The Policy Domains branch of the Tools and Services tree is where you create, store, and manage your Policy Domains. A policy domain is a logical collection of perimeters that you can reference from a source or destination condition node within a security policy or add to the Security Policy Enforcement branch of the Network Policy tree.
You cannot create perimeters in the Policy Domains branch; you create perimeters when you add gateway objects to your network topology. As you create each perimeter, a perimeter node representing that perimeter is added to the Unassigned policy domain in the Policy Domains branch. You can then move that perimeter to another policy domain for use in a security policy or in the Security Policy Enforcement folder.
A perimeter represents a network or collection of networks that is bounded by one or more gateways. Each interface on a gateway object can be associated with only a single perimeter; a single gateway object cannot have two interfaces associated with the same perimeter, but two gateway objects may each have a single interface associated with one perimeter. As with policy domains, you can reference perimeters in the source or destination condition nodes of security policies, or add them to the Security Policy Enforcement branch of the Network Policy tree and apply policy to them.
Although perimeter nodes appear in policy domains in the Policy Domains branch, you cannot create a perimeter in the Policy Domains branch; you create perimeters when you define gateway objects in the Network Topology tree. Each interface on a gateway object is associated with a single perimeter.
Figure 6-1 illustrates the concept of perimeters.
The topology in the above figure contains two Policy Enforcement Points, P1 and P2. P1 contains three interfaces, Interface 0 through Interface 2. P2 contains two interfaces, Interface 0 and Interface 1.
Perimeter A is defined by Interface 1 of P1. Perimeter B is defined by Interface 2 of P1 and Interface 0 of P2 and represents all IP addresses that exist between the two interfaces. Perimeter C is defined by Interface 1 of P2. The Internet Perimeter, defined by Interface 0 of P1, represents all unknown networks or IP addresses.
You can use these perimeters in a policy domain to simplify the construction of network policy. If, for example, you want to allow some set of standard network services from the hosts residing on the networks within each perimeter to the Internet, you could construct the policy in the following manner:
First, you create a network service bundle that contains the standard services that you want to allow to the Internet. In this example, we will call it Standard Network Services. Next, you create a policy domain, called Trusted Networks in this example, that contains Perimeter A, Perimeter B, and Perimeter C and place the policy domain in the Security Policy Enforcement branch of the Network Policy tree. Finally, you create a security policy that contains a source condition of "this network object," a service condition of "Standard Network Services" (your service bundle that contains the services that you want to allow), and a destination condition of "Internet," and you apply that policy to the Trusted Networks policy domain in the Security Policy Enforcement branch.
Without a policy domain, each time you wanted to apply policy to those networks you would have to add each network to a folder in the Security Policy Enforcement branch and then apply the policy to the folder, which can be a time-consuming process in larger networks. Additionally, by using the policy domain, you create a more scalable security policy. As your network grows, you can add additional perimeters to the policy domain, and the security policy applied to the policy domain in the Security Policy Enforcement branch automatically includes the new perimeter when you update and publish the command sets. For this reason, even if you have only a single perimeter to add to the Security Policy Enforcement branch, destination condition, or source condition, you should create a policy domain to contain that perimeter and add the policy domain instead.
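As an added illustration, not part of the Cisco Secure Policy Manager documentation or product code, the following Python sketch models the rules described above: the interface-to-perimeter binding constraints, the Unassigned policy domain, moving a perimeter between policy domains (as described in the move task below), and how a policy applied to a policy domain covers perimeters added to it later. The class names and the perimeter names "Internet" and "Perimeter D" are constructed for this example.

```python
class Topology:
    """Binds gateway interfaces to perimeters and enforces the two rules stated above."""
    def __init__(self):
        self.perimeter_of = {}  # (gateway, interface index) -> perimeter name

    def bind(self, gateway, index, perimeter):
        # Rule 1: an interface is associated with exactly one perimeter.
        if (gateway, index) in self.perimeter_of:
            raise ValueError(f"{gateway} interface {index} is already bound")
        # Rule 2: one gateway cannot have two interfaces on the same perimeter.
        if any(g == gateway and p == perimeter for (g, _), p in self.perimeter_of.items()):
            raise ValueError(f"{gateway} already has an interface on {perimeter}")
        self.perimeter_of[(gateway, index)] = perimeter

class PolicyDomains:
    """Policy Domains branch: a new perimeter lands in Unassigned until you move it."""
    def __init__(self):
        self.domains = {"Unassigned": set()}

    def sync(self, topology):
        # Perimeter nodes that are in no domain yet are added to Unassigned.
        assigned = set().union(*self.domains.values())
        self.domains["Unassigned"] |= set(topology.perimeter_of.values()) - assigned

    def create(self, name):
        if '"' in name or ";" in name:  # the two characters the page disallows in names
            raise ValueError("quotation marks and semicolons are not permitted")
        self.domains.setdefault(name, set())

    def move(self, perimeter, dest):
        # A perimeter belongs to exactly one domain, so drop it everywhere first.
        for members in self.domains.values():
            members.discard(perimeter)
        self.domains[dest].add(perimeter)

def perimeters_covered(domains, applied_to):
    """Perimeters that a policy whose source condition is 'this network object' expands to
    when command sets are generated for the policy domain it is applied to."""
    return sorted(domains.domains[applied_to])

def build_figure_6_1():
    """Reproduces the topology of Figure 6-1 and the Trusted Networks policy domain."""
    t = Topology()
    t.bind("P1", 0, "Internet"); t.bind("P1", 1, "Perimeter A"); t.bind("P1", 2, "Perimeter B")
    t.bind("P2", 0, "Perimeter B"); t.bind("P2", 1, "Perimeter C")
    d = PolicyDomains(); d.sync(t); d.create("Trusted Networks")
    for p in ("Perimeter A", "Perimeter B", "Perimeter C"):
        d.move(p, "Trusted Networks")
    return t, d
```

Adding a new gateway with a "Perimeter D" interface, calling `sync`, and moving that perimeter into Trusted Networks extends what `perimeters_covered` returns without touching the policy itself, which is the scaling argument made above.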
You can perform the following tasks with folders:
To create a policy domain, perform the following task:
Step 2 Right-click the Policy Domains branch, point to New on the shortcut menu, and then click Policy Domain.
Result: A new node representing the new policy domain appears under the Policy Domains branch. The default name of the policy domain is automatically selected for renaming.
Step 3 Type the new name in the selected box, and then press Enter.
Result: The new name appears in the Name box of the selected folder.
Cisco Secure Policy Manager enables long names and the use of most alphanumeric or symbol characters. Also, you can use both uppercase and lowercase characters. However, you cannot use quotation marks (") or a semicolon (;).
Tips If you cannot edit the name, right-click the new Policy Domain node, and then click Rename on the shortcut menu.
Step 4 To save any changes you have made, click Save on the File menu.
To move a perimeter between policy domains, perform the following task:
Step 2 Drag the icon of the perimeter you want to move and drop it on the destination policy domain.
Result: The perimeter is moved to the designated policy domain.
If the policy domain that originally contained the perimeter is referenced in a policy, the perimeter will no longer be referenced in the policy and the appropriate commands will be removed when the command sets are next generated.
If the policy domain that now contains the perimeter is referenced in a policy, the perimeter will be included in the policy and the appropriate commands created when the command sets are next generated.
Step 3 To save any changes you have made, click Save on the File menu.
Posted: Mon Jun 5 19:59:48 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.