Understanding IPS Deployments with IDP Devices

This topic provides an overview of deployments with IDP devices.

About IDP Devices

The IDP Sensor is a powerful tool to counteract users who initiate attacks. The IDP sensor monitors the network on which the IDP system is installed. The IDP sits within the network and monitors traffic from endpoints that are connected through IPS. You can position the IDP in-line, or you can configure the IDP in sniffer mode. The sensor’s primary task is to detect suspicious and anomalous network traffic based on specific rules defined in IDP rulebases.

The IDP device provides the following types of protection (some of which depend upon the specific configuration):

  • Protects against attacks from user to application.
  • Detects and blocks most network worms based on software vulnerabilities.
  • Detects and blocks non-file-based Trojan Horses.
  • Detects and blocks effects of spyware, adware, and key loggers.
  • Detects and blocks many types of malware.
  • Detects and blocks zero day attacks through the use of anomaly detection.

Coordinated Threat Control Overview

In a coordinated threat control deployment, the IDP device reports abnormal events to IPS. The attack logs sent by the IDP device include the source and destination IP addresses and port numbers of the attacking host, and the resource against which the attack was launched, along with the attack identifier, severity of the attack, and the time at which the attack was launched.

IPS displays the attack information received from the IDP sensor on the Active Users page. Based on the attacker's IP address and port number, IPS can uniquely identify the user's session.

When you learn that an attack has been launched by an active user, you can disable the user’s account, end the user’s session, or remediate to a different role. You can choose automatic or manual actions for attacks detected by the IDP sensor. For manual action, you look up the information available on the Active Users page and decide on an action. For automatic action, you configure the action in advance when you define IDP policies.

IPS displays an error message to the user whose account has been disabled indicating the reason.
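The correlation described above, as an added example that is not part of this documentation or the product's own code: it parses constructed IDP attack-log records (carrying the source and destination IP addresses and ports, attack identifier, severity and time named in this topic), looks each attacker up in an IPS session table keyed by source IP and port, and applies a pre-configured automatic action per severity. The record format, the session table, the severity ranking and the severity-to-action mapping are all assumptions made for this example.

```python
"""Correlate IDP attack events with IPS user sessions (constructed example).

The event fields follow the attack-log description on this page; the
pipe-separated record format, the session table and the action mapping
are assumptions for this example, not the product's format or API.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed attack-log records. Assumed format:
# time|src_ip|src_port|dst_ip|dst_port|attack_id|severity
ATTACK_LOG = """\
2024-03-01T10:15:02Z|10.1.1.25|51234|192.168.5.10|445|CONSTRUCTED-ATTACK-1|critical
2024-03-01T10:15:09Z|10.1.1.40|44001|192.168.5.20|80|CONSTRUCTED-ATTACK-2|low
2024-03-01T10:16:30Z|10.1.1.77|60002|192.168.5.30|22|CONSTRUCTED-ATTACK-3|major
"""

# Assumed severity ordering, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "major": 3, "critical": 4}

# Automatic actions configured in advance per severity (assumed mapping).
ACTION_BY_SEVERITY = {
    "critical": "disable-account",
    "major": "terminate-session",
    "medium": "change-role",
}

# Sessions IPS currently knows about: (endpoint IP, source port) -> user.
ACTIVE_SESSIONS = {
    ("10.1.1.25", 51234): "alice",
    ("10.1.1.77", 60002): "bob",
}


@dataclass(frozen=True)
class AttackEvent:
    time: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    attack_id: str
    severity: str


def parse_attack_log(text):
    """Parse pipe-separated attack-log lines into AttackEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, sip, sport, dip, dport, aid, sev = line.split("|")
        ts = datetime.fromisoformat(t.replace("Z", "+00:00"))
        events.append(AttackEvent(ts, sip, int(sport), dip, int(dport), aid, sev.lower()))
    return events


def correlate(events, sessions, min_severity):
    """Return one decision per event at or above min_severity.

    Events below the threshold are skipped, which is how lowering the
    severity setting reduces the log volume IPS has to process. Events
    whose source IP/port is not an IPS session are reported as unmatched:
    the attacker is not an active IPS user and no session action applies.
    """
    floor = SEVERITY_RANK[min_severity]
    decisions = []
    for ev in events:
        if SEVERITY_RANK.get(ev.severity, 0) < floor:
            continue
        user = sessions.get((ev.src_ip, ev.src_port))
        if user is None:
            action = "unmatched"
        else:
            action = ACTION_BY_SEVERITY.get(ev.severity, "log-only")
        decisions.append({
            "time": ev.time.isoformat(),
            "user": user,
            "attack_id": ev.attack_id,
            "severity": ev.severity,
            "target": f"{ev.dst_ip}:{ev.dst_port}",
            "action": action,
        })
    return decisions


if __name__ == "__main__":
    for d in correlate(parse_attack_log(ATTACK_LOG), ACTIVE_SESSIONS, "low"):
        print(d)
```

The lookup key is the pair (source IP, source port) rather than the IP alone, because that pair is what lets IPS distinguish one user's session from others behind the same address; a match on IP alone would risk acting against the wrong user.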

Deployments with IDP Series Devices

You can deploy IPS with IDP Series devices in coordinated threat control deployments and user-role-based IDP policy deployments. User-role-based IDP policy deployments require IDP Series 5.0 or later.

Using the admin console, you can configure and manage interaction attributes between IPS and an IDP Series device, including the following:

  • Global configuration parameters such as the IDP hostname or IP address, the TCP port over which the sensor communicates with IPS, and the one-time password IPS and IDP use to authenticate with one another.
  • Various levels of attack severity warnings and the action that IPS takes.
  • IP addresses to monitor.

With a large number of connected users, IDP can overwhelm IPS with more alert logs than it can process. In this situation, the number of logs sent by the IDP to IPS can be controlled by decreasing the severity level setting in the IDP connection settings.

Deployments with IDP-Enabled Infranet Enforcers

IPS also supports IDP through the Juniper Networks ISG Series Integrated Security Gateways Infranet Enforcer with the IDP Security Module (supported in ScreenOS Release 6.2 or later).

Unlike a standalone IDP, which requires manual configuration on the IDP to allow communication with IPS, the ScreenOS Enforcer or the Junos Enforcer uses its existing communication channel with IPS.

When ISG-IDP or Junos IDP are activated, ScreenOS or Junos notifies IPS when an attack event is detected from any endpoint. To avoid overwhelming the SSH connection between IPS and the Infranet Enforcer, the number of attack notifications is limited to ten per second. If additional attacks are detected, the Infranet Enforcer holds an additional ten notifications in a queue.
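The rate limit just described, as an added simulation that is not part of this documentation or the Infranet Enforcer's own code: each second at most ten notifications are forwarded and ten more are held in a queue. The page does not say what becomes of detections that arrive while the queue is already full; this simulation assumes they are dropped, so the operational point it illustrates is that under a burst the enforcer path is not a complete record and the IDP's own attack logs remain the authoritative source.

```python
"""Simulate the Infranet Enforcer's attack-notification rate limit (constructed).

Limits of ten per second and a queue of ten come from this page; the
handling of overflow (dropped) is an assumption for this example.
"""
from collections import deque

RATE_PER_SECOND = 10   # at most ten notifications sent to IPS per second
QUEUE_CAPACITY = 10    # ten further notifications held back for later seconds


def simulate(arrivals, rate=RATE_PER_SECOND, queue_cap=QUEUE_CAPACITY):
    """Run the limiter over a timeline of detections.

    arrivals: dict mapping a second (int) to the number of attack events
              detected in that second.
    Returns (forwarded, dropped): forwarded maps each second to the number
    of notifications actually sent; dropped counts detections that found
    both the per-second budget and the queue exhausted (assumed behaviour).
    """
    queue = deque()
    forwarded = {}
    dropped = 0
    last_second = max(arrivals) if arrivals else -1
    sec = 0
    # Keep running past the last arrival until the queue has drained.
    while sec <= last_second or queue:
        budget = rate
        sent = 0
        # Queued notifications from earlier seconds are sent first.
        while queue and budget:
            queue.popleft()
            budget -= 1
            sent += 1
        # New detections: send within budget, else queue, else drop.
        for n in range(arrivals.get(sec, 0)):
            if budget:
                budget -= 1
                sent += 1
            elif len(queue) < queue_cap:
                queue.append((sec, n))
            else:
                dropped += 1
        if sent:
            forwarded[sec] = sent
        sec += 1
    return forwarded, dropped


if __name__ == "__main__":
    # A burst of 35 detections in one second: 10 sent now, 10 sent next
    # second, 15 never reach IPS under the assumed overflow handling.
    print(simulate({0: 35}))
```

A burst of thirty-five events in a single second yields ten notifications in that second, ten in the next, and fifteen that IPS never sees; a gentler profile such as twelve events followed by five is delivered in full, two of them a second late.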

ISG-IDP or Junos devices attached to any node in a cluster may send messages regarding sessions attached to any node in the cluster.

With IDP deployments using the Infranet Enforcer and the IDP Security Module, the Infranet Enforcer can send messages to the debug log.

Monitoring IDP-Reported Events

After the IDP Sensor has been set up, you can specify the events you want the IDP to watch for and the actions that Ivanti Policy Secure takes once a particular event has been noted and reported.

On Ivanti Policy Secure, you can specify actions to be taken in response to users that perform attacks:

  • Users page—Manually identify and quarantine or disable users on the Active Users page, which lists users who have performed attacks.