Case 3:17-cv-05659-WHA Document 470-5 Filed 05/13/19 Page 1 of 127

EXHIBIT 3
`
`Sky Advanced Threat Prevention Administration
`Guide
`
Modified: 2017-09-08
`
`Copyright © 2017, Juniper Networks, Inc.
`
FINJAN-JN 005246
`
`Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
`www.juniper.net
`
Copyright © 2017 Juniper Networks, Inc. All rights reserved.
`
`Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in
`the United States and other countries. All other trademarks may be property of their respective owners.
`
`Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
`transfer, or otherwise revise this publication without notice.
`
`Sky Advanced Threat Prevention Administration Guide
Copyright © 2017 Juniper Networks, Inc. All rights reserved.
`
`The information in this document is current as of the date on the title page.
`
`YEAR 2000 NOTICE
`
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
`
`END USER LICENSE AGREEMENT
`
`The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
`software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at
`http://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that
`EULA.
`
`
Table of Contents

About the Documentation ........ xi
    Documentation and Release Notes ........ xi
    Documentation Conventions ........ xi
    Documentation Feedback ........ xiii
    Requesting Technical Support ........ xiv
        Self-Help Online Tools and Resources ........ xiv
        Opening a Case with JTAC ........ xiv

Part 1      Overview and Installation

Chapter 1   Sky Advanced Threat Prevention Overview ........ 3
    Malware Today ........ 3
    Juniper Networks Sky Advanced Threat Prevention ........ 3
        Sky ATP Features ........ 5
        How the SRX Series Device Remediates Traffic ........ 6
        Sky ATP Use Cases ........ 7
    How is Malware Analyzed and Detected? ........ 8
        Cache Lookup ........ 9
        Antivirus Scan ........ 9
        Static Analysis ........ 10
        Dynamic Analysis ........ 10
        Machine Learning Algorithm ........ 10
        Threat Levels ........ 11
    Sky Advanced Threat Prevention License Types ........ 11
        Additional License Requirements ........ 13
    File Limitations ........ 13

Chapter 2   Installing Sky Advanced Threat Prevention ........ 15
    Sky Advanced Threat Prevention Installation Overview ........ 15
    Managing the Sky Advanced Threat Prevention License ........ 15
        Obtaining the Premium License Key ........ 16
        License Management and SRX Series Devices ........ 16
        Sky ATP Premium Evaluation License for vSRX ........ 17
        License Management and vSRX Deployments ........ 17
        High Availability ........ 18
    Registering a Sky Advanced Threat Prevention Account ........ 19
    Downloading and Running the Sky Advanced Threat Prevention Script ........ 23

Part 2      Configuring Sky Advanced Threat Prevention

Chapter 3   Configuration Overview ........ 31
    Sky Advanced Threat Prevention Configuration Overview ........ 31
    Configuring Cloud Feeds for Sky Advanced Threat Prevention ........ 33
    Sky Advanced Threat Prevention Web UI Overview ........ 33
        Accessing the Web UI ........ 34

Chapter 4   Updating the Administrator Profile ........ 37
    Sky Advanced Threat Prevention Administrator Profile Overview ........ 37
    Reset Password ........ 38

Chapter 5   Adding and Removing SRX Series Devices ........ 41
    Enrolling an SRX Series Device With Sky Advanced Threat Prevention ........ 41
    Disenrolling an SRX Series Device from Sky Advanced Threat Prevention ........ 43
    Removing an SRX Series Device From Sky Advanced Threat Prevention ........ 43

Chapter 6   Creating Custom Whitelists and Blacklists ........ 45
    Sky Advanced Threat Prevention Whitelist and Blacklist Overview ........ 45

Chapter 7   Using IP-Based Geolocations ........ 47
    Geolocation IPs and Sky Advanced Threat Prevention ........ 47
    Configuring Sky Advanced Threat Prevention With Geolocation IP ........ 48

Chapter 8   Scanning Email Attachments ........ 51
    Email Management Overview ........ 51
    Email Management: Configure SMTP ........ 52
    Email Management: Configure Blacklists and Whitelists ........ 55
    SMTP Quarantine Overview ........ 55
    Configuring the SMTP Email Management Policy ........ 57
    Configuring Reverse Proxy ........ 62

Chapter 9   Identifying Hosts Communicating with Command and Control Servers ........ 65
    Sky Advanced Threat Prevention Command and Control Overview ........ 65
    Configuring the SRX Series Device to Block Outbound Requests to a C&C Host ........

Chapter 10  Identifying Infected Hosts ........ 69
    Sky Advanced Threat Prevention Infected Host Overview ........ 69
        About Block Drop and Block Close ........ 73
        Host Details ........ 73
    Configuring the SRX Series Devices to Block Infected Hosts ........ 75

Chapter 11  Creating the Sky Advanced Threat Prevention Profile ........ 77
    Sky Advanced Threat Prevention Profile Overview ........ 77

Chapter 12  Creating the Sky Advanced Threat Prevention Policy ........ 79
    Sky Advanced Threat Prevention Policy Overview ........ 79
    Enabling Sky ATP for Encrypted HTTPS Connections ........ 82
    Example: Configuring a Sky Advanced Threat Prevention Policy Using the CLI ........ 83

Part 3      Monitoring Sky Advanced Threat Prevention

Chapter 13  Viewing File Scan Results ........ 89
    Sky Advanced Threat Prevention Scanned File Overview ........ 89

Chapter 14  Viewing Reports ........ 91
    Sky Advanced Threat Prevention Reports Overview ........ 91
    Adding Sky Advanced Threat Prevention Reports to the Dashboard ........ 92

Part 4      Troubleshooting Sky Advanced Threat Prevention

Chapter 15  Troubleshooting ........ 95
    Sky Advanced Threat Prevention Troubleshooting Overview ........ 95
    Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing Configurations ........ 96
    Troubleshooting Sky Advanced Threat Prevention: Checking Certificates ........ 98
    Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status ........ 99
    request services advanced-anti-malware data-connection ........ 101
    request services advanced-anti-malware diagnostic ........ 103
    Troubleshooting Sky Advanced Threat Prevention: Checking the application-identification License ........ 106
    Viewing Sky Advanced Threat Prevention System Log Messages ........ 106
    Configuring traceoptions ........ 107
    Viewing the traceoptions Log File ........ 109
    Turning Off traceoptions ........ 109
    Sky Advanced Threat Prevention Dashboard Reports Not Displaying ........ 110
    Sky Advanced Threat Prevention RMA Process ........ 110
`
`
List of Figures

Part 1      Overview and Installation

Chapter 1   Sky Advanced Threat Prevention Overview ........ 3
    Figure 1: Sky ATP Overview ........ 4
    Figure 2: Sky ATP Components ........ 5
    Figure 3: Inspecting Inbound Files for Malware ........ 7
    Figure 4: Sky ATP Use Cases ........ 8
    Figure 5: Example Sky ATP Pipeline Approach for Analyzing Malware ........ 9
    Figure 6: Submission State Column Displays Device Submit Status ........ 14

Chapter 2   Installing Sky Advanced Threat Prevention ........ 15
    Figure 7: Sky ATP Login ........ 19
    Figure 8: Creating Your Sky ATP Realm Name ........ 20
    Figure 9: Entering Your Sky ATP Contact Information ........ 21
    Figure 10: Creating Your Sky ATP Credentials ........ 22
    Figure 11: Enrolling Your SRX Series Device ........ 24
    Figure 12: Example Enrolled SRX Series Device ........ 25

Part 2      Configuring Sky Advanced Threat Prevention

Chapter 3   Configuration Overview ........ 31
    Figure 13: Web UI Infotip ........ 34
    Figure 14: Sky ATP Web UI Login Page ........ 35
    Figure 15: Logging Out of the Management Interface ........ 35

Chapter 5   Adding and Removing SRX Series Devices ........ 41
    Figure 16: Disenrolling an SRX Series Device ........ 43

Chapter 6   Creating Custom Whitelists and Blacklists ........ 45
    Figure 17: Example Sky ATP Whitelist ........ 46

Chapter 8   Scanning Email Attachments ........ 51
    Figure 18: Email Management Overview ........ 52

Chapter 10  Identifying Infected Hosts ........ 69
    Figure 19: Infected Host from Malware ........ 70
    Figure 20: Viewing Infected Hosts ........ 71

Part 3      Monitoring Sky Advanced Threat Prevention

Chapter 13  Viewing File Scan Results ........ 89
    Figure 21: List of Inspected Files and Their Results ........ 89
    Figure 22: Viewing Scanned File Details ........ 90

Chapter 14  Viewing Reports ........ 91
    Figure 23: Example Web UI Dashboard ........ 92
    Figure 24: Dragging a Report Widget to the Dashboard ........ 92
`
`
List of Tables

About the Documentation ........ xi
    Table 1: Notice Icons ........ xii
    Table 2: Text and Syntax Conventions ........ xii

Part 1      Overview and Installation

Chapter 1   Sky Advanced Threat Prevention Overview ........ 3
    Table 3: Sky ATP Components ........ 6
    Table 4: Threat Level Definitions ........ 11
    Table 5: Comparing the Sky ATP Free Model, Basic-Threat Feed, and Premium Model ........ 12
    Table 6: Maximum Number of Files Per Day Per Device Submitted to Cloud for Inspection ........ 13

Part 2      Configuring Sky Advanced Threat Prevention

Chapter 3   Configuration Overview ........ 31
    Table 7: Configuring Sky ATP ........ 31

Chapter 4   Updating the Administrator Profile ........ 37
    Table 8: Sky ATP Administrator Tabs ........ 37

Chapter 5   Adding and Removing SRX Series Devices ........ 41
    Table 9: Button Actions ........ 42

Chapter 8   Scanning Email Attachments ........ 51
    Table 10: Configure Quarantine Malicious Messages ........ 53
    Table 11: Configure Deliver with Warning Headers ........ 54
    Table 12: Permit ........ 54
    Table 13: Blocked Email Summary View ........ 56
    Table 14: Blocked Email Detail View ........ 56
    Table 15: Comparing Reverse Proxy Before and After Junos OS Release 15.1X49-D80 ........ 62
    Table 16: Supported SSL Proxy Configurations ........ 63

Chapter 11  Creating the Sky Advanced Threat Prevention Profile ........ 77
    Table 17: File Category Contents ........ 77

Chapter 12  Creating the Sky Advanced Threat Prevention Policy ........ 79
    Table 18: Sky ATP Security Policy Additions ........ 80

Part 4      Troubleshooting Sky Advanced Threat Prevention

Chapter 15  Troubleshooting ........ 95
    Table 19: Troubleshooting Sky ATP ........ 96
    Table 20: Data Connection Test Output ........ 101
    Table 21: aamw-diagnostics Script Error Messages ........ 104
`
`
`About the Documentation
`
`Documentation and Release Notes on page xi
`
`Documentation Conventions on page xi
`
`Documentation Feedback on page xiii
`
`Requesting Technical Support on page xiv
`
`Documentation and Release Notes
`
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
`
`If the information in the latest release notes differs from the information in the
`documentation, follow the product Release Notes.
`
`Juniper Networks Books publishes books by Juniper Networks engineers and subject
`matter experts. These books go beyond the technical documentation to explore the
`nuances of network architecture, deployment, and administration. The current list can
`be viewed at http://www.juniper.net/books.
`
`Documentation Conventions
`
`Table 1 on page xii defines notice icons used in this guide.
`
`
Table 1: Notice Icons

Meaning                Description

Informational note     Indicates important features or instructions.

Caution                Indicates a situation that might result in loss of data or hardware damage.

Warning                Alerts you to the risk of personal injury or death.

Laser warning          Alerts you to the risk of personal injury from a laser.

Tip                    Indicates helpful information.

Best practice          Alerts you to a recommended use or implementation.
`
Table 2 on page xii defines the text and syntax conventions used in this guide.
`
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms. Identifies guide names.
Identifies RFC and Internet draft titles.
Examples:
    A policy term is a named structure that defines match conditions and actions.
    Junos OS CLI User Guide
    RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands
or configuration statements.
Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and
directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
    To configure a stub area, include the stub statement at the [edit protocols
    ospf area area-id] hierarchy level.
    The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example:
    stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on
either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration
statement to which it applies.
Example:
    rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example:
    community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Example (braces and semicolons):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
    In the Logical Interfaces box, select All Interfaces.
    To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example:
    In the configuration editor hierarchy, select Protocols>Ospf.
`
`Documentation Feedback
`
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

Online feedback rating system: On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.
`
`
E-mail: Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).
`
`Requesting Technical Support
`
`Technical product support is available through the Juniper Networks Technical Assistance
`Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
`support contract, or are covered under warranty, and need post-sales technical support,
`you can access our tools and resources online or open a case with JTAC.
`
`JTAC policies-For a complete understanding of our JTAC procedures and policies,
`review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
`
`Product warranties-For product warranty information, visit
http://www.juniper.net/support/warranty/.
`
`JTAC hours of operation-The JTAC centers have resources available 24 hours a day,
`7 days a week, 365 days a year.
`
`Self-Help Online Tools and Resources
`
`For quick and easy problem resolution, Juniper Networks has designed an online
`self-service portal called the Customer Support Center (CSC) that provides you with the
`following features:
`
Find CSC offerings: http://www.juniper.net/customers/support/

Search for known bugs: https://prsearch.juniper.net/

Find product documentation: http://www.juniper.net/documentation/

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/

Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/

Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
`
`
`For international or direct-dial options in coun tries without toll-free numbers, see
`http://www.juniper.net/support/requesting-support.html.
`
`
PART 1
`
`Overview and Installation
`
`Sky Advanced Threat Prevention Overview on page 3
`
`Installing Sky Advanced Threat Prevention on page 15
`
`
CHAPTER 1

Sky Advanced Threat Prevention Overview

Malware Today on page 3

Juniper Networks Sky Advanced Threat Prevention on page 3

How is Malware Analyzed and Detected? on page 8

Sky Advanced Threat Prevention License Types on page 11

File Limitations on page 13
`
Malware Today

Malware, or malicious software, is software that attempts to gain access to a computer
without the owner's knowledge. There are many types of malware, such as rootkits,
ransomware, spyware, and bots. One of the many goals of malware is to infiltrate a rich
target where it can carry out a wide range of undetected malicious activities over months
or years, including data theft, espionage, and disruption or destruction of infrastructure
and processes. Although methods vary, the commonality of these specialized attacks is
that they are created to avoid detection by mainstream security technologies, such as
antivirus, firewalls, and content inspection gateways.

The threat landscape has evolved. Malware started out as experiments or pranks but
has since become widespread and sophisticated. Attackers have migrated from
broad, unfocused tactics and now create specialized malware, intended for a select
target or group of targets, with the ultimate goal of becoming embedded in the target's
infrastructure. Preliminary results published by Symantec suggest that "the release rate
of malicious code and other unwanted programs may be exceeding that of legitimate
software applications."

With the emergence of these specialized threats, a new category of security has also
emerged with the purpose of detecting, analyzing, and preventing advanced threats that
are able to evade the more traditional security methods. Juniper Networks' solution for
preventing advanced and emerging threats is Sky Advanced Threat Prevention (Sky ATP),
a cloud-based anti-malware solution for SRX Series devices.
`
`Juniper Networks Sky Advanced Threat Prevention
`
Juniper Networks Sky Advanced Threat Prevention (Sky ATP) is a security framework
that protects all hosts in your network against evolving security threats by employing
cloud-based threat detection software with a next-generation firewall system. See
Figure 1 on page 4.
`
Figure 1: Sky ATP Overview

[Figure: the Sky Advanced Threat Prevention Cloud (Advanced Threat Prevention; Sandbox
with Deception; Static Analysis) connected to an SRX Series device at the customer site.]
`
`Sky ATP protects your network by performing the following tasks:
`
`The SRX Series device extracts potentially malicious objects and files and sends them
`to the cloud for analysis.
`
`Known malicious files are quickly identified and dropped before they can infect a host.
`
Multiple techniques identify new malware, adding it to the known list of malware.
`
Correlation between newly identified malware and known Command and Control
(C&C) sites aids analysis.
`
`The SRX Series device blocks known malicious file downloads and outbound C&C
`traffic.
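The five tasks above form a verdict loop: a hash-keyed cache lookup on the SRX Series device, cloud analysis for objects the cache has never seen, feedback of each new conviction into the known-malware list, and blocking of outbound C&C traffic that also flags the source host as infected. The following Python model is an added example written for this page, not Juniper's code; the sample bytes, the feed contents, the IP addresses, the use of SHA-256 as the cache key, and the fail-open handling of an object whose analysis is still in flight are all assumptions chosen to make the control flow visible.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed samples for this example (assumption: not real malware, not real feeds).
KNOWN_BAD_SAMPLE = b"MZ\x90\x00 constructed known-bad sample"
NEW_SAMPLE = b"MZ\x90\x00 constructed never-seen sample"
CLEAN_SAMPLE = b"%PDF-1.4 constructed clean document"


def sha256_hex(data: bytes) -> str:
    """Cache key for a verdict (assumption: SHA-256 of the extracted object)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CloudState:
    """Minimal stand-in for the cloud side: the verdict cache plus the feeds
    that Figure 2 names (known C&C servers, infected hosts)."""
    known_malware: set = field(default_factory=set)
    known_clean: set = field(default_factory=set)
    cc_servers: set = field(default_factory=set)
    infected_hosts: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # sha256 -> bytes awaiting analysis


def file_verdict(cloud: CloudState, data: bytes) -> str:
    """Inbound file path on the SRX. A cache hit on a known-bad hash is dropped
    at once; a known-good hash is permitted; anything else is submitted to the
    cloud pipeline and passes while the verdict is outstanding (assumption)."""
    h = sha256_hex(data)
    if h in cloud.known_malware:
        return "block"
    if h in cloud.known_clean:
        return "permit"
    cloud.pending.setdefault(h, data)
    return "submitted"


def record_analysis(cloud: CloudState, data: bytes, malicious: bool) -> None:
    """Cloud side: the analysis verdict arrives. A conviction joins the known
    list, so the next download of the same bytes is an immediate cache hit."""
    h = sha256_hex(data)
    cloud.pending.pop(h, None)
    (cloud.known_malware if malicious else cloud.known_clean).add(h)


def outbound_verdict(cloud: CloudState, src_host: str, dst_ip: str) -> str:
    """Outbound path: a connection to a known C&C server is blocked, and the
    source host is added to the infected-host feed for later quarantine."""
    if dst_ip in cloud.cc_servers:
        cloud.infected_hosts.add(src_host)
        return "block"
    return "permit"


def run_demo() -> dict:
    """Walks three files and two outbound flows through the loop."""
    cloud = CloudState(known_malware={sha256_hex(KNOWN_BAD_SAMPLE)},
                       cc_servers={"198.51.100.23"})
    r = {}
    r["known_bad"] = file_verdict(cloud, KNOWN_BAD_SAMPLE)   # cache hit, dropped
    r["new_first"] = file_verdict(cloud, NEW_SAMPLE)         # unknown, submitted
    record_analysis(cloud, NEW_SAMPLE, malicious=True)       # cloud convicts it
    r["new_second"] = file_verdict(cloud, NEW_SAMPLE)        # now a cache hit
    r["clean_first"] = file_verdict(cloud, CLEAN_SAMPLE)
    record_analysis(cloud, CLEAN_SAMPLE, malicious=False)
    r["clean_second"] = file_verdict(cloud, CLEAN_SAMPLE)
    r["cc_flow"] = outbound_verdict(cloud, "10.0.0.5", "198.51.100.23")
    r["normal_flow"] = outbound_verdict(cloud, "10.0.0.6", "192.0.2.10")
    r["infected_hosts"] = sorted(cloud.infected_hosts)
    r["pending"] = len(cloud.pending)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the file prints each decision. The step worth noticing is the second lookup of NEW_SAMPLE: the first download passes through as "submitted" because nothing is known about it, and only the conviction returned by the cloud turns the next download of the same bytes into the "known malicious files are quickly identified and dropped" case. That window between submission and verdict is why the later chapters on policy actions and threat levels matter.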
`
`Sky ATP supports the following modes:
`
Layer 3 mode
`
`Tap mode
`
Transparent mode using MAC address. For more information, see Transparent mode
on SRX Series devices.

Secure wire mode (a high-level transparent mode that passes traffic directly through
the interface rather than by MAC address). For more information, see Understanding Secure Wire.
`
`4
`
`Copyright © 2017, Juniper Networks, Inc.
`
`FINJAN-JN 005265
`
`
`
`Case 3:17-cv-05659-WHA Document 470-5 Filed 05/13/19 Page 22 of 127
`
`Chapter l: Sky Advanced Threat Prevention Overview
`
`Sky ATP Features
`
Sky ATP is a cloud-based solution. Cloud environments are flexible and scalable, and a
shared environment ensures that everyone benefits from new threat intelligence in near
real time. Your sensitive data is secured even though it is in a shared cloud environment.
Security analysts can update their defenses when new attack techniques are discovered
and distribute the threat intelligence with very little delay.

In addition, Sky ATP offers the following features:

Integrated with the SRX Series device to simplify deployment and enhance the
anti-threat capabilities of the firewall.

Delivers protection against "zero-day" threats using a combination of tools to provide
robust coverage against sophisticated, evasive threats.

Checks inbound and outbound traffic with policy enhancements that allow users to
stop malware, quarantine infected systems, prevent data exfiltration, and disrupt
lateral movement.

High availability to provide uninterrupted service.

Scalable to handle increasing loads that require more computing resources, increased
network bandwidth to receive more customer submissions, and large storage for
malware.

Provides deep inspection, actionable reporting, and inline malware blocking.

APIs for C&C feeds, whitelist and blacklist operations, and file submission. See the
Threat Intelligence Open API Setup Guide for more information.

Figure 2 on page 5 lists the Sky ATP components.
`
Figure 2: Sky ATP Components

[Figure: the SRX Series device performs content (file) extraction and receives fast verdicts
for inline blocking; the cloud supplies feeds of known C&C servers; security intelligence
events (C&C hits) lead to quarantine of compromised systems; feed analysis and efficacy
are measured in the cloud.]
`
`
`Table 3 on page 6 briefly describes each Sky ATP component's operation.
`
Table 3: Sky ATP Components

Component: Command and control (C&C) cloud feeds
Operation: C&C feeds are essentially a list of servers that are known command and
control servers for botnets. The list also includes servers that are known sources for
malware downloads.

Component: GeoIP cloud feeds
Operation: GeoIP feeds are an up-to-date mapping of IP addresses to geographical
regions. This gives you the ability to filter traffic to and from specific geographies in
the world.

Component: Infected host cloud feeds
Operation: Infected hosts are local devices that are potentially compromised because
they appear to be part of a C&C network or exhibit other symptoms.

Component: Whitelists, blacklists, and custom cloud feeds
Operation: A whitelist is simply a list of known IP addresses that you trust, and a
blacklist is a list that you do not trust.
NOTE: Custom feeds are not supported in this release.

Component: SRX Series device
Operation: Submits extracted file content for analysis an