Enabling Security Using Rules
How do inbound and outbound rules work?
Rules define the firewall policy: who is allowed to reach what. A policy can apply to the entire network, for example a single rule that turns zone access on or off, or it can be made more granular to meet specific security needs, such as firewalled zones in which specific users need explicit permission to use specific applications.
Policy controls
Policy controls are built on two types of rules:
Outbound/Internal Rules - Define the policy for internal users and devices accessing internal or external applications.
Inbound (NAT) Rules - Define the policy for external (internet) access to internal applications. Inbound rules offer optional support for NAT, port translations, and an external host white list.
Outbound and internal rules
The outbound and internal rules specify a source, a target, and an action. The source can be either a special catch-all selection like all registered users, or a custom selection of user groups, device groups, individual users, individual devices, or policy tags. We recommend that you base the outbound and internal rules on user groups and device groups, and then make exceptions using policy tags.
The target is either the special selector Any that matches any target, a selection of zones, or a selection of application groups and applications.
You create a rule, place it in the desired order, and select whether it’s allowed or denied.
Creating outbound rules to set a security policy
SteelConnect evaluates the rules in numerical order starting with rule 1. The first rule whose conditions match is applied, and no further rules are consulted; a rule whose conditions don’t match is skipped and the next rule is checked. For example, if rule 1 doesn’t match, rule 2 is consulted; if rule 2 matches, it is applied and rule 3 onward are never evaluated. Because the gateways are firewalls, traffic passes only when a rule allows it, and because evaluation stops at the first match, a broad Allow placed early (such as all users to all zones) shadows any more specific Deny placed after it. Put the exceptions (for example, a Deny based on policy tags) ahead of the general rules they carve out of.
In the list of rules, a green check mark indicates that the rule’s action is Allow and a red x indicates that the rule’s action is Deny.
To create an outbound rule to allow all users access to all zones
1. Choose Rules > Outbound/Internal.
2. Click New Policy Rule.
3. Select All (excluding guests).
4. Click Allow.
5. Under Applications / Targets, select each zone from the drop-down list.
6. Click Submit.
To create an outbound rule that blocks Facebook from a user and a device
1. Choose Rules > Outbound/Internal.
2. Click New policy rule.
3. Select the rule position.
4. Under Users/Source, choose Selected Users, Devices, Groups, or Tags.
5. Select a user. If the user isn’t already associated with a device, select a device.
To link the user to the device, the device’s MAC address has to be visible to the gateway, which means the gateway must be on the same Layer 2 broadcast domain, VLAN, or zone as the device. If the gateway can’t see the MAC address, the user-to-device association isn’t made and the rule never matches that traffic.
6. Click Deny.
7. Under Applications / Targets, choose Selected applications or groups.
8. Select Facebook from the drop-down list.
9. Click Submit.
To create a rule that allows a laptop administrator access to the Active Directory server in the data center using port 3389
This procedure uses the custom application RDP_AD created in Custom applications.
1. Choose Rules > Outbound/Internal.
2. Click New policy rule.
3. Select the rule position.
4. Choose Selected Users, Devices, Groups or Tags (not supported on 5030 gateways).
5. Choose Laptop Admin.
6. Click Allow.
7. Under Applications / Targets, choose Selected applications or groups.
8. Select the custom application RDP_AD from the drop-down list.
9. Click Submit.
Rule allowing laptop administrator access to AD server in the data center
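The three rules created above make a convenient set for seeing how first-match evaluation behaves. The following Python is an added illustration, not SteelConnect code: it models the source and target selectors described under Outbound and internal rules and walks a rule list in position order. The users, devices, groups and zones are constructed, and two behaviours are assumptions rather than something the page states: a Selected users/devices/groups/tags source matches when any listed selector matches, and traffic that matches no rule is denied.

```python
"""First-match evaluation of Outbound/Internal rules (added illustration,
not SteelConnect code; all rules, users, devices and zones are constructed)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    """What the gateway has resolved for one connection (constructed data)."""
    user: str             # "" when no user could be tied to the device
    device: str           # "" when the device's MAC address was not visible
    groups: frozenset     # user and device groups
    tags: frozenset       # policy tags on the user or device
    zone: str             # destination zone
    app: str              # classified application or custom application name
    guest: bool = False


@dataclass(frozen=True)
class Rule:
    position: int
    action: str                           # "allow" or "deny"
    source: str = "all_excluding_guests"  # or "all_registered", "selected"
    users: frozenset = frozenset()
    devices: frozenset = frozenset()
    groups: frozenset = frozenset()
    tags: frozenset = frozenset()
    target: str = "any"                   # "any", "zones" or "apps"
    zones: frozenset = frozenset()
    apps: frozenset = frozenset()


def source_matches(rule: Rule, flow: Flow) -> bool:
    if rule.source == "all_registered":
        return True
    if rule.source == "all_excluding_guests":
        return not flow.guest
    # "selected": assumed to match when ANY listed user, device, group or tag matches.
    return (flow.user in rule.users or flow.device in rule.devices
            or bool(rule.groups & flow.groups) or bool(rule.tags & flow.tags))


def target_matches(rule: Rule, flow: Flow) -> bool:
    if rule.target == "any":
        return True
    if rule.target == "zones":
        return flow.zone in rule.zones
    return flow.app in rule.apps


def evaluate(rules, flow: Flow, default: str = "deny"):
    """Consult rules in position order. The first rule whose source and target
    both match decides; later rules are never consulted. Returns
    (action, position), or (default, None) when nothing matches (assumed deny)."""
    for rule in sorted(rules, key=lambda r: r.position):
        if source_matches(rule, flow) and target_matches(rule, flow):
            return rule.action, rule.position
    return default, None


def renumber(rules):
    """Assign positions 1..n in the order given, like dragging rules in the UI."""
    return [replace(r, position=i) for i, r in enumerate(rules, 1)]


ALL_ZONES = frozenset({"Corporate", "Data Center", "Guest"})
ALLOW_ALL = Rule(1, "allow", target="zones", zones=ALL_ZONES)            # first procedure
DENY_FB = Rule(2, "deny", source="selected", users=frozenset({"jdoe"}),  # second procedure
               devices=frozenset({"jdoe-laptop"}), target="apps",
               apps=frozenset({"Facebook"}))
ALLOW_RDP = Rule(3, "allow", source="selected",                          # third procedure
                 groups=frozenset({"Laptop Admin"}), target="apps", apps=frozenset({"RDP_AD"}))

AS_CREATED = renumber([ALLOW_ALL, DENY_FB, ALLOW_RDP])   # order of the procedures above
DENY_FIRST = renumber([DENY_FB, ALLOW_RDP, ALLOW_ALL])   # exceptions ahead of the catch-all

JDOE_FACEBOOK = Flow("jdoe", "jdoe-laptop", frozenset({"Staff"}), frozenset(), "Corporate", "Facebook")
ADMIN_RDP = Flow("admin1", "admin1-laptop", frozenset({"Laptop Admin"}), frozenset(), "Data Center", "RDP_AD")
GUEST_FACEBOOK = Flow("visitor", "visitor-phone", frozenset(), frozenset(), "Guest", "Facebook", guest=True)
# jdoe's laptop on a segment where the gateway cannot see its MAC: no user or device resolved.
UNSEEN_FACEBOOK = Flow("", "", frozenset(), frozenset(), "Corporate", "Facebook")

if __name__ == "__main__":
    for name, rules in (("as created", AS_CREATED), ("deny first", DENY_FIRST)):
        for flow in (JDOE_FACEBOOK, ADMIN_RDP, GUEST_FACEBOOK, UNSEEN_FACEBOOK):
            print(name, flow.user or "<unidentified>", flow.app, evaluate(rules, flow))
```

With the rules in the order they were created, the allow-all rule at position 1 matches jdoe’s Facebook traffic first and the Deny at position 2 is never consulted; moving the Deny to position 1 makes it take effect. The unidentified-device flow mirrors the MAC-visibility caveat: with no user or device resolved, the Deny cannot match and the traffic falls through to the broader Allow.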
Inbound (NAT) rules
Because the gateways are firewalls, traffic passes only when a rule allows it, for inbound as well as outbound access. Use inbound rules to control the services you want to advertise to the internet. An inbound rule can use DNAT or full NAT, and you can also apply a port offset.
Use full inbound NAT when the service’s return traffic would not otherwise be routed back through the gateway (for example, because the server’s default route points at another router in the zone). With full inbound NAT, the source IP address of the inbound traffic is also translated, to the Riverbed gateway’s IP address within the zone, so the server’s replies come back to the gateway. The trade-off is that the server sees the gateway, not the real client, as the source: its own logs don’t record the external client address, and the external host white list on the gateway becomes the only place the client address is enforced. With DNAT only the destination is rewritten and the server still sees the client address.
For inbound NAT rules on SteelConnect gateways, the device providing the service must be in a zone that is local to the gateway advertising the service.
A whitelist is available to limit access to the exposed application to specific external hosts.
Example: Creating an inbound rule to allow all users access to a web server inside your location using port 80
1. Choose Rules > Inbound/NAT.
2. Click New Inbound Rule.
3. Select an internal application.
4. Select one or more uplinks on which to advertise the service on port 80, whether an MPLS uplink or a public internet uplink.
5. Select the mode in which to advertise the service; for example, NAT inbound. Optionally, you can select No NAT and type the single registered WAN IP address that belongs to that specific web server.
6. Turn reflection on (NAT reflection, also called hairpin NAT) to give internal users access to the service from inside the local zones using the same external address and port that internet clients use.
Turn the external host white list on to restrict access to the service to a list of hosts. Specify one IPv4/IPv6 host or network, or one DNS hostname, per line.
7. Click Submit.
Example: Creating an inbound rule to make the AD server available to the internet
This example uses the custom application RDP_AD, created in Custom applications.
1. Choose Rules > Inbound/NAT.
2. Click New inbound rule.
3. Select RDP_AD.
4. Select the DC uplink.
5. Select DNAT.
6. Under NAT Port mappings, select 3389 > 3389 internal.
7. Leave the NAT port offset and the external host white list off. With the white list off, any host on the internet can reach TCP port 3389 on the domain controller; outside a lab, turn the white list on and list only the administrator hosts or networks that are allowed to connect.
8. Click Submit.
An inbound rule to make the AD server available to the internet
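The inbound modes above, the external host white list and reflection, as an added worked example in Python (not SteelConnect code). It processes a packet arriving on an uplink, or from a local zone, against an inbound rule and returns either the translated packet or the reason it was dropped. The addresses, uplink names and internal servers are constructed; white-list entries are modelled as IP hosts and networks only (no DNS hostnames); the white list is assumed to apply to external arrivals only; and the port mapping is expressed as an explicit external port rather than an offset. The RDP_AD rule is built as in the second example, with the white list off, next to a restricted variant of the same rule.

```python
"""Inbound (NAT) rule processing: DNAT, full NAT, No NAT, white list, reflection.
Added illustration, not SteelConnect code; every address here is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class InboundRule:
    app_host: str              # internal server; must be in a zone local to the gateway
    app_port: int              # port the application listens on
    uplinks: frozenset         # uplinks the service is advertised on
    mode: str                  # "dnat", "full_nat" or "no_nat"
    external_port: int         # advertised port (differs from app_port when an offset is used)
    public_ip: str = ""        # "no_nat" only: the server's own registered WAN address
    whitelist: tuple = ()      # external hosts/networks allowed in; () means white list off
    reflection: bool = False   # internal users may reach the service via the WAN address


@dataclass(frozen=True)
class Gateway:
    uplink_ips: dict           # uplink name -> WAN address on that uplink
    zone_ip: str               # gateway's own address inside the server's zone
    local_networks: tuple      # networks of the zones local to this gateway


def in_whitelist(src: str, entries) -> bool:
    """White list off admits every source; on, src must fall inside some entry."""
    if not entries:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def is_local(gw: Gateway, addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in gw.local_networks)


def process_inbound(gw: Gateway, rule: InboundRule, uplink, pkt: Packet):
    """uplink names the uplink pkt arrived on, or None when it came from a local zone.
    Returns ("forward", translated_packet) or ("drop", reason)."""
    if uplink is None:                                  # reflected: internal client, WAN address
        if not rule.reflection:
            return "drop", "reflection off"
        if not is_local(gw, pkt.src):
            return "drop", "source not in a local zone"
    elif uplink not in rule.uplinks:
        return "drop", "service not advertised on this uplink"
    elif not in_whitelist(pkt.src, rule.whitelist):    # assumed: list applies to external sources only
        return "drop", "source not in external host white list"

    if rule.mode == "no_nat":
        advertised = {rule.public_ip}
    elif uplink is None:
        advertised = {gw.uplink_ips[u] for u in rule.uplinks}
    else:
        advertised = {gw.uplink_ips[uplink]}
    if pkt.dst not in advertised or pkt.dport != rule.external_port:
        return "drop", "no inbound rule matches"

    if rule.mode == "no_nat":       # routed unchanged; the rule only opens the firewall
        return "forward", pkt
    # DNAT rewrites the destination to the internal server and keeps the client
    # address, so the server's own logs still show who connected.
    src = pkt.src
    if rule.mode == "full_nat":
        # Full NAT also rewrites the source to the gateway's in-zone address so the
        # server's replies come back through the gateway; the server then sees the
        # gateway, never the real client, as its peer.
        src = gw.zone_ip
    return "forward", Packet(src, rule.app_host, rule.app_port)


GW = Gateway(uplink_ips={"DC": "198.51.100.10", "MPLS": "10.255.0.10"},
             zone_ip="10.20.0.1", local_networks=("10.20.0.0/24", "10.10.0.0/24"))
# Web server on port 80 on the DC uplink with NAT inbound (full NAT), reflection on,
# white list limited to one partner network.
WEB = InboundRule("10.20.0.80", 80, frozenset({"DC"}), "full_nat", 80,
                  whitelist=("203.0.113.0/24",), reflection=True)
# RDP_AD as in the second example: DNAT, 3389 > 3389, no offset, white list off.
RDP_AD = InboundRule("10.10.0.5", 3389, frozenset({"DC"}), "dnat", 3389)
# The same rule with the white list on: only the administrators' jump host may connect.
RDP_AD_RESTRICTED = InboundRule("10.10.0.5", 3389, frozenset({"DC"}), "dnat", 3389,
                                whitelist=("203.0.113.7",))

if __name__ == "__main__":
    anyone = Packet("192.0.2.44", "198.51.100.10", 3389)   # an arbitrary internet host
    print("RDP_AD, white list off:", process_inbound(GW, RDP_AD, "DC", anyone))
    print("RDP_AD, white list on: ", process_inbound(GW, RDP_AD_RESTRICTED, "DC", anyone))
    print("web via full NAT:      ", process_inbound(GW, WEB, "DC", Packet("203.0.113.9", "198.51.100.10", 80)))
    print("web reflected:         ", process_inbound(GW, WEB, None, Packet("10.20.0.50", "198.51.100.10", 80)))
```

Run it and the unrestricted RDP_AD rule forwards port 3389 for any internet source, while the restricted variant drops everything outside the listed host; the full-NAT web rule shows the server receiving connections from the gateway’s zone address rather than the client’s, which is the logging trade-off noted above.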