    Configuring Sensors (NSM Procedure)

    The IDP sensor is a powerful tool to counter users who initiate attacks. Integration with the Secure Access device allows you to configure automatic responses as well as manually monitor and manage users.

    To configure IDP sensors:

    1. In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure sensors.
    2. Click the Configuration tab, and select System > Configuration > Sensors. The corresponding workspace appears.
    3. Add or modify settings as specified in Table 1.
    4. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modification.

    Table 1: Configuring IDP Sensor Details

    Option | Function | Your Action
    Sensors tab

    Name

    Specifies the name that the Secure Access device uses to identify the new connection entry.

    Enter the name.

    Hostname

    Specifies the hostname or IP address of the IDP sensor to which the Secure Access device connects to receive application and resource attack alert messages.

    Enter the hostname or IP address.

    TCP Port

    Specifies the TCP port on the IDP sensor to which the Secure Access device listens when receiving application and resource attack alert messages.

    Enter the port.

    One Time Password

    Specifies the encrypted password the Secure Access device uses when conducting the initial Transport Layer Security (TLS) handshake with the IDP sensor.

    Enter the encrypted Secure Access device OTP password as displayed on the IDP ACM configuration summary screen.

    Addresses to monitor > New Addresses to monitor

    Allows you to specify individual IP addresses and address ranges the IDP sensor monitors for potential attacks, one entry per line. IDP reports attack information only for the IP addresses that you specify.

    Enter the IP addresses.

    Severity Filter

    Specifies the severity level from 1 to 5, where 1 is informational and 5 is critical.

    Select one of the options available from the drop-down list.

    Enable/Disable Sensor

    Enables or disables the specified IDP sensor entries.

    Select the Enable/Disable Sensor check box to enable this feature.

    Sensor Event Policies tab

    Name

    Specifies the rule name of the action(s) the Secure Access device takes when it receives attack alert messages from an IDP sensor.

    Enter the rule name.

    Event

    Allows you to specify an event.

    Select an event from the drop-down list.

    Event Count

    Determines the number of times an event must occur before action is taken.

    Enter a number between 1 and 256 to determine the number of times an event must occur before action is taken.

    Action to be taken

    Allows you to specify the action(s) the Secure Access device takes when it receives attack alert messages from an IDP sensor.

    Select one of the following options from the drop-down list:

    • Ignore (just log the event)—Secure Access device logs the event, and takes no further action against the user profile to which this rule applies.
    • Terminate user session—Secure Access device immediately terminates the user session and requires the user to sign in to the Secure Access device again.
    • Disable user account—Secure Access device disables the user profile associated with this attack alert message, thus rendering the client unable to sign in to the Secure Access device until the administrator reenables the user account. (This option is only applicable for users who have a local Secure Access device user account.)
    • Replace user role—Specifies that the role applied to this user’s profile should change to the role you select from the associated drop-down list. This new role remains assigned to the user profile until the session terminates.

    Replace user role with this role

    Allows you to change the user role applied to this user’s profile with this role.

    Note: This option is enabled only when you select Replace user role from the Action to be taken drop-down list.

    Select a role from the drop-down list.

    Replace user role..

    Allows you to make this role assignment.

    Note: This option is enabled only when you select Replace user role from the Action to be taken drop-down list.

    Select one of the following options from the drop-down list:

    • Permanent—User remains in the quarantined state across subsequent logins until the administrator releases the user from the quarantined state.
    • For this session only—Default. User can log in to another session.

    Applies to Roles

    Allows you to apply this policy to all users, only to users who are mapped to the selected roles, or only to users who are not mapped to the selected roles.

    Select one of the following options from the drop-down list:

    • All—Applies this policy to all users.
    • Selected—Applies this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
    • Except those selected—Applies this policy to all users except for those who are mapped to the roles in the members list. Make sure to add roles to this list from the Available roles list.

    Role Selection

    Allows you to select and map roles to users.

    Select a role and click Add.

    Sensor Events tab

    Name

    Specify a name for the event.

    Enter the name.

    Expressions

    Specifies the expressions.

    Enter the expressions or select one or more clauses from the expressions dictionary and click insert expression.

    For example, to check for all critical/highest severity level attacks, enter the following expression: idp.severity >= 4
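
The settings in Table 1 can be modelled offline to see which users a planned policy would act on before it is saved. The following is an added example, not Juniper code and not part of the original page. The alert tuple layout, CIDR notation for address ranges, treating Severity Filter as a minimum, and counting occurrences per user are assumptions.

```python
import ipaddress
import re
from collections import Counter

ACTIONS = {"Ignore (just log the event)", "Terminate user session",
           "Disable user account", "Replace user role"}
# Only the expression form shown on the page is parsed: idp.severity >= N
EXPR = re.compile(r"^\s*idp\.severity\s*>=\s*([1-5])\s*$")

def evaluate(policy, alerts):
    """Return {user: action} for users whose matching alerts reach Event Count."""
    m = EXPR.match(policy["expression"])
    if not m:
        raise ValueError("unsupported expression: %r" % policy["expression"])
    if not 1 <= policy["event_count"] <= 256:
        raise ValueError("Event Count must be between 1 and 256")
    if not 1 <= policy["severity_filter"] <= 5:
        raise ValueError("Severity Filter must be between 1 and 5")
    if policy["action"] not in ACTIONS:
        raise ValueError("unknown action: %r" % policy["action"])
    threshold = int(m.group(1))
    # Assumption: one entry per line, ranges written in CIDR notation.
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in policy["monitor"].splitlines() if s.strip()]
    hits, fired = Counter(), {}
    for user, addr, severity in alerts:
        ip = ipaddress.ip_address(addr)
        if not any(ip in n for n in nets):
            continue  # unmonitored address: the sensor never reports it
        if severity < policy["severity_filter"] or severity < threshold:
            continue  # below the sensor filter or the event expression
        hits[user] += 1  # assumption: occurrences are counted per user
        if hits[user] >= policy["event_count"]:
            fired.setdefault(user, policy["action"])
    return fired

# Constructed sample policy and alerts: (user, session address, severity).
POLICY = {"monitor": "10.10.0.0/24\n192.0.2.15", "severity_filter": 3,
          "expression": "idp.severity >= 4", "event_count": 2,
          "action": "Terminate user session"}
ALERTS = [("alice", "10.10.0.7", 5), ("bob", "10.10.0.9", 4),
          ("alice", "10.10.0.7", 3),    # passes the filter, fails the expression
          ("carol", "172.16.1.4", 5), ("carol", "172.16.1.4", 5),  # not monitored
          ("alice", "10.10.0.7", 4),    # alice's second matching event
          ("dave", "192.0.2.15", 5)]

if __name__ == "__main__":
    print(evaluate(POLICY, ALERTS))
```

With an Event Count of 2 only one user in the sample reaches the threshold; lowering it to 1 makes every monitored user with a single matching alert subject to the action.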

    Published: 2013-01-03