Management ACL
You configure management ACL for the selected security policy in the Management ACL page.
Appliances are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can:
• restrict access to certain interfaces or protocols of an appliance.
• restrict inbound IP access to an appliance, protecting it from access by hosts that do not have permission without using a separate device (such as a router or firewall).
• specify that hosts or groups of hosts can access and manage an appliance by IP address, simplifying the integration of appliances into your network.
The Management ACL provides the following safeguards to prevent accidental disconnection from the SCC:
• detects the IP address you are connecting from and displays a warning if you add a rule that denies connections to that address.
• always enables the default appliance ports 7800, 7801, 7810, 7820, and 7850.
• always enables a previously-connected SCC to connect and tracks any changes to the IP address of the SCC to prevent disconnection.
• converts well-known port and protocol combinations, such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.
• tracks changes to default service ports and automatically updates any references to changed ports in the access rules.
For details about management ACL, see the SteelHead Management Console User’s Guide for SteelHead CX.
The Management ACL page contains the following groups of settings:
Management ACL Settings
The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on a SCC, the destination specifies the SCC itself, and the source specifies a remote host.
Complete the configuration as described in this table.
Control | Description |
Enable Management ACL | Secures access to an appliance using a management ACL. |
Adding a New Rule
The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on an appliance, the destination specifies the appliance itself, and the source specifies a remote host.
The ACL rules list contains default rules that allow you to use the management ACL with the RiOS features PFS, DNS caching, and RSP. These default rules allow access to certain ports required by these features. The list also includes a default rule that enables access to the SCC.
Complete the configuration as described in this table.
Control | Description |
Add a New Rule | Displays the controls for adding a new rule. |
Action | Select one of the following rule types from the drop-down list: • Allow - Enables a matching packet access to the SCC. This is the default action. • Deny - Denies access to any matching packets. |
Service | Select All, HTTP, HTTPS, SOAP, SNMP, SSH, or Telnet. When specified, the Destination Port is dimmed and unavailable. |
Protocol | (Appears only when Service is set to Specify Protocol.) Optionally, select All, TCP, UDP, ICMP or a specify a protocol number (1, 6, 17). The default value is All. When set to All or ICMP, the Service and Destination Ports are dimmed and unavailable. |
Source Network | Optionally, specify the source network of the inbound packet. |
Interface | Optionally, select an interface name from the drop-down list. Select All to specify all interfaces. |
Description | Optionally, describe the rule to facilitate administration. |
Rule Number | Optionally, select a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule). Appliances evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted. Note: The default rule, Allow, that enables all remaining traffic from everywhere that has not been selected by another rule, cannot be removed and is always listed last. |
Log Packets | Tracks denied packets in the log. By default, packet logging is enabled. |
Add | Adds the rule to the list. |
Remove Selected | Select the check box next to the name and click Remove Selected. |
Move Selected | Moves the selected rules. Click the > next to the desired rule position; the rule moves to the new position. |