`
`Case 3:17-cv-05659-WHA Document 470-15 Filed 05/13/19 Page 1 of 64
`
`EXHIBIT 13
`
`
`
`
RLI Number: 23914
Document Title: Juniper Advanced Anti-Malware Service on SRX
Document Owner: Hopper Wang, Xiaosong Yang, Ping Wu, Andrew Onofreychuk, Lydia Zhao
Version Date: 0540/2523/20142015
`
`Juniper Advanced Anti-Malware Service on SRX
`Software Functional Specification
`
`rw@juniper.net
`Hopper Wang ho
`Xiaosong Yang xyang@juniper.net
`Ping Wu png@juniper.net
`Andrew Onofreychuk aonofreychuk@juniper.net
`Lydia Zhao lydiazhao@juniper.net
`Bruce Kao bkao@juniper.net
`
`TEMPLATE REVISION HISTORY AND GUIDELINES:
`
`The revision history is available through the version control function of the application hosting this template.
`
Please read the file named: README_BEFORE_EDITING_TEMPLATES.txt in the templates folder BEFORE
making changes to this template, ensure you check the accuracy of both contents and format:
- Contents: What has changed
- Format: Check if owner, version number (everywhere it appears), TL9000 process number and template number
are current in the document properties dialogue.
`
`
`
`© Copyright 2012 Juniper Networks,Inc. all rights reserved— Proprietary and Confidential —
`Do not distribute outside of the company without the permission of Juniper Networks engineering
`Printed or downloaded copies are for reference only!
`Template: J3.02.P05.T01—Ver. 14
`Template Owner: Ramesh RN
`
`HIGHLY CONFIDENTIAL - SOURCE CODE
`
`JNPR-FNJN_29002 00173278
`
`
`
Table of Contents

1. Introduction
   1.1 Reference
   1.2 RLI List
   1.3 Feature Parity Traceability
2. Functionality
   2.2 Exceptions
   2.3 Assumptions
   2.4 Functional competitive data
   APIs/Messages
   2.6 Manageability
   2.7 Examples or Interaction Descriptions
   2.8 Supportability (Serviceability, Diagnose-ability and Fault Handling)
   2.9 Dependencies and Interactions with other Components in the System
   2.10 Legal Considerations
3. Other Requirements
4. System Resource Estimation
   4.1 Performance Related Resources
5. Scaling and Performance
   5.1 Target Scaling
   5.2 Target Performance
Compatibility Issues
Security Considerations
Platforms Supported
Common Infrastructure
   9.1 High Availability (HA)
   9.2 Aggregated Ethernet/SONET/IRB Support
   9.3 Services/JSF (JUNOS Services Framework) impact
   9.4 Multi-Chassis Support
   9.5 64-Bit Support
   9.6 IPv6 Support
   9.7 Logical System Support
   10.1 SDK Customer Usage
   JUNOS Ready Software considerations
Glossary
14. Design Specification Exception
`
`
`
`
15. Functional Specification Approver Checklist
`
`Functional SeeeDocument!Checklist
`
`
`
`
1. Introduction

The Juniper Advanced Anti-Malware solution can differentiate Juniper from competitors and prevent
Juniper's products, solutions and services from commoditization. It is a scalable and high-performing
solution designed to provide:

• Inline blocking of known malware downloads
• Eventual notification of previously unknown malware downloads
• Eventual notification of clients which have become infected

The Juniper Advanced Anti-Malware (AAMW) solution integrates SRX (sensor & enforcer) with the Argon Cloud
Server (detection engine, web portal, host analyzer, connector and so on) to achieve both ingress and
egress visibility and enforcement capabilities.

The Argon cloud server implements a variety of techniques, from fast checking and anti-virus signatures to
comprehensive sandboxing technologies that trick malware into exploding and watch it. It scores the threat
and renders a verdict for the sensor (SRX) to enforce a policy, either an inline block for the current
conversation and/or for future conversations. The Argon cloud is an important part of this solution but
should be transparent to the customer in many ways when the solution is complete.

SRX acts as a telemetry/inspection sensor and dynamic action enforcer. As the sensor, SRX inspects both
ingress and egress network traffic, extracts the interested file content and passes it to the Argon cloud
server. The Argon cloud analyzes the file input from SRX through a series of advanced detection technologies
and returns a verdict of the file indicating whether the file is malicious. As the enforcer, SRX takes action
based on the verdict/threat-level and the SRX policy settings.

There are two sets of connections between SRX and the Argon cloud. One is on the SRX control plane, which is
used for SRX to download configurations that include file type/category filters, white/black list and file
magic DB from the Argon Cloud, and to send health status/counter reports to the Argon Cloud. The other
one is on the SRX data plane, which is used for SRX to submit files and meta-data to the Argon Cloud and to
receive verdicts returned from the Argon Cloud. All the persistent connections will be re-connected if they
are broken or time out for some reason; a syslog will be generated and connection counters will be increased.

Figure 1 shows the high-level architecture of the Argon solution.
`
`
[Figure 1: diagram not reproduced. Legible labels: Argon Cloud (Logging, API, Load, Host, User Portal, Krypton); Extracted File Contents; Meta Data; Fast File Check Table; Health Status; C&C Event Log; Mapping; Internet; HTTP(s) Server; End Users; Log Notification.]

Figure 1 Juniper Advanced Anti-Malware Solution Architecture
`
`
`
`
This document and RLI focus only on the advanced anti-malware service running on the SRX. For details of
the Argon solution, refer to "Argon Solution Overview" and "Argon SRX Architecture".

1.1. Reference
`
`1. Market Requirements Document (MRD)
`https://junipernetworks.sharepoint.com/sites/Projects1/etp/_layouts/15/start.aspx#/supporting/Forms/Alllte
`ms.aspx?R ootFolder=/sites/Projects'/etp/supporting/Requirements %20and%20ENG%20Response&Fold
`rCTID=0x01 20004340991 E98C61 B45A93890B65A8EAAS38View=%7B3ESF02B4-1 CEA-46E3-8E4B-
`
`
`E3FE7098419A%7D
`
`2. Argon SRX Architecture
`https://junipernetworks.sharepoint.com/sites/Projects1/AAMW/controlled/Argon%20Technical%20Docum
`ents/Random%2O0technical%20docs/Argon%20SRX%20Architecture. pdf
`
`3. Argon System Specification
`https://junipernetworks.sharepoint.com/sites/Projects1/AAMVV/_layouts/15/WopiFrame.aspx?sourced
`BC58BB70-C968-418C-B35E-
`F2B9FB216AE3}&file=Argon%20System%20Specification.docx&action=default
4. Argon Solution Overview
` FECFBA F2-183F-46F0-A6AQ-
`
`D4336573C57F %/7D&file=Argon%20Solution %20v9%208.docx&action=default
`5. Argon Sample API
`layouts/15///opiFrame.aspx?sourcedoc={59A
`https ://junipernetworkssharepoint.com/sites/Projects1/etp/
`36468-6F E0-47FA-A011-7EC03B754FD3}&file=Argon%20Client%20APIs.docx&action=default
`6. Argon Soft Configuration
` C337A-757D-4B1E-9D11 -59D2B8332A8E file=A on%20Soft%20Confi uration.docx&action=default
7. RLI23819-Move WF to RTCOM Branch FS
` Move WF to RSeBranch_FS,docx
`
8. JUNOS Qosmos DPI Integration Design Specification
https://matrix.juniper.net/docs/DOC-148132
`9. NextGen Common Protocol Parser
`
`https://matrix.juniper.net/docs/DOC-183601
`10. Syslog over TLS RESONand SSL Enhancements
` SEEraeneatereran Gom%20and%20SSL%20Enhancements,docx
`11. JSF SSL Functional Spec
`
`
`
`
`
12. WebSocket RFC
http://tools.ietf.org/html/rfc6455
`
`
1.2 RLI List

RLI No    Description
23914     Juniper Advanced Anti-Malware Service on SRX
`
`1.3. Feature Parity Traceability
`This feature is not for Parity purpose.
`
`
`
`
2. Functionality

• Control Plane

To enable the Juniper Advanced Anti-Malware service on SRX, the customer first needs to go to the Argon cloud
web portal to register an account, apply for the license (freemium or premium) and get the http link of
the bootstrap packages, then use the Junos "op url" command to download the Argon bootstrap package and
script to the SRX. The bootstrap package includes the related security certificates (e.g., SRX key/certificate,
Argon Cloud server's CA certificate) for the upcoming mutual authentication between SRX and the Cloud.
The script will install the related security certificates on the SRX and commit the configuration for the
Argon cloud connection, which includes the Argon server's URL and the tls-profile. Once the related
certificates are installed on SRX, the AAMWD daemon starts to establish the secure connections between SRX
and the Argon Cloud.

In future, Security Design (SD) will integrate with Argon Cloud, so at that time the customer no longer
needs to use the Argon cloud web portal, but can use SD for centralized management.
`
`
`
[Figure 2: diagram not reproduced. Legible labels: Configuration; Argon Cloud; bootstrap; B/W list; Commands; PCONN; PFE; FW Policy Module; JSF_AAMW Plugin.]

Figure 2 SRX Advanced Anti-Malware Service & Control Connections with Argon Cloud
`
Figure 2 shows the JunOS modules running on SRX for the advanced anti-malware service and the control
connections with the Argon Cloud.

From this diagram, we can see there are two logical connections between SRX and the Argon cloud:

1. Bootstrap connection
`
`
The user will use the "op url" script to download the install package. This is a temporary https
connection. In this connection, there is no certificate-based mutual authentication between
SRX and the Argon Cloud. However, the "op url" command can verify the file's integrity by checking
the md5/sha1/sha-256 result after downloading. For example:

    op url <https://cloud.juniper.net/customerl/aamw-install-scritp.gz> key <8dde21lanl2s733413idfho1>

Note: The URL and key string are created and copied from the cloud UI.

In order to do mutual authentication between SRX and Argon Cloud, SRX needs to have the SRX
cert and private key, and the Cloud server's CA cert. These certificates and the private key will not
be available to SRX until the 1st connection is set up, from which the Cloud will push the info to the
SRX. The URL in "op url" is the place to which SRX sets up the 1st connection. In addition, it is
the user who will generate the URL (in "op url") in the Cloud web portal and manually copy &
paste it to the SRX CLI (i.e., in the 'op url' command). It is assumed the mutual authentication
is assured considering it is the same user who performs the actions of creating the URL and
inputting it on SRX. In addition, the URL (in "op url") has been designed as a one-time URL,
meaning that it will be invalid after the 1st use.
`
2. AAMW Control Plane connection

A persistent TLS connection is set up between the AAMWD daemon and the Argon Cloud. This secure
connection is used for SRX to receive soft-configurations (including file type/category mapping,
customized profile, file magic DB, white/black list) from the Argon Cloud and to send health data to
the Argon Cloud. A certificate-based mutual authentication is performed between SRX and the
Argon Cloud during the secure channel establishment. At the transport protocol level,
WebSocket is used as it supports bi-directional real time communication.

1) File categories mapping

This is the global file categories configuration, which defines the category / file type mapping. The
mapping table includes category name, mime type, file extension, minimum/maximum size
of each file type and submission sample rate.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Table 1 File Category Mapping Table
`
2) Updatable fast file check table

There is a static fast file check table for fast file identification. It is generated and managed
by the cloud and includes some static signatures for popular file types.

3) Customer specific profile configuration

What the customer is allowed to configure for each profile via the Argon Web portal is the file types,
extensions or file categories that won't be scanned, and the per-category sample size thresholds.
For detailed info, please refer to the document <Argon_Soft Configuration>.

4) Whitelist & Blacklist

The whitelist defines the list of file download sources whose downloaded files do not
need anti-malware inspection. The blacklist defines the list of sources that need to be
blocked for file downloading. There will be 4 lists: Customer White List, Customer Black List,
Global White List and Global Black List. The Argon cloud will send these 4 lists to SRX.

In each list, there will be 3 types of entries:

• URLs

URLs can be defined as basic patterns (* and ? wildcards only) or as exact literal
matches. The URL pattern must start with "http://"; both http and https traffic will be
matched.

The maximum length of each URL entry is 2048 Bytes.

• IPs

IPs can be defined as subnet masks, ranges, or full IP addresses.

• Hostnames

Hostnames can be defined as basic patterns (* and ? wildcards only), as
partial/subdomains (e.g. all subdomains of Microsoft.com, or all subdomains of
cdn.akamai.us), or as literal exact matches.

The maximum length of each Hostname entry is 128 Bytes.

The Juniper White List or Juniper Black List (JNPR B/W List) has up to 3K entries; the Customer White
List or Black List has up to 1K entries. The customer can define the whitelist and blacklist in the Argon
web portal, and these always have higher priority than other lists.
`
`
`
`
`
`
The order of Black/Whitelist checking is as follows:

1. Customer White List
2. Customer Black List
3. Global White List
4. Global Black List

During the matching, the first match wins.

The Whitelist and Blacklist of the AAMW service are focused only on inspecting files
downloaded from servers for malware, while the Whitelist and Blacklist of security
intelligence are focused on enforcement on the connections from/to C&C servers.
`
5) Health Data

Health data collected by AAMWD will be sent to the Argon Cloud via the same connection every
5 minutes, and it includes the contents below:
`
`Software version
`Model
`Hostname
`
`Cluster
`Ho
`Serial number
`JNIITEPO3BAGE
`
`
`
`
`
`
`
`
`
`
`
`
`Table 2 SRX Health &Telemetry data table
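The whitelist/blacklist rules in item 4) above (three entry types, per-entry length limits, and the Customer White, Customer Black, Global White, Global Black order in which the first match wins) can be exercised with a small matcher. This is an added example, not code from the specification or from Juniper; the list contents are constructed, and the leading-dot notation for "all subdomains", the "low-high" notation for IP ranges and the URL normalisation are assumptions that the specification does not define.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_URL_BYTES = 2048     # per-entry limits stated in the specification
MAX_HOST_BYTES = 128

# Checking order from the specification; the first list that matches wins.
LIST_ORDER = [
    ("customer_white", "permit"),   # source exempt from anti-malware inspection
    ("customer_black", "block"),
    ("global_white", "permit"),
    ("global_black", "block"),
]


def _wildcard(pattern):
    """Compile a pattern in which only '*' and '?' are wildcards."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.DOTALL)


def compile_entry(kind, value):
    """Validate one list entry and return a predicate over (ip, host, url)."""
    if kind == "url":
        if len(value.encode()) > MAX_URL_BYTES:
            raise ValueError("URL entry exceeds 2048 bytes")
        if not value.startswith("http://"):
            raise ValueError("URL pattern must start with http://")
        rx = _wildcard(value)
        return lambda ip, host, url: rx.fullmatch(url) is not None
    if kind == "host":
        if len(value.encode()) > MAX_HOST_BYTES:
            raise ValueError("hostname entry exceeds 128 bytes")
        name = value.lower()
        if name.startswith("."):          # assumed notation: all subdomains
            return lambda ip, host, url: host.endswith(name)
        rx = _wildcard(name)
        return lambda ip, host, url: rx.fullmatch(host) is not None
    if kind == "ip":
        if "-" in value:                  # assumed notation: "low-high" range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError("invalid IP range")
            return lambda ip, host, url: ip.version == lo.version and lo <= ip <= hi
        net = ipaddress.ip_network(value, strict=False)   # subnet or single address
        return lambda ip, host, url: ip in net
    raise ValueError(f"unknown entry type: {kind}")


def is_valid_entry(kind, value):
    """Portal-side check: would this entry be accepted into a list?"""
    try:
        compile_entry(kind, value)
        return True
    except ValueError:
        return False


def normalise(url):
    """Return (host, url) with https folded to http and the host lower-cased,
    so that one http:// pattern covers both http and https traffic."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    query = f"?{parts.query}" if parts.query else ""
    return host, f"http://{host}{port}{parts.path or '/'}{query}"


def compile_lists(raw):
    """raw maps list name -> [(kind, value), ...] as received from the cloud."""
    return {name: [compile_entry(k, v) for k, v in raw.get(name, [])]
            for name, _ in LIST_ORDER}


def check(lists, server_ip, url):
    """Return (action, list_name); ('inspect', None) when no list matches."""
    ip = ipaddress.ip_address(server_ip)
    host, norm_url = normalise(url)
    for name, action in LIST_ORDER:
        if any(match(ip, host, norm_url) for match in lists[name]):
            return action, name
    return "inspect", None


# Constructed sample lists (documentation address ranges and example domains).
SAMPLE_LISTS = compile_lists({
    "customer_white": [("host", ".updates.example.com"), ("ip", "192.0.2.0/24")],
    "customer_black": [("url", "http://files.example.net/dl/*.exe")],
    "global_white": [("host", "cdn?.example.org")],
    "global_black": [("ip", "198.51.100.10-198.51.100.20"), ("host", "*.example.net")],
})

if __name__ == "__main__":
    for ip, url in [
        ("203.0.113.5", "https://files.example.net/dl/tool.exe"),
        ("198.51.100.15", "http://a.updates.example.com/p.zip"),
        ("198.51.100.15", "http://www.example.org/x"),
        ("203.0.113.9", "http://www.example.com/"),
    ]:
        print(ip, url, "->", check(SAMPLE_LISTS, ip, url))
```

The second sample request shows why the ordering matters: the server address falls inside a Global Black List range, but the Customer White List host entry is consulted first and the file is permitted without inspection.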
`
• Data Plane

Acting as a telemetry sensor and dynamic action enforcer of the Juniper Advanced Anti-Malware solution,
SRX needs to extract the interested file content from HTTP/HTTPs traffic and push it to the Argon
Cloud for inspection, and take enforcement action based on the policy settings and the verdict-
number/threat-level returned from the Argon cloud.
`
`
`
`
There are multiple connections launched from the SRX PFE side via the RTCOM plugin and used for sending file
sample data to the Argon cloud and receiving verdicts. They use the same mutual authentication methods and
protocol as the control plane connection, i.e., TLS + WebSocket. For performance considerations, each SPU
might initialize 16 persistent TCP connections.
`
`
`
`
[Figure 3: diagram not reproduced. Legible labels: PFE; JSF AAMW Plugin; Action; Plugin Framework; Policy Lookup; Qosmos Engine; Buffer Manage; Transport; File Contents; Call WebSocket API; Socket Simulation.]

Figure 3 SRX Advanced Anti-Malware Packets and Event Process Diagram
`
Figure 3 shows the packets and events workflow on SRX PFE, specifically:

a. A client sends HTTP(s) packets to a server; the traffic will pass through the SRX plugin list.

b. The JDPI plugin gets an interest check event for this session, and will query other plugins on whether
they have an interest in this session.

c. Only when the SRX Advanced Anti-Malware (AAMW) application service has been configured on the
matched FW policy, and Argon file filters have been downloaded and installed on SRX, will the AAMW
plugin notify the JDPI plugin that it is interested in this session if the session is HTTP(s), and also
register with JDPI for the protocol contexts that it needs. The SRX AAMW plugin also registers with the JSF
framework as being interested in this session.

d. After the interest check, the JDPI plugin will call the Qosmos engine to identify the protocol and parse the
contexts of this session. As the AAMW service focuses on ingress file downloading, SRX will only
inspect the file from server to client.

e. The SRX AAMW plugin will hold the last one or two data packets before taking policy action.

f. For each packet, the JDPI module will copy the packet to the Qosmos engine and query Qosmos whether any
application/context is ready. If it is ready, then JDPI sends Application Filter Classification (AFC)
events or Parsed Context Propagation (PCP) events to each registered plugin. An AFC event
includes the application type (e.g., HTTP or HTTPs). A PCP event includes the protocol type,
context type, content length and content. The AAMW plugin module will copy and manage interested
file contents extracted from HTTP/HTTPs traffic.

g. The SRX AAMW plugin processes these events. If the session is not HTTP(s), the SRX AAMW plugin ignores this
session and notifies JDPI to deregister the HTTP protocol/context. Otherwise, the SRX AAMW plugin will
create a buffer management object to maintain the URI and file context buffers.

h. SRX will look up the Argon whitelist and blacklist IP table first; if there is no match, it waits for the
URL event from JDPI. When it gets the URL event, the AAMW plugin will look up the Argon URL/host whitelist
and blacklist. If the URL or host matches the whitelist, it permits this file. If it matches the blacklist,
it blocks the session.

i. Once the accumulated buffer size is larger than 8192 bytes or the file end is reached, the SRX AAMW plugin
will call the file identification module to identify the file type. Once it gets the file type, the SRX AAMW
plugin will look it up in the file type filters. When a match is hit, it will send the file content to the Argon
cloud through secure (RTCOM+TLS) connections from the SRX SPU. Otherwise it ignores this file content,
but still inspects this session because there might be HTTP pipeline requests.

j. If the file size exceeds the maximum file-size-limit defined in the file filter, SRX will stop sending the file
to the Argon cloud and ignore the rest of the file contents. A file terminate notification will be sent to the
Argon cloud. From the http header, SRX may get the length of the file content and will ignore it before sending
to Argon cloud in this case.

k. Before sending file contents to the Argon cloud, SRX will check the sample rate of the file type. The
default sample rate is 100%. The sample rate of each file category is defined in the Argon Cloud and
can be modified by the Argon cloud. It is pushed to SRX through the control plane connection. If the
submission sample rate is not 100% (1.0), e.g. 50% (0.5), SRX will send one file of this category/type
to Argon and ignore the next one on the same SPU. The sample rate check interval is 5 minutes.
`
`
l. The connections to the Argon cloud are launched on demand. A connection is only established when an SRX AAMW
policy is matched and SRX needs to send a file to the Argon Cloud. SRX will keep these connections
alive after they are established. Once the advanced-anti-malware url configuration is deleted or
deactivated, all these connections will be shut down.

m. After getting the file, the Argon cloud will conduct malware inspection on it. For each file, the Argon cloud
will return a result with a verdict-number to SRX. If it returns "undetermined", then SRX will ignore
the file but still monitor the session. If it returns a verdict-number, SRX wi