7 Replies Latest reply on Feb 21, 2015 12:18 PM by mike18

    Access control Rules and Zones and Policies

    mike18

      Hi Everyone,

      1. Need to confirm: when we make access control rules and choose source and destination IPs, is it possible that source and destination can belong to different zones?

      2. Also, say we have 3 interfaces and 3 zones. Can we make more than 3 policies, say 5, and under those policies can we make as many access control rules as we want?

      3. Does the number of interfaces have to be equal to the number of zones?

      Regards

      Mike

        • 1. Re: Access control Rules and Zones and Policies
          PhilM

          Mike -

          If I read your questions correctly, I suspect you may be having some translation issues when it comes to the functionality of this product.

          Access control rules and policies are one and the same thing. Some people call them policies, some call them access control rules, some call them access control lists. But they are the same in my mind - as far as this product is concerned.

          What you can do, to help to organise things, is to put rules into logical groups, and you can expand and collapse those groups to make reading a little easier if you have a lot of rules. I have seen installations in small business environments which have only 20-30 rules, but have also seen installations in larger corporates where there could be over 2,000 rules. Depends largely on the requirements and number of configured interfaces/zones.

          1 - Because it is only necessary to create a rule for traffic passing across zone boundaries, the answer to this question is always going to be yes in my view. Simple rules may specify <Any> in the source and destination host sections, but the source and destination zones will often be different (internal -> external, DMZ -> internal, etc...). One exception where source & destination zones will likely be the same is for traffic passing against a NAT boundary.

          e.g. If the external IP address is 1.1.1.1 and you have a DMZ zone configured to use a private subnet (say, 10.10.10.x), if you want to grant external user access to a web server located on your DMZ (10.10.10.50), the source and destination zones in the rule will both be "external". The destination host will be the object corresponding to the external interface's IP address (1.1.1.1) and you will then specify a redirect host address object for the 10.10.10.50 IP address.

          2 - Not really sure what you are asking for here. But you can create as many rules as you need. Like most firewalls, Firewall Enterprise operates a top-down mechanism. So for each new connection request, it starts at rule #1 and works down until it finds a match. As you will have already noticed, there is a system-defined "Deny All" rule at the bottom of the rule list. So, if the connection request is not matched to any other rule, it will always match this one and will be denied.

          3 - Not necessarily. As mentioned in a previous question of yours, the interface-to-zone relationship can be many-to-one. I often use a simple example of an office with two floors, each floor using its own subnet (192.168.1.x & 192.168.2.x, for example). The network for each floor can connect to a separate interface on the Firewall and you can choose to assign each interface to its own separate zone (floor1 & floor2). But in this scenario, if you wanted to allow the same degree of outbound access for both floors, you would either have to duplicate each rule you create, or make sure you assign both entries to the source zone part of your rule. Another option would be to create a single zone (Trusted) and in the interface configuration screen assign this zone to both interfaces. Now, when you create a rule based on the "Trusted" zone, it will apply equally to both networks - unless you then decide to assign source host restrictions.

          It is also possible to create a virtual zone (a zone definition with no assigned physical interface), which is often used for IPSec VPNs. If, when creating a VPN security association, you specify the internal zone (or whatever you have called it) the tunnel is essentially transparent - allowing all hosts to access any destination for any protocol. If you want to use a VPN to secure a connection with a 3rd party, but only allow them to be able to communicate with a particular server at your end for, say, remote support, you can specify the virtual zone definition in the VPN definition and then use Firewall rules between this zone and your internal zone to control who is able to access what, how, and when.

          -Phil.

          • 2. Re: Access control Rules and Zones and Policies
            mike18

            Hi Phil,

            Currently when I click on Access Control Rules I see 7 groups, so these are logical groups, right?

            Under each group I see the different access control rules.

            For example, we have a logical group called Administration and it has 5 different rules.

            One rule is to allow the Admin Console to the device on port 9003.

            For this we have source as 192.168.50.x and the destination is the firewall itself.

            For this rule the zone for source and destination is the same.

            As per you, we need rules to allow traffic going via the firewall.

            Do you know why we have the same zone here?

            Also, to allow the SNMP server to talk to the firewall, we have a rule to allow the SNMP agent with source, say, 192.168.51.x to talk to the firewall inside interface 192.168.52.x.

            This rule also has the same zone for source and destination?

            Can you please explain why?

            Regards

            Mike

            • 3. Re: Access control Rules and Zones and Policies
              PhilM

              As per you, we need rules to allow traffic going via the firewall.

              Do you know why we have the same zone here?

              As I may have mentioned in answer to a previous question of yours, sometimes rules are required in order to access services on the Firewall itself. The Admin Console rule is one such example. The reason why the source and destination zones are the same for these types of rules is because the client machine (source) is located on the internal zone of the Firewall and the destination (the interface on the Firewall with which you wish to establish the Admin Console session) is also on the internal zone. So, source zone=internal & destination zone=internal. The same applies to the SSH server rule, also located in the Administration group, which is used to provide you with command line access to the appliance.

              The groups you speak of are purely for logical organisation. If you look, each rule is numbered and this is the order in which the rules are processed when the Firewall receives a connection request (be it something like an Admin Console request to the Firewall itself, or a request to pass traffic across a zone boundary). Next to the group name you should see two numbers in brackets - e.g. Administration (10-15) - this tells you that the group in question contains rules 10 through to 15 (the numbers in your case may differ). Prior to v6 of MFE the groups didn't exist and the access rules screen simply displayed a flat list of all of the rules from top to bottom. For a firewall with 20-30 rules this isn't an issue. But, for hundreds (if not thousands) this makes for a very long list. Placing rules into groups helps with logical organisation. But, as I previously mentioned, the groups can be expanded and contracted, so for rules (such as the Administration rules) which may not change often, you can collapse this group and therefore reduce the number of rules you see on the screen. Rules can also be disabled. So instead of deleting a rule, you can disable it if you are trying to test something. The rule remains in place, and still occupies the same position in the list, but will not be processed by the Firewall until it is enabled again.

              As it seems you are quite new to this product, it is also worthwhile pointing out the search box located near the top of many of the Admin Console screens. You can enter search parameters and this will filter the view to only show matching entries. Particularly useful in the network/address objects screen, the Applications screen and the Access Rules screen. Even though your list of rules may be quite short, if you collapse the Administration group so that the rules themselves disappear from view, you can then type "Admin" into the search box and it should show you all rules (hidden or not) matching this string.

              -Phil.
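The grouping behaviour Phil describes in this reply (numbered rules, a group header such as "Administration (10-15)", collapsed groups, search that still finds hidden rules, and disabled rules that keep their slot) can be modelled in a few lines. The following is an added example written for this thread, not code or data from the product; the rule names, numbers and group names are constructed. It also checks the one invariant that makes a "(10-15)" label meaningful: a group's rules must be contiguous in the processing order, otherwise the range would hide rules from other groups.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample; nothing here is exported from a real appliance.

@dataclass
class Rule:
    number: int        # position in the top-down processing order
    name: str
    group: str
    enabled: bool = True

@dataclass
class Group:
    name: str
    rules: List[Rule]
    collapsed: bool = False

    def label(self):
        """Header as shown next to the group name, e.g. 'Administration (10-15)'."""
        nums = [r.number for r in self.rules]
        return f"{self.name} ({min(nums)}-{max(nums)})"

def build_groups(rules):
    """Turn a flat, numbered rule list (the pre-v6 view) into groups, keeping processing order."""
    groups, by_name = [], {}
    for r in sorted(rules, key=lambda r: r.number):
        if r.group not in by_name:
            by_name[r.group] = Group(r.group, [])
            groups.append(by_name[r.group])
        by_name[r.group].rules.append(r)
    return groups

def check_ranges(groups):
    """True when every group is a contiguous block of rule numbers, so '(10-15)' is honest."""
    expected = 1
    for g in groups:
        for r in g.rules:
            if r.number != expected:
                return False
            expected += 1
    return True

def render(groups):
    """Lines the Access Rules screen would show; a collapsed group hides its rules."""
    lines = []
    for g in groups:
        lines.append(g.label())
        if not g.collapsed:
            lines.extend(f"  {r.number}. {r.name}{'' if r.enabled else ' [disabled]'}"
                         for r in g.rules)
    return lines

def search(groups, text):
    """The search box matches rules whether or not their group is collapsed."""
    t = text.lower()
    return [r.number for g in groups for r in g.rules if t in r.name.lower()]

def processing_order(groups):
    """Rule numbers the firewall actually consults: disabled rules keep their slot but are skipped."""
    return [r.number for g in groups for r in g.rules if r.enabled]

SAMPLE = [
    Rule(1, "Admin Console", "Administration"),
    Rule(2, "SSH Server", "Administration"),
    Rule(3, "SNMP Agent", "Administration"),
    Rule(4, "Outbound web", "Internet Access"),
    Rule(5, "Outbound DNS", "Internet Access", enabled=False),
    Rule(6, "Inbound web to DMZ", "Inbound Services"),
]

if __name__ == "__main__":
    groups = build_groups(SAMPLE)
    groups[0].collapsed = True          # hide the Administration rules from view
    print("\n".join(render(groups)))
    print("search 'admin':", search(groups, "admin"))
    print("processed:", processing_order(groups))
```

Collapsing the Administration group removes rules 1-3 from `render` but not from `search`, which is the point Phil makes about typing "Admin" into the search box.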

              • 4. Re: Access control Rules and Zones and Policies
                mike18

                Hi Phil,

                You got it, I am new to the McAfee world.

                It's been a few weeks that I am responsible for the McAfee firewalls here.

                You explained it very well and I will go through it. The stuff you explained is very good and hard to find.

                In Cisco, if we need SSH or GUI access to the firewall we do the config but no ACL is needed, as the traffic is for the firewall itself.

                Seems in McAfee, if we need access to the firewall via SSH or GUI, we need access control rules.

                Best Regards

                Mike

                • 5. Re: Access control Rules and Zones and Policies
                  mike18

                  Hi Phil,

                  One question that arises from the floor example which you gave is:

                  "But in this scenario, if you wanted to allow the same degree of outbound access for both floors, you would either have to duplicate each rule you create, or make sure you assign both entries to the source zone part of your rule."

                  Here, if we assign both the Floor 1 interface and Floor 2 interface subnets 192.168.1.x and 192.168.2.x to the source, the source now shows

                  192.168.1.x

                  192.168.2.x

                  We are assuming here that we have a separate interface and zone for each floor.

                  When we assign both subnets 192.168.1.x and 192.168.2.x to the source, then which zone should we choose for the source?

                  Can we choose 2 zones for this?

                  or

                  To make it work with both subnets we need to have 2 different interfaces for each floor but both assigned to the same zone, right?

                  Regards

                  Mike

                  • 6. Re: Access control Rules and Zones and Policies
                    PhilM

                    "To make it work with both subnets we need to have 2 different interfaces for each floor but both assigned to the same zone, right?"

                    Basically, yes.

                    Working on the principle that both floors are to be treated with the same degree of trust, you place both interfaces into the same zone, and when you create rules with source criteria of source zone = BothFloors, source = <Any>, client machines from either floor will match the rule. If you needed to lock things down and you only wanted to allow Floor1 access to a particular external service, you could create a rule with source zone=BothFloors, source = 192.168.1.x.

                    If you need to keep the two subnets completely separate then you would assign each interface to its own zone, and if you then needed to pass traffic between Floor1 & Floor2 you would need to create rules to allow this.

                    There are multiple ways of achieving the same thing. In v7 you could create zone groups, so you could stick with your 1-to-1 relationship between interfaces and zones, but if you wanted to create a rule which was applicable to more than one source zone you could create a zone group and use that instead. Since v8, it is possible to specify multiple individual zones in the source zone section of the rule, and you can still create zone groups if you want. At the end of the day, there isn't necessarily a correct way, but a way of doing it that makes sense to you.

                    -Phil.
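Phil's first reply (zone boundaries, the external-to-external NAT redirect rule, top-down first-match processing with a system Deny All at the bottom, and the many-to-one interface-to-zone mapping) and this reply (zone groups, or several zones listed directly in a rule, and a host restriction to lock a rule down to Floor1) describe one evaluation model. The following is an added example written for this thread that simulates that model; it is not Firewall Enterprise code or an export of any configuration. Interface names (em0-em3), the firewall's addresses, the routing table, rule names and the hypothetical zone group "BothFloors" are all constructed. Switching both floor interfaces to a single "trusted" zone is just a change to the INTERFACE_ZONE map.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed topology; interface names and addresses are hypothetical.
# Interface-to-zone is many-to-one: mapping em1 and em2 both to "trusted" would
# merge the floors into one zone without touching any rule.
INTERFACE_ZONE = {"em0": "external", "em1": "floor1", "em2": "floor2", "em3": "dmz"}
# The firewall's own interface addresses: a connection *to* one of these lands in that
# interface's zone, which is why the Admin Console rule is internal -> internal.
FIREWALL_ADDRS = {"1.1.1.1": "external", "192.168.1.1": "floor1", "10.10.10.1": "dmz"}
# Routing decides the destination zone for traffic passing *through* the firewall.
ROUTES = {"192.168.1.0/24": "floor1", "192.168.2.0/24": "floor2", "10.10.10.0/24": "dmz"}
DEFAULT_ROUTE_ZONE = "external"
# A v7-style zone group (hypothetical name); since v8 a rule may also list zones directly.
ZONE_GROUPS = {"BothFloors": {"floor1", "floor2"}}

@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    action: str                              # "allow" or "deny"
    src_zones: FrozenSet[str]                # zone names and/or zone-group names
    dst_zones: FrozenSet[str]
    src_hosts: Tuple[str, ...] = ("any",)    # CIDR strings, or "any"
    dst_hosts: Tuple[str, ...] = ("any",)
    service: str = "any"
    enabled: bool = True
    redirect: Optional[str] = None           # NAT redirect host for an inbound rule

@dataclass(frozen=True)
class Conn:
    in_iface: str
    src: str
    dst: str
    service: str

# System-defined rule that always sits at the bottom of the list.
DENY_ALL = Rule(9999, "Deny All (system)", "deny", frozenset({"*"}), frozenset({"*"}))

def expand_zones(zones):
    """Resolve zone-group names into member zones; '*' stands for any zone."""
    out = set()
    for z in zones:
        out |= ZONE_GROUPS.get(z, {z})
    return out

def zone_match(zone, rule_zones):
    allowed = expand_zones(rule_zones)
    return "*" in allowed or zone in allowed

def host_match(addr, patterns):
    return "any" in patterns or any(ip_address(addr) in ip_network(p) for p in patterns)

def zone_of_destination(dst):
    if dst in FIREWALL_ADDRS:                # a service on the firewall itself
        return FIREWALL_ADDRS[dst]
    a = ip_address(dst)
    for net, zone in ROUTES.items():
        if a in ip_network(net):
            return zone
    return DEFAULT_ROUTE_ZONE

def evaluate(rules, conn):
    """Top-down, first match wins; Deny All catches anything no other rule matched."""
    src_zone = INTERFACE_ZONE[conn.in_iface]
    dst_zone = zone_of_destination(conn.dst)
    for r in sorted(rules, key=lambda r: r.number) + [DENY_ALL]:
        if not r.enabled:
            continue                         # keeps its slot but is not processed
        if (zone_match(src_zone, r.src_zones) and zone_match(dst_zone, r.dst_zones)
                and host_match(conn.src, r.src_hosts) and host_match(conn.dst, r.dst_hosts)
                and r.service in ("any", conn.service)):
            return r
    return DENY_ALL

RULES = [  # constructed rule base
    Rule(1, "Admin Console", "allow", frozenset({"floor1"}), frozenset({"floor1"}),
         src_hosts=("192.168.50.0/24",), dst_hosts=("192.168.1.1/32",), service="tcp/9003"),
    Rule(2, "Inbound web to DMZ", "allow", frozenset({"external"}), frozenset({"external"}),
         dst_hosts=("1.1.1.1/32",), service="tcp/80", redirect="10.10.10.50"),
    Rule(3, "Outbound web, both floors", "allow", frozenset({"BothFloors"}),
         frozenset({"external"}), service="tcp/80"),
    Rule(4, "Floor1 DNS out", "allow", frozenset({"floor1"}), frozenset({"external"}),
         src_hosts=("192.168.1.0/24",), service="udp/53"),
    Rule(5, "Old test rule", "allow", frozenset({"floor1", "floor2"}), frozenset({"dmz"}),
         enabled=False),
]

def decide(conn):
    """Return (matched rule number, action, redirect host) for one connection request."""
    r = evaluate(RULES, conn)
    return r.number, r.action, r.redirect

if __name__ == "__main__":
    for c in (Conn("em1", "192.168.50.10", "192.168.1.1", "tcp/9003"),   # Admin Console
              Conn("em0", "203.0.113.7", "1.1.1.1", "tcp/80"),          # inbound, redirected
              Conn("em2", "192.168.2.20", "198.51.100.9", "tcp/80"),    # floor2 via zone group
              Conn("em2", "192.168.2.20", "198.51.100.9", "udp/53"),    # floor2: no DNS rule
              Conn("em1", "192.168.1.20", "10.10.10.50", "tcp/443")):   # only a disabled rule
        print(c, "->", decide(c))
```

The first connection shows why an Admin Console rule is floor1 -> floor1: the destination is one of the firewall's own addresses. The second is the NAT case from Phil's first reply, external -> external with a redirect host. The last two both fall through to Deny All, one because the only matching rule is restricted to Floor1 hosts, the other because the only candidate rule is disabled.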

                    • 7. Re: Access control Rules and Zones and Policies
                      mike18

                      Hi Phil,

                      Many thanks for explaining it so well again.

                      Best Regards

                      Mike