Security Intelligence and Custom Feeds
The Juniper Security Intelligence Solution (SecIntel) is designed so that you can customize it for your unique environment. For example, you can define allowlist and blocklist feeds based on local information or from a third party and include it within the SecIntel enforcement configuration.
Your custom security intelligence information that is used for policy enforcement can be provided by a trusted third party or generated from known IP addresses. The custom information must be posted in a file that is accessible to Spotlight Secure Connector. Spotlight Secure Connector polls the file according to a configured schedule and updates the SRX Series enforcement point security policy without an explicit commit or configuration change. Figure 1 shows how SecIntel uses allowlists and blocklists to protect a network.
The security administrator creates formatted lists that contain allowlisted IP addresses and blocklisted IP addresses. The security administrator can use local information and also third-party lists. The information only needs to be formatted according to the simple rules appropriate for use with Spotlight Secure Connector.
Spotlight Secure Connector makes the information available to security policies on the SRX Series enforcement point.
As the threat intelligence is updated on Spotlight Secure Connector, the SRX Series enforcement point can poll Spotlight Secure Connector to keep security policy threat intelligence updated on the deployed security policies.
All traffic that matches the feed data is handled according to the security policy configuration. Allowlisted addresses are allowed to pass while block listed addresses are blocked. The SRX Series enforcement point security policies perform real-time enforcement. All threat events are logged by Log Director.
Web application traffic is protected. False positive and false negatives are minimized.