
Caution: use the network option with care – Amer Networks E5Web GUI User Manual


policy that allows the connections.

When specifying the Source Network for an IP rule or policy, a user-defined IP object can be used
that has its Authentication Group property set. The IP rule or policy then applies only to
logged-in clients that also belong to the group associated with the source network; an
unauthenticated client, or one authenticated into a different group, does not match the rule.

Alternatively, the Destination Network could also be used so that only authenticated servers are
available to clients. Authentication of a server is achieved by opening a single connection once
to cOS Core as though the server were a client.

The purpose of this is to restrict access to certain networks to a particular group by having IP
rules or policies which will only apply to members of that group. To gain access to a resource
there must be an IP rule or policy that allows it and the client must belong to the same group as
that specified for the Source Network or Destination Network address object.
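The following model of group-restricted rule matching is an added illustration and is not cOS Core code. It assumes only what the text states: a rule matches when the source (and destination) address lies in the rule's address object and, where that object carries an Authentication Group, the client at that address is currently logged in as a member of that group. It also shows the destination-side case, where a server authenticates once as a client so that only authenticated servers are reachable. Object names, addresses, groups and the session table are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class IPObject:
    """A user-defined IP address object, optionally tied to an Authentication Group."""
    name: str
    network: ipaddress.IPv4Network
    auth_group: Optional[str] = None  # Authentication Group property, if set


@dataclass(frozen=True)
class IPRule:
    name: str
    source: IPObject
    destination: IPObject
    action: str  # "Allow" or "Drop"


# Currently logged-in clients: address -> groups the login granted.
AuthTable = Dict[str, FrozenSet[str]]


def object_matches(obj: IPObject, ip: ipaddress.IPv4Address, auth: AuthTable) -> bool:
    """An object with an Authentication Group matches only a logged-in member of that group."""
    if ip not in obj.network:
        return False
    if obj.auth_group is None:
        return True
    return obj.auth_group in auth.get(str(ip), frozenset())


def lookup(rules: List[IPRule], src: str, dst: str, auth: AuthTable) -> Tuple[Optional[str], str]:
    """First matching rule wins; traffic matching no rule is dropped."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if object_matches(rule.source, src_ip, auth) and object_matches(rule.destination, dst_ip, auth):
            return rule.name, rule.action
    return None, "Drop"


# Constructed sample configuration; all names and addresses are invented.
LAN_FINANCE = IPObject("lan_finance", ipaddress.ip_network("192.168.1.0/24"), auth_group="finance")
LAN_ANY = IPObject("lan", ipaddress.ip_network("192.168.1.0/24"))
FINANCE_SERVERS = IPObject("finance_servers", ipaddress.ip_network("10.0.0.0/24"))
AUTH_SERVERS = IPObject("auth_servers", ipaddress.ip_network("10.0.1.0/24"), auth_group="servers")

RULES = [
    IPRule("finance_to_servers", LAN_FINANCE, FINANCE_SERVERS, "Allow"),
    IPRule("lan_to_auth_servers", LAN_ANY, AUTH_SERVERS, "Allow"),
]

# Constructed authentication state: who is logged in, and with which groups.
SESSIONS: AuthTable = {
    "192.168.1.10": frozenset({"finance"}),
    "192.168.1.11": frozenset({"sales"}),
    "10.0.1.5": frozenset({"servers"}),  # a server that authenticated once, as a client would
}


def demo() -> Dict[str, str]:
    """Evaluate a few constructed flows against RULES and SESSIONS."""
    cases = {
        "finance member": ("192.168.1.10", "10.0.0.5"),
        "sales member": ("192.168.1.11", "10.0.0.5"),
        "not logged in": ("192.168.1.12", "10.0.0.5"),
        "authenticated server": ("192.168.1.11", "10.0.1.5"),
        "unauthenticated server": ("192.168.1.11", "10.0.1.6"),
    }
    return {label: lookup(RULES, s, d, SESSIONS)[1] for label, (s, d) in cases.items()}


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label:24s} -> {action}")
```

Note that the sales member and the never-logged-in client sit in the same 192.168.1.0/24 as the finance member; the address alone is not what grants access, the group membership recorded at login is. Likewise 10.0.1.6 is inside the auth_servers object but has never authenticated, so no rule allows traffic to it.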

Granting Administration Privileges

When a user is defined, it can also be added to two default administration groups:

The administrators group

Members of this group can log into cOS Core through the Web Interface or InControl as well
as through the remote CLI interface and are allowed to edit the cOS Core configuration.

The auditors group

This is similar to the administrators group but members are only allowed to view the
configuration and cannot change it.

PPTP/L2TP Configuration

If a client is connecting to the Clavister Security Gateway using PPTP/L2TP then the following
three options can also be specified for the user in the local cOS Core user database:

Static Client IP Address

This is the IP address which the client must have if it is to be authenticated. If it is not
specified then the user can connect from any IP address. This option offers extra security for
users with fixed IP addresses, since a valid username and password alone is then not enough.

Network behind user

If a network is specified for this user then, when the user connects, a route is automatically
added to the cOS Core main routing table. The existence of this added route means that any
traffic destined for the specified network will be correctly routed through the user's
PPTP/L2TP tunnel.

When the connection to the user ends, the route is automatically removed by cOS Core.

Caution: Use the network option with care

The administrator should think carefully what the consequences of using this option
will be. For example, setting this option to all-nets will possibly direct all Internet
traffic through the tunnel to this user.
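The following is an added illustration of what the caution describes, not cOS Core code. It models the main routing table with standard IPv4 forwarding semantics, which are assumed here rather than taken from the manual: the longest matching prefix wins and a lower metric breaks ties. It shows the intended use (a remote site's network behind a user becomes reachable only while the tunnel is up), the all-nets case where a user's tunnel with a better metric than the WAN default route captures all Internet traffic, and a pre-commit check an administrator could run on a proposed value. Interface names, addresses and metrics are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    metric: int = 100


class RoutingTable:
    """Minimal main routing table: longest prefix wins, lower metric breaks ties (assumed semantics)."""

    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def remove(self, route: Route) -> None:
        self.routes.remove(route)

    def lookup(self, dst: str) -> Optional[str]:
        dst_ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst_ip in r.network]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
        return best.interface


def user_connects(table: RoutingTable, tunnel_if: str, network_behind_user: str, metric: int = 100) -> Route:
    """Tunnel comes up: the user's configured network is routed via the tunnel interface."""
    route = Route(ipaddress.ip_network(network_behind_user), tunnel_if, metric)
    table.add(route)
    return route


def user_disconnects(table: RoutingTable, route: Route) -> None:
    """Tunnel goes down: the automatically added route is withdrawn again."""
    table.remove(route)


def check_network_behind_user(network: str, local_networks: List[str]) -> List[str]:
    """Review a proposed 'Network behind user' value before committing it.

    Flags all-nets, and any value at least as specific as a local network it overlaps,
    because such a route would win (or tie) against the local route for those addresses.
    """
    net = ipaddress.ip_network(network)
    warnings = []
    if net.prefixlen == 0:
        warnings.append("all-nets: every destination without a more specific route will use this tunnel")
    for local in map(ipaddress.ip_network, local_networks):
        if net.overlaps(local) and net.prefixlen >= local.prefixlen:
            warnings.append(f"{net} is at least as specific as local network {local} and would capture that traffic")
    return warnings


def base_table() -> RoutingTable:
    """Constructed main routing table; interface names are invented."""
    return RoutingTable([
        Route(ipaddress.ip_network("192.168.1.0/24"), "lan"),
        Route(ipaddress.ip_network("10.0.0.0/24"), "dmz"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "wan", metric=100),
    ])


def demo_branch_office() -> Dict[str, object]:
    """Intended use: 172.16.5.0/24 sits behind the user and is reachable only while connected."""
    table = base_table()
    before = table.lookup("172.16.5.9")
    route = user_connects(table, "l2tp_user1", "172.16.5.0/24")
    during = (table.lookup("172.16.5.9"), table.lookup("8.8.8.8"))
    user_disconnects(table, route)
    after = table.lookup("172.16.5.9")
    return {"before": before, "during": during, "after": after}


def demo_all_nets() -> Dict[str, object]:
    """The cautioned case: all-nets with a better metric than the WAN default route."""
    table = base_table()
    route = user_connects(table, "l2tp_user1", "0.0.0.0/0", metric=90)
    during = (table.lookup("8.8.8.8"), table.lookup("192.168.1.5"))
    user_disconnects(table, route)
    return {"during": during, "after": table.lookup("8.8.8.8")}


if __name__ == "__main__":
    print("branch office:", demo_branch_office())
    print("all-nets:", demo_all_nets())
    print("check:", check_network_behind_user("0.0.0.0/0", ["192.168.1.0/24", "10.0.0.0/24"]))
```

In the all-nets case the LAN route still wins for 192.168.1.5 because /24 is more specific than /0, but every Internet-bound packet is sent to the user's tunnel for as long as the user stays connected, and it is one user's credentials that decide when that happens.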

Metric for Networks

Chapter 8: User Authentication
