Redirecting Web Requests to an IDP Captive Portal
You can configure the SDX software to redirect subscriber Web requests to an IDP captive portal page in response to IDP security rules that detect problem traffic sent by or received by a subscriber. A captive portal is simply a Web page that receives redirected HTTP requests. The SDX application library provides a sample IDP captive portal that is a Java 2 Platform, Enterprise Edition (J2EE) Web application. We provide the application for demonstration purposes. You use an SDX service to redirect Web requests to a captive portal.
You can use the sample IDP captive portal as a basis for a captive portal for your environment, or you can develop a different captive portal based on the sample.
The sample IDP captive portal:
- Provides the source IP address or destination IP address of the problem traffic and provides a description of the incident.
The following page shows a sample IDP captive portal page that identifies incoming as well as outgoing traffic problems that IDP detected. The help buttons provide information about what the subscriber can do in response to the problem. For example, for the incoming traffic the Help could recommend that the subscriber use firewall software.
- Displays general information if the SDX software cannot collect information about the type of traffic that causes a problem; for example, if the IDP management server cannot access the record servlet in the IDP captive portal.
- Lets the subscriber display the Web page that he or she was trying to access when the request was redirected to the captive portal page and be reminded of the error at another time.
- Lets the subscriber prevent display of the IDP captive portal page again for the same incident.
This feature is useful for a subscriber who is addressing a detected problem and who does not want to be redirected to the IDP captive portal page again while addressing the issue. It is not intended that the subscriber simply ignore the problem.
If a new problem occurs, the portal displays a new page.
Sequence for Redirecting Traffic
The sample IDP captive portal takes the following actions in response to incidents detected by IDP:
- The portal's record servlet records HTTP messages that it receives from the IDP management server. The messages include the source and destination IP addresses of problem traffic and a problem description.
- The IDP management server activates a service that policy-routes the subscriber's Web traffic to the SDX redirect server.
- When the subscriber tries to access the Web, the SDX redirect server responds to the subscriber's Web traffic by redirecting the subscriber to the IDP captive portal through an HTTP redirect process.
- The IDP captive portal then retrieves the subscriber's IP address and the stored messages for this IP address, and displays messages appropriate to the subscriber.
About the Record Servlet
The record servlet receives messages from the SDX idpsdx.py script that runs in IDP. The script posts messages to a specified URL. The default URL is http(s)://<hostname>:<port>/idpPortal/Record.
The following example shows the type of information that IDP sends to the record servlet. The parameter name in the message appears to the left of the equals sign and the value to the right.
    fixed.timeGeneratedGMT=2005/01/20 17:41:33
    fixed.timeReceivedGMT=2005/01/20 17:41:44
    fixed.deviceAddress=10.227.6.116
    fixed.devinVIN=A97B-3867-3062-D6E6
    fixed.sourceAddress=10.227.6.238
    fixed.sourcePort=35170
    fixed.destinationAddress=10.227.6.252
    fixed.destinationPort=8
    fixed.inboundInterface=eth0
    fixed.outboundInterface=
    fixed.virtualDevice=s0
    fixed.attack=ICMP:EXPLOIT:FLOOD
    fixed.policy=FirstPolicy
    fixed.policyVersion=6
    fixed.rulebase=IDS
    fixed.ruleNumber=10
    fixed.miscellaneous=repeated 3 times
    fixed.bytes=0
    fixed.packets=0
    fixed.elapsed=0
    fixed.protocol=ICMP
    fixed.category=ATTACK
    fixed.subCategory=ICMP_FLOOD
    fixed.action=NONE
    fixed.severity=MEDIUM
    fixed.isAlert=no
The record servlet maps addresses to messages for the types of incidents to be recorded to:
If the servlet receives more than one record for the same source and destination address at the same time (fixed.timeGeneratedGMT) with the same ID (fixed.attack), the servlet stores the record once and increases the value of a counter by one for each subsequent occurrence.
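The following sketch illustrates the deduplication rule described above and the per-subscriber lookup the portal performs. It is an added example, not the sample portal's own code. Assumptions: the message arrives as a form-encoded POST body, the counter starts at zero, a record whose source address is the subscriber's is shown as outgoing (destination as incoming), and the RecordStore class and its method names are hypothetical.

```python
import ipaddress
from urllib.parse import parse_qsl

# Constructed sample body using field names from the message shown above.
SAMPLE_BODY = (
    "fixed.timeGeneratedGMT=2005/01/20 17:41:33"
    "&fixed.sourceAddress=10.227.6.238"
    "&fixed.destinationAddress=10.227.6.252"
    "&fixed.attack=ICMP:EXPLOIT:FLOOD"
    "&fixed.severity=MEDIUM"
)

# Fields that together identify one incident for deduplication.
KEY_FIELDS = ("fixed.sourceAddress", "fixed.destinationAddress",
              "fixed.timeGeneratedGMT", "fixed.attack")


class RecordStore:
    """Hypothetical in-memory stand-in for the record servlet's storage."""

    def __init__(self):
        self._records = {}  # dedup key -> {"fields": dict, "repeats": int}

    def record(self, body):
        """Store one posted message; return its repeat counter (0 on first sight)."""
        fields = dict(parse_qsl(body, keep_blank_values=True))
        missing = [k for k in KEY_FIELDS if not fields.get(k)]
        if missing:
            raise ValueError("missing fields: " + ", ".join(missing))
        # Accept only literal IP addresses; ip_address() raises ValueError otherwise.
        for k in KEY_FIELDS[:2]:
            fields[k] = str(ipaddress.ip_address(fields[k]))
        key = tuple(fields[k] for k in KEY_FIELDS)
        if key in self._records:
            self._records[key]["repeats"] += 1  # stored once, counter incremented
        else:
            self._records[key] = {"fields": fields, "repeats": 0}
        return self._records[key]["repeats"]

    def messages_for(self, subscriber_ip):
        """Return (direction, attack, repeats) for records involving this address."""
        ip = str(ipaddress.ip_address(subscriber_ip))
        out = []
        for (src, dst, _time, attack), entry in self._records.items():
            if ip == src:
                out.append(("outgoing", attack, entry["repeats"]))
            if ip == dst:
                out.append(("incoming", attack, entry["repeats"]))
        return out
```

Validating the address fields before they become storage keys keeps malformed posts out of the data that the portal later renders to subscribers.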
For information about the SDX idpsdx.py script that runs in IDP Manager, see Chapter 7, Enabling SDX Actions from IDP Manager.