Use the following Rules worksheet to organize the individual rules you want to use. Space is provided for you to create your own service groups. Make copies of the worksheet, as necessary.
A filled-in sample of the Rules worksheet with the requisite services that you may want for a particular network is included following the Rules table.
Table 2-9 Rules

Ordered Rule Index | Service or Service Group | Source Address | Destination Address | Action | Encryption | User or Groups of Users (Optional) | Time of Day (Optional) | Screen (Optional)
---|---|---|---|---|---|---|---|---
 | | | | | | | | 
 | | | | | | | | 
 | | | | | | | | 
 | | | | | | | | 
 | | | | | | | | 
 | | | | | | | | 
Table 2-10 Sample for "Rules" Worksheet

Ordered Rule Index | Service or Service Group | Source Address(es) | Destination Address(es) | Action | Encryption
---|---|---|---|---|---
1 | ftp | Internal-net | Internet | ALLOW | NONE
2 | ftp | * | ftp Server | ALLOW | NONE
3 | ftp | Internet | Internal-net | DENY | NONE
This section lists the available action types you use to construct ordered rules.
ALLOW options:
- Logging: LOG_NONE, LOG_SUMMARY, LOG_DETAIL
- SNMP trap: SNMP_NONE, SNMP

DENY options:
- Logging: LOG_NONE, LOG_SUMMARY, LOG_DETAIL
- SNMP trap: SNMP_NONE, SNMP
- ICMP response: ICMP_NONE, ICMP_NET_UNREACHABLE, ICMP_HOST_UNREACHABLE, ICMP_PORT_UNREACHABLE, ICMP_NET_FORBIDDEN, ICMP_HOST_FORBIDDEN

With ICMP_NONE a denied packet is dropped silently; each of the other ICMP options returns the named ICMP error to the sender, which tells the sender (including a port scanner) that something filtered the packet.
ENCRYPT options:
- NONE
- SKIP_Version_1 (for connection to a SunScreen SPF-100 only). You must decide on:
  - Key Algorithm list (depends on the SKIP version chosen: Domestic or Global)
  - Data Algorithm list (depends on the SKIP version chosen: Domestic or Global)
- SKIP_Version_2 (for connection to all other SKIP-enabled devices; tunnel addresses are optionally allowed). You must decide on:
  - From Encryptor list
  - To Encryptor list
  - Key Algorithm list (depends on the SKIP version chosen: Domestic or Global)
  - Data Algorithm list (depends on the SKIP version chosen: Domestic or Global)
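The sample policy in Table 2-10 and the ALLOW/DENY options above, worked through as an added example. This is illustration code written for this page, not SunScreen software: it assumes first-match semantics (the lowest-indexed rule whose service, source and destination all match decides the packet, as the "Ordered Rule Index" column implies) and an implicit DENY for packets that match no rule. The networks, the host addresses, the "ssh" service and the logging/ICMP values filled into the rules are constructed sample data.

```python
"""Ordered-rule evaluator for a SunScreen-style "Rules" worksheet.

Added illustration, not SunScreen code.  It models Table 2-10 plus the
ALLOW/DENY options listed above and assumes first-match semantics: the
lowest-indexed rule whose service, source and destination all match decides
the packet, and a packet matching no rule is denied (assumed default).
All networks, hosts and the "ssh" service are constructed sample data.
"""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Address:
    """An address object or group: member networks minus any exclusions."""
    include: List[IPv4Network]
    exclude: List[IPv4Network] = field(default_factory=list)

    def contains(self, ip: IPv4Address) -> bool:
        return any(ip in n for n in self.include) and not any(ip in n for n in self.exclude)


@dataclass
class Rule:
    """One row of the worksheet; option fields take the values listed above."""
    index: int
    service: str
    src: str
    dst: str
    action: str                  # ALLOW or DENY
    log: str = "LOG_NONE"        # LOG_NONE, LOG_SUMMARY, LOG_DETAIL
    snmp: str = "SNMP_NONE"      # SNMP_NONE or SNMP
    icmp: str = "ICMP_NONE"      # DENY only: ICMP_NONE, ICMP_*_UNREACHABLE, ICMP_*_FORBIDDEN
    encryption: str = "NONE"     # NONE, SKIP_Version_1, SKIP_Version_2


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


INTERNAL = ip_network("10.0.0.0/8")                       # constructed
ADDRESSES: Dict[str, Address] = {
    "Internal-net": Address([INTERNAL]),
    "ftp Server": Address([ip_network("10.0.0.21/32")]),  # sits inside Internal-net
    "Internet": Address([ip_network("0.0.0.0/0")], exclude=[INTERNAL]),
    "*": Address([ip_network("0.0.0.0/0")]),
}
# ftp is modelled as its control channel only; a real service group would
# also carry the data connection.
SERVICES: Dict[str, Tuple[str, int]] = {"ftp": ("tcp", 21), "ssh": ("tcp", 22)}

# Table 2-10, with logging/ICMP option values filled in for the example.
SAMPLE_RULES: List[Rule] = [
    Rule(1, "ftp", "Internal-net", "Internet", "ALLOW"),
    Rule(2, "ftp", "*", "ftp Server", "ALLOW", log="LOG_SUMMARY"),
    Rule(3, "ftp", "Internet", "Internal-net", "DENY",
         log="LOG_DETAIL", icmp="ICMP_PORT_UNREACHABLE"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when service, source and destination of the rule all cover the packet."""
    proto, port = SERVICES[rule.service]
    return ((pkt.proto, pkt.dport) == (proto, port)
            and ADDRESSES[rule.src].contains(ip_address(pkt.src))
            and ADDRESSES[rule.dst].contains(ip_address(pkt.dst)))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str, str]:
    """Return (matching rule index, action, ICMP response); first match wins."""
    for rule in sorted(rules, key=lambda r: r.index):
        if matches(rule, pkt):
            return rule.index, rule.action, rule.icmp
    return None, "DENY", "ICMP_NONE"     # implicit deny, dropped silently (assumed)


def reorder(rules: List[Rule], new_order: List[int]) -> List[Rule]:
    """Renumber rules so they evaluate in the sequence given by their old indexes."""
    by_index = {r.index: r for r in rules}
    return [replace(by_index[old], index=i) for i, old in enumerate(new_order, start=1)]


if __name__ == "__main__":
    probes = [
        Packet("10.1.2.3", "198.51.100.7", "tcp", 21),   # inside -> Internet ftp
        Packet("203.0.113.9", "10.0.0.21", "tcp", 21),   # Internet -> ftp Server
        Packet("203.0.113.9", "10.5.5.5", "tcp", 21),    # Internet -> other internal host
        Packet("10.1.2.3", "203.0.113.9", "tcp", 22),    # no ftp rule applies
    ]
    variants = (("as written", SAMPLE_RULES),
                ("rule 3 moved above rule 2", reorder(SAMPLE_RULES, [1, 3, 2])))
    for label, rules in variants:
        print(f"-- {label}")
        for p in probes:
            print(f"{p.src:>13} -> {p.dst:<13} {p.proto}/{p.dport}: {evaluate(rules, p)}")
```

Run stand-alone, the second pass shows why the index column matters: because the ftp server is itself part of Internal-net, moving the Internet-to-Internal-net DENY above the ftp Server ALLOW makes an Internet client hit the DENY first and receive ICMP_PORT_UNREACHABLE, even though the ALLOW rule is still present. Order rules from most specific to most general, and re-run a check like this whenever a rule is inserted.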
After you define and map out your network and decide on your policy, you use data objects, such as services and addresses, to configure SunScreen 3.1 Lite with the policy rules that control access to your network. When you installed SunScreen 3.1 Lite, a policy named "Initial" was created for you; it exists so that you can connect to the Policy Edit page and build your own security policies from it.