



Chapter 11
Access Policies
This chapter describes what Access Policies do and how the various elements that comprise an Access Policy are related. It is divided into the following two main sections:
· "Access Policies Defined"
· "Access Policies Applied"
Access Policies Defined
A firewall provides a network boundary with a single point of entry and exit: a choke point. Because all incoming and outgoing traffic must pass through the choke point, you can screen and direct all of that traffic by implementing a set of Access Policies, the Access Control List (ACL).
Access Policies allow you to permit, deny, encrypt, authenticate, prioritize, schedule, and monitor the traffic attempting to cross your firewall, whether incoming, outgoing, to the DMZ (NetScreen-10 and -100), or from the DMZ. You decide which users and what information can enter and leave, and when and where they can go.
Note: Access Policies set in the root system of the NetScreen-1000 do not affect Access Policies set in Virtual Systems.
Anatomy of a Policy
An Access Policy must contain the following elements:
· Addresses (source and destination)
· Service
· Action (permit, deny, tunnel)
An Access Policy can also contain the following elements:
· VPN tunneling
· Authentication
· Logging
· Counting
· Traffic alarm settings
· Scheduling
· Traffic shaping
The remainder of this section examines each of the above elements in turn.

Addresses
Addresses are objects that identify network devices such as hosts and networks by their location in relation to the firewall: on the Trusted side, the Untrusted side, or in the DMZ (NetScreen-10 and -100). Individual hosts are specified using the mask 255.255.255.255, indicating that all 4 bytes of the address are significant. Networks are specified using their subnet mask to indicate which bytes are significant. To create an Access Policy for specific addresses, you must first create entries for the relevant hosts and networks in the address book.
You can also create address groups and apply Access Policies to them as you would to other address book entries.
When using address groups as elements of Access Policies, be aware that because the NetScreen device applies the Access Policy to each address in the group, the number of available Access Policies can become depleted more quickly than expected. This is a danger especially when you use address groups for both the source and destination.
Services
Services are objects that identify application protocols using layer 4 information such as standard and accepted TCP and UDP port numbers for application services like Telnet, FTP, SMTP, and HTTP. NetScreen includes predefined core Internet services. Additionally, the administrator can define custom services. You can define Access Policies that specify which services are permitted, denied, encrypted, authenticated, logged, or counted, and which trigger an alarm.
Actions
Actions are objects that describe what the firewall does to the traffic it receives.
· Permit allows the packet to pass the firewall.
· Deny blocks the packet from traversing the firewall.
· Tunnel encrypts and authenticates data using IPSec. After selecting Tunnel, specify which VPN tunnel to use.
The NetScreen device applies the specified action on traffic that matches the first two criteria: addresses (source and destination) and service.
VPN Tunnel
You can apply a single Access Policy or multiple Access Policies to any VPN tunnel that you have configured. In the WebUI, the VPN Tunnel option provides a drop-down list of all such tunnels. In the CLI, you can see all available tunnels with the get vpn command.
Authentication
Selecting this option requires the user at the source address to authenticate his/her identity by supplying a user name and password before traffic is allowed to traverse the firewall or enter the VPN tunnel. The NetScreen device can use the internal user database or an external RADIUS, SecurID, or LDAP server to perform the authentication check.
Schedules
By associating a schedule to an Access Policy, you can determine when the Access Policy is in effect. You can configure schedules on a recurring basis and as a one-time event. Schedules provide a powerful tool in controlling the flow of network traffic and in enforcing network security. For an example of the latter, if you were concerned about employees transmitting important data outside the company, you might set an Access Policy that blocked outbound FTP-Put and MAIL traffic after normal business hours.
In the WebUI, define schedules in the Schedule section. In the CLI, use the set schedule command. For more information on setting schedules, see.
Note: In the WebUI, scheduled Access Policies appear in green to indicate that the current time is not within the defined schedule. When a scheduled Access Policy becomes active, it appears in red.

Logging
When you enable logging in an Access Policy, the NetScreen device logs all connections to which that particular Access Policy applies. You can view the logs through either the WebUI or CLI, and the graphs in the Monitor section of the WebUI.
Counting
When you enable counting in an Access Policy, the NetScreen device counts the total number of bytes of traffic to which this Access Policy applies and records the information in historical graphs.
Alarm Threshold
You can set a threshold that triggers an alarm when the traffic permitted by the Access Policy exceeds a specified number of bytes per second, bytes per minute, or both. Because the traffic alarm requires the NetScreen device to monitor the total number of bytes, you must also enable the counting feature.
Traffic Shaping
You can set parameters for the control and shaping of traffic for each Access Policy. The traffic shaping parameters include:
Guaranteed Bandwidth: Guaranteed throughput in kilobits per second (kbps). Traffic below this threshold passes with the highest priority and is not subject to any traffic management or shaping mechanism.
Maximum Bandwidth: The ceiling, in kilobits per second (kbps), on the bandwidth available to the traffic matched by this Access Policy. Traffic beyond this threshold is throttled and dropped.
Note: It is advised that you do not use rates less than 10 kbps. Rates below this threshold lead to dropped packets and excessive retries that defeat the purpose of traffic management.

Traffic Priority: When traffic bandwidth falls between the guaranteed and maximum settings, the NetScreen device passes higher priority traffic first, and lower priority traffic only if there is no other higher priority traffic. There are eight priority levels.
DS Codepoint Marking: Differentiated Services (DiffServ) is a system for tagging (or "marking") traffic at a position within a hierarchy of priority. The eight NetScreen priority levels can be mapped to the DiffServ system. By default, the highest priority (priority 0) maps to the first three bits (111) of the DS field (see RFC 2474) or, equivalently, of the IP precedence field in the TOS byte (see RFC 1349) in the IP packet header. The lowest priority (priority 7) in the NetScreen system maps to 000 in the DiffServ system.
To change the mapping between the NetScreen priority levels and the DS system, use the following CLI command:
set traffic-shaping ip_precedence <number for priority 0 (highest priority)> <number for priority 1> <number for priority 2> <number for priority 3> <number for priority 4> <number for priority 5> <number for priority 6> <number for priority 7>
Access Policies Applied
This section describes the management of Access Policies: viewing, creating, ordering and reordering, modifying, and removing Access Policies.
Viewing Access Policies
To view Access Policies through the WebUI, click Policy >> Incoming | Outgoing | To DMZ | From DMZ. In the CLI, use the get policy command.
Access Policy Icons
When viewing a list of Access Policies, the WebUI uses icons to provide a graphical summary of policy components. The table below defines the functions represented by the icons on the Access Policies page.

Function            Description
Permit              All traffic meeting the criteria is passed.
Deny                All traffic meeting the criteria is denied.
Encrypt enabled     All traffic meeting the criteria is encrypted.
Encrypt disabled    There is a VPN configuration error (Action: Tunnel; VPN Tunnel: None), so no encryption is applied.
Authenticate        The user must authenticate himself/herself when initiating a connection.
Log                 All traffic is logged and made available for syslog and e-mail, if enabled.
Count               The amount of traffic is counted in bytes per second.
Alarm               Indicates that you have set alarm thresholds.
Traffic Shaping     Bandwidth shaping is active.
Schedule            The Access Policy is only active during the time defined by the chosen schedule.

Creating Access Policies
Access Policies define the security of your network. You can set Access Policies to accept, deny, encrypt, and authenticate the network traffic travelling through the NetScreen device.
Note: The default policy for the NetScreen-10, -100, and -1000 is to deny all access. The NetScreen-5 default Access Policy denies all inbound traffic but allows all outbound traffic.

Access Policy Location
You assign an Access Policy to one of four directions, based on the intended source and destination addresses: Incoming, Outgoing, To DMZ, or From DMZ.
The differences are categorized as follows:

TRAFFIC        Outgoing     Incoming             To DMZ                From DMZ
Source         Trusted      Untrusted            Trusted, Untrusted    DMZ
Destination    Untrusted    Trusted, MIP, VIP    DMZ                   Trusted, Untrusted

Example: Typical ACL for a Small-to-Medium Enterprise
A small software firm, ABC Design, has divided its Trusted network into two subnets:
· Engineering (with the defined address "Engineering")
· The rest of the company (with the defined address "Office").
It also has a DMZ for its Web and mail servers.
The following example presents a typical set of Access Policies for the following users:
· Engineering is permitted to use all the services for outbound traffic except FTP-Put, IMAP, MAIL, and POP3.
· Office is permitted to use e-mail and access the Internet, provided they authenticate themselves.
· The entire company can access the company Web and mail servers on the DMZ.
· There is also a group of system administrators (with the defined address "Sys-admins"), who have complete user and administrative access to the servers on the DMZ.

Outgoing

Source         Destination    Service                                           Action
Inside Any     Outside Any    Com (service group: FTP-Put, IMAP, MAIL, POP3)    Deny
Engineering    Outside Any    Any                                               Permit
Office         Outside Any    Internet (service group: FTP-Get, HTTP, HTTPS)    Permit (+ Authentication)

Incoming (Default Access Policy)

Source         Destination    Service    Action
Outside Any    Inside Any     Any        Deny

To DMZ

Source         Destination     Service                                     Action
Outside Any    mail.abc.com    MAIL                                        Permit
Outside Any    www.abc.com     Web (service group: HTTP, HTTPS)            Permit
Inside Any     mail.abc.com    e-mail (service group: IMAP, MAIL, POP3)    Permit
Inside Any     www.abc.com     Internet                                    Permit
Sys-admins     DMZ Any         Any                                         Permit

From DMZ

Source          Destination    Service    Action
mail.abc.com    Outside Any    MAIL       Permit


WebUI
1. Policy >> Outgoing >> New Policy: Enter the following, and then click OK:
Source Address: Inside Any
Destination Address: Outside Any
Service: Com [1]
Action: Deny
2. Policy >> Outgoing >> New Policy: Enter the following, and then click OK:
Source Address: Engineering
Destination Address: Outside Any
Service: ANY
Action: Permit
3. Policy >> Outgoing >> New Policy: Enter the following, and then click OK:
Source Address: Office
Destination Address: Outside Any
Service: Internet [2]
Action: Permit
Authentication: (select)
Note: For incoming traffic, use the default Access Policy to deny everything.

4. Policy >> To DMZ >> New Policy: Enter the following, and then click OK:
Source Address: Outside Any
Destination Address: mail.abc.com
Service: MAIL
Action: Permit
5. Policy >> To DMZ >> New Policy: Enter the following, and then click OK:
Source Address: Outside Any
Destination Address: www.abc.com
Service: Web [3]
Action: Permit
6. Policy >> To DMZ >> New Policy: Enter the following, and then click OK:
Source Address: Inside Any
Destination Address: mail.abc.com
Service: e-mail [4]
Action: Permit
7. Policy >> To DMZ >> New Policy: Enter the following, and then click OK:
Source Address: Inside Any
Destination Address: www.abc.com
Service: Internet
Action: Permit
8. Policy >> To DMZ >> New Policy: Enter the following, and then click OK:
Source Address: Sys-admins
Destination Address: DMZ Any
Service: Any
Action: Permit
9. Policy >> From DMZ >> New Policy: Enter the following, and then click OK:
Source Address: mail.abc.com
Destination Address: Outside Any
Service: MAIL
Action: Permit
CLI
1. set policy outgoing "inside any" "outside any" com deny
2. set policy outgoing engineering "outside any" any permit
3. set policy outgoing office "outside any" internet permit auth
4. set policy todmz "outside any" mail.abc.com mail permit
5. set policy todmz "outside any" www.abc.com web permit
6. set policy todmz "inside any" mail.abc.com e-mail permit
7. set policy todmz "inside any" www.abc.com internet permit
8. set policy todmz sys-admins "dmz any" any permit
9. set policy fromdmz mail.abc.com "outside any" mail permit
10. save
Modifying Access Policies
After you create an Access Policy, you can always return to it to make modifications. In the WebUI, you click the Edit link in the Configure column for the Access Policy that you want to change. In the Policy Configuration dialog box that appears for that Access Policy, make your changes and then click OK. In the CLI, you use the set policy command.
Example: Disabling an Access Policy through the Schedule Feature
NetScreen does not provide a specific method for enabling and disabling Access Policies. After you create an Access Policy, it is automatically enabled. However, you can use the schedule feature to accomplish the same enabling and disabling function.
First, create a schedule for a one-time event that started and stopped in the past and name it "disable." Then apply that schedule to whatever Access Policy you want to disable. When you want to enable the Access Policy again, change its schedule back to None (or to another schedule).
WebUI
Policy >> Incoming | Outgoing | To DMZ | From DMZ >> Edit: In the Schedule drop-down list, select disable, and then click OK.
CLI
1. set policy {incoming | outgoing | todmz | fromdmz} <source address> <destination address> <service> <action> schedule disable
2. save
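The schedule behaviour this chapter relies on, both the recurring after-hours window suggested under "Schedules" (blocking outbound FTP-Put and MAIL outside business hours) and the one-time "disable" schedule above, modelled in Python as an added example. This is not NetScreen code; the minute-of-week representation, the Schedule class, and the sample dates are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

# Added example, not NetScreen code: a model of the two schedule kinds the
# chapter describes, recurring (weekly windows) and one-time (an absolute
# start/stop), and of the "disable" trick, a one-time schedule that ended in
# the past. Names, the minute-of-week representation and the sample dates are
# assumptions made for illustration.

MINUTES_PER_DAY = 24 * 60


def minute_of_week(weekday: int, hour: int, minute: int = 0) -> int:
    """Minutes since Monday 00:00; weekday 0 = Monday, as datetime.weekday()."""
    return weekday * MINUTES_PER_DAY + hour * 60 + minute


@dataclass
class Schedule:
    name: str
    # One-time event: (start, stop), stop exclusive.
    once: tuple[datetime, datetime] | None = None
    # Recurring windows as (start, stop) in minutes of the week, stop exclusive.
    # A window with start >= stop wraps past Sunday midnight into Monday.
    recurring: list[tuple[int, int]] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        if self.once is not None:
            start, stop = self.once
            return start <= now < stop
        m = minute_of_week(now.weekday(), now.hour, now.minute)
        for start, stop in self.recurring:
            if start < stop:
                if start <= m < stop:
                    return True
            elif m >= start or m < stop:  # wrap-around window
                return True
        return False


def after_hours() -> Schedule:
    """Active whenever it is not Monday to Friday, 08:00 to 18:00.

    Mon-Thu evenings run to 08:00 the next morning; the Friday window runs
    through the weekend to Monday 08:00, which wraps past the end of the week."""
    windows = [(minute_of_week(d, 18), minute_of_week(d + 1, 8)) for d in range(4)]
    windows.append((minute_of_week(4, 18), minute_of_week(0, 8)))
    return Schedule("after-hours", recurring=windows)


# The chapter's "disable" schedule: a one-time event that started and
# stopped in the past, so it is never active.
DISABLE = Schedule("disable", once=(datetime(2000, 1, 1, 0, 0), datetime(2000, 1, 1, 0, 1)))


def policy_in_effect(schedule: Schedule | None, now: datetime) -> bool:
    """A policy with Schedule: None is always in effect; a scheduled policy
    is in effect only while its schedule is active."""
    return schedule is None or schedule.is_active(now)


if __name__ == "__main__":
    deny_after_hours = after_hours()
    for when in (datetime(2024, 6, 12, 12, 0),   # Wednesday noon: policy idle
                 datetime(2024, 6, 12, 20, 0),   # Wednesday evening: policy active
                 datetime(2024, 6, 15, 12, 0)):  # Saturday: policy active
        print(when, policy_in_effect(deny_after_hours, when))
    print("disabled policy in effect:", policy_in_effect(DISABLE, datetime(2024, 6, 12, 20, 0)))
```

The overnight and weekend windows are the cases worth checking when you build a deny schedule like the one under "Schedules": a window that ends the next morning, or that spans Friday evening to Monday morning, is only correct if the wrap-around is handled, otherwise the deny policy silently lapses at midnight. The "disable" schedule works because a one-time event in the past can never match the current time, so the Access Policy stays configured but is never in effect.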
Reordering Access Policies
The NetScreen device checks all attempts to traverse the firewall against Access Policies, beginning with the first one listed in the ACL for the appropriate direction (outgoing, incoming, to DMZ, from DMZ) and moving through the list. Because action applies to the first matching Access Policy, you must arrange them from the most specific to the most general. (Whereas a specific Access Policy does not preclude the application of a more general Access Policy located down the list, a general Access Policy appearing before a specific one does.)
To move an Access Policy to a different position in the ACL, do the following:
WebUI
1. Policy >> Incoming | Outgoing | To DMZ | From DMZ: Click the circular arrows in the Configure column to display the Move Policy Micro dialog box:


2. Change the order of the Access Policy to fit your needs, and then click the OK button.

The Access Policies page reappears with the Access Policy you moved in its new position.
CLI
1. set policy move <id number> {before | after} <number>
2. save
Example: Reordering Home-to-Office Access Policies
By setting priority levels and guaranteed bandwidth levels for outbound traffic, you can ensure that important traffic always has enough bandwidth. At home, you might want to set up the following three Access Policies on your NetScreen-5 to ensure that you can still reach your office through your home-to-office VPN even when your children are playing games on the Internet. (These Access Policies also ensure that you have enough bandwidth to play games on the Internet when your children are doing the same thing.)
Outgoing Access Policies
ID    Source        Destination    Service    Action                            Guaranteed and Maximum Bandwidth (see note)    Priority
0     Inside Any    Outside Any    Any        Permit                            0 Kbps                                         Low priority
1     Mom/Dad       corp-net       Any        Tunnel (VPN Tunnel: home-corp)    3500 Kbps                                      High priority
2     Mom/Dad       Outside Any    Any        Permit                            1500 Kbps                                      2nd priority

Note: The bandwidth for the Trusted and Untrusted interface is set at 5 Mbps per interface.


Note that if the three Access Policies are ordered as shown above, the NetScreen device applies only Access Policy #0 to outgoing traffic: its source (Inside Any), destination (Outside Any), and service (Any) match every outbound session, so Access Policies #1 and #2 are never consulted and neither the VPN tunnel nor the bandwidth guarantees take effect. You must move Access Policy #0 to the bottom of the list.
WebUI
1. Policy >> Outgoing: Click the circular arrows in the Configure column for Access Policy ID #0.
2. In the Move Policy Micro dialog box that appears, enter the following, and then click OK:
After: (select)
ID: 2
CLI
1. set policy move 0 after 2
2. save
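The first-match lookup and the reordering fix above, together with the ABC Design outgoing ACL from "Creating Access Policies", modelled in Python as an added example. This is not NetScreen code: the address book contents (with "Mom/Dad" as an address group of two hosts), the service port numbers, the shadowed() check, and the move() helper are assumptions made for illustration, and FTP-Put and FTP-Get are left out because they cannot be told apart by port number alone.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example, not NetScreen code: a model of the first-match lookup the
# chapter describes and a check for later policies that an earlier, broader
# policy hides completely. The address book, the service port numbers and the
# policy lists are constructed for illustration; FTP-Put/FTP-Get are omitted
# because they are not distinguishable by port number alone.

ADDRESS_BOOK: dict[str, list[str]] = {
    "inside any": ["0.0.0.0/0"], "outside any": ["0.0.0.0/0"],
    "engineering": ["10.1.1.0/24"], "office": ["10.1.2.0/24"],
    "corp-net": ["10.0.0.0/8"],
    "mom/dad": ["192.168.1.10/32", "192.168.1.11/32"],  # address group of two hosts
}
SERVICES: dict[str, tuple[str, int]] = {
    "mail": ("tcp", 25), "imap": ("tcp", 143), "pop3": ("tcp", 110),
    "http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22),
}
SERVICE_GROUPS: dict[str, list[str]] = {"com": ["mail", "imap", "pop3"], "internet": ["http", "https"]}


@dataclass(frozen=True)
class Policy:
    id: int
    src: str
    dst: str
    service: str
    action: str  # permit | deny | tunnel


def networks(name: str) -> list[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(n) for n in ADDRESS_BOOK[name.lower()]]


def members(service: str) -> set[str] | None:
    """Atomic services a name expands to; None stands for 'any'."""
    if service.lower() == "any":
        return None
    return set(SERVICE_GROUPS.get(service.lower(), [service.lower()]))


def matches(p: Policy, src: str, dst: str, proto: str, port: int) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(s in n for n in networks(p.src)):
        return False
    if not any(d in n for n in networks(p.dst)):
        return False
    svc = members(p.service)
    return svc is None or any(SERVICES[m] == (proto.lower(), port) for m in svc)


def lookup(acl: list[Policy], src: str, dst: str, proto: str, port: int) -> Policy | None:
    """Walk the ACL in order and stop at the first match; None means no
    policy matched and the direction's default policy applies."""
    return next((p for p in acl if matches(p, src, dst, proto, port)), None)


def covers(broad: str, narrow: str) -> bool:
    """True if every network of address entry `narrow` lies inside one of `broad`."""
    return all(any(n.subnet_of(b) for b in networks(broad)) for n in networks(narrow))


def shadowed(acl: list[Policy]) -> list[tuple[int, int]]:
    """(hidden_id, by_id) pairs: a later policy whose addresses and services are
    all covered by an earlier one is never consulted, whatever its action."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            se, sl = members(earlier.service), members(later.service)
            if (covers(earlier.src, later.src) and covers(earlier.dst, later.dst)
                    and (se is None or (sl is not None and sl <= se))):
                found.append((later.id, earlier.id))
                break
    return found


def move(acl: list[Policy], pid: int, after: int) -> list[Policy]:
    """Model of 'set policy move <pid> after <after>'."""
    moved = next(p for p in acl if p.id == pid)
    rest = [p for p in acl if p.id != pid]
    idx = next(i for i, p in enumerate(rest) if p.id == after) + 1
    return rest[:idx] + [moved] + rest[idx:]


def expanded_count(acl: list[Policy]) -> int:
    """Policies consumed once address groups expand, one per source/destination pair."""
    return sum(len(networks(p.src)) * len(networks(p.dst)) for p in acl)


# The chapter's home-to-office ACL in the order it is first shown, and the
# ABC Design outgoing ACL (service groups simplified as above).
HOME = [Policy(0, "Inside Any", "Outside Any", "Any", "permit"),
        Policy(1, "Mom/Dad", "corp-net", "Any", "tunnel"),
        Policy(2, "Mom/Dad", "Outside Any", "Any", "permit")]
ABC = [Policy(1, "Inside Any", "Outside Any", "Com", "deny"),
       Policy(2, "Engineering", "Outside Any", "Any", "permit"),
       Policy(3, "Office", "Outside Any", "Internet", "permit")]
```

Running shadowed(HOME) reports policies 1 and 2 as hidden by policy 0, and lookup(HOME, "192.168.1.10", "10.5.5.5", "tcp", 443) returns the permit from policy 0 rather than the tunnel; after move(HOME, 0, after=2), the same lookup hits the tunnel policy and shadowed() reports nothing. expanded_count(HOME) is 5 for three configured policies, which is the address-group expansion the "Addresses" section warns about. Note that shadowed() only flags policies that are covered in full; a narrower deny placed after a broader permit that overlaps only part of its addresses is not reported and still needs a manual ordering review.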
Removing an Access Policy
In addition to modifying an Access Policy, you can also delete it from the ACL. In the WebUI, you click Remove in the Configure column for the Access Policy that you want to remove. When the system message prompts for confirmation to proceed with the removal, click Yes. In the CLI, use the unset policy <number> command.
[1] "Com" is a service group with the following members: FTP-Put, MAIL, IMAP, and POP3.
[2] "Internet" is a service group with the following members: FTP-Get, HTTP, and HTTPS.
[3] "Web" is a service group with the following members: HTTP and HTTPS.
[4] "e-mail" is a service group with the following members: MAIL, IMAP, and POP3.



NetScreen Technologies Inc.
http://www.netscreen.com
Voice: (408) 730-6000
Fax: (408) 730-6100
sales@netscreen.com