
NDCool_
Contributor

Need help, SA + IDP as threats control

Hi All,

I have some questions about threats control,

Can SA take an action to show a warning message or redirect users to an HTML page when it gets a threat event from IDP as a sensor?
So the user will know why they were disconnected from SA.

Or does anyone have an idea about my issue? Because this is a requirement from our client.
muttbarker_
Valued Contributor

Re: Need help, SA + IDP as threats control

IDP - SA integration allows for a user session to be terminated, disabled or have a role mapping change take place. In the event of termination or disabling of a session the user is given an error message allowing them to understand why this action was taken.

If you role map you can of course do all sorts of fun things like directing to a specific WEB page, special help pages, notification messages....

So you should most certainly achieve your customer's objectives.

NDCool_
Contributor

Re: Need help, SA + IDP as threats control

Hi Kevin,

Thanks for your reply.
Do you have any documentation guide about this? So do we configure it at the quarantine role, or where?
Could you explain more details to me?


thanks
Andi

JNCIA-EX
muttbarker_
Valued Contributor

Re: Need help, SA + IDP as threats control

Hey Andi - under the system tab go to Configuration and then go to the sensors tab. Two steps -

#1 define your sensor(s)

#2 define the policies that will control the actions that are to be taken when the sensor detects an event (Sensor Event Policies).

The admin guide does an ok job of describing the setup steps necessary to integrate the two. The "Event Policies" component is really where the bulk of the work is done. You have to define the events that will occur and then the actions you want taken. Actions, like I said, are terminate, disable, role map.

Events take some thought - you will be using the Expressions capability of the SA box. There are a bunch of pre-built expressions for the IDP that you will build from.

So step #1 is to get the two boxes talking -

Step #2 is to create an event based on a traffic occurrence that is fairly common - log it initially (ignore) so you can track it to confirm that you know how to write rules.

If you have issues getting events into the sensor on a regular enough basis to write rules then pick up either Metasploit to attack the sensor, or if you don't want to actually attack the sensor then use NMAP - great at triggering alerts in the IDP if you have a fairly broad screening policy.
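The two-step flow Kevin describes (sensor reports an event, Sensor Event Policies decide on ignore / terminate / disable / role map, and the user is shown a reason page) can be modelled outside the SA GUI to reason about policy ordering before touching the box. The following is an added example written for this thread; it is not Juniper code and does not use the SA expression syntax. The event fields, the 1-5 severity scale, the policy names and the sample events are all constructed for illustration.

```python
"""Toy model of SA sensor event policies (added example, not Juniper code).

Mirrors the flow described in the thread: an IDP sensor reports an event, the
SA evaluates its Sensor Event Policies in order, and the matching policy's
action (terminate / disable / role map) determines what the user is shown.
Expression syntax, event fields and the severity scale are constructed here.
"""
from dataclasses import dataclass, field
from html import escape
from typing import Callable, List, Optional

# Action names are constructed; IGNORE is the "log it initially" test rule.
IGNORE, TERMINATE, DISABLE, ROLE_MAP = "ignore", "terminate", "disable", "role_map"


@dataclass(frozen=True)
class SensorEvent:
    sensor: str          # which IDP sensor reported it
    signature: str       # IDP attack/signature name (constructed values below)
    severity: int        # 1 (info) .. 5 (critical); constructed scale
    src_ip: str
    user: Optional[str]  # SA session the event was correlated to, if any


@dataclass
class EventPolicy:
    name: str
    matches: Callable[[SensorEvent], bool]  # stands in for an SA expression
    action: str
    target_role: Optional[str] = None       # used only with ROLE_MAP
    message: str = ""                       # text shown on the disconnect/role page


@dataclass
class Decision:
    policy: Optional[str]
    action: str
    role: Optional[str]
    user_message: str
    log: List[str] = field(default_factory=list)


def evaluate(event: SensorEvent, policies: List[EventPolicy]) -> Decision:
    """First enforcing match wins; IGNORE policies only log and keep going."""
    log: List[str] = []
    for p in policies:
        if not p.matches(event):
            continue
        log.append(f"{p.name}: {event.signature} from {event.src_ip} user={event.user}")
        if p.action == IGNORE:
            continue   # log-only rule, used to confirm the rule matches as intended
        role = p.target_role if p.action == ROLE_MAP else None
        return Decision(p.name, p.action, role, p.message, log)
    return Decision(None, IGNORE, None, "", log)


def user_page(decision: Decision) -> str:
    """Minimal HTML the user would see; escape text that came from policy data."""
    title = {TERMINATE: "Session terminated", DISABLE: "Session disabled",
             ROLE_MAP: "Access restricted"}.get(decision.action, "Notice")
    return f"<h1>{escape(title)}</h1><p>{escape(decision.user_message)}</p>"


# Constructed policies: the log-only rule first, then enforcement from most to
# least severe, so a critical event is never downgraded to a role map.
POLICIES = [
    EventPolicy("log-all-scans", lambda e: e.signature.startswith("SCAN:"), IGNORE),
    EventPolicy("terminate-critical", lambda e: e.severity >= 5, TERMINATE,
                message="Your session was terminated because the IDP sensor reported "
                        "a critical attack from your address. Contact the helpdesk."),
    EventPolicy("quarantine-scanners",
                lambda e: e.signature.startswith("SCAN:") and e.severity >= 3,
                ROLE_MAP, target_role="Quarantine",
                message="Your session was moved to a restricted role because a network "
                        "scan was detected from your device. See the help page to recover."),
]

# Constructed sample events.
EVENTS = [
    SensorEvent("idp-dc1", "SCAN:TCP-PORTSCAN", 3, "10.1.2.3", "alice"),
    SensorEvent("idp-dc1", "EXPLOIT:HTTP:CONSTRUCTED", 5, "10.1.2.4", "bob"),
    SensorEvent("idp-dc1", "INFO:HTTP:UNUSUAL-UA", 1, "10.1.2.5", None),
]

if __name__ == "__main__":
    for ev in EVENTS:
        d = evaluate(ev, POLICIES)
        print(ev.user, d.action, d.role, d.log)
        if d.action != IGNORE:
            print(user_page(d))
```

Running it shows alice being role-mapped to Quarantine with the restricted-access page, bob's session being terminated with the termination page, and the low-severity event producing no action and no log line. The ordering matters: putting the quarantine rule ahead of the terminate rule would let a critical scan-class event land in the softer action, which is exactly the kind of mistake the log-only step is meant to surface before enforcement is switched on.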

NDCool_
Contributor

Re: Need help, SA + IDP as threats control

Hi Kevin,

So... by default, if the user was terminated, disabled or mapped to the Quarantine Role, SA will show a pop-up reason why they were disconnected from NC, isn't that right?

If we want to give the user redirect pages, we can do it by mapping the user role, configured at the Quarantine user role to redirect to an HTML warning page. Is that possible?

BTW, thank you Kevin for responding to my questions.

thanks

Andi

muttbarker_
Valued Contributor

Re: Need help, SA + IDP as threats control

Hey Andi - was off stuck in a data center for a few days doing a customer install so just saw your latest message. Yes - the user gets a message screen if they are bumped off the SA - and yes, you can create custom html help pages, etc., along with messages on the role page if/when you direct the user to a new role.
mmesojedec_
Occasional Contributor

Re: Need help, SA + IDP as threats control

Hi

I attached the document that describes SA-IDP integration.

Regards,

mmesojedec

JNCIS-SSL, JNCIA-FW, JNCIA-IDP


Message Edited by mmesojedec on 12-11-2008 12:54 PM
Message Edited by mmesojedec on 12-11-2008 12:55 PM