for further details on types of attack and threat logs.

Table 1: Attack Log Fields Using Example Log

Log Entry Component

Meaning

Format

Example

Priority

pri = LOG_USER + severity. Version is always 1

pri version

<14>1

Time and Time Zone

When the log was recorded and in what time zone.

y-m-dThs.ms+time zone

  • y = year

  • m=month

  • d = day

  • T+hours

2014-07-24T1358.362+08:00

Device/Host Name

Name of the device from which the event log was sent. This value is configured by the user.

string, hostname

bjsolar

Service Name

SRX Series feature that issued the event log.

string service

SERVICE_IDP

Application Name

Application that generated the log entry.

string application-name

NONE

PID

Process ID.

The process ID is not meaningful in this context, so pid is replaced by “-”.

The value “-” is a placeholder for process ID.

pid

-

Errmsg Tag

Log ID name, error message tag.

string, log-name and tag

IDP_ATTACK_LOG_EVENT

Errmsg Tag Square Bracket

Log content enclosed in square brackets.

[ ]

-

OID

Product ID provided by the chassis daemon (chassisd).

junos@oid

junos@2636.1.1.1.2.86

Epoch Time

The time when the log was generated after the epoch.

number

1421996988

SRX Series Threat and Attack Logs Sent to Aruba ClearPass

The SRX Series integrated ClearPass authentication and enforcement feature collaborates with Aruba ClearPass in protecting a company’s resources against potential and actual attacks through use of attack and threat event logs. These logs that are generated by the SRX Series SCREENS, IDP, and UTM components clearly identify the types of attacks and threats that threaten a company’s network security.

The SRX Series device filters from the overall log entries the logs that report on threat and attack events, and it forwards these log entries to the ClearPass Policy Manager (CPPM) to be used in assessing and enforcing the company’s security policy. The SRX Series device transmits the logs in volumes determined by the rate-limiting conditions that you set.

Table 2 identifies the types of threat and attack log entries and the events that they represent.

Table 2: Threat and Attack Log Entries Generated by SRX Series Components

Log Type

Description

RT_SCREEN_ICMP

ICMP attack

RT_SCREEN_ICMP_LS

RT_SCREEN_IP

IP attack

RT_SCREEN_IP_LS

RT_SCREEN_TCP

TCP attack

RT_SCREEN_TCP_LS

RT_SCREEN_TCP_DST_IP

TCP destination IP attack

RT_SCREEN_TCP_DST_IP_LS

RT_SCREEN_TCP_SRC_IP

TCP source IP attack

RT_SCREEN_TCP_SRC_IP_LS

RT_SCREEN_UDP

UDP attack

RT_SCREEN_UDP_LS

AV_VIRUS_DETECTED_MT

Virus infection

A virus was detected by the antivirus scanner.

AV_VIRUS_DETECTED_MT_LS

ANTISPAM_SPAM_DETECTED_MT

spam

The identified e-mail was detected to be spam.

ANTISPAM_SPAM_DETECTED_MT_LS

IDP_APPDDOS_APP_ATTACK_EVENT

Application-level distributed denial of service (AppDDoS) attack

The AppDDoS attack occurred when the number of client transactions exceeded the user-configured connection, context, and time binding thresholds.

IDP_APPDDOS_APP_ATTACK_EVENT_LS

IDP_APPDDOS_APP_STATE_EVENT

AppDDoS attack

The AppDDoS state transition occurred when the number of application transactions exceeded the user-configured connection or context thresholds.

IDP_APPDDOS_APP_STATE_EVENT_LS

IDP_ATTACK_LOG_EVENT

Attack discovered by IDP

IDP generated a log entry for an attack.

IDP_ATTACK_LOG_EVENT_LS

Example: Configuring Integrated ClearPass to Filter and Rate-limit Threat and Attack Logs

The SRX Series device can dynamically send to the ClearPass Policy Manager (CPPM) information about threats and attacks identified by its security modules that protect network resources. It detects attack and attack threats that pertain to the activity of specific devices and their users, and it generates corresponding logs. To control this transmission, you must configure the type of logs to be sent and the rate at which they are sent. You can then use this information in setting policy rules on the CPPM to harden your network security.

This example shows how to configure the SRX Series integrated ClearPass authentication and enforcement feature to filter and transmit only threat and attack logs to the CPPM and to control the volume and rate at which the SRX Series device transmits them.

Requirements

The topology for this example uses the following hardware and software components:

  • Aruba CPPM implemented in a virtual machine (VM) on a server. The CPPM is configured to use its local authentication source to authenticate users.

  • SRX Series device running Junos OS that includes the integrated ClearPass feature. The SRX Series device is connected to the Juniper Networks EX4300 switch and to the Internet. The SRX Series device communicates with ClearPass over a secure connection.

  • Juniper Networks EX4300 switch used as the wired 802.1 access device. The EX4300 Layer 2 switch connects the endpoint users to the network. The SRX Series device is connected to the switch.

  • Wired, network-connected PC running Microsoft OS. The system is directly connected to the EX4300 switch.

    Threat and attack logs are written for activity from these devices triggered by events that the security features catch and protect against.

Overview

The SRX Series integrated ClearPass authentication and enforcement feature participates with Aruba ClearPass in protecting your company’s resources against actual and potential attacks. The SRX Series device informs the CPPM about threats to your network resources and attacks against them through logs that it sends. You can then use this information to assess configuration of your security policy on the CPPM. Based on this information, you can harden your security in regard to individual users or devices.

To control the behavior of this feature, you must configure the SRX Series device to filter for attack and threat log entries and set rate-limiting conditions.

You can tune the behavior of this function in the following ways:

  • Set a filter to direct the SRX Series device to send only threat and attack logs to the CPPM. This filter allows you to ensure that the SRX Series device and the log server do not need to handle irrelevant logs.

  • Establish rate limit conditions to control the volume of logs that are sent.

    You set the rate-limit parameter to control the volume and rate that logs are sent. For example, you can set the rate-limit parameter to 1000 to specify that a maximum of 1000 logs are sent to ClearPass in 1 second. In this case, if there is an attempt to send 1015 logs, the number of logs over the limit—15 logs, in this case—would be dropped. The logs are not queued or buffered.

You can configure a maximum of three log streams with each individual log defined by its destination, log format, filter, and rate limit. Log messages are sent to all configured log streams. Each stream is individually rate-limited.

Note

To support rate-limiting, log messages are sent out from the device’s local SPU at a divided rate. In the configuration process, the Routing Engine assigns a divided rate to each SPU. The divided rate is equal to the configured rate divided by the number of SPUs on the device:

Topology

Figure 1shows the topology for this example.

Figure 1: Integrated ClearPass Authentication and Enforcement Deployment Topology
Integrated ClearPass Authentication and Enforcement
Deployment Topology

Configuration

This example covers how to configure a filter to select threat and attack logs to be sent to ClearPass. It also covers how to set a rate limiter to control the volume of logs sent during a given period. It includes these parts:

CLI Quick Configuration

To quickly configure this example, copy the following statements, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the statements into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring Integrated ClearPass Authentication and Enforcement to Filter for Threat and Attack Logs Sent to the CPPM

Step-by-Step Procedure

  1. Specify a name for the log stream and the IP address of its destination.
  2. Set the log mode to stream.
  3. Set the host source interface number.
  4. Set the log stream to use the structured syslog format for sending logs to ClearPass through syslog.
  5. Specify the type of events to be logged.
    Note

    This configuration is mutually exclusive in relation to the current category set for the filter.

  6. Set rate limiting for this stream. The range is from 1 through 65,535.

    This example specifies that up to 1000 logs per second can be sent to ClearPass. When the maximum is reached, any additional logs are dropped.

Results

From configuration mode, confirm your configuration for interfaces by entering the show interfaces command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.