This chapter describes what Access Policies do and how the various elements that comprise an Access Policy are related. It is divided into the following two main sections:
A firewall provides a network boundary with a single point of entry and exit-a choke point. Because all incoming and outgoing traffic must pass through the choke point, you can screen and direct all that traffic through the implementation of a set of Access Policies-the Access Control List (ACL).
Access Policies allow you to permit, deny, encrypt, authenticate, prioritize, schedule, and monitor the traffic attempting to cross your firewall, whether incoming, outgoing, to the DMZ (NetScreen-10 and -100), or from the DMZ. You decide which users and what information can enter and leave, and when and where they can go.
|
|
Note: Access Policies set in the root system of the NetScreen-1000 do not affect Access Policies set in Virtual Systems.
|
.
An Access Policy must contain the following elements:
· Addresses (source and destination)
· Action (permit, deny, tunnel)
An Access Policy can also contain the following elements:
The remainder of this section examines each of the above elements in turn.
Addresses are objects that identify network devices such as hosts and networks by their location in relation to the firewall-on the Trusted side, the Untrusted side, or in the DMZ (NetScreen-10 and -100). Individual hosts are specified using the mask 255.255.255.255, indicating that all 4 bytes of the address are significant. Networks are specified using their subnet mask to indicate which bytes are significant. To create an Access Policy for specific addresses, you must first create entries for the relevant hosts and networks in the address book.
You can also create address groups and apply Access Policies to them as you would to other address book entries.
When using address groups as elements of Access Policies, be aware that because the NetScreen device applies the Access Policy to each address in the group, the number of available Access Policies can become depleted more quickly than expected. This is a danger especially when you use address groups for both the source and destination.
Services are objects that identify application protocols using layer 4 information such as standard and accepted TCP and UDP port numbers for application services like Telnet, FTP, SMTP, and HTTP. NetScreen includes predefined core Internet services. Additionally, the administrator can define custom services. You can define Access Policies that specify which services are permitted, denied, encrypted, authenticated, logged, or counted, and which trigger an alarm.
Actions are objects that describe what the firewall does to the traffic it receives.
·
Permit allows the packet to pass the firewall.
·
Deny blocks the packet from traversing the firewall.
·
Tunnel encrypts and authenticates data using IPSec. After selecting Tunnel, specify which VPN tunnel to use.
The NetScreen device applies the specified action on traffic that matches the first two criteria: addresses (source and destination) and service.
You can apply a single Access Policy or multiple Access Policies to any VPN tunnel that you have configured. In the WebUI, the VPN Tunnel option provides a drop-down list of all such tunnels. In the CLI, you can see all available tunnels with the
get vpn command.
Selecting this option requires the user at the source address to authenticate his/her identity by supplying a user name and password before traffic is allowed to traverse the firewall or enter the VPN tunnel. The NetScreen device can use the internal user database or an external RADIUS, SecurID, or LDAP server to perform the authentication check.
By associating a schedule to an Access Policy, you can determine when the Access Policy is in effect. You can configure schedules on a recurring basis and as a one-time event. Schedules provide a powerful tool in controlling the flow of network traffic and in enforcing network security. For an example of the latter, if you were concerned about employees transmitting important data outside the company, you might set an Access Policy that blocked outbound FTP-Put and MAIL traffic after normal business hours.
In the WebUI, define schedules in the Schedule section. In the CLI, use the set schedule command. For more information on setting schedules, see.
|
|
Note: In the WebUI, scheduled Access Policies appear in green to indicate that the current time is not within the defined schedule. When a scheduled Access Policy becomes active, it appears in red.
|
When you enable
logging in an Access Policy, the NetScreen device logs all connections to which that particular Access Policy applies. You can view the logs through either the WebUI or CLI, and the graphs in the Monitor section of the WebUI.
When you enable
counting in an Access Policy, the NetScreen device counts the total number of bytes of traffic to which this Access Policy applies and records the information in historical graphs.
You can set a threshold that triggers an alarm when the traffic permitted by the Access Policy exceeds a specified number of bytes per second, bytes per minute, or both. Because the traffic alarm requires the NetScreen device to monitor the total number of bytes, you must also enable the counting feature.
You can set parameters for the control and shaping of traffic for each Access Policy. The traffic shaping parameters include:
Guaranteed Bandwidth: Guaranteed throughput in kilobits per second (kbps). Traffic below this threshold passes with the highest priority without being subject to any traffic management or shaping mechanism.
Maximum Bandwidth: Secured bandwidth available to the type of connection being specified in kilobits per second (kbps). Traffic beyond this threshold will be throttled and dropped.
|
|
Note: It is advised that you do not use rates less than 10 kbps. Rates below this threshold lead to dropped packets and excessive retries that defeat the purpose of traffic management.
|
Traffic Priority: When traffic bandwidth falls between the guaranteed and maximum settings, the NetScreen device passes higher priority traffic first, and lower priority traffic only if there is no other higher priority traffic. There are eight priority levels.
DS Codepoint Marking: Differentiated Services (DiffServ) is a system for tagging (or "marking") traffic at a position within a hierarchy of priority. The eight NetScreen priority levels can be mapped to the DiffServ system. By default, the highest priority (priority 0) maps to the first three bits (111) in the DS field (see RFC 2472) or the IP precedence field in the TOS byte (see RFC 1349) in the IP packet header. The lowest priority (priority 8) in the NetScreen system maps to 000 in the DiffServ system.
To change the mapping between the NetScreen priority levels and the DS system, use the following CLI command:
set traffic-shaping ip_precedence <number for priority 0 (highest priority)> <number for priority 1> <number for priority 2> <number for priority 3> <number for priority 4> <number for priority 5> <number for priority 6> <number for priority 7>
This section describes the management of Access Policies: viewing, creating, ordering and reordering, modifying, and removing Access Policies.
To view Access Policies through the WebUI, click
Policy >> Incoming | Outgoing | To DMZ | From DMZ. In the CLI, use the
get policy command.
When viewing a list of Access Policies, the WebUI uses icons to provide you a graphical summary of policy components. The table below defines the different icons used in the Access Policies page.
|
|
|
|
|
|
|
All traffic meeting the criteria is passed.
|
|
|
|
All traffic meeting the criteria is denied.
|
|
|
|
All traffic meeting the criteria is encrypted.
|
|
|
|
There is a VPN configuration error (Action: Tunnel; VPN Tunnel: None), so no encryption is applied.
|
|
|
|
The user must authenticate himself/herself when initiating a connection.
|
|
|
|
All traffic is logged and made available for syslog and e-mail, if enabled.
|
|
|
|
The amount of traffic is counted in bytes per second.
|
|
|
|
Indicates that you have set alarm thresholds.
|
|
|
|
Bandwidth shaping is active.
|
|
|
|
An Access Policy is only active during the time defined by the chosen schedule.
|
Access Policies define the security of your network. You can set Access Policies to accept, deny, encrypt, and authenticate the network traffic travelling through the Netscreen device.
|
|
Note: The default policy for the NetScreen-10, -100, and 1000 is to deny all access. The NetScreen-5 default Access Policy denies all inbound traffic but allows all outbound traffic.
|
You assign an Access Policy for one of four directions, based on the intended source and destination addresses: Incoming, Outgoing, To DMZ, or From DMZ.
The differences are categorized as follows:
Example: Typical ACL for a Small-to-Medium Enterprise
A small software firm, ABC Design, has divided its Trusted network into two subnets:
· Engineering (with the defined address "Engineering")
· The rest of the company (with the defined address "Office").
It also has a DMZ for its Web and mail servers.
The following example presents a typical set of Access Policies for the following users:
· Engineering is permitted to use all the services for outbound traffic except FTP-Put, IMAP, MAIL, and POP3.
· Office is permitted to use e-mail and access the Internet, provided they authenticate themselves.
· The entire company can access the company Web and mail servers on the DMZ.
· There is also a group of system administrators (with the defined address "Sys-admins"), who have complete user and administrative access to the servers on the DMZ.
|
|
|
|
|
|
|
|
Com (service group: FTP-Put, IMAP, MAIL, POP3)
|
|
|
|
|
|
|
|
|
|
Internet (service group: FTP-Get, HTTP, HTTPS)
|
|
Incoming (Default Access Policy)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Web (service group: HTTP, HTTPS)
|
|
|
|
|
e-mail (service group: IMAP, MAIL, POP3)
|
|
|
|
|
|
|
1. Policy >> Outgoing >> New Policy: Enter the following, and then click
OK:
Source Address: Inside Any
Destination Address: Outside Any
2. Policy >> Outgoing >> New Policy: Enter the following, and then click
OK:
Source Address: Engineering
Destination Address: Outside Any
3. Policy >> Outgoing >> New Policy: Enter the following, and then click
OK:
Destination Address: Outside Any
Authentication: (select)
|
|
Note: For incoming traffic, use the default Access Policy to deny everything.
|
4. Policy >> To DMZ >> New Policy: Enter the following, and then click
OK:
Source Address: Outside Any
Destination Address: mail.abc.com
5. Policy >> To DMZ >> New Policy: Enter the following, and then click
OK:
Source Address: Outside Any
Destination Address: www.abc.com
6. Policy >> To DMZ >> New Policy: Enter the following, and then click
OK:
Source Address: Inside Any
Destination Address: mail.abc.com
7. Policy >> To DMZ >> New Policy: Enter the following, and then click
OK:
Source Address: Inside Any
Destination Address: www.abc.com
8. Policy >> To DMZ >> New Policy: Enter the following, and then click
OK:
Source Address: Sys-admins
Destination Address: DMZ Any
9. Policy >> From DMZ >> New Policy: Enter the following, and then click
OK:
Source Address: mail.abc.com
Destination Address: Outside Any
1. set policy outgoing "inside any" "outside any" com deny
2. set policy outgoing engineering "outside any" any permit
3. set policy outgoing office "outside any" internet permit auth
4. set policy todmz "outside any" mail.abc.com mail permit
5. set policy todmz "outside any" www.abc.com web permit
6. set policy todmz "inside any" mail.abc.com e-mail permit
7. set policy todmz "inside any" www.abc.com internet permit
8. set policy todmz sys-admins "dmz any" any permit
9. set policy fromdmz mail.abc.com "outside any" mail permit
Modifying Access Policies
After you create an Access Policy, you can always return to it to make modifications. In the WebUI, you click the
Edit link in the Configure column for the Access Policy that you want to change. In the Policy Configuration dialog box that appears for that Access Policy, make your changes and then click
OK. In the CLI, you use the
set policy command.
Example: Disabling an Access Policy through the Schedule Feature
NetScreen does not provide a specific method for enabling and disabling Access Policies. After you create an Access Policy, it is automatically enabled. However, you can use the schedule feature to effectively accomplish the same enabling and disabling function.
You must first, create a schedule for a one-time event that started and stopped in the past and name it "disable." Then you apply that schedule to whatever Access Policy you want to disable. When you want to enable it again, change the schedule back to None (or to another schedule).
Policy >> Incoming | Outgoing | To DMZ | From DMZ >> Edit: In the Schedule drop-down list, select
disable, and then click
OK.
1. set policy {incoming | outgoing | todmz | fromdmz} <source address> <destination address> <service> <action> schedule disable
Reordering Access Policies
The NetScreen device checks all attempts to traverse the firewall against Access Policies, beginning with the first one listed in the ACL for the appropriate direction (outgoing, incoming, to DMZ, from DMZ) and moving through the list. Because action applies to the first matching Access Policy, you must arrange them from the most specific to the most general. (Whereas a specific Access Policy does not preclude the application of a more general Access Policy located down the list, a general Access Policy appearing before a specific one does.)
To move an Access Policy to a different position in the ACL, do the following:
1. Policy >> Incoming | Outgoing | To DMZ | From DMZ: Click the circular arrows in the Configure column to display the Move Policy Micro dialog box:
2. Change the order of the Access Policy to fit your needs, and then click the
OK button.
The Access Policies page reappears with the Access Policy you moved in its new position.
1. set policy move <id number> {before | after} <number>
Example: Reordering Home-to-Office Access Policies
By setting priority levels and guaranteed bandwidth levels for outbound traffic, you can ensure that important traffic always has enough bandwidth. At home, you might want to set up the following three Access Policies on your NetScreen-5 to ensure that you can still reach your office through your home-to-office VPN even when your children are playing games on the Internet. (These Access Policies also ensure that you have enough bandwidth to play games on the Internet when your children are doing the same thing.)
|
|
|
|
|
|
Guaranteed and Maximum Bandwidth 1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Tunnel (VPN Tunnel: home-corp)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1
The bandwidth for the Trusted and Untrusted interface is set at 5 Mbps per interface.
|
Note that if the three Access Policies are ordered as shown above, the NetScreen device only applies the first Access Policy to outgoing traffic. You must move the Access Policy #0 to the bottom of the list.
1. Policy >> Outgoing: Click the circular arrows in the Configure column for Access Policy ID #0.
2. In the Move Policy Micro dialog box that appears, enter the following, and then click
OK:
1. set policy move 0 after 2
Removing an Access Policy
In addition to modifying an Access Policy, you can also delete it from the ACL. In the WebUI, you click
Remove in the Configure column for the Access Policy that you want to remove. When the system message prompts for confirmation to proceed with the removal, click
Yes. In the CLI, use the
unset policy <number> command.
1
"Com" is a service group with the following members: FTP-Put, MAIL, IMAP, and POP3.
2
"Internet" is a service group with the following members: FTP-Get, HTTP, and HTTPS.
3
"Web" is a service group with the following members: HTTP and HTTPS.
4
"e-mail" is a service group with the following members: MAIL, IMAP, and POP3.
