Worksheets for Defining Your Security Policy
This section contains directions and worksheets to help you analyze and define your security policy requirements.
See the SunScreen 3.2 Administrator's Overview manual for more information. You can also find useful examples in the SunScreen 3.2 Configuration Examples.
To begin the process, create a group of all the IP addresses of which the SunScreen software needs to be aware. SunScreen identifies network elements--network, subnetworks, and individual hosts--by IP address. Before you can define a rule, you must define all the elements or parts that make up the rule.
Addresses
The following types of addresses need to be defined in SunScreen:
-
Host addresses
-
Address ranges
-
Address groups
SunScreen uses IP addresses to define the network elements that make up the configuration. These addresses are then used in defining the Screen's network interfaces and as the source and destination addresses for filtering rules and NAT.
The IP address can be for a single system, or for a whole network or subnetwork. Additionally, addresses (individual and network) can be grouped to form an address group. SunScreen allows you to define address groups that specifically include or exclude other defined addresses (single IP hosts, ranges, or groups).
Use the following worksheets to help you organize your IP addresses. Reproduce them as necessary. Group the IP addresses and names for the following network elements:
-
A single system, or a whole network or subnetwork
-
Addresses (individual and network) grouped to form an address group
Host Addresses
Use the Host Addresses worksheet to list your host addresses. For individual elements, such as the router and individual systems, you need to know the IP address, in standard dotted Internet-address notation (w.x.y.z format), and the name of the host.
|
Name |
Definition |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Address Ranges
Use the Address Ranges worksheet to list your address ranges. For networks and subnetworks, you need to know the beginning and ending addresses of the network or subnetwork, both in standard dotted Internet-address notation (w.x.y.z format).
|
Name |
Address |
|
|---|---|---|
|
Beginning |
Ending |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Address Group
Use the Address Group worksheet to list your address group. Groups of host addresses, network addresses, and other address groups can be combined to form logical groups of addresses that can then be manipulated as a single element. Groups can be inclusive or exclusive or a combination of both, but cannot be cyclic, as in cases where address group A includes (references) address group B, which in turn includes address group A.
|
Name |
Address |
|
|---|---|---|
|
Include |
Exclude |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- © 2010, Oracle Corporation and/or its affiliates