Pass the Juniper JNCIP-SEC JN0-636 Questions and answers with ExamsMirror

Juniper MX and SRX series devices support the integration of Seclntel feeds, which provide information about known command and control servers, for the purpose of blocking access to them. These devices can be configured to use the Seclntel feeds without the need for Security Director to manage the feeds.

EX series and QFX series devices are not capable of working in this situation, as they do not support the integration of Seclntel feeds.

According to the Juniper documentation, the two Juniper devices that work in this situation are MX Series devices and SRX Series devices. These devices can use the Juniper SecIntel feeds to block access to known command and control servers without using Security Director to manage the feeds. The Juniper SecIntel feeds are curated and verified threat intelligence data that are continuously collected from Juniper ATP Cloud, Juniper Threat Labs, and other sources. The SecIntel feeds include command and control IPs, URLs, certificate hashes, and domains that are used by attackers to control malware or maintain their connection to the network1.

The MX Series devices and the SRX Series devices can subscribe to the SecIntel feeds by using the following steps:

Configure the SecIntel service on the device by specifying the SecIntel URL, the SecIntel policy, and the SecIntel license2.

Configure the SecIntel policy on the device by specifying the SecIntel feeds, the SecIntel actions, and the SecIntel logging3.

Apply the SecIntel policy to the security zones or the firewall policies on the device by using the secintel-policy option4.

Once the SecIntel service is configured and applied, the MX Series devices and the SRX Series devices will receive the SecIntel feeds from Juniper ATP Cloud and use them to block the traffic from or to the command and control servers. The SecIntel service will also send the SecIntel logs to Juniper ATP Cloud or a third-party SIEM solution for further analysis and reporting.

The following devices are not suitable or incorrect for this situation:

EX Series devices: EX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.

QFX Series devices: QFX Series devices are Ethernet switches that can integrate with SecIntel to block infected hosts at the switch port. However, they cannot use the SecIntel feeds to block command and control servers, as they do not support the SecIntel service or policy.

References: 1: SecIntel Threat Intelligence 2: Configuring SecIntel Service 3: Configuring SecIntel Policy 4: Applying SecIntel Policy : [SecIntel Logging] : [SecIntel Integration with EX Series Switches] : [SecIntel Integration with QFX Series Switches]

According to the exhibit, which is a configuration snippet of the SRX Series device, the global mode for the device is set to switching mode. This means that the device is operating as a Layer 2 switch and does not apply any security policies to the traffic between hosts in the same broadcast domain1. Therefore, the traffic between two hosts in the same broadcast domain are not matching any security policies.

To solve this problem, the user should change the global mode to transparent bridge mode. This means that the device will operate as a Layer 2 transparent bridge and apply security policies to the traffic between hosts in the same broadcast domain2. This will allow the user to enforce security policies based on the source and destination IP addresses, ports, and protocols of the traffic.

To change the global mode to transparent bridge mode, the user should use the following command:

set protocols l2-learning global-mode transparent-bridge

This command will set the global mode for the SRX Series device as Layer 2 transparent bridge mode. After changing the mode, the user must reboot the device for the configuration to take effect2.

References: 1: global-mode (Protocols) 2: Configuring Layer 2 Transparent Mode

According to the Juniper documentation, the infected host score is a global setting that determines the minimum threat level required for a host to be considered infected and blocked by Juniper ATP Cloud. The infected host score can be configured from 1 to 10, where 1 is the lowest and 10 is the highest. The default infected host score is 5, which means that any host with a threat level of 5 or higher will be automatically blocked by Juniper ATP Cloud. However, the infected host score can be changed to a higher value, such as 6 or 7, to reduce the number of false positives and allow more traffic to pass through. In the exhibit, the host has a threat level of 5, which indicates that it is infected with malware and has attempted to contact command-and-control servers. However, some of the events have not been automatically mitigated, which means that the host has not been blocked by Juniper ATP Cloud. A possible reason for this behavior is that the infected host score is globally set above a threat level of 5, such as 6 or 7, which means that the host does not meet the minimum threshold for blocking. Therefore, the correct answer is C. The infected host score is globally set above a threat level of 5. References: [Configuring the Infected Host Score] 1, [Compromised Hosts: More Information] 2

1: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/task/sky-atp-infected-host-score.html  2: https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-user-guide/topics/concept/sky-atp-infected-host-overview.html

The exhibit shows the output of the show security intelligence category summary command on the SRX-1 device. This command displays the status of the security intelligence categories configured on the device. In the output, we can see that there are two categories configured - Proxy_Nodes and Proxy_Node3. The Proxy_Nodes category is a custom category that is created by the SRX-1 device using the adaptive threat profiling feature. The Proxy_Node3 category is a third-party category that is downloaded from the Juniper ATP Cloud service. The Proxy_Nodes category contains the IP addresses that match the security policy named Proxy-ATP on the SRX-1 device. The Proxy_Node3 category contains the IP addresses that are associated with the Tor network.

The two statements that are true based on the exhibit are:

The SRX-1 device creates the Proxy_Nodes feed, so it cannot use it in another security policy. This is because the adaptive threat profiling feature does not allow the device that creates the feed to use it in another security policy. The feed is intended to be shared with other devices in the same realm through the Juniper ATP Cloud service. The SRX-1 device can only use the feeds that are created by other devices or downloaded from third-party sources.

You can only use the Proxy_Node3 feed as the destination-address match criteria of another security policy on a different SRX Series device. This is because the Proxy_Node3 feed is a third-party feed that is downloaded from the Juniper ATP Cloud service. The SRX-1 device can use this feed as a dynamic address object in its security policies. However, the feed is configured with the destination-only option, which means that it can only be used as the destination-address match criteria of a security policy. The source-address match criteria of a security policy cannot use this feed.

References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-intelligence-category-summary.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-intelligence-third-party-feed-configuring.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-adaptive-threat-profiling-overview.html

The two security intelligence feed types that are supported are:

A. Infected host feed. An infected host feed is a security intelligence feed that contains the IP addresses of hosts that are infected by malware or compromised by attackers. The SRX Series device can download the infected host feed from the Juniper ATP Cloud or generate its own infected host feed based on the detection events from IDP. The SRX Series device can use the infected host feed to block or quarantine the traffic to or from the infected hosts based on the security policies1.

B. Command and Control feed. A command and control feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The SRX Series device can download the command and control feed from the Juniper ATP Cloud or generate its own command and control feed based on the detection events from IDP. The SRX Series device can use the command and control feed to block or log the traffic to or from the command and control servers based on the security policies2.

The other options are incorrect because:

C. Custom feeds. Custom feeds are not a security intelligence feed type, but a feature that allows you to create your own security intelligence feeds based on your own criteria and sources. You can configure custom feeds by using the Junos Space Security Director or the CLI. Custom feeds are not supported by the Juniper ATP Cloud or the IDP3.

D. Malicious URL feed. Malicious URL feed is not a security intelligence feed type, but a feature that allows you to block or log the traffic to or from malicious URLs based on the security policies. The SRX Series device can download the malicious URL feed from the Juniper ATP Cloud or the Juniper Threat Labs. Malicious URL feed is not supported by the IDP4.

References:

Infected Host Feed Overview

Command and Control Feed Overview

Custom Feed Overview

Malicious URL Feed Overview

The SRX Series device in transparent mode uses packet flooding to learn about unknown devices in a network. Packet flooding is a process wherein the device sends out packets to every device it knows about or suspects in the network. When the packets are returned, the device can identify and classify the unknown devices in the network.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-user-auth-configure-jims.html

The exhibit shows the output of the show security macsec statistics interface ge-0/0/70 detail command on an SRX Series device. This command displays the statistics for the Media Access Control Security (MACsec) feature on the ge-0/0/70 interface. MACsec is a feature that provides point-to-point security on Ethernet links by using encryption and data integrity checks. MACsec uses two types of keys to secure the traffic: the Connectivity Association Key (CAK) and the Secure Association Key (SAK). The CAK is used for authentication and key exchange between the MACsec peers. The SAK is used for encryption and decryption of the MACsec traffic.

The two statements that are true based on the exhibit are:

The data that traverses the ge-0/0/70 interface is secured by a secure association key. This is because the exhibit shows that the interface has a Secure Channel (SC) and a Secure Association (SA) established. The SC is a logical connection between the MACsec peers that carries the encrypted traffic. The SA is a subset of the SC that contains the SAK and other parameters for encrypting and decrypting the traffic. The exhibit shows that the interface has encrypted and protected packets, which means that the traffic is secured by the SAK.

The data that traverses the ge-0/0/70 interface cannot be intercepted and read by anyone. This is because the exhibit shows that the interface has encryption enabled. The encryption option indicates whether the MACsec traffic is encrypted or not. If encryption is enabled, the traffic is encrypted by the SAK and cannot be viewed by anyone monitoring the link. If encryption is disabled, the traffic is only protected by the SAK and can be viewed by anyone monitoring the link.

References: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-macsec-statistics-interface-detail.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-macsec-overview.html

To share threat intelligence from your environment with third party tools, you need to enable Juniper ATP Cloud to share threat intelligence and configure application tokens in the Juniper ATP Cloud to limit who has access. The other options are incorrect because:

A. Configuring application tokens in the SRX Series firewalls is not necessary or sufficient to share threat intelligence with third party tools. Application tokens are used to authenticate and authorize requests to the Juniper ATP Cloud API, which can be used to perform various operations such as submitting files, querying C&C feeds, and managing allowlists and blocklists1. However, to share threat intelligence with third party tools, you need to enable the TAXII service in the Juniper ATP Cloud, which is a different protocol for exchanging threat information2.

D. Enabling SRX Series firewalls to share threat intelligence with third party tools is not possible or supported. SRX Series firewalls can send potentially malicious objects and files to the Juniper ATP Cloud for analysis and receive threat intelligence from the Juniper ATP Cloud to block malicious traffic3. However, SRX Series firewalls cannot directly share threat intelligence with third party tools. You need to use the Juniper ATP Cloud as the intermediary for threat intelligence sharing.

Therefore, the correct answer is B and C. You need to enable Juniper ATP Cloud to share threat intelligence and configure application tokens in the Juniper ATP Cloud to limit who has access. To do so, you need to perform the following steps:

Enable and configure the TAXII service in the Juniper ATP Cloud. TAXII (Trusted Automated eXchange of Indicator Information) is a protocol for communication over HTTPS of threat information between parties. STIX (Structured Threat Information eXpression) is a language used for reporting and sharing threat information using TAXII. Juniper ATP Cloud can contribute to STIX reports by sharing the threat intelligence it gathers from file scanning. Juniper ATP Cloud also uses threat information from STIX reports as well as other sources for threat prevention2. To enable and configure the TAXII service, you need to select Configure > Threat Intelligence Sharing in the Juniper ATP Cloud WebUI, move the knob to the right to Enable TAXII, and move the slidebar to designate a file sharing threshold2.

Configure application tokens in the Juniper ATP Cloud. Application tokens are used to authenticate and authorize requests to the Juniper ATP Cloud API and the TAXII service. You can create and manage application tokens in the Juniper ATP Cloud WebUI by selecting Configure > Application Tokens. You can specify the name, description, expiration date, and permissions of each token. You can also revoke or delete tokens as needed. You can use the application tokens to limit who has access to your shared threat intelligence by granting or denying permissions to the TAXII service1.

References:

Threat Intelligence Open API Setup Guide

Configure Threat Intelligence Sharing

About Juniper Advanced Threat Prevention Cloud

NAT (Network Address Translation) is a method to map one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. There are different types of NAT, one of them is the persistent NAT which is a type of NAT that allows you to map the same internal IP address to the same external IP address each time a host initiates a connection.