Providing Threat Mitigation Services with IDP > Defining Actions to Be Taken for Subscriber Traffic

Defining Actions to Be Taken for Subscriber Traffic

When IDP processes subscriber traffic that it receives, it identifies malicious traffic as defined by IDP security rules that are configured within IDP. For SDX-managed subscriber traffic, you can configure the SDX software to:

• Redirect subscriber Web requests to an IDP captive portal page that provides information about the problem encountered.
• Activate SDX services to take actions such as limiting the bandwidth available to the subscriber.
• Send e-mail to the subscriber to provide information about a problem encountered by mapping IP addresses to subscriber names.

After you configure SDX components to take action in response to an incident reported by IDP, you enable the action on IDP. See Enabling SDX Actions from IDP Manager.

Redirecting Web Requests

You can configure the SDX software to redirect subscriber Web requests to an IDP captive portal page in response to IDP security rules that detect problem traffic sent by or received by a subscriber. A captive portal is simply a Web page that receives redirected HTTP requests. The SDX application library provides a sample IDP captive portal that is a Java 2 Platform, Enterprise Edition (J2EE) Web application. We provide the application for demonstration purposes.

The sample IDP captive portal is similar to the sample captive portal for residential subscribers, and uses the same redirect server to redirect traffic. See SDX Components Guide, Vol. 2, Chapter 1, Overview of the Residential Portal.

You use an SDX service to redirect Web requests to a captive portal. For information about the type of service that you configure to redirect Web requests to a captive portal, see Applying SDX Services to Subscribers Associated with Problem Traffic.

You can use the sample IDP captive portal as a basis for a captive portal for your environment, or you can develop a different captive portal based on the sample.

Developing and Customizing the Sample IDP Captive Portal

The /webapp directory on the SDX application library CD contains the idpPortal.war file. The idpPortal.war file provides:

• Complete source code for the IDP captive portal in the WEB-INF/src directory
• Documentation for the Java classes used in the sample IDP captive portal in the /javadoc directory

For information about expanding the idpPortal.war file, see Configuring Properties for the Sample IDP Captive Portal.

The IDP captive portal uses the SAE CORBA remote application programming interface (API) to perform actions such as activating, deactivating, or scheduling services. For information about the SAE CORBA remote API, see the SAE CORBA remote API online documentation on the SDX software distribution in the directory SDK/doc/idl/index.html.

Overview of the Sample IDP Captive Portal

The sample IDP captive portal:

• Provides the source IP address or destination IP address of the problem traffic and provides a description of the incident.

The following page shows a sample IDP captive portal page that identifies incoming as well as outgoing traffic problems that IDP detected. The help buttons provide information about what the subscriber can do in response to the problem. For example, for the incoming traffic the Help could recommend that the subscriber use firewall software.

• Displays general information if the SDX software cannot collect information about the type of traffic that causes a problem; for example, if the IDP management server cannot access the record servlet in the IDP captive portal.
• Lets the subscriber display the Web page that he or she was trying to access when the request was redirected to the captive portal page and be reminded of the error at another time.
• Lets the subscriber prevent display of the IDP captive portal page again for the same incident.

This feature is useful for a subscriber who is addressing a detected problem and who does not want to be redirected to the IDP captive portal page again while addressing the issue. It is not intended that the subscriber simply ignore the problem.

If a new problem occurs, the portal displays a new page.

Sequence for Redirecting Traffic

The sample IDP captive portal takes the following actions in response to incidents detected by IDP:

1. The portal's record servlet records HTTP messages that it receives from the IDP management server. The messages include the source and destination IP addresses of problem traffic and a problem description.
2. The IDP management server activates a service that policy-routes the subscriber's Web traffic to the SDX redirect server.
3. When the subscriber tries to access the Web, the SDX redirect server responds to the subscriber's Web traffic by redirecting the subscriber to the IDP captive portal through an HTTP redirect process.
4. The IDP captive portal then retrieves the subscriber's IP address and the stored messages for this IP address, and displays messages appropriate to the subscriber.

About the Record Servlet

The record servlet receives messages from the SDX script that runs in IDP. See Enabling SDX Actions from IDP Manager. It posts messages to a specified URL. The default URL is http(s)://<hostname>:<port>/idpPortal/Record.

The following example shows the type of information that IDP sends to the record servlet. The parameter name in the message appears to the left of the equals sign and the value to the right.

fixed.timeGeneratedGMT=2005/01/20 17:41:33

fixed.timeReceivedGMT=2005/01/20 17:41:44

fixed.deviceAddress=10.227.6.116

fixed.devinVIN=A97B-3867-3062-D6E6

fixed.sourceAddress=10.227.6.238

fixed.sourcePort=35170

fixed.destinationAddress=10.227.6.252

fixed.destinationPort=8

fixed.inboundInterface=eth0

fixed.outboundInterface=

fixed.virtualDevice=s0

fixed.attack=ICMP:EXPLOIT:FLOOD

fixed.policy=FirstPolicy

fixed.policyVersion=6

fixed.rulebase=IDS

fixed.ruleNumber=10

fixed.miscellaneous=repeated 3 times

fixed.bytes=0

fixed.packets=0

fixed.elapsed=0

fixed.protocol=ICMP

fixed.category=ATTACK

fixed.subCategory=ICMP_FLOOD

fixed.action=NONE

fixed.severity=MEDIUM

fixed.isAlert=no

The record servlet maps addresses to messages for the types of incidents to be recorded to:

• fixed.sourceAddress—Source IP address
• fixed.destinationAddress—Destination IP address

If the servlet receives more than one record for the same source and destination address at the same time (fixed.timeGeneratedGMT) with the same ID (fixed.attack), the servlet stores the record once and increases the value of a counter by one for each subsequent occurrence.

Configuration Tasks to Deploy the Sample IDP Captive Portal

The tasks to deploy the sample IDP captive portal are:

1. Configuring Properties for the Sample IDP Captive Portal
2. Deploying the Updated WAR File
3. Accessing the IDP Captive Portal
4. Configuring the Redirect Server to Redirect Traffic to the IDP Captive Portal

Configuring Properties for the Sample IDP Captive Portal

The sample IDP captive portal provided with the SDX software is designed to be used with the IDP integration implementation and the sample data. To use the sample IDP captive portal, edit the WEB-INF/portal.props. The /opt/UMC/idp/idpPortal.war file contains the WEB-INF/portal.props file.

To edit the WEB-INF/portal.props file:

1. Copy the idpPortal.war file to a temporary folder, and work in that folder.
2. Extract the WEB-INF/portal.props file from the idpPortal.war file.

jar xvf idpPortal.war WEB-INF/portal.props

3. With a text editor, edit the WEB-INF/portal.props file:

• Review the basic portal properties listed in Basic Portal Properties, and update fields as needed.
• Review the entries for the SAE locator listed in Locator Properties, and change as needed to accommodate your SDX configuration.
• Configure properties in the network information collector (NIC) proxy configuration section of the file. For information about the values to configure for NIC properties, see SDX Components Guide, Vol. 2, Chapter 13, Configuring Applications to Communicate with an SAE.

4. Replace the WEB-INF/portal.props file and any other updated files in the idpPortal.war file.

jar uvf idpPortal.war WEB-INF/portal.props

Basic Portal Properties

The following list describes properties to specify how the portal uses records received from IDP.

Attack.Record.number

• Maximum number of incident records to be stored for use by the IDP captive portal.
• Value—Integer in the range 1-2147483648
• Default—100

Attack.Record.removeStep

• Number of records to be deleted when the number of records stored reaches the limit specified by the Attack.Record.number property. The records are sequentially removed, starting with the oldest record, then the next oldest, and so forth.
• Value—<number>
• Guidelines—This number must be less than the value configured for Attack.Record.number.
• Default—10

DateTime.Format

• Format in which to display the date and time of an incident.
• Value—yyyy/MM/dd hh:mm:ss, where yyyy represents the year, MM the month, dd the day, hh the hour, mm the minute, and ss the second
• Guidelines—For more information about this property, including its value see

http://java.sun.com/j2se/1.4.2/docs/api/java/text/SimpleDateFormat.html

• Default—No value

<incident-name>

• Name of a parameter that indicates the type of security incident encountered, and provides a description of the parameter.
• Value—<parameter>=<description>
• Guidelines—Enter the parameter and description in the section "Attack Name and the corresponding description."

For information about security parameters, see the IDP documentation at

http://www.juniper.net/techpubs/software/management/idp/

• Default—No value
• Example

ICMP.EXPLOIT.FLOOD = Network traffic that is flooded by ICMP Echo Request Packet

TROJAN.AUTOPROXY.INFECTED-HOST = AutoProxy trojan attempts to contact a master server and register the IP address and open ports of the infected host

Attack.Captive.service

• Name of the service for the IDP captive portal. The IDP management server activates this service for subscribers who receive or send malicious traffic. If you use a "remind me later" control on the Web page and the subscriber selects this control, the portal deactivates this service and schedules service activation for a later time. If you use a "don't show this page again" control and the subscriber selects this control, the portal deactivates this service.
• Value—<service name>
• Default—Quarantine

Attack.showRemindLater

• Specifies whether the IDP captive portal page provides the Remind me again in field. This field lets subscribers specify a time at which the portal reminds them of the security incident.
• Value—true or false
• Default—true

Attack.showIgnore

• Specifies whether the IDP captive portal page provides the Don't show this page again field. The field lets subscribers stop display of the captive portal page for incidents that have already been detected. The portal displays another page when another incident occurs.
• Value—true or false
• Default—true

Locator Properties

The following list describes locator properties that you change to conform to your configuration. Other configuration properties in the portal.props file are specific to NIC proxy configuration. For information about NIC proxy configuration, see SDX Components Guide, Vol. 2, Chapter 13, Configuring Applications to Communicate with an SAE.

Factory.locator

• Method that the portal uses to locate the SAE.
• Value

• net.juniper.smgt.ssp.LocalFeatureLocator—Uses the locally configured object reference
• net.juniper.smgt.ssp.DistributedFeatureLocator—Uses NIC configuration

• Guidelines—If you specify net.juniper.smgt.ssp.LocalFeatureLocator, configure a value for LocalFeatureLocator.objectRef.

LocalFeatureLocator.objectRef

• Location of the SAE server.
• Value—Location in one of the following formats:

• Absolute path to the interoperable object reference (IOR) file in the form file://<absolutePath>
• Corbaloc URL in the format corbaloc::<host>:<port>/SAE

• <host>—IP address or host on which the SAE is installed.
• <port>—Port used by the SAE on the specified host. The default is 8801.

• The actual IOR in the form IOR:<objectReference>

• Default—No value
• Examples

• Absolute path—file:///opt/UMC/sae/var/run/sae.ior
• corbaloc URL—corbaloc::10.10.6.171:8801/SAE
• Actual IOR—

IOR:000000000000002438444C3A736D67742E6A756E697...

DistributedFeatureLocator.locName

• Namespace for the NIC proxy configuration.
• Value—<namespace>
• Default—/, which indicates the root namespace
• Example—DistributedFeatureLocator.locName = /nicProxy indicates that the NIC proxy configuration is in /nicProxy.

Config.java.naming.provider.url

• Location of the LDAP server.
• Value—ldap://<IP address>:<port number>
• Default—No value
• Example—ldap://127.0.0.1:389

Config.net.juniper.smgt.des.backup_provider_urls

• Location of a backup LDAP server.
• Value—ldap://<IP address>:<port number>, with more than one URL separated by commas
• Default—No value

Deploying the Updated WAR File

To deploy the updated idpPortal.war file:

• Copy the file to the deployment directory for your Web server.

If you are using JBoss, copy the file to the /opt/UMC/jboss/server/default/deploy directory. JBoss automatically starts the Web application when a new WAR file is copied into the deploy directory.

Accessing the IDP Captive Portal

Access the portal to ensure that you can view the page and to review the page setup. To access the IDP captive portal:

• Enter a URL in the following form in your Web browser, and press Enter.

http(s)://<host>:<port>/idpPortal

Configuring the Redirect Server to Redirect Traffic to the IDP Captive Portal

To configure the SDX redirect server to redirect Web requests to the IDP captive portal:

1. Follow the instructions for configuring the redirect server in SDX Components Guide, Vol. 2, Chapter 1, Overview of the Residential Portal.
2. In the /opt/UMC/redir/etc/redir.properties file, specify the URL of the IDP captive portal for the redir.url property. This entry has the form

redir.url=http(s)://<host>:<port>/idpPortal/PortalDisplay.jsp

Applying SDX Services to Subscribers Associated with Problem Traffic

You can configure services to control subscriber traffic, such as limiting bandwidth available to a subscriber, in response to detection of malicious traffic sent or received by a subscriber. The following example describes how to configure policies to decrease the amount of bandwidth available to the subscriber and to redirect subscriber Web requests to an IDP captive portal as implemented in the sample data. You can also create separate services or a service for only one of these actions.

To limit bandwidth and redirect subscriber Web requests to a captive portal:

1. In Policy Editor, create a policy that defines an action to be taken, such as a policy that limits a subscriber's bandwidth and redirects Web requests to a captive portal.

For a sample policy group, see policyGroupName=Quarantine, ou=idp, o=Policies, o=UMC in the sample data.

2. (Optional) In SDX Admin, create a scope for the value-added services that define actions to be taken in response to IDP rules configured in IDP.
3. If you created a scope in Step 2:

1. In that scope, create a value-added service that defines actions to be taken in response to IDP rules. Then set the type to normal, and specify the policy group configured in Step 1.

For a sample service, see serviceName=Quarantine, l=IDP-Subscriber, o=Scopes, o=umc in the sample data.

1. Assign the scope to a subscriber folder to make the service available to subscribers.

4. Create service subscriptions for subscribers. In the sample data, we create a subscription at the folder level to allow all subscribers in the folder to inherit the subscription.

For a sample implementation, see serviceName=Quarantine, ou=subscribers, retailerName=SP-IDP, o=Users, o=umc in the sample data.

Sending E-Mail to Subscribers

You can also manage subscribers who have sent or received problem traffic by sending them an e-mail message that gives them information about the problem detected. The SDX application library provides a demonstration application, named IDP E-Mailer, that uses the gateway extension feature for Dynamic Service Activator to send e-mail notifications to subscribers. For information about developing gateway clients that use the gateway extension, see Chapter 2, Activating Services Through SOAP.

The SDX software lets you map an IP address, which IDP identifies to be associated with problem traffic, to a subscriber so that a message can be sent to the subscriber. In the sample application, you specify a domain to append to subscriber names to formulate an e-mail address. In a production implementation, you could integrate information from a customer database to gain access to actual e-mail addresses. You can use the sample IDP E-Mailer as a basis for an application specific to your environment.

The idpemail.war file comprises the files for the IDP E-Mailer servlet. You can locate this file on the SDX application library CD in the /webapp directory. You can deploy the file as it is as a demonstration application, or you can customize the files in the WAR file. The SDX application library supplies complete source code for the IDP E-Mailer servlet in the WEB-INF/src directory in the idpemail.war file.

Overview of IDP E-Mailer

When an incident activates the IDP E-Mailer application for a subscriber, the following arguments are provided to the application in the following order:

1. Source of the incident
2. Destination of the incident
3. Description of the incident

The application uses this information when it creates the e-mail message.

The demonstration IDP E-Mailer application is a servlet that maps a subscriber's IP address (for addresses identified as the source or destination of detrimental traffic) to an e-mail address and then sends e-mail to the designated subscriber in the following manner:

1. Uses NIC to locate the SAE that manages the specified IP address.
2. Uses the SAE CORBA remote API to obtain the subscriber session for the IP address.
3. If the subscriber session is active, obtains the login name associated with the subscriber session.
4. Creates the e-mail address by appending a domain name that is specified in the IDP E-Mailer configuration to the subscriber login name. For example, for a domain specified as mycompany.com, and a subscriber login of ChrisB, the e-mail address would be ChrisB@mycompany.com.
5. Creates a message that includes the text received from IDP that specifies the IP address of the source of the detrimental traffic received, or the destination of the detrimental traffic being sent, and a description of the incident.
6. Sends the message.

The configuration for IDP E-Mailer specifies:

• Text to appear on the subject line of the e-mail
• Introductory text to appear in the body of an e-mail message for detrimental traffic sent by the subscriber
• Introductory text to appear in the body of an e-mail message for detrimental traffic sent to the subscriber

Configuring Deployment Properties for IDP E-Mailer

The configuration for the application specifies that the directory server resides on the local system. If the directory server resides on another system, edit the WEB-INF/bootstrap.properties file.

To customize files and properties for the IDP E-Mailer application:

1. Copy the idpemail.war file to a temporary folder, and work in that folder.
2. Extract the bootstrap properties file from the idpemail.war file.

jar xvf idpemail.war WEB-INF/bootstrap.properties

3. (Optional) With a text editor, edit the WEB-INF/bootstrap.properties file.

The file provides the default local directory location. To change the location of the directory server, edit the Config.java.naming.provider.url property.

4. Replace the WEB-INF/bootstrap.properties file and any other updated files in the idpemail.war file. To replace the WEB-INF/bootstrap.properties file, enter:

jar uvf idpemail.war WEB-INF/bootstrap.properties

Configuring Application Properties for IDP E-Mailer

You configure the IDP E-Mailer application as you would other gateway applications, including configuration for Dynamic Service Activator and logging. For information about configuring a gateway client, see Chapter 2, Activating Services Through SOAP.

The idpEmailer.xml file provides the configuration properties for the IDP E-Mailer application. You can use the template file idpEmailer.conf to create other configuration files for IDP E-Mailer.

Configuring General Properties

The general properties for IDP E-Mailer specify the configuration namespaces used by parts of the application.

To configure general properties for IDP E-Mailer:

1. In SDX Configuration Editor, open the IdpEmailer.xml file, and click the IDP E-Mailer tab.

The IDP E-Mailer pane appears.

2. Use the following field descriptions to complete the properties.

Logging Subsystem Configuration Namespace

• Namespace that defines the properties for the logging operations.
• Value—Path, relative to the static configuration DN, that defines the object for the namespace
• Default—/WebApplication
• Property name—loggingNamespace

NIC Proxy Configuration Namespace for IP Subscriber

• Namespace that defines the properties for the NIC proxy operations.
• Value—Path, relative to the static configuration DN, that defines the object for the namespace
• Default—/WebApplication/IdpEmailer/nicProxyIp
• Property name—nicProxyIpNamespace

E-Mail Configuration Namespace for IDP E-Mailer

• Namespace that defines the properties for the IDP E-Mailer operations.
• Value—Path, relative to the static configuration DN, that defines the object for the namespace
• Default—/WebApplication/IdpEmailer/email
• Property name—emailNamespace

Configuring a NIC Proxy

To configure a NIC proxy for IDP E-Mailer:

1. In SDX Configuration Editor, open the IdpEmailer.xml file, and click the NIC Proxy Configurations tab.

The NIC Proxy Configurations pane appears.

2. Configure the NIC proxy for IDP E-Mailer as you would any NIC proxy. For the demonstration application set the following values:

• Key Type—Subscriber's IP address
• Value Type—SAE server ID

For information about configuring NIC proxies, see SDX Components Guide, Vol. 2, Chapter 13, Configuring Applications to Communicate with an SAE.

Configuring Logging

To configure logging for IDP E-Mailer, see SDX Components Guide, Vol. 1, Chapter 10, Configuring Logging for SDX Components.

Configuring E-Mail Properties

Configure retailer-specific properties for sending e-mail in the E-Mail Configurations pane.

To configure e-mail properties for IDP E-Mailer:

1. In SDX Configuration Editor, open the IdpEmailer.xml file, and click the E-Mail Configurations tab.

The E-Mail Configurations pane appears.

2. Use the following field descriptions to complete the properties.

E-Mail Host

• Hostname or IP address of the Simple Mail Transport Protocol (SMTP) server to be used to send e-mail messages to subscribers in response to detection of malicious traffic sent or received by subscribers.
• Value—<hostname> or <IP address>
• Default—No value
• Property name—EmailHostName

E-Mail Domain

• Domain name to be added to a subscriber's login name to form the subscriber's e-mail address.
• Value—<domain name>
• Guidelines—This implementation of IDP E-Mailer identifies a single domain name for all subscribers who are notified by e-mail of incidents.
• Default—No value
• Property name—EmailDomainName

E-Mail Sender Address

• E-mail address from which e-mail messages are sent. These messages provide information about incidents that IDP detected.
• Value—<e-mail address>
• Default—No value
• Property name—EmailSenderName

E-Mail Subject

• Text to appear in the Subject line of each message sent in response to an incident detected by IDP for which e-mail is to be sent.
• Value—Text
• Default—No value
• Property name—EmailSubject

Introductory Text for Intrusive Traffic Received

• Introductory text to appear in the message body for detrimental traffic received by the subscriber. Text received from IDP that describes the incident appears after this introductory text.
• Value—Text
• Default—No value
• Property name—EmailSourceOfIntrusion

Introductory Text for Intrusive Traffic Sent

• Introductory text to appear in the message body for detrimental traffic sent by the subscriber. Text received from IDP that describes the incident appears after this introductory text.
• Value—Text
• Default—No value
• Property name—EmailDestinationOfIntrusion

Deploying IDP E-Mailer

To deploy the updated idpemail.war file:

• Copy the file to the deployment directory for your Web server.

If you are using JBoss, copy the file to the /opt/UMC/jboss/ server/default/deploy directory. JBoss automatically starts the Web application when a new WAR file is copied into the deploy directory.