Apart from rules explicitly defined by an administrator, the Security Gateway also creates implied rules,
which are derived from Global Properties definitions. Implied rules enable certain connections to occur to
and from the gateway using a variety of different services. The firewall places implied rules either first, last,
or immediately before last rule in the Rule Base.
Examples of implied rules include rules that enable Security Gateway control connections and outgoing
packets originating from the Security Gateway.
To view implied rules:
1. Add at least one rule to the rule base.
2. Click View > Implied Rules.
The Firewall tab displays the Implied Rules in addition to the user-defined rules.
Order of Rule Enforcement:
The Security Gateway inspects packets and applies rules in a sequential manner. When a Security Gateway
receives a packet from a connection, it inspects the packet and applies the first rule in the Rule Base, then
the second rule and so on.
Once all elements in a given rule match the information contained the packet (source, destination, service,
etc.), the Security Gateway stops the inspection and immediately applies that rule. If no applicable rule is
found in the Rule Base, the traffic is automatically blocked.
It is essential that you understand the concept of rule processing. The firewall always enforces the first
matching rule to any given packet. This may not necessarily the rule that best applies to the traffic.
It is important to carefully plan your Rule Base and place rules in the appropriate order. The best practice is
to put rules that apply to very specific conditions at the beginning of the Rule Base. General rules should be
put toward the end of the Rule Base.
Rules are processed in the following order:
1. First Implied Rule: This rule cannot be modified or overwritten in the Rule Base. No rules can be
placed before it.
2. Explicit Rules: These are administrator-defined rules, which may be located anywhere between the first
and the next to last implied rules.
3. Next to Last Implied Rules: These are more specific implied rules that are applied before the last
implied rule is enforced.
4. Last Implied Rule: This is the default rule, which typically rejects all packets without logging.
Example Access Control Rule:
The following screen shot shows a typical access control rule, as seen in the Firewall tab of
SmartDashboard. This rule states that HTTP connections that originate from the branch office that are
directed to any destination, will be accepted and logged.
Figure 1-2 Typical access control rule
Special Considerations for Access Control:
This section describes Access Control scenarios.
The key to effective firewall protection is a simple Rule Base. One of the greatest dangers to the security of
your organization is misconfiguration. For example, a user may try to sneak spoofed, fragmented packets
past your firewall if you have accidentally allowed unrestricted messaging protocols. To keep your Rule
Base simple, ensure that it is concise and therefore easy to understand and maintain. The more rules you
have, the more likely you are to make a mistake.
When creating rules, ensure that you allow only traffic that you want. Consider traffic initiated and crossing
the firewall from both the protected and unprotected sides of the firewall.
The following basic access control rules are recommended for every Rule Base:
- A Stealth Rule to prevent direct access to the Security Gateway.
- A Cleanup Rule to drop all traffic that is not permitted by the previous rules. There is an implied rule that
does this, but the Cleanup Rule allows you to log such access attempts.
Remember that the fundamental concept behind the Rule Base is that actions that are not explicitly
permitted are prohibited.
Rule order is a critical aspect of an effective Rule Base. Having the same rules, but putting them in a
different order, can radically alter the effectiveness of your firewall. It is best to place more specific rules first
and more general rules last. This order prevents a general rule from being applied before a more specific
rule and protects your firewall from misconfigurations.
Topology Considerations: DMZ:
If you have servers that are externally accessible from the Internet, it is recommended to create a
demilitarized zone (DMZ). The DMZ isolates all servers that are accessible from untrusted sources, such as
the Internet, so that if one of those servers is compromised, the intruder only has limited access to other
externally accessible servers. Servers in the DMZ are accessible from any network, and all externally
accessible servers should be located in the DMZ. Servers in the DMZ should be as secure as possible. Do
not allow the DMZ to initiate connections into the internal network, other than for specific applications such as UserAuthority.
The X11 (X Window System Version 11) graphics display system is the standard graphics system for the
Unix environment. To enable X11, you must create a specific rule using the X11 service. If you select Any
as the Source or Destination, the X11 service is not included because when using the X11 service, the
GUI application acts as the server rather than the client.