Deploying IDP Series with an IC Series Device to Implement User-Role-Based Security Policies

The IDP Series user role-based policy feature depends on integration with the Juniper Networks IC Series Unified Access Control (UAC) appliance. The following sections provide an overview of the deployment requirements:

Purpose

The user role-based policy feature enables you to specify user roles as match criteria in IDP rulebase and application policy enforcement (APE) rulebase rules. Matching on user role rather than IP address both simplifies your rules and makes them more precise. In many networks, IP addresses are assigned dynamically, so to protect your network you would have to cast a wide net for traffic sources: in most cases, you would specify a subnet mask or specify Any as the source (in the latter case, you are not really matching on source at all). For the purpose of intrusion detection and prevention, a wide net is not necessarily a bad thing: you do want to inspect any session that could potentially contain an attack. Role-based rules with a terminal match, however, improve performance, because the match is against a specific source and a terminal match ends rulebase processing. In addition, you are likely to find that user role-based logs are easier to analyze because they provide visibility into the user role associated with an attack event or application usage.

UAC integration with IDP Series devices also improves the end user's experience when authenticating to your network. In a UAC deployment, you use the Host Checker feature to quarantine users with vulnerable hosts. Instead of using a firewall to shut down access to network resources, you can use IDP security policies to permit access and inspect the traffic to guard against threats.

In the APE rulebase, role-based rules are indispensable to supporting the business cases that demand a nuanced approach to application policy enforcement. They enable you to enforce business policies such as “Contractors, Part-Time, and Temporary employees may not use peer-to-peer filesharing applications; full-time employees may use them, but only with a limited pool of bandwidth.”

Topology

In a user-role-based policy deployment, the Juniper Networks devices communicate using Transport Layer Security (TLS).

Figure 26 shows an IDP Series deployment with an IC Series UAC device.

Figure 26: Coordinated Threat Control Deployment Diagram: IC Series Deployment


Understanding Communication Between IC Series and IDP Series Devices

When an endpoint client authenticates to the network through the IC Series device, the IC Series device assigns a role to the authenticated user and sends session information to the IDP Series device. Session information includes IP address, username, and the roles to which the user is assigned.

When you configure communication between IC Series and IDP Series devices, the IC Series device sends its session table to the IDP Series device. Figure 27 illustrates the communication between IDP Series and IC Series devices.

Figure 27: Communication Among User-Role-Based Policy Deployment Components


If the user IP address changes, user role changes, or the session is deleted, the IC Series device sends updates to the IDP Series session table.

Assuming you have also configured communication between the IC Series device and NSM, the IC Series device sends user role information to NSM over its connection to NSM. You use NSM to configure policy rules that match user roles and then push the policy from NSM to the IDP Series device.

When user traffic traverses the IDP Series device, the IDP system inspects the session for a rule match. If the security policy contains user-role-based rules, the IDP system looks up the session's IP address in the session table to find the roles assigned to that user. If the IP address is associated with a role, the IDP system uses the role together with the other match criteria to attempt to match the user-role-based rules. If no user-role-based rule matches, the IDP system attempts to match the IP address-based rules.
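The lookup order described above, together with the session-table updates (IP change, role change, session delete) from the preceding section, as an added Python sketch that is not Juniper code: the table is keyed by username so an update replaces the stale entry, role-based rules are walked first, IP-address-based rules only if none hit, and a terminal match ends the walk. Rule names, roles and addresses are constructed, and service and application match criteria are left out.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    roles: frozenset = frozenset()      # empty: IP-address-based rule
    src: str = "0.0.0.0/0"              # default: source "Any"
    terminal: bool = False              # stop rulebase processing on match

    def matches(self, ip, roles):
        if self.roles and not (self.roles & roles):
            return False                # role-based rule, no role in common
        return ip in ipaddress.ip_network(self.src)

class SessionTable:
    """Copy of the IC Series session table as held on the IDP Series device."""
    def __init__(self):
        self._sessions = {}             # user -> (ip, roles)

    def update(self, user, ip, roles):  # new session, IP change or role change
        self._sessions[user] = (ipaddress.ip_address(ip), frozenset(roles))

    def delete(self, user):             # session deleted on the IC Series side
        self._sessions.pop(user, None)

    def roles_for(self, ip):
        for sess_ip, roles in self._sessions.values():
            if sess_ip == ip:
                return roles
        return frozenset()              # unknown source: no role can match

def _walk(rules, ip, roles):
    hits = []
    for rule in rules:
        if rule.matches(ip, roles):
            hits.append(rule.name)
            if rule.terminal:
                break                   # terminal match ends the walk
    return hits

def evaluate(rules, table, src_ip):
    # Role-based rules first; IP-based rules only if no role-based rule hit.
    ip = ipaddress.ip_address(src_ip)
    roles = table.roles_for(ip)
    hits = _walk([r for r in rules if r.roles], ip, roles) if roles else []
    if not hits:
        hits = _walk([r for r in rules if not r.roles], ip, roles)
    return hits
```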

If you have enabled logging, the IDP Series device sends logs to both the IC Series device and NSM.

Configuration Overview

From the IDP Series side, you use the Appliance Configuration Manager (ACM) to generate a one-time password the IC Series device will use to connect to the IDP Series device. Figure 28 shows the ACM page used to generate a password.

Figure 28: ACM: Generating a One-Time Password for the Connection from an IC Series Device


From the IC Series side, you configure the connection to the IDP Series device, specifying the IP address, port 7103, and the one-time password. Figure 29 shows the IC Series Admin Console Sensor Configuration page.

Figure 29: IC Series Admin Console: Configuring the Connection to the IDP Series Appliance


Related Documentation

The following related topics are included in the IDP Series Concepts and Examples Guide:

The following related topics are included in the IDP Series Administration Guide: