Integrate AWS GuardDuty with vSRX Firewalls

Solution Overview

Amazon Web Services (AWS) GuardDuty is a continuous security monitoring service that identifies unexpected, potentially unauthorized, and malicious activity within your AWS environment. The threats detected by AWS GuardDuty are sent as a security feed to the vSRX firewalls in your AWS environment. The vSRX firewalls can access the feed either by downloading it directly from an AWS S3 bucket or, if the firewall device is enrolled with ATP Cloud, by receiving it along with the ATP Cloud security intelligence (SecIntel) feeds. The vSRX firewall then lets you act on the feed and block or log connections to the threat sources it identifies. For more information about AWS components, see AWS Documentation.

The deployment scenarios that are supported in this solution are:

  • Direct Integration of AWS GuardDuty with vSRX firewalls

    You don’t need a Juniper ATP Cloud license for this deployment. The threat feeds from AWS GuardDuty are processed by an AWS Lambda function and then stored in an AWS S3 bucket. You must configure and deploy the AWS Lambda function. Once deployed, the Lambda function translates the AWS GuardDuty findings into a list of malicious IP addresses and URLs. The resulting list is stored in the configured AWS S3 bucket in a format that the vSRX firewalls can ingest. You must configure the vSRX firewalls to periodically download the threat feeds from the AWS S3 bucket. You must also ensure that the IDP signature package is already available on your firewall device; otherwise traffic does not hit the SecIntel policy.

    Figure 1: Direct Ingestion of threat feeds by vSRX Firewalls
  • Integration of AWS GuardDuty with vSRX firewalls using ATP Cloud

    You must install a Juniper ATP Cloud premium license on your SRX Series devices and vSRX instances for this deployment. The threat feeds from AWS GuardDuty are processed through the AWS Lambda function. You must configure and deploy the Lambda function and enable ATP Cloud on your vSRX firewalls. The AWS Lambda function sends the threat feed to ATP Cloud (upload feeds to C&C category) using OpenAPIs. The threat feeds are pushed to all enrolled vSRX firewalls along with the ATP Cloud security intelligence (SecIntel) feeds.

    Figure 2: Ingestion of threat feeds through ATP Cloud

Workflow to Integrate AWS GuardDuty with vSRX Firewalls

Retrieve Necessary Files from GitHub Repository

To retrieve necessary files:

  1. Navigate to GitHub repository https://github.com/Juniper/vSRX-AWS.
  2. Click the Code drop-down list.
  3. Click Download ZIP.

    The vSRX-AWS-master.zip file is downloaded onto your system. You will need the manifest.xml and cc_schema files found within the SRX-GD-Threatfeed folder.

Configure S3 Bucket

This step is required only if the threat feeds are ingested directly by the vSRX firewalls. You do not need to configure an S3 bucket if the threat feeds are ingested through ATP Cloud.

  1. Log in to your AWS Management Console and navigate to the Create Bucket page.
  2. Assign a name and a region to the S3 bucket.
  3. Uncheck the Block all public access option.
  4. Leave the remaining options at their defaults and click Create bucket.
    The green alert at the top confirms that the bucket was created.
  5. Click the newly created bucket to view more options.
  6. Under the Objects tab, click Upload and then Add Files to upload the two files retrieved earlier.
  7. Navigate to the cc_schema and manifest files and then click Upload.
  8. Select the two files, now listed on the Objects tab, and then click the Actions drop-down list.
  9. Choose Make Public.
    This action enables anyone to access and read the files.
  10. Click Make Public.
    Best Practice:
    • Make a note of the S3 bucket name for future reference.

    • The S3 bucket must always be publicly readable so that the SRX Series device can download the manifest and feed files from it.
    • Configure the S3 bucket so that download or read operations do not require any API keys.

    • Only the Lambda function should have write access to the S3 bucket.

    • For S3 configuration details, see Setting up Amazon S3.

Configure GuardDuty

GuardDuty findings can be exported either to an S3 bucket or to CloudWatch Events. In this solution we export the findings to CloudWatch Events. A CloudWatch Events rule then triggers the Lambda function, which converts the findings into a format compatible with the vSRX firewalls and pushes the result to the AWS S3 bucket.

To configure AWS GuardDuty:

  1. Log in to your AWS account.
  2. Click Services tab and search for GuardDuty.
  3. Select GuardDuty service.

    The GuardDuty Findings page appears displaying the list of events that are generated by GuardDuty.

  4. Click Settings in the left pane.

    The About GuardDuty page appears.

  5. In Finding export options section, select the frequency for updated findings. The available options are:
    • Update CWE and S3 every 6 hours (default)

    • Update CWE and S3 every 1 hour

    • Update CWE and S3 every 15 minutes

  6. Choose an option and click Save.

    Based on the frequency you selected, the GuardDuty service generates events at regular intervals and shares them with the CloudWatch Events (CWE) service.

Configure Lambda Function

The AWS Lambda function uploads GuardDuty findings to ATP Cloud using the ATP Cloud OpenAPI, or updates the AWS S3 bucket with the feed information in the standard SRX manifest file format. For the ATP Cloud path, Lambda must be configured with the application token generated per realm in the ATP Cloud Web Portal. The threat feed is available under the C&C category.

To create Lambda function:

  1. Navigate to Services > Lambda.
  2. Click Create Function.
  3. Assign a name to the Lambda function.
  4. Choose the runtime language the function will be written in, for example Python 3.6.
  5. In the Execution role section, choose Use an existing role.
  6. In the Existing role drop-down list, select the guardduty-lambdarole-test option.

    Open the link that now appears below the drop-down list to review the role details.

    Note:

    You must provide an appropriate Identity and Access Management (IAM) role. Create a new IAM role and assign it to the Lambda function. This enables the Lambda function to upload (write) objects to and read objects from the S3 bucket. For more information, see Create an IAM user.

  7. With the role details in order, return to the Lambda page and click Create Function.
  8. Upload the Lambda file.
    1. Log in to GitHub repository https://github.com/Juniper/vSRX-AWS, navigate to SRX-GD-ThreatFeed folder, and download the SRX-GD-ThreatFeed.zip lambda file.
    2. Navigate to Lambda > Functions > your_lambda_function_name.
    3. Click Actions > Upload a .zip file. Upload SRX-GD-ThreatFeed.zip file from Function code section.
    4. Click OK.

      The Lambda configurations are displayed in the Environment variables section. Follow the guidelines in Table 1 to configure Lambda.

  9. Configure Lambda function.
    1. Navigate to Lambda > Functions > your_lambda_function_name > Edit Environment variables.
    2. Complete the configurations according to guidelines provided in Table 1.
      Table 1: AWS Lambda Configurations

      MAX_ENTRIES
        Defines the maximum number of entries that will be retained in the corresponding data file. Older entries expire once this limit is reached.
        Default value: 10000. Range: 1000-100000. Example: 1000

      IP_FEED_NAME
        Defines the CC IP feed name, which is also the key name of the S3 data file. If a false-alarm entry needs to be removed, you must manually delete it from the key derived from the IP_FEED_NAME parameter.
        Example: custom_cc_(content_type)_data

      DNS_FEED
        Defines the CC DNS feed name, which is also the key name of the S3 data file. If a false-alarm entry needs to be removed, you must manually delete it from the key derived from the DNS_FEED parameter.
        Example: custom_cc_dns_(content_type)_data

      S3_BUCKET
        Name of the S3 bucket. The bucket name is also used in the S3 URL.
        Example: guardduty-integration-test

      SEVERITY_LEVEL
        Level beyond which AWS GuardDuty event IPs/URLs are added to the feed file.
        Note: Severity Level maps one-to-one with ATP Cloud Threat Levels.
        Default value: 8. Range: 1-10. Example: 4

      SKY_APPLICATION_TOKEN
        Used to upload entries through the ATP Cloud OpenAPI. You must log in to the Juniper ATP Cloud Web Portal and generate the application token. You must have at least one device configured with a premium license to generate the application token.
        Example: TOKEN_VALUE

      SKY_OPENAPI_BASE_PATH
        Base path for the Sky Open APIs, which are used to upload feeds from the Lambda function to ATP Cloud.
        Example: https://threat-api.sky.junipersecurity.net/v1/cloudfeeds

      FEED_TTL
        Time to Live (TTL) in seconds, specifying how long the feed stays active. Feed entries expire on the SRX Series device if the feed is not updated within the TTL.
        Default value: 3456000. Range: 86400-31556952

      FEED_UPDATE_INTERVAL
        Update interval for the feeds, in seconds.
        Default value: 300. Range: 300-86400

      Note:
      • For direct ingestion of threat feeds by vSRX firewalls, you do not need to define the SKY_APPLICATION_TOKEN and SKY_OPENAPI_BASE_PATH parameters. If these parameters are not configured, the feeds are uploaded directly to the AWS S3 bucket.

      • For ingestion of threat feeds through ATP Cloud, you must define the SKY_APPLICATION_TOKEN and SKY_OPENAPI_BASE_PATH parameters; they are required to upload the feeds from AWS Lambda to ATP Cloud. You do not need to define the S3_BUCKET parameter.

  10. Configure the time-out setting. Navigate to Lambda > Functions > your_lambda_function_name > Basic settings and update Timeout to 10 seconds.
  11. Click Save.

Configure CloudWatch

Create rules and specify the event source (GuardDuty) and event target (Lambda function).

To create rules:

  1. Select Events > Rules.

    The Rules page appears.

  2. Click Create Rule.
  3. Under Event Source section, select the service name as GuardDuty and event type as GuardDuty Finding.
  4. In the Targets section, click Add Targets and ensure the Lambda function is selected.

    With GuardDuty as the event source and the Lambda function as the target, every new GuardDuty finding invokes the function. You can use CloudWatch Logs Insights to search and analyze the resulting logs.

  5. Click Configure Details.
  6. On the Rule Definition page, specify a name for the rule.
  7. Click Create Rule.

Configure Direct Integration of vSRX firewall with AWS GuardDuty

The following section lists the CLI configurations that are required on vSRX firewalls.

This example configures a profile name, a profile rule and the threat level scores. Anything that matches these threat level scores is considered malware or an infected host. The ATP Cloud threat level maps one-to-one with the Severity Level in AWS GuardDuty.

Note:

You can change the severity level in AWS GuardDuty anytime, but the severity level must always match the threat level that you configure on your vSRX firewalls.

To configure vSRX firewall with AWS GuardDuty (without using ATP Cloud):

  1. Open a console window and log in to the vSRX device.

    login as: root@user-vsrx

    % cli

  2. Issue the show configuration command to view the existing SecIntel details.

    root@user-vsrx> show configuration | display set | match security-intel

  3. Ensure that the IDP security package is downloaded to your vSRX device. To manually download and install the IDP security package from the Juniper Security Engineering portal, use the following commands:

    root@user-vsrx> request security idp security-package download

    root@user-vsrx> request security idp security-package download status

    root@user-vsrx> request security idp security-package install

    root@user-vsrx> request security idp security-package install status

  4. Enter configuration mode.

    root@user-vsrx> configure

  5. Configure security intelligence URL.

    root@user-vsrx# set services security-intelligence url https://guardduty-integration-test.s3-us-west-2.amazonaws.com/manifest.xml

  6. Configure security intelligence profile and policy. In this example the profile name is secintel_profile and threat levels 8 and above are blocked.
  7. Configure a security policy and assign the security intelligence policy to the security policy.

    root@user-vsrx# set security policies from-zone trust to-zone untrust policy 1 match source-address any

    root@user-vsrx# set security policies from-zone trust to-zone untrust policy 1 match destination-address any

    root@user-vsrx# set security policies from-zone trust to-zone untrust policy 1 match application any

    root@user-vsrx# set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy

  8. Run the request services security-intelligence download status command to check the SecIntel feed download status.

    root@user-vsrx# request services security-intelligence download status

    The vSRX firewall has started checking for both DNS and IP Feeds for the CC category, which we configured earlier with the Lambda function.

  9. Run the following command to display the details for the SecIntel category.
    root@user-vsrx# show services security-intelligence category detail category-name CC feed-name cc_guardduty_ip count 10 start 0 all-logical-systems-tenants
  10. Issue the run show security dynamic-address category-name CC command to view the matching entries.

    We can see from the IP addresses that the vSRX is receiving the feeds and has been directly integrated with AWS GuardDuty.

To check the security intelligence statistics, use the show services security-intelligence statistics command.

Configure vSRX Firewall with AWS GuardDuty using ATP Cloud

To configure vSRX firewall with AWS GuardDuty using ATP Cloud:

  1. Install ATP Cloud license.
  2. Enroll vSRX to ATP Cloud. See Enrolling an SRX Series Device With Juniper Advanced Threat Prevention Cloud

    root@user-vsrx# request services advanced-anti-malware enroll https://amer.sky.junipersecurity.net/v2/skyatp/ui_api/bootstrap/enroll/HASH/HASH.slax

    The enrollment script will generate the aamw-ssl tls profile, which will be used in the Step 3.
  3. Configure security intelligence URL.
    set services security-intelligence url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml

    set services security-intelligence authentication tls-profile aamw-ssl
  4. Configure security intelligence profiles and policies. In this example the profile name is secintel_profile and threat level 8 and above are blocked.

    set services security-intelligence profile secintel_profile category CC

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 8

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10

    set services security-intelligence profile secintel_profile rule secintel_rule then action block drop

    set services security-intelligence profile secintel_profile rule secintel_rule then log

    set services security-intelligence profile ih_profile category Infected-Hosts

    set services security-intelligence profile ih_profile rule ih_rule match threat-level 8

    set services security-intelligence profile ih_profile rule ih_rule match threat-level 9

    set services security-intelligence profile ih_profile rule ih_rule match threat-level 10

    set services security-intelligence profile ih_profile rule ih_rule then action block drop

    set services security-intelligence profile ih_profile rule ih_rule then log

    set services security-intelligence policy secintel_policy Infected-Hosts ih_profile

    set services security-intelligence policy secintel_policy CC secintel_profile

  5. Configure a security policy and assign the security intelligence policy to the security policy.

    set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy

    commit

To check the security-intelligence status, use the show services security-intelligence update status command.

To check the security intelligence statistics, use the show services security-intelligence statistics command.

No additional configuration is required in the ATP Cloud Web Portal when the vSRX firewall is integrated with ATP Cloud. All settings, including the SecIntel configuration, are created automatically when the vSRX firewall is enrolled with ATP Cloud.

Use-case for AWS GuardDuty

In this example, let us configure the vSRX firewall to download the threat feeds.

  1. Log in to the vSRX device.

    login as: root@user-vsrx

    % cli

  2. Issue the show configuration command to view the existing SecIntel details.
    root@user-vsrx> show configuration | display set | match security-intel
  3. Enter configuration mode.
    root@user-vsrx> configure
  4. Configure the SecIntel URL on the SRX Series device:

    root@user-vsrx> set services security-intelligence url guardduty-url

  5. Commit the configuration.
    root@user-vsrx> commit
  6. Run cat /var/db/secinteld/tmp/manifest.xml from the shell and verify that the manifest file was downloaded successfully.
  7. If it was not, run the following command:
    root@user-vsrx> request services security-intelligence download
  8. Verify that the manifest file is now downloaded.
  9. Once the manifest file is downloaded, run the following commands.

    root@user-vsrx> show services security-intelligence category detail category-name CC feed-name feed_name_gd

  10. Run the following command from CLI to check if the feed is present under the dynamic address:

    root@user-vsrx> show security dynamic-address category-name CC

  11. Pick any IP address from the list, for example 1.0.210.98, run a ping test from the client, and verify that the SecIntel CC block drop counters are incrementing.

    You should be able to get a response for the ping. Make sure you verify that the traffic passing from the client is hitting the SecIntel policy on the SRX Series device.

    Note:

    The IDP signature package is required for traffic to hit the SecIntel policy. Run the request security idp security-package download command if you do not already have the signature package.

    Run the following command to view the client's sessions:

    root@user-vsrx> show security flow session source-prefix Client_IP