Rule ID
SV-284586r1244873_rule
Version
V1R1
Automated and manual procedures for remediation for critical security updates are managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users. This isolation prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized. This solution provides a mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. Security attributes may be used to manage information flow control. Unauthenticated devices must not be allowed to connect to remediation services. The Ivanti IPS and client does not need to provide IP transport for evaluation and remediation. However, using this Check and Fix text works as well. This requirement also applies to Zero Trust initiatives. Satisfies: SRG-NET-000015-NAC-000040, SRG-NET-000323-NAC-001233
If automated remediation is not used, this is not applicable. 1. In the Ivanti Policy Secure Web UI, navigate to Endpoint Policy >> Network Access >> Radius Attributes >> Radius Return Attributes. 2. Inspect the policy to ensure it is configured with an assigned location group, roles, and remediation VLAN ID. If the remediation VLAN that is separated from trusted resources is not configured for use, this is a finding.
1. In the Ivanti Policy Secure Web UI, navigate to Endpoint Policy >> Network Access >> Radius Attributes >> Radius Return Attributes. 2. Click "New Policy". 3. Type a Name and Description. 4. Assign Location Groups to which the policy applies. 5. Expand the "Access Control Policy Settings" menu. 6. Click the "Control" radio button. 7. Click the check box for "Control Using VLAN id []" and specify the remediation or redirect VLAN. 8. Select the PPS interface to which endpoints will connect while they are assigned to the above VLAN. 9. Expand "Roles". 10. Select the role to which this policy is applicable and set it for selected below and specify designated role. 11. Click "Save Changes".