Extreme Networks EPICenter Guide User Manual
Policy Types
EPICenter Concepts and Solutions Guide
163
In the EPICenter Policy Manager, each policy type acts somewhat like a template, allowing you to
specify only components that are valid for the policy type. For example, the Policy Manager expects you
to enter two sets of endpoints for a Security or an IP policy, but only a single set of endpoints for a
VLAN or Source Port policy. In addition, the Policy Manager will only show endpoints of valid types in
the Select Policy Traffic list in the Edit Policy, Network Resource, Server, Clients or Users Endpoints
windows.
Access-based Security Policies
Access-based Security Policies represent a new policy type similar to IP policies. They are dynamic
policies, designed and typically implemented at the edge of the network, that enforce user-based
security on an IP basis whenever and wherever the user connects. The principal difference is that the
ACL rules associated with the policy are dynamically applied to and removed from the network in
response to network login and 802.1x login and logout events. The IP addresses are static in nature and
determined by the network resources. The device port through which the user logs on dynamically determines
the user IP addresses. In addition, unlike IP policies, security policies are applied only on the device
through which the user logged on. These policies operate in concert with the currently defined static
policies and other access-based security policies and share the same precedence properties.
You use Access-based Security policies for a number of important reasons. One primary function of
these policies is to protect core network resources by controlling and enforcing security for user access
at the point of entry to the network (e.g., edge network devices). Additionally, these policies allow you
to augment the basic yes/no security provided by Netlogin with finer-grained control of access levels.
Users can be granted or denied access to certain areas of the network and users can be given different
service level guarantees by the use of different QoS profiles.
You also use Access-based Security policies to grant various levels of service on a per-user or
user-group level. By using different QP assignments on a per-user or user-group basis in the access domain
of the security policy, each user receives a specific level of service on the edge device port. Static IP
policies should be defined in conjunction with dynamic user policies to establish a baseline security
access level and QoS level for all users. Typically, these static IP policies would be used to deny access
to sensitive network resources and/or to provide a base level of quality of service. These static IP policies
should have lower precedence than the dynamic user-based security policies, so that the dynamic
user-based security policies can override the static IP policies on a per-user basis.
Access-based Security policies are implemented with dynamic ACL allocation/deallocation on a per
edge device port basis by the policy server based on current users on the network. The ACL rules are
only applied to the single edge device port in the access domain on demand upon user network login
(netlogin / 802.1x). This differs from the static IP, VLAN and source port policies which apply the ACL
rules in a persistent manner on devices specified by the policy scope.
In the EPICenter Policy Manager, the endpoints of the traffic flow for Access-based Security policies are
defined as one or more services and users. The EPICenter Policy Manager lets you specify the endpoints
using named resources, such as user names or host names, or groups that include such resources. If you
specify a group resource as an endpoint, only the resources within the group (and its subgroups) that
can be mapped to an IP or subnet address will be used as policy endpoints on the network services
side.
The default traffic direction for Access-based Security policies is user to network resource(s), which
creates ACL rules with the source IP address as the user's IP address and the destination IP address as
the network resource IP address. This secures the network as the user is denied or permitted access to
the network resource(s). The bidirectional traffic setting is used when security policies grant access and
additionally provide quality of service. The quality of service for the traffic between the user and the
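The mechanism described in this section, as an added example that is not part of the manual or of EPICenter's own code: a small Python model of the policy server that resolves group endpoints to IP prefixes (skipping members with no address), builds user-to-resource ACL rules at login (adding the reverse direction when the policy is bidirectional), installs them only on the edge port the user logged on through, removes them at logout, and orders dynamic rules above the static baseline. The resource names, addresses, QoS profile names, port identifiers and rule tuple layout are constructed for the example.

```python
from ipaddress import ip_network

# Constructed resource table (not from the manual): a plain resource maps to a prefix,
# a group lists its members, and entries with no address never become endpoints.
RESOURCES = {
    "finance-db": "10.1.10.5/32",
    "finance-web": "10.1.10.6/32",
    "finance-printers": None,  # no IP mapping, so skipped when endpoints are built
    "finance": ["finance-db", "finance-web", "finance-printers"],
}

def resolve_endpoints(name, seen=None):
    """Expand a named resource or group (and its subgroups) into IP prefixes."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against a group that contains itself
        return []
    seen.add(name)
    value = RESOURCES.get(name)
    if value is None:
        return []
    if isinstance(value, list):
        return [p for member in value for p in resolve_endpoints(member, seen)]
    return [str(ip_network(value))]

def build_rules(user_ip, policy):
    """ACL rules for one login: user -> resource, plus reverse if bidirectional."""
    src, rules = str(ip_network(user_ip)), []
    for dst in (p for res in policy["resources"] for p in resolve_endpoints(res)):
        rules.append((src, dst, policy["action"], policy["qp"], policy["precedence"]))
        if policy.get("bidirectional"):   # the setting used when QoS is also granted
            rules.append((dst, src, policy["action"], policy["qp"], policy["precedence"]))
    return rules

class PolicyServer:
    """Dynamic ACL allocation per edge port, keyed by the port the user logged on."""
    def __init__(self, static_rules):
        self.static = list(static_rules)   # persistent rules from static policies
        self.ports = {}                    # (device, port) -> {user: [rules]}

    def login(self, device, port, user, user_ip, policy):
        self.ports.setdefault((device, port), {})[user] = build_rules(user_ip, policy)

    def logout(self, device, port, user):
        self.ports.get((device, port), {}).pop(user, None)

    def effective_rules(self, device, port):
        """Rules active on one port, highest precedence first (dynamic above static)."""
        dynamic = [r for rs in self.ports.get((device, port), {}).values() for r in rs]
        return sorted(dynamic + self.static, key=lambda r: r[4], reverse=True)
```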