Configuring a management ACL

Edges are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can:

• restrict inbound IP access to an Edge, protecting it from access by hosts that do not have permission without using a separate device (such as a router or firewall).

• specify which hosts or groups of hosts can access and manage an Edge by IP address, simplifying the integration of Edges into your network.

The management ACL provides these safeguards to prevent accidental disconnection from the Edge, the SCC, and the embedded Shark feature:

• It detects the IP address you are connecting from and displays a warning if you add a rule that denies connections to that address.

• It always allows a previously connected SCC to connect and tracks any changes to the IP address of the SCC to prevent disconnection.

• It converts well-known port and protocol combinations such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.

• It tracks changes to default service ports and automatically updates any references to changed ports in the access rules.

Under Management ACL Settings, this configuration option is available:

Secures access to a SteelHead using a management ACL.

If you add, delete, edit, or move a rule that could disconnect connections to the Edge, a warning message appears. Click Confirm to override the warning and allow the rule definition. Use caution when overriding a disconnect warning.

Adding an ACL management rule

Restoring the default ACL management rule for DNS caching

The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on a Edge, the destination specifies the Edge itself, and the source specifies a remote host.

The ACL rules list contains default rules that allow you to use the management ACL with branch service RiOS features, such as DNS caching. These default rules allow access to certain ports required by these features. The list also includes default rules that allow access to the SCC and the embedded Shark feature.

Under Management ACL Settings, these configuration options are available:

Displays the controls for adding a new rule.

Specifies one of these rule types from the drop-down list:

Specifies Specify Protocol, or HTTP, HTTPS, SOAP, SNMP, SSH, Telnet. When specified, the Destination Port is dimmed.

Specifies All, TCP, UDP, or ICMP from the drop-down list. The default setting is All. When set to All or ICMP, the Service and Destination Ports are dimmed. (This option appears only when Service is set to Specify Protocol.)

Specifies the source subnet of the inbound packet: for example, 1.2.3.0/24.

Specifies the destination port of the inbound packet, either a single port value or a port range of port1-port2, where port1 must be less than port2. Leave it blank to specify all ports.

Specifies an interface name from the drop-down list. Select All to specify all interfaces.

Describes the rule to facilitate administration.

Specifies a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule).

SteelHeads evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule don’t match, the system consults the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is consulted. If rule 2 matches the conditions, it’s applied, and no further rules are consulted.

The default rule, Allow, which allows all remaining traffic from everywhere that has not been selected by another rule, can’t be removed and is always listed last.

Tracks denied packets in the log. By default, packet logging is enabled.

When you add the rule to the list, the Management Console redisplays the Rules table and applies your modifications to the running configuration, which is stored in memory.

When you change the default port of services such as SSH, HTTP, HTTPS, on either the client-side appliance or server-side appliance and create a management ACL rule denying that service, the rule will not work as expected. The appliance on the other end (either server or client) of an in-path deployment does not know that the default service port has changed, and consequently optimizes the packets to that service port. To work around this problem, add a pass-through rule to the client-side Edge for the management interfaces. The pass-through rule prevents the traffic from coming from the local host when optimized.

A management ACL rule that denies access from port 20 on the server-side appliance in an out-of-path deployment prevents data transfer using active FTP. In this deployment, the FTP server and client cannot establish a data connection because the FTP server initiates the SYN packet and the management rule on the server-side appliance blocks the SYN packet. To work around this problem: