Amer Networks E5Web GUI User Manual, Section 3.6, “IP Rules and IP Policies”: Security Policies

3.6. IP Rules and IP Policies
3.6.1. Security Policies
Before examining IP rule sets in detail, we will first look at the generic concept of security policies to which IP rule sets belong.
Security Policy Characteristics
cOS Core security policies are configured by the administrator to regulate the way in which traffic can flow through the Clavister Security Gateway. Such policies are described by the contents of different cOS Core rule sets. These rule sets share a uniform means of specifying filtering criteria which determine the type of traffic to which they will apply. The possible filtering criteria consist of the following:
Source Interface
An Interface or Interface Group where the packet is received at the Clavister Security Gateway. This could also be a VPN tunnel.
Source Network
The network that contains the source IP address of the packet. This might be a cOS Core IP object which could define a single IP address or range of addresses.
Destination Interface
An Interface or an Interface Group from which the packet would leave the Clavister Security Gateway. This could also be a VPN tunnel.
Destination Network
The network to which the destination IP address of the packet belongs. This might be a cOS Core IP object which could define a single IP address or range of addresses.
Service
The protocol type to which the packet belongs. Service objects define a protocol/port type. Examples are HTTP and ICMP. Service objects also define any ALG which is to be applied to the traffic.
cOS Core provides a large number of predefined service objects, but administrator-defined custom services can also be created. Existing service objects can also be collected together into service groups.
See Section 3.3, “Services” for more information about this topic.
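To make the five filtering criteria concrete, the following is an added illustration written for this page (it is not cOS Core code and does not use any Clavister API). It models interface groups, IP objects, service objects and service groups as described above, derives the destination interface from a constructed routing table, enforces the IPv4/IPv6 constraint that the IP Rules description below places on a single rule, and evaluates a rule set top-down with first match winning and an unmatched packet dropped; that ordering and default are assumptions made here, not statements from this page.

```python
from ipaddress import ip_address, ip_network
# Constructed sample objects: an interface group, service objects (protocol/port),
# a service group and a routing table used to find the egress interface.
IFACE_GROUPS = {"inside": {"lan", "dmz"}}
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "icmp": ("icmp", None)}
SERVICE_GROUPS = {"web": {"http", "https"}}
ROUTES = [("10.0.0.0/8", "lan"), ("172.16.0.0/16", "dmz"), ("0.0.0.0/0", "wan")]

def egress_iface(dst):
    """Longest-prefix route lookup: the interface the packet would leave on."""
    cands = [(ip_network(p).prefixlen, i) for p, i in ROUTES
             if ip_address(dst) in ip_network(p)]
    return max(cands)[1] if cands else None

def iface_matches(spec, iface):
    """Source/Destination Interface: a single interface or an interface group."""
    return spec == "any" or iface == spec or iface in IFACE_GROUPS.get(spec, ())

def net_matches(spec, addr):
    """Source/Destination Network: an IP object (CIDR) or 'all'."""
    return spec == "all" or ip_address(addr) in ip_network(spec, strict=False)

def service_matches(spec, proto, dport):
    """Service: a protocol/port object or a service group of such objects."""
    return any(SERVICES[n] == (proto, dport) for n in SERVICE_GROUPS.get(spec, {spec}))

def make_rule(name, action, src_if, src_net, dst_if, dst_net, service):
    """Build a rule; reject one that mixes IPv4 and IPv6 filters, as the manual requires."""
    vers = {ip_network(n, strict=False).version for n in (src_net, dst_net) if n != "all"}
    if len(vers) > 1:
        raise ValueError(f"rule {name}: IPv4 and IPv6 cannot be mixed in one rule")
    return dict(name=name, action=action, src_if=src_if, src_net=src_net,
                dst_if=dst_if, dst_net=dst_net, service=service)

def lookup(rules, in_if, src, dst, proto, dport=None):
    """First matching rule wins (assumed); no match means the packet is dropped."""
    out_if = egress_iface(dst)
    for r in rules:
        if (iface_matches(r["src_if"], in_if) and net_matches(r["src_net"], src)
                and iface_matches(r["dst_if"], out_if) and net_matches(r["dst_net"], dst)
                and service_matches(r["service"], proto, dport)):
            return r["name"], r["action"]
    return None, "drop"

RULES = [  # constructed rule set, in the order it is evaluated
    make_rule("lan_to_wan_web", "nat", "inside", "10.0.0.0/8", "wan", "all", "web"),
    make_rule("wan_to_dmz_http", "allow", "wan", "all", "dmz", "172.16.1.10/32", "http"),
    make_rule("ping_inside", "allow", "inside", "all", "inside", "all", "icmp"),
]
```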
The cOS Core Security Policy Rule Sets
The principal cOS Core rule sets that define cOS Core security policies, and which use the same filtering parameters described above (networks/interfaces/service), include:
• IP Rules
IP Rule objects determine which traffic is permitted to pass through the Clavister Security Gateway as well as determining if the traffic is subject to address translation. The network filter for these rules can be IPv4 or IPv6 addresses (but not both in a single rule). They are described further later in this section.
• IP Policies
Chapter 3: Fundamentals
191