SunScreen EFS 3.0 uses ordered sets of rules to implement the security policies for your site. An ordered set of rules means that, when a Screen receives a packet, it matches the packet against each rule in its active policy, in order, until it finds one that applies, and then takes the actions associated with that rule. Once a Screen finds an applicable rule for a packet, it ignores all subsequent rules in its active policy.
Rules do not take effect until you save and activate the policy to which they belong by clicking the Save Changes button located above the Common Objects area, and the Activate button in the bottom area of the Policy List page. SunScreen EFS 3.0 sets up the basic security policy for name service lookups, Routing Information Protocol (RIP) packets, and SunScreen SKIP certificate discovery during installation. You can use the Rules area on the Policy Rules page to specify how your Screen should filter other types of packets.
If the specified filtering rule fails to detect any issued certificate (key) encryption algorithms, it may display the following error message: "An error occurred in detecting the Encryption algorithms. Please check if skipd process is running." If this occurs, use the skipd_restart command to restart the skipd process.
The Policy Rules page lets you add or modify a rule in the SunScreen EFS 3.0 policy. It opens when you click the Add New button (or when you select a rule and click the Edit button) in the Common Objects page.
Some pages use tabs to organize sets of related controls. To display the controls on a tab, click the tab header. The rules area contains four tabs: Packet Filtering, Administrative Access, NAT, and VPN, as described in the following sections. The following table describes the tabs that are available from the Policy Rules page.
Table 3-4 Policy Rules Page Tab Items

| Tab | Description |
|---|---|
| Packet Filtering | Shows the packet filtering rule(s). |
| Administration Access | Defines access rules for local administration and remote Administration Stations through the administration GUI or the command line (see Appendix B). |
| NAT | Maps private network addresses to public network addresses. |
| VPN | Maps name, address, certificate, issued certificate (key) algorithm, data algorithm, MAC algorithm, tunnel address, and description. |
The Packet Filtering tab brings up a panel that allows you to configure packet filtering rules. Use packet filtering to control traffic using a particular service, traffic intended for a particular service, or traffic coming from a particular address.
SunScreen EFS 3.0 uses ordered packet filtering. The Screen assumes that the first rule that matches a packet is the rule that governs the disposition of the packet.
If the packet does not match any rule, the Screen uses its default action to determine the disposition of the packet. Typically, the default action logs the packet and drops it, though other options are available.
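The first-match evaluation described above, as an added Python model that is not part of the SunScreen documentation: rule and address object names are constructed, and the default action is modelled as log-and-drop. It also flags rules that an earlier, broader rule makes unreachable, a consequence of the ordering semantics that the text implies but does not show.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    index: int        # Rule Index (No): lower numbers are evaluated first
    service: str      # network service or service group
    source: str       # address object, or "*" for any source
    destination: str  # address object, or "*" for any destination
    action: str       # ALLOW, DENY, ENCRYPT or SECURE

def field_matches(rule_value: str, value: str) -> bool:
    # An asterisk in a rule field matches any value.
    return rule_value == "*" or rule_value == value

def first_match(rules, service, src, dst) -> Optional[Rule]:
    """Lowest-numbered rule that applies to the packet; later rules are ignored."""
    for rule in sorted(rules, key=lambda r: r.index):
        if (field_matches(rule.service, service) and field_matches(rule.source, src)
                and field_matches(rule.destination, dst)):
            return rule
    return None

def dispose(rules, service, src, dst):
    """(action, rule index, logged). No match: the default action, modelled as log and drop."""
    rule = first_match(rules, service, src, dst)
    if rule is None:
        return ("DENY", None, True)
    return (rule.action, rule.index, False)

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` also matches `earlier`."""
    pairs = ((earlier.service, later.service), (earlier.source, later.source),
             (earlier.destination, later.destination))
    return all(e == "*" or e == l for e, l in pairs)

def shadowed(rules) -> list[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.index)
    return [r.index for i, r in enumerate(ordered) if any(covers(e, r) for e in ordered[:i])]

# Constructed rule sets: a broad DENY placed above a specific ALLOW hides it.
SHADOWED = [Rule(1, "telnet", "*", "*", "DENY"),
            Rule(2, "telnet", "admin-host", "dmz-server", "ALLOW")]
CORRECTED = [Rule(1, "telnet", "admin-host", "dmz-server", "ALLOW"),
             Rule(2, "telnet", "*", "*", "DENY")]
```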
The following fields are available in the Packet Filtering tab:
Rule Index (No) -- (Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.
Screen -- (Optional) Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen.
Service -- Identifies the network service or service group to which this rule applies. Network services and service groups are described in Appendix B, "Services and State Engines."
Source -- The value to which the source address of a packet is compared. If an asterisk (*) appears, any source address meets the criteria of the rule.
Destination -- The value to which the destination address of a packet is compared to determine whether the rule should apply. If an asterisk (*) appears, any destination address meets the criteria of the rule.
Action -- Displays the action for the rule: ALLOW, DENY, ENCRYPT, and SECURE.
Time -- Specifies the time of day for the rule.
Description -- (Optional) Provides a brief description of the packet filtering rule.
Administrative Access rules allow you to specify access and encryption settings for local and remote SunScreen EFS 3.0 administrators.
The Local Access Rules dialog window lets you add or modify administrative access rules for local Administration Stations. Use the fields in the dialog window to type the configuration information for the rule.
Rule Index (No) -- (Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.
Screen -- (Optional) Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen.
User -- Lists the user names of SunScreen EFS administrators. Use the names that you defined for the Administrative User object.
Access Level -- Specifies what actions the designated user can perform:
ALL -- Allows the administrator to display and modify all settings for the Screen.
WRITE -- Administrator can perform all operations except modifying the Administration Access rules for any Policy.
READ -- Administrator can view both the Information and Policy. This level also allows the user to save and clear logs on the information page. With this access level users cannot modify any Policy data.
STATUS -- Administrator can display status information (logs, statistics, status information) but cannot display or modify management settings.
NONE
Description -- (Optional) Provides a brief description of the Administrative Access rule.
The Remote Access Rules dialog window lets you add or modify administrative access rules for remote administration stations. Use the fields in the dialog window to type the configuration information for the rule.
Rule Index (No) -- (Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.
Screen -- (Optional) Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen.
Address Object
User -- Lists the user names of SunScreen EFS administrators. Use the names that you defined for the Administrative User object.
Encryption -- Specifies the version of SunScreen SKIP being used to encrypt traffic between the Screen and the Administration Station.
Certificate Group -- Specifies the name of the certificate group allowed over this interface, which can correspond to a single certificate or a certificate group.
Key Algorithm -- Identifies the algorithm used to encrypt traffic-encrypting issued certificates (keys). The algorithms available depend on the version of SunScreen EFS (U.S./Canada, Export Controlled, or Global) you are using.
Data Algorithm -- Identifies the algorithm used to encrypt message traffic between the Screen and the Administration Station. The algorithms available depend on the version of SunScreen EFS (U.S./Canada, Export Controlled, or Global) you are using.
MAC Algorithm -- Identifies the algorithm used to authenticate traffic.
Tunnel -- Identifies the Tunnel address used for the communication between the remote Administration Station and the Screen.
Access Level -- Specifies what actions the designated user can perform:
ALL -- Administrator can display and modify all settings for the Screen.
WRITE -- Administrator can perform all operations except modifying the Administration Access rules for any Policy.
READ -- Administrator can view both the Information and Policy. This level also allows the user to save and clear logs on the information page. With this access level users cannot modify any Policy data.
STATUS -- Administrator can display status information (logs, statistics, status) but cannot display or modify management settings.
NONE
Description -- (Optional) Provides a brief description of the remote administrative access rule.
The Network Address Translation (NAT) tab allows you to set up mapping rules to translate IP addresses according to specific rules. These rules interpret the source and destination of incoming IP packets, then translate either the apparent source or the intended destination, and send the packets on. You can map hosts, lists of addresses, ranges of addresses, or specific groups, depending on what you have configured in your EFS 3.0 installation. See Address Common Object to define addresses, ranges, or groups of addresses.
In general, you would map addresses to:
Ensure that internal addresses appear as registered addresses on the Internet, or
Send traffic for a specific destination to a different, pre-determined destination.
It is not possible to translate both source and destination addresses -- that is, to make packets appear to come from a different IP address and to simultaneously direct the packets to a different destination.
When defining NAT rules, the first rule (lowest number) that matches a packet wins, and no other rules can apply. Therefore, you might define specific rules first, then broader cases later.
The meanings and uses of the specific fields in the NAT screens are as follows:
Rule Index (No) -- Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the end of the list). If you type a specific number, the new rule is inserted into that position in the list, and the rules currently in the configuration are renumbered.
Screen -- Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen.
Static -- Specify static mapping to set up a one-to-one relationship between two addresses. You could use this to set new apparent IP addresses for hosts on your network without having to reconfigure each host, for example.
Dynamic -- Specify dynamic mapping to map source addresses to other addresses in a one-to-many relationship. You could use dynamic mapping to ensure that all traffic leaving the firewall appears to come from a specific address or group of addresses, or to send traffic intended for several different hosts to the same actual IP address.
Source -- Specify the source address to map from an untranslated packet. Source addresses are the actual addresses contained in the packet entering the firewall.
Destination -- Specify the untranslated destination address for the source packet. Destination addresses are the actual addresses contained in the packet entering the firewall.
Translated Source -- Specify the translated source address for a packet. The translated source is the address the packet appears to originate from.
Translated Destination -- Specify the translated destination packet address. The translated destination is the actual address the packet goes to after it leaves the firewall.
Description -- Used to provide a description of the mapping defined in this rule.
As you define rules, remember that you cannot translate both source and destination addresses. You must either translate packets so they appear to come from a different source, or translate packets so they go to a specific destination, but not both.
All NAT rules are unidirectional -- that is, they work precisely as defined, and are not interpreted as also applying in the reverse direction. If you want rules to apply in both directions, you must specify two different rules. For example, if you map a source address from internalname.com to the destination of publicip.com, you will also have to map a source of publicip.com to the destination of internalname.com to translate traffic in both directions.
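An added Python model (not from the SunScreen documentation) of the NAT constraints described above: the lowest-numbered matching rule wins, a rule may translate the source or the destination but not both, and because rules are unidirectional a companion rule is needed for the reply direction. Address object names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatRule:
    index: int                                    # lower numbers are evaluated first
    source: str                                   # untranslated source, or "*"
    destination: str                              # untranslated destination, or "*"
    translated_source: Optional[str] = None       # set to rewrite the apparent source
    translated_destination: Optional[str] = None  # set to rewrite the destination
    description: str = ""

def rule_error(rule: NatRule) -> Optional[str]:
    """A NAT rule translates the source or the destination, never both."""
    if rule.translated_source and rule.translated_destination:
        return f"rule {rule.index}: cannot translate both source and destination"
    if not (rule.translated_source or rule.translated_destination):
        return f"rule {rule.index}: translates neither source nor destination"
    return None

def translate(rules, src, dst):
    """Apply only the lowest-numbered matching rule; returns (src, dst, rule index or None)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule_error(rule):
            raise ValueError(rule_error(rule))
        if rule.source in ("*", src) and rule.destination in ("*", dst):
            return (rule.translated_source or src, rule.translated_destination or dst, rule.index)
    return (src, dst, None)

def missing_reverse(rules) -> list[int]:
    """Indexes of rules with no companion rule for the reply direction.

    Rules are unidirectional: translating source A to B for traffic to D needs a
    second rule translating destination B back to A for traffic from D, and vice versa."""
    missing = []
    for r in rules:
        if r.translated_source:
            paired = any(o.source in ("*", r.destination) and o.destination == r.translated_source
                         and o.translated_destination == r.source for o in rules)
        else:
            paired = any(o.source == r.translated_destination and o.destination in ("*", r.source)
                         and o.translated_source == r.destination for o in rules)
        if not paired:
            missing.append(r.index)
    return missing

# Constructed example: outbound source translation and its inbound companion rule.
RULES = [NatRule(1, "web-internal", "*", translated_source="web-public", description="outbound"),
         NatRule(2, "*", "web-public", translated_destination="web-internal", description="inbound")]
```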
The VPN tab allows you to define Virtual Private Network (VPN) gateways. Defining VPN gateways using this mechanism simplifies the creation of VPNs that include more than two gateways.
Each gateway in this type of configuration must be able to connect to the other ones directly -- without going through another gateway.
Use the fields in the VPN dialog window to define VPN gateways:
Rule Index (No) -- (Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.
Name -- Specifies the Name of the VPN to which this gateway belongs.
Type the same name in the Name field for each gateway that you include in the VPN.
Address -- Specifies the machine to be included in the VPN.
Certificate -- Specifies the name of the certificate for this VPN gateway.
Key Algorithm -- Specifies the issued certificate (key) algorithm the VPN uses.
All gateways in the same VPN must use the same issued certificate (key) algorithm.
Data Algorithm -- Specifies the data algorithm the VPN uses.
All gateways in the same VPN must use the same data algorithm.
MAC Algorithm -- Specifies the MAC algorithm the VPN uses.
All gateways in the same VPN must use the same MAC algorithm.
Tunnel Address -- Specifies the destination address on the outer (unencrypted) IP packet to which tunnel packets are sent.
Description -- (Optional) Provides a short description of the VPN gateway.
After you define the gateways in your VPN, add a Packet Filtering rule for this VPN. The simplest rule uses * for the source and destination address. This rule allows encrypted use of the specified service for all addresses in the VPN.
When you add a packet filtering rule for VPN, leave the Screen field empty.
Specify SECURE for the packet filtering action.
Type the name of the VPN in the VPN field.