Junos Pulse Secure Access Service

Similar documents
Juniper Secure Analytics

Junos Pulse Secure Access Service

Junos Space. Reports. Release Published: Copyright 2014, Juniper Networks, Inc.

Juniper Secure Analytics Virtual Appliance Installation Guide

STRM Series to JSA Series

CBA850 3G/4G/LTE Wireless WAN Bridge Application Guide

Subscriber Traffic Redirection

Virtual Route Reflector

Web Device Manager Guide

Juniper Secure Analytics

Junos Space Virtual Appliance Installation and Configuration Guide

Juniper Secure Analytics

Service Now Getting Started Guide

Junos Space Virtual Appliance Installation and Configuration Guide

JunosE Software for E Series Broadband Services Routers

Pulse Policy Secure. Guest Access Solution Configuration Guide. Product Release 5.2. Document Revision 1.0 Published:

Junos Space Service Now Getting Started Guide

Junos Space Virtual Appliance Installation and Configuration Guide

Mac OS X Quick Start Guide

Junosphere. Connector Guide. Release 2.4. Published: Revision 4. Copyright 2012, Juniper Networks, Inc.

Junos Pulse Secure Access Service

Junos Pulse Access Control Service

Pulse Policy Secure. Getting Started Guide. Product Release 5.1. Document Revision 1.0 Published:

Security Director. Security Director Installation and Upgrade Guide. Modified: Copyright 2018, Juniper Networks, Inc.

Flow Monitoring Feature Guide for EX9200 Switches

Juniper Extension Toolkit Applications Guide

Juniper Secure Analytics

Junos Space. Network Director API. Release 3.0. Modified: Copyright 2017, Juniper Networks, Inc.

Device Security Feature Guide for EX9200 Switches

Junos Space Network Management Platform

Juniper Extension Toolkit Applications Guide

Junos OS. NETCONF Java Toolkit Developer Guide. Modified: Copyright 2017, Juniper Networks, Inc.

Juniper Secure Analytics Log Event Extended Format Guide

Junos OS. Unified Access Control Solution Guide for SRX Series Services Gateways. Release Junos Pulse Access Control Service 4.2/Junos OS 12.

NSM Plug-In Users Guide

Juniper Secure Analytics Tuning Guide

Security Director. Security Director Installation and Upgrade Guide. Modified: Copyright 2017, Juniper Networks, Inc.

NSM Plug-In Users Guide

vmx Getting Started Guide for Microsoft Azure Release 17.4 Modified: Copyright 2018, Juniper Networks, Inc.

Junos Snapshot Administrator in Python

JUNOSPHERE RELEASE NOTES

Pulse Policy Secure. Access Control in the Federated Enterprise Using IF-MAP Network Configuration Example. Product Release 5.2

Junos OS. J-Web User Guide for Security Devices. Modified: Copyright 2017, Juniper Networks, Inc.

Third-Party Network Devices with Scripting Service in the SRC Network

Junos Space. Junos Space Frequently Asked Questions. Release Modified: Copyright 2016, Juniper Networks, Inc.

Junos OS. J-Web User Guide. Modified: Copyright 2018, Juniper Networks, Inc.

Subscriber Management in a Wireless Roaming Environment

JunosE Software for E Series Broadband Services Routers

Security Director. Security Director Installation and Upgrade Guide. Modified: Copyright 2018, Juniper Networks, Inc.

JUNOSPHERE RELEASE NOTES

Cloud CPE Centralized Deployment Model

vmx Getting Started Guide for AWS Release 15.1F6 Modified: Copyright 2018, Juniper Networks, Inc.

Juniper Secure Analytics

Service Automation Monitoring and Troubleshooting

Junos OS. IDP Series Appliance to SRX Series Services Gateway Migration Guide. Modified: Copyright 2017, Juniper Networks, Inc.

EX2500 Ethernet Switch 3.1 Release Notes

Junos OS Radio-to-Router Protocols for Security Devices

JUNOS OS. NETCONF XML Management Protocol Guide. Release Published: Copyright 2011, Juniper Networks, Inc.

JunosE Software for E Series Broadband Services Routers

Juniper Extension Toolkit Developer Guide

JunosV App Engine. Administration Guide. Release Published: Copyright 2014, Juniper Networks, Inc.

Junos Space High Availability Deployment Guide

Juniper Secure Analytics Patch Release Notes

Junos Space. CLI Configlets. Release Modified: Copyright 2016, Juniper Networks, Inc.

Junos Pulse. Client Customization Developer Guide. Release 5.0. Published: Copyright 2013, Juniper Networks, Inc.

Junos OS. Layer 2 Bridging and Switching Configuration Guide for Security Devices. Release Published:

vmx Getting Started Guide for AWS Release 17.2 Modified: Copyright 2018, Juniper Networks, Inc.

Cloud Analytics Engine Feature Guide for the QFX Series

PCMM Devices in an SRC-Managed Network

Junos Space. Network Director API. Release 2.5. Modified: Copyright 2016, Juniper Networks, Inc.

Juniper Secure Analytics Patch Release Notes

Upgrading STRM to

Juniper Secure Analytics Patch Release Notes

Getting Started with NFX250 Network Services Platform

Security Certificates for the SRC Software

Junos OS. Common Criteria Evaluation Configuration Guide for Devices Running Junos OS Release Releases 13.2X50-D19 and 13.

Complete Hardware Guide for EX2200 Ethernet Switches

STRM Administration Guide

Juniper Secure Analytics Patch Release Notes

Troubleshooting Guide

Complete Hardware Guide for EX4200 Ethernet Switches

Junos Pulse Mobile Security Dashboard

Interface and Subscriber Classification Scripts

Junos OS. ICMP Router Discovery Protocol Feature Guide. Modified: Copyright 2017, Juniper Networks, Inc.

Junos Pulse Access Control Service

Junos OS. Junos Telemetry Interface Feature Guide. Modified: Copyright 2017, Juniper Networks, Inc.

IDP Detector Engine Release Notes

EX2500 Ethernet Switch 3.0 Release Notes

Adaptive Log Exporter Users Guide

JUNOSPHERE RELEASE NOTES

Junos Pulse Mobile Security Dashboard

Cloud Analytics Engine Compute Agent API Reference

Pulse Policy Secure. Enterprise Guest User Access Manager Feature Guide. Product Release 5.1. Document Revision 1.0 Published:

Offboard storage. Release Modified: Copyright 2016, Juniper Networks, Inc.

Virtual Route Reflector

Contrail HealthBot User Guide

Coordinated Threat Control

SRX 5600 and SRX 5800 Services Gateway Routing Engine Installation Instructions

Juniper Secure Analytics Configuring Offboard Storage Guide

Wireless LAN. SmartPass Quick Start Guide. Release 9.0. Published: Copyright 2013, Juniper Networks, Inc.

Transcription:

Junos Pulse Secure Access Service Intrusion Detection and Prevention Sensors Release 8.0 Published: 2013-11-15

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785. Junos Pulse Secure Access Service Intrusion Detection and Prevention Sensors Release 8.0 All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036. END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

Table of Contents About the Documentation............................................ ix Documentation and Release Notes.................................. ix Supported Platforms............................................. ix Documentation Conventions....................................... ix Documentation Feedback......................................... xi Requesting Technical Support...................................... xi Self-Help Online Tools and Resources........................... xii Opening a Case with JTAC..................................... xii Part 1 Overview Chapter 1 IDP............................................................... 3 About IDP.......................................................... 3 IDP Deployment Scenarios............................................ 4 Part 2 Configuration Chapter 2 IDP............................................................... 9 Configuring the Secure Access Service to Interoperate with IDP............... 9 Interaction Between the IC Series and IDP............................ 9 Configuring IDP Sensor Policies........................................ 10 Part 3 Administration Chapter 3 Quarantined Users................................................. 15 Identifying and Managing Quarantined Users Manually..................... 15 Chapter 4 Sensor Event Polices............................................... 17 Defining Automatic Response Sensor Event Policies....................... 17 Part 4 Index Index.......................................................... 21 iii

Intrusion Detection and Prevention Sensors iv

List of Figures Part 1 Overview Chapter 1 IDP............................................................... 3 Figure 1: Secure Access Service and IDP Topology Scenario 1................. 4 Figure 2: Secure Access Service and IDP Topology Scenario 2................. 5 Part 3 Administration Chapter 3 Quarantined Users................................................. 15 Figure 3: Managing Quarantined Users.................................. 16 v

Intrusion Detection and Prevention Sensors vi

List of Tables About the Documentation.......................................... ix Table 1: Notice Icons.................................................. x Table 2: Text and Syntax Conventions.................................... x vii

Intrusion Detection and Prevention Sensors viii

About the Documentation Documentation and Release Notes Documentation and Release Notes on page ix Supported Platforms on page ix Documentation Conventions on page ix Documentation Feedback on page xi Requesting Technical Support on page xi Supported Platforms To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/. If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes. Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books. For the features described in this document, the following platforms are supported: MAG Series SA Series Documentation Conventions Table 1 on page x defines notice icons used in this guide. ix

Intrusion Detection and Prevention Sensors Table 1: Notice Icons Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser. Table 2: Text and Syntax Conventions Table 2 on page x defines the text and syntax conventions used in this guide. Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: user@host> configure Fixed-width text like this Italic text like this Represents output that appears on the terminal screen. Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles. user@host> show chassis alarms No alarms currently active A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide RFC 1997, BGP Communities Attribute Italic text like this Text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. Configure the machine s domain name: [edit] root@# set system domain-name domain-name To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Encloses optional keywords or variables. stub <default-metric metric>; x

About the Documentation Table 2: Text and Syntax Conventions (continued) Convention Description Examples (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) Indicates a comment specified on the same line as the configuration statement to which it applies. rsvp { # Required for dynamic MPLS only [ ] (square brackets) Encloses a variable for which you can substitute one or more values. community name members [ community-ids ] Indention and braces ( { } ) ; (semicolon) Identifies a level in the configuration hierarchy. Identifies a leaf statement at a configuration hierarchy level. [edit] routing-options { static { route default { nexthop address; retain; } } } GUI Conventions Bold text like this Represents graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel. > (bold right angle bracket) Separates levels in a hierarchy of menu selections. In the configuration editor hierarchy, select Protocols>Ospf. Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments: Document or topic name URL or page number Software release version (if applicable) Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, xi

Intrusion Detection and Prevention Sensors or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf. Product warranties For product warranty information, visit http://www.juniper.net/support/warranty/. JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/ Search for known bugs: http://www2.juniper.net/kb/ Find product documentation: http://www.juniper.net/techpubs/ Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/ Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/ Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/ Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/ Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/ To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/serialnumberentitlementsearch/ Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at http://www.juniper.net/cm/. Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html. xii

PART 1 Overview IDP on page 3 1

Intrusion Detection and Prevention Sensors 2

CHAPTER 1 IDP About IDP on page 3 IDP Deployment Scenarios on page 4 About IDP Securing intranet work application and resource traffic is vital to protecting your network from hostile outside intrusion. You can add levels of application security to your remote access network by integrating a Juniper Networks Secure Access Service with a Juniper Networks Intrusion Detection and Prevention (IDP) Sensor. The IDP device may provide the following types of protection in this solution (some forms of protection depend upon the specific configuration): The IDP sensor monitors the network on which the IDP system is installed. The sensor s primary task is to detect suspicious and anomalous network traffic based on specific rules defined in IDP rulebases. The IDP device provides the following types of protection (some forms of protection depend upon the specific configuration): Protects against attacks from user to application and from application to user (from a server-side endpoint) Detects and blocks most network worms based on software vulnerabilities Detects and blocks non-file-based Trojan Horses Detects and blocks effects of spyware. adware, and key loggers Detects and blocks many types of malware Detects and blocks zero day attacks through the use of anomaly detection NOTE: An IDP Sensor can send logs to one Secure Access Service only. However, the Secure Access Service can receive logs from more than one IDP Sensor. You do not need a special license from Juniper Networks to enable interaction between the Secure Access Service and the IDP. 3

Intrusion Detection and Prevention Sensors Using the Secure Access Service admin console, you can configure and manage interaction attributes between the Secure Access Service and an IDP, including the following: Global configuration parameters such as the IDP hostname or IP address, the TCP port over which the sensor communicates with the Secure Access Service, and the one-time password the Secure Access Service and IDP use to authenticate with one another. Dynamically changing the IDP configuration from the Secure Access Service and alerting the IDP of changes in the IP address pool available to remote users. Various levels of attack severity warnings. The IDP sits behind the Secure Access Service on your internal network and monitors traffic flowing from the Secure Access Service into the LAN. Any abnormal events detected by the IDP Sensor are reported to the Secure Access Service, which you configure to take appropriate action based on the severity level of the reported events. The IDP Sensor performs reporting functions in addition to any normal logging the IDP has been configured to undertake. You can use an IDP Sensor on the Secure Access Service cluster, if the cluster is configured with a virtual IP (VIP) address. Related Documentation IDP Deployment Scenarios on page 4 Configuring the Secure Access Service to Interoperate with IDP on page 9 Configuring IDP Sensor Policies on page 10 IDP Deployment Scenarios The two most likely deployment scenarios are as follows: Customer use of the Secure Access Service for extended enterprise access and IDP for security of all perimeter traffic including but not limited to traffic from the Secure Access Service. The following figure illustrates this scenario, in which the Secure Access Service is deployed in the DMZ or on the LAN and the IDP is deployed in-line behind the firewall and in front of the LAN. Figure 1: Secure Access Service and IDP Topology Scenario 1 4

Chapter 1: IDP In the second deployment scenario, IDP is only used to protect traffic that comes through the Secure Access Service but not in-line with other perimeter traffic. The following figure illustrates this deployment scenario. Figure 2: Secure Access Service and IDP Topology Scenario 2 Related Documentation About IDP on page 3 Configuring the Secure Access Service to Interoperate with IDP on page 9 5

Intrusion Detection and Prevention Sensors 6

PART 2 Configuration IDP on page 9 7

Intrusion Detection and Prevention Sensors 8

CHAPTER 2 IDP Configuring the Secure Access Service to Interoperate with IDP on page 9 Configuring IDP Sensor Policies on page 10 Configuring the Secure Access Service to Interoperate with IDP The IDP Sensor is a powerful tool to counter users who initiate attacks. Integration with the Secure Access Service allows you to configure automatic responses as well as manually monitor and manage users. To configure the Secure Access Service to interoperate with an associated standalone IDP Sensor, you must first ensure the IDP has been configured according to the instructions described in the Signaling Setup appendix of IDP Series Concepts and Examples Guide, Version 5.1rX. Once the IDP Sensor has been set up, you can specify the events you want the IDP to watch for and the actions that the Secure Access Service takes once a particular event has been noted and reported. There are two locations on the Secure Access Service where you can specify actions to be taken in response to users that perform attacks: Sensor Event policies page Define the policy on this page to generate an automatic response to users who perform attacks. Users page Manually identify and quarantine or disable users on the System > Status > Active Users page, which lists users who have performed attacks. Interaction Between the IC Series and IDP The Secure Access Service reads attack information as it is being sent by the IDP sensor. The Secure Access Service receives the source and destination IP addresses and port numbers of the attacking host and the resource against which the attack was launched, along with the attack identifier, severity of the attack, and the time at which the attack was launched. The Secure Access Service incorporates and displays the attack information received from the IDP sensor on the System > Status > Active Users page. Based on the attackers 9

Intrusion Detection and Prevention Sensors IP address and port number, the Secure Access Service can uniquely identify the user s session. You can choose automatic or manual actions for attacks detected by the IDP sensor. For manual action, you look up the information available on the Active Users page and decide on an action. For automatic action, you configure the action in advance when you define your IDP policies. Related Documentation Configuring IDP Sensor Policies on page 10 Configuring IDP Sensor Policies The Sensors tab allows you to specify the system settings the Secure Access Service uses to establish a connection to a Juniper Network s Intrusion Detection and Prevention (IDP) device. Use the System > Configuration > Sensors > Sensors tab to perform a number of tasks related to configuring and managing interaction between the Secure Access Service and an IDP Sensor. The main Sensor page displays the sensor, the network address, the state (enabled), the version, and the status of any configured sensors. Creating a New IDP Sensor Entry In IDP versions prior to 5.0, the Secure Access Service sends only the user IP address. With version 5.0, the Secure Access Service sends session information including the user, user role and IP address. To enable or disable existing IDP Sensor entries on the Secure Access Service: 1. In the admin console, choose System > Configuration > Sensors. NOTE: To use the IDP sensor with the Secure Access Service you must enable logging for the applicable policies. 2. Click New Sensor. The admin console displays the New Sensor page. 3. Under Sensor Properties, specify the following information: Name A name the Secure Access Service uses to identify the new connection entry Hostname The hostname or IP address of the IDP Sensor to which the Secure Access Service connects in order to receive application and resource attack alert messages Port The TCP port on the IDP Sensor to which the Secure Access Service listens when receiving application and resource attack alert messages One-time password The encrypted password the Secure Access Service uses when conducting the initial Transport Layer Security (TLS) handshake with the IDP Sensor. You must enter the encrypted Secure Access Service OTP password as displayed on the IDP ACM configuration summary screen. 10

Chapter 2: IDP NOTE: The hostname, TCP port, and one-time password must already be configured on the IDP Sensor before this configuration can be successful. 4. Under Monitoring Options, specify IP addresses to monitor and the minimum alert severity level the IDP Sensor will record and submit to the Secure Access Service: In the Addresses to Monitor field, specify individual IP addresses and address ranges, one entry per line. IDP reports attack information only for the IP addresses that you specify. If you want IDP to report all events to the Secure Access Service, enter 0.0.0.0/0. If you want IDP to report only selected events, enter <default> to permit IDP to report events for events with source IPs that have an active user session on the Secure Access Service, and /or enter one or more addresses or address ranges for any endpoint that you want the IDP sensor to report. Select one of the severity options available in the Severity filter drop down list. The severity level is a number on a scale from 1 to 5, where 1 is informational and 5 is critical. This option represents the severity of messages the IDP should send to the Secure Access Service. 5. Click Save Changes. Enabling or Disabling IDP Sensors To enable or disable existing IDP Sensor entries on the Secure Access Service: 1. In the admin console, choose System > Configuration > Sensors. 2. Select the checkbox next to one or more IDP Sensor entries you want to enable or disable. 3. Click Enable or Disable to enable or disable the specified IDP Sensor entries, respectively. You can delete existing IDP Sensor entries that define a connection between the Secure Access Service and an IDP Sensor. To delete one or more existing IDP Sensor entries from the Secure Access Service: 1. In the admin console, choose System > Configuration > Sensors. 2. Select the checkbox next to the IDP Sensor entry or entries you want to delete. 3. Click Delete and then confirm that you want to delete the sensor entry or entries. Reconnecting to an IDP Sensor When the connection to an IDP Sensor is down, you can use the admin console on the Secure Access Service to re-establish the connection. You can also use the admin console to refresh the status of existing connections between the Secure Access Service and the IDP Sensor. 11

Intrusion Detection and Prevention Sensors If you need to re-establish communication with an IDP Sensor, you must generate a new One-time Password. To reconnect to an associated IDP Sensor: 1. In the admin console, choose System > Configuration > Sensors. 2. Select the checkbox next to the IDP Sensor to which you want to reconnect. 3. Click Reconnect. The admin console displays a message informing you that the Secure Access Service is currently attempting to re-establish connection to the specified IDP Sensor. This page automatically refreshes each second during the reconnection process. Otherwise, the connection status page automatically refreshes once every 30 seconds. Refreshing and Displaying the Connection Status To refresh and display the connection status for the specified IDP Sensor: 1. In the admin console, choose System > Configuration > Sensors. 2. Select the checkbox next to one or more IDP Sensor entries for which you want to display current connection status. 3. Click Refresh. Related Documentation About IDP on page 3 Configuring the Secure Access Service to Interoperate with IDP on page 9 12

PART 3 Administration Quarantined Users on page 15 Sensor Event Polices on page 17 13

Intrusion Detection and Prevention Sensors 14

CHAPTER 3 Quarantined Users Identifying and Managing Quarantined Users Manually on page 15 Identifying and Managing Quarantined Users Manually When the Secure Access Service quarantines a user based on an attack, you can display and manage the states by locating the user link in the System > Status > Active Users page. A small warning icon displayed in front of the user name. The hyperlinked user name. An enabled Quarantined option button on the specific user s page. If the user is not quarantined, the option button is disabled. You can manage quarantined users from either the admin GUI or by logging in as a user with administrative rights on the local authentication server. To manage quarantined users: 1. Identify quarantined users at System > Status > Active Users. 2. Locate the quarantined user from the Authentication > Auth. Servers > System Local on the admin GUI or from the Admin Users window on the local authentication server. You must be logged in to the local authentication server as an administrator user in order to see the Admin User option. 3. Click the username link. The user page opens, showing a number of options. 15

Intrusion Detection and Prevention Sensors Figure 3: Managing Quarantined Users 4. Click Disabled to disallow a user from authenticating. 5. Click Quarantined to leave a user in a quarantined state. The Quarantined option is only enabled if the user is already quarantined. NOTE: The Secure Access Service assigns quarantined users to the quarantined role, regardless of their login realm. 6. Click Save Changes. 7. To re-enable previously quarantined or disabled users, select Authentication > Auth. Servers > Select Server > Users and click the link for the given user. NOTE: You can also disable users from this location. 8. Click Enabled to release the user from quarantine. 9. Click Save Changes. All Sensor events are logged at System > Log/Monitoring > Sensors > Log. Related Documentation Defining Automatic Response Sensor Event Policies on page 17 Displaying Active Users 16

CHAPTER 4 Sensor Event Polices Defining Automatic Response Sensor Event Policies on page 17 Defining Automatic Response Sensor Event Policies Use the System > Configuration > Sensors > Sensor Event Policies tab to specify one or more rules that specify the action(s) the Secure Access Service takes when it receives attack alert messages from an IDP Sensor. To create a new IDP rule: 1. In the admin console, select System > Configuration > Sensors > Sensor Event Policies. 2. On the Sensor Event Policies page, click New Rules. 3. On the Juniper IDP Rule page, in the Rule: On Receiving... section: Select an existing event from the Event drop-down list. Click Events to edit an existing event or create a new type of event and add it to the options in the Events drop-down list: a. Specify a name for the event. b. Populate the Expressions field by manually entering expressions or by selecting one or more clauses from the Expressions Dictionary and clicking Insert Expression. For example, to check for all critical/highest severity level attacks, enter the following expression: idp.severity >= 4 To check for all critical/highest severity level attacks for HTTP traffic, enter the following expression: idp.severity >= 4 AND idp.attackstr = *HTTP* c. When you have finished entering the expressions you want to apply to this event, click Add Expression. d. Click Close. 4. In the Count this many times section, specify a number between 1 and 256 to determine the number of times an event must occur before action is taken. 17

Intrusion Detection and Prevention Sensors 5. In the...then perform this action section, specify one of the following actions: Ignore (just log the event) Specifies that the Secure Access Service should log the event, but take no further action against the user profile to which this rule applies. This option is best used to deal with very minor informational attack alert messages that come from the IDP Sensor. Terminate User Session Specifies that the Secure Access Service should immediately terminate the user session and require the user to sign in to the Secure Access Service again. Disable user account Specifies that the Secure Access Service should disable the user profile associated with this attack alert message, thus rendering the client unable to sign in to the Secure Access Service until the administrator re-enables the user account. (This option is only applicable for users who have a local Secure Access Service user account.) Replace user s role with this one Specifies that the role applied to this user s profile should change to the role you select from the associated dropdown list. This new role remains assigned to the user profile until the session terminates. This feature allows you to assign a user to a specific controlled role of your choice, based on specific IDP events. For example, if the user performs attacks, you might assign the user to a restricted role that limits the user s access and activities. Choose to make this role assignment: Permanent User remains in the quarantined state across subsequent logins until the administrator releases the user from the quarantined state. For this session only Default. User can log in to another session. 6. In the Roles section, specify: Policy applies to ALL roles To apply this policy to all users. Policy applies to SELECTED roles To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. Policy applies to all roles OTHER THAN those selected below To apply this policy to all users except for those who are mapped to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. 7. Click Save Changes. Related Documentation Configuring the Secure Access Service to Interoperate with IDP on page 9 18

PART 4 Index Index on page 21 19

Intrusion Detection and Prevention Sensors 20

M manuals comments on...xi Index Symbols #, comments in configuration statements...xi ( ), in syntax descriptions...xi < >, in syntax descriptions...x [ ], in configuration statements...xi { }, in configuration statements...xi (pipe), in syntax descriptions...xi P parentheses, in syntax descriptions...xi S sensor policies for IDP, configuring...10 support, technical See technical support syntax conventions...x T technical support contacting JTAC...xi B braces, in configuration statements...xi brackets angle, in syntax descriptions...x square, in configuration statements...xi C comments, in configuration statements...xi conventions text and syntax...x curly braces, in configuration statements...xi customer support...xi contacting JTAC...xi D documentation comments on...xi F font conventions...x I IDP configuration...3 IDP deployment examples...4 IDP interaction...9 IDP sensor policies...10 IDP, automatic response...17 IDP, interoperability...9 IDP, quarantining users manually...15 IDP, using with UAC...3 21

Intrusion Detection and Prevention Sensors 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback