Integrate AWS GuardDuty with vSRX Virtual Firewall
Solution Overview
Amazon Web Services (AWS) GuardDuty is a continuous security monitoring service that identifies unexpected, potentially unauthorized, and malicious activity within your AWS environment. The threats detected by AWS GuardDuty are sent as a security feed to the vSRX Virtual Firewall in your AWS environment. The vSRX Virtual Firewall can access the feed either by downloading it directly from the AWS S3 bucket or, if the firewall device is enrolled with ATP Cloud, by having it pushed to the device along with the ATP Cloud security intelligence (SecIntel) feeds. In turn, the vSRX Virtual Firewall enables you to act on the feed and block or log connections to the threat sources it identifies. For more information about AWS components, see the AWS Documentation.
The deployment scenarios that are supported in this solution are:
Direct Integration of AWS GuardDuty with vSRX Virtual Firewall
You don’t need a Juniper ATP Cloud license for this deployment. The threat feeds from AWS GuardDuty are processed by an AWS Lambda function and then stored in an AWS S3 bucket. You must configure and deploy the AWS Lambda function. Once deployed, the Lambda function translates the AWS GuardDuty findings into a list of malicious IP addresses and URLs. The resulting list is stored in a configured AWS S3 bucket in a format that the vSRX Virtual Firewall can ingest. You must configure the vSRX Virtual Firewall to periodically download the threat feeds from the AWS S3 bucket. You must also ensure that the IDP signature package is already installed on your firewall device so that traffic can match the SecIntel policy.
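The translation step that the Lambda function performs, as an added example that is not Juniper's code and not the code from the GitHub repository: it reads GuardDuty findings in the EventBridge detail shape, keeps those at or above an assumed minimum severity, drops RFC 1918 addresses so an internal host never lands on the block feed, and renders an assumed one-indicator-per-line feed. The S3 upload is omitted and the sample findings are constructed.

```python
import ipaddress

MIN_SEVERITY = 4.0  # assumption: only findings at or above this GuardDuty severity are fed to vSRX
# RFC 1918 ranges are never emitted, so an internal host cannot land on the block feed.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _remote_ips(action):
    """Yield remote IPv4 addresses for the action types a GuardDuty finding carries."""
    if action.get("actionType") == "PORT_PROBE":
        for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
            yield probe.get("remoteIpDetails", {}).get("ipAddressV4", "")
    else:  # NETWORK_CONNECTION and AWS_API_CALL carry a single remoteIpDetails block
        for key in ("networkConnectionAction", "awsApiCallAction"):
            yield action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4", "")

def extract_indicators(findings):
    """Return de-duplicated, sorted (ips, domains) from findings at or above MIN_SEVERITY."""
    ips, domains = set(), set()
    for finding in findings:
        if float(finding.get("severity", 0)) < MIN_SEVERITY:
            continue
        action = finding.get("service", {}).get("action", {})
        for raw in _remote_ips(action):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:  # field absent or malformed
                continue
            if not any(addr in net for net in INTERNAL):
                ips.add(str(addr))
        domain = action.get("dnsRequestAction", {}).get("domain")
        if domain:
            domains.add(domain.lower().rstrip("."))
    return sorted(ips, key=ipaddress.ip_address), sorted(domains)

def render_feed(ips, domains):
    """Assumed feed layout for the S3 object: one indicator per line, IPs before domains."""
    return "\n".join(ips + domains) + "\n"

# Constructed sample findings (not real GuardDuty output), shaped like the EventBridge 'detail'.
SAMPLE_FINDINGS = [
    {"severity": 8, "service": {"action": {"actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "203.0.113.10"}}}}},
    {"severity": 5, "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
        "portProbeDetails": [{"remoteIpDetails": {"ipAddressV4": "203.0.113.10"}},
                             {"remoteIpDetails": {"ipAddressV4": "10.0.0.5"}}]}}}},
    {"severity": 2, "service": {"action": {"actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}},
    {"severity": 7, "service": {"action": {"actionType": "DNS_REQUEST",
        "dnsRequestAction": {"domain": "Malicious.Example."}}}},
]
```

Running `render_feed(*extract_indicators(SAMPLE_FINDINGS))` yields the duplicate probe address once, the low-severity and internal addresses dropped, and the domain normalized to lower case.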
Figure 1: Direct Ingestion of threat feeds by vSRX Virtual Firewall
Integration of AWS GuardDuty with vSRX Virtual Firewall using ATP Cloud
You must install a Juniper ATP Cloud premium license on your SRX Series Firewalls and vSRX Virtual Firewalls for this deployment. The threat feeds from AWS GuardDuty are processed by the AWS Lambda function. You must configure and deploy the Lambda function and enable ATP Cloud on your vSRX Virtual Firewall. The AWS Lambda function sends the threat feed to ATP Cloud (uploading the feeds to the C&C category) using the ATP Cloud OpenAPIs. The threat feeds are then pushed to all enrolled vSRX Virtual Firewalls along with the ATP Cloud security intelligence (SecIntel) feeds.
Figure 2: Ingestion of threat feeds through ATP Cloud
Workflow to Integrate AWS GuardDuty with vSRX Virtual Firewall
- Retrieve Necessary Files from GitHub Repository
- Configure S3 Bucket
- Configure GuardDuty
- Configure Lambda Function
- Configure CloudWatch
- Configure Direct Integration of vSRX Virtual Firewall with AWS GuardDuty
- Configure vSRX Virtual Firewall with AWS GuardDuty using ATP Cloud
- Use case for AWS GuardDuty
Retrieve Necessary Files from GitHub Repository
To retrieve the necessary files:
Configure S3 Bucket
This step is required only if the threat feeds are ingested directly by the vSRX Virtual Firewall. You do not need to configure an S3 bucket if the threat feeds are ingested through ATP Cloud.
Configure GuardDuty
To configure AWS GuardDuty:
Configure Lambda Function
To create the Lambda function:
Configure CloudWatch
Create CloudWatch rules that specify GuardDuty as the event source and the Lambda function as the event target.
To create rules:
Configure Direct Integration of vSRX Virtual Firewall with AWS GuardDuty
The following section lists the CLI configuration that is required on the vSRX Virtual Firewall.
This example configures a profile name, a profile rule, and the threat level scores. Any feed entry that matches these threat level scores is treated as malware or an infected host. The ATP Cloud threat level maps one-to-one to the severity level in AWS GuardDuty.
You can change the severity level in AWS GuardDuty at any time, but it must always match the threat level that you configure on your vSRX Virtual Firewall.
To configure vSRX Virtual Firewall with AWS GuardDuty (without using ATP Cloud):
To check the security intelligence statistics, use the show services security-intelligence statistics command.
> show services security-intelligence statistics
Logical system: root-logical-system
  Category CC:
    Profile secintel_profile:
      Total processed sessions: 0
      Permit sessions: 0
      Block drop sessions: 0
      Block close sessions: 0
      Close redirect sessions: 0
Configure vSRX Virtual Firewall with AWS GuardDuty using ATP Cloud
To configure vSRX Virtual Firewall with AWS GuardDuty using ATP Cloud:
To check the security intelligence update status, use the show services security-intelligence update status command.
> show services security-intelligence update status
Current action        :Downloading feed cc_ip_data (20200330.35) in category CC.
Last update status    :Feed cc_ip_data (20200330.4) of category CC not changed
Last connection status:succeeded
Last update time      :2020-03-30 14:42:05 PDT
To check the security intelligence statistics, use the show services security-intelligence statistics command.
> show services security-intelligence statistics
Logical system: root-logical-system
  Category Whitelist:
    Profile Whitelist:
      Total processed sessions: 337
      Permit sessions: 0
  Category Blacklist:
    Profile Blacklist:
      Total processed sessions: 337
      Block drop sessions: 0
  Category CC:
    Profile secintel_profile:
      Total processed sessions: 337
      Permit sessions: 0
      Block drop sessions: 337
      Block close sessions: 0
      Close redirect sessions: 0
  Category Infected-Hosts:
    Profile ih_profile:
      Total processed sessions: 0
      Permit sessions: 0
      Block drop sessions: 0
      Block close sessions: 0
      Close redirect sessions: 0
No additional configuration is required in the ATP Cloud Web portal when the vSRX Virtual Firewall is integrated with ATP Cloud. All settings, including the SecIntel configuration, are created automatically when you enroll the vSRX Virtual Firewall with ATP Cloud.
Use case for AWS GuardDuty
In this example, we configure the vSRX Virtual Firewall to download the threat feeds.