Management ACL
You configure management ACL for the selected security policy in the Management ACL page.
Appliances are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can:
restrict access to certain interfaces or protocols of an appliance.
restrict inbound IP access to an appliance, protecting it from access by hosts that don’t have permission without using a separate device (such as a router or firewall).
specify that hosts or groups of hosts can access and manage an appliance by IP address, simplifying the integration of appliances into your network.
The Management ACL provides these safeguards to prevent accidental disconnection from the SCC:
detects the IP address you’re connecting from and displays a warning if you add a rule that denies connections to that address.
always enables the default appliance ports 7800, 7801, 7810, 7820, and 7850.
always enables a previously-connected SCC to connect and tracks any changes to the IP address of the SCC to prevent disconnection.
converts well-known port and protocol combinations, such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.
tracks changes to default service ports and automatically updates any references to changed ports in the access rules.
For details about management ACL, see the SteelHead User Guide.
The Management ACL page contains these groups of settings:
Management ACL settings
Adding a new rule
Management ACL settings
The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on an SCC, the destination specifies the SCC, and the source specifies a remote host.
This configuration option is available:
Enable Management ACL
Secures access to an appliance using a management ACL.
Adding a new rule
The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on an appliance, the destination specifies the appliance, and the source specifies a remote host.
The ACL rules list contains default rules that allow you to use the management ACL with the RiOS features PFS, DNS caching, and RSP. These default rules allow access to certain ports required by these features. The list also includes a default rule that enables access to the SCC.
These configuration options are available:
Add a New Rule
Displays the controls for adding a new rule.
Action
Specifies one of these rule types from the drop-down list:
Allow—Enables a matching packet access to the SCC. This is the default action.
Deny—Denies access to any matching packets.
Service
Specifies All, HTTP, HTTPS, SOAP, SNMP, SSH, or Telnet. When specified, the Destination Port is dimmed and unavailable.
Protocol
(Appears only when Service is set to Specify Protocol.) Specifies All, TCP, UDP, ICMP, or a specific protocol number (1, 6, 17). The default value is All. When set to All or ICMP, the Service and Destination Port fields are dimmed and unavailable.
Destination Port
Specifies the destination port number.
Source Network
Specifies the source network of the inbound packet.
Interface
Specifies an interface name from the drop-down list. Select All to specify all interfaces.
Description
Describes the rule to facilitate administration.
Rule Number
Specifies a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule).
Appliances evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule don’t match, the system consults the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
The default rule, Allow, enables all remaining traffic from everywhere that hasn’t been selected by another rule. It can’t be removed and is always listed last.
Log Packets
Tracks denied packets in the log. By default, packet logging is enabled.
Add
Adds the rule to the list.
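The rule evaluation order described under Rule Number, together with the safeguards listed at the top of this page (protected default ports, the well-known port/protocol to service conversion, and the warning when a Deny rule would match the address you are connecting from), modelled as an added Python example. This is not Riverbed code and not the appliance's implementation: the Rule and Packet fields, the function names, the sample policy and the sample addresses are assumptions, and the protocol/port pairs behind the named services are the IANA defaults (SOAP is omitted because the page does not give its port).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports the page says the management ACL always enables (constant built from the page text).
PROTECTED_PORTS = frozenset({7800, 7801, 7810, 7820, 7850})

# (protocol number, destination port) -> management service. Service names are the
# page's; the protocol/port pairs are IANA defaults (assumption). SOAP is left out
# because the page does not state its port.
WELL_KNOWN_SERVICES = {
    (6, 22): "SSH",
    (6, 23): "Telnet",
    (6, 80): "HTTP",
    (6, 443): "HTTPS",
    (17, 161): "SNMP",
}


@dataclass
class Rule:
    """One management ACL rule; None in a field means 'All', as on the page."""
    number: int
    action: str                       # "allow" or "deny"
    source: str = "0.0.0.0/0"         # source network, CIDR notation
    protocol: Optional[int] = None    # IP protocol number (1, 6, 17) or None = All
    dst_port: Optional[int] = None    # destination port or None = All
    interface: Optional[str] = None   # interface name or None = All
    description: str = ""


@dataclass(frozen=True)
class Packet:
    """Inbound IP packet fields the ACL matches on (hypothetical model)."""
    src_ip: str
    protocol: int
    dst_port: Optional[int]           # None for protocols without ports (ICMP)
    interface: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field that is not 'All' agrees with the packet."""
    src_net = ipaddress.ip_network(rule.source, strict=False)
    if ipaddress.ip_address(pkt.src_ip) not in src_net:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.interface is not None and rule.interface != pkt.interface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation in rule-number order; returns (action, rule number).

    Protected ports are allowed before any rule is consulted. A packet that no
    explicit rule selects falls through to the default Allow rule, which is
    reported here with rule number None."""
    if pkt.dst_port in PROTECTED_PORTS:
        return "allow", None
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number   # first match wins; later rules are not consulted
    return "allow", None


def service_name(rule: Rule) -> Optional[str]:
    """Well-known protocol/port conversion, e.g. protocol 6 + port 22 -> SSH."""
    return WELL_KNOWN_SERVICES.get((rule.protocol, rule.dst_port))


def lockout_warning(rule: Rule, connecting_ip: str) -> Optional[str]:
    """The page's safeguard: warn when a Deny rule would match the address the
    administrator is currently connecting from."""
    if rule.action != "deny":
        return None
    if ipaddress.ip_address(connecting_ip) not in ipaddress.ip_network(rule.source, strict=False):
        return None
    what = service_name(rule) or "matching traffic"
    return f"Rule {rule.number} denies {what} from {connecting_ip}, your current address"


# Constructed sample policy: SSH only from the admin subnet, everything else denied.
SAMPLE_RULES = [
    Rule(1, "allow", "10.0.0.0/24", protocol=6, dst_port=22, description="SSH from admin net"),
    Rule(2, "deny", "0.0.0.0/0", protocol=6, dst_port=22, description="SSH from anywhere else"),
    Rule(3, "deny", "0.0.0.0/0", description="deny all remaining"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", 6, 22, "primary"),
                Packet("192.0.2.9", 6, 22, "primary"),
                Packet("192.0.2.9", 6, 7800, "primary")):
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
    print(lockout_warning(Rule(4, "deny", "10.0.0.0/24"), "10.0.0.5"))
```

Rule 3 in the sample policy is the reason the default Allow rule matters: without an explicit deny-all, any packet that rules 1 and 2 do not select is allowed by the default rule, which cannot be removed. The protected-port check runs before the rules so that a deny-all rule cannot cut off the appliance ports the page lists.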