The Security Policy Abstracts branch of the Tools and Services tree is where you create, store, and manage your security policy abstracts. A security policy abstract is an object that represents a security policy in the Cisco Secure Policy Manager Navigator pane. The security policy contained in the abstract consists of a graphical decision tree made up of source, service, and destination conditions, and of actions.
When you create a new security policy abstract in the Security Policy Abstracts branch, it is automatically populated with a decision tree that contains a source of "this network object" (referring to the object in the Security Policy Enforcement branch to which the policy is or will be applied). When you create a security policy abstract in the Default Policies folder, it is automatically populated with a decision tree that contains a single Deny node. You use Policy Builder to modify this default decision tree to suit your needs.
You can organize your security policy abstracts in folders that you create under the Security Policy Abstracts branch. The branch also contains three default folders: the Example Policies folder, the System Policies folder, and the Default Policies folder.
A security policy abstract can contain one of two types of security policy: a standard security policy or a default security policy. A standard security policy must contain a source or a destination condition of "this network object," meaning that whatever object the security policy is applied to in the Security Policy Enforcement branch acts as the source or destination condition of the security policy. This construction gives you the flexibility to create generic security policies that you can apply to different objects in the Security Policy Enforcement branch.
A default security policy, however, does not have to contain a source or destination condition of "this network object." In a default security policy you must explicitly specify the source and destination of the network traffic being regulated. Default security policies can only be created in the Default Policies folder of the Security Policy Abstracts branch, and can only be applied to the Default Policy node in the Security Policy Enforcement branch.
For more information about the construction of standard and default security policies and the decision trees used to define policy, refer to "Policy Builder." For more information about the Default Policy and the Security Policy Enforcement branch, refer to "Security Policy Enforcement."
The Example Policies folder is an organizational folder like the ones that you can create under the Security Policy Abstracts branch. This means that you can use it to store policies, rename it, or delete it as you would any other user folder. For more information about organizational folders, see "Folders."
Additionally, the Example Policies folder is populated with two example policies: HTTP Outbound and Standard Services. These policies are provided as examples of what developed policies may look like. You can safely modify, rename, or delete these policies without affecting Cisco Secure Policy Manager, or use them as is if you choose. If this is your first time using Cisco Secure Policy Manager, you may want to use these policies as practice policies to become familiar with using Policy Builder to develop or modify security policy decision trees.
The System Policies folder in the Security Policy Abstracts branch is a special folder used by Cisco Secure Policy Manager. Do not delete or rename this folder, or use it to store user-created security policies.
Cisco Secure Policy Manager automatically generates several security policies. These policies ensure that the system can communicate with its various components and with the Policy Enforcement Points. In a distributed installation, these policies ensure that the various primary and secondary servers can communicate across Policy Enforcement Points. They also ensure that the policy server is not accidentally isolated from the other components of Cisco Secure Policy Manager.
You cannot modify the automatically generated policies. If you delete an automatically generated policy, it will be recreated the next time you perform a Save and Update operation.
The Default Policies folder is a special folder used by Cisco Secure Policy Manager. Do not delete or rename this folder.
The Default Policies folder contains the policies that you can apply to the Default Policy node under the Security Policy Enforcement branch of the Network Policy tree. The default policy is the top-level user-definable policy. Although you can only apply a single policy to the Default Policy node, you can create multiple default policies in the Default Policies folder, which enables you to develop new default policies for future use without changing your current security stance.
Policies constructed in the Default Policies folder are the only security policies that do not have to contain a source or destination condition set to "this network object" (referring to the object in the Security Policy Enforcement branch to which the policy is or will be applied). They can only be applied to the Default Policy node in the Security Policy Enforcement branch of the Network Policy tree.
Unlike the security policy abstracts that you create in the Security Policy Abstracts branch, or in a folder under the branch, security policy abstracts created in the Default Policies folder are pre-populated with only a single Deny node. You use Policy Builder to then construct the decision tree from that node.
You can create a new security policy abstract in either the Security Policy Abstracts branch of the Tools and Services tree or directly on an object in the Security Policy Enforcement branch of the Network Policy tree. The difference is that when you create a security policy in the Security Policy Abstracts branch, it still needs to be applied to a network object in the Security Policy Enforcement branch for the command sets to be generated, whereas when you create a security policy in the Security Policy Enforcement branch, it is already applied to the network object (and a security policy abstract is automatically added in the Security Policy Abstracts branch).
To create a new security policy abstract, perform the following task:
Result: A new node appears in the Navigator pane, and Policy Builder opens with the pre-populated decision tree displayed. If you created the new security policy abstract on the Security Policy Enforcement branch, the abstract is automatically given the name of the object on which it was created and is automatically added to the Security Policy Abstracts branch. If you created the security policy abstract in the Security Policy Abstracts branch, the Name box beside the security policy abstract icon is selected for editing.
Step 2 Type the new name in the Name box and press Enter. If you created the security policy abstract on an object in the Security Policy Enforcement branch, right-click the new security policy abstract icon in the Security Policy Enforcement branch and click Rename on the shortcut menu.
Result: The name appears beside the new node and at the top of the Policy Builder pane.
Step 3 To learn how to modify the pre-populated decision tree by creating or changing condition and action nodes, refer to "Policy Builder."
Step 4 To accept your changes and close Policy Builder, click Close.
Step 5 To save any changes that you have made, click Save on the File menu.
You modify an existing security policy abstract by opening the policy it contains in Policy Builder. You can modify security policies from two places: the Security Policy Abstracts branch of the Tools and Services tree or the Security Policy Enforcement branch of the Network Policy tree.
Whenever you modify a security policy, the changes are propagated to all instances of that security policy. If you modify a policy in the Security Policy Abstracts branch, the changes propagate to all instances of that security policy in the Security Policy Enforcement branch. Likewise, if you modify a security policy in the Security Policy Enforcement branch, the changes propagate to all instances of that security policy in the Security Policy Enforcement branch and to the instance of that security policy that resides in the Security Policy Abstracts branch.
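The two ideas in the paragraphs above, a standard abstract that carries a "this network object" placeholder resolved only when it is applied, and applied instances that all follow edits made to the one abstract, can be made concrete with a small model. The following Python is an added example written for this page; it is not Cisco Secure Policy Manager code and does not reflect its internal API. It assumes an ordered, first-match list of nodes as a stand-in for the graphical decision tree, deny as the fall-through, the names THIS_NETWORK_OBJECT, DEFAULT_POLICY_NODE and apply_policy, and that a default policy may not contain the placeholder at all (the page says only that its source and destination must be explicit).

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Placeholder that a standard abstract carries; it is resolved to the enforcement
# object only when the abstract is applied.
THIS_NETWORK_OBJECT = "this network object"
# Assumed name for the single Default Policy node (an assumption of this model).
DEFAULT_POLICY_NODE = "Default Policy"


@dataclass
class Node:
    """One decision-tree node: source, service and destination conditions plus an action.
    "*" matches anything; THIS_NETWORK_OBJECT is resolved at application time."""
    source: str
    service: str
    destination: str
    action: str  # "permit" or "deny"


@dataclass
class PolicyAbstract:
    """A security policy abstract: a name and an ordered decision tree."""
    name: str
    is_default: bool  # True only for abstracts created in the Default Policies folder
    nodes: List[Node] = field(default_factory=list)

    def uses_placeholder(self) -> bool:
        return any(THIS_NETWORK_OBJECT in (n.source, n.destination) for n in self.nodes)

    def validate(self) -> None:
        """Standard abstracts must carry the placeholder; default abstracts must be explicit."""
        if self.is_default and self.uses_placeholder():
            raise ValueError(f"{self.name}: a default policy must name source and destination explicitly")
        if not self.is_default and not self.uses_placeholder():
            raise ValueError(f"{self.name}: a standard policy needs a 'this network object' condition")


@dataclass
class AppliedPolicy:
    """One instance of an abstract applied to an enforcement object. It holds a
    reference to the abstract rather than a copy, so an edit to the abstract is
    seen by every instance, which is the propagation behaviour described above."""
    abstract: PolicyAbstract
    network_object: Optional[str]  # None when applied to the Default Policy node

    def _match(self, pattern: str, value: str) -> bool:
        if pattern == "*":
            return True
        if pattern == THIS_NETWORK_OBJECT:
            pattern = self.network_object
        return pattern == value

    def evaluate(self, source: str, service: str, destination: str) -> str:
        """Walk the tree in order; the first node whose conditions all match decides.
        With no match the flow is denied, the same result a lone Deny node gives."""
        for n in self.abstract.nodes:
            if (self._match(n.source, source) and self._match(n.service, service)
                    and self._match(n.destination, destination)):
                return n.action
        return "deny"


def apply_policy(abstract: PolicyAbstract, target: str) -> AppliedPolicy:
    """Apply an abstract to an enforcement target. Default abstracts go only on the
    Default Policy node; standard abstracts go only on ordinary network objects."""
    abstract.validate()
    if abstract.is_default != (target == DEFAULT_POLICY_NODE):
        raise ValueError(f"{abstract.name} cannot be applied to {target}")
    return AppliedPolicy(abstract, None if abstract.is_default else target)


def demo():
    """Constructed sample data: one generic outbound-web abstract applied to two objects."""
    web_out = PolicyAbstract("web-outbound", is_default=False, nodes=[
        Node(THIS_NETWORK_OBJECT, "http", "*", "permit"),
    ])
    dmz = apply_policy(web_out, "dmz-net")
    lan = apply_policy(web_out, "corp-lan")
    before = (
        dmz.evaluate("dmz-net", "http", "internet"),   # placeholder bound to dmz-net
        lan.evaluate("corp-lan", "http", "internet"),  # same abstract, bound to corp-lan
        lan.evaluate("dmz-net", "http", "internet"),   # not *this* object on corp-lan: deny
    )
    # Editing the abstract (as Policy Builder would) propagates to both instances.
    web_out.nodes.insert(0, Node(THIS_NETWORK_OBJECT, "http", "blocked-site", "deny"))
    after = (
        dmz.evaluate("dmz-net", "http", "blocked-site"),
        lan.evaluate("corp-lan", "http", "blocked-site"),
    )
    return before, after


if __name__ == "__main__":
    print(demo())  # (('permit', 'permit', 'deny'), ('deny', 'deny'))
```

The point of keeping a reference rather than a copy in AppliedPolicy is that a single edit to the abstract changes the behaviour of every object it is applied to at once, which is exactly why the Caution below matters: replacing an applied policy with a fresh one, rather than opening the existing abstract, silently breaks that link for that object.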
To modify an existing security policy abstract, perform the following task:
Caution: If you accidentally click New instead of Open, you will replace your existing applied policy with a completely new policy. If you replace the policy by accident, remove the new policy from the Security Policy Enforcement branch object, and then reapply the previous policy to the object. The previous policy will be located on the Security Policy Abstracts branch (or folder on the branch). Right-clicking the Security Policy Enforcement branch object where the new policy was accidentally created, selecting Policy, and then clicking Remove will remove the security policy attached to the object.
Result: Policy Builder opens and displays the selected security policy abstract. Any changes that you make to the instantiated policy propagate to the instance of the security policy abstract under the Security Policy Abstracts branch.
Step 2 To modify a security policy abstract in the Security Policy Abstracts branch, click the security policy abstract icon.
Result: Policy Builder opens and displays the selected security policy abstract. Any changes that you make to the security policy abstract are propagated to all instances of that security policy.
Tips: If Policy Builder does not display in the View pane, right-click the security policy abstract icon and select Policy, and then click Open.
Step 3 To learn about how to modify the security policy decision tree, refer to "Policy Builder."
Step 4 To accept your changes and close Policy Builder, click Close.
Step 5 To save any changes you have made, click Save on the File menu.
Posted: Thu May 25 13:25:40 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.