Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Juniper Networks Security Intelligence


Juniper Networks Security Intelligence (SecIntel) is a security framework that protects webservers in the DMZ against evolving security threats by employing threat detection software, both local and cloud-based security information, and control software with a next-generation firewall system.

SecIntel delivers dynamic threat intelligence to the firewall. It enables automatic and dynamic traffic filtering at both the network and application layers. A SecIntel solution includes, at a minimum, one or more Juniper Networks SRX Series Services Gateways and Spotlight Secure Connector, a premises-hosted application that accepts and distributes threat intelligence information to enforcement points. In addition, the SecIntel framework integrates Juniper Networks WebApp Secure, which protects websites from attackers by using Web intrusion prevention to detect, track, profile, and block attackers in real time, and Log Director for detailed logging, reporting, and event visualization of SRX Series activity. Optional Spotlight Secure cloud-based threat intelligence feeds provide a stream of information about evolving threats that is gathered, analyzed, and prioritized by Juniper Networks from multiple collection points.

SecIntel offers the following features:

  • Dynamic security policies and flexible enforcement options on the firewall to react to rapidly changing threats. The security policy on the firewall can use dynamic intelligence sources, both local and cloud based. The SecIntel security policy enables a wide range of enforcement actions beyond just “allow” or “deny.”

  • An open platform approach that can adapt to customer needs and use cases. You can easily employ local intelligence and third-party information sources in threat recognition.

  • Tunable controls. The SecIntel security policy recognizes threat levels, which allows you to fine-tune your security policy response to different types of threats.

  • Centrally managed security data for one or many firewalls. One control point brokers the feeds from the data sources and passes the information directly to the firewall security policies.

  • Actionable intelligence with fewer false positives. Normalized threat scores enable intuitive security policies. Cloud-based security intelligence and prioritized threat feeds maximize firewall resources.

SecIntel employs the following threat-detection mechanisms:

  • Juniper Networks WebApp Secure—WebApp Secure protects websites from attackers. Its Web intrusion prevention system uses deception to detect, track, profile, and block attackers in real time by inserting detection points into your webserver's output to identify attackers before they can do damage. WebApp Secure then tracks the attackers, profiles their behavior, and deploys countermeasures.

    WebApp Secure sits between your webservers and the outside world. It inspects HTTP and HTTPS traffic and functions as a reverse proxy. WebApp Secure seeks out potential attack attempts or probes by adding detection points to outbound Web traffic and removing detection points from inbound Web traffic. These detection points are transparent to common, legitimate users. It then monitors and strips these points from the requests coming back from the user's browser. Any change to a detection point is an indicator of an attempted attack. The system logs incidents to a database of attacker profiles and exposes them to the security administrators through a Web-based interface. System administrators can then apply automated abuse-prevention policies or respond manually.

SecIntel uses the following information sources:

  • Spotlight Secure—Spotlight Secure, formerly known as Spotlight Cloud, is a cloud-based dynamic intelligence service for WebApp Secure. It enables a two-way communication process that shares information about attackers and attacks to and from a Spotlight server run by Juniper Networks. The updates allow WebApp Secure to positively identify attackers that have attacked other Juniper customers. This service also provides additional details about sessions, which allows Juniper to make more informed decisions on how to respond to threats. The Spotlight Secure service provides the following information feeds that target the following specific threats:

    Spotlight Command and Control

    • Blocks Command and Control (CC) connections.

    • Blocks botnet activity.

    • Identifies and isolates internal infections.

    Spotlight GeoIP

    • Blocks traffic from specified countries.

  • Local and third-party information—You can create allowlists and blocklists using locally derived information and use it as part of your firewall security policies. A allowlist is a list of known IP addresses that you trust, and a blocklist identifies IP addresses that you do not trust. You configure the lists through Spotlight Secure Connector. Typically, you configure a security policy to either allow traffic from allowlist addresses and prevent everything else or block blocklist address traffic and allow everything else. You can create your own lists or obtain lists from a third-party vendor.

Spotlight Secure Connector is the central connection point between information sources and enforcement points. Spotlight Secure Connector receives the information feeds from Spotlight Secure and from the locally defined information sources, and makes that threat information available to the enforcement points. Spotlight Secure Connector manages the flow of threat information and serves as the interface where the security administrator defines and publishes security policies to the enforcement points. Spotlight Secure Connector is a virtual machine that runs within the Juniper Space Fabric and is managed through Security Director. Junos Space is a comprehensive network management solution that enables management applications that improve the agility of network platforms and applications.


The Spotlight Secure Connector information consumers periodically query Spotlight Secure Connector for updates. Spotlight Secure Connector does not push data to the consumers.

Figure 1: Junos Space > Security Director > Security Intelligence
Junos Space > Security Director > Security Intelligence

Enforcement points (security devices):

  • SecIntel uses SRX Series Services Gateways as enforcement points.

    SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers. SRX Series deliver next-generation firewall protection with application awareness, intrusion prevention system (IPS), and extensive user role-based control options. Next-generation firewalls can perform full packet inspection and can apply security policies based on Layer 7 information. You configure security policies from within Spotlight Secure Connector and then publish them to the enforcement points. The Security Intelligence Supported Platforms Guide provides complete details on supported enforcement points.

Security Intelligence in the Network

Figure 2 shows the how the components of the SecIntel solution work together.

Figure 2: Security Intelligence in the Network
Security Intelligence in the Network

Spotlight Secure delivers optimized threat intelligence on known threats to Spotlight Secure Connector.

Spotlight Secure Connector brings together all the available threat intelligence and makes it available to the security policies on the enforcement point. One instance of Spotlight Secure Connector can support many enforcement points with threat intelligence from Spotlight Secure, from local and third-party sources, and from evolving threat information discovered by WebApp Secure.

As the threat intelligence is updated on Spotlight Secure Connector, the SRX Series enforcement point can poll Spotlight Secure Connector and update the security policy threat intelligence on the deployed security policies.

Webserver traffic is monitored by WebApp Secure for new threats while the SRX Series enforcement point security policies perform real-time enforcement.

Web application traffic is protected.

Enforcement actions include discarding or redirecting network traffic that is identified as a threat. All threat events are logged by Log Director.