Step 2: Up and Running
Juniper Cloud Workload Protection agents inspect your web applications at runtime to automatically detect known and unknown vulnerabilities. In this section, we show you how to install agents, protect your web applications, view attacks, and remediate vulnerabilities in your test environment or block attacks in your production environment.
Install Juniper Cloud Workload Protection Agents
You can install Juniper Cloud Workload Protection agents in two separate environments:
- For applications in pre-production or development phase, use Juniper Cloud Workload Protection agents for interactive application security testing (IAST) to find vulnerabilities during the development phase. IAST scans the network for vulnerabilities, and detects and reports exploits. IAST works with third-party code and custom code to pinpoint the location of the vulnerable code at every stage.
- For applications in the production phase, use Juniper Cloud Workload Protection agents for runtime protection. Realtime attack protection detects and reports active exploits against your application without using a signature. You can automatically block attacks to secure your applications without additional software updates or manual intervention.
- Install Juniper Cloud Workload Protection Agents for Vulnerability Detection
- Install Juniper Cloud Workload Protection Agents for Runtime Protection
- Protect Web Applications and APIs
- Run the Sample Exploits Script
Install Juniper Cloud Workload Protection Agents for Vulnerability Detection
Juniper Cloud Workload Protection agents integrate with your CI/CD pipeline to find vulnerabilities. The agents provide information on the vulnerability, how it could be exploited, and how to fix it in your applications. This helps developers understand the severity of a vulnerability as well as how to remediate it at the source.
Here's how to install vulnerability detection agents on a node, VM, or EC2 instance in a Docker environment:
- Log in to the Juniper Cloud Workload Protection portal.
- Navigate to Installation.
- Select the VM/Node Installation option.
- Set the following options:
- Version: Select the latest available version (1.10.23).
- Installation mode: Docker.
- Policy Group Name: IAST.
Be sure you use the proper settings for these parameters as they determine which agent installation files are downloaded.
- Follow the instructions on the screen and download the zip file for VM installation on your Docker host.
- Unzip the downloaded file on your host.
unzip vm-all.zip
- Navigate to the extracted k2install directory.
cd k2install
- Install the Juniper Cloud Workload Protection agents. In this example, we'll use the prevent-web option (the default option).
bash k2install.sh -i prevent-web
- Verify that the prevent-web agent is running on the host system.
$ docker ps | grep -w "k2agent"
c77da5d434c5   k2cyber/k2-agent-v1:1.10.23   "/bin/bash -c '/usr/…"   3 minutes ago   Up 3 minutes   k2agent
- Click Finish to return to the main menu.
After you run the script, Juniper Cloud Workload Protection creates a policy.
To view the IAST policy, navigate to Policy > Web applications > Policies in the Juniper Cloud Workload Protection portal.
Select the IAST deployment environment and click the Edit/show policies actions icon to see policy details.
Install Juniper Cloud Workload Protection Agents for Runtime Protection
Here's how to install Juniper Cloud Workload Protection agents for runtime protection on a node, VM, or EC2 instance in a Docker container:
- Log in to the Juniper Cloud Workload Protection portal.
- Navigate to Installation.
- Select the VM/Node Installation option.
- Set the following options:
- Version: Select the latest available version (1.10.23).
- Installation mode: Docker.
- Policy Group Name: PRODUCTION.
Be sure you use the proper settings for these parameters as they determine which agent installation files are downloaded.
- Follow the instructions on the screen and download the zip file for VM installation on your Docker host.
- Unzip the downloaded file on your host.
unzip vm-all.zip
- Navigate to the extracted k2install directory.
cd k2install
- Install the Juniper Cloud Workload Protection agents. In this example, we'll use the prevent-web option (the default option).
bash k2install.sh -i prevent-web
- Verify that the prevent-web agent is running on the host system.
$ docker ps | grep -w "k2agent"
c77da5d434c5   k2cyber/k2-agent-v1:1.10.23   "/bin/bash -c '/usr/…"   3 minutes ago   Up 3 minutes   k2agent
- Click Finish to return to the main menu.
To view the production policy, navigate to Policy > Web applications > Policies in the Juniper Cloud Workload Protection portal.
Select the PRODUCTION deployment environment and click the Edit/show policies actions icon to see policy details.
Now you're ready to launch your applications with a language agent to protect your web applications and API.
Protect Web Applications and APIs
Juniper Cloud Workload Protection uses:
- RASP mode to stop hackers’ attempts to compromise web applications and data
- IAST mode to identify and manage security risks associated with vulnerabilities discovered in running web applications.
To enable RASP mode or IAST mode, you'll need to launch your application with a Juniper Cloud Workload Protection language agent on both servers: the one you use for applications in pre-production (IAST) and the one you use for applications in production (RASP).
Select a language type such as Java, Node.js, PHP, or Ruby and follow the instructions on the screen to attach the language agent.
Here's how to install and attach a Java Language Agent with your Java application hosted on your virtual machine. You can also select other environments such as Kubernetes, AWS ECS, AWS Fargate, and Windows.
- Locate the Java ACL in one of the following locations (LANGUAGE_COLLECTORS_HOME):
- For the root user: /opt/k2-ic
- For non-root users: ${HOME}/k2-ic, where ${HOME} points to the home directory of the Linux user.
- For a shareable directory: [sharable-directory]/k2-ic. The shareable directory is available in the env.properties file when you install the agent.
For any containerized Java web application (Docker/K8s), the host path LANGUAGE_COLLECTORS_HOME is mounted at /opt/k2-ic inside the container with the z option.
- Attach the Java ACL to the Java application by adding the following JVM argument to your application startup script:
-javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar
If you're using Java 9 or above, also add the java.sql module by adding the JVM argument --add-modules java.sql to your application startup script.
- Verify that the application is protected. In the Juniper Cloud Workload Protection portal, navigate to Applications on the left-side navigation bar and click the Protected processes tab.
Click the down arrow symbol next to the application path to view details for the protected application. You can identify protected applications by their host name or container name. The details confirm that your application is successfully registered and protected with Juniper Cloud Workload Protection.
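As an added example (this is not Juniper's code and not part of the original page), the following POSIX shell launcher applies the attach rules above: it resolves LANGUAGE_COLLECTORS_HOME for root, non-root, or a shareable directory, detects the Java major version, adds --add-modules java.sql only for Java 9 or later, and refuses to start the application if the agent jar is missing rather than silently running unprotected. The jar name, the directory rules, and the java.sql requirement come from this page; the function names, the APP_JAR and K2_SHARED_DIR variables, and the version parsing are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Juniper's own launcher. Assumed from the page: the jar
# K2-JavaAgent-1.0.0-jar-with-dependencies.jar, the /opt/k2-ic and ${HOME}/k2-ic
# locations, and --add-modules java.sql for Java 9+. Function names, APP_JAR
# and K2_SHARED_DIR are constructed for this example.

# Resolve LANGUAGE_COLLECTORS_HOME: shareable directory if given, otherwise
# /opt/k2-ic for root, otherwise ${HOME}/k2-ic for a non-root user.
# $1 = numeric uid, $2 = user's home directory, $3 = optional shareable directory
collectors_home() {
  if [ -n "${3:-}" ]; then
    printf '%s/k2-ic' "$3"
  elif [ "$1" -eq 0 ]; then
    printf '/opt/k2-ic'
  else
    printf '%s/k2-ic' "$2"
  fi
}

# Extract the Java major version from a `java -version` line or a bare
# version string: "1.8.0_292" -> 8, "17.0.2" -> 17, "11.0.9" -> 11.
# $1 = first line of `java -version` output, or a version string
java_major() {
  v=${1#*\"}; v=${v%%\"*}          # keep the quoted part, if quotes are present
  case "$v" in
    1.*) v=${v#1.}; printf '%s' "${v%%.*}" ;;   # legacy 1.x.y numbering
    *)   printf '%s' "${v%%[.-]*}" ;;           # modern numbering
  esac
}

# Build the JVM options that attach the agent; Java 9+ also gets java.sql.
# $1 = LANGUAGE_COLLECTORS_HOME, $2 = Java major version
agent_jvm_args() {
  args="-javaagent:$1/K2-JavaAgent-1.0.0-jar-with-dependencies.jar"
  if [ "$2" -ge 9 ]; then
    args="$args --add-modules java.sql"
  fi
  printf '%s' "$args"
}

# Succeed only if the agent jar is present under the collectors home.
# $1 = LANGUAGE_COLLECTORS_HOME
require_agent_jar() {
  [ -f "$1/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" ]
}

# Stand-alone usage: set APP_JAR (hypothetical) to your application jar and,
# optionally, K2_SHARED_DIR to the shareable directory from env.properties.
if [ -n "${APP_JAR:-}" ]; then
  K2_HOME=$(collectors_home "$(id -u)" "$HOME" "${K2_SHARED_DIR:-}")
  require_agent_jar "$K2_HOME" || { echo "agent jar not found under $K2_HOME" >&2; exit 1; }
  JAVA_VER_LINE=$(java -version 2>&1 | head -n 1)
  # Word splitting of the option string is intended here.
  exec java $(agent_jvm_args "$K2_HOME" "$(java_major "$JAVA_VER_LINE")") -jar "$APP_JAR"
fi
```

Run it as `APP_JAR=/path/to/app.jar sh launch.sh`; the process then shows up under Applications > Protected processes in the portal, and a missing jar fails the launch loudly instead of producing an unprotected process that looks healthy.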
Run the Sample Exploits Script
To verify that your configuration is working, run a sample test. We've provided a script in the k2install/demo_scripts/ folder of the installation on your host.
Run the run_script.sh script to generate exploitable vulnerabilities. When you run the script, the script launches the application in your environment and subsequently launches the attack. Juniper Cloud Workload Protection immediately detects these attacks, so that you can verify everything is working properly.
You can run this script against Java, Node.js, and NGINX web server targets, all running as Docker containers.
Use one of the following commands to run an exploit applicable to your setup:
bash run_script.sh sql-injection JAVA
bash run_script.sh verademo JAVA
bash run_script.sh forkexec JAVA
bash run_script.sh struts-cve-2017-5638 JAVA
bash run_script.sh easybuggy JAVA
bash run_script.sh spiracle JAVA
bash run_script.sh java-sec-code JAVA
bash run_script.sh tomcat-cve-2017-12617 JAVA
bash run_script.sh nginx BINARY
bash run_script.sh dnsmasq BINARY
bash run_script.sh node-demo-app sqli NODE.JS
bash run_script.sh node-demo-app rce NODE.JS
bash run_script.sh node-demo-app rci NODE.JS
bash run_script.sh node-demo-app ssrf NODE.JS
bash run_script.sh node-demo-app file-access NODE.JS
bash run_script.sh node-demo-app nosqli NODE.JS
The script fetches the relevant Docker container from the Internet, launches it on some local ports (8091 or 9090 by default) and returns the following message:
APPLICATION SETUP IS READY FOR ATTACK!
Press any key to continue. The script launches a local attack from the container, and displays one of the following messages:
- If you're running the script for a pre-production server (IAST), Juniper Cloud Workload Protection detects the attack but does not block it, and the script returns the following message:
ATTACK SUCCESSFUL
- If you're running the script for a production server (RASP), the script returns the following message:
K2 has detected an attack !
Juniper Cloud Workload Protection portal also reports detected and blocked attacks. You can see the detected attacks in the Juniper Cloud Workload Protection portal under the Attacks tab.
Runtime Protection through vSRX Virtual Firewall
You can set up runtime protection through a vSRX virtual firewall to efficiently block intruders with Juniper Cloud Workload Protection. As a first step, you'll need to integrate your vSRX instance with Juniper Cloud Workload Protection.
Juniper Cloud Workload Protection identifies threat sources by their IP address, and groups those addresses into a dynamic-address group in two separate feeds: one feed for allowed IP addresses, and one feed for blocked IP addresses (attacker's IP addresses). The vSRX instance uses these two feeds to create dynamic address entries in security policies to prevent intruders from accessing protected resources.
When you integrate a vSRX instance with Juniper Cloud Workload Protection, the portal provides a validated configuration for your vSRX instance. You can copy the configuration to your firewall and then modify it to match your policy configuration.
- Go to Settings > Firewall Integration. The page displays the list of firewalls, feeds, the allowlist and the blocklist.
- Click + on the right side of the page to add a new firewall configuration.
- Enter the following details in the Firewall Configuration window:
- Firewall: vSRX
- SNAT Enabled: False
- Policy configuration: False. When you select False, Juniper Cloud Workload Protection does not push the configuration to the vSRX instance; it displays a configuration that you can apply on your vSRX instance to adapt to the current environment.
- Firewall IP: IP address of your vSRX instance
- Blocked list feed: Select the blocked IP address list if you want to block IP addresses manually and automatically. Use the Blocked list tab to create a list of manually blocked IP addresses.
- Allowed list feed: Select the allowed IP address list if you want to allow IP addresses manually and automatically. Use the Allowed list tab to create a list of manually allowed IP addresses.
- Update Interval: Select 30 seconds. This is the time period at which the vSRX collects the information from Juniper Cloud Workload Protection.
- Click Create to save the details.
- Select the Blocked list tab and enter the IP addresses you want to block manually. Enter the following details:
- Firewall: Select the type of firewall from the drop-down list.
- Feed name: Select the feed name from the list.
- Blocked IP: Enter the IP address you want to block.
- Valid until: Select the duration for the validity of the blocked IP address.
- Click Save to save the details. Juniper Cloud Workload Protection adds blocked IP address entries automatically based on RASP detections.
- Select the Allowed list tab and enter the following details:
- Firewall: Select the type of firewall from the list.
- Feed name: Select the feed name from the list.
- Allowed IP: Enter the IP address you want to allow.
- Valid until: Select the duration for the validity of the allowed IP address.
- Click Save to save the details.
- Click View configuration. The Firewall Configuration window shows feed names for the allowed and blocked IP address lists.
- Click the Download policy configuration option to download the configuration template file on your host machine. You'll need to edit the configuration as per your requirements before applying it on your vSRX instance manually.
- You can also view the details of blocked IP addresses on your vSRX instance. An attack triggers a dynamic-address entry on the vSRX instance. Use the show security dynamic-address command to view the dynamic-address entry.
user@vSRX-host> show security dynamic-address
No.   IP-start   IP-end     Feed                 Address
1     10.7.9.1   10.7.9.1   DEFAULTALLOWEDLIST   DEFAULTALLOWEDLIST
2     10.1.1.2   10.1.1.2   DEFAULTBLOCKEDLIST   DEFAULTBLOCKEDLIST
Instance default Total number of matching entries: 2
Instance geoip Total number of matching entries: 0
Instance advanced-anti-malware Total number of matching entries: 0
The output shows that the allowed list and the blocked list are added as dynamic-address entries on the vSRX instance. In the output, the existing entries of IP address 10.7.9.1 (allowed list) and 10.1.1.2 (blocked list) are samples.
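As an added example (not Juniper's code and not part of the original page), the following POSIX shell functions check a captured show security dynamic-address listing in the layout shown above: they list the addresses attached to a feed, confirm that a given address has landed on the blocked feed after a detection, and report any address that appears on both the allowed and the blocked feed, since an entry on both lists leaves the effective policy ambiguous. The feed names and addresses come from the page's sample output; the sample text embedded here and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not Juniper's code. Feed names DEFAULTALLOWEDLIST and
# DEFAULTBLOCKEDLIST and the two addresses come from the page's sample output;
# the sample text and function names are constructed for this example.

# Constructed sample in the layout shown on this page. In practice you would
# capture it from the firewall, for example over ssh from a management host.
SAMPLE_OUTPUT='No.   IP-start   IP-end     Feed                 Address
1     10.7.9.1   10.7.9.1   DEFAULTALLOWEDLIST   DEFAULTALLOWEDLIST
2     10.1.1.2   10.1.1.2   DEFAULTBLOCKEDLIST   DEFAULTBLOCKEDLIST
Instance default Total number of matching entries: 2
Instance geoip Total number of matching entries: 0
Instance advanced-anti-malware Total number of matching entries: 0'

# List the IP-start addresses attached to one feed, one per line.
# Entry rows start with a row number; header and "Instance" lines are skipped.
# $1 = captured output, $2 = feed name
feed_ips() {
  printf '%s\n' "$1" | awk -v feed="$2" '$1 ~ /^[0-9]+$/ && $4 == feed { print $2 }'
}

# Succeed (exit 0) only if address $2 is present in feed $3 of output $1.
# Fixed-string, whole-line match so 10.1.1.2 cannot match 10.1.1.20.
ip_in_feed() {
  feed_ips "$1" "$3" | grep -qxF "$2"
}

# Print every address that appears on both feeds: such an entry is a policy
# conflict to resolve in the portal before relying on the blocklist.
# $1 = captured output, $2 = allowed feed name, $3 = blocked feed name
conflicting_ips() {
  allowed=$(feed_ips "$1" "$2")
  feed_ips "$1" "$3" | while read -r ip; do
    if printf '%s\n' "$allowed" | grep -qxF "$ip"; then
      printf '%s\n' "$ip"
    fi
  done
}

# Number of entries the firewall reports for the default instance (0 if the
# line is absent), useful as a quick sanity check that the feeds were pulled.
# $1 = captured output
default_instance_count() {
  printf '%s\n' "$1" | awk '/^Instance default/ { print $NF; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone usage on the constructed sample.
if ip_in_feed "$SAMPLE_OUTPUT" 10.1.1.2 DEFAULTBLOCKEDLIST; then
  echo "10.1.1.2 is on the blocked feed"
fi
conflicts=$(conflicting_ips "$SAMPLE_OUTPUT" DEFAULTALLOWEDLIST DEFAULTBLOCKEDLIST)
[ -z "$conflicts" ] && echo "no address is on both feeds" || echo "conflicts: $conflicts"
```

Feed the functions the output of your own firewall (for instance via a scheduled job that runs the command over ssh) to confirm that a detection reported in the portal has actually reached the vSRX within the configured update interval.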
You can integrate Juniper Cloud Workload Protection with both physical and virtual SRX Series devices. As a best practice, set up the integration at all connection points within your data center or cloud environment. Integration can include other vSRX instances on non-produced applications such as those that run on bare-metal servers, SRX Series firewalls running at the edge or perimeter of your network, and connectors to other data centers or cloud environments.
View Attacks
You can view the details of attacks that are blocked by Juniper Cloud Workload Protection using the Attacks option on the navigation bar. The Attacks page displays the incident name, the IP address of the intruder, the attack time, and details of the attack.
When an attack occurs, the most recent attack appears at the top of the page. Click Actions to block the attack or mark it as not an attack. Click Detail to gather more details on the attack.
Block Malicious API Calls and Intruders' IP Addresses
You can block malicious API calls from attackers and block intruders' IP addresses with Juniper Cloud Workload Protection.
Here's how to configure policies for vulnerability detection and runtime protection:
- Go to Policy > Web application.
- Click the edit button for your PRODUCTION policy (default policy). You'll see three sections at the top: Agent Config, Agent Policies, and Global Policy Parameters.
- Click the Agent Policies tab. Scroll to the Protection mode.
- Enable the following three options to enable attack protection mode along with detection and reporting:
- Protection Mode
- API blocking
- Protect all API's
Now you're all set with Juniper Cloud Workload Protection!