
Spotlight Secure Connector Information Source Overview


The first step in configuring the connector is to set up your data feeds or information sources. Spotlight Secure Connector supports three information sources:

  • Custom files

  • Spotlight Cloud

  • WebApp Secure

The following data categories can be obtained from one or more of the information sources.

Information Source    Data Feed
------------------    -------------------------
Custom files          Allowlist and blocklists
Spotlight Cloud       GeoIP, C&C
WebApp Secure         WebApp Secure threats

Allowlist and Blocklists

Generally speaking, an allowlist is a list of known IP addresses that you trust, and a blocklist is a list of addresses that you do not trust. See Example Blocklist. Depending on your requirements, you can set up the connector either to allow what is on the allowlist and prevent everything else, or to prevent what is on the blocklist and allow everything else. You can create your own list or obtain a list from a third-party vendor.

Example Blocklist

These lists can be stored locally on a system or posted on a webserver. See Figure 1. When the list is on a webserver, Spotlight Secure Connector periodically polls the webserver and dynamically updates the security device with the addresses. Alternatively, the list can be assigned to a dynamic address group and used as a source or destination match in the security policy.

Allowlists and blocklists must be ASCII text files with one entry per line. See Example Blocklist.

Figure 1: Using the Custom File Source for Allowlist and Blocklists

With this release, Spotlight Secure Connector supports only the IP record format.

The IP record format can be any of the following:

  • IP Address—Supports only IPv4 addresses with this release; for example, 172.16.254.1.

  • IP Range—A span of addresses, written either as a start and end address, for example 172.16.0.0 – 172.31.255.255, or with a per-octet range and wildcard, for example 122.140.201-205.*

  • CIDR—Classless Interdomain Routing (CIDR) notation specifies an IP address and its associated routing prefix; for example, 192.168.0.0/24.
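The following script is added here as a worked example; it is not part of Spotlight Secure Connector or its documentation. It parses a custom list file in the three record formats above, rejects entries the format does not allow (IPv6, malformed CIDR), and reports which entry covers a given address. The connector's exact grammar for the per-octet range form is not published on this page, so the rule used below (each octet is a number, a lo-hi range, or *) is an assumption, and the sample feed is constructed.

```python
"""Parse and validate a Spotlight Secure custom allowlist/blocklist file.

Added example; not code from the Spotlight Secure Connector. It accepts
the three IP record formats the page lists (single IPv4, range, CIDR).
The per-octet wildcard rule ("122.140.201-205.*") is an assumption about
the connector's grammar, not a published specification.
"""
import ipaddress
import re

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "start - end" with two full addresses; accepts a hyphen or an en dash.
_RANGE_RE = re.compile(r"^(%s)\s*[-\u2013]\s*(%s)$" % (_IPV4, _IPV4))
# "a.b.c-d.*": each octet is a number, "lo-hi", or "*" (assumed grammar).
_OCTET = r"(?:\d{1,3}-\d{1,3}|\d{1,3}|\*)"
_WILDCARD_RE = re.compile(r"^%s$" % r"\.".join([_OCTET] * 4))


def _octet_bounds(tok):
    """(lo, hi) for one wildcard octet token; ValueError if outside 0..255."""
    if tok == "*":
        return 0, 255
    parts = tok.split("-")
    lo, hi = int(parts[0]), int(parts[-1])
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet %r out of range" % tok)
    return lo, hi


def parse_record(line):
    """Parse one feed entry into (kind, matcher); matcher(IPv4Address) -> bool.

    Raises ValueError for anything the format does not allow, including
    IPv6, which this release does not support.
    """
    text = line.strip()
    if not text:
        raise ValueError("empty entry")

    m = _RANGE_RE.match(text)
    if m:
        start = ipaddress.IPv4Address(m.group(1))
        end = ipaddress.IPv4Address(m.group(2))
        if end < start:
            raise ValueError("range end precedes start: %s" % text)
        return "range", lambda ip: start <= ip <= end

    if _WILDCARD_RE.match(text) and ("*" in text or "-" in text):
        bounds = [_octet_bounds(tok) for tok in text.split(".")]
        # ip.packed yields the four octets as ints, in order.
        return "range", lambda ip: all(
            lo <= octet <= hi for (lo, hi), octet in zip(bounds, ip.packed))

    if "/" in text:
        # strict=False keeps an entry such as 192.168.0.1/24 (host bits set);
        # a fifth octet or a bad prefix still raises ValueError.
        net = ipaddress.IPv4Network(text, strict=False)
        return "cidr", lambda ip: ip in net

    host = ipaddress.IPv4Address(text)  # raises ValueError for IPv6 or junk
    return "ip", lambda ip: ip == host


def parse_feed(text):
    """Parse a whole file. Returns (records, errors): records is a list of
    (line_no, kind, entry, matcher); errors is a list of (line_no, message).
    Blank lines are skipped so a trailing newline does not fail the file."""
    records, errors = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            kind, matcher = parse_record(line)
            records.append((no, kind, line.strip(), matcher))
        except ValueError as exc:
            errors.append((no, str(exc)))
    return records, errors


def lookup(records, address):
    """Return the first record that covers `address`, or None."""
    ip = ipaddress.IPv4Address(address)
    for rec in records:
        if rec[3](ip):
            return rec
    return None


# Constructed sample feed (not a real blocklist): ASCII, one entry per line.
# The last two lines are deliberately invalid for this release's format.
SAMPLE_FEED = """\
172.16.254.1
172.16.0.0 - 172.31.255.255
122.140.201-205.*
192.168.0.0/24
192.168.0.1.0/24
2001:db8::1
"""

if __name__ == "__main__":
    recs, errs = parse_feed(SAMPLE_FEED)
    for no, kind, entry, _ in recs:
        print("line %d: %-5s %s" % (no, kind, entry))
    for no, msg in errs:
        print("line %d: REJECTED (%s)" % (no, msg))
    for probe in ("172.20.1.1", "122.140.203.77", "10.0.0.1"):
        hit = lookup(recs, probe)
        print(probe, "->", hit[2] if hit else "no match")
```

Run it against a list before pointing the connector at it: an entry the parser rejects here is one the connector will either drop or misread, and a rejected line is easier to find by line number than by a feed that silently fails to store.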

Once created, you can add your list to the Global Allowlist or Global Blocklist profile. See Figure 2. You can also use these lists in dynamic address groups.

Figure 2: Creating a Global Blocklist Profile

Geolocation IP Address

Geolocation software uses an IP address to estimate a user's geographic location by identifying the country or organization to which that address is assigned. The technology is widely used in industries such as banking, travel, and health care to prevent fraud, serve targeted marketing content, and perform other functions. Because the mapping is only as accurate as the registry data behind it and can be sidestepped with a proxy or VPN, treat GeoIP as a coarse control rather than as proof of where a client is.

With Security Intelligence, you can use GeoIP address feeds to allow or deny traffic to or from a particular geographic region. The GeoIP feed itself is downloaded from the Spotlight Cloud; you apply it through dynamic address groups, in which you define either a list of allowed countries or a list of countries to exclude. See Figure 3.

Figure 3: Creating a GeoIP Dynamic Address Group

You can create only one Spotlight Cloud information source. Once created, all available Spotlight Cloud feeds are automatically downloaded to the connector for use. See Figure 4.

Figure 4: Example of the Spotlight Cloud Information Source

Unlike static address groups where you specify the host’s network address, dynamic address groups let you define fields or tags as identifiers. With dynamic address groups you can add or remove hosts in the list without having to reconfigure the security device.

Command and Control Lists

A bot, also called a web robot, is a program that runs automated tasks over the Internet. After a computer is taken over by a bot, it can be used to steal personal information, send spam e-mail, launch distributed denial of service (DDoS) attacks, and perform other malicious actions. Bots are usually part of a collection of infected computers, ranging from a few to several thousand, called a botnet. A botnet is controlled from a central system called the command and control (C&C) server.

With Security Intelligence, the SRX Series device can mitigate traffic when an infected device attempts to contact a known C&C server by comparing the traffic against the C&C IP address and URL feeds. See Figure 5.

Figure 5: Security Intelligence and Infected Host Detection

You can download C&C feeds only from the Spotlight Cloud. You cannot create your own C&C feed, but you can create custom blocklists to block specific IP addresses or URLs. Once you create a Spotlight Cloud information source, all Spotlight Cloud feeds are automatically downloaded to the connector for use. See Figure 6.

Figure 6: Specifying the C&C Source in Security Director

Then you can create a profile and policy to mitigate C&C threats. See Figure 7. You can also use C&C lists in dynamic address groups.

Figure 7: Creating a C&C Profile in Security Director

WebApp Secure Threats

Once an attacker is identified and fingerprinted on one subscriber's network by WebApp Secure, the attacker profile is shared with other subscribers, providing a real-time security solution. Because the profile describes the fingerprinted attacker rather than only a source address, this approach provides better accuracy than IP-based reputation feeds. See Figure 8.

Figure 8: Example WebApp Secure Deployment

Figure 9 shows the dialog box for adding a WebApp Secure information source. Note that you must also configure the WebApp Secure device with the same information.

Figure 9: Creating a WebApp Secure Information Source

The group name lets you push feeds to multiple WebApp Secure devices: all devices with the same group name receive the same feed. In the example in Figure 10, connector 1 pushes feeds to WebApp Secure 1 through 4. WebApp Secure 1 and WebApp Secure 2 share a group name and therefore receive the same feeds. WebApp Secure 3 and WebApp Secure 4 share a different group name, so they receive the same feeds as each other but different feeds from WebApp Secure 1 and WebApp Secure 2.

Figure 10: Group Names Receive the Same Feeds

About Custom Address Lists

When you import a list, either from your local system or from a server, it is categorized as a Custom Address List feed. See Figure 11. At this point, Security Intelligence does not yet know whether the list is an allowlist, a blocklist, or a list to be used as a dynamic address group.

Figure 11: Custom Address List Feed Category

If you configure a custom address feed as a blocklist or an allowlist, it becomes a Security Intelligence policy. If you configure it as a dynamic address group, it becomes a firewall policy. This gives you flexibility in creating rules. For example, suppose you have a GeoIP dynamic address group set up as a firewall policy to block a region, but there are certain IP addresses within that region that you want to allow. You can create an allowlist containing those addresses and attach it as a Security Intelligence policy to that firewall rule; because the allowlist is evaluated before GeoIP, those specific addresses are allowed while the rest of the region stays blocked.

Note that Spotlight Secure policies take priority over firewall policies, and the sources are evaluated in the following order (highest priority first):

  • allowlist

  • blocklist

  • C&C

  • GeoIP
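To see what this ordering means for a concrete address, the following added example (not connector code) resolves an address against the four sources in that order, so that the first source covering the address decides the action. It reproduces the scenario above: a GeoIP group blocks a whole region while an allowlist exempts two hosts inside it. The policy, its networks and the pretend "region" are constructed, and Python's ipaddress module stands in for the device's own matching.

```python
"""Resolve an address against Spotlight Secure sources in priority order.

Added example, not connector code. It models the precedence this page
states (allowlist, then blocklist, then C&C, then GeoIP): the first source
that covers the address decides the action. The policy below, its
networks and the GeoIP "region" are constructed for illustration, and
Python's ipaddress module stands in for the device's own matching.
"""
import ipaddress

# Sources in decreasing priority, as listed on this page.
PRIORITY = ("allowlist", "blocklist", "cc", "geoip")


def resolve(address, sources, default="allow"):
    """Return (action, source, entry) for the highest-priority source whose
    entries cover `address`, or (default, None, None) when none does.

    `sources` maps a source name to (action, [networks or hosts]).
    `default` is "allow" for a blocklist-style deployment, or "block" for an
    allowlist-only deployment where everything not listed is prevented.
    """
    ip = ipaddress.ip_address(address)
    for name in PRIORITY:                      # evaluation order is the point
        if name not in sources:
            continue
        action, entries = sources[name]
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            if ip in net:
                return action, name, str(net)
    return default, None, None


# Constructed policy for the scenario in the text: a GeoIP dynamic address
# group blocks a whole region, but two hosts in it must stay reachable.
# One of those hosts is also on the blocklist, which the allowlist outranks.
POLICY = {
    "geoip":     ("block", ["203.0.113.0/24"]),      # pretend region
    "cc":        ("block", ["198.51.100.0/24"]),     # pretend C&C feed
    "blocklist": ("block", ["192.0.2.0/24"]),
    "allowlist": ("allow", ["203.0.113.25", "192.0.2.7"]),
}

if __name__ == "__main__":
    for probe in ("203.0.113.25", "203.0.113.99", "192.0.2.7",
                  "192.0.2.8", "198.51.100.5", "10.1.1.1"):
        print(probe, "->", resolve(probe, POLICY))
    # Same policy in allowlist-only mode: unlisted addresses are prevented.
    print("10.1.1.1 (allow-only) ->", resolve("10.1.1.1", POLICY, default="block"))
```

The check worth keeping from this is the second-to-last case: an address that appears on both the allowlist and the blocklist is allowed, because the allowlist is consulted first. Put an address on the allowlist only when that outcome is intended.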

Feed Status

The Feed Status page shows the feed's current state on the SRX Series device. The Detailed Status column shows the feed status; its values are pending, storing, and store succeeded. If the status is store succeeded, the feed is active on the SRX Series device, and the Last Update Time column shows when the feed was last successfully downloaded to the device. See Figure 12.

Figure 12: Feed Status Information