Encrypted Traffic Insights Overview

Access this page from the Monitor > Encrypted Traffic menu.

Encrypted traffic insights helps you detect malicious threats hidden in encrypted traffic without intercepting or decrypting that traffic.

Benefits of encrypted traffic insights

Table 58 lists the information that is available on the Encrypted Traffic Insights page.

Table 58: Encrypted Traffic Insights

Field                      Guideline
External Server IP         The IP address of the external server.
External Server Hostname   The host name of the external server.
Highest Threat Level       The threat level of the external server based on encrypted traffic insights.
Count                      The number of times hosts on the network have attempted to contact this server.
Country                    The country where the external server is located.
Last Seen                  The date and time of the most recent external server hit.
Category                   Additional category information known about this server, for example, botnets or malware.

Encrypted Traffic Insights and Detection

Encrypted traffic insights combines rapid response and network analysis (both static and dynamic) to detect and remediate malicious activity hidden in encrypted sessions. Figure 22 shows the staged approach for encrypted traffic insights.

Figure 22: Encrypted Traffic Insights and Detection


Workflow

This section provides the topology and workflow to perform encrypted traffic insights.

Figure 23 shows the logical topology of the encrypted traffic insights workflow.

Figure 23: Topology for encrypted traffic insights


Step 1: A client host located behind an SRX Series device requests a file to be downloaded from the Internet.

Step 2: The SRX Series device receives the response from the Internet, extracts the server certificate from the session, and compares its signature with the blocklist of certificate signatures. If a match occurs, the connection is blocked.

Note: The Juniper Networks ATP Cloud feed keeps the SRX Series device up to date with certificates associated with known malware sites.

Step 3: The SRX Series device collects the session metadata and connection statistics and sends them to ATP Cloud for analysis.

Step 4: ATP Cloud performs behavioral analysis to classify the traffic as benign or malicious.

Step 5: If a malicious connection is detected, the threat score of the host is recalculated. If the new score is above the threshold, the client host is added to the infected host list. The client host might then be blocked, depending on the policy configuration on the SRX Series device.

Configurations on SRX Series Devices

Procedure

To enable encrypted traffic insights on SRX Series devices, include the following CLI configurations:

  1. Configure the security-metadata-streaming policy.

    set services security-metadata-streaming policy policy-name http action permit

    set services security-metadata-streaming policy policy-name http notification log

  2. Attach the security-metadata-streaming policy to a security firewall policy.

    set security policies from-zone zone-name to-zone zone-name application-services security-metadata-streaming-policy policy-name

Use the show services security-metadata-streaming statistics command to view the statistics of the security metadata streaming policy.

show services security-metadata-streaming statistics

user@host> show services security-metadata-streaming statistics
Security Metadata Streaming session statistics:
  Session inspected:    10
  Session whitelisted:   0
  Session detected:      6

Security Metadata Streaming submission statistics:
  Records submission success:         8
  Records submission failure:         2

To view the list of servers that are allowlisted for encrypted traffic insights, use the show services security-metadata-streaming whitelist command.

show services security-metadata-streaming whitelist

user@host> show services security-metadata-streaming whitelist
No. IP-start IP-end Feed Address
1 192.0.5.0 192.0.5.1 eta_custom_whitelist ID-80001400
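As an added example (not Juniper's code), the following Python parses the two command outputs shown above into counters and allowlist ranges, so a monitoring job can alert when metadata records stop reaching ATP Cloud and can check whether a given external server IP falls inside an allowlisted range. The sample outputs are constructed from the ones on this page.

```python
import ipaddress
import re

# Constructed sample output, modelled on the two show commands documented above.
STATS_OUTPUT = """\
Security Metadata Streaming session statistics:
  Session inspected:    10
  Session whitelisted:   0
  Session detected:      6
Security Metadata Streaming submission statistics:
  Records submission success:         8
  Records submission failure:         2
"""
WHITELIST_OUTPUT = """\
No. IP-start IP-end Feed Address
1 192.0.5.0 192.0.5.1 eta_custom_whitelist ID-80001400
"""

def parse_statistics(text):
    """Map each counter label (e.g. 'Session detected') to its integer value."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(\d+)\s*$", line)
        if m:  # section headings end in ':' with no number, so they are skipped
            counters[m.group(1)] = int(m.group(2))
    return counters

def submission_failure_rate(counters):
    """Fraction of metadata records that did not reach ATP Cloud (0.0 if none sent)."""
    ok = counters.get("Records submission success", 0)
    bad = counters.get("Records submission failure", 0)
    return bad / (ok + bad) if ok + bad else 0.0

def parse_allowlist(text):
    """Return (start, end, feed, feed_id) tuples from the whitelist table."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit():  # skips the column header
            _, start, end, feed, feed_id = parts
            entries.append((ipaddress.IPv4Address(start), ipaddress.IPv4Address(end), feed, feed_id))
    return entries

def allowlist_match(ip, entries):
    """Return the feed id whose range covers ip, or None if ip is not allowlisted."""
    addr = ipaddress.IPv4Address(ip)
    for start, end, _feed, feed_id in entries:
        if start <= addr <= end:
            return feed_id
    return None
```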
