IF-MAP transfers the session from the Secure Access to the Access Control seamlessly.
The same thing happens when you access items protected by another Access Control device.
This is done with a single login.
IF-MAP is part of TNC (Trusted Network Connect).
Only the Junos Access Control Service can serve as an IF-MAP server.
For that you need a license.
IF-MAP is a repository of information about sessions, roles etc.
Each device can connect to the server, fetch the subset of the data it is interested in, and also update
the server. So the Secure Access can put some data in, and then the Access Control can connect,
use that data and apply it to its own session.
The IF-MAP server license is MAGX600-iFMAP; you need to buy this license.
On the IF-MAP server:
- Select System > IF-MAP Federation > Overview
- Select the Server option from the choices
- Then add the clients that will communicate with this server. They need a password or a certificate.
(IF-MAP clients do not need a license.)
On a client:
- Select the IF-MAP Client option
- Then add the server URL https://ac1.pulse.local/dana-ws/soap/dsifmap
- Then add the user name and password.
On the clients you set up an Export Policy.
This decides which session data the client exports to the IF-MAP server.
On the clients you also set up an Import Policy.
This interprets the IF-MAP data from the server into local roles.
On the IF-MAP client you can see the Active Users tab.
This shows you the data that is being IF-MAPed.
On the IF-MAP server you can likewise see the sessions that have been exported/published to it.
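To make the export/import idea concrete, here is a small Python model of the federation described above: one server holding session data, a publishing client whose export policy limits which roles it shares, and a consuming client whose import policy turns the shared roles into its own local roles. This is an added illustration, not Juniper's code; the client names, passwords, IPs and role names are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Session metadata as one device would publish it."""
    user: str
    ip: str
    roles: frozenset   # roles the publishing device assigned
    source: str        # name of the device that authenticated the user


class IfMapServer:
    """Shared session repository, the part the Access Control Service plays
    as IF-MAP server. Every client must present its configured password."""

    def __init__(self, client_passwords):
        self._clients = dict(client_passwords)   # client name -> password
        self._sessions = {}                      # ip -> Session

    def _check(self, client, password):
        if self._clients.get(client) != password:
            raise PermissionError(f"client {client!r} is not authorised")

    def publish(self, client, password, session):
        self._check(client, password)
        self._sessions[session.ip] = session

    def search(self, client, password, ip):
        self._check(client, password)
        return self._sessions.get(ip)

    def delete(self, client, password, ip):
        """Called when the publishing device ends the session."""
        self._check(client, password)
        self._sessions.pop(ip, None)


class IfMapClient:
    """A Secure Access or Access Control device talking to the server.

    export_roles : the export policy, the only roles this device shares
    import_map   : the import policy, server role -> local role
    """

    def __init__(self, name, password, server, export_roles=(), import_map=None):
        self.name = name
        self.password = password
        self.server = server
        self.export_roles = frozenset(export_roles)
        self.import_map = dict(import_map or {})

    def export_session(self, session):
        # Export policy: only the roles listed in export_roles leave this device.
        shared = frozenset(r for r in session.roles if r in self.export_roles)
        self.server.publish(self.name, self.password,
                            Session(session.user, session.ip, shared, self.name))

    def import_roles(self, ip):
        """Look up a session by client IP and translate it into local roles.
        An IP the federation knows nothing about yields no roles."""
        found = self.server.search(self.name, self.password, ip)
        if found is None:
            return set()
        return {self.import_map[r] for r in found.roles if r in self.import_map}

    def end_session(self, ip):
        self.server.delete(self.name, self.password, ip)


if __name__ == "__main__":
    # Constructed sample data: an SA authenticates alice, an AC re-uses the session.
    server = IfMapServer({"sa1": "sa-secret", "ac1": "ac-secret"})
    sa = IfMapClient("sa1", "sa-secret", server, export_roles={"Employees"})
    ac = IfMapClient("ac1", "ac-secret", server,
                     import_map={"Employees": "Corp-Network"})
    sa.export_session(Session("alice", "10.0.0.5",
                              frozenset({"Employees", "Finance"}), "sa1"))
    print(ac.import_roles("10.0.0.5"))   # {'Corp-Network'}
```

Note that the "Finance" role never reaches the server because the SA's export policy does not list it, and the AC only ever sees the roles its import policy maps; that is the single-login behaviour without either device trusting the other's full role set.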
NSM
Network Security Management.
This is basically an appliance that currently allows you to manage SRX and NetScreen devices.
You can still buy it, but they are phasing it out in favour of Junos Space.
The firewall has three ways of getting configuration data:
- The CLI or web management of the device itself (obvious)
- Junos Pulse Access Control Service, because we linked them
- NSM, which centrally manages the firewalls.
It is best practice to make the NSM the authoritative one.
To update the Pulse side you can click Refresh Policies.
Avoid CLI changes on devices that are under the NSM.
Now we can add the Pulse to the NSM to make life easier.
The procedure is:
- Install the Junos Pulse Access Control device (MAG)
- Add the Junos Pulse Access Control Service on the NSM
- Configure and activate the DMI agent on the Pulse Access Control
- Confirm connectivity and import the configuration into the NSM.
Let's see how it's done.
DMI is a set of protocols that run over TCP:
Netconf, XML alarms and structured syslog.
There is one DMI agent per device.
Under the DMI Agent tab:
{} Inbound, if you are using SSH to manage the device.
{} Outbound enabled, if you are talking to the NSM.
Set up the port to accept inbound connections on, which is 22 (SSH).
Set up the "outbound connections": primary and backup ports, device and HMAC key (7804).
Admin Realm
{} DMI logging
STRM
STRM, Security Threat Response Manager,
is basically an event collection and correlation point for collecting all the logs from the security
devices, so that you can view them centrally.
This helps associate security breaches with a user and not only with an IP.
It has hard drives to store the logging data.
Let's configure it.
This is done under System > Log/Monitoring, where you add syslog servers.
You can also filter what to log.
IDP
Juniper has IDP sensors either as dedicated devices
or as a module on the SRX family.
* If the IDP is a standalone IDP like the ones above,
then you need to manually configure the list of IPs for the device to monitor.
* If the IDP is a module on the Enforcer (SRX/SSG), then the module
will get the IPs to monitor from the dynamic auth table.
The IDP detects malicious traffic.
It notifies the Junos Pulse Secure Access Control Service,
which will take an action on the user session.
{The sensor sends the IPs, the ports, the attack, the time and the severity.}
Actions: the actions you can take can be manual (by looking at the Active Users)
or automatic: drop the user, disable the user, or remediate the user into another role.
The Junos Pulse client will display an error message to the disabled user.
Configuration
Adding a standalone IDP sensor:
- System > Configuration > Sensors, add the sensor: the port on which to listen
and the password.
Manually enter the addresses to monitor and the severity that you want (1 to 5; 5 is critical).
Adding a sensor on an Enforcer:
You can also configure a sensor on the Infranet Enforcer (firewall) by
- UAC > Infranet Enforcer > Connection > Enforcer
{} Use IDP module as sensor.
This will use the dynamic auth table to choose the IPs to monitor.
Both have severity filters (1-5) that determine what level is reported to the Secure Access.
Policies are under Configuration > Sensors > Sensor Event Policies.
You create a rule based on the IDP signals that come in:
so an EVENT,
then an action: ignore / terminate / disable user / replace his role,
then you select on which ROLES to apply this rule.
Under System > Status > Active Users
you can see the users and run manual actions on them, or re-enable them if you want.
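The sensor severity filter, the sensor event policy and the Active Users actions described above fit together as one small decision flow. The following Python model is an added example (not Juniper's implementation) that runs the flow over constructed sample events: the sensor's severity filter drops low-severity signals, the first matching rule picks an action for sessions holding one of the rule's roles, and a manual re-enable undoes a disable. The class and field names, IPs, role names and attack label are all invented for the illustration.

```python
from dataclasses import dataclass


@dataclass
class IdpEvent:
    """What the sensor reports: IPs, ports, attack name, time and severity (1-5)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    attack: str
    time: str
    severity: int


@dataclass
class UserSession:
    user: str
    ip: str
    roles: set
    disabled: bool = False


@dataclass
class SensorEventRule:
    """One row of a sensor event policy."""
    min_severity: int
    action: str                  # "ignore" | "terminate" | "disable" | "replace_role"
    apply_to_roles: set          # fires only for sessions holding one of these roles
    replacement_role: str = ""   # target role for "replace_role"


class AccessControlService:
    def __init__(self, sensor_min_severity, rules):
        self.sensor_min_severity = sensor_min_severity   # the sensor's severity filter
        self.rules = list(rules)                         # evaluated in order, first match wins
        self.active_users = {}                           # ip -> UserSession

    def add_session(self, session):
        self.active_users[session.ip] = session

    def handle_event(self, event):
        """Return the name of the action taken for this event."""
        if event.severity < self.sensor_min_severity:
            return "filtered"          # below the severity filter, never reported
        session = self.active_users.get(event.src_ip)
        if session is None:
            return "no_session"        # source IP has no authenticated session
        for rule in self.rules:
            if event.severity >= rule.min_severity and session.roles & rule.apply_to_roles:
                return self._apply(rule, session)
        return "no_rule"

    def _apply(self, rule, session):
        if rule.action == "ignore":
            return "ignore"
        if rule.action == "terminate":
            del self.active_users[session.ip]
            return "terminate"
        if rule.action == "disable":
            session.disabled = True    # the Pulse client then shows an error message
            return "disable"
        if rule.action == "replace_role":
            session.roles = {rule.replacement_role}   # remediate into another role
            return "replace_role"
        raise ValueError(f"unknown action {rule.action!r}")

    def reenable(self, ip):
        """Manual action from the Active Users page."""
        self.active_users[ip].disabled = False


if __name__ == "__main__":
    # Constructed sample policy and sessions.
    acs = AccessControlService(3, [
        SensorEventRule(5, "terminate", {"Employees"}),
        SensorEventRule(4, "replace_role", {"Employees"}, "Quarantine"),
        SensorEventRule(3, "disable", {"Guests"}),
    ])
    acs.add_session(UserSession("bob", "10.0.0.7", {"Employees"}))
    event = IdpEvent("10.0.0.7", 51234, "10.0.1.20", 445,
                     "SMB:CONSTRUCTED-SAMPLE", "12:00", 4)
    print(acs.handle_event(event))                 # replace_role
    print(acs.active_users["10.0.0.7"].roles)      # {'Quarantine'}
```

Rule order matters: a severity-4 event from an employee hits the replace_role rule, but once the session is in the Quarantine role no rule covers it any more, which is the usual reason to give the remediation role its own, stricter rule or to handle it manually from Active Users.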
So the IF-MAP advantages are:
- Single sign-on
- You can get service from any AC in the federation
- You can move the session from the SSL (Secure Access) to the AC seamlessly.