
Amer Networks E5Web GUI User Manual


The IP Policy object is an alternative to using IP Rule objects. IP Policy objects are designed to simplify the creation of policies and make it easier to define common tasks such as address translation. Internally, IP Policy objects are implemented by IP Rule objects, and one IP Policy may correspond to more than one IP Rule.

Pipe Rules

These determine which traffic triggers traffic shaping to take place and are described in
Section 10.1, “Traffic Shaping”.

Policy-based Routing Rules

These rules determine the routing table to be used by traffic and are described in Section 4.3, “Policy-based Routing”. The network filter for these rules can be IPv4 or IPv6 addresses (but not both in a single rule).

IDP Rules

These determine which traffic is subject to IDP scanning and are described in Section 6.5, “Intrusion Detection and Prevention”.

Authentication Rules

These determine which traffic triggers authentication to take place (source net/interface
only) and are described in Chapter 8, User Authentication.

The Default main IP Rule Set

IP rule sets are the most important of these security policy rule sets. They determine the critical packet filtering function of cOS Core, regulating what is and is not allowed to pass through the Clavister Security Gateway and, where necessary, how address translations such as NAT are applied. IP rule sets can contain both IP Rule and IP Policy objects. By default, one IP rule set always exists, and it has the name main.

There are two possible approaches to how traffic traversing the Clavister Security Gateway could
be dealt with:

Everything is denied unless specifically permitted.

Or everything is permitted unless specifically denied.

To provide the best security, the first of these approaches is adopted by cOS Core. This means that when first installed and started, cOS Core has no rules defined in the main IP rule set and all traffic is therefore dropped. In order to permit any traffic to traverse the Clavister Security Gateway (including allowing cOS Core itself to respond to ICMP Ping requests), some IP rules must be defined by the administrator.

Each IP rule or IP policy that is added by the administrator will define the following basic filtering
criteria:

From what interface to what interface traffic flows.

From what network to what network the traffic flows.

What kind of protocol is affected (the service).

What action the rule will take when a match on the filter triggers.
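The following Python model, added here as an illustration and not part of cOS Core or this manual, shows how a rule set built from exactly these criteria is evaluated: rules are tried in order, the first match decides the action, and a packet that matches nothing (including every packet when the rule set is empty, as after a fresh install) is dropped. The interface names lan, wan and core, the networks, and the rule names are constructed for the example; the rule set shown is not a recommended configuration.

```python
"""Toy model of a cOS Core-style IP rule set: first-match evaluation with
default deny. Added example, not cOS Core code; interface names, networks
and rule names are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Service:
    """The 'what kind of protocol' criterion: protocol plus optional port."""
    name: str
    protocol: str                    # "tcp", "udp", "icmp" or "all"
    dst_port: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class IPRule:
    """The four basic filtering criteria plus the action to take."""
    name: str
    action: str                      # "Allow", "NAT", "Drop", "Reject"
    src_iface: str                   # "any" matches every interface
    src_net: IPNetwork
    dst_iface: str
    dst_net: IPNetwork
    service: Service


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: IPAddress
    out_iface: str                   # interface chosen by the route lookup
    dst: IPAddress
    protocol: str
    dst_port: Optional[int] = None


def service_matches(svc: Service, pkt: Packet) -> bool:
    if svc.protocol not in ("all", pkt.protocol):
        return False
    return svc.dst_port is None or svc.dst_port == pkt.dst_port


def rule_matches(rule: IPRule, pkt: Packet) -> bool:
    # An IPv6 address is never "in" an IPv4 network (and vice versa), so a
    # rule only ever matches packets of its own address family.
    return (rule.src_iface in ("any", pkt.in_iface)
            and rule.dst_iface in ("any", pkt.out_iface)
            and pkt.src in rule.src_net
            and pkt.dst in rule.dst_net
            and service_matches(rule.service, pkt))


def evaluate(rule_set: List[IPRule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule decides. No match, including the empty rule set
    of a fresh install, means the packet is dropped."""
    for rule in rule_set:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "Drop", None


# Constructed sample "main" rule set. "core" stands for the gateway itself,
# the destination interface for pings aimed at the firewall's own address.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_IP = ipaddress.ip_network("192.168.1.1/32")
ALL_NETS = ipaddress.ip_network("0.0.0.0/0")
HTTP = Service("http", "tcp", 80)
PING = Service("ping", "icmp")
ALL = Service("all_services", "all")

EXAMPLE_RULES = [
    IPRule("ping_fw", "Allow", "lan", LAN_NET, "core", LAN_IP, PING),
    IPRule("lan_http", "NAT", "lan", LAN_NET, "wan", ALL_NETS, HTTP),
    # A trailing catch-all Drop is redundant with the default deny but makes
    # the decision visible in logs; because first match wins it must be last.
    IPRule("drop_all", "Drop", "any", ALL_NETS, "any", ALL_NETS, ALL),
]


def pkt(in_iface, src, out_iface, dst, proto, port=None) -> Packet:
    """Convenience constructor taking addresses as strings."""
    return Packet(in_iface, ipaddress.ip_address(src), out_iface,
                  ipaddress.ip_address(dst), proto, port)


if __name__ == "__main__":
    for p in (pkt("lan", "192.168.1.10", "wan", "203.0.113.5", "tcp", 80),
              pkt("lan", "192.168.1.10", "wan", "203.0.113.5", "tcp", 22),
              pkt("lan", "192.168.1.10", "core", "192.168.1.1", "icmp"),
              pkt("wan", "198.51.100.7", "lan", "192.168.1.10", "tcp", 80)):
        print(p.in_iface, "->", p.out_iface, p.protocol, p.dst_port,
              evaluate(EXAMPLE_RULES, p))
```

Two things the model makes visible that the criteria list alone does not: the outbound interface is an input to rule matching, so routing happens before the rule set is consulted; and an empty rule set returns Drop for everything, which is why a freshly installed gateway does not even answer ping until an administrator adds a rule toward its own address.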

Chapter 3: Fundamentals
