Rules
Use the Rules worksheet to organize the individual rules you want to use. Space is provided for you to create your own service groups. Make copies of the worksheet, as necessary.
A filled-in sample of the Rules worksheet with the requisite services that you may want for a particular network is shown below. Table 2-11.
Table 2-10 Rules|
Ordered Rule Index |
Service or Service Group |
Source Address |
Destination Address |
Action |
Encryption |
User or Groups of Users Optional |
Time of Day Optional |
Screen Optional |
|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 2-11 Sample for "Rules" Worksheet
|
Ordered Rule Index |
Service or Service Group |
Source Address(es) |
Destination Address(es) |
Action |
Encryption |
|
1 |
ftp |
Internal-net |
Internet |
ALLOW |
NONE |
|
2 |
ftp |
* |
ftp Server |
ALLOW |
NONE |
|
3 |
ftp |
Internet |
Internal-net |
DENY |
NONE |
Four Action Types
-
ALLOW options:
-
LOG_NONE
-
LOG_SUMMARY
-
LOG_DETAIL
-
SNMP_NONE
-
SNMP
-
A proxy type may be chosen if the service can be proxied by one of the SunScreen proxies.
-
-
DENY options:
-
LOG_NONE
-
LOG_SUMMARY
-
LOG_DETAIL
-
SNMP_NONE
-
SNMP
-
ICMP_NONE
-
ICMP_NET_UNREACHABLE
-
ICMP_HOST_UNREACHABLE
-
ICMP_PORT_UNREACHABLE
-
ICMP_NET_FORBIDDEN
-
ICMP_HOST_FORBIDDEN
-
-
ENCRYPT options:
-
NONE
-
SKIP_Version_1 (for connection to a SunScreen SPF-100 only)
-
You must decide on:
-
Key Algorithm list (depends on the SKIP version chosen: Domestic or Global)
Data Algorithm list (depends on the SKIP version chosen: Domestic or Global)
SKIP_Version_2 (for connection to all other SKIP-enabled devices) (Optional: Tunnel addresses are allowed.)
You must decide on:
-
From Encryptor list
-
To Encryptor list
-
Key Algorithm list (depends on the SKIP version chosen: Domestic or Global)
-
Data Algorithm list (depends on the SKIP version chosen: Domestic or Global)
After you define and map out your network and decide on your policy, you use data objects, such as services and addresses, to configure SunScreen with the policy rules to control access to your network. When you installed SunScreen, you automatically created a Policy named "Initial," which you can use connect build your own Security Policies.
- © 2010, Oracle Corporation and/or its affiliates