Filter and Transmit Threat and Attack Logs to ClearPass
The SRX Series Firewall transmits the threat and attack logs recorded to the ClearPass Policy Manager (CPPM). You can also configure the threats and attacks related to a specific device and their users. CPPM can use the log data to harden the security.
Understanding How the Integrated ClearPass Feature Detects Threats and Attacks and Notifies the CPPM
The integrated ClearPass authentication and enforcement feature allows you to integrate your device with the ClearPass Policy Manager (CPPM) to obtain authenticated user identity information. It also allows the device to send attack and threat logs to the CPPM. This topic focuses on sending attack and threat logs to the CPPM.
When the device features detect threat and attack events, the event is recorded in the device event log. The device uses syslog to forward the logs to the CPPM. The CPPM can evaluate the logs and take action based on matching conditions. As administrator of ClearPass, you can use the information from the device and define appropriate actions on the CPPM to harden your security.
Junos OS on the SRX Series Firewall generates over 100 different types of log entries issued by more than 10 of its modules. Among the device features that generate threat and attack logs are SCREENS, IDP, and Content Security. To avoid overburdening the SRX Series Firewall and the log server, the integrated ClearPass feature allows you to configure the device to send to the CPPM only attack and threat log entries that were written to the event log in response to activity detected by the SCREENS, IDP, and Content Security features.
You can set the following conditions to control the log transmission:
A log stream filter to ensure that only threat and attack logs are sent.
A rate limiter to control the transmission volume. The device log transmission will not exceed the rate-limiting conditions that you set.
For the CPPM to analyze the log information that the sends to it, the content must be formatted in a standard, structured manner. The device log transmission follows the syslog protocol, which has a message format that allows vendor-specific extensions to be provided in a structured way.
Here is an example of an attack log generated by IDP:
<14>1 2014-07-24T1358.362+08:00 bjsolar RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.86 epoch-time="1421996988" message-type="SIG" source-address="192.0.2.66" source-port="32796" destination-address="192.0.2.76" destination-port="21" protocol-name="TCP" service-name="SERVICE_IDP" application-name="NONE" rule-name="1" rulebase-name="IPS" policy-name="idpengine" export-id="4641"repeat-count="0" action="NONE" threat-severity="MEDIUM" attack-name="FTPROOT" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="0.0.0.0" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="untrust" source-interface-name="ge-0/0/1.0" destination-zone-name="trust" destination-interface-name="ge-0/0/7.0" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
Table 1 uses the content of this example IDP attack log to identify the parts of an attack log entry. See SRX Series Threat and Attack Logs Sent to Aruba ClearPass for further details on types of attack and threat logs.
Log Entry Component |
Meaning |
Format |
Example |
|---|---|---|---|
Priority |
pri = LOG_USER + severity. Version is always 1 |
pri version |
<14>1 |
Time and Time Zone |
When the log was recorded and in what time zone. |
y-m-dThs.ms+time zone
|
2014-07-24T1358.362+08:00 |
Device/Host Name |
Name of the device from which the event log was sent. This value is configured by the user. |
string, hostname |
bjsolar |
Service Name |
SRX Series feature that issued the event log. |
string service |
SERVICE_IDP |
Application Name |
Application that generated the log entry. |
string application-name |
NONE |
PID |
Process ID. The process ID is not meaningful in this context, so pid is replaced by “-”. The value “-” is a placeholder for process ID. |
pid |
- |
Errmsg Tag |
Log ID name, error message tag. |
string, log-name and tag |
IDP_ATTACK_LOG_EVENT |
Errmsg Tag Square Bracket |
Log content enclosed in square brackets. |
[ ] |
- |
OID |
Product ID provided by the chassis daemon (chassisd). |
junos@oid |
junos@2636.1.1.1.2.86 |
Epoch Time |
The time when the log was generated after the epoch. |
number |
1421996988 |
SRX Series Threat and Attack Logs Sent to Aruba ClearPass
The SRX Series integrated ClearPass authentication and enforcement feature collaborates with Aruba ClearPass in protecting a company’s resources against potential and actual attacks through use of attack and threat event logs. These logs that are generated by the SRX Series SCREENS, IDP, and Content Security components clearly identify the types of attacks and threats that threaten a company’s network security.
The SRX Series Firewall filters from the overall log entries the logs that report on threat and attack events, and it forwards these log entries to the ClearPass Policy Manager (CPPM) to be used in assessing and enforcing the company’s security policy. The SRX Series Firewall transmits the logs in volumes determined by the rate-limiting conditions that you set.
Table 2 identifies the types of threat and attack log entries and the events that they represent.
Log Type |
Description |
|---|---|
RT_SCREEN_ICMP |
ICMP attack |
RT_SCREEN_ICMP_LS |
|
RT_SCREEN_IP |
IP attack |
RT_SCREEN_IP_LS |
|
RT_SCREEN_TCP |
TCP attack |
RT_SCREEN_TCP_LS |
|
RT_SCREEN_TCP_DST_IP |
TCP destination IP attack |
RT_SCREEN_TCP_DST_IP_LS |
|
RT_SCREEN_TCP_SRC_IP |
TCP source IP attack |
RT_SCREEN_TCP_SRC_IP_LS |
|
RT_SCREEN_UDP |
UDP attack |
RT_SCREEN_UDP_LS |
|
AV_VIRUS_DETECTED_MT |
Virus infection A virus was detected by the antivirus scanner. |
AV_VIRUS_DETECTED_MT_LS |
|
ANTISPAM_SPAM_DETECTED_MT |
spam The identified e-mail was detected to be spam. |
ANTISPAM_SPAM_DETECTED_MT_LS |
|
IDP_APPDDOS_APP_ATTACK_EVENT |
Application-level distributed denial of service (AppDDoS) attack The AppDDoS attack occurred when the number of client transactions exceeded the user-configured connection, context, and time binding thresholds. |
IDP_APPDDOS_APP_ATTACK_EVENT_LS |
|
IDP_APPDDOS_APP_STATE_EVENT |
AppDDoS attack The AppDDoS state transition occurred when the number of application transactions exceeded the user-configured connection or context thresholds. |
IDP_APPDDOS_APP_STATE_EVENT_LS |
|
IDP_ATTACK_LOG_EVENT |
Attack discovered by IDP IDP generated a log entry for an attack. |
IDP_ATTACK_LOG_EVENT_LS |
Example: Configuring Integrated ClearPass to Filter and Rate-limit Threat and Attack Logs
The SRX Series Firewall can dynamically send to the ClearPass Policy Manager (CPPM) information about threats and attacks identified by its security modules that protect network resources. It detects attack and attack threats that pertain to the activity of specific devices and their users, and it generates corresponding logs. To control this transmission, you must configure the type of logs to be sent and the rate at which they are sent. You can then use this information in setting policy rules on the CPPM to harden your network security.
This example shows how to configure the SRX Series integrated ClearPass authentication and enforcement feature to filter and transmit only threat and attack logs to the CPPM and to control the volume and rate at which the SRX Series Firewall transmits them.
Requirements
The topology for this example uses the following hardware and software components:
Aruba CPPM implemented in a virtual machine (VM) on a server. The CPPM is configured to use its local authentication source to authenticate users.
SRX Series Firewall running Junos OS that includes the integrated ClearPass feature. The SRX Series Firewall is connected to the Juniper Networks EX4300 switch and to the Internet. The SRX Series Firewall communicates with ClearPass over a secure connection.
Juniper Networks EX4300 switch used as the wired 802.1 access device. The EX4300 Layer 2 switch connects the endpoint users to the network. The SRX Series Firewall is connected to the switch.
Wired, network-connected PC running Microsoft OS. The system is directly connected to the EX4300 switch.
Threat and attack logs are written for activity from these devices triggered by events that the security features catch and protect against.
Overview
The SRX Series integrated ClearPass authentication and enforcement feature participates with Aruba ClearPass in protecting your company’s resources against actual and potential attacks. The SRX Series Firewall informs the CPPM about threats to your network resources and attacks against them through logs that it sends. You can then use this information to assess configuration of your security policy on the CPPM. Based on this information, you can harden your security in regard to individual users or devices.
To control the behavior of this feature, you must configure the SRX Series Firewall to filter for attack and threat log entries and set rate-limiting conditions.
You can tune the behavior of this function in the following ways:
Set a filter to direct the SRX Series Firewall to send only threat and attack logs to the CPPM. This filter allows you to ensure that the SRX Series Firewall and the log server do not need to handle irrelevant logs.
Establish rate limit conditions to control the volume of logs that are sent.
You set the rate-limit parameter to control the volume and rate that logs are sent. For example, you can set the rate-limit parameter to 1000 to specify that a maximum of 1000 logs are sent to ClearPass in 1 second. In this case, if there is an attempt to send 1015 logs, the number of logs over the limit—15 logs, in this case—would be dropped. The logs are not queued or buffered.
You can configure a maximum of three log streams with each individual log defined by its destination, log format, filter, and rate limit. Log messages are sent to all configured log streams. Each stream is individually rate-limited.
To support rate-limiting, log messages are sent out from the device’s local SPU at a divided rate. In the configuration process, the Routing Engine assigns a divided rate to each SPU. The divided rate is equal to the configured rate divided by the number of SPUs on the device:
divided-rate = configured-rate/number-of-SPUs
Topology
Figure 1shows the topology for this example.
Configuration
This example covers how to configure a filter to select threat and attack logs to be sent to ClearPass. It also covers how to set a rate limiter to control the volume of logs sent during a given period. It includes these parts:
- CLI Quick Configuration
- Configuring Integrated ClearPass Authentication and Enforcement to Filter for Threat and Attack Logs Sent to the CPPM
- Results
CLI Quick Configuration
To quickly configure this example, copy the following statements, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the statements into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security log stream threat-attack-logs host 203.0.113.47 set security log mode stream set security log source-interface ge-0/0/1.0 set security log stream to_clearpass format sd-syslog set security log stream to_clearpass filter threat-attack set security log stream to_clearpass rate-limit 1000
Configuring Integrated ClearPass Authentication and Enforcement to Filter for Threat and Attack Logs Sent to the CPPM
Step-by-Step Procedure
Specify a name for the log stream and the IP address of its destination.
[edit security] user@host# set security log stream threat-attack-logs host 203.0.113.47
Set the log mode to stream.
[edit security] user@host# set log mode stream
Set the host source interface number.
[edit security] user@host#set log source-interface ge-0/0/1.0
Set the log stream to use the structured syslog format for sending logs to ClearPass through syslog.
[ edit security] user@host# set log stream to_clearpass format sd-syslog
Specify the type of events to be logged.
[edit security] user@host# set log stream to_clearpass filter threat-attack
Note:This configuration is mutually exclusive in relation to the current category set for the filter.
Set rate limiting for this stream. The range is from 1 through 65,535.
This example specifies that up to 1000 logs per second can be sent to ClearPass. When the maximum is reached, any additional logs are dropped.
[ edit security] user@host# set log stream to_clearpass rate-limit 1000
Results
From configuration mode, confirm your configuration for interfaces by entering the show interfaces command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
mode stream;
source-interface ge-0/0/1.0;
stream threat-attack-logs {
host {
203.0.113.47;
}
}
stream to_clearpass {
format sd-syslog;
filter threat-attack;
rate-limit {
1000;
}
}