Page 1: Pulse Policy Secure - Pulse Secure › download › techpubs › ... · The IDP sits within the network and monitors traffic from endpoints that are connected through the Pulse Policy

© 2015 by Pulse Secure, LLC. All rights reserved

Pulse Policy Secure

IDP and Unified Access Control

Product Release 5.3

Document Revision 1.0

Published: 2015-12-21


Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net

© 2015 by Pulse Secure, LLC. All rights reserved

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Pulse Policy Secure - IDP and Unified Access Control

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

List of Figures .... 4
List of Tables .... 5
About This Guide .... 6
Objectives .... 6
Audience .... 6
Documentation Conventions .... 6
Documentation .... 8
Obtaining Documentation .... 8
Documentation Feedback .... 8
Requesting Technical Support .... 8
Self-Help Online Tools and Resources .... 8
Opening a Case with PSGSC .... 9

PART 1 Intrusion Detection and Prevention with Unified Access Control .... 11

CHAPTER 1 UAC and IDP Interoperability .... 13
About IDP Technology .... 13
IDP Deployment Scenarios Overview .... 14

CHAPTER 2 Configuration .... 17
Understanding Pulse Policy Secure Deployments with IDP Devices .... 17
About IDP Devices .... 17
Coordinated Threat Control Overview .... 18
Deployments with IDP Series Devices .... 18
Deployments with IDP-Enabled Infranet Enforcers .... 19
Monitoring IDP-Reported Events .... 20
Activating IDP for the ScreenOS or Junos Enforcer .... 20
Managing Interoperation with IDP Devices .... 21
Configuring Communication with an IDP Device .... 21
Enabling or Disabling IDP Sensors .... 22
Reconnecting to an IDP Sensor .... 22
Refreshing and Displaying the Connection Status .... 23
Deleting an IDP Sensor Entry .... 23
Defining Automatic Response Sensor Event Policies .... 23
Identifying and Managing Quarantined Users Manually .... 25
Using Role-Based Policies to Monitor User Activity .... 26
Understanding Coordinated Threat Control in a Federated Deployment .... 27
Using IDP Devices in a Federated Deployment .... 28

Index .... 30


List of Figures

Figure 1: Pulse Policy Secure Series and Standalone IDP Topology .... 15
Figure 2: Pulse Policy Secure Series and ISG-IDP Topology .... 15
Figure 3: IDP in a Layer 2 Deployment .... 16
Figure 4: IF-MAP Federation in a Heterogeneous Network with IDP .... 27


List of Tables

Table 1: Notice Icons .... 6
Table 2: Text Conventions .... 7


About This Guide

Objectives

Audience

Documentation Conventions

Documentation

Obtaining Documentation

Documentation Feedback

Requesting Technical Support

Objectives

This guide describes basic configuration procedures for Pulse Policy Secure.

Audience

This guide is designed for network administrators who are configuring and maintaining a Pulse Policy Secure Series device. To use this guide, you need a broad understanding of networks in general and the Internet in particular, networking principles, and network configuration. Any detailed discussion of these concepts is beyond the scope of this guide.

Documentation Conventions

Table 1 defines the notice icons used in this guide. Table 2 defines text conventions used throughout this documentation.

Table 1: Notice Icons

Icon | Meaning | Description
[icon] | Informational note | Indicates important features or instructions.
[icon] | Caution | Indicates a situation that may result in loss of data or hardware damage.
[icon] | Warning | Alert regarding risk of personal injury or death.
[icon] | Laser warning | Alert regarding risk of personal injury from a laser.

Table 2: Text Conventions

Convention: Bold text
Description: Represents keywords, scripts, and tools in text. Represents a GUI element that the user selects, clicks, checks, or clears.
Examples: Specify the keyword exp-msg. Run the install.sh script. Use the pkgadd tool. To cancel the configuration, click Cancel.

Convention: Bold text like this
Description: Represents text that the user must enter.
Example: user@host# set cache-entry-age cache-entry-age

Convention: Fixed-width text like this
Description: Represents information as displayed on your terminal’s screen, such as CLI commands in output displays.
Example:
nic-locators {
  login {
    resolution {
      resolver-name /realms/login/A1;
      key-type LoginName;
      value-type SaeId;
}

Convention: Regular sans serif typeface
Description: Represents configuration statements. Indicates SRC CLI commands and options in text. Represents examples in procedures.
Examples:
System ldap server {
  Stand-alone;
• Use the request sae modify device failover command with the force option
user@host# . . .

Convention: Italic sans serif typeface
Description: Represents variables in SRC CLI commands.
Example: user@host# set local-address local-address

Convention: Angle brackets
Description: In text descriptions, indicate optional keywords or variables.
Example: Another runtime variable is <gfwif>

Convention: Key name
Description: Indicates the name of a key on the keyboard.
Example: Press Enter

Convention: Key names linked with a plus sign (+)
Description: Indicates that you must press two or more keys simultaneously.
Example: Press Ctrl + b

Convention: Italic typeface
Description: Emphasizes words. Identifies book names. Identifies distinguished names. Identifies files, directories, and paths in text but not in command examples.
Examples: There are two levels of access: user and privileged. SRC-PE Getting Started Guide. o=Users, o=UMC. The /etc/default.properties file.

Convention: Backslash
Description: At the end of a line, indicates that the text wraps to the next line.
Example:
Plugin.radiusAcct-1.class=\
net.pulsesecure.smgt.sae.plugin\
RadiusTrackingPluginEvent

Convention: Words separated by the | symbol
Description: Represent a choice to select one keyword or variable to the left or right of this symbol. (The keyword or variable may be either optional or required.)
Example: diagnostic | line

Documentation

For a list of related Pulse Policy Secure documentation, see http://www.pulsesecure.net/support. If the information in the latest Pulse Policy Secure Release Notes differs from the information in the documentation, follow the Pulse Policy Secure Release Notes.

Obtaining Documentation

To obtain the most current version of all Pulse Secure technical documentation, see the products documentation page at http://www.pulsesecure.net/techpubs.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected]

Requesting Technical Support

Technical product support is available through the Pulse Secure Global Support Center (PSGSC).

Product warranties—For product warranty information, visit http://www.pulsesecure.net/support

PSGSC hours of operation—The PSGSC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, the Pulse Secure Global Support Center (PSGSC) provides you with the following features:

Find CSC offerings: http://www.pulsesecure.net/support
Search for known bugs: http://www.pulsesecure.net/support
Find product documentation: http://www.pulsesecure.net/support


Find solutions and answer questions using our Knowledge Base: http://www.pulsesecure.net/support
Download the latest versions of software and review release notes: http://www.pulsesecure.net/support
Search technical bulletins for relevant hardware and software notifications: http://www.pulsesecure.net/support
Open a case online in the CSC Case Management tool: http://www.pulsesecure.net/support/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: http://www.pulsesecure.net/support

Opening a Case with PSGSC

You can open a case with PSGSC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.pulsesecure.net/support
Call 1-844 751 7629 (Toll Free, US).
For international or direct-dial options in countries without toll-free numbers, see: http://www.pulsesecure.net/support


PART 1 Intrusion Detection and Prevention with Unified Access Control

UAC and IDP Interoperability

Configuration


CHAPTER 1 UAC and IDP Interoperability

About IDP Technology

IDP Deployment Scenarios Overview

About IDP Technology

Securing intranet application and resource traffic is vital to protecting the network. You can add levels of application security to detect internal threats coming from users who are authenticated through the Pulse Policy Secure Series device by integrating a Pulse Policy Secure Series device with a Juniper Networks Intrusion Detection and Prevention (IDP) Sensor.

The Pulse Policy Secure Series device supports standalone IDP and IDP through the Juniper Networks ISG Series Integrated Security Gateways Infranet Enforcer with the IDP Security Module (supported in ScreenOS Release 6.2 or greater). With UAC Release 3.1, you can use SRX Series Services Gateway IDP with Junos 10.0 (SRX 3400/3600/5600/5800). With UAC Release 4.1 and JunosOS Release 11.1, Coordinated Threat Control (CTC) is supported on all SRX series devices.

The IDP sensor monitors the network on which the IDP system is installed. The sensor’s primary task is to detect suspicious and anomalous network traffic based on specific rules defined in IDP rule bases.

The IDP device provides the following types of protection (some of which depend upon the specific configuration):

Protects against attacks from user to application.
Detects and blocks most network worms based on software vulnerabilities.
Detects and blocks non-file-based Trojan Horses.
Detects and blocks effects of spyware, adware, and key loggers.
Detects and blocks many types of malware.
Detects and blocks zero day attacks through the use of anomaly detection.

NOTE: An IDP Sensor can send logs to one Pulse Policy Secure Series device appliance only. However, a Pulse Policy Secure Series device appliance can receive logs from more than one IDP Sensor.


Intrusion Detection and Prevention Sensors

Using the Pulse Policy Secure Series device’s admin console, you can configure and manage interaction attributes between the Pulse Policy Secure Series device and an IDP, including the following:

(With standalone IDP) Global configuration parameters such as the IDP hostname or IP address, the TCP port over which the sensor communicates with the Pulse Policy Secure Series device, and the one-time password the Pulse Policy Secure Series device and IDP use to authenticate with one another.
Various levels of attack severity warnings and the action that the Pulse Policy Secure Series device takes.

If you are using standalone IDP Release 5.0 or later or ISG-IDP Release 6.3 or later, you can configure IDP policies based on user roles with Network and Security Manager (NSM).

The IDP sits within the network and monitors traffic from endpoints that are connected through the Pulse Policy Secure Series device. You can position the IDP in-line, or you can configure the IDP in sniffer mode.

After the Pulse Policy Secure Series device connects with the IDP sensor, the Pulse Policy Secure Series device registers all of the IP addresses to be monitored for potential threats. With standalone IDP, you enter the IP addresses to monitor.

Any abnormal events detected by the IDP Sensor are reported to the Pulse Policy Secure Series device, which you configure to take appropriate action based on the severity level of the reported events. The IDP Sensor performs reporting functions to allow you to determine what IP address within the network has launched the attacks in addition to any normal logging the IDP has been configured to undertake.

With a large number of connected users, IDP can overwhelm the Pulse Policy Secure Series device with more alert logs than it can process. In this situation, the number of logs sent by the IDP to the Pulse Policy Secure Series device can be controlled by decreasing the severity level setting in the IDP connection settings.

With IDP deployments using the Infranet Enforcer and the IDP Security Module, the Infranet Enforcer can send messages to OAC or the Pulse debug log.

Related Documentation

IDP Deployment Scenarios Overview
Understanding Pulse Policy Secure Deployments with IDP Devices
Activating IDP for the ScreenOS or Junos Enforcer
Managing Interoperation with IDP Devices
Using Role-Based Policies to Monitor User Activity

IDP Deployment Scenarios Overview

Three possible deployment scenarios are shown in the following figures.

In Figure 1 the standalone IDP is located within the internal network. All network traffic originating from endpoints that are registered with the IDP is monitored. You can deploy IDP in sniffer mode, or inline mode. You can use transparent mode or route mode with an inline mode configuration.

In the first deployment example, the IDP does not monitor IPsec traffic from the user to protected resources.

Figure 1: Pulse Policy Secure Series and Standalone IDP Topology

To monitor all IPsec traffic from users to protected resources, deploy the IDP behind the Infranet Enforcer, as shown in Figure 2.

Figure 2: Pulse Policy Secure Series and ISG-IDP Topology


Figure 3 depicts IDP in a Layer 2 network. The device serves as a policy enforcement point and controls user access based on Pulse Policy Secure Series device policy decisions.

Figure 3: IDP in a Layer 2 Deployment

You can deploy up to ten IDP devices in a network with the Pulse Policy Secure Series device. Performance is based on how rapidly sessions are created or changed, the number of events that IDP sends to the Pulse Policy Secure Series device, and the efficiency of the network links that connect the devices. IDP devices must be connected over a high-speed LAN link.

In a clustering environment, only one member of a Pulse Policy Secure Series device cluster exchanges information with an IDP sensor. If the connected Pulse Policy Secure Series device fails or is shut down, another cluster member will assume the load.

Related Documentation

About IDP Technology
Understanding Pulse Policy Secure Deployments with IDP Devices
Managing Interoperation with IDP Devices


CHAPTER 2 Configuration

Understanding Pulse Policy Secure Deployments with IDP Devices

Activating IDP for the ScreenOS or Junos Enforcer

Managing Interoperation with IDP Devices

Defining Automatic Response Sensor Event Policies

Identifying and Managing Quarantined Users Manually

Using Role-Based Policies to Monitor User Activity

Understanding Coordinated Threat Control in a Federated Deployment

Using IDP Devices in a Federated Deployment

Understanding Pulse Policy Secure Deployments with IDP Devices

This topic provides an overview of deployments with IDP devices. It includes the following content:

About IDP Devices

Coordinated Threat Control Overview

Deployments with IDP Series Devices

Deployments with IDP-Enabled Infranet Enforcers

Monitoring IDP-Reported Events

About IDP Devices

The IDP Sensor is a powerful tool to counteract users who initiate attacks. The IDP sensor monitors the network on which the IDP system is installed. The IDP sits within the network and monitors traffic from endpoints that are connected through the Pulse Policy Secure Series device. You can position the IDP in-line, or you can configure the IDP in sniffer mode. The sensor’s primary task is to detect suspicious and anomalous network traffic based on specific rules defined in IDP rule bases.


The IDP device provides the following types of protection (some of which depend upon the specific configuration):

Protects against attacks from user to application.
Detects and blocks most network worms based on software vulnerabilities.
Detects and blocks non-file-based Trojan Horses.
Detects and blocks effects of spyware, adware, and key loggers.
Detects and blocks many types of malware.
Detects and blocks zero day attacks through the use of anomaly detection.

Coordinated Threat Control Overview

In a coordinated threat control deployment, the IDP device reports abnormal events to the Pulse Policy Secure Series device. The attack logs sent by the IDP device include the source and destination IP addresses and port numbers of the attacking host, and the resource against which the attack was launched, along with the attack identifier, severity of the attack, and the time at which the attack was launched.

The Pulse Policy Secure Series device displays the attack information received from the IDP sensor on the Active Users page. Based on the attacker’s IP address and port number, the Pulse Policy Secure Series device can uniquely identify the user’s session.

When you learn that an attack has been launched by an active user, you can disable the user’s account, end the user’s session, or remediate to a different role. You can choose automatic or manual actions for attacks detected by the IDP sensor. For manual action, you look up the information available on the Active Users page and decide on an action. For automatic action, you configure the action in advance when you define IDP policies.

The Pulse Policy Secure Series device displays an error message to the user whose account has been disabled indicating the reason.
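The correlation described above, written out as an added example that is not part of this guide and not Pulse Secure code: it parses a few constructed IDP-style attack log records carrying the fields the guide lists (source and destination IP address and port, attack identifier, severity, time), applies a severity threshold like the Severity menu setting, looks up the attacker's IP address in a constructed active-session table, and maps the result to one of the three responses the guide names (disable the account, end the session, or remediate to a different role). The key=value log line format, the session table, the response names and the severity-to-response mapping are assumptions made for illustration; the placeholder attack identifiers are not real signature names.

```python
"""Correlate IDP attack log records with active user sessions (added example).

Not code from the Pulse Policy Secure guide. The record layout follows the
fields the guide says an attack log carries; the wire format, the session
table and the response mapping are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class AttackEvent:
    """One IDP attack log record (fields as listed in the guide)."""
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    attack_id: str
    severity: int  # 1 (INFO) through 5 (Critical), as on the Severity menu


@dataclass(frozen=True)
class Session:
    """An active user session as the Active Users page lists it (assumed shape)."""
    user: str
    role: str
    ip: str


# Responses the guide names: disable account, end session, remediate to a
# different role. Which severity triggers which response is an assumption.
RESPONSE_BY_SEVERITY = {5: "disable-account", 4: "end-session", 3: "quarantine-role"}


def parse_attack_log(line: str) -> AttackEvent:
    """Parse a constructed key=value attack log line (assumed format)."""
    fields = dict(token.split("=", 1) for token in line.split())
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return AttackEvent(time=fields["time"], src_ip=src_ip, src_port=int(src_port),
                       dst_ip=dst_ip, dst_port=int(dst_port),
                       attack_id=fields["attack"], severity=int(fields["sev"]))


def correlate(events: Iterable[AttackEvent], sessions: Dict[str, Session],
              threshold: int) -> List[dict]:
    """Apply the severity filter, then map each surviving event to a session and response.

    threshold: lowest severity that is reported, like the Severity menu setting
    ("if you select 3, only level 3 attacks or higher are reported").
    """
    decisions: List[dict] = []
    for ev in events:
        if ev.severity < threshold:
            continue  # below the configured severity: not reported at all
        session: Optional[Session] = sessions.get(ev.src_ip)
        if session is None:
            # No session owns this address: nothing to disable, only a log entry.
            decisions.append({"attack": ev.attack_id, "user": None, "response": "log-only",
                              "reason": "no active session for " + ev.src_ip})
            continue
        response = RESPONSE_BY_SEVERITY.get(ev.severity, "manual-review")
        decisions.append({"attack": ev.attack_id, "user": session.user, "response": response,
                          "reason": f"severity {ev.severity} from {ev.src_ip}:{ev.src_port}"})
    return decisions


# Constructed sample data: two sessions and four log lines with placeholder attack ids.
SAMPLE_SESSIONS = {
    "10.1.1.5": Session(user="alice", role="Employees", ip="10.1.1.5"),
    "10.1.1.7": Session(user="bob", role="Contractors", ip="10.1.1.7"),
}
SAMPLE_LOG = """\
time=2015-12-21T10:00:01Z src=10.1.1.5:51234 dst=10.2.0.10:445 attack=PLACEHOLDER-ATTACK-A sev=2
time=2015-12-21T10:00:02Z src=10.1.1.5:51235 dst=10.2.0.10:445 attack=PLACEHOLDER-ATTACK-B sev=4
time=2015-12-21T10:00:03Z src=10.1.1.9:40001 dst=10.2.0.20:80 attack=PLACEHOLDER-ATTACK-C sev=5
time=2015-12-21T10:00:04Z src=10.1.1.7:40002 dst=10.2.0.20:80 attack=PLACEHOLDER-ATTACK-D sev=3
"""


def run_sample(threshold: int = 3) -> List[dict]:
    """Run the correlation over the constructed sample at the given severity threshold."""
    events = [parse_attack_log(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return correlate(events, SAMPLE_SESSIONS, threshold)


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

With the threshold at 3 the severity 2 event never reaches the decision logic, which is the same effect the guide describes for lowering the severity setting when the sensor sends more logs than the device can process; the severity 5 event from an address with no session shows why a log-only path is needed for traffic that is not tied to an authenticated user.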

Deployments with IDP Series Devices

You can deploy Pulse Policy Secure Series devices with IDP Series devices in coordinated threat control deployments and user-role-based IDP policy deployments. User-role-based IDP policy deployments require IDP Series 5.0 or later. To display the version of an associated IDP device in the Access Control Service admin console, select System > Configuration > Sensors.

NOTE: An IDP Sensor can send logs to one Pulse Policy Secure Series device appliance only. However, a Pulse Policy Secure Series device appliance can receive logs from more than one IDP Sensor.


Using the Pulse Policy Secure Series device’s admin console, you can configure and manage interaction attributes between the Pulse Policy Secure Series device and an IDP Series device, including the following:

Global configuration parameters such as the IDP hostname or IP address, the TCP port over which the sensor communicates with the Pulse Policy Secure Series device, and the one-time password the Pulse Policy Secure Series device and IDP use to authenticate with one another.
Various levels of attack severity warnings and the action that the Pulse Policy Secure Series device takes.
IP addresses to monitor.

With a large number of connected users, IDP can overwhelm the Pulse Policy Secure Series device with more alert logs than it can process. In this situation, the number of logs sent by the IDP to the Pulse Policy Secure Series device can be controlled by decreasing the severity level setting in the IDP connection settings.

NOTE: With Pulse Policy Secure Release 4.0, licensing is no longer required to use IDP in a UAC deployment.

Deployments with IDP-Enabled Infranet Enforcers

The Pulse Policy Secure Series device also supports IDP through the Juniper Networks ISG Series Integrated Security Gateways Infranet Enforcer with the IDP Security Module (supported in ScreenOS Release 6.2 or greater). With UAC Release 3.1, you can use SRX Series Services Gateway IDP with Junos 10.0 (SRX 3400/3600/5600/5800). With UAC Release 4.1 and JunosOS Release 11.1, coordinated threat control is supported on all SRX series devices.

Unlike a standalone IDP, which requires manual configuration on the IDP to allow communication with the Pulse Policy Secure Series device, the ScreenOS Enforcer or the Junos Enforcer uses the existing communication channel with the Pulse Policy Secure Series device.

If you are using integrated IDP with the ISG-1000 or ISG-2000, see: http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/screenos/product/index.html. If you are using Junos IDP with JunosOS Release 10.0, see Junos OS Initial Configuration Guide for Security Devices. ISG-IDP and CTC are configured the same on the Pulse Policy Secure Series device.

When ISG-IDP or Junos IDP is activated, ScreenOS or Junos notifies the Pulse Policy Secure Series device when an attack event is detected from any endpoint. To avoid overwhelming the SSH connection between the Pulse Policy Secure Series device and the Infranet Enforcer, the number of attack notifications is limited to ten per second. If additional attacks are detected, the Infranet Enforcer holds an additional ten notifications in a queue.
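A simulation of the notification limit just described, added here as an example and not taken from the guide or from Pulse Secure: it models the ten-per-second cap and the queue of ten further notifications, then counts what a burst of detections within a single second produces. The guide does not say what becomes of notifications that arrive while the queue is already full; the simulation assumes they are lost and reports that count separately, since that is the number that tells a defender whether the severity filter is set too low for the traffic the Enforcer sees.

```python
"""Model of the Enforcer-to-PPS attack notification limit (added example).

Not code from the guide. The rate (ten per second) and the queue depth (ten)
are the figures the guide gives; treating events that find the queue full as
lost is an assumption the guide does not make.
"""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

RATE_PER_SECOND = 10  # notifications per second, from the guide
QUEUE_CAPACITY = 10   # additional notifications held in a queue, from the guide


class NotificationLimiter:
    """Per-second cap plus a bounded FIFO queue; overflow handling is assumed."""

    def __init__(self, rate: int = RATE_PER_SECOND, queue_capacity: int = QUEUE_CAPACITY) -> None:
        self.rate = rate
        self.queue_capacity = queue_capacity
        self.queue: Deque[str] = deque()
        self.sent_in_second = 0
        self.current_second: Optional[int] = None
        self.sent: List[Tuple[int, str]] = []     # (second, event) delivered to the PPS device
        self.dropped: List[Tuple[int, str]] = []  # events lost because the queue was full (assumption)

    def _drain(self) -> None:
        """Deliver queued events until this second's allowance is used up."""
        while self.queue and self.sent_in_second < self.rate:
            self.sent.append((self.current_second, self.queue.popleft()))
            self.sent_in_second += 1

    def _advance_to(self, second: int) -> None:
        """Move the clock forward one second at a time, draining the queue each second."""
        if self.current_second is None:
            self.current_second = second
        while self.current_second < second:
            self.current_second += 1
            self.sent_in_second = 0
            self._drain()

    def detect(self, second: int, event: str) -> str:
        """Offer one detected attack at time `second`; return 'sent', 'queued' or 'dropped'."""
        self._advance_to(second)
        if self.sent_in_second < self.rate:
            self.sent.append((second, event))
            self.sent_in_second += 1
            return "sent"
        if len(self.queue) < self.queue_capacity:
            self.queue.append(event)
            return "queued"
        self.dropped.append((second, event))  # assumed behaviour beyond the queue
        return "dropped"

    def settle(self, until_second: int) -> None:
        """Let time pass so the queue drains at the allowed rate."""
        self._advance_to(until_second)


def simulate_burst(burst_size: int, at_second: int = 0,
                   settle_seconds: int = 3) -> Dict[str, Optional[int]]:
    """Deliver `burst_size` constructed detections in one second and summarise the outcome."""
    limiter = NotificationLimiter()
    outcome: Dict[str, Optional[int]] = {"sent": 0, "queued": 0, "dropped": 0}
    for i in range(burst_size):
        outcome[limiter.detect(at_second, f"constructed-event-{i}")] += 1
    limiter.settle(at_second + settle_seconds)
    outcome["delivered_total"] = len(limiter.sent)
    outcome["last_delivery_second"] = max((s for s, _ in limiter.sent), default=None)
    return outcome


if __name__ == "__main__":
    for size in (5, 15, 35):
        print(size, simulate_burst(size))
```

A burst of 35 detections in one second delivers 20 notifications (10 at once, 10 a second later) and, under the stated assumption, loses 15; anything the Enforcer sees beyond 20 events per second therefore cannot be reconstructed from the Pulse Policy Secure Series device's view alone, which is why the Enforcer's own IDP logs remain the record of what was detected.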

ISG-IDP or Junos devices attached to any node in a cluster may send messages regarding sessions attached to any node in the cluster.


There is a Use IDP module as Sensor check box on the Infranet Enforcer admin console page. If you select the check box and there is no IDP module or if the Enforcer is not running a compatible version, the Pulse Policy Secure Series device logs an appropriate message.

With IDP deployments using the Infranet Enforcer and the IDP Security Module, the Infranet Enforcer can send messages to OAC or the Pulse debug log.

Monitoring IDP-Reported Events

After the IDP Sensor has been set up, you can specify the events you want the IDP to watch for and the actions that the Pulse Policy Secure Series device takes once a particular event has been noted and reported. In two locations on the Pulse Policy Secure Series device, you can specify actions to be taken in response to users that perform attacks:

Sensor Event policies page—Define the policy on this page to generate an automatic response to users who perform attacks.
Users page—Manually identify and quarantine or disable users on the Active Users page, which lists users who have performed attacks.

Related Documentation

Managing Interoperation with IDP Devices
IDP Deployment Scenarios Overview
Using Role-Based Policies to Monitor User Activity
Activating IDP for the ScreenOS or Junos Enforcer

Activating IDP for the ScreenOS or Junos Enforcer

To activate ISG-IDP or Junos IDP on the Pulse Policy Secure Series device:

1. Select UAC > Infranet Enforcer in the Pulse Policy Secure Series device admin console.
2. Select the name of the Enforcer on which you want to activate IDP.
3. Select the Use IDP Module as Sensor check box. Additional options are presented.
4. Select For sessions provisioned for this Enforcer only to limit monitored sessions to this device. This is applicable in an IF-MAP Federation network.
5. Select 1 - INFO through 5 - Critical from the Severity menu. The severity filter allows you to specify the level of attacks that the Infranet Enforcer reports to the Pulse Policy Secure Series device. For example, if you select 3, only level 3 attacks or higher are reported.

Related Documentation
IDP Deployment Scenarios Overview
Understanding Pulse Policy Secure Deployments with IDP Devices
Managing Interoperation with IDP Devices


Managing Interoperation with IDP Devices

The Sensors tab allows you to specify the system settings the Pulse Policy Secure Series device uses to establish a connection to an IDP device. Select System > Configuration > Sensors > Sensors. The main Sensor page displays the sensor, the network address, the state (enabled), the version, and the status of any configured sensors. The following sections describe tasks related to configuring and managing interaction between the Pulse Policy Secure Series device and an IDP Sensor:

Configuring Communication with an IDP Device
Enabling or Disabling IDP Sensors
Reconnecting to an IDP Sensor
Refreshing and Displaying the Connection Status
Deleting an IDP Sensor Entry

Configuring Communication with an IDP Device

To configure communication with an IDP device and an IDP log monitoring policy:

1. In the admin console, select System > Configuration > Sensors.

NOTE: To use the IDP sensor with the Pulse Policy Secure Series device you must enable logging for the applicable policies.

2. Click New Sensor. The admin console displays the New Sensor page.

3. Under Sensor Properties, specify the following information:

Name—A name the Pulse Policy Secure Series device uses to identify the new connection entry.

Hostname—The hostname or IP address of the IDP Sensor to which the Pulse Policy Secure Series device connects in order to receive application and resource attack alert messages.

Port—The TCP port on the IDP Sensor to which the Pulse Policy Secure Series device listens when receiving application and resource attack alert messages.

One-time password—The encrypted password the Pulse Policy Secure Series device uses when conducting the initial Transport Layer Security (TLS) handshake with the IDP Sensor. You must enter the encrypted Pulse Policy Secure Series device OTP password as displayed on the IDP ACM configuration summary screen.

NOTE: The hostname, TCP port, and one-time password must already be configured on the IDP Sensor before this configuration can be successful.

4. Under Monitoring Options, specify IP addresses to monitor and the minimum alert severity level the IDP Sensor records and submits to the Pulse Policy Secure Series device:


In the Addresses to Monitor field, specify individual IP addresses and address ranges, one entry per line. IDP reports attack information only for the IP addresses that you specify. For IDP to report all events to the Pulse Policy Secure Series device, enter 0.0.0.0/0. For IDP to report only selected events, enter <default> to permit IDP to report events with source IPs that have an active user session on the Pulse Policy Secure Series device, and/or enter one or more addresses or address ranges for any endpoint that you want the IDP sensor to report.

NOTE: With ISG-IDP or Junos IDP, you do not need to specify which IP addresses to monitor. The Infranet Enforcer monitors all IP addresses for which auth tables exist.

Select one of the severity options available in the Severity filter drop-down list. The severity level is a number on a scale from 1 to 5, where 1 is informational and 5 is critical. This option represents the minimum severity of messages the IDP should send to the Pulse Policy Secure Series device.

5. Click Save Changes.
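The two filters set in step 4 (the Addresses to Monitor list and the severity filter, which behaves like the Enforcer-side severity filter in step 5 of "Activating IDP for the ScreenOS or Junos Enforcer") decide together which alerts reach the Pulse Policy Secure Series device. The following is an added example, not code from this guide or from Pulse Secure; it assumes that an address range may be written as CIDR or as first-last, that an alert carries a src_ip and an integer severity, and that the set of endpoints with active user sessions is known, none of which the guide specifies:

```python
"""Added example (not Pulse Secure code): a model of the Monitoring Options
above, i.e. the Addresses to Monitor list and the severity filter, applied to
constructed IDP alerts.

Assumptions (not stated on the page): an address range may be written either
as CIDR notation or as "first-last"; an alert is a dict with a "src_ip" string
and an integer "severity" from 1 (informational) to 5 (critical)."""
import ipaddress
from typing import List, Set, Tuple

DEFAULT_TOKEN = "<default>"


def parse_addresses_to_monitor(text: str) -> Tuple[bool, list]:
    """Parse the Addresses to Monitor field, one entry per line.

    Returns (use_default, networks): use_default is True when the <default>
    entry is present; networks holds every explicit address or range as
    ip_network objects (a single address becomes a /32 or /128)."""
    use_default = False
    networks = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if entry == DEFAULT_TOKEN:
            use_default = True
        elif "-" in entry:
            # Assumed "first-last" range syntax: expand to the minimal CIDR set.
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # Plain address or CIDR; strict=False tolerates host bits (e.g. 10.1.2.3/24).
            networks.append(ipaddress.ip_network(entry, strict=False))
    return use_default, networks


def sensor_reports(alert: dict, use_default: bool, networks: list,
                   severity_filter: int, active_sessions: Set[str]) -> bool:
    """Return True when the sensor should submit this alert to the PPS device.

    Both conditions from the page must hold: the alert severity is at or above
    the configured filter (selecting 3 reports level 3 and higher), and the
    source IP is either in an explicitly listed address/range or, when
    <default> is listed, belongs to an endpoint with an active user session."""
    severity = int(alert["severity"])
    if not 1 <= severity <= 5:
        raise ValueError(f"severity must be 1..5, got {severity}")
    if not 1 <= severity_filter <= 5:
        raise ValueError(f"severity filter must be 1..5, got {severity_filter}")
    if severity < severity_filter:
        return False
    src = ipaddress.ip_address(alert["src_ip"])
    if use_default and alert["src_ip"] in active_sessions:
        return True
    return any(src in net for net in networks)


# Constructed sample data: four alerts, two endpoints holding PPS sessions.
MONITOR_FIELD = "<default>\n10.20.0.0/16\n192.168.1.10-192.168.1.20\n"
ACTIVE_SESSIONS = {"172.16.5.5", "10.20.3.3"}
SAMPLE_ALERTS = [
    {"src_ip": "172.16.5.5", "severity": 3, "attack": "HTTP:constructed-1"},  # session only
    {"src_ip": "192.168.1.15", "severity": 2, "attack": "constructed-2"},     # in range, too minor
    {"src_ip": "192.168.1.15", "severity": 4, "attack": "constructed-3"},     # in range
    {"src_ip": "172.16.9.9", "severity": 5, "attack": "constructed-4"},       # no session, not listed
]


def reported_attacks(monitor_field: str, severity_filter: int,
                     alerts=SAMPLE_ALERTS, sessions=ACTIVE_SESSIONS) -> List[str]:
    """Names of the alerts that pass both filters, in arrival order."""
    use_default, networks = parse_addresses_to_monitor(monitor_field)
    return [a["attack"] for a in alerts
            if sensor_reports(a, use_default, networks, severity_filter, sessions)]


if __name__ == "__main__":
    print(reported_attacks(MONITOR_FIELD, 3))   # → ['HTTP:constructed-1', 'constructed-3']
    print(reported_attacks("0.0.0.0/0\n", 1))   # 0.0.0.0/0 with filter 1 reports all four
```

The fourth constructed alert is the case to notice: a critical attack from an endpoint with no session and no listed address is never reported, so with `<default>` alone the sensor is blind to unauthenticated hosts unless their ranges are also listed.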

Enabling or Disabling IDP Sensors

To enable or disable existing IDP Sensor entries on the Pulse Policy Secure Series device:

1. In the admin console, select System > Configuration > Sensors.

2. Select the check box for one or more IDP Sensor entries to enable or disable.

3. Click Enable or Disable to enable or disable the specified IDP Sensor entries, respectively.

Reconnecting to an IDP Sensor

When the connection to an IDP Sensor is down, you can use the admin console on the Pulse Policy Secure Series device to re-establish the connection. You can also use the admin console to refresh the status of existing connections between the Pulse Policy Secure Series device and the IDP Sensor.

To re-establish communication with an IDP Sensor, you must generate a new One-time Password.

To reconnect to an associated IDP Sensor:

1. In the admin console, select System > Configuration > Sensors.

2. Select the check box next to the IDP Sensor to which you want to reconnect.

3. Click Reconnect.

The admin console displays a message indicating that the Pulse Policy Secure Series device is currently attempting to re-establish connection to the specified IDP Sensor. This page automatically refreshes each second during the reconnection process. Otherwise, the connection status page automatically refreshes once every 30 seconds.


Refreshing and Displaying the Connection Status

To refresh and display the connection status for the specified IDP Sensor:

1. In the admin console, select System > Configuration > Sensors.

2. Select the check box for one or more IDP Sensor entries to display current connection status.

3. Click Refresh.

Deleting an IDP Sensor Entry

You can delete existing IDP Sensor entries that define a connection between the Pulse Policy Secure Series device and an IDP Sensor.

To delete one or more existing IDP Sensor entries from the Pulse Policy Secure Series device:

1. In the admin console, select System > Configuration > Sensors.

2. Select the check box for the IDP Sensor entry or entries to delete.

3. Click Delete, then confirm that you want to delete the sensor entry or entries.

Related Documentation
Defining Automatic Response Sensor Event Policies
Identifying and Managing Quarantined Users Manually
Using Role-Based Policies to Monitor User Activity

Defining Automatic Response Sensor Event Policies

Select System > Configuration > Sensors > Sensor Event Policies. On this page, specify one or more rules that define the action(s) the Pulse Policy Secure Series device takes when it receives attack alert messages from an IDP Sensor.

To create a new IDP rule:

1. In the admin console, select System > Configuration > Sensors > Sensor Event Policies.

2. On the Sensor Event Policies page, click New Rules.

3. On the Juniper IDP Rule page, in the Rule: On Receiving... section:

Select an existing event from the Event list.

Click Events to edit an existing event or create a new type of event and add it to the options in the Events list:

a. Specify a name for the event.

b. Populate the Expressions field by manually entering expressions or by selecting one or more clauses from the Expressions Dictionary. Click Insert Expression.

For example, to check for all critical/highest severity level attacks, enter the following expression:

idp.severity >= 4

To check for all critical/highest severity level attacks for HTTP traffic, enter the following expression:

idp.severity >= 4 AND idp.attackStr = “*HTTP*”

c. When you finish entering the expressions you want to apply to this event, click Add Expression.


d. Click Close.

4. In the Count this many times section, specify a number between 1 and 256 to determine the number of times an event occurs before action is taken.

5. In the ...then perform this action section, specify one of the following actions:

Ignore (just log the event)—Specifies that the Pulse Policy Secure Series device should log the event, but take no further action against the user profile to which this rule applies. This option is best used to deal with very minor “informational” attack alert messages that come from the IDP Sensor.

Terminate User Session—Specifies that the Pulse Policy Secure Series device should immediately terminate the user session and require the user to sign in to the Pulse Policy Secure Series device again.

Disable user account—Specifies that the Pulse Policy Secure Series device should disable the user profile associated with this attack alert message, thus rendering the client unable to sign in to the Pulse Policy Secure Series device until the administrator re-enables the user account. (This option is applicable only for users who have a local Pulse Policy Secure Series device user account.)

Replace user’s role with this one—Specifies that the role applied to this user’s profile should change to the role you select from the associated list. This new role remains assigned to the user profile until the session terminates. This feature allows you to assign a user to a specific controlled role of your choice, based on specific IDP events. For example, if the user performs attacks, you might assign the user to a restricted role that limits the user’s access and activities.

Select to make this role assignment:

Permanent—User remains in the quarantined state across subsequent logins until the administrator releases the user from the quarantined state.

For this session only—Default. User can log in to another session.

6. In the Roles section, specify:

Policy applies to ALL roles—To apply this policy to all users.

Policy applies to SELECTED roles—To apply this policy only to users who are mapped to roles in the Selected roles list. Be sure to add roles to this list from the Available roles list.

Policy applies to all roles OTHER THAN those selected below—To apply this policy to all users except for those who are mapped to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

7. Click Save Changes.
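Steps 3 to 7 describe a rule as an event expression, a hit count, an action and a role scope. The following evaluator is an added example, not code from this guide or from Pulse Secure, and the expression grammar it accepts is an assumption: alert attributes appear as idp.<name>, clauses of the form `idp.<name> <op> <value>` are joined by AND, and `*` inside a quoted string is a wildcard, as in the “*HTTP*” example above. It also assumes the hit counter restarts after a rule fires, which the guide does not state.

```python
"""Added example (not Pulse Secure code): an evaluator for Sensor Event Policy
rules as described in steps 3 to 7 above, run over constructed IDP alerts.

Assumptions not stated on the page: alert attributes are exposed to
expressions as idp.<name>; an expression is one or more clauses of the form
`idp.<name> <op> <value>` joined by AND; `*` in a quoted string is a wildcard,
as in the page's “*HTTP*” example; the hit counter resets once a rule fires."""
import fnmatch
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

CLAUSE = re.compile(r"^\s*idp\.(\w+)\s*(>=|<=|!=|=|>|<)\s*(.+?)\s*$")
QUOTES = "\"'\u201c\u201d"   # straight and curly quotes, as the manual prints them
ACTIONS = ("ignore", "terminate_session", "disable_account", "replace_role")


def clause_matches(clause: str, alert: dict) -> bool:
    """Evaluate one `idp.<name> <op> <value>` clause against an alert."""
    match = CLAUSE.match(clause)
    if not match:
        raise ValueError(f"unparseable clause: {clause!r}")
    name, op, raw = match.groups()
    if name not in alert:
        return False                         # attribute absent: the clause cannot match
    actual = alert[name]
    if raw[0] in QUOTES:                     # string comparison with wildcards
        hit = fnmatch.fnmatchcase(str(actual), raw.strip(QUOTES))
        if op == "=":
            return hit
        if op == "!=":
            return not hit
        raise ValueError("only = and != are valid for string values")
    number = float(raw)                      # numeric comparison
    return {">=": actual >= number, "<=": actual <= number, ">": actual > number,
            "<": actual < number, "=": actual == number, "!=": actual != number}[op]


def event_matches(expression: str, alert: dict) -> bool:
    """An event matches when every AND-joined clause matches."""
    return all(clause_matches(c, alert) for c in re.split(r"\s+AND\s+", expression))


@dataclass(frozen=True)
class SensorEventRule:
    name: str
    expression: str
    count: int                               # "Count this many times": 1..256
    action: str                              # one of ACTIONS
    role_scope: str = "ALL"                  # ALL | SELECTED | OTHER_THAN
    selected_roles: FrozenSet[str] = frozenset()
    replacement_role: Optional[str] = None   # used by replace_role
    permanent: bool = False                  # Permanent vs. For this session only

    def __post_init__(self):
        if not 1 <= self.count <= 256:
            raise ValueError("count must be between 1 and 256")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "replace_role" and not self.replacement_role:
            raise ValueError("replace_role needs a replacement role")

    def applies_to(self, user_roles: Sequence[str]) -> bool:
        """Step 6: ALL roles, only SELECTED roles, or all roles OTHER THAN those selected."""
        if self.role_scope == "ALL":
            return True
        overlap = bool(self.selected_roles & set(user_roles))
        return overlap if self.role_scope == "SELECTED" else not overlap


class SensorEventPolicy:
    """Holds the rules and the per-user hit counters behind the count threshold."""

    def __init__(self, rules: Sequence[SensorEventRule]):
        self.rules = list(rules)
        self._hits: Dict[Tuple[str, str], int] = defaultdict(int)

    def on_alert(self, alert: dict, username: str,
                 user_roles: Sequence[str]) -> List[Tuple[str, str]]:
        """Return (rule name, action) for every rule whose count this alert reaches."""
        fired = []
        for rule in self.rules:
            if not rule.applies_to(user_roles) or not event_matches(rule.expression, alert):
                continue
            key = (rule.name, username)
            self._hits[key] += 1
            if self._hits[key] >= rule.count:
                fired.append((rule.name, rule.action))
                self._hits[key] = 0          # assumed: the counter restarts after the action
        return fired


def demo_policy() -> SensorEventPolicy:
    """Two constructed rules built from the page's two example expressions."""
    return SensorEventRule and SensorEventPolicy([
        SensorEventRule("critical", "idp.severity >= 4", count=1, action="terminate_session"),
        SensorEventRule("http-critical", "idp.severity >= 4 AND idp.attackStr = “*HTTP*”",
                        count=2, action="replace_role", role_scope="OTHER_THAN",
                        selected_roles=frozenset({"Admins"}), replacement_role="Quarantine"),
    ])


# Constructed alert: a critical HTTP signature hit from a session-holding endpoint.
SAMPLE_ALERT = {"severity": 5, "attackStr": "HTTP:constructed-signature", "srcIp": "10.20.3.3"}
```

Feeding `SAMPLE_ALERT` twice for a user in the Employees role fires "critical" both times (count 1) and "http-critical" only on the second alert (count 2); a user mapped to Admins never triggers "http-critical" because of the OTHER THAN scope, which is the role-scoping check step 6 describes.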

Related Documentation
Managing Interoperation with IDP Devices
Identifying and Managing Quarantined Users Manually
Using Role-Based Policies to Monitor User Activity


Identifying and Managing Quarantined Users Manually

When the Pulse Policy Secure Series device quarantines a user based on an attack, you can display and manage the states by locating the user link in the Active Users page. A quarantined user is indicated by:

A small warning icon displayed in front of the username.

The linked username.

An enabled Quarantined option button on the specific user’s page. If the user is not quarantined, the option button is disabled.

To manage quarantined users:

1. Identify quarantined users at System > Status > Active Users.

2. Locate the quarantined user and click on the username link. The user page opens, showing a number of options.

3. Click Disabled to disallow a user from authenticating.

4. Click Quarantined to leave a user in a quarantined state. The Quarantined option is enabled only if the user is already quarantined.

NOTE: The Pulse Policy Secure Series device assigns quarantined users to the quarantined role, regardless of their login realm.

5. Click Save Changes.

6. To re-enable previously quarantined or disabled users, select Authentication > Auth. Servers > Select Server > Users and click the link for the given user.

NOTE: You can also disable users from this location.

7. Click Enabled to release the user from quarantine.

8. Click Save Changes.

All Sensor events are logged at System > Log/Monitoring > Sensors > Log.

Related Documentation
Managing Interoperation with IDP Devices
Defining Automatic Response Sensor Event Policies
Using Role-Based Policies to Monitor User Activity


Using Role-Based Policies to Monitor User Activity

If you are using IDP Release 5.0 or greater or ScreenOS ISG-IDP Release 6.3 or greater, you can add enhanced user management capabilities to your Pulse Policy Secure Series device IDP deployment. This feature is supported for endpoints using OAC, Pulse, and users who connect with agentless access. Junos IDP does not support this feature at this time.

Using Network and Security Manager (NSM), you can configure application policies that are role-based to monitor endpoints and enforce IDP rules.

When a user session is established on the Pulse Policy Secure Series device, the Pulse Policy Secure Series device pushes session information, including IP address, username, and the roles to which the user is assigned, to the IDP. The session information allows IDP to apply policies based on user roles, or on the username, which is added to the IDP log.

Since role selection for a user can be based on the results of Host Checker policies, you can set policies that are based on Host Checker results. For example, if a user is assigned to a restrictive role based on the results of a Host Checker policy requiring a particular instant messaging software patch, you can restrict instant messenger traffic for that role.

The Pulse Policy Secure Series device keeps the IDP device updated when a user’s role changes or when a session is deleted. IDP’s application policy enforcement reflects the most currently available information about a user.

For OAC users who authenticate via Layer 2, there is a short gap in role-based application policy enforcement until the endpoint obtains an IP address. During this period, IDP policies based on source IP are enforced.

If role-based policies are less restrictive than IP address based policies, some users could be inadvertently blocked during this period. Once session information is obtained about the endpoint, IDP re-evaluates the endpoint and applies the less restrictive policies.

If role-based policies are more restrictive than IP address based policies, IDP cannot apply the more restrictive policies, and an endpoint could engage in potentially damaging behavior prior to session information being sent.

If you are using the Pulse Policy Secure Series device and IDP in a network that employs IF-MAP client and server Federation, and IDP detects an attack that is attributed to a session, IDP informs the Pulse Policy Secure Series device about the attack. Upon notification, the Pulse Policy Secure Series device publishes the information to any attached IF-MAP servers. The IF-MAP server notifies the Pulse Policy Secure Series device that originally published the session, and that Pulse Policy Secure Series device takes the appropriate action based on the applicable Sensor Event Policies.

Related Documentation
About IDP Technology
Defining Automatic Response Sensor Event Policies
Managing Interoperation with IDP Devices
Understanding Coordinated Threat Control in a Federated Deployment


Understanding Coordinated Threat Control in a Federated Deployment

You can use the Juniper Networks IDP Series Intrusion Detection and Prevention Appliance with Federation to detect attacks from within the network. Any endpoint that is on any connected Pulse Policy Secure Series device or SA appliance can be monitored for suspect activity. IF-MAP clients can work together to provide coordinated threat control across all attached enforcement points.

Endpoints running Network Connect that access an SA appliance can be monitored by standalone IDP. Endpoints that access a Pulse Policy Secure Series device can be monitored by standalone IDP, Integrated Security Gateway Intrusion Detection and Prevention (ISG-IDP), or SRX Series Services Gateway IDP.

The IDP device reports attacks to the Pulse Policy Secure Series device or SA appliance to which it is connected. The Pulse Policy Secure Series device or SA appliance configured as an IF-MAP client reports the user’s activity to the IF-MAP server using IF-MAP. The IF-MAP server notifies the authenticating Pulse Policy Secure Series device or SA appliance about the attack, and the authenticating device applies its IDP sensor policies. If new roles or restrictions are imposed on the endpoint based on policies configured on the device, the Pulse Policy Secure Series device or the SA appliance publishes the new session information for the endpoint to the IF-MAP server.

When any other Pulse Policy Secure Series device or SA appliance polls the IF-MAP server, the newly published session information for the user determines the protected resources that the user can access. See the Unified Access Control Administration Guide.

Figure 4 demonstrates a configuration with IDP incorporated.

Figure 4: IF-MAP Federation in a Heterogeneous Network with IDP


The following steps summarize the interaction with IDP in an IF-MAP federated network.

1. The endpoint successfully accesses Pulse Policy Secure Series device or SA appliance 1 and publishes session data to the IF-MAP server through Session-Export policies.

2. The endpoint attempts to access protected resources behind the Infranet Enforcer, which is connected to Pulse Policy Secure Series device 3. Pulse Policy Secure Series device 3 uses IF-MAP to query the IF-MAP server for session information about the endpoint. After receiving session information, Pulse Policy Secure Series device 3 uses Session-Import policies to determine roles and then provisions an auth table entry on the Infranet Enforcer. Pulse Policy Secure Series device 3 subscribes to updates about the endpoint’s session data.

3. After the endpoint is successfully connected to resources behind the Infranet Enforcer, IDP detects an attack originating from the endpoint.

4. IDP notifies Pulse Policy Secure Series device 2 of the attack. (If IDP is standalone IDP, Pulse Policy Secure Series device 2 could also be an SA appliance. If IDP is an Infranet Enforcer with the ISG-IDP security module, Pulse Policy Secure Series device 2 cannot be an SA appliance, because the SA appliance does not communicate with the Infranet Enforcer.)

5. Pulse Policy Secure Series device 2 updates the endpoint session data on the IF-MAP server with information about the attack.

6. The IF-MAP server notifies Pulse Policy Secure Series device 1 or SA appliance 1 (the original authenticating device) about the attack. The authenticating Pulse Policy Secure Series device or SA appliance is responsible for consuming the attack.

7. The authenticating Pulse Policy Secure Series device or SA appliance applies its sensor policies to the endpoint and updates the endpoint’s session according to the actions specified in the sensor policies. For example, the endpoint might be assigned a more restrictive role. The Pulse Policy Secure Series device or SA appliance publishes the new session information to the IF-MAP server, and the new information replaces the old data.

8. The IF-MAP server notifies any Pulse Policy Secure Series devices that subscribe to updates about the endpoint. This includes Pulse Policy Secure Series device 3, which is connected to the Infranet Enforcer.

9. Pulse Policy Secure Series device 3 applies Session-Import policies to the new session data for the endpoint and pushes the resulting roles to the Infranet Enforcer.

10. If the new set of roles denies access to the protected resources, access is denied.

Related Documentation
Using IDP Devices in a Federated Deployment

Using IDP Devices in a Federated Deployment

This example details how to configure two Pulse Policy Secure Series device clusters with an ISG-IDP device to provide protection in an IF-MAP federated network.

1. Configure the data center 1 active/passive cluster as an IF-MAP server. Data center 1 resources are protected with an ISG-IDP Infranet Enforcer.

2. Configure the data center 2 active/passive cluster as an IF-MAP client connected to data center 1.

3. Configure source IP policies on the data center 1 Enforcer for users who need access to protected resources, including users whose sessions are federated from data center 2.


4. Configure the IDP sensor to communicate with the Pulse Policy Secure Series device in data center 1. Set the addresses to monitor on the Pulse Policy Secure Series appliances in data center 1 to include the IP addresses of users from data center 2.

5. Configure sensor event policies on each Pulse Policy Secure in the network. Configure the sensor event policy on the Pulse Policy Secure Series appliance through which users are authenticated. Each authenticating Pulse Policy Secure or SA needs to have sensor event policies configured, even if the authenticating device does not connect directly to a sensor.

When a user successfully accesses data center 1 and attempts to access resources on data center 2, the user's session is published to the IF-MAP server. The data center 2 Pulse Policy Secure appliance subscribes to the session information. If the user launches an attack, the IDP rules configured on data center 1 are applied.
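The ten-step flow in "Understanding Coordinated Threat Control in a Federated Deployment" and step 5 of the example above make the same point: the attack is consumed only by the device that authenticated the session, so a missing sensor event policy there leaves the Enforcer's auth table unchanged. The following in-memory model is an added example, not code from this guide, from Pulse Secure, or an implementation of the IF-MAP protocol; it assumes a synchronous publish/subscribe dictionary in place of the IF-MAP server, that the device first publishing a session's roles is its authenticating device, and that a sensor event policy is a function from (attack, current roles) to new roles.

```python
"""Added example (not Pulse Secure code and not the IF-MAP protocol itself): an
in-memory model of the ten-step coordinated threat control flow, used to show
why every authenticating device needs its own sensor event policies.

Assumptions: the IF-MAP server is a dictionary that delivers notifications
synchronously; the device that first publishes a session's roles is its
authenticating device; a sensor event policy is a function mapping (attack,
current roles) to new roles."""
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set

Policy = Callable[[str, List[str]], List[str]]


class IfMapServer:
    def __init__(self):
        self.sessions: Dict[str, dict] = {}                     # session id -> published data
        self.authenticator: Dict[str, "PpsDevice"] = {}        # who published the session (step 1)
        self.subscribers: Dict[str, Set["PpsDevice"]] = defaultdict(set)

    def publish(self, session_id: str, delta: dict, publisher: "PpsDevice") -> None:
        record = self.sessions.setdefault(session_id, {})
        record.update(delta)
        if "roles" in delta and session_id not in self.authenticator:
            self.authenticator[session_id] = publisher
        auth = self.authenticator.get(session_id)
        # Step 6: an attack published by another device is delivered to the authenticating device.
        if "attack" in delta and auth is not None and publisher is not auth:
            auth.on_attack(session_id, delta["attack"])
        # Step 8: every subscriber receives the current session data.
        for device in list(self.subscribers[session_id]):
            device.on_session_update(session_id, dict(record))

    def search(self, session_id: str) -> dict:
        return dict(self.sessions.get(session_id, {}))

    def subscribe(self, session_id: str, device: "PpsDevice") -> None:
        self.subscribers[session_id].add(device)


class PpsDevice:
    """One PPS (or SA) appliance; which role it plays depends on the methods called."""

    def __init__(self, name: str, server: IfMapServer, sensor_policy: Optional[Policy] = None):
        self.name, self.server, self.sensor_policy = name, server, sensor_policy
        self.auth_table: Dict[str, List[str]] = {}             # Enforcer view: session -> roles
        self.log: List[str] = []

    def authenticate(self, session_id: str, user: str, roles: List[str]) -> None:
        """Step 1: Session-Export publishes the new session."""
        self.server.publish(session_id, {"user": user, "roles": list(roles)}, self)

    def provision_enforcer(self, session_id: str) -> None:
        """Step 2: Session-Import from the server, auth table entry, subscribe to updates."""
        self.auth_table[session_id] = list(self.server.search(session_id)["roles"])
        self.server.subscribe(session_id, self)

    def report_idp_attack(self, session_id: str, attack: str) -> None:
        """Steps 4 and 5: the IDP-connected device attaches the attack to the session."""
        self.server.publish(session_id, {"attack": attack}, self)

    def on_attack(self, session_id: str, attack: str) -> None:
        """Step 7: only the authenticating device consumes the attack."""
        self.log.append(f"{self.name}: attack reported on {session_id}: {attack}")
        if self.sensor_policy is None:
            self.log.append(f"{self.name}: no sensor event policy configured, nothing changes")
            return
        new_roles = self.sensor_policy(attack, self.server.search(session_id)["roles"])
        self.server.publish(session_id, {"roles": new_roles}, self)

    def on_session_update(self, session_id: str, record: dict) -> None:
        """Steps 9 and 10: the Enforcer-connected device re-imports the roles."""
        self.auth_table[session_id] = list(record["roles"])


def quarantine_on_attack(attack: str, roles: List[str]) -> List[str]:
    """Constructed sensor event policy: replace the user's role with a restricted one."""
    return ["Quarantine"]


def run_scenario(authenticator_has_policy: bool):
    """Return (Enforcer roles after the attack, authenticating device's log)."""
    server = IfMapServer()
    pps1 = PpsDevice("PPS-1", server, quarantine_on_attack if authenticator_has_policy else None)
    pps2 = PpsDevice("PPS-2", server)        # connected to the IDP sensor
    pps3 = PpsDevice("PPS-3", server)        # connected to the Infranet Enforcer
    pps1.authenticate("session-42", "bob", ["Employees"])          # constructed session
    pps3.provision_enforcer("session-42")
    pps2.report_idp_attack("session-42", "HTTP:constructed-attack")
    return pps3.auth_table["session-42"], pps1.log


if __name__ == "__main__":
    print(run_scenario(True))    # Enforcer now sees ['Quarantine']
    print(run_scenario(False))   # Enforcer still sees ['Employees']: the attack was only logged
```

Running both scenarios side by side shows the failure mode step 5 warns about: PPS-2 sees the attack and PPS-3 enforces access, yet only PPS-1's policy can change the roles that reach the Enforcer.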

Related Documentation
Understanding Coordinated Threat Control in a Federated Deployment


Index

A
application policy enforcement, with IDP ........ 26

C
conventions
    notice icons ........ 6
    text conventions ........ 7
technical support ........ 8
    contacting PSGSC ........ 9

D
documentation, comments on ........ 8

I
IDP and IF-MAP, concepts ........ 27
IDP and Junos, configuring ........ 19
IDP and role-based policies ........ 26
IDP and ScreenOS, configuring ........ 19
IDP configuration ........ 13, 18
IDP deployment examples ........ 14
IDP interaction ........ 17
IDP licensing ........ 19
IDP sensor policies ........ 21
IDP with IF-MAP, example ........ 28
IDP, automatic response ........ 23
IDP, interoperability ........ 17
IDP, quarantining users manually ........ 25
IDP, using with UAC ........ 13, 18
IF-MAP and IDP ........ 27
IF-MAP with IDP, example ........ 28

J
Junos CTC ........ 19
Junos IDP, activating ........ 20

L
licensing, IDP ........ 19

N
notice icons ........ 6

R
role-based policies, IDP ........ 26

S
ScreenOS IDP, activating ........ 20
ScreenOS ISG-IDP ........ 19
sensor policies for IDP, configuring ........ 21

T
technical support
    contacting PSGSC ........ 8
text conventions ........ 7
