Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    IDP Rulebase Example: User-Role-Based Policies

    Suppose your enterprise uses Juniper Networks Unified Access Control (UAC) to authenticate access to the corporate network. When you initially rolled out the solution, Host Checker quarantined and denied network access to many users with noncompliant systems, and you received a lot of negative feedback about end user inconvenience and lost productivity. You can ameliorate these concerns when you deploy the IDP Series device with user session signaling from UAC. When the IDP Series device is protecting your network, users who were formerly flagged for quarantine because Host Checker identified vulnerabilities do not need to be denied access. With role-based IDP security policies, you can adopt a remediation plan that allows access, and even if the vulnerability has been exploited, your network will be protected by the IDP role-focused security policy.

    To deploy this solution, follow these basic steps:

    1. Read the release notes for the IDP Series device and the IC Series device to verify version compatibility requirements.
    2. Deploy a UAC solution for user access to the network. For details, see the Unified Access Control Administration Guide.
    3. Use UAC to create roles you want to use in your security policy. For security rules, you want to leverage results of the Host Checker to map users with vulnerable systems to roles that identify the vulnerabilities, such as “Laptop Users,” “Unauthorized Instant Messenger Installed,” or “Windows XP Patch Required.” Figure 1 shows the IC Series Admin Console Role Mapping page.

      Figure 1: IC Series Admin Console: Configuring User Roles

      Image s036726.gif

      For details on configuring roles and role mapping, see the Unified Access Control Administration Guide or UAC online Help.

    4. Configure communication between the IC Series device and the IDP Series device so you can use the IDP user-role-based policy feature:

      • From the IDP Series side, you use the Appliance Configuration Manager (ACM) to generate a one-time password the IC Series device will use to connect to the IDP Series device. Figure 2 shows the ACM page used to generate a password for the IC Series connection.

        Figure 2: ACM: Generating a One-Time Password for the Connection from the IC Series Appliance

        Image s036694.gif
      • From the IC Series side, you configure the connection to the IDP Series device, specifying the IP address, port 7103, and the one-time password. Figure 3 shows the IC Series Admin Console Sensor Configuration page.

        Figure 3: IC Series Admin Console: Configuring the Connection to the IDP Appliance

        Image s036695.gif
      For details, see the UAC online Help.
    5. In NSM, configure IDP rulebase rules that inspect traffic from users with vulnerable systems. Push the security policy to the IDP Series device.

    Figure 4 shows a rule where the IDP Series device inspects traffic from vulnerable hosts for the relevant Recommended attack objects.

    Figure 4: IDP Rulebase: User-Role-Based Rules

    Image s036681.gif

    Published: 2011-02-08