Configuring a management ACL

You can secure access to an SCC using an internal management Access Control List (ACL) under Administration > Security: Management ACL. SCCs are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can:

• restrict access to certain interfaces or protocols of an SCC.

• restrict inbound IP access to an SCC, protecting it from access by hosts that don’t have permission without using a separate device (such as a router or firewall).

• specify which hosts or groups of hosts can access and manage an SCC by IP address, simplifying the integration of SteelHeads into your network.

The management ACL provides these safeguards to prevent accidental disconnection from the SteelHead, the SCC, and the embedded Shark feature:

• It detects the IP address you’re connecting from and displays a warning if you add a rule that denies connections to that address.

• It always allows the default SteelHead ports 7800, 7801, 7810, 7820, and 7850.

• It always allows a previously connected SCC to connect and tracks any changes to the IP address of the SCC to prevent disconnection.

• It converts well-known port and protocol combinations, such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection: for example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.

• It tracks changes to default service ports and automatically updates any references to changed ports in the access rules.

You set up a management ACL under Administration > Security: Management ACL. Select Enable Management ACL to enable the management ACL.

The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on an SCC, the destination specifies the SCC, and the source specifies a remote host.

The ACL rules list contains default rules that allow you to use the management ACL with branch service RiOS features, such as DNS caching. These default rules allow access to certain ports required by these features. The list also includes default rules that allow access to the SCC and the embedded Shark feature.

• Allow—Allows a matching packet access to the SteelHead. This is the default action.

• Deny—Denies access to any matching packets.

(Appears only when Service is set to Specify Protocol.) Specifies All, TCP, UDP, or ICMP from the drop-down list. The default setting is All. When set to All or ICMP, the Service and Destination Ports are dimmed.

Specifies the destination port of the inbound packet, either a single port value or a port range of port1-port2, where port1 must be less than port2. Leave it blank to specify all ports.

Specifies a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule). SteelHeads evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule don’t match, the system consults the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.

The default rule, Allow, which allows all remaining traffic from everywhere that hasn’t been selected by another rule, can’t be removed and is always listed last.

Adds the rule to the list. The Management Console redisplays the Rules table and applies your modifications to the running configuration, which is stored in memory.

If you add, delete, edit, or move a rule that could disconnect connections to the SCC, a warning message appears. Click Confirm to override the warning and allow the rule definition anyway. Use caution when overriding a disconnect warning.

• When you change the default port of services, such as SSH, HTTP, HTTPS, on either the client or server-side SCC and create a management ACL rule denying that service, the rule will not work as expected. The SCC on the other end (either server or client) of an in-path deployment doesn’t know that the default service port has changed, and consequently optimizes the packets to that service port. To work-around this problem, add a pass-through rule to the client-side SCC for the management interfaces. The pass-through rule prevents the traffic from coming from the local host when optimized.

• A management ACL rule that denies access from port 20 on the server-side SCC in an out of-path deployment prevents data transfer using active FTP. In this deployment, the FTP server and client can’t establish a data connection because the FTP server initiates the SYN packet and the management rule on the server-side SCC blocks the SYN packet. To work-around this problem: