Configuring a Management ACL
You can secure access to a SCC using an internal management Access Control List (ACL) in the Management ACL page.
SCCs are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can:
• restrict access to certain interfaces or protocols of a SCC.
• restrict inbound IP access to a SCC, protecting it from access by hosts that do not have permission without using a separate device (such as a router or firewall).
• specify which hosts or groups of hosts can access and manage a SCC by IP address, simplifying the integration of SteelHeads into your network.
The management ACL provides these safeguards to prevent accidental disconnection from the SteelHead, the SCC, and the embedded Shark feature:
• It detects the IP address you are connecting from and displays a warning if you add a rule that denies connections to that address.
• It always allows the default SteelHead ports 7800, 7801, 7810, 7820, and 7850.
• It always allows a previously connected SCC to connect and tracks any changes to the IP address of the SCC to prevent disconnection.
• It converts well-known port and protocol combinations, such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection: for example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.
• It tracks changes to default service ports and automatically updates any references to changed ports in the access rules.
To set up a management ACL
1. Choose Administration > Security: Management ACL to display the Management ACL page.
Figure: Configuring Management ACL and Adding New Rules
2. Under Management ACL Settings, complete the configuration as described in this table.
Control | Description |
Enable Management ACL | Select this check box to enable the management ACL. |
Apply | Applies your settings to the running configuration. |
3. Click Save to Disk to save your settings permanently.
Adding ACL Management Rules
The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on a SCC, the destination specifies the SCC itself, and the source specifies a remote host.
The ACL rules list contains default rules that allow you to use the management ACL with branch service RiOS features, such as DNS caching. These default rules allow access to certain ports required by these features. The list also includes default rules that allow access to the SCC and the embedded Shark feature.
To add an ACL management rule
1. Under Management ACL Settings, complete the configuration as described in this table.
Control | Description |
Add a New Rule | Displays the controls for adding a new ACL rule. |
Action | Select one of these rule types from the drop-down list: • Allow - Allows a matching packet access to the SteelHead. This is the default action. • Deny - Denies access to any matching packets. |
Service | Optionally, select Specify Protocol, or HTTP, HTTPS, SOAP, SNMP, SSH, Telnet. When specified, the Destination Port is dimmed. |
Protocol | (Appears only when Service is set to Specify Protocol.) Optionally, select All, TCP, UDP, or ICMP from the drop-down list. The default setting is All. When set to All or ICMP, the Service and Destination Ports are dimmed. |
Source Network | Optionally, specify the source subnet of the inbound packet; for example, 1.2.3.0/24. |
Destination Port | Optionally, specify the destination port of the inbound packet, either a single port value or a port range of port1-port2, where port1 must be less than port2. Leave it blank to specify all ports. |
Interface | Optionally, select an interface name from the drop-down list. Select All to specify all interfaces. |
Description | Optionally, describe the rule to facilitate administration. |
Rule Number | Optionally, select a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule). SteelHeads evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted. Note: The default rule, Allow, which allows all remaining traffic from everywhere that has not been selected by another rule, cannot be removed and is always listed last. |
Log Packets | Tracks denied packets in the log. By default, packet logging is enabled. |
Add | Adds the rule to the list. The Management Console redisplays the Rules table and applies your modifications to the running configuration, which is stored in memory. |
Remove Selected | Select the check box next to the name and click Remove Selected. |
Move Selected | Moves the selected rules. Click the > next to the desired rule position; the rule moves to the new position. |
2. Click Save to Disk to save your settings permanently.
Note: If you add, delete, edit, or move a rule that could disconnect connections to the SCC, a warning message appears. Click Confirm to override the warning and allow the rule definition anyway. Use caution when overriding a disconnect warning.