IDP Rulebase Example: User-Role-Based Policies
Suppose your enterprise uses Juniper Networks Unified Access Control (UAC) to authenticate access to the corporate network. When you initially rolled out the solution, Host Checker quarantined and denied network access to many users with noncompliant systems, and you received a lot of negative feedback about end user inconvenience and lost productivity. You can ameliorate these concerns when you deploy the IDP appliance with user session signaling from UAC. When the IDP appliance is protecting your network, users who were formerly flagged for quarantine because Host Checker identified vulnerabilities do not need to be denied access. With role-based IDP security policies, you can adopt a remediation plan that allows access, and even if the vulnerability has been exploited, your network will be protected by the IDP role-focused security policy.
To deploy this solution, follow these basic steps:
- Read the release notes for the IDP Series appliance and the IC Series appliance to verify version compatibility requirements.
- Deploy a UAC solution for user access to the network. For details, see the Unified Access Control Administration Guide.
- Use UAC to create roles you want to use in your security policy. For security rules, you want to leverage results of the Host Checker to map users with vulnerable systems to roles that identify the vulnerabilities, such as “Laptop Users,” “Unauthorized Instant Messenger Installed,” or “Windows XP Patch Required.” Figure 1 shows the IC Series Admin Console Role Mapping page.
Figure 1: IC Series Admin Console: Configuring User Roles

For details on configuring roles and role mapping, see the Unified Access Control Administration Guide or UAC online Help.
- Configure communication between the IC Series appliance and the IDP Series appliance so you can use the IDP user-role-based policy feature:
  - From the IDP Series side, you use the Appliance Configuration Manager (ACM) to generate a one-time password the IC Series appliance will use to connect to the IDP Series appliance. Figure 2 shows the ACM page used to generate a password for the IC Series connection.
Figure 2: ACM: Generating a One-Time Password for the Connection from the IC Series Appliance

  - From the IC Series side, you configure the connection to the IDP appliance, specifying the IP address, port 7103, and the one-time password. Figure 3 shows the IC Series Admin Console Sensor Configuration page.
Figure 3: IC Series Admin Console: Configuring the Connection to the IDP Appliance

- In NSM, configure IDP rulebase rules that inspect traffic from users with vulnerable systems. Push the security policy to the IDP appliance. Figure 4 shows a rule where the IDP appliance inspects traffic from vulnerable hosts for the relevant Recommended attack objects.
Figure 4: IDP Rulebase: User-Role-Based Rules
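To make the role-based rule selection concrete, the following added example (not Juniper code, and not from this page) models how the session table signaled by the IC Series appliance lets the IDP rulebase pick inspection by role; the session entries, rule names and attack object group names are constructed placeholders, and the matching semantics are a simplification.

```python
# Simplified model of user-role-based IDP rule selection (constructed example,
# not Juniper code). Host Checker maps vulnerable systems to UAC roles, the IC
# Series appliance signals the session (user, IP, roles) to the IDP appliance,
# and IDP rules whose role criterion matches apply their attack object groups.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    roles: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    roles: frozenset        # empty set: the rule has no role criterion
    attack_groups: tuple    # attack object groups this rule inspects for


# Session table as signaled by the IC Series appliance (constructed sample data).
SESSIONS = {
    "10.1.1.10": Session("alice", "10.1.1.10",
                         frozenset({"Laptop Users", "Windows XP Patch Required"})),
    "10.1.1.11": Session("bob", "10.1.1.11",
                         frozenset({"Laptop Users", "Unauthorized Instant Messenger Installed"})),
    "10.1.1.12": Session("carol", "10.1.1.12", frozenset({"Laptop Users"})),
}

# Rulebase in the spirit of Figure 4: role-specific rules first, a catch-all
# rule last. Rule and attack-group names are hypothetical placeholders.
RULEBASE = (
    Rule("xp-patch-required", frozenset({"Windows XP Patch Required"}),
         ("Recommended-Windows (placeholder)",)),
    Rule("unauthorized-im", frozenset({"Unauthorized Instant Messenger Installed"}),
         ("Recommended-IM (placeholder)",)),
    Rule("all-traffic", frozenset(), ("Recommended",)),
)


def roles_for(src_ip, sessions=SESSIONS):
    """Roles signaled for a source IP; empty when no UAC session is known for it."""
    session = sessions.get(src_ip)
    return session.roles if session else frozenset()


def inspection_groups(src_ip, rulebase=RULEBASE, sessions=SESSIONS):
    """Attack object groups applied to traffic from src_ip, in rulebase order.
    A rule matches when it has no role criterion or shares a role with the session,
    so a host with no signaled session still falls under the catch-all rule."""
    roles = roles_for(src_ip, sessions)
    groups = []
    for rule in rulebase:
        if not rule.roles or rule.roles & roles:
            groups.extend(g for g in rule.attack_groups if g not in groups)
    return groups
```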
