Rules
Use the following Rules worksheet to organize the individual rules you want to use. Space is provided for you to create your own service groups. Make copies of the worksheet, as necessary.
A filled-in sample of the Rules worksheet with the requisite services that you may want for a particular network is included following the Rules table.
Table 2-9 Rules|
Ordered Rule Index |
Service or Service Group |
Source Address |
Destination Address |
Action |
Encryption |
User or Groups of Users Optional |
Time of Day Optional |
Screen Optional |
|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 2-10 Sample for "Rules" Worksheet
|
Ordered Rule Index |
Service or Service Group |
Source Address(es) |
Destination Address(es) |
Action |
Encryption |
|
1 |
ftp |
Internal-net |
Internet |
ALLOW |
NONE |
|
2 |
ftp |
* |
ftp Server |
ALLOW |
NONE |
|
3 |
ftp |
Internet |
Internal-net |
DENY |
NONE |
Four Action Types
This section lists the available action types you use to construct ordered rules.
-
ALLOW options:
-
LOG_NONE
-
LOG_SUMMARY
-
LOG_DETAIL
-
SNMP_NONE
-
SNMP
-
-
DENY options:
-
LOG_NONE
-
LOG_SUMMARY
-
LOG_DETAIL
-
SNMP_NONE
-
SNMP
-
ICMP_NONE
-
ICMP_NET_UNREACHABLE
-
ICMP_HOST_UNREACHABLE
-
ICMP_PORT_UNREACHABLE
-
ICMP_NET_FORBIDDEN
-
ICMP_HOST_FORBIDDEN
-
-
ENCRYPT options:
-
NONE
-
SKIP_Version_1 (for connection to a SunScreen SPF-100 only)
-
You must decide on:
-
Key Algorithm list (depends on the SKIP version chosen: Domestic or Global)
-
Data Algorithm list (depends on the SKIP version chosen: Domestic or Global)
-
SKIP_Version_2 (for connection to all other SKIP-enabled devices) (Optional: Tunnel addresses are allowed.)
-
You must decide on:
-
From Encryptor list
-
To Encryptor list
-
Key Algorithm list (depends on the SKIP version chosen: Domestic or Global)
-
Data Algorithm list (depends on the SKIP version chosen: Domestic or Global)
-
After you define and map out your network and decide on your policy, you use data objects, such as services and addresses, to configure SunScreen 3.1 Lite with the policy rules to control access to your network. When you installed SunScreen 3.1 Lite, you created a policy named "Initial," which is created so you can connect to the Policy Edit page and build your own security policies.
- © 2010, Oracle Corporation and/or its affiliates