Configuring management ACL rules
You can secure access to a SteelHead Interceptor using an internal management Access Control List (ACL) in the Administration > Security: Management ACL page.
SteelHead Interceptors are subject to the network policies defined by your corporate security policy, particularly in large networks. Using an internal management ACL, you can:
Restrict access to particular interfaces or protocols of a SteelHead Interceptor.
Restrict inbound IP access to a SteelHead Interceptor, protecting it from hosts that are not permitted to reach it, without relying on a separate device (such as a router or firewall).
Specify by IP address which hosts or groups of hosts can access and manage a SteelHead Interceptor, simplifying the integration of SteelHead Interceptors into your network.
The Management ACL provides these safeguards to prevent accidental disconnection from the SteelHead Interceptor:
It detects the IP address you are connecting from and displays a warning if you add a rule that denies connections to that address.
It converts well-known port and protocol combinations such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.
It tracks changes to default service ports and automatically updates any references to changed ports in the access rules.
To set up a management ACL
1. Choose Administration > Security: Management ACL to display the Management ACL page.
Management ACL page
2. Under Management ACL Settings, complete the configuration as described in this table.
Enable Management ACL: Secures access to a SteelHead Interceptor using a management ACL.
3. Click Apply to apply your changes to the running configuration.
4. Click Save to save your settings permanently.
If you add, delete, edit, or move a rule that could disconnect connections to the SteelHead Interceptor, a warning message appears. Click Confirm to override the warning and allow the rule definition anyway. Use caution when overriding a disconnect warning.
To add a management ACL rule
1. Under Add a New Rule, complete the configuration as described in this table.
Add a New Rule: Displays the controls for adding a new rule.
Action: Select one of these rule types from the drop-down list:
Allow: Allows a matching packet access to the SteelHead Interceptor. This is the default action.
Deny: Denies access to any matching packet.
Service: Select All, or select a specific service (HTTP, HTTPS, SOAP, SNMP, SSH, or Telnet) from the drop-down list. When a specific service is selected, the Protocol and Destination Port fields are unavailable because the service determines them.
Protocol: (Appears only when Service is set to All.) Select All, TCP, UDP, or ICMP from the drop-down list. The default setting is All. When set to All or ICMP, the Destination Port field is unavailable.
Destination Port: (Appears only when Protocol is set to TCP or UDP.) Specify the destination port of the inbound packet, either a single port or a range in the form port1-port2, where port1 must be less than port2. Leave it blank to match all ports.
Source Network: Optionally, specify the source subnet of the inbound packet in CIDR notation, for example 1.2.3.0/24. Leave it blank to match any source address.
Interface: Optionally, select an interface type from the drop-down list. Select All to match all interfaces.
Description: Optionally, describe the rule to facilitate administration.
Rule Number: Optionally, select a rule number from the drop-down list (Start, 1, or End). By default, the rule is placed at the end of the table, just above the default rule.
The SteelHead Interceptor evaluates rules in numerical order starting with rule 1. The first rule whose conditions match the packet is applied, and no further rules are consulted for that packet; if a rule does not match, the next rule is consulted. For example, if rule 1 does not match, rule 2 is consulted; if rule 2 matches, it is applied and the remaining rules are skipped.
The default rule, Allow, which allows all remaining traffic from everywhere that has not been matched by another rule, cannot be removed and is always listed last. Because the default rule permits everything, an ACL that contains only Allow rules restricts nothing: to limit management access to the hosts you allow, finish the list with an explicit Deny rule (Service set to All, no Source Network) placed just above the default rule.
Log Packets: Tracks denied packets in the log. By default, packet logging is enabled.
Add: Adds the rule to the list. The Management Console displays the Rules table and applies your modifications to the running configuration, which is stored in memory.
Remove Selected: Select the check box next to the rule and click Remove Selected.
Move Selected: Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.
2. Click Save to save your settings permanently.
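The first-match evaluation order, the fixed default Allow rule, the conversion of a protocol/port pair into a named service, and the disconnect warning described above can be worked through in code. The following Python model is an added example written for this page; it is not Riverbed software and does not talk to a SteelHead Interceptor. The service-to-port table uses the standard default ports (an assumption; an appliance tracks its own configured service ports), the network 10.0.0.0/24 and the addresses 10.0.0.5 and 192.0.2.7 are constructed values, and the interface name primary is an assumption.

```python
"""First-match management ACL model with a fixed final Allow rule.

Added example for this page only; not Riverbed code and not a device API.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known services the ACL recognises, with their standard default ports.
# Assumed from the usual defaults; a real appliance tracks its own service ports.
SERVICES = {
    "ssh": ("tcp", 22),
    "telnet": ("tcp", 23),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "snmp": ("udp", 161),
}
PROTO_NUMBERS = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    protocol: str = "all"                    # "all", "tcp", "udp" or "icmp"
    ports: Optional[Tuple[int, int]] = None  # inclusive (port1, port2); None = all ports
    source: Optional[str] = None             # CIDR source network; None = any source
    interface: str = "all"                   # interface name or "all"
    description: str = ""
    log: bool = True                         # Log Packets (on by default)

    def __post_init__(self) -> None:
        # Mirror the form's constraints: a range needs port1 <= port2, and a
        # destination port only applies when Protocol is TCP or UDP.
        if self.ports is not None and self.ports[0] > self.ports[1]:
            raise ValueError("port1 must not exceed port2")
        if self.protocol in ("all", "icmp") and self.ports is not None:
            raise ValueError("Destination Port requires Protocol TCP or UDP")


def service_rule(action: str, service: str, source: Optional[str] = None,
                 interface: str = "all") -> Rule:
    """Rule for a named Service; Protocol and Destination Port are derived from it."""
    proto, port = SERVICES[service]
    return Rule(action, proto, (port, port), source, interface, description=service)


def canonical_service(protocol, port: int) -> Optional[str]:
    """The conversion the page describes: protocol 6 plus port 22 is recognised as SSH.
    protocol may be a name ("tcp") or an IP protocol number (6)."""
    name = PROTO_NUMBERS.get(protocol, protocol)
    for svc, (p, dport) in SERVICES.items():
        if p == name and dport == port:
            return svc
    return None


def _matches(rule: Rule, proto: str, dport: Optional[int], src: str, iface: str) -> bool:
    if rule.protocol != "all" and rule.protocol != proto:
        return False
    if rule.ports is not None and (dport is None or not rule.ports[0] <= dport <= rule.ports[1]):
        return False
    if rule.source is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.source):
        return False
    if rule.interface != "all" and rule.interface != iface:
        return False
    return True


def evaluate(rules: List[Rule], proto: str, dport: Optional[int], src: str,
             iface: str = "primary") -> Tuple[str, Optional[int]]:
    """Walk the rules in order; the first match wins. Returns (action, rule number),
    with rule number None when only the fixed default Allow rule matched."""
    for number, rule in enumerate(rules, start=1):
        if _matches(rule, proto, dport, src, iface):
            return rule.action, number
    return "allow", None


def would_disconnect(rules: List[Rule], admin_ip: str, service: str = "https",
                     iface: str = "primary") -> bool:
    """The disconnect safeguard: does this rule set deny the session the
    administrator is currently using (the web console over HTTPS by default)?"""
    proto, port = SERVICES[service]
    action, _ = evaluate(rules, proto, port, admin_ip, iface)
    return action == "deny"


# Constructed rule set: allow SSH and HTTPS from the admin subnet, deny everything else.
ADMIN_NET = "10.0.0.0/24"
RULES = [
    service_rule("allow", "ssh", source=ADMIN_NET),
    service_rule("allow", "https", source=ADMIN_NET),
    Rule("deny", description="deny all other management traffic"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", 22, "10.0.0.5"))        # ('allow', 1)
    print(evaluate(RULES, "tcp", 22, "192.0.2.7"))       # ('deny', 3)
    print(evaluate(RULES[:2], "tcp", 443, "192.0.2.7"))  # ('allow', None): no Deny rule, default applies
    print(canonical_service(6, 22))                      # ssh
    print(would_disconnect(RULES, "192.0.2.7"))          # True
```

The third call shows the point that matters in practice: with the trailing Deny rule removed, a connection from outside the admin subnet falls through to the default rule and is allowed, so the two Allow rules on their own restrict nothing. The last call reproduces the warning case: an administrator connected from 192.0.2.7 who applies this rule set would cut off their own session.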