ICS Admission Control Using IPS
The admission control feature is extended to ICS sessions using the IF-MAP server. When a firewall or SIEM detects a compromised remote device, it sends a threat alert to IPS. IPS then instructs ICS to act (for example, terminate the session, change roles, or disable the user account) based on the configured admission control policies.
This section explains how IPS receives alerts concerning remote users and instructs ICS (the remote IF-MAP client) to take an action based on the configured admission control policies. The feature is supported for admission control clients that alert IPS with the VPN Tunneling IP address of the endpoint. The VPN Tunneling IP address of the user is mandatory in the received alert/message, because it is the only key used to identify the user session.
The following actions can be performed on ICS sessions based on the configured policies:
- Ignore (log only): The received event details are logged and no other action is taken.
- Terminate the session: The user session on ICS is terminated for the received message.
- Disable the user account: The user account on ICS is disabled for the received message.
- Change user roles: The roles assigned to the user on ICS are changed so that the user's restrictions or privileges change accordingly.
The end-user flow is as follows:
- A remote user logs in and the user session is created on ICS.
- The user session is exported to the IF-MAP server (IPS) as a federation-wide session.
- The user accesses resources and performs a restricted action, for example accessing a restricted site. The firewall detects this as a threat, generates a corresponding event, and sends it to IPS.
- IPS looks for a matching local session and, if one is available, applies the action defined by the configured policy.
- If no local session is available and Enable Admission Control on Federation-Wide Sessions is enabled, the policy is applied to the federation-wide session instead.
- The ICS IF-MAP client takes the action on its local session based on the configured policy.
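The decision flow above (mandatory tunneling IP, local session first, federation-wide fallback only when enabled, then the policy action) as an added illustrative model in Python. This is not Ivanti's code or the IF-MAP protocol; the alert shape, session fields, severity names and policy keys are assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Action(Enum):
    IGNORE = "ignore"              # log only
    TERMINATE = "terminate"        # end the user session on ICS
    DISABLE_USER = "disable"       # disable the user account on ICS
    CHANGE_ROLES = "change_roles"  # replace the user's roles on ICS

@dataclass
class Session:
    user: str
    tunnel_ip: str                 # VPN tunneling IP assigned by ICS
    roles: list
    federation_wide: bool = False  # True if exported to IF-MAP by a remote ICS

@dataclass
class Policy:
    action: Action
    new_roles: list = field(default_factory=list)  # used by CHANGE_ROLES only

def apply_admission_control(alert, sessions, policies, fed_wide_enabled):
    """Return (outcome, user, detail) for one alert shaped {"tunnel_ip", "severity"} (assumed shape)."""
    ip = alert.get("tunnel_ip")
    if not ip:  # the tunneling IP is mandatory to identify the session
        return ("rejected", None, "alert has no VPN tunneling IP")
    policy = policies.get(alert.get("severity"))
    if policy is None or policy.action is Action.IGNORE:
        return ("logged", None, "no action configured for this severity")
    # Prefer a local session; fall back to a federation-wide one only when enabled
    target = next((s for s in sessions if s.tunnel_ip == ip and not s.federation_wide), None)
    if target is None and fed_wide_enabled:
        target = next((s for s in sessions if s.tunnel_ip == ip and s.federation_wide), None)
    if target is None:
        return ("no_session", None, "no session matches the tunneling IP")
    if policy.action is Action.CHANGE_ROLES:
        target.roles = list(policy.new_roles)
    return (policy.action.value, target.user, "action dispatched to ICS IF-MAP client")

# Constructed sample data, not from a real deployment
SESSIONS = [Session("alice", "10.200.0.5", ["Employee"]),
            Session("bob", "10.200.0.9", ["Contractor"], federation_wide=True)]
POLICIES = {"low": Policy(Action.IGNORE),
            "medium": Policy(Action.CHANGE_ROLES, ["Quarantine"]),
            "high": Policy(Action.TERMINATE),
            "critical": Policy(Action.DISABLE_USER)}
```

Calling apply_admission_control with an alert for bob and fed_wide_enabled=False returns "no_session", which is the behaviour to expect when the federation-wide setting is left off.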
Configuring ICS Admission Control
- The administrator configures the required admission control clients (such as firewalls, SIEMs, or EPP products) on the IPS Admin UI so that IPS can receive alert/threat information.
- Select Endpoint Policy > Admission Control > Configure > Clients > New Client.
- Enable Admission Control on Federation-Wide Sessions.
- The administrator configures a set of policies that define which actions are taken on user sessions, based on the data in the threat events.
- On both the IPS Admin UI and the ICS Admin UI, the administrator enables the IF-MAP server under System > IF-MAP > Overview.
- On the ICS Admin UI, the administrator enables the IF-MAP client under System > IF-MAP > Overview and adds the IF-MAP server URL. Once configured, ICS (the IF-MAP client) connects to the IF-MAP server (IPS).
Build 9.1R12 or later is required on both the Federation client and the Federation server to use this feature.
Admission Control is supported with the following vendors: