Wireless Access

last person joined: 19 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

policies most specific to less specific OR viceversa

This thread has been viewed 0 times

  • 1.  policies most specific to less specific OR viceversa

    Posted Jan 28, 2015 06:21 AM

    Hi guys,

     

     

    It is my first post here, and I am very excited :) 

     

    TOPIC FIREWALL:

     

    AUBA says that GENERALLY (I like that) most specific policies should go on the TOP (as in any other firewall, we examine the rules TOP -> BOTTOM), and then the less specific rules, towarss the bottom.

     

    On my last job, the security team told us to do the opposite (Palo Alto and IPtables firewalls), meaning, most general rules at the top, and less general rules at the bottom.

     

    Both ways have upsides:

    -  most specific rules first: We avoid checkin so many rules, therefore we reduce performance requirements.

    - less specific rules first: I would say, that the sooner we kick a client out, the better, Meaning, we give less chances to hear to opened ports.

     

     

    Commenst are very welcome :)

     

    Josu.



  • 2.  RE: policies most specific to less specific OR viceversa

    EMPLOYEE
    Posted Jan 28, 2015 06:57 AM

    It is probably more about organization, than anything else.  You want it more specific to less specific so that you can easily understand if and why a rule is not working.  The rule evaluation is top to bottom, so they should be written from the most specific to less specific.  It is not really about what ports are opened or how soon you want to kick a client off..



  • 3.  RE: policies most specific to less specific OR viceversa
    Best Answer

    Posted Jan 28, 2015 07:01 AM

    Hi Friend,

     

    Policy execution method is similar in all the vendors. it is called as pyramid rule.on top of it, this rule is not to speedup the execution process rather to select the perfect one.

     

    here is an example :

     

    Suppose if we have to block a particular host ( Ex: 192.168.1.100) in a subnet(192.168.1.0 /24) to access TFTP, we ca write the policy in two different ways,

     

    1. IP access list extended 199 192.168.1.0 255.255.255.0 any any permit

    IP access list extended 199 host 192.168.1.100 any UDP 69 deny

     

    2. IP access list extended 199 host 192.168.1.100 any UDP 69 deny

    IP access list extended 199 192.168.1.0 255.255.255.0 any any permit

     

    Both policies looks very similar but execution is completely different, First one will not stop the host 192.168.1.100 on accessing the TFTP because , first rule says anybody from the the subnet , 192.168.1.0 can access any thing, host 192.168.1.100 also part of the same subnet so it will be allowed, process will never check the next rule.

     

    where as the second method is concern, we are denying the specific host therefore the host will be stopped accessing the TFTP, if any other host trying to access the TFTP, traffic will not match with the first rule so the process will execute the second rule.

     

    bottom line is, Most specific ,means rule matching or filtering minimum hosts should come first. we should write the rules top to bottom in ascending order WRT the hosts that rule is filtering.

     

    For your ref :

     

     

    fPolicy1.JPG

     

    Please fee free for any further query on this.