Occasional Contributor I
Posts: 7
Registered: ‎01-26-2015

policies most specific to less specific OR vice versa

Hi guys,

It is my first post here, and I am very excited :)

TOPIC FIREWALL:

Aruba says that GENERALLY (I like that) most specific policies should go on the TOP (as in any other firewall, we examine the rules TOP -> BOTTOM), and then the less specific rules, towards the bottom.

On my last job, the security team told us to do the opposite (Palo Alto and iptables firewalls), meaning, most general rules at the top, and less general rules at the bottom.

Both ways have upsides:

- most specific rules first: we avoid checking so many rules, therefore we reduce performance requirements.

- less specific rules first: I would say that the sooner we kick a client out, the better, meaning we give fewer chances to hear about open ports.

Comments are very welcome :)

Josu.

Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: policies most specific to less specific OR vice versa

It is probably more about organization, than anything else.  You want it more specific to less specific so that you can easily understand if and why a rule is not working.  The rule evaluation is top to bottom, so they should be written from the most specific to less specific.  It is not really about what ports are opened or how soon you want to kick a client off.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: policies most specific to less specific OR vice versa

Hi Friend,

Policy execution works the same way in all the vendors. It is called the pyramid rule. On top of that, this rule is not there to speed up the execution process but rather to select the perfect one.

Here is an example:

Suppose we have to block a particular host (e.g. 192.168.1.100) in a subnet (192.168.1.0/24) from accessing TFTP. We can write the policy in two different ways:

1. access-list 199 remark permit the whole subnet first
   access-list 199 permit ip 192.168.1.0 0.0.0.255 any
   access-list 199 remark never reached for 192.168.1.100, it was already permitted above
   access-list 199 deny udp host 192.168.1.100 any eq 69

2. access-list 199 remark deny the single host for TFTP (UDP/69) first
   access-list 199 deny udp host 192.168.1.100 any eq 69
   access-list 199 remark then permit everything else from the subnet
   access-list 199 permit ip 192.168.1.0 0.0.0.255 any

Both policies look very similar but the execution is completely different. The first one will not stop the host 192.168.1.100 from accessing TFTP because the first rule says anybody from the subnet 192.168.1.0 can access anything; host 192.168.1.100 is also part of the same subnet, so it will be allowed and the process will never check the next rule.

As far as the second method is concerned, we are denying the specific host, therefore that host will be stopped from accessing TFTP. If any other host tries to access TFTP, the traffic will not match the first rule, so the process will execute the second rule.

Bottom line: most specific means the rule matching or filtering the minimum number of hosts should come first. We should write the rules top to bottom in ascending order with respect to the number of hosts each rule filters.

For your ref:

[Attached image: fPolicy1.JPG]

Please feel free to ask any further query on this.

Cheers,
Venu Puduchery,
[Has my post helped you? Give Kudos :) ]
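The first-match behaviour Venu describes can be checked mechanically. The following is an added example, not code from the thread or from any vendor: a small top-to-bottom rule evaluator with two constructed rules mirroring his ACL (permit the whole 192.168.1.0/24 subnet, deny host 192.168.1.100 to UDP/69), plus a shadow check that flags any rule fully covered by an earlier, broader one, which is the general form of the mistake in ordering 1. The rule fields, class names and the `shadowed_rules` helper are this example's own assumptions, not a real firewall API.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One ACL entry (constructed model, not a vendor format)."""
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    proto: str             # "ip" matches any protocol, else "udp"/"tcp"
    dport: Optional[int]   # destination port, None means any port

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        net_self = ipaddress.ip_network(self.src)
        net_other = ipaddress.ip_network(other.src)
        return (
            net_other.subnet_of(net_self)
            and (self.proto == "ip" or self.proto == other.proto)
            and (self.dport is None or self.dport == other.dport)
        )


def evaluate(rules: List[Rule], src_ip: str, proto: str, dport: int,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation, top to bottom.

    Returns (action, index of the rule that matched); index is None when
    no rule matched and the implicit default applied.
    """
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, proto, dport):
            return rule.action, i
    return default, None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs: rule j can never fire
    because an earlier rule i already matches everything j would match."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


# Constructed rules, mirroring the two entries in the ACL example above.
PERMIT_SUBNET = Rule("permit", "192.168.1.0/24", "ip", None)
DENY_HOST_TFTP = Rule("deny", "192.168.1.100/32", "udp", 69)

ORDER_GENERAL_FIRST = [PERMIT_SUBNET, DENY_HOST_TFTP]   # ordering 1 above
ORDER_SPECIFIC_FIRST = [DENY_HOST_TFTP, PERMIT_SUBNET]  # ordering 2 above


if __name__ == "__main__":
    for name, order in (("general first", ORDER_GENERAL_FIRST),
                        ("specific first", ORDER_SPECIFIC_FIRST)):
        verdict = evaluate(order, "192.168.1.100", "udp", 69)
        print(f"{name}: 192.168.1.100 -> TFTP = {verdict}, "
              f"shadowed = {shadowed_rules(order)}")
```

Running it shows ordering 1 permits the host's TFTP traffic at rule 0 and reports the deny rule as shadowed, while ordering 2 denies it at rule 0, lets other subnet hosts through on rule 1, and has no shadowed entries. The shadow check is the part worth keeping in a review pipeline: a specific rule that an earlier general rule fully covers is dead configuration, and it is exactly what Colin's "why a rule is not working" question turns up.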