5.1 Fine-Grained Access Control

User Groups provide a powerful security tool when setting up inter-entity networks. A Corente Cloud Services Exchange User Group limits the visibility of remote users and locations to a specific set of local IP addresses. Although a local network may include one hundred systems, an administrator can configure the local Corente Services Gateway so that remote users and gateways can only access five of those one hundred. The rest of these computers are completely blocked from outside view.

In many ways, User Groups create a virtual demilitarized zone (DMZ). Although one hundred systems are physically connected to the LAN, remote locations can be limited to accessing only the extranet server, the email server, and the public FTP server.

Routers can impose similar access limitations, but not to the same extent as User Groups. Routers can confine problems such as excessive broadcasts, duplicate IP addresses, unauthorized DHCP servers, and misbehaving Windows servers, as well as remote users snooping around the network. When problems occur, few users are affected and the problems are easy to troubleshoot. However, routing alone does not solve security; User Groups are also required.

A User Group in Corente Cloud Services Exchange is a group of statements. Each statement defines a range of IP addresses that are either included or excluded from the User Group. As a traffic packet comes through a tunnel to a gateway, the gateway’s User Group is scanned for a pattern that matches the incoming packet. An include/exclude rule associated with the pattern determines whether the packet is accepted or rejected by the gateway.

Corente Cloud Services Exchange extends User Groups with fine-grained access control, allowing access rules to be defined on a per-source address, per-destination address, and per-protocol basis. Administrators can define multiple User Groups on each gateway, and each can be matched with User Groups in the partner location. The administrator can then choose the type of traffic that is allowed to be transported between these sets of IP addresses, effectively banning the use of certain services or applications over the VPN by all or specific computers. This also allows the creation of asymmetrical tunnels, in which local computers can access remote computers on the VPN while remaining inaccessible themselves (or the opposite).
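The following is an added example, not Corente code, that models the scanning of include/exclude statements described above and the per-source, per-destination, per-protocol rules with an asymmetric tunnel. It assumes first-match evaluation and a default of blocked when no statement or rule matches; the product's actual ordering semantics are not stated on this page, and all addresses and rules are constructed.

```python
import ipaddress
from typing import NamedTuple

class Statement(NamedTuple):
    action: str    # "include" or "exclude"
    network: str   # address range the statement covers, in CIDR form

def user_group_allows(statements, address):
    """Scan the User Group in order; the first matching statement decides.
    First-match and default-block are assumptions, not documented behaviour."""
    ip = ipaddress.ip_address(address)
    for st in statements:
        if ip in ipaddress.ip_network(st.network):
            return st.action == "include"
    return False

class Rule(NamedTuple):
    local_group: list       # Statements describing local addresses
    remote_group: list      # Statements describing the partner's addresses
    protocols: set          # services permitted between the two groups
    remote_initiated: bool  # False = asymmetric: only local hosts may initiate

class Flow(NamedTuple):
    local: str
    remote: str
    proto: str
    initiated_by: str       # "local" or "remote"

def gateway_accepts(rules, flow):
    """Return True if some rule permits this flow across the tunnel."""
    for r in rules:
        if flow.initiated_by == "remote" and not r.remote_initiated:
            continue
        if not user_group_allows(r.local_group, flow.local):
            continue
        if not user_group_allows(r.remote_group, flow.remote):
            continue
        if flow.proto not in r.protocols:
            continue
        return True
    return False  # no rule matched: host stays blocked from outside view

# Constructed sample policy: LAN 10.0.1.0/24, partner site 192.168.5.0/24.
DMZ = [Statement("include", "10.0.1.10/32"),   # extranet server
       Statement("include", "10.0.1.20/32"),   # email server
       Statement("include", "10.0.1.30/32")]   # public FTP server
WORKSTATIONS = [Statement("exclude", "10.0.1.0/27"),   # carve out the DMZ subnet
                Statement("include", "10.0.1.0/24")]
PARTNER = [Statement("include", "192.168.5.0/24")]
RULES = [
    Rule(DMZ, PARTNER, {"tcp/443", "tcp/25", "tcp/21"}, remote_initiated=True),
    Rule(WORKSTATIONS, PARTNER, {"tcp/443"}, remote_initiated=False),
]
```

With this policy the partner site can reach only the three DMZ hosts, while workstations can open HTTPS sessions to the partner but cannot be reached from it.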

Fine-grained access control allows a single gateway to be in place on each corporate network, serving a wide array of computers with different VPN and Internet access requirements.