Alert-Based Admission Control with McAfee ePolicy Orchestrator (ePO)

Overview

This section describes how to integrate McAfee ePO server with IPS to support alert-based admission control in your network. It describes how to configure Ivanti Policy Secure (IPS) to provide Alert-based admission control protection for your network using McAfee ePolicy Orchestrator (ePO).

Prerequisites

This guide assumes you are familiar with the use of the following products and their related terminology.

  • Ivanti Policy Secure at version 9.1R5

  • McAfee ePolicy Orchestrator (ePO) server version 5.9.0 and above

Ivanti Policy Secure (IPS) integration with the McAfee ePolicy Orchestrator (ePO) provides complete visibility of network endpoints and provide end to end network security. The IPS integration with McAfee ePO server allows Admin to perform user access control based on alerts received from the McAfee ePO server.

If ePO detects that an endpoint on the network has become non-compliant, ePO can send IPS the non-compliant IP address and an event label. IPS resolves the event as a property on the endpoint, and can take automated actions until the endpoint is remediated and becomes compliant.

The authentication process is described below:

  1. User downloads a malicious file from the Internet. The perimeter firewall scans the file and, based on user-defined policies, sends the file for analysis.

  2. McAfee agent running on the Endpoint detects the malicious activity and sends the information to McAfee ePO server.

  3. Based on the alert rules configured on McAfee ePO server, it generates alerts and sends automatically to IPS with the help of Ivanti Policy Secure Extension.

  4. McAfee ePO server sends alert to IPS to isolate the endpoint from the network. The Alert includes severity for the affected endpoint to IPS.

  5. The IPS server quarantines/blocks the endpoint based on the configured Admission control policies.

McAfee ePO server receives Threat events from different Endpoint Security (ENS) modules like Firewall, Threat Intelligence Exchange (TIE)/Adaptive Threat Protection (ATP), Threat Prevention and others.

In this example, the endpoint is connected to a third-party switch. The switch has 802.1X/MAB authentication enabled. As an alternate, SNMP enforcement mechanism can also be used.