Enabling Security Using Rules
This topic describes how to add inbound and outbound rules to create a secure firewall policy.
How do inbound and outbound rules work?
Rules determine a secure firewall policy that regulates who you want to have access to what. Security policies can apply to the entire network, such as a single security policy to turn zone access on and off. You can also make the policy more granular to accommodate specific security needs. For example, you can create firewalled zones that require specific user permission to use specific applications. Or, you can create one or more firewalled sites.
Policy controls
Policy controls are built on two types of rules:
Outbound/Internal Rules - Define the policy for internal users and devices accessing internal or external applications.
Inbound (NAT) Rules - Define the policy for external (internet) access to internal applications. Inbound rules offer optional support for NAT, port translations, and an external host white list.
Outbound and internal rules
The outbound and internal rules specify a source, a target, and an action. The source can be either a special catch-all selection like all registered users, or a custom selection of user groups, device groups, individual users, individual devices, or policy tags. We recommend that you base the outbound and internal rules on user groups and device groups, and then make exceptions using policy tags.
The target is either the special selector Any that matches any target, a selection of zones, or a selection of application groups and applications.
You create a rule, place it in the desired order, and select whether it’s allowed or denied.
Creating outbound rules to set a security policy
SteelConnect evaluates the rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied. If the conditions set in the rule don’t match, then the rule isn’t applied and the system moves on to the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
In the list of rules, a green check mark indicates that the rule’s action is Allow and a red x indicates that the rule’s action is Deny.
To create an outbound rule to allow all users access to all zones
1. Choose Rules > Outbound/Internal.
2. Click New policy rule.
3. Select All (excluding guests).
4. Click Allow.
5. Under Applications / Targets, select each zone from the drop-down list.
6. Click Submit.
To create an outbound rule that is limited to one or more sites
1. Choose Rules > Outbound/Internal.
2. Click New policy rule.
3. Select the rule position.
4. By default, the rule applies to all sites. To apply the rule to certain sites, click the search box and select one or more sites.
5. Under Users/Sources, select the users and sources the rule applies to from the drop-down menu.
6. Click the search box to select users or sources from the drop-down list.
7. Click Allow.
8. Click Submit.
To create an outbound rule that is limited to one or more hosts and networks
1. Choose Rules > Outbound/Internal.
2. Click New policy rule.
3. Select the rule position.
4. By default, the rule applies to all sites. To apply the rule to certain sites, click the search box and select one or more sites.
5. Under Users/Source, choose Hosts and Networks.
6. Specify one or more IPv4 or IPv6 host or network IP addresses.
7. Click Allow.
8. Click Submit.
To create an outbound rule that blocks Facebook from a single IP address
1. Choose Rules > Outbound/Internal.
2. Click New policy rule.
3. Select the rule position.
4. Under Users/Source, choose Hosts and Networks.
5. Specify an IPv4 or IPv6 address.
6. Click Deny.
7. Under Applications / Targets, choose Selected applications or groups.
8. Select Facebook from the drop-down list.
9. Click Submit.
To create a rule that allows a laptop administrator access to the Active Directory server in the data center using port 3389
This procedure uses the custom application RDP_AD created in Custom applications.
1. Choose Rules > Outbound/Internal.
2. Click New policy rule.
3. Select the rule position.
4. Choose Selected Users, Devices, Groups or Tags.
5. Choose Laptop Admin.
6. Click Allow.
7. Under Applications / Targets, choose Selected applications or groups.
8. Select the custom application RDP_AD from the drop-down list.
9. Click Submit.
[Figure: Rule allowing laptop administrator access to the AD server in the data center]
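The first-match evaluation described above (rule 1 is consulted first, the first matching rule's action applies, and anything unmatched stays blocked), modelled on the Facebook-deny and Laptop Admin / RDP_AD rules from the procedures. This is an added illustration, not SteelConnect code; the addresses, group names other than Laptop Admin, and the "Staff"/"Guest" labels are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of outbound/internal rules: a source (user/group/tag
# names, or Hosts and Networks), a target (Any, zones, or applications),
# and an Allow/Deny action, evaluated in position order, first match wins.
@dataclass
class Rule:
    position: int
    action: str                                   # "Allow" or "Deny"
    sources: set = field(default_factory=set)     # user, group or policy-tag names
    networks: list = field(default_factory=list)  # ip_network objects (Hosts and Networks)
    targets: set = field(default_factory=set)     # zone/application names; "Any" matches all

def source_matches(rule, user_groups, src_ip):
    """True if the connection's user groups or source address select this rule."""
    if "All (excluding guests)" in rule.sources:
        return "Guest" not in user_groups
    if any(g in rule.sources for g in user_groups):
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in rule.networks)

def target_matches(rule, target):
    return "Any" in rule.targets or target in rule.targets

def evaluate(rules, user_groups, src_ip, target):
    """Return (action, rule position) of the first matching rule; deny by default,
    because the gateway blocks everything until a rule allows it."""
    for rule in sorted(rules, key=lambda r: r.position):
        if source_matches(rule, user_groups, src_ip) and target_matches(rule, target):
            return rule.action, rule.position
    return "Deny", None

# Constructed policy: the single-IP Facebook deny must sit above the broad
# allow-all rule, otherwise rule 3 would match first and the deny never fires.
RULES = [
    Rule(1, "Deny", networks=[ipaddress.ip_network("10.1.1.25/32")], targets={"Facebook"}),
    Rule(2, "Allow", sources={"Laptop Admin"}, targets={"RDP_AD"}),
    Rule(3, "Allow", sources={"All (excluding guests)"}, targets={"Any"}),
]

if __name__ == "__main__":
    print(evaluate(RULES, {"Staff"}, "10.1.1.25", "Facebook"))   # denied by rule 1
    print(evaluate(RULES, {"Staff"}, "10.1.1.30", "Facebook"))   # allowed by rule 3
    print(evaluate(RULES, {"Guest"}, "10.1.3.7", "LAN"))         # no match: default deny
```

Swapping the deny below the allow-all rule shows why rule position matters: the same Facebook connection from 10.1.1.25 is then allowed.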
Inbound (NAT) rules
Because the gateways use a firewalled system, you need rules to allow traffic for both outbound and inbound access. Everything is blocked until you create a rule to allow access. Use inbound rules to control any services you want to advertise to the internet. An inbound rule can use destination NAT (DNAT) or full NAT, and you can also apply a port offset.
To simplify inbound rule configuration, you can configure a private WAN as trusted. When a WAN is trusted, you allow access for all connections that arrive on an uplink to that WAN. This saves you from creating specific rules for each type of connection you want to allow. For details, see WAN settings.
Use inbound NAT when the return traffic in the zone is not routed back to the gateway. With inbound NAT, the source IP address of the inbound traffic is NATed to the IP address of the Riverbed gateway within the zone.
For inbound NAT rules on SteelConnect gateways, the device providing the service must be in a zone that is local to the gateway advertising the service.
A white list is available to limit access to the exposed application to specific external hosts.
Example: Creating an inbound rule to allow all users access to a web server inside of your location using port 80
1. Choose Rules > Inbound/NAT.
2. Click New Inbound Rule.
3. Select an internal application.
4. Select the uplink or uplinks on which to advertise the service on port 80, whether an MPLS uplink or a public internet uplink.
5. Select the mode in which to advertise the service. Optionally, select No NAT and type a single, registered WAN IP classful address for that specific web server.
6. Turn reflection on to provide internal users access to the service from inside the local zones. Turn the external host white list on to define a list of IP hosts that are able to access the service. Specify one IPv4/IPv6 host/network or DNS hostname per line.
7. Click Submit.
Example: Creating an inbound rule to make the AD server available to the internet
This example uses the custom application RDP_AD, created in Custom applications. Only device application types are allowed with inbound rules.
1. Choose Rules > Inbound/NAT.
2. Click New inbound rule.
3. Select RDP_AD.
4. Select the DC uplink.
5. Select DNAT to use destination NAT.
6. Under NAT Port mappings, select 3389 > 3389 internal.
7. Leave the NAT port offset and the external host white list off.
8. Click Submit.
[Figure: An inbound rule to make the AD server available to the internet]
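How an inbound rule decides what reaches the internal service, as an added illustration (not SteelConnect code) of the inbound NAT behaviour described above: the uplink and port mapping select the connection, the external host white list (when on) restricts which external hosts are admitted, DNAT rewrites only the destination, and full NAT also rewrites the source to the gateway's zone address so return traffic comes back through the gateway. RDP_AD, port 3389 and the DC uplink come from the example; all addresses, the "Web" application and the "Internet" uplink name are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of one inbound (NAT) rule advertising an internal
# application on an uplink.
@dataclass
class InboundRule:
    application: str
    uplink: str
    mode: str                       # "DNAT", "Full NAT" or "No NAT"
    port_map: dict                  # advertised external port -> internal port
    internal_host: str              # server in the zone local to the gateway
    gateway_zone_ip: str            # gateway address inside that zone (full NAT source)
    white_list: list = field(default_factory=list)  # IPv4/IPv6 host or network per entry

def host_allowed(rule, src_ip):
    """White list off (empty) admits any external host; on, the source must match an entry."""
    if not rule.white_list:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in rule.white_list)

def translate(rule, uplink, src_ip, dst_port):
    """Return (new_src, new_dst, internal_port) for an inbound connection, or None if dropped."""
    if uplink != rule.uplink or dst_port not in rule.port_map:
        return None                 # not advertised here: blocked like everything else
    if not host_allowed(rule, src_ip):
        return None                 # external host not on the white list
    internal_port = rule.port_map[dst_port]
    if rule.mode == "Full NAT":     # source becomes the gateway's zone address
        return rule.gateway_zone_ip, rule.internal_host, internal_port
    # DNAT rewrites only the destination; with No NAT, internal_host is the
    # server's own registered WAN address, so nothing is actually rewritten.
    return src_ip, rule.internal_host, internal_port

# Constructed rules: the page's RDP_AD example (DNAT, 3389 -> 3389, white list
# off) and a web server exposed with full NAT to one white-listed network.
RDP_AD = InboundRule("RDP_AD", "DC", "DNAT", {3389: 3389}, "10.0.5.10", "10.0.5.1")
WEB = InboundRule("Web", "Internet", "Full NAT", {80: 8080}, "10.0.5.20", "10.0.5.1",
                  white_list=["198.51.100.0/24"])

if __name__ == "__main__":
    print(translate(RDP_AD, "DC", "203.0.113.7", 3389))   # destination rewritten to the AD server
    print(translate(WEB, "Internet", "198.51.100.9", 80))  # source and destination rewritten
    print(translate(WEB, "Internet", "203.0.113.7", 80))   # None: host not white-listed
```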