© 2015 by Pulse Secure, LLC. All rights reserved
Pulse Policy Secure
IDP and Unified Access Control
Product Release 5.3
Document Revision 1.0
Published: 2015-12-21
Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net
Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Pulse Policy Secure - IDP and Unified Access Control
The information in this document is current as of the date on the title page.
END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such
software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.pulsesecure.net/support/eula. By
downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
List of Figures 4
List of Tables 5
About This Guide 6
  Objectives 6
  Audience 6
  Documentation Conventions 6
  Documentation 8
    Obtaining Documentation 8
    Documentation Feedback 8
  Requesting Technical Support 8
    Self-Help Online Tools and Resources 8
    Opening a Case with PSGSC 9
PART 1 Intrusion Detection and Prevention with Unified Access Control 11
CHAPTER 1 UAC and IDP Interoperability 13
  About IDP Technology 13
  IDP Deployment Scenarios Overview 14
CHAPTER 2 Configuration 17
  Understanding Pulse Policy Secure Deployments with IDP Devices 17
    About IDP Devices 17
    Coordinated Threat Control Overview 18
    Deployments with IDP Series Devices 18
    Deployments with IDP-Enabled Infranet Enforcers 19
    Monitoring IDP-Reported Events 20
  Activating IDP for the ScreenOS or Junos Enforcer 20
  Managing Interoperation with IDP Devices 21
    Configuring Communication with an IDP Device 21
    Enabling or Disabling IDP Sensors 22
    Reconnecting to an IDP Sensor 22
    Refreshing and Displaying the Connection Status 23
    Deleting an IDP Sensor Entry 23
  Defining Automatic Response Sensor Event Policies 23
  Identifying and Managing Quarantined Users Manually 25
  Using Role-Based Policies to Monitor User Activity 26
  Understanding Coordinated Threat Control in a Federated Deployment 27
  Using IDP Devices in a Federated Deployment 28
Index 30
List of Figures
Figure 1: Pulse Policy Secure Series and Standalone IDP Topology 15
Figure 2: Pulse Policy Secure Series and ISG-IDP Topology 15
Figure 3: IDP in a Layer 2 Deployment 16
Figure 4: IF-MAP Federation in a Heterogeneous Network with IDP 27
List of Tables
Table 1: Notice Icons 6
Table 2: Text Conventions 7
About This Guide
Objectives
Audience
Documentation Conventions
Documentation
Obtaining Documentation
Documentation Feedback
Requesting Technical Support
Objectives
This guide describes basic configuration procedures for Pulse Policy Secure.
Audience
This guide is designed for network administrators who are configuring and maintaining a Pulse Policy
Secure Series device. To use this guide, you need a broad understanding of networks in general and the
Internet in particular, networking principles, and network configuration. Any detailed discussion of these
concepts is beyond the scope of this guide.
Documentation Conventions
Table 1 defines the notice icons used in this guide. Table 2 defines text conventions used throughout this
documentation.
Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that may result in loss of data or hardware damage.
Warning: Alert regarding risk of personal injury or death.
Laser warning: Alert regarding risk of personal injury from a laser.
Table 2: Text Conventions
Bold text
  Description: Represents keywords, scripts, and tools in text. Represents a GUI element that the user
  selects, clicks, checks, or clears.
  Examples: Specify the keyword exp-msg. Run the install.sh script. Use the pkgadd tool. To cancel the
  configuration, click Cancel.
Bold text like this
  Description: Represents text that the user must enter.
  Example: user@host# set cache-entry-age cache-entry-age
Fixed-width text like this
  Description: Represents information as displayed on your terminal's screen, such as CLI commands in
  output displays.
  Example:
    nic-locators {
      login {
        resolution {
          resolver-name /realms/login/A1;
          key-type LoginName;
          value-type SaeId;
        }
Regular sans serif typeface
  Description: Represents configuration statements. Indicates SRC CLI commands and options in text.
  Represents examples in procedures.
  Examples:
    system ldap server {
      stand-alone;
    Use the request sae modify device failover command with the force option.
    user@host# . . .
Italic sans serif typeface
  Description: Represents variables in SRC CLI commands.
  Example: user@host# set local-address local-address
Angle brackets
  Description: In text descriptions, indicate optional keywords or variables.
  Example: Another runtime variable is <gfwif>.
Key name
  Description: Indicates the name of a key on the keyboard.
  Example: Press Enter.
Key names linked with a plus sign (+)
  Description: Indicates that you must press two or more keys simultaneously.
  Example: Press Ctrl + b.
Italic typeface
  Description: Emphasizes words. Identifies book names. Identifies distinguished names. Identifies files,
  directories, and paths in text but not in command examples.
  Examples: There are two levels of access: user and privileged. SRC-PE Getting Started Guide.
  o=Users, o=UMC. The /etc/default.properties file.
Backslash
  Description: At the end of a line, indicates that the text wraps to the next line.
  Example:
    Plugin.radiusAcct-1.class=\
    net.pulsesecure.smgt.sae.plugin\
    RadiusTrackingPluginEvent
Words separated by the | symbol
  Description: Represent a choice to select one keyword or variable to the left or right of this symbol.
  (The keyword or variable may be either optional or required.)
  Example: diagnostic | line
Documentation
For a list of related Pulse Policy Secure documentation, see http://www.pulsesecure.net/support. If the
information in the latest Pulse Policy Secure Release Notes differs from the information in the
documentation, follow the Pulse Policy Secure Release Notes.
Obtaining Documentation
To obtain the most current version of all Pulse Secure technical documentation, see the products
documentation page at http://www.pulsesecure.net/techpubs.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the
documentation. You can send your comments to
Requesting Technical Support
Technical product support is available through the Pulse Secure Global Support Center (PSGSC).
Product warranties—For product warranty information, visit
http://www.pulsesecure.net/support
PSGSC hours of operation—The PSGSC centers have resources available 24 hours a
day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, the Pulse Secure Global Support Center (PSGSC) provides you with
the following features:
Find CSC offerings: http://www.pulsesecure.net/support
Search for known bugs: http://www.pulsesecure.net/support
Find product documentation: http://www.pulsesecure.net/support
Find solutions and answer questions using our Knowledge Base:
http://www.pulsesecure.net/support
Download the latest versions of software and review release notes:
http://www.pulsesecure.net/support
Search technical bulletins for relevant hardware and software notifications:
http://www.pulsesecure.net/support
Open a case online in the CSC Case Management tool: http://www.pulsesecure.net/support/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
http://www.pulsesecure.net/support
Opening a Case with PSGSC
You can open a case with PSGSC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.pulsesecure.net/support
Call 1-844 751 7629 (Toll Free, US).
For international or direct-dial options in countries without toll-free numbers, see:
http://www.pulsesecure.net/support
PART 1 Intrusion Detection and Prevention with Unified Access Control
UAC and IDP Interoperability
Configuration
CHAPTER 1 UAC and IDP Interoperability
About IDP Technology
IDP Deployment Scenarios Overview
About IDP Technology
Securing intranet application and resource traffic is vital to protecting the network. You can add
levels of application security to detect internal threats coming from users who are authenticated through
the Pulse Policy Secure Series device by integrating a Pulse Policy Secure Series device with a Juniper
Networks Intrusion Detection and Prevention (IDP) Sensor.
The Pulse Policy Secure Series device supports standalone IDP and IDP through the Juniper Networks
ISG Series Integrated Security Gateways Infranet Enforcer with the IDP Security Module (supported in
ScreenOS Release 6.2 or greater). With UAC Release 3.1, you can use SRX Series Services Gateway
IDP with Junos 10.0 (SRX 3400/3600/5600/5800). With UAC Release 4.1 and JunosOS Release 11.1,
Coordinated Threat Control (CTC) is supported on all SRX series devices.
The IDP sensor monitors the network on which the IDP system is installed. The sensor’s primary task is to
detect suspicious and anomalous network traffic based on specific rules defined in IDP rule bases.
The IDP device provides the following types of protection (some of which depend upon the specific
configuration):
Protects against attacks from user to application.
Detects and blocks most network worms based on software vulnerabilities.
Detects and blocks non-file-based Trojan Horses.
Detects and blocks effects of spyware, adware, and key loggers.
Detects and blocks many types of malware.
Detects and blocks zero day attacks through the use of anomaly detection.
NOTE: An IDP Sensor can send logs to one Pulse Policy Secure Series device
appliance only. However, a Pulse Policy Secure Series device appliance can
receive logs from more than one IDP Sensor.
Intrusion Detection and Prevention Sensors
Using the Pulse Policy Secure Series device’s admin console, you can configure and manage interaction
attributes between the Pulse Policy Secure Series device and an IDP, including the following:
(With standalone IDP) Global configuration parameters such as the IDP hostname or IP
address, the TCP port over which the sensor communicates with the Pulse Policy Secure
Series device, and the one-time password the Pulse Policy Secure Series device and IDP
use to authenticate with one another.
Various levels of attack severity warnings and the action that the Pulse Policy Secure
Series device takes.
If you are using standalone IDP Release 5.0 or later or ISG-IDP Release 6.3 or later, you can configure
IDP policies based on user roles with Network and Security Manager (NSM).
The IDP sits within the network and monitors traffic from endpoints that are connected through the Pulse
Policy Secure Series device. You can position the IDP in-line, or you can configure the IDP in sniffer
mode.
After the Pulse Policy Secure Series device connects with the IDP sensor, the Pulse Policy Secure Series
device registers all of the IP addresses to be monitored for potential threats. With standalone IDP, you
enter the IP addresses to monitor.
Any abnormal events detected by the IDP Sensor are reported to the Pulse Policy Secure Series device,
which you configure to take appropriate action based on the severity level of the reported events. The IDP
Sensor performs reporting functions that allow you to determine which IP address within the network has
launched the attacks, in addition to any normal logging the IDP has been configured to undertake.
With a large number of connected users, IDP can overwhelm the Pulse Policy Secure Series device with
more alert logs than it can process. In this situation, the number of logs sent by the IDP to the Pulse Policy
Secure Series device can be controlled by decreasing the severity level setting in the IDP connection
settings.
With IDP deployments using the Infranet Enforcer and the IDP Security Module, the Infranet Enforcer can
send messages to OAC or the Pulse debug log.
Related Documentation
IDP Deployment Scenarios Overview
Understanding Pulse Policy Secure Deployments with IDP Devices
Activating IDP for the ScreenOS or Junos Enforcer
Managing Interoperation with IDP Devices
Using Role-Based Policies to Monitor User Activity
IDP Deployment Scenarios Overview
Three possible deployment scenarios are shown in the following figures.
In Figure 1 the standalone IDP is located within the internal network. All network traffic originating from
endpoints that are registered with the IDP is monitored. You can deploy IDP in sniffer mode, or inline
mode. You can use transparent mode or route mode with an inline mode configuration.
In the first deployment example, the IDP does not monitor IPsec traffic from the user to protected
resources.
Figure 1: Pulse Policy Secure Series and Standalone IDP Topology
To monitor all IPsec traffic from users to protected resources, deploy the IDP behind the Infranet Enforcer,
as shown in Figure 2.
Figure 2: Pulse Policy Secure Series and ISG-IDP Topology
Figure 3 depicts IDP in a Layer 2 network. The device serves as a policy enforcement point and controls
user access based on Pulse Policy Secure Series device policy decisions.
Figure 3: IDP in a Layer 2 Deployment
You can deploy up to ten IDP devices in a network with the Pulse Policy Secure Series device.
Performance is based on how rapidly sessions are created or changed, the number of events that IDP
sends to the Pulse Policy Secure Series device, and the efficiency of the network links that connect the
devices. IDP devices must be connected over a high-speed LAN link.
In a clustering environment, only one member of a Pulse Policy Secure Series device cluster exchanges
information with an IDP sensor. If the connected Pulse Policy Secure Series device fails or is shut down,
another cluster member will assume the load.
Related Documentation
About IDP Technology
Understanding Pulse Policy Secure Deployments with IDP Devices
Managing Interoperation with IDP Devices
CHAPTER 2 Configuration
Understanding Pulse Policy Secure Deployments with IDP Devices
Activating IDP for the ScreenOS or Junos Enforcer
Managing Interoperation with IDP Devices
Defining Automatic Response Sensor Event Policies
Identifying and Managing Quarantined Users Manually
Using Role-Based Policies to Monitor User Activity
Understanding Coordinated Threat Control in a Federated Deployment
Using IDP Devices in a Federated Deployment
Understanding Pulse Policy Secure Deployments with IDP Devices
This topic provides an overview of deployments with IDP devices. It includes the following content:
About IDP Devices
Coordinated Threat Control Overview
Deployments with IDP Series Devices
Deployments with IDP-Enabled Infranet Enforcers
Monitoring IDP-Reported Events
About IDP Devices
The IDP Sensor is a powerful tool to counteract users who initiate attacks. The IDP sensor monitors the
network on which the IDP system is installed. The IDP sits within the network and monitors traffic from
endpoints that are connected through the Pulse Policy Secure Series device. You can position the IDP in-
line, or you can configure the IDP in sniffer mode. The sensor’s primary task is to detect suspicious and
anomalous network traffic based on specific rules defined in IDP rule bases.
The IDP device provides the following types of protection (some of which depend upon the specific
configuration):
Protects against attacks from user to application.
Detects and blocks most network worms based on software vulnerabilities.
Detects and blocks non-file-based Trojan Horses.
Detects and blocks effects of spyware, adware, and key loggers.
Detects and blocks many types of malware.
Detects and blocks zero day attacks through the use of anomaly detection.
Coordinated Threat Control Overview
In a coordinated threat control deployment, the IDP device reports abnormal events to the Pulse Policy
Secure Series device. The attack logs sent by the IDP device include the source and destination IP
addresses and port numbers of the attacking host, and the resource against which the attack was
launched, along with the attack identifier, severity of the attack, and the time at which the attack was
launched.
The Pulse Policy Secure Series device displays the attack information received from the IDP sensor on
the Active Users page. Based on the attacker’s IP address and port number, the Pulse Policy Secure
Series device can uniquely identify the user’s session.
When you learn that an attack has been launched by an active user, you can disable the user’s account,
end the user’s session, or remediate to a different role. You can choose automatic or manual actions for
attacks detected by the IDP sensor. For manual action, you look up the information available on the Active
Users page and decide on an action. For automatic action, you configure the action in advance when you
define IDP policies.
The Pulse Policy Secure Series device displays an error message to the user whose account has been
disabled indicating the reason.
Deployments with IDP Series Devices
You can deploy Pulse Policy Secure Series devices with IDP Series devices in coordinated threat control
deployments and user-role-based IDP policy deployments. User-role-based IDP policy deployments
require IDP Series 5.0 or later. To display the version of an associated IDP device in the Access Control
Service admin console, select System > Configuration > Sensors.
NOTE: An IDP Sensor can send logs to one Pulse Policy Secure Series device
appliance only. However, a Pulse Policy Secure Series device appliance can
receive logs from more than one IDP Sensor.
Chapter 2: Configuration
Using the Pulse Policy Secure Series device’s admin console, you can configure and manage interaction
attributes between the Pulse Policy Secure Series device and an IDP Series device, including the
following:
Global configuration parameters such as the IDP hostname or IP address, the TCP port
over which the sensor communicates with the Pulse Policy Secure Series device, and the
one-time password the Pulse Policy Secure Series device and IDP use to authenticate
with one another.
Various levels of attack severity warnings and the action that the Pulse Policy Secure
Series device takes.
IP addresses to monitor.
With a large number of connected users, IDP can overwhelm the Pulse Policy Secure Series device with
more alert logs than it can process. In this situation, the number of logs sent by the IDP to the Pulse Policy
Secure Series device can be controlled by decreasing the severity level setting in the IDP connection
settings.
NOTE: With Pulse Policy Secure Release 4.0, licensing is no longer required to use
IDP in a UAC deployment.
Deployments with IDP-Enabled Infranet Enforcers
The Pulse Policy Secure Series device also supports IDP through the Juniper Networks ISG Series
Integrated Security Gateways Infranet Enforcer with the IDP Security Module (supported in ScreenOS
Release 6.2 or greater). With UAC Release 3.1, you can use SRX Series Services Gateway IDP with
Junos 10.0 (SRX 3400/3600/5600/5800). With UAC Release 4.1 and JunosOS Release 11.1, coordinated
threat control is supported on all SRX series devices.
Unlike a standalone IDP, which requires manual configuration on the IDP to allow communication with the
Pulse Policy Secure Series device, the ScreenOS Enforcer or the Junos Enforcer uses the existing
communication channel with the Pulse Policy Secure Series device.
If you are using integrated IDP with the ISG-1000 or ISG-2000, see:
http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/screenos/product/index.html.
If you are using Junos IDP with JunosOS Release 10.0, see Junos OS Initial Configuration Guide for Security
Devices. ISG-IDP and CTC are configured the same way on the Pulse Policy Secure Series device.
When ISG-IDP or Junos IDP are activated, ScreenOS or Junos notifies the Pulse Policy Secure Series device
when an attack event is detected from any endpoint. To avoid overwhelming the SSH connection between the
Pulse Policy Secure Series device and the Infranet Enforcer, the number of attack notifications is limited to ten
per second. If additional attacks are detected, the Infranet Enforcer holds an additional ten notifications in a
queue.
ISG-IDP or Junos devices attached to any node in a cluster may send messages regarding sessions attached
to any node in the cluster.
There is a Use IDP module as Sensor check box on the Infranet Enforcer admin console page. If you select the
check box and there is no IDP module or if the Enforcer is not running a compatible version, the Pulse Policy
Secure Series device logs an appropriate message.
With IDP deployments using the Infranet Enforcer and the IDP Security Module, the Infranet Enforcer can send
messages to OAC or the Pulse debug log.
Monitoring IDP-Reported Events
After the IDP Sensor has been set up, you can specify the events you want the IDP to watch for and the
actions that the Pulse Policy Secure Series device takes once a particular event has been noted and reported.
In two locations on the Pulse Policy Secure Series device, you can specify actions to be taken in response to
users that perform attacks:
Sensor Event policies page—Define the policy on this page to generate an automatic
response to users who perform attacks.
Users page—Manually identify and quarantine or disable users on the Active Users page,
which lists users who have performed attacks.
Related Documentation
Managing Interoperation with IDP Devices
IDP Deployment Scenarios Overview
Using Role-Based Policies to Monitor User Activity
Activating IDP for the ScreenOS or Junos Enforcer
Activating IDP for the ScreenOS or Junos Enforcer
To activate ISG-IDP or Junos IDP on the Pulse Policy Secure Series device:
1. Select UAC > Infranet Enforcer in the Pulse Policy Secure Series device admin console.
2. Select the name of the Enforcer on which you want to activate IDP.
3. Select the Use IDP Module as Sensor check box. Additional options are presented.
4. Select For sessions provisioned for this Enforcer only to limit monitored sessions to this device.
This is applicable in an IF-MAP Federation network.
5. Select 1 - INFO through 5 - Critical from the Severity menu. The severity filter allows you to
specify the level of attacks that the Infranet Enforcer reports to the Pulse Policy Secure Series
device. For example, if you select 3, only level 3 attacks or higher are reported.
Related Documentation
IDP Deployment Scenarios Overview
Understanding Pulse Policy Secure Deployments with IDP Devices
Managing Interoperation with IDP Devices
Managing Interoperation with IDP Devices
The Sensors tab allows you to specify the system settings the Pulse Policy Secure Series device uses to
establish a connection to an IDP device. Select System > Configuration > Sensors > Sensors. The main
Sensor page displays the sensor, the network address, the state (enabled), the version, and the status of
any configured sensors. The following sections describe tasks related to configuring and managing
interaction between the Pulse Policy Secure Series device and an IDP Sensor:
Configuring Communication with an IDP Device
Enabling or Disabling IDP Sensors
Reconnecting to an IDP Sensor
Refreshing and Displaying the Connection Status
Deleting an IDP Sensor Entry
Configuring Communication with an IDP Device
To configure communication with an IDP device and an IDP log monitoring policy:
1. In the admin console, select System > Configuration > Sensors.
NOTE: To use the IDP sensor with the Pulse Policy Secure Series device you
must enable logging for the applicable policies.
2. Click New Sensor. The admin console displays the New Sensor page.
3. Under Sensor Properties, specify the following information:
Name—A name the Pulse Policy Secure Series device uses to identify the new
connection entry.
Hostname—The hostname or IP address of the IDP Sensor to which the Pulse Policy
Secure Series device connects in order to receive application and resource attack alert
messages.
Port—The TCP port on the IDP Sensor to which the Pulse Policy Secure Series
device listens when receiving application and resource attack alert messages.
One-time password—The encrypted password the Pulse Policy Secure Series device
uses when conducting the initial Transport Layer Security (TLS) handshake with the
IDP Sensor. You must enter the encrypted Pulse Policy Secure Series device OTP
password as displayed on the IDP ACM configuration summary screen.
NOTE: The hostname, TCP port, and one-time password must already be
configured on the IDP Sensor before this configuration can be successful.
4. Under Monitoring Options, specify IP addresses to monitor and the minimum alert severity
level the IDP Sensor records and submits to the Pulse Policy Secure Series device:
In the Addresses to Monitor field, specify individual IP addresses and address ranges,
one entry per line. IDP reports attack information only for the IP addresses that you
specify. For IDP to report all events to the Pulse Policy Secure Series device, enter
0.0.0.0/0. For IDP to report only selected events, enter <default> so that IDP reports
only events whose source IP has an active user session on the Pulse Policy Secure
Series device, and/or enter one or more addresses or address ranges for any endpoints
that you want the IDP sensor to report on.
NOTE: With ISG-IDP or Junos IDP, you do not need to specify which IP
addresses to monitor. The Infranet Enforcer monitors all IP addresses for which
auth tables exist.
Select one of the severity options available in the Severity filter drop-down list. The
severity level is a number on a scale from 1 to 5, where 1 is informational and 5 is
critical. This option sets the minimum severity of messages the IDP should send to the
Pulse Policy Secure Series device.
5. Click Save Changes.
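The filtering and correlation described in the Coordinated Threat Control overview and in the Monitoring Options step above, modelled as an added Python example (this is not Pulse Secure code): attack logs are dropped below the severity filter, checked against the Addresses to Monitor entries (including 0.0.0.0/0 and <default>), and then matched to active sessions by source IP. The AttackLog fields, the session table keyed by source IP, and all sample data are constructed assumptions.

```python
"""Model of how IDP attack logs reach the Pulse Policy Secure device and
are attributed to users. Added illustration, not product code; field names,
the session table and every sample value below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttackLog:
    """Attack-log fields the chapter says an IDP sensor reports (assumed names)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    attack_id: str
    severity: int      # 1 = informational ... 5 = critical
    time: str


class MonitorList:
    """Parses the 'Addresses to Monitor' field: one entry per line, each an IP
    address or CIDR range, 0.0.0.0/0 for everything, or <default> meaning any
    source IP that currently has an active user session on the device."""

    def __init__(self, text: str) -> None:
        self.default = False
        self.networks = []
        for raw in text.splitlines():
            entry = raw.strip()
            if not entry:
                continue
            if entry == "<default>":
                self.default = True
            else:
                # strict=False accepts a bare host address as a /32
                self.networks.append(ipaddress.ip_network(entry, strict=False))

    def covers(self, src_ip: str, has_session: bool) -> bool:
        if self.default and has_session:
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.networks)


def reported_logs(logs: List[AttackLog], monitor: MonitorList,
                  severity_filter: int, sessions: Dict[str, str]) -> List[AttackLog]:
    """Logs the sensor would send: severity at or above the filter (the chapter's
    'select 3, only level 3 or higher' rule) and source IP covered by the list."""
    out = []
    for log in logs:
        if log.severity < severity_filter:
            continue
        if monitor.covers(log.src_ip, log.src_ip in sessions):
            out.append(log)
    return out


def attribute_to_users(logs: List[AttackLog], monitor: MonitorList,
                       severity_filter: int,
                       sessions: Dict[str, str]) -> List[Tuple[Optional[str], str]]:
    """(user, attack_id) per reported log; user is None when the source IP has no
    active session and so cannot appear on the Active Users page. Assumption:
    sessions are keyed by source IP only (the product also uses the port)."""
    return [(sessions.get(log.src_ip), log.attack_id)
            for log in reported_logs(logs, monitor, severity_filter, sessions)]


# Constructed sample: an Addresses to Monitor entry, a session table, four logs.
SAMPLE_MONITOR = MonitorList("<default>\n10.20.0.0/16\n")
SAMPLE_SESSIONS = {"10.10.1.5": "alice", "192.168.7.9": "bob"}
SAMPLE_LOGS = [
    AttackLog("10.10.1.5", 51000, "10.50.0.10", 445, "SAMPLE-WORM", 4, "10:00:00"),
    AttackLog("192.168.7.9", 40000, "10.50.0.11", 80, "SAMPLE-SCAN", 2, "10:00:01"),
    AttackLog("10.20.3.3", 1234, "10.50.0.12", 22, "SAMPLE-BRUTE", 5, "10:00:02"),
    AttackLog("172.16.0.2", 5555, "10.50.0.13", 443, "SAMPLE-EXPLOIT", 5, "10:00:03"),
]

if __name__ == "__main__":
    # With severity filter 3: alice's log is attributed, the 10.20.0.0/16 log is
    # reported but unattributed, bob's level-2 log and the unmonitored host are dropped.
    for user, attack in attribute_to_users(SAMPLE_LOGS, SAMPLE_MONITOR, 3, SAMPLE_SESSIONS):
        print(user or "<no session>", attack)
```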
Enabling or Disabling IDP Sensors
To enable or disable existing IDP Sensor entries on the Pulse Policy Secure Series device:
1. In the admin console, select System > Configuration > Sensors.
2. Select the check box for one or more IDP Sensor entries to enable or disable.
3. Click Enable or Disable to enable or disable the specified IDP Sensor entries, respectively.
Reconnecting to an IDP Sensor
When the connection to an IDP Sensor is down, you can use the admin console on the Pulse Policy Secure
Series device to re-establish the connection. You can also use the admin console to refresh the status of
existing connections between the Pulse Policy Secure Series device and the IDP Sensor.
To re-establish communication with an IDP Sensor, you must generate a new One-time Password.
To reconnect to an associated IDP Sensor:
1. In the admin console, select System > Configuration > Sensors.
2. Select the check box next to the IDP Sensor to which you want to reconnect.
3. Click Reconnect.
The admin console displays a message indicating that the Pulse Policy Secure Series device is currently
attempting to re-establish connection to the specified IDP Sensor. This page automatically refreshes each
second during the reconnection process. Otherwise, the connection status page automatically refreshes once
every 30 seconds.
Refreshing and Displaying the Connection Status
To refresh and display the connection status for the specified IDP Sensor:
1. In the admin console, select System > Configuration > Sensors.
2. Select the check box for one or more IDP Sensor entries to display current connection status.
3. Click Refresh.
Deleting an IDP Sensor Entry
You can delete existing IDP Sensor entries that define a connection between the Pulse Policy Secure
Series device and an IDP Sensor.
To delete one or more existing IDP Sensor entries from the Pulse Policy Secure Series device:
1. In the admin console, select System > Configuration > Sensors.
2. Select the check box for the IDP Sensor entry or entries to delete.
3. Click Delete, then confirm that you want to delete the sensor entry or entries.
Related
Documentation
Defining Automatic Response Sensor Event Policies
Identifying and Managing Quarantined Users Manually
Using Role-Based Policies to Monitor User Activity
Defining Automatic Response Sensor Event Policies
Select System > Configuration > Sensors > Sensor Event Policies to specify one or more rules that
define the action(s) the Pulse Policy Secure Series device takes when it receives attack alert messages
from an IDP Sensor.
To create a new IDP rule:
1. In the admin console, select System > Configuration > Sensors > Sensor Event Policies.
2. On the Sensor Event Policies page, click New Rules.
3. On the Juniper IDP Rule page, in the Rule: On Receiving... section:
Select an existing event from the Event list.
Click Events to edit an existing event or create a new type of event and add it to the
options in the Events list:
a. Specify a name for the event.
b. Populate the Expressions field by manually entering expressions or by selecting one or
more clauses from the Expressions Dictionary. Click Insert Expression.
For example, to check for all critical/highest severity level attacks, enter the following
expression:
idp.severity >= 4
To check for all critical/highest severity level attacks for HTTP traffic, enter the following
expression:
idp.severity >= 4 AND idp.attackStr = "*HTTP*"
c. When you finish entering the expressions you want to apply to this event, click Add
Expression.
d. Click Close.
4. In the Count this many times section, specify a number between 1 and 256 to determine the
number of times an event occurs before action is taken.
5. In the ...then perform this action section, specify one of the following actions:
Ignore (just log the event)—Specifies that the Pulse Policy Secure Series device
should log the event, but take no further action against the user profile to which this
rule applies. This option is best used to deal with very minor “informational” attack alert
messages that come from the IDP Sensor.
Terminate User Session—Specifies that the Pulse Policy Secure Series device should
immediately terminate the user session and require the user to sign in to the Pulse
Policy Secure Series device again.
Disable user account—Specifies that the Pulse Policy Secure Series device should
disable the user profile associated with this attack alert message, thus rendering the
client unable to sign in to the Pulse Policy Secure Series device until the administrator
re-enables the user account. (This option is applicable only for users who have a local
Pulse Policy Secure Series device user account.)
Replace user’s role with this one—Specifies that the role applied to this user’s profile
should change to the role you select from the associated list. This new role remains
assigned to the user profile until the session terminates. This feature allows you to assign
a user to a specific controlled role of your choice, based on specific IDP events. For
example, if the user performs attacks, you might assign the user to a restricted role that
limits the user’s access and activities.
Select one of the following options for this role assignment:
Permanent—The user remains in the quarantined state across subsequent logins
until the administrator releases the user from the quarantined state.
For this session only—Default. The user can log in to another session.
6. In the Roles section, specify:
Policy applies to ALL roles—To apply this policy to all users.
Policy applies to SELECTED roles—To apply this policy only to users who are
mapped to roles in the Selected roles list. Be sure to add roles to this list from the
Available roles list.
Policy applies to all roles OTHER THAN those selected below—To apply this policy to
all users except for those who are mapped to the roles in the Selected roles list. Make
sure to add roles to this list from the Available roles list.
7. Click Save Changes.
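As an added example (not code from the Pulse Secure guide), the rule described in steps 3 to 6 modelled end to end: an evaluator for the expression forms shown above, the 1 to 256 occurrence count, the role scope (ALL, SELECTED, OTHER THAN) and the four actions. The constructed alert, the assumed user/roles/local_account fields, and the counter restarting after the rule fires are assumptions.

```python
import fnmatch
import operator
import re

# Constructed alert; idp.* names follow the page's expressions, the rest are assumed fields.
ALERT = {"idp.severity": 5, "idp.attackStr": "HTTP:EXPLOIT:BUFFER-OVERFLOW",
         "user": "alice", "roles": {"Employees"}, "local_account": True}

_CLAUSE = re.compile(r'^\s*([\w.]+)\s*(>=|<=|=|>|<)\s*"?([^"]*?)"?\s*$')
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}

def eval_expression(expression, alert):
    """Evaluate e.g. idp.severity >= 4 AND idp.attackStr = "*HTTP*": numeric comparisons,
    "=" with * wildcards on strings, AND-joined clauses (assumed subset of the language)."""
    expression = expression.replace("\u201c", '"').replace("\u201d", '"')
    for clause in re.split(r"\s+AND\s+", expression.strip()):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError("unsupported clause: " + clause)
        field, op, value = m.groups()
        actual = alert.get(field)
        if actual is None:
            return False
        if isinstance(actual, (int, float)):
            ok = _OPS[op](actual, float(value))
        elif op == "=":
            ok = fnmatch.fnmatchcase(str(actual), value)
        else:
            raise ValueError("string fields support only =: " + clause)
        if not ok:
            return False
    return True

class SensorEventPolicy:
    """On receiving <expression> <count> times, perform <action> for the roles in scope."""
    def __init__(self, expression, count, action, scope="ALL", roles=(),
                 new_role=None, permanent=False):
        if not 1 <= count <= 256:
            raise ValueError("count must be between 1 and 256")
        self.expression, self.count, self.action = expression, count, action
        self.scope, self.roles = scope, frozenset(roles)   # ALL, SELECTED or OTHER
        self.new_role, self.permanent = new_role, permanent
        self.hits = {}                                      # occurrences per user

    def applies_to(self, user_roles):
        if self.scope == "ALL":
            return True
        overlap = bool(self.roles & set(user_roles))
        return overlap if self.scope == "SELECTED" else not overlap

    def on_alert(self, alert):
        # Returns the action to take, or None while the occurrence count is not yet reached.
        if not self.applies_to(alert["roles"]) or not eval_expression(self.expression, alert):
            return None
        n = self.hits[alert["user"]] = self.hits.get(alert["user"], 0) + 1
        if n < self.count:
            return None
        self.hits[alert["user"]] = 0   # assumption: the counter restarts once the rule fires
        if self.action == "Disable user account" and not alert.get("local_account"):
            return "Ignore"            # this action applies only to local device accounts
        if self.action == "Replace user's role":
            return (self.action, self.new_role,
                    "Permanent" if self.permanent else "For this session only")
        return self.action
```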
Related
Documentation
Managing Interoperation with IDP Devices
Identifying and Managing Quarantined Users Manually
Using Role-Based Policies to Monitor User Activity
Identifying and Managing Quarantined Users Manually
When the Pulse Policy Secure Series device quarantines a user based on an attack, you can display
and manage the user's state by locating the user link on the Active Users page. A quarantined user
is identified by:
A small warning icon displayed in front of the username.
The linked username.
An enabled Quarantined option button on the specific user's page. If the user is not
quarantined, the option button is disabled.
To manage quarantined users:
1. Identify quarantined users at System > Status > Active Users.
2. Locate the quarantined user and click on the username link. The user page opens, showing
a number of options.
3. Click Disabled to disallow a user from authenticating.
4. Click Quarantined to leave a user in a quarantined state. The Quarantined option is enabled
only if the user is already quarantined.
NOTE: The Pulse Policy Secure Series device assigns quarantined users to the
quarantined role, regardless of their login realm.
5. Click Save Changes.
6. To re-enable previously quarantined or disabled users, select Authentication > Auth.
Servers > Select Server > Users and click the link for the given user.
NOTE: You can also disable users from this location.
7. Click Enabled to release the user from quarantine.
8. Click Save Changes.
All Sensor events are logged at System > Log/Monitoring > Sensors > Log.
Related
Documentation
Managing Interoperation with IDP Devices
Defining Automatic Response Sensor Event Policies
Using Role-Based Policies to Monitor User Activity
Using Role-Based Policies to Monitor User Activity
If you are using IDP Release 5.0 or greater or ScreenOS ISG-IDP Release 6.3 or greater, you can add
enhanced user management capabilities to your Pulse Policy Secure Series device IDP deployment. This
feature is supported for endpoints using OAC, Pulse, and users who connect with agentless access.
Junos IDP does not support this feature at this time.
Using Network and Security Manager (NSM), you can configure application policies that are role-based to
monitor endpoints and enforce IDP rules.
When a user session is established on the Pulse Policy Secure Series device, the Pulse Policy Secure
Series device pushes session information including IP address, username and the roles to which the user
is assigned to the IDP. The session information allows IDP to apply policies based on user roles, or on the
username which is added to the IDP log.
Since role selection for a user can be based on the results of Host Checker policies, you can set policies
that are based on Host Checker results. For example, if a user is assigned to a restrictive role based on
the results of a Host Checker policy requiring a particular instant messaging software patch, you can
restrict instant messenger traffic for that role.
The Pulse Policy Secure Series device keeps the IDP device updated when a user’s role changes or
when a session is deleted. IDP’s application policy enforcement reflects the most currently available
information about a user.
For OAC users who authenticate via Layer 2, there is a short gap in role-based application policy
enforcement until the endpoint obtains an IP address. During this period, IDP policies based on source IP
are enforced.
If role-based policies are less restrictive than IP address-based policies, some users could be
inadvertently blocked during this period. Once session information about the endpoint is obtained,
IDP re-evaluates the endpoint and applies the less restrictive policies.
If role-based policies are more restrictive than IP address-based policies, IDP cannot apply the more
restrictive policies, and an endpoint could engage in potentially damaging behavior before session
information is sent.
If you are using the Pulse Policy Secure Series device and IDP in a network that employs IF-MAP client
and server Federation, and IDP detects an attack that is attributed to a session, IDP informs the Pulse
Policy Secure Series device about the attack. Upon notification, the Pulse Policy Secure Series device
publishes the information to any attached IF-MAP servers. The IF-MAP server notifies the Pulse Policy
Secure Series device that originally published the session and the Pulse Policy Secure Series device
takes the appropriate action based on the applicable Sensor Event Policies.
Related
Documentation
About IDP Technology
Defining Automatic Response Sensor Event Policies
Managing Interoperation with IDP Devices
Understanding Coordinated Threat Control in a Federated Deployment
Understanding Coordinated Threat Control in a Federated Deployment
You can use Juniper Networks IDP Series Intrusion Detection and Prevention Appliance with Federation
to detect attacks from within the network. Any endpoint that is on any connected Pulse Policy Secure
Series device or SA appliance can be monitored for suspect activity. IF-MAP clients can work together to
provide coordinated threat control across all attached enforcement points.
Endpoints running Network Connect that access an SA appliance can be monitored by standalone IDP.
Endpoints that access a Pulse Policy Secure Series device can be monitored by standalone IDP,
Integrated Security Gateway Intrusion Detection and Prevention (ISG-IDP), or SRX Series Services
Gateway IDP.
The IDP device reports attacks to the Pulse Policy Secure Series device or SA appliance to which it is
connected. The Pulse Policy Secure Series device or SA appliance configured as an IF-MAP client reports
the user’s activity to the IF-MAP server using IF-MAP. The IF-MAP server notifies the authenticating Pulse
Policy Secure Series device or SA appliance about the attack, and the authenticating device applies its
IDP sensor policies. If new roles or restrictions are imposed on the endpoint based on policies configured
on the device, the Pulse Policy Secure Series device or the SA appliance publishes the new session
information for the endpoint to the IF-MAP server.
When any other Pulse Policy Secure Series device or SA appliance polls the IF-MAP server, the newly
published session information for the user determines the protected resources that the user can access.
See the Unified Access Control Administration Guide.
Figure 4 demonstrates a configuration with IDP incorporated.
Figure 4: IF-MAP Federation in a Heterogeneous Network with IDP
The following steps summarize the interaction with IDP in an IF-MAP federated network.
1. The endpoint successfully accesses Pulse Policy Secure Series device or SA appliance 1 and
publishes session data to the IF-MAP server through Session-Export policies.
2. The endpoint attempts to access protected resources behind the Infranet Enforcer, which is
connected to Pulse Policy Secure Series device 3. Pulse Policy Secure Series device 3 uses
IF-MAP to query the IF-MAP server for session information about the endpoint. After receiving
session information, Pulse Policy Secure Series device 3 uses Session-Import policies to
determine roles and then provisions an auth table entry on the Infranet Enforcer. Pulse Policy
Secure Series device 3 subscribes to updates about the endpoint's session data.
3. After the endpoint is successfully connected to resources behind the Infranet Enforcer, IDP
detects an attack originating from the endpoint.
4. IDP notifies Pulse Policy Secure Series device 2 of the attack. (If IDP is standalone IDP, Pulse
Policy Secure Series device 2 could also be an SA appliance. If IDP is an Infranet Enforcer with
the ISG-IDP security module, Pulse Policy Secure Series device 2 cannot be an SA appliance,
because the SA appliance does not communicate with the Infranet Enforcer.)
5. Pulse Policy Secure Series device 2 updates the endpoint session data on the IF-MAP server
with information about the attack.
6. The IF-MAP server notifies Pulse Policy Secure Series device 1 or SA appliance 1 (the original
authenticating device) about the attack. The authenticating Pulse Policy Secure Series device or
SA appliance is responsible for consuming the attack.
7. The authenticating Pulse Policy Secure Series device or SA appliance applies its sensor policies
to the endpoint and updates the endpoint’s session according to actions specified in the sensor
policies. For example, the endpoint must be assigned a more restrictive role. The Pulse Policy
Secure Series device or SA appliance publishes the new session information to the IF-MAP
server, and the new information replaces the old data.
8. The IF-MAP server notifies any Pulse Policy Secure Series devices that subscribe to updates
about the endpoint. This includes Pulse Policy Secure Series device 3, which is connected to the
Infranet Enforcer.
9. Pulse Policy Secure Series device 3 applies Session-Import policies to the new session data for
the endpoint and pushes the resulting roles to the Infranet Enforcer.
10. If the new set of roles denies access to the protected resources, access is denied.
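The ten-step interaction above, as an added simulation that is not part of the Pulse Secure guide: IfMapServer and PolicySecure are constructed stand-ins (the server keeps one session per endpoint, remembers the publishing device and notifies subscribers), the authenticating device's sensor event policy is fixed to "replace the role", and the guide's device numbering is kept in the comments.

```python
class IfMapServer:
    """Constructed model of an IF-MAP server: one session per endpoint IP, the device
    that first published it (the authenticating device), and subscribers to updates."""
    def __init__(self):
        self.sessions, self.owner, self.subs = {}, {}, {}

    def publish(self, ip, session, publisher):
        self.sessions[ip] = dict(session)
        self.owner.setdefault(ip, publisher)
        targets = [self.owner[ip]] + [d for d in self.subs.get(ip, []) if d is not self.owner[ip]]
        for dev in targets:
            if dev is not publisher:        # the publisher already holds this data
                dev.on_update(ip, dict(self.sessions[ip]))

    def search(self, ip, subscriber):
        """Return the endpoint's session data and subscribe the caller to later updates."""
        subs = self.subs.setdefault(ip, [])
        if subscriber not in subs:
            subs.append(subscriber)
        return dict(self.sessions.get(ip, {}))

class PolicySecure:
    """Constructed model of a Pulse Policy Secure device acting as an IF-MAP client."""
    def __init__(self, name, server, restricted_role="Quarantine"):
        self.name, self.server, self.restricted_role = name, server, restricted_role
        self.authenticated = set()   # endpoints this device authenticated (step 1)
        self.enforcer_roles = {}     # auth table entries pushed to its Enforcer (step 2)

    def login(self, ip, user, roles):
        """Step 1: authenticate the endpoint and export its session to the IF-MAP server."""
        self.authenticated.add(ip)
        self.server.publish(ip, {"user": user, "roles": set(roles)}, self)

    def provision(self, ip):
        """Step 2: import the session and provision an auth table entry on the Enforcer."""
        self.enforcer_roles[ip] = set(self.server.search(ip, self)["roles"])

    def allows(self, ip, role):
        """Step 10: the Enforcer grants access only if a provisioned role permits it."""
        return role in self.enforcer_roles.get(ip, set())

    def report_attack(self, ip, attack):
        """Steps 4-5: the sensor-connected device attaches the attack to the session."""
        self.server.publish(ip, dict(self.server.sessions[ip], attack=attack), self)

    def on_update(self, ip, session):
        if ip in self.authenticated and "attack" in session:
            # Steps 6-7: only the authenticating device consumes the attack; its sensor
            # event policy (assumed here: replace the role) rewrites the session.
            session.pop("attack")
            session["roles"] = {self.restricted_role}
            self.server.publish(ip, session, self)
        elif ip in self.enforcer_roles:
            # Steps 8-9: a subscriber re-imports the roles and pushes them to its Enforcer.
            self.enforcer_roles[ip] = set(session["roles"])

if __name__ == "__main__":
    srv = IfMapServer()
    pps1, pps2, pps3 = (PolicySecure(n, srv) for n in ("PPS1", "PPS2", "PPS3"))
    pps1.login("10.0.0.5", "alice", ["Employees"])      # step 1
    pps3.provision("10.0.0.5")                          # step 2
    pps2.report_attack("10.0.0.5", "HTTP:EXPLOIT")      # steps 3-5, then 6-9 via callbacks
    print(pps3.allows("10.0.0.5", "Employees"))         # False: access now denied (step 10)
```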
Related
Documentation
Using IDP Devices in a Federated Deployment
Using IDP Devices in a Federated Deployment
This example details how to configure two Pulse Policy Secure Series device clusters with an ISG-IDP device to
provide protection in an IF-MAP federated network.
1. Configure data center 1 active/passive cluster as an IF-MAP server. Data center 1 resources are
protected with an ISG-IDP Infranet Enforcer.
2. Configure data center 2 active/passive cluster as an IF-MAP client connected to data center 1.
3. Configure source IP policies on the data center 1 Enforcer for users who need access to
protected resources, including users whose sessions are federated from data center 2.
4. Configure the IDP sensor to communicate with the Pulse Policy Secure Series device in data
center 1. Configure the addresses to monitor on the Pulse Policy Secure Series appliances in data
center 1 to include the IP addresses of users from data center 2.
5. Configure sensor event policies on each Pulse Policy Secure in the network. Configure the
sensor event policy on the Pulse Policy Secure Series appliance through which users are
authenticated. Each authenticating Pulse Policy Secure or SA needs to have sensor event
policies configured, even if the authenticating device does not connect directly to a sensor.
When a user successfully accesses data center 1 and attempts to access resources on data center 2, the
user's session is published to the IF-MAP server. The data center 2 Pulse Policy Secure appliance
subscribes to the session information. If the user launches an attack, the IDP rules configured on data
center 1 are applied.
Related
Documentation
Understanding Coordinated Threat Control in a Federated Deployment
Index
A
application policy enforcement, with IDP ..... 26
C
conventions
    notice icons ..... 6
    text conventions ..... 7
    technical support ..... 8
    contacting PSGSC ..... 9
D
Documentation, comments on ..... 8
I
IDP and IF-MAP, concepts ..... 27
IDP and Junos, configuring ..... 19
IDP and role-based policies ..... 26
IDP and ScreenOS, configuring ..... 19
IDP configuration ..... 13, 18
IDP deployment examples ..... 14
IDP interaction ..... 17
IDP licensing ..... 19
IDP sensor policies ..... 21
IDP with IF-MAP, example ..... 28
IDP, automatic response ..... 23
IDP, interoperability ..... 17
IDP, quarantining users manually ..... 25
IDP, using with UAC ..... 13, 18
IF-MAP and IDP ..... 27
IF-MAP with IDP, example ..... 28
J
Junos CTC ..... 19
Junos IDP, activating ..... 20
L
licensing, IDP ..... 19
N
notice icons ..... 6
R
role-based policies, IDP ..... 26
S
ScreenOS IDP, activating ..... 20
ScreenOS ISG-IDP ..... 19
sensor policies for IDP, configuring ..... 21
T
technical support
    contacting PSGSC ..... 8
text conventions ..... 7