SunScreen 3.1 Administration Guide

Service and Service Group Objects

Part of setting up your network security policy is defining the network services that are available to hosts on your internal network and to hosts on the external network. Most sites need policy rules that govern at least the basic services.

SunScreen provides a number of predefined network services and service groups, such as http, ftp, telnet, dns, and rsh. You can change the default values of a service or add a new service as needed.

SunScreen lets you define single services and service groups. A service group consists of the single services (or other service groups) that you want to use together. The services that are available for use in policies were installed as part of the SunScreen software.

Besides the basic services, every TCP/IP implementation provides small services such as echo, discard, daytime, chargen, and time. For a service such as ftp, you may want to allow any host on the internal corporate network to send outbound traffic, but allow inbound traffic for this protocol only to the FTP server. This requires two rules: one for the outbound traffic and one for the inbound traffic going to the public server.

Each service uses a state engine, a kind of protocol checker. For example, the FTP state engine checks port numbers while the ftp service is in use. For more information on state engines, see the SunScreen Reference Manual.
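To make concrete what "checks port numbers" means for FTP, here is an added example (not SunScreen's engine, and not code from the original page) of the kind of check a stateful FTP filter performs on the control channel. The client sends PORT h1,h2,h3,h4,p1,p2 to tell the server where to open the data connection; a checker parses that line, recomputes the port as p1*256+p2, and refuses a data channel to a third host (the FTP bounce case) or to a privileged port. The sample session lines, the client address 10.1.2.3, and the function names are constructed for this illustration.

```python
import ipaddress
import re

# Constructed FTP control-channel lines as a client might send them; not
# captured from any real session.
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 10,1,2,3,4,1",      # client 10.1.2.3 offers data port 4*256+1 = 1025
    "PORT 10,1,2,3,0,21",     # privileged data port 21
    "PORT 192,168,5,9,4,1",   # a third host's address (classic FTP bounce)
    "PORT 10,1,2,3,300,1",    # octet out of range: malformed
]

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from an FTP PORT line, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def check_command(line, client_ip):
    """Decide what a stateful FTP checker should do with one control-channel line.

    Returns (allowed, reason). Only PORT lines ask for a data channel, so every
    other command passes through unchanged.
    """
    words = line.strip().split()
    if not words or words[0].upper() != "PORT":
        return True, "not a PORT command; no data channel to check"
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
        return False, "data address %s is not the control-channel client %s (bounce)" % (ip, client_ip)
    if port < 1024:
        return False, "privileged data port %d" % port
    return True, "open data channel to %s:%d" % (ip, port)


def audit_session(lines, client_ip):
    """Run every line through check_command; return a list of (line, allowed, reason)."""
    return [(line,) + check_command(line, client_ip) for line in lines]


if __name__ == "__main__":
    for line, allowed, reason in audit_session(SAMPLE_SESSION, "10.1.2.3"):
        print("%-24s %-5s %s" % (line, "allow" if allowed else "drop", reason))
```

A real engine also tracks the reply to PORT and opens the data-channel hole only after the command is accepted; this example shows only the parsing and the two address/port checks.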

To Add a Service

Note -

Although you can change the default values of a supplied service, troubleshooting is easier if you leave the supplied service alone and add a new service with the values you want.


  1. Select Service in the Type choice list.

  2. Click New Single... in the Add New choice list.

    The Service dialog window appears.

    Figure 3-6 Service Dialog Window


  3. Type the name for this new service in the Name field, for example:


    ftp-34
    

  4. (Optional) Type a description for this service in the Description field, for example:


    ftp-34 uses port 34 instead of port 21. Use ftp-34 instead of the supplied ftp service.
    

    The description appears in the Service Details field that displays when you choose a service or service group for a rule.

  5. (Optional) Select a Screen from the Screen choice list.

  6. Click the down arrow of the Add Filter button on the Service panel to display the service filter choice list.

  7. Select a filter from the Filter choice list.

    • Click Add Filter as many times as necessary to get the number of filters that this service needs.

    • To delete an unwanted filter, follow these steps:

    1. Click the parameters field of the line that contains the unwanted filter to highlight the line.

    2. Click the Delete button to delete the filter.

  8. Click the select box in the Filter field to display the list of service filter engines.

    Figure 3-7 List of Filter Engines


    For each filter that you want, follow these steps:

    1. Click the select box under Filter.

    2. Choose a filtering engine from the choice list that is displayed.

    3. Check the Reverse box if the service operates in the reverse direction.

      Reverse is a seldom-used option for specifying asymmetric inbound traffic, such as the traceroute and router discovery services.

  9. Type the port number for the new service in the Port field (for example, 34 for ftp-34). Click the Add Port button as many times as necessary to get the number of ports that this filter needs. To delete an unwanted port, follow these steps:

    1. Click the parameters field of the line that contains the unwanted port to highlight the line.

    2. Click the Delete button to delete it.

  10. (Optional) To override the default values for the filter that you have selected, type the values that you want to use in their place.

  11. Check the Broadcast box if the service sends IP broadcast packets.

    If the service sends both broadcast and non-broadcast packets (for example, the standard rip service), you need two port entries: one with the Broadcast box checked and one with it unchecked.

  12. To override the default parameters for the filter that you have selected, type the required number of parameters, separated by spaces.

    Parameters are needed only if you do not want the default values. The defaults for each filter engine are listed in the SunScreen Reference Manual.

  13. Confirm that the Reverse check box is set correctly for each filter, as described in step 8; check it only if the service operates in the reverse direction.

  14. Click the OK button to place this service definition in the policy file.

    The service ftp-34 now appears in the list of services.

  15. Repeat the above steps until you have added all the services necessary for your policy.

To Add a Service Group

Note -

Although SunScreen lets you modify the supplied service groups, troubleshooting is easier if you leave them alone and add a new service group that contains the services you want.


  1. Select Service in the Type choice list.

  2. Select New Group... from the Add New choice list.

    The Service dialog window is displayed.

    Figure 3-8 Add New Group Service Dialog Window


  3. Type the name for the new service group in the Name field in the Service dialog window.

  4. (Optional) Type a description for this new service group in the Description field.

    The description appears in the Service Details field that displays when you choose a service or service group for a rule.

  5. (Optional) Choose a Screen from the Screen choice list.

  6. Click and highlight the service or service group that you want to include in this new service group.

  7. Click the Add button to move the chosen service or service group to the Members list.

  8. Click the OK button.

  9. Repeat the above steps until you have added all the service groups required.
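The two procedures above, together with the two-rule FTP policy described at the top of this chapter, can be modelled in a few lines. The following is an added example, not SunScreen code, its on-disk object format, or its policy syntax: single services carry a filter engine and ports, service groups list members that may themselves be groups (as step 6 of the group procedure allows), and an ordered rule list is evaluated against sample packets. The service names (the page's ftp-34 among them), the networks 10.0.0.0/8 and 203.0.113.0/24, the ENGINE_PROTO mapping, and the first-match, default-deny evaluation are assumptions made for this illustration.

```python
import ipaddress

# A single service: a filter engine plus the ports it owns (Service dialog, steps 7-9).
# Constructed for this example; names match the page's examples where possible.
SINGLE_SERVICES = {
    "ftp":    {"engine": "ftp", "ports": [21]},
    "ftp-34": {"engine": "ftp", "ports": [34]},   # the page's ftp-on-port-34 example
    "telnet": {"engine": "tcp", "ports": [23]},
    "http":   {"engine": "tcp", "ports": [80]},
}

# A service group lists members; a member may itself be a group.
SERVICE_GROUPS = {
    "file-xfer":    ["ftp", "ftp-34"],
    "remote-admin": ["telnet", "file-xfer"],
}

# Transport each filter engine rides on (an assumption of this model).
ENGINE_PROTO = {"ftp": "tcp", "tcp": "tcp", "udp": "udp"}


def expand_service(name, singles=SINGLE_SERVICES, groups=SERVICE_GROUPS, path=()):
    """Flatten a service or service group into a set of (proto, port) tuples.

    Groups may nest, so recurse; `path` records the chain of groups being
    expanded so that a group that (indirectly) contains itself is reported
    instead of recursing forever.
    """
    if name in path:
        raise ValueError("service group cycle: " + " -> ".join(path + (name,)))
    if name in singles:
        svc = singles[name]
        return {(ENGINE_PROTO[svc["engine"]], p) for p in svc["ports"]}
    if name in groups:
        members = set()
        for member in groups[name]:
            members |= expand_service(member, singles, groups, path + (name,))
        return members
    raise ValueError("unknown service: " + name)


# The two-rule FTP policy from the chapter introduction: any internal host may
# send FTP out (here with either ftp or ftp-34), but inbound FTP reaches only
# the public server. Rules are checked in order, first match wins, and an
# unmatched packet is dropped (assumed defaults for this model).
INTERNAL = "10.0.0.0/8"
FTP_SERVER = "10.0.0.5/32"
ANY = "0.0.0.0/0"

RULES = [
    {"src": INTERNAL, "dst": ANY,        "service": "file-xfer", "action": "ALLOW"},
    {"src": ANY,      "dst": FTP_SERVER, "service": "ftp",       "action": "ALLOW"},
]


def evaluate(src, dst, proto, dport, rules=RULES):
    """Return the action the ordered rule list gives a packet, or 'DENY'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip not in ipaddress.ip_network(rule["src"]):
            continue
        if dst_ip not in ipaddress.ip_network(rule["dst"]):
            continue
        if (proto, dport) in expand_service(rule["service"]):
            return rule["action"]
    return "DENY"


def lint_groups(singles=SINGLE_SERVICES, groups=SERVICE_GROUPS):
    """Expand every group once; return {group: error} for any that fail."""
    bad = {}
    for name in groups:
        try:
            expand_service(name, singles, groups)
        except ValueError as exc:
            bad[name] = str(exc)
    return bad


if __name__ == "__main__":
    for pkt in [("10.1.2.3", "203.0.113.7", "tcp", 21),    # outbound ftp
                ("10.1.2.3", "203.0.113.7", "tcp", 34),    # outbound ftp-34
                ("203.0.113.7", "10.0.0.5", "tcp", 21),    # inbound to the public server
                ("203.0.113.7", "10.0.0.9", "tcp", 21),    # inbound to another host
                ("203.0.113.7", "10.0.0.5", "tcp", 34)]:   # inbound ftp-34, not in rule 2
        print(pkt, "->", evaluate(*pkt))
    print("group problems:", lint_groups())
```

The last two sample packets are the ones worth checking in a real policy: inbound FTP to any host other than the server is dropped by the default, and inbound ftp-34 is dropped because the inbound rule names the single service ftp rather than the file-xfer group. lint_groups catches a group that accidentally contains itself, which the GUI's "Add" button does not prevent you from constructing through an intermediate group.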