Worksheets for Defining Security Policies
Here are directions and worksheets to help you analyze and define your company's security policy requirements. Once established, SunScreen 3.1 Lite controls access to the network through a set of rules and interface definitions that are created in the administration GUI. The information you accumulate in this section will be used to define your policies. See the SunScreen Reference Manualfor more information. You can find a useful example of installing your Screen in routing mode in the SunScreen 3.1 Configuration Examples document.
To begin the process, create a group of all the IP addresses that SunScreen needs to know. SunScreen identifies network elements--network, subnetworks, and individual hosts--by IP address. Before you can define the rule, you must define all the elements or parts that make up the rule. Several types of addresses need to be defined in SunScreen.
Creating Service Groups
Use the following table to assist you in creating service groups that use any combination of the individual network services. A useful group to define at many sites is an "internet services" group, consisting of public services, such as FTP, e-mail, and WWW. You might want to familiarize yourself with the set of pre-defined network services to avoid creating unnecessary duplicates.
Table 2-1 Services or Service Groups|
Name |
Definition |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Addresses
SunScreen 3.1 Lite uses IP addresses to define the network elements that make up the configuration. These addresses are then used in defining the Screen's network interfaces and as the source and destination addresses for rules and NAT.
The address can be for a single computer, or it can be for a whole network or subnetwork. Additionally, addresses (individual and network) can be grouped together to form an address group. SunScreen 3.1 Lite allows you to define address groups that specifically include or exclude other defined addresses (single IP hosts, ranges, or groups).
Table 2-2 Address Explanations
The following figure shows an example of various types of addresses and can be used as a reference when completing your own network map.
Figure 2-1 Example of a Network Map
In this figure, the following examples of different types of addresses can be seen:
-
The ftp-www server is an example of a single host address (172.16.1.2).
-
Corporate, sales, and the engineering hosts are examples of ranges of addresses. For example, the range of addresses in the engineering hosts, 172.16.5.2 with the netmask 255.255.255.0, is defined as a range of addresses from 171.16.5.2 to 172.16.5.255.
The Internet is an example of a group of addresses, in this case defined as all. The ftp-www server is an example of a single address. The corporate, sales, and engineering hosts are examples of ranges of addresses.
The following worksheets can help you organize the IP addresses. Expand them as necessary. Group the IP addresses and names for the following network elements:
Rules are used to control access to your computer network and to control encryption for access to your data. In preparing to implement rules, you have:
-
Determined the overall services that are available on your network.
-
Determined the services available to a particular user or host and user groups over particular IP addresses.
-
Determined the correct action for the service and addresses for that user or host.
Note -By default, the Screen drops any packets that do not specifically match a rule. This makes it easier to create rules, since you only have to write a rule for the services you want to pass.
|
Name |
IP Address |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 2-4 Address Ranges
|
Name |
Address |
|
|---|---|---|
|
|
Beginning |
Ending |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 2-5 Address Group
|
Name |
Address |
|
|---|---|---|
|
|
Include |
Exclude |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NAT
NAT enables you to map from unregistered addresses to registered addresses allocated by your Internet service provider (ISP). The NAT function of SunScreen 3.1 Lite uses this translation to replace the IP addresses in a packet with other IP addresses. This allows you to use unregistered addresses to number your internal networks and hosts and yet have full connectivity to the Internet. With this Lite version, you can have up to 10 internal addresses that use NAT.
Table 2-6 NAT Map Table|
Type |
Address |
Translated Address |
||
|
Static/Dynamic |
Source |
Destination |
Source |
Destination |
|
|
|
|
|
|
|
|
|
|
|
|
Interfaces
Table 2-7 Screen's Interfaces|
Type |
Interface Name |
Group Address |
Logging Details |
||
|
SNMP Alert |
Logging |
ICMP Reject |
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This Lite version of SunScreen 3.1 only supports two routing interfaces.
Administration Stations
Use this table to collect the information needed to add to Administration Stations.
Table 2-8 Administration Stations|
Name of Certificate associated with Admin Station |
Address of Admin Station |
Key Algorithm |
Data Algorithm |
MAC Algorithm |
Admin User Name |
Access Level |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rules
Use the following Rules worksheet to organize the individual rules you want to use. Space is provided for you to create your own service groups. Make copies of the worksheet, as necessary.
A filled-in sample of the Rules worksheet with the requisite services that you may want for a particular network is included following the Rules table.
Table 2-9 Rules|
Ordered Rule Index |
Service or Service Group |
Source Address |
Destination Address |
Action |
Encryption |
User or Groups of Users Optional |
Time of Day Optional |
Screen Optional |
|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 2-10 Sample for "Rules" Worksheet
|
Ordered Rule Index |
Service or Service Group |
Source Address(es) |
Destination Address(es) |
Action |
Encryption |
|
1 |
ftp |
Internal-net |
Internet |
ALLOW |
NONE |
|
2 |
ftp |
* |
ftp Server |
ALLOW |
NONE |
|
3 |
ftp |
Internet |
Internal-net |
DENY |
NONE |
Four Action Types
This section lists the available action types you use to construct ordered rules.
-
ALLOW options:
-
LOG_NONE
-
LOG_SUMMARY
-
LOG_DETAIL
-
SNMP_NONE
-
SNMP
-
-
DENY options:
-
LOG_NONE
-
LOG_SUMMARY
-
LOG_DETAIL
-
SNMP_NONE
-
SNMP
-
ICMP_NONE
-
ICMP_NET_UNREACHABLE
-
ICMP_HOST_UNREACHABLE
-
ICMP_PORT_UNREACHABLE
-
ICMP_NET_FORBIDDEN
-
ICMP_HOST_FORBIDDEN
-
-
ENCRYPT options:
-
NONE
-
SKIP_Version_1 (for connection to a SunScreen SPF-100 only)
-
You must decide on:
-
Key Algorithm list (depends on the SKIP version chosen: Domestic or Global)
-
Data Algorithm list (depends on the SKIP version chosen: Domestic or Global)
-
SKIP_Version_2 (for connection to all other SKIP-enabled devices) (Optional: Tunnel addresses are allowed.)
-
You must decide on:
-
From Encryptor list
-
To Encryptor list
-
Key Algorithm list (depends on the SKIP version chosen: Domestic or Global)
-
Data Algorithm list (depends on the SKIP version chosen: Domestic or Global)
-
After you define and map out your network and decide on your policy, you use data objects, such as services and addresses, to configure SunScreen 3.1 Lite with the policy rules to control access to your network. When you installed SunScreen 3.1 Lite, you created a policy named "Initial," which is created so you can connect to the Policy Edit page and build your own security policies.
- © 2010, Oracle Corporation and/or its affiliates