Understanding Ivanti Policy Secure Deployments with IDP Devices
About IDP Devices
The IDP Sensor is a powerful tool to counteract users who initiate attacks. The IDP sensor monitors the network on which the IDP system is installed. The IDP sits within the network and monitors traffic from endpoints that are connected through Ivanti Policy Secure. You can position the IDP in-line, or you can configure the IDP in sniffer mode. The sensor’s primary task is to detect suspicious and anomalous network traffic based on specific rules defined in IDP rulebases.
The IDP device provides the following types of protection (some of which depend upon the specific configuration):
- Protects against attacks from user to application.
- Detects and blocks most network worms based on software vulnerabilities.
- Detects and blocks non-file-based Trojan Horses.
- Detects and blocks effects of spyware, adware, and key loggers.
- Detects and blocks many types of malware.
- Detects and blocks zero day attacks through the use of anomaly detection.
Coordinated Threat Control Overview
In a coordinated threat control deployment, the IDP device reports abnormal events to Ivanti Policy Secure. The attack logs sent by the IDP device include the source and destination IP addresses and port numbers of the attacking host and the resource against which the attack was launched, along with the attack identifier, the severity of the attack, and the time at which the attack was launched.
Ivanti Policy Secure displays the attack information received from the IDP sensor on the Active Users page. Based on the attacker's IP address and port number, Ivanti Policy Secure can uniquely identify the user's session.
When you learn that an attack has been launched by an active user, you can disable the user’s account, end the user’s session, or remediate to a different role. You can choose automatic or manual actions for attacks detected by the IDP sensor. For manual action, you look up the information available on the Active Users page and decide on an action. For automatic action, you configure the action in advance when you define IDP policies.
Ivanti Policy Secure displays an error message to the user whose account has been disabled indicating the reason.
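The correlation and response flow described above, as an added example (not Ivanti or Juniper code): constructed IDP attack records carrying the fields the page lists (attacker IP and port, target IP and port, attack identifier, severity, time) are matched against a constructed Active Users table on attacker IP and port, and a severity-keyed policy chooses between disabling the account, ending the session, or moving the user to a quarantine role. The record layout, the 1..5 severity scale, the action names, and the `min_severity` floor (the volume control described later for large deployments) and `monitored` address ranges are assumptions made for illustration.

```python
"""Correlating IDP attack logs with active Ivanti Policy Secure sessions.

Added example, not Ivanti or Juniper code. Record layout, the 1..5 severity
scale and the action names are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence

# Assumed severity scale: 1 = informational ... 5 = critical.
CRITICAL, MAJOR, MINOR = 5, 4, 3


@dataclass(frozen=True)
class AttackLog:
    """One attack record as the sensor reports it (assumed field layout)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    attack_id: str
    severity: int
    timestamp: datetime


@dataclass(frozen=True)
class Session:
    """An entry from the Active Users table (assumed shape)."""
    user: str
    ip: str
    port: int
    role: str


@dataclass(frozen=True)
class Decision:
    user: str
    attack_id: str
    action: str                     # disable-account | terminate-session | remediate | log-only
    new_role: Optional[str] = None  # set only for remediate


# Assumed automatic-response policy keyed by severity; anything else is logged only.
DEFAULT_POLICY: Dict[int, str] = {
    CRITICAL: "disable-account",
    MAJOR: "terminate-session",
    MINOR: "remediate",
}


def decide_action(severity: int, policy: Dict[int, str] = DEFAULT_POLICY) -> str:
    return policy.get(severity, "log-only")


def find_session(log: AttackLog, sessions: Sequence[Session]) -> Optional[Session]:
    """Match on attacker IP and port, the pair the page says identifies the session."""
    for s in sessions:
        if s.ip == log.src_ip and s.port == log.src_port:
            return s
    return None


def correlate(logs: Sequence[AttackLog], sessions: Sequence[Session],
              min_severity: int = MINOR, monitored: Sequence[str] = ("0.0.0.0/0",),
              quarantine_role: str = "Quarantine") -> List[Decision]:
    nets = [ip_network(n) for n in monitored]
    decisions: List[Decision] = []
    for log in logs:
        # Severity floor: the knob that limits how many alerts reach the policy engine.
        if log.severity < min_severity:
            continue
        # Only act on attackers inside the address ranges configured for monitoring.
        if not any(ip_address(log.src_ip) in net for net in nets):
            continue
        session = find_session(log, sessions)
        if session is None:
            continue  # attacker is not an Ivanti Policy Secure user; nothing to act on here
        action = decide_action(log.severity)
        decisions.append(Decision(session.user, log.attack_id, action,
                                  quarantine_role if action == "remediate" else None))
    return decisions


# Constructed sample data: addresses and attack identifiers are made up for this example.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    Session("alice", "10.0.1.5", 51000, "Employees"),
    Session("bob", "10.0.1.6", 40000, "Contractors"),
    Session("carol", "10.0.1.7", 40001, "Employees"),
]
SAMPLE_LOGS = [
    AttackLog("10.0.1.5", 51000, "10.0.9.8", 445, "EXAMPLE-WORM-1", CRITICAL, T0),
    AttackLog("10.0.1.6", 40000, "10.0.9.8", 80, "EXAMPLE-INJ-1", MAJOR, T0),
    AttackLog("10.0.1.7", 40001, "10.0.9.8", 80, "EXAMPLE-SCAN-1", 2, T0),          # below floor
    AttackLog("192.168.5.5", 1234, "10.0.9.8", 22, "EXAMPLE-BRUTE-1", CRITICAL, T0),  # no session
]


def sample_run() -> List[Decision]:
    return correlate(SAMPLE_LOGS, SAMPLE_SESSIONS, monitored=("10.0.0.0/8",))


if __name__ == "__main__":
    for d in sample_run():
        print(d)
```

With the default floor of `MINOR`, only alice's and bob's sessions produce decisions; carol's low-severity record and the record with no matching session are skipped. Lowering `min_severity` to 2 lets carol's record through as `log-only`, which is the trade-off the volume-control setting makes.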
Deployments with IDP Series Devices
You can deploy Ivanti Policy Secure with IDP Series devices in coordinated threat control deployments and user-role-based IDP policy deployments. User-role-based IDP policy deployments require IDP Series 5.0 or later. To display the version of an associated IDP device in Ivanti Policy Secure admin console, select System > Configuration > Sensors.
An IDP Sensor can send logs to one Ivanti Policy Secure only. However, Ivanti Policy Secure can receive logs from more than one IDP Sensor.
Using the admin console, you can configure and manage interaction attributes between Ivanti Policy Secure and an IDP Series device, including the following:
- Global configuration parameters such as the IDP hostname or IP address, the TCP port over which the sensor communicates with Ivanti Policy Secure, and the one-time password Ivanti Policy Secure and IDP use to authenticate with one another.
- Various levels of attack severity warnings and the action that Ivanti Policy Secure takes.
- IP addresses to monitor.
With a large number of connected users, IDP can overwhelm Ivanti Policy Secure with more alert logs than it can process. In this situation, the number of logs sent by the IDP to Ivanti Policy Secure can be controlled by decreasing the severity level setting in the IDP connection settings.
Deployments with IDP-Enabled Infranet Enforcers
Ivanti Policy Secure also supports IDP through the Juniper Networks ISG Series Integrated Security Gateways Infranet Enforcer with the IDP Security Module (supported in ScreenOS Release 6.2 or later).
Unlike a standalone IDP, which requires manual configuration on the IDP to allow communication with Ivanti Policy Secure, the ScreenOS Enforcer or the Junos Enforcer uses the existing communication channel with Ivanti Policy Secure.
If you are using integrated IDP with the ISG-1000 or ISG-2000, see https://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/screenos/product/index.html. If you are using Junos IDP with Junos OS Release 10.0, see the Junos OS Initial Configuration Guide for Security Devices. ISG-IDP and CTC are configured the same way on Ivanti Policy Secure.
When ISG-IDP or Junos IDP are activated, ScreenOS or Junos notifies Ivanti Policy Secure when an attack event is detected from any endpoint. To avoid overwhelming the SSH connection between Ivanti Policy Secure and the Infranet Enforcer, the number of attack notifications is limited to ten per second. If additional attacks are detected, the Infranet Enforcer holds an additional ten notifications in a queue.
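The notification limit described above, modelled as an added example (not Juniper or Ivanti code): a bounded limiter sends at most ten notifications per second over the channel, holds up to ten more in a queue, and flushes the queue first when the next one-second window opens. The page does not say what happens to notifications that arrive while the queue is already full; treating them as dropped is an assumption of this model, as are the class and method names.

```python
"""Bounded rate limiting of Enforcer-to-Ivanti Policy Secure attack notifications.

Added example, not Juniper or Ivanti code. It models the stated limits (ten
notifications per second, ten more held in a queue). Dropping notifications
that arrive while the queue is full is an assumption, not something the page states.
"""
from collections import deque
from typing import Deque, List, Optional, Tuple


class NotificationLimiter:
    def __init__(self, per_second: int = 10, queue_size: int = 10) -> None:
        self.per_second = per_second
        self.queue_size = queue_size
        self.window_start: Optional[float] = None
        self.sent_in_window = 0
        self.queue: Deque[str] = deque()
        self.sent: List[Tuple[float, str]] = []   # (time, notification) actually delivered
        self.dropped: List[str] = []              # overflow beyond the queue (assumed lost)

    def _advance(self, now: float) -> None:
        """Open a new one-second window when the old one has elapsed, and
        deliver queued notifications before accepting new ones into it."""
        if self.window_start is not None and now - self.window_start < 1.0:
            return
        self.window_start = now
        self.sent_in_window = 0
        while self.queue and self.sent_in_window < self.per_second:
            self.sent.append((now, self.queue.popleft()))
            self.sent_in_window += 1

    def offer(self, notification: str, now: float) -> str:
        """Return "sent", "queued" or "dropped" for a notification arriving at time `now`."""
        self._advance(now)
        if self.sent_in_window < self.per_second:
            self.sent.append((now, notification))
            self.sent_in_window += 1
            return "sent"
        if len(self.queue) < self.queue_size:
            self.queue.append(notification)
            return "queued"
        self.dropped.append(notification)
        return "dropped"


def simulate_burst(count: int = 25, spacing: float = 0.01) -> Tuple[NotificationLimiter, List[str]]:
    """Constructed scenario: `count` attack events arriving `spacing` seconds apart."""
    limiter = NotificationLimiter()
    outcomes = [limiter.offer(f"attack-{i}", i * spacing) for i in range(count)]
    return limiter, outcomes


if __name__ == "__main__":
    lim, out = simulate_burst()
    print("sent", out.count("sent"), "queued", out.count("queued"), "dropped", out.count("dropped"))
    print("one second later:", lim.offer("attack-late", 1.0), "delivered so far:", len(lim.sent))
```

A burst of 25 events inside a quarter of a second yields 10 sent, 10 queued and 5 dropped; an event arriving a second later first triggers delivery of the 10 queued notifications, which exhausts the new window, so it is itself queued. The practical point for an operator is that a short burst from many endpoints can hide later attacks from Ivanti Policy Secure unless the sensor-side filtering keeps the event rate within these limits.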
ISG-IDP or Junos devices attached to any node in a cluster may send messages regarding sessions attached to any node in the cluster.
There is a Use IDP module as Sensor check box on the Infranet Enforcer admin console page. If you select the check box and there is no IDP module or if the Enforcer is not running a compatible version, Ivanti Policy Secure logs an appropriate message.
With IDP deployments using the Infranet Enforcer and the IDP Security Module, the Infranet Enforcer can send messages to Pulse debug log.
Monitoring IDP-Reported Events
After the IDP Sensor has been set up, you can specify the events you want the IDP to watch for and the actions that Ivanti Policy Secure takes once a particular event has been noted and reported.
In two locations on Ivanti Policy Secure, you can specify actions to be taken in response to users that perform attacks:
- Sensor Event policies page—Define the policy on this page to generate an automatic response to users who perform attacks.
- Users page—Manually identify and quarantine or disable users on the Active Users page, which lists users who have performed attacks.