
How to quickly configure Kaspersky Anti-Virus on Juniper SRX gateway

Hello!

It so happened that for the past few years I have been working as an instructor for Juniper Networks equipment at one of the authorized training centers in Moscow. As many know, Juniper is a network equipment company: routers, switches, and security devices. It is less well known that Juniper SRX security devices can scan the traffic passing through them with a Russian-developed anti-virus module, namely the one from Kaspersky Lab.

This article is intended for those who already have a Juniper SRX and want to try (or at least read about) the Juniper and KAV combination in action.



The Junos Unified Threat Management (UTM) security suite, optionally available on the Juniper SRX line of gateways, includes anti-spam, web filtering, content filtering, and the well-known Kaspersky Anti-Virus. When enabled, these services provide effective additional protection for the network perimeter. Despite this, many system administrators, for one reason or another, decline to adopt UTM: many are not ready to purchase additional licenses, do not want to spend time and effort on additional configuration, and fear a possible drop in performance.

This “recipe” lets you easily generate 30-day trial license keys and quickly set up the key element of the UTM suite, Full AV, a full-featured Kaspersky Anti-Virus, to protect the network from malware (viruses, worms, Trojans, polymorphic malware) in HTTP, FTP and mail traffic. A trial license will let you test the antivirus and, if you find it worthwhile, purchase it afterwards; it also makes it easier to become familiar with the antivirus and its deployment procedure. A trial license can be activated once a year on each device with a given serial number.

The commands and configurations given below are suitable for any model of the Juniper SRX branch line with at least 1 GB of RAM (the branch SRX line includes all models from SRX100 to SRX650). To check your device model, run the following command:

    pk@inet-gw> show chassis hardware detail | match chassis
    Chassis                                 XXXXXXXXXX        SRX210H


If at the end of the model number you see the letters H or H2, then you can continue to configure the UTM functionality.

To configure it, you need an Internet connection (the usual uplink to your provider) and a configured DNS server. For example, these parameters might look like this:

    pk@inet-gw> show configuration | display set | match "name-server|0.0.0.0"
    set system name-server 8.8.8.8
    set routing-options static route 0.0.0.0/0 next-hop 192.168.1.254


I assume that your device does not currently have a license for Kaspersky Anti-Virus for Juniper, but if in doubt, run the following command:

    pk@inet-gw> show system license


As a result, the system will display all licenses activated for the current device. Then, to generate trial keys, run the command:

    pk@inet-gw> request system license update trial

(To obtain trial keys you need an Internet connection and correctly configured DNS.) Repeat the show system license command after a few minutes to make sure the keys have been added to the license store. The system should display something like:

    pk@inet-gw> show system license
    License usage:
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed
      av_key_kaspersky_engine               0            1           0    2014-11-04 00:00:00 UTC
      .............


If the new license does not appear, check the log file for errors (the show log messages command).

If the license has been obtained successfully, you need to configure the UTM functionality, in our case Kaspersky Anti-Virus. Do not be put off by the theory below: in fact, a single command is enough to get started!

In general, to configure UTM on a Juniper SRX gateway you need to configure the following interconnected elements:



At first glance everything looks complicated, but these parameters let you flexibly configure the gateway for all sorts of operating scenarios. And there is more good news: the Junos system ships with ready-made (default) UTM feature profiles and UTM policies for the antivirus (and the other UTM elements). To view them, run the following configuration-mode commands (they refer to the hidden configuration group junos-defaults, which stores the Junos default settings):

    pk@inet-gw# show groups junos-defaults security utm feature-profile anti-virus
    kaspersky-lab-engine {
        pattern-update {
            url http://update.juniper-updates.net/AV/JSR/;
            interval 60;
        }
        profile junos-av-defaults {
            fallback-options {
                default log-and-permit;
                corrupt-file log-and-permit;
                password-file log-and-permit;
                decompress-layer log-and-permit;
                content-size log-and-permit;
                engine-not-ready log-and-permit;
                timeout log-and-permit;
                out-of-resources log-and-permit;
                too-many-requests log-and-permit;
            }
            scan-options {
                intelligent-prescreening;
                scan-mode all;
                content-size-limit 10000;
                timeout 180;
                decompress-layer-limit 2;
            }
            notification-options {
                virus-detection {
                    type message;
                    no-notify-mail-sender;
                    custom-message "VIRUS WARNING";
                }
                fallback-block {
                    type message;
                    no-notify-mail-sender;
                }
            }
        }
    }

    pk@inet-gw# show groups junos-defaults security utm utm-policy junos-av-policy
    anti-virus {
        http-profile junos-av-defaults;
        ftp {
            upload-profile junos-av-defaults;
            download-profile junos-av-defaults;
        }
        smtp-profile junos-av-defaults;
        pop3-profile junos-av-defaults;
        imap-profile junos-av-defaults;
    }


As you can see, the system displays the already configured UTM feature profile junos-av-defaults, which is referenced by the UTM policy junos-av-policy. The specific settings in the default profile depend on the gateway hardware. You can either work with the default profile and policy or create your own profiles and policies based on them. In the first case, to start working with UTM it is enough to add references to the UTM policy in the required security policies, indicating that that traffic must be scanned by the antivirus (it is not necessary to scan all traffic with the antivirus).

For example, if you have a policy that governs HTTP and FTP traffic from the Trust zone to the Untrust zone:

    pk@inet-gw# show security policies from-zone Trust to-zone Untrust
    from-zone Trust to-zone Untrust {
        policy Trust-to-Untrust {
            match {
                source-address any;
                destination-address any;
                application [ junos-http junos-ftp ];
            }
            then {
                permit;
            }
        }
    }


then you can activate the antivirus with the following command and check the result:

    pk@inet-gw# set security policies from-zone Trust to-zone Untrust policy Trust-to-Untrust then permit application-services utm-policy junos-av-policy

    pk@inet-gw# show security policies from-zone Trust to-zone Untrust
    from-zone Trust to-zone Untrust {
        policy Trust-to-Untrust {
            match {
                source-address any;
                destination-address any;
                application [ junos-http junos-ftp ];
            }
            then {
                permit {
                    application-services {
                        utm-policy junos-av-policy;
                    }
                }
            }
        }
    }


And don't forget to commit.
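The procedure above attaches the default junos-av-policy, whose junos-av-defaults profile sets every fallback case to log-and-permit, so a file the engine could not scan (corrupt, password-protected, nested too deeply, larger than the size limit) is still delivered. As an added example that is not part of the original article, here is a stricter profile built from the same keys, with the assumed names av-strict and av-strict-policy; the zone and policy names are the ones used in this article.

```junos
# Constructed example, not from the original article.
# Profile av-strict: the scan and notification settings of junos-av-defaults,
# but the "this file could not be scanned" cases block instead of log-and-permit.
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict fallback-options default block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict fallback-options corrupt-file block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict fallback-options password-file block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict fallback-options decompress-layer block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict fallback-options content-size block
# Engine and resource conditions stay at log-and-permit so that a signature
# update or a busy engine does not cut off all HTTP, FTP and mail traffic.
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict fallback-options timeout log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict fallback-options out-of-resources log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict fallback-options too-many-requests log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict scan-options intelligent-prescreening
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict scan-options scan-mode all
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict scan-options content-size-limit 10000
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict scan-options timeout 180
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict scan-options decompress-layer-limit 2
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict notification-options virus-detection type message
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict notification-options virus-detection custom-message "VIRUS WARNING"
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-strict notification-options fallback-block type message
# UTM policy that applies the strict profile to every protocol junos-av-policy covers.
set security utm utm-policy av-strict-policy anti-virus http-profile av-strict
set security utm utm-policy av-strict-policy anti-virus ftp upload-profile av-strict
set security utm utm-policy av-strict-policy anti-virus ftp download-profile av-strict
set security utm utm-policy av-strict-policy anti-virus smtp-profile av-strict
set security utm utm-policy av-strict-policy anti-virus pop3-profile av-strict
set security utm utm-policy av-strict-policy anti-virus imap-profile av-strict
# Point the existing security policy at the strict UTM policy instead of junos-av-policy.
set security policies from-zone Trust to-zone Untrust policy Trust-to-Untrust then permit application-services utm-policy av-strict-policy
commit
```

Running commit check before the commit shows whether the device accepts the new profile, and the show security utm anti-virus statistics command used later in the article will then count blocked fallback cases in its Fallback column.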

Now use the following command to make sure that the UTM functionality is working and the virus signature database has been loaded onto the SRX gateway (by default it is updated automatically every 60 minutes):

    pk@inet-gw> show security utm anti-virus status
    UTM anti-virus status:
        Anti-virus key expire date: 2014-07-04 00:00:00
        Update server: http://update.juniper-updates.net/AV/SRX240/
            Interval: 60 minutes
            Pattern update status: next update in 52 minutes
            Last result: new database loaded
        Anti-virus signature version: 06/21/2014 20:24 GMT, virus records: 561261
        Anti-virus signature compiler version: N/A
        Scan engine type: kaspersky-lab-engine
        Scan engine information: last action result: No error(0x00000000)


Now let's test the freshly installed Kaspersky Anti-Virus for Juniper. To do this, we will try to download the EICAR test file from a server to an end host (this harmless file is specifically designed for testing antivirus software; it can be downloaded from http://www.eicar.org ):

    lab@host> ftp 192.168.1.112
    Connected to 192.168.1.112.
    220 (vsFTPd 2.0.5)
    Name (192.168.1.112:lab): lab
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> get eicar.com
    local: eicar.com remote: eicar.com
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for eicar.com (68 bytes).
    |**********************************************************************************************************************************************************| 100%       95      --:-- ETA
    550 192.168.1.112:21->10.1.0.15:51306 VIRUS WARNING For eicar.com with virus EICAR-Test-File.
    95 bytes received in 0.00 seconds (129.03 KB/s)
    ftp> bye
    221 Goodbye.


As you can see, the antivirus did not let the file through (more precisely, its contents were replaced by a virus warning, and the same warning was shown by the FTP client). Now you can check the logs and statistics:

    pk@inet-gw> show log messages | match AV_VIRUS
    Oct 24 06:18:31 inet-gw RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 192.168.1.112:20 to 10.1.0.15:14375 source-zone Untrust eicar.com file eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A

    pk@inet-gw> show security utm anti-virus statistics
    UTM Anti Virus statistics:
    Intelligent-prescreening passed:      0
    MIME-whitelist passed:                0
    URL-whitelist passed:                 0
    Scan Mode:
      scan-all:                           1
      Scan-extension:                     0
    Scan Request:
      Total      Clean      Threat-found     Fallback
      1          0          1                0
    .....


The command output shows that at this stage the antivirus is working correctly.

In conclusion, I note that using Kaspersky Anti-Virus on a Juniper SRX gateway seems advisable even if you already have another anti-virus installed on the network's end nodes. The basic configuration of Kaspersky Anti-Virus for Juniper SRX is extremely simple, and moreover you can evaluate its effectiveness at no cost by using a trial license.

Additional information about configuring antivirus for Juniper SRX and the available options can be found at the following links:
http://www.juniper.net/us/en/local/pdf/app-notes/3500158-en.pdf
http://www.juniper.net/us/en/local/pdf/app-notes/3500153-en.pdf
The following articles from the Juniper Knowledge Base may also be helpful:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16620
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17283

Thanks for your attention! I hope this information will be helpful. I will try to answer your questions.

Source: https://habr.com/ru/post/241295/

