Overview of Alert-Based Admission Control with IBM QRadar

The Ivanti Policy Secure (IPS) integration with IBM QRadar provides complete visibility of network endpoints, including unmanaged endpoints, and provides end-to-end network security. The integration allows an administrator to perform user access control based on alerts received from IBM QRadar.

IBM QRadar receives log or threat information from various log sources, such as a Palo Alto Networks firewall. Based on the offense rules configured on IBM QRadar, an offense is created, which triggers an alert to IPS. IPS then takes action on the user session by blocking or quarantining the user.

The alert and enforcement workflow is described below:

  1. User downloads a file from the Internet. The perimeter firewall scans the file and, based on user-defined policies, sends the file for analysis.

  2. The firewall detects that the file contains malware; a threat alert syslog message is generated and sent to IBM QRadar.

  3. Based on the offense rules configured on IBM QRadar, an offense is generated. The resulting alert is then sent to IPS manually with the help of the Ivanti App.

  4. The offense includes severity, credibility and other information for the affected endpoint.

  5. The IPS server quarantines or blocks the endpoint based on the configured admission control policies.
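The following is an added example, not code from Ivanti or IBM, that simulates the five steps above end to end: a constructed threat syslog line from the firewall is parsed, turned into a QRadar-style offense carrying severity and credibility, and evaluated against admission control policies that decide whether the endpoint is left alone, quarantined, or blocked. The key=value log layout, the severity mapping, the per-log-source credibility table and the policy thresholds are all assumptions for illustration; a real deployment takes these values from the firewall's log format and the QRadar and IPS configuration.

```python
"""Simulation of alert-based admission control (added example, not vendor code).

Pipeline: firewall THREAT syslog -> QRadar-style offense -> IPS-style decision.
All field layouts, scales and thresholds below are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ThreatEvent:
    host: str          # firewall that reported the event (the log source)
    src_ip: str        # endpoint that downloaded the file
    threat: str        # threat name as reported by the firewall
    fw_severity: str   # firewall rating: low / medium / high / critical
    fw_action: str     # what the firewall did with the file (alert, drop, ...)


@dataclass
class Offense:
    endpoint_ip: str
    description: str
    severity: int      # 0-10, QRadar-style scale (assumed mapping below)
    credibility: int   # 0-10, QRadar-style scale (assumed per-source table below)


@dataclass
class AdmissionPolicy:
    name: str
    min_severity: int
    min_credibility: int
    action: str        # "block" or "quarantine"


# Constructed sample lines in a vendor-neutral key=value syslog layout (not real PAN-OS output).
THREAT_LINE = ('<14>Jan 12 10:22:31 pa-fw-01 THREAT src=10.10.20.15 dst=203.0.113.44 '
               'threat="Eicar-Test-File" action=drop severity=high')
LOW_LINE = ('<14>Jan 12 10:23:05 pa-fw-01 THREAT src=10.10.20.16 dst=203.0.113.44 '
            'threat="Suspicious-Script" action=alert severity=medium')
TRAFFIC_LINE = '<14>Jan 12 10:23:07 pa-fw-01 TRAFFIC src=10.10.20.17 dst=198.51.100.9 action=allow'

_HEADER = re.compile(r'^<\d+>\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+(?P<kind>\S+)\s+(?P<rest>.*)$')
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed mapping of the firewall's textual rating onto a 0-10 offense severity.
FW_SEVERITY_TO_QRADAR = {"low": 3, "medium": 5, "high": 8, "critical": 10}
# Assumed per-log-source credibility, as an administrator would tune it in the SIEM.
LOG_SOURCE_CREDIBILITY = {"pa-fw-01": 8}
# Assumed admission control policies; first match wins, so the stricter rule is listed first.
POLICIES = [
    AdmissionPolicy("block-confirmed-malware", min_severity=8, min_credibility=7, action="block"),
    AdmissionPolicy("quarantine-suspect", min_severity=5, min_credibility=5, action="quarantine"),
]


def parse_threat_syslog(line: str):
    """Return a ThreatEvent for well-formed THREAT lines, None for anything else."""
    m = _HEADER.match(line)
    if not m or m.group("kind") != "THREAT":
        return None  # e.g. a TRAFFIC line: not a threat alert, nothing for IPS to act on
    fields = {k: (inner if raw.startswith('"') else raw) for k, raw, inner in _KV.findall(m.group("rest"))}
    try:
        return ThreatEvent(host=m.group("host"), src_ip=fields["src"], threat=fields["threat"],
                           fw_severity=fields["severity"].lower(), fw_action=fields["action"])
    except KeyError:
        return None  # malformed THREAT line: a required field is missing


def build_offense(event: ThreatEvent) -> Offense:
    """Mimic the offense QRadar raises: severity from the firewall's rating,
    credibility from how much the administrator trusts that log source."""
    return Offense(
        endpoint_ip=event.src_ip,
        description=f"{event.threat} ({event.fw_action}) reported by {event.host}",
        severity=FW_SEVERITY_TO_QRADAR.get(event.fw_severity, 0),
        credibility=LOG_SOURCE_CREDIBILITY.get(event.host, 0),  # unknown source: no credibility
    )


def decide(offense: Offense, policies=POLICIES):
    """Return (policy_name, action) for the first matching policy, or (None, 'none')."""
    for p in policies:
        if offense.severity >= p.min_severity and offense.credibility >= p.min_credibility:
            return p.name, p.action
    return None, "none"


def run_pipeline(line: str) -> dict:
    """End to end: syslog line -> offense -> admission control decision for the endpoint."""
    event = parse_threat_syslog(line)
    if event is None:
        return {"endpoint": None, "action": "none", "policy": None}
    offense = build_offense(event)
    policy, action = decide(offense)
    return {"endpoint": offense.endpoint_ip, "severity": offense.severity,
            "credibility": offense.credibility, "policy": policy, "action": action}


if __name__ == "__main__":
    for line in (THREAT_LINE, LOW_LINE, TRAFFIC_LINE):
        print(run_pipeline(line))
```

Note that credibility gates the action independently of severity: the same high-severity alert from a log source the administrator has not rated produces no enforcement, which is the behaviour you want when an untrusted or misconfigured source could otherwise knock endpoints off the network.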

In this example, the endpoint is connected to a third-party switch with 802.1X/MAB authentication enabled. As an alternative, SNMP-based enforcement can also be used.