
Dynamic Address Entry and Security Intelligence Services

In a typical security environment, traffic flowing across an enforcement point is evaluated against a security policy that is defined on that enforcement point. When a policy match occurs, a specific action, such as block, is applied to the traffic. The threat information that is used by the security policy to evaluate the traffic, typically IP source and destination addresses, is part of the policy.

A Dynamic Address Entry (DAE) provides dynamic IP address information to security policies. A DAE is a group of IP addresses, not just a single IP prefix, that can be imported into Spotlight Secure Connector from external sources. These IP addresses are for specific domains or for entities that have a common attribute such as a particular undesired location that poses a threat. The administrator can then configure security policies to use the DAE within a security policy. When the DAE is updated, the changes automatically become part of the security policy. There is no need to update the policy manually.

Any data source that is available to Spotlight Secure Connector can be used as a DAE.

Dynamic Address Entry Configuration on the SRX Series Enforcement Point for Security Intelligence

Security Intelligence feeds support security policy enforcements without requiring a configuration commit action. After you have created a security policy through Security Director and published it to one or more SRX Series enforcement points, updated threat intelligence updates are passed from Spotlight Secure Connector to the SRX Series enforcement point automatically.

A category is a list of feeds of the same type. The type defines SRX Series enforcement point criteria for feed lookup and enforcement. A feed is a collection of objects, and an object defines criteria for a positive threat match. A SecIntel object can be of the following types:

  • IP addresses—IPv4 or IPv6 Classless Interdomain Routing (CIDR) ranges, prefixes, or a single address entry.

  • Command and Control servers—IP addresses, URLs, and domain names. SRX Series enforcement points support IPv4 URLs for Command and Control (CC) objects.

  • WebApp Secure—IP addresses and session cookies that WebApp Secure uses to track potentially malicious (Web) clients.

An object is declared as matched only if all the criteria within that object have matched. For example, a CC object might have IP, URL, domain name, and/or IPS signature in combination or in isolation.

Some typical examples of object matching criteria include the following:

  • Always allow specific IP addresses (allowlist) to minimize false positives.

  • Always deny or redirect certain IP addresses (blocklist) to minimize false negatives.

The security policy enforces the following policy match hierarchy:

  • Firewall policies. Allowlist, blocklist, and other policies including GeoIP are matched first.

  • SecIntel service policies based on allowlist feeds, blocklist feeds, and other service feeds including CC and WebApp Secure feeds.

The Dynamic Address Entry (DAE) feature allows feed-based IP objects to be used in security policies to either deny or allow traffic based on either source or destination IP criteria. The key difference with DAE is that feed data on SRX Series enforcement points can be updated dynamically; no configuration commit action is required.

A security administrator defines the DAE as an import of IP objects (an IP list feed) using Security Director, and uses the DAE in firewall security policies.
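The behaviour described above, modelled as an added Python example that is not Juniper code and not part of this page: a policy rule references a DAE by name, a rule fires only when all of its criteria match, the allowlist rule is ordered ahead of the blocklist rule, and refreshing a feed changes what a rule matches without the rule itself changing. Feed names, addresses and rule names are constructed for illustration.

```python
import ipaddress

# Constructed sample feeds (not real threat data). Each feed is a list of
# IPv4/IPv6 CIDR ranges, prefixes or single addresses, as the page describes.
FEEDS = {
    "corp-allowlist": ["203.0.113.0/24", "2001:db8:1::/48"],
    "cc-blocklist": ["198.51.100.7", "192.0.2.0/24"],
}

class DynamicAddressEntry:
    # Named group of prefixes; the policy references the name, never the prefixes.
    def __init__(self, name, feed_name):
        self.name, self.feed_name, self.networks = name, feed_name, []
        self.refresh()

    def refresh(self):
        # Re-read the feed. The policy that references this DAE is untouched,
        # which is the "no commit required" property of feed-driven objects.
        self.networks = [ipaddress.ip_network(e, strict=False)
                         for e in FEEDS.get(self.feed_name, [])]
        return len(self.networks)

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.networks)   # v4/v6 mismatch -> False

class Rule:
    def __init__(self, name, action, source=None, destination=None):
        self.name, self.action = name, action            # action: permit|deny
        self.source, self.destination = source, destination

    def matches(self, src, dst):
        # A rule fires only when every criterion it carries matches (the page's
        # "all criteria within that object" rule); absent criteria match anything.
        return ((self.source is None or self.source.contains(src)) and
                (self.destination is None or self.destination.contains(dst)))

def evaluate(rules, src, dst):
    # First match wins; the allowlist rule is ordered ahead of the blocklist
    # rule so a feed update can never block a known-good source.
    for rule in rules:
        if rule.matches(src, dst):
            return rule.name, rule.action
    return "default", "deny"

def build_policy():
    allow = DynamicAddressEntry("dae-allow", "corp-allowlist")
    cc = DynamicAddressEntry("dae-cc", "cc-blocklist")
    return allow, cc, [Rule("permit-allowlist", "permit", source=allow),
                       Rule("deny-cc", "deny", destination=cc),
                       Rule("permit-any", "permit")]
```

Appending a prefix to FEEDS["cc-blocklist"] and calling refresh() on the DAE changes the verdict for that destination while the three rules stay exactly as built.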

The properties for IP lists can include the following:

  • Severity

  • GeoIP filters (Country, County, City, Zip, and so on)