Configuring the SRX Series Devices to Block Infected Hosts

Procedure

1. Define a profile for both the infected host and CC. In this example, the infected host profile is named ih-profile and the action is block drop anything with a threat level higher than 5. The CC host profile is named cc-profile and is based on outbound requests to a C&C host, so add C&C rules to the profile (threat levels 8 and above are blocked.)

   root@host# 
   set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule match threat-level [5 6 7 8 9 10]
   root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule then action block drop
   root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule then log
   
   root@host# set services security-intelligence profile cc-profile category CC
   root@host# set services security-intelligence profile cc-profile rule CC_rule match threat-level [8 9 10] 
   root@host# set services security-intelligence profile cc-profile rule CC_rule then action block drop
   root@host# set services security-intelligence profile cc-profile rule CC_rule then log
   root@host# set services security-intelligence profile cc-profile default-rule then action permit

   As of Junos 18.1R1. there is support for the block action with HTTP URL redirection for Infected Hosts. During the processing of a session IP address, if the IP address in on the infected hosts list and HTTP traffic is using ports 80 or 8080, infected hosts HTTP redirection can be done. If HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done. See command below.

2. Verify your command using the show services security-intelligence CLI command. It should look similar to this:

   root@host# show services security-intelligence profile ih-profile
   category Infected-Hosts;
   rule if-rule {
       match {
           threat-level [ 5 6 7 8 9 10 ];
       }
       then {
           action {
               block {
                   drop;
               }
           }
           log;
       }
   }
   

   root@host# show services security-intelligence profile cc-profile
   category CC;
   rule CC_rule {
       match {
           threat-level [ 8 9 10 ];
       }
       then {
           action {
               block {
                   drop;
               }
           }
           log;
       }
   }
   

3. Configure the security intelligence policy to include both profiles created in Step 1. In this example, the policy is named infected-host-cc-policy.

   root@host# set services security-intelligence policy infected-host-cc-policy Infected-Hosts ih-profile
   root@host# set services security-intelligence policy infected-host-cc-policy CC cc-profile

4. Configure the firewall policy to include the security intelligence policy. This example sets the trust-to-untrust zone.

   root@host# set security policies from-zone trust to-zone untrust policy p2 match source-address any destination-address any application any
   root@host# set security policies from-zone trust to-zone untrust policy p2 then permit application-services security-intelligence-policy infected-host-cc-policy
   

5. Verify your command using the show security policies CLI command. It should look similar to this:

   root@host# show security policies
   ...
   from-zone trust to-zone untrust {
       policy p2 {
           match {
               source-address any;
               destination-address any;
               application any;
           }
           then {
               permit {
                   application-services {
                        security-intelligence-policy infected-host-cc-policy;
                   }
               }
           }
       }
   }
   ...
   [edit]

6. Commit your changes.