Encrypted Traffic Insights (ETI), a feature of Juniper ATP Cloud, notifies SRX Series devices about known threats by providing threat intelligence feeds. These feeds contain lists of known malicious sites, such as Command and Control (C&C) servers, which are identified primarily by their domain names. The SRX device subscribes to and downloads these feeds. It then resolves the domain names to their corresponding IP addresses and populates a dynamic address group (DAG) with these IPs. This DAG is then used in security policies to block traffic to and from these malicious sites. The domain name is the core piece of information in the feed that identifies the known malware site.

A. certificates: Certificate metadata is analyzed by ETI to infer threats in encrypted traffic for unknown sites, not as the primary identifier for known malware sites in threat feeds.

B. dynamic address groups: This is the Junos OS mechanism on the SRX that consumes the threat intelligence; it is populated as a result of the notification, not the information used for the notification itself.

C. MAC addresses: These are Layer 2 hardware addresses and are not relevant for identifying or communicating threats from remote Internet-based malware sites.

1. Juniper Networks TechLibrary

Security Director Cloud Documentation

"Encrypted Traffic Insights Overview." This document states

"Encrypted traffic insights uses the following feeds to detect threats: C&C—Juniper ATP Cloud provides a list of C&C servers. The SRX Series device downloads this list and uses it to detect C&C threats." This establishes the use of feeds for known threats.

2. Juniper Networks TechLibrary

Junos OS Documentation

"Understanding Security Intelligence." This guide explains the mechanism: "The Security Intelligence feature allows you to use feeds of IP addresses

URLs

and domain names to protect your network resources from threats... When you configure a feed

the feed entries are loaded into a dynamic address group (DAG)." This explicitly confirms that domain names are a primary type of information in the feeds used to notify the SRX.

3. Juniper Networks TechLibrary

Junos OS Documentation

"Understanding Encrypted Traffic Insights." This document clarifies the process: "The SRX Series device downloads these feeds and populates the IP addresses into a dynamic address group (DAG)." This shows that the information from the feed (which includes domain names) is processed to populate the DAG for enforcement.