The Network Object Groups branch of the Tools and Services tree is where you create, store, and modify network object groups. A network object group is a logical collection of objects from your Network Topology tree that you can reference as a whole from a destination condition node or source condition node within security policy abstracts. The network objects the group contains are treated as if they were combined with an "or" statement: traffic matches the condition node if it matches any member of the group.
Additionally, you can create folders under the Network Object Groups branch in which to organize your network object groups.
Network object groups are logical collections of objects from your Network Topology tree. They are one of the many components that you can use in constructing security policy abstracts, and are key components in constructing scalable security policies. They can contain any object that appears in your Network Topology tree, but they cannot contain perimeters, interfaces, host names, or IP addresses. Although these items are acceptable source or destination conditions, they cannot be added to a network object group; to refer to these items in a security policy abstract, you must refer to them from a separate source or destination condition node.
Network object groups reside on the Network Object Groups branch of the Tools and Services tree. When you create or select a group, a simple add/delete list appears in the View pane; you use it to add network objects to the group or remove them from it. You can create and store the groups directly on the Network Object Groups branch, and you can further organize the network object groups by categorizing them within folders that you create on the branch.
Network object groups are used to refer to multiple network objects from a single source or destination condition node within security policy abstracts. Each source or destination condition node can refer to a single item, such as an object in your Network Topology tree, a perimeter, an interface, or a specific host name or address. By collecting multiple network objects in a network object group, you can reference all objects in the group as a single item from a source or destination condition. Without the network object group, you would have to use multiple source or destination condition nodes in an "or" or "else" configuration, each one referring to a single network object, within the security policy.
For example, if you have multiple web servers located on various networks throughout your Network Topology tree, you can create a single network object group that contains all your web servers and use that group as the source or destination within your security policy. Figure 5-1 shows a simplified example of what a policy using a network object group would look like. The policy contains a source of whatever object in the Security Policy Enforcement branch the policy is applied to, a service condition of Web Services (which is a bundle of services related to using the web), and a destination condition of Web Servers, which is actually a network object group containing all web servers in the Network Topology tree.

Without using the network object group, you would have to create a source or destination condition for each web server. Figure 5-2 shows the same policy as above, but without the use of a network object group in the destination condition node.

One main benefit of using network object groups is in the creation of scalable security policies. By utilizing the associative capabilities of network object groups, you can grow your policies along with your network. When you add an object to or remove an object from a network object group, the change automatically propagates to all policies that refer to that network object group.
In the discussion above, we mentioned creating a network object group that contained all the web servers in the various networks you are managing. If you add another web server to your topology, and you want the same policies that apply to your current web servers to apply to the new one, you simply add that web server to your Web Servers network object group. If you had not used a network object group, you would have to find every security policy that applies to your web servers and update each one with another source or destination condition node.
Another benefit of using network object groups is that they reduce the complexity of your security policies by reducing the number of nodes and branches within the graphical construct of the policies. Instead of requiring multiple source or destination condition nodes to refer to several network objects, you only need one to refer to the network object group. The decision tree will have a much simpler structure, which, when combined with appropriately named network object groups, makes it easier to read and interpret.
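The propagation and "or" semantics described above, as an added example that is not part of the original page or of Cisco Secure Policy Manager: a small Python model in which two policies reference one Web Servers group. Adding a member to the group changes what every referencing policy matches and how many per-object rules it would otherwise expand to (the Figure 5-2 form), and the group refuses the object kinds the page says cannot be members (perimeters, interfaces, host names, addresses). The class and function names and the sample topology are assumptions made for this example.

```python
"""Toy model of network object groups and the policies that reference them.

Added illustration for this page; it is not Cisco Secure Policy Manager code.
All names here (NetworkObject, NetworkObjectGroup, Policy, matches,
expand_policy, demo) and the sample topology are assumed for the example.
"""
from dataclasses import dataclass, field

# Object kinds the page says are valid source/destination conditions but
# may NOT be placed inside a network object group.
NOT_GROUPABLE = {"perimeter", "interface", "host name", "address"}


@dataclass(frozen=True)
class NetworkObject:
    """Something that can appear in a condition node: a topology object,
    or a perimeter/interface/host name/address (which cannot be grouped)."""
    name: str
    kind: str = "host"


@dataclass
class NetworkObjectGroup:
    """Logical collection of topology objects, evaluated as an 'or'."""
    name: str
    members: set = field(default_factory=set)

    def add(self, obj: NetworkObject) -> None:
        # Mirrors the page's restriction: perimeters, interfaces, host names
        # and addresses must be referenced from their own condition node.
        if obj.kind in NOT_GROUPABLE:
            raise ValueError(f"a {obj.kind} cannot be a group member: {obj.name}")
        self.members.add(obj)

    def delete(self, obj: NetworkObject) -> None:
        self.members.discard(obj)


@dataclass
class Policy:
    """One abstract: source condition -> service condition -> destination."""
    name: str
    source: object        # NetworkObject or NetworkObjectGroup
    service: str
    destination: object   # NetworkObject or NetworkObjectGroup


def _resolve(cond) -> set:
    """A group condition stands for all its members; anything else for itself."""
    if isinstance(cond, NetworkObjectGroup):
        return set(cond.members)
    return {cond}


def matches(policy: Policy, src: NetworkObject, service: str,
            dst: NetworkObject) -> bool:
    """'or' semantics: any member of a group satisfies that condition node."""
    return (service == policy.service
            and src in _resolve(policy.source)
            and dst in _resolve(policy.destination))


def expand_policy(policy: Policy) -> list:
    """Flatten to the per-object rules you would otherwise maintain by hand
    (the Figure 5-2 form): one (source, service, destination) per member pair."""
    return sorted((s.name, policy.service, d.name)
                  for s in _resolve(policy.source)
                  for d in _resolve(policy.destination))


def demo() -> dict:
    """Constructed scenario: two policies share one Web Servers group."""
    inside = NetworkObject("Inside Net", "network")
    admin = NetworkObject("admin-ws")
    web1, web2, web3 = (NetworkObject(n) for n in ("web1", "web2", "web3"))

    web_servers = NetworkObjectGroup("Web Servers")
    web_servers.add(web1)
    web_servers.add(web2)

    allow_web = Policy("Allow Web", inside, "Web Services", web_servers)
    admin_ssh = Policy("Admin SSH", admin, "SSH", web_servers)

    rules_before = len(expand_policy(allow_web))                    # 2
    web3_before = matches(allow_web, inside, "Web Services", web3)  # False

    # A new web server is added to the group once; every policy that
    # references the group picks it up without being edited.
    web_servers.add(web3)
    rules_after = len(expand_policy(allow_web))                     # 3
    web3_after = matches(allow_web, inside, "Web Services", web3)   # True
    ssh_rules_after = len(expand_policy(admin_ssh))                 # 3

    # A perimeter is a valid destination condition on its own, but the
    # group refuses it, as the page specifies.
    try:
        web_servers.add(NetworkObject("DMZ", "perimeter"))
        perimeter_rejected = False
    except ValueError:
        perimeter_rejected = True

    return {"rules_before": rules_before, "rules_after": rules_after,
            "web3_before": web3_before, "web3_after": web3_after,
            "ssh_rules_after": ssh_rules_after,
            "perimeter_rejected": perimeter_rejected}


if __name__ == "__main__":
    print(demo())
```

The point of `expand_policy` is to make the scaling argument concrete: the group keeps the policy at one destination node, while the flattened list grows by one rule per member per referencing policy, which is exactly the editing you avoid.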
You can perform the following tasks with Network Object Groups:
To create a new network object group, perform the following steps:
Step 2 Right-click the Network Object Groups branch icon in the Navigator pane, point to New, and then click Network Object Group on the shortcut menu.
Result: A new icon representing the network object group appears in the Navigator pane. The Name box of the new network object group is active. The property panel for the network object group appears in the View pane.

Note You do not need to create a new network object group directly in the branch; you can instead right-click the folder icon of a network object group folder to create the group directly in the folder.
Step 3 To name the new network object group, type the name in the selected Name box, and then press Enter.
Result: The new name is applied to the new network object group.
Cisco Secure Policy Manager supports long names and the use of most alphanumeric or symbol characters, in both uppercase and lowercase. However, you cannot use quotation marks (") or a semicolon (;).
Tips If you cannot edit the name, right-click the new network object group icon and click Rename on the shortcut menu.
Step 4 To add a network object to the network object group, expand the network topology tree that appears in the Available Network Objects box, select the network object, and then click Add.
Result: The network object name appears in the Included Network Objects box. Repeat this procedure until you have added all desired network objects to the new network object group.
Note You cannot select multiple objects in the Available Network Objects box. You must select and add each needed object individually.
Step 5 To remove a network object from the network object group, select it in the Included Network Objects box, and then click Delete.
Result: The network object name no longer appears in the Included Network Objects box.
Note You cannot select multiple objects in the Included Network Objects box. You must select and remove each unwanted object individually.
Step 6 To accept your changes and close the properties panel, click OK.
Step 7 To save any changes that you have made, click Save on the File menu.
To modify an existing network object group, perform the following steps:
Step 2 Click the network object group icon in the Navigator pane.
Result: The network object group property panel appears in the View pane.

Note If the network object group properties panel does not appear in the View pane, right-click the network object group icon in the Navigator pane and select Properties.
Step 3 To add a network object to the group, select a network object in the Available Network Objects box, and then click Add.
Result: The network object name appears in the Included Network Objects box.
Step 4 To delete a network object from the group, select a network object in the Included Network Objects box, and then click Delete.
Result: The network object name no longer appears in the Included Network Objects box.
Step 5 To accept your changes and close the panel, click OK.
Step 6 To save any change you have made, click Save on the File menu.
Posted: Thu May 25 13:25:09 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.