You can configure the SRC software to redirect subscriber Web requests to an IDP captive portal page in response to IDP security rules that detect problem traffic sent by or received by a subscriber. A captive portal is simply a Web page that receives redirected HTTP requests. The SRC application library provides a sample IDP captive portal that is a Java 2 Platform, Enterprise Edition (J2EE) Web application. We provide the application for demonstration purposes. You use an SRC service to redirect Web requests to a captive portal.
You can use the sample IDP captive portal as a basis for a captive portal for your environment, or you can develop a different captive portal based on the sample.
The sample IDP captive portal:
The following page shows a sample IDP captive portal page that identifies incoming as well as outgoing traffic problems that IDP detected. The help buttons provide information about what the subscriber can do in response to the problem. For example, for incoming traffic the help could recommend that the subscriber use firewall software.

This feature is useful for a subscriber who is addressing a detected problem and who does not want to be redirected to the IDP captive portal page again while addressing the issue. It is not intended that the subscriber simply ignore the problem.
If a new problem occurs, the portal displays a new page.
The sample IDP captive portal takes the following actions in response to incidents detected by IDP:
The record servlet receives messages from the idpsdx.py script that runs in IDP. The script posts messages to a specified URL. The default URL is http(s)://<hostname>:<port>/idpPortal/Record.
The following example shows the type of information that IDP sends to the record servlet. The parameter name in the message appears to the left of the equals sign and the value to the right.
- fixed.timeGeneratedGMT=2005/01/20 17:41:33
- fixed.timeReceivedGMT=2005/01/20 17:41:44
- fixed.deviceAddress=10.227.6.116
- fixed.devinVIN=A97B-3867-3062-D6E6
- fixed.sourceAddress=10.227.6.238
- fixed.sourcePort=35170
- fixed.destinationAddress=10.227.6.252
- fixed.destinationPort=8
- fixed.inboundInterface=eth0
- fixed.outboundInterface=
- fixed.virtualDevice=s0
- fixed.attack=ICMP:EXPLOIT:FLOOD
- fixed.policy=FirstPolicy
- fixed.policyVersion=6
- fixed.rulebase=IDS
- fixed.ruleNumber=10
- fixed.miscellaneous=repeated 3 times
- fixed.bytes=0
- fixed.packets=0
- fixed.elapsed=0
- fixed.protocol=ICMP
- fixed.category=ATTACK
- fixed.subCategory=ICMP_FLOOD
- fixed.action=NONE
- fixed.severity=MEDIUM
- fixed.isAlert=no
The record servlet maps addresses to messages for the types of incidents to be recorded to:
If the servlet receives more than one record for the same source and destination address at the same time (fixed.timeGeneratedGMT) with the same ID (fixed.attack), the servlet stores the record once and increases the value of a counter by one for each subsequent occurrence.
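The storage rule described above, modeled in Python as an added example; it is not the sample portal's code, which is a J2EE application. It assumes the parameters arrive form-encoded in the POST body, that the counter starts at 0, and that addresses are validated before use; the `IncidentStore` class and its method are hypothetical names.

```python
import ipaddress
from urllib.parse import parse_qsl

# Fields that identify one incident, per the rule above.
KEY_FIELDS = (
    "fixed.sourceAddress",
    "fixed.destinationAddress",
    "fixed.timeGeneratedGMT",
    "fixed.attack",
)

# Constructed sample body using values from the example message above.
# Assumption: the parameters arrive form-encoded in the POST body.
SAMPLE_BODY = (
    "fixed.timeGeneratedGMT=2005%2F01%2F20+17%3A41%3A33"
    "&fixed.sourceAddress=10.227.6.238"
    "&fixed.destinationAddress=10.227.6.252"
    "&fixed.attack=ICMP%3AEXPLOIT%3AFLOOD"
    "&fixed.severity=MEDIUM"
)


class IncidentStore:
    """Hypothetical in-memory model of the record servlet's storage rule."""

    def __init__(self):
        self.records = {}  # key tuple -> {"fields": dict, "repeats": int}

    def record(self, body):
        """Store one posted message; return its repeat counter."""
        fields = dict(parse_qsl(body, keep_blank_values=True))
        missing = [name for name in KEY_FIELDS if not fields.get(name)]
        if missing:
            raise ValueError("missing key fields: " + ", ".join(missing))
        # The endpoint takes network input, so normalise and reject
        # malformed addresses before they become lookup keys.
        for name in KEY_FIELDS[:2]:
            fields[name] = str(ipaddress.ip_address(fields[name]))
        key = tuple(fields[name] for name in KEY_FIELDS)
        entry = self.records.get(key)
        if entry is None:
            # First occurrence: store the record once (counter assumed to start at 0).
            self.records[key] = entry = {"fields": fields, "repeats": 0}
        else:
            # Subsequent occurrence: keep the stored record, bump the counter.
            entry["repeats"] += 1
        return entry["repeats"]
```

A message that differs in any of the four key fields, such as a later `fixed.timeGeneratedGMT`, is stored as a separate record with its own counter.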
For information about the idpsdx.py script that runs in IDP Manager, see Enabling SRC Actions from IDP Manager.