|
|
Policy Builder is the tool you use to view and modify your security policy content. The security policy content is represented in Policy builder as a graphical decision tree composed of condition nodes, condition branches, and action nodes. Policy Builder also provides a text-based description of the decision tree.
Policy Builder is displayed in the View pane. It has two major components: a left panel that contains the command buttons for the Policy Builder utility and a right panel in which you view or modify the graphical decision tree of a security policy. The right panel also contains a text description of the graphical decision tree above each node.
 |
Note You cannot use the policy text to modify a security policy---it simply provides a textual interpretation of the policy you are building graphically. |
When you first create a security policy abstract in the Security Policy Abstracts branch of the Tools and Services tree, it is populated with a default decision tree that contains a source of "this network object" (referring to the object in the Security Policy Enforcement branch to which the policy is or will be applied). When you first create a security policy abstract in the Default Policies folder of the Security Policy Abstracts branch, it is populated with a default decision tree that contains a single Deny node. You use Policy Builder to modify this default decision tree to suit your needs.
In this respect, there is no difference, from the perspective of Policy Builder, between developing a new security policy and modifying an existing one. When you develop a new security policy, you are simply modifying the default decision tree that appeared when you created the security policy abstract.
Policy Builder provides a rich, flexible language for constructing decision trees, which enables you to express a security policy in multiple ways. You can express a policy with a simple decision tree construct, or you can use the decision tree's branching structure to combine several simple constructs into a composite decision tree construct. You can create source-based policies, which evaluate the traffic originating from the object to which the policy is applied, or destination-based policies, which evaluate the traffic entering the object to which the policy is applied. You should refer to the subtopics below for more information about Policy Builder's decision trees.
When you create a security policy, you are building a decision tree that contains condition nodes with condition branches and action nodes (see Components of a Security Policy, in "Working with Security Policies" for more information about the available condition and action nodes). The decision tree is read starting from the top left, and follows each condition branch until a terminal action is reached. If no terminal action is reached, policy processing is deferred to another security policy according to the rules of inheritance in the Security Policy Enforcement branch (see Policy Evaluation Rules, and Policy Inheritance, in "Security Policy Enforcement" for more information).
A policy statement is single path through the decision tree. A policy statement can contain only one source condition, one service condition, and one destination condition. It may or may not contain non-terminal actions and terminal actions. The simplified decision tree shown in Figure 9-1 illustrates the concept of policy statements:
The first policy statement in this example reads "If source is this network object then if service is HTTP then if destination is Internet then Permit". It follows the "true" branch of each condition statement. The second policy statement reads "If source is this network object then if service is Telnet then if destination is Internet then Deny." It follows the ELSE statement for the first service condition.
This example also demonstrates what happens when decision tree evaluation does not end in a terminal action. If the source of the network traffic being evaluated in the example is not the network object to which this policy is applied, policy processing is deferred according to the policy evaluation and inheritance rules of the Security Policy Enforcement tree. In the preceding example, the deferral also applies to any unsatisfied service and destination conditions.
A policy statement does not have to contain all three conditional statements. You can create a decision tree that contains a policy statement that reads "If source is this network object then if service is HTTP then Deny." However, to allow the network traffic (with a Permit terminal action), you must have a policy statement within the decision tree that contains all three conditions.
Right-clicking any node (condition or action) in the decision tree calls up a shortcut menu from which you can select one of three commands. Understanding these commands and the options that each one presents is integral to building security policies that meet the needs of your network environment.
The Continue command adds another condition node to the decision tree. You can select from five different ways to position the new node on your decision tree: you can add an AND statement, an OR statement, a THEN statement, a NEXT statement, or an ELSE statement.
The Change To command replaces one type of node (condition or action) with another. Unlike the Continue command, which adds a new node to the decision tree, the Change To command changes an existing node. For example, if you have a Deny terminal action node at the end of a condition branch, you can use the Change To command to change it to another action node, such as Permit or Block Java, or to another condition node, such as Service or Destination.
The following restrictions apply to the Change To command. Policy Builder enforces these restrictions by making invalid options on the shortcut menu unavailable.
The Delete command removes the node on which you right-clicked to access the shortcut menu. Policy Manager does not prompt you before deleting the node. All nodes attached "downstream" from that branch along the "true" branch are also deleted, and any nodes attached to the ELSE branch are moved up to the position emptied by the delete action.
Policy Builder provides flexibility in the way you construct your decision trees to represent your security policies. Therefore, there may be multiple ways you can represent a security policy contained within a security policy abstract. This topic explains the branching techniques used to create simple and composite security policies.
A simple security policy does not employ complex branching techniques in the construction of the decision tree. Each policy statement (see Understanding Decision Trees), consisting of a source, service, destination, and action, is treated as a unit that can be either entirely true (all conditions satisfied), in which case the terminal action along the true branch is executed, or entirely false (one or more conditions are not satisfied), in which case the condition statement along the initial node's ELSE branch, if present, is executed. If there is no condition statement along the initial node's ELSE branch, policy evaluation is deferred according to the rules of policy evaluation and inheritance (see Policy Evaluation Rules and Policy Inheritance, in "Security Policy Enforcement" for more information). Figure 9-2 shows an example of a simple security policy decision tree.
A composite security policy uses nested IF statement to combine simple security policies into a more complex decision tree. Figure 9-3 shows the above example expressed as a composite security policy:
This example, however, does not adequately demonstrate the utility of composite policies, because it effectively eliminated only a single source node from the decision tree. The real strength of creating composite security policies comes from the ability to use branching logic to associate several conditions with a single pre-condition, such as associating several distinct destinations with a particular service, and several services with a single source condition. This ability to associate conditions makes the decision tree easier to read, because you will be able to quickly discern the destinations associated with a particular source/service, and scalable, because you can easily add another destination (or other condition) to a source/service branch without having to re-specify all three conditions.
Figure 9-4 shows an example of a security policy decision tree that has a single source condition ("this network object"), and uses a composite policy decision tree to associate several service conditions with the source and several destination conditions with each service.
Like the example in Figure 9-2, the decision tree could be expressed as a series of simple policies, but it would lose the flexibility and readability associated with composite decision trees. For example, if you wanted to permit HTTP traffic to another destination, you could simply add another destination condition to the HTTP branch by using an ELSE branch to add the destination to the list of destination conditions.
When you build a security policy, one of either the source or destination conditions in a path that is being evaluated in the decision tree must be set to "this network object." This creates two categories of security policy: source-based security policies, which have the source condition set to "this network object," and destination-based security policies, which have the destination condition set to "this network object."
|
Note The Default Policy is the exception to this rule. The Default Policy is the highest-level policy that the user can define. It is the policy that is evaluated if no other policies match the particular source/service/destination conditions. If the Default Policy does not match the source/service/destination conditions, the default stance of Cisco Secure Policy Manager to deny the session. In the Default Policy, you specify both source and destination for each service. |
Source-based security policies regulate traffic from a particular source. You should consider constructing source-based policies when you want to limit access from internal resources, such as networks, perimeters, or hosts, to other internal resources or to external resources. When you construct a source-based policy, we recommend that you start the decision tree with an "If source is this network object" condition node.
Destination-based security policies regulate traffic to a particular destination. You should consider constructing destination-based policies when you want to limit access to particular internal resources, such as web or FTP servers, from external or internal sources.
For example, in the case of web servers, the destination of the network traffic is the main concern. You want all your internal and external users to have HTTP access to your corporate web site, and you want your web development team to have FTP access to web servers. You would create a policy that started out with "If destination is this object" and follow that with each type of service you want to permit (an HTTP service condition and an FTP service condition), and then specify the particular sources that you are permitting for each service condition.
When you construct a destination-based policy, we recommend that you start the decision tree with an "If destination is this network object" condition node.
In some cases, you will have both source-based and destination-based policies related to the same object to enable bi-directional communication (for example, you want mail servers to be able to receive mail services from the Internet and also to send mail services to the Internet). One method for accomplishing this is to create two instances of your mail servers in the Security Policy Enforcement branch. You then create two policies for this, one source-based permitting mail traffic out and one destination-based permitting mail traffic in, and apply each one to an instance of your mail servers on your Security Policy Enforcement branch. For more information about populating your Security Policy Enforcement branch, see "Security Policy Enforcement."
Another method for creating a bi-directional policy is to create a single policy with both the source-based decision framework and the destination-based framework in the decision tree, with one branch of the tree containing the "If source is this network object" condition node and another branch containing the "If destination is this network object" condition node. Then, you would create a single instance of your mail servers in the Security Policy Enforcement branch and apply the single policy to that instance of your mail servers.
The following strategies will assist you in planning and building security policies.
1. Populate your Security Policy Enforcement branch. Before you begin to build security policies, populate your Security Policy Enforcement branch. The branch should be populated according to your overall security stance, and will provide information about what security policies you need to create in the first place as well as what those policies should contain.
2. Start specific and work toward global. When you begin to create security policies, create policies for the most specific cases first. The specific cases will apply to objects that are deeper in your Security Policy Enforcement branch. Then, work your way up the branch, creating the more global security policies.
3. Think endpoints, not devices. You construct your security policies based upon the endpoints of the service you want to regulate, not upon the Policy Enforcement Points that reside between those endpoints. Cisco Secure Policy Manager takes care of creating the device-specific configuration. Therefore, you can create security policies that encompass objects from different networks in your topology.
4. Employ grouping strategies. Group common network objects in network object groups and common services in network service bundles. By using these grouping strategies, you create policies that are scalable and structurally simpler (making them easier to construct and read).
5. Start the policy with the most significant condition first. This means that, except in the Default Policy, the decision tree will start with either a source or destination condition of "this network object." This will make it easier for you to distinguish between source-based and destination-based security policies.
You can use Policy Builder to perform the following tasks:
You construct a decision tree in Policy Builder by adding new nodes to the existing decision tree or by modifying the properties of existing nodes. To learn about modifying an existing node's properties, refer to Modifying Node Properties.
To add a node to the decision tree, perform the following task:
You can choose from the following configurations for adding a node. Cisco Secure Policy Manager will only allow you to select valid configurations for the location in the decision tree in which you are adding the node. Additionally, the configuration you select determines the type of node you can add. You will not be able to choose an invalid node type for the selected configuration.
Result: The selected node type appears in the selected configuration. If you added a condition node or a Use Tunnel node, the property panel for that node automatically appears.
Step 2 To set properties of the new node refer to the following table:
| If the node is a... | Then refer to... |
|---|---|
Source Condition | |
Service Condition | |
Destination Condition | |
Use Tunnel Action |
Step 3 To accept your changes and close Policy Builder, click OK.
Step 4 To save any changes that you have made, click Save on the File menu.
You can change one node type to another in the security policy decision tree. If you simply want to change the properties of a particular node, refer to Modifying Node Properties.
To change the node type, perform the following task:
|
Note Only nodes that you can place at that location in the decision tree will be available on the shortcut menu. For example, you will not be able to change a destination condition in an "OR" statement to another type of condition node (source or service), because "OR" statements require that the conditions connected by the "OR" be of the same type. |
Result: The node changes to the selected node. If you changed the node to a condition or a Use Tunnel node, the node's properties automatically appear.
Step 2 To configure the properties of a node refer to the following table:
| If the node is a... | Then refer to... |
|---|---|
Source Condition | |
Service Condition | |
Destination Condition | |
Use Tunnel Action |
Step 3 To change additional nodes, repeat Step 1 and Step 2 above.
Step 4 To accept your changes and close Policy Builder, click OK.
Step 5 To save any changes that you have made, click Save on the File menu.
You can change the properties of existing source, service, and destination condition nodes, as well as the Use Tunnel action node.
When you modify a security policy, the changes are propagated to all instances of that security policy.
To modify the node properties, perform the following task:
Result: The condition node's associated properties panel appears.
 |
Tips You can also access a node's properties panel by double-clicking the node in the Policy Builder pane. |
Step 2 To configure the node's properties refer to the following table:
| If the node is a... | Then refer to... |
|---|---|
Source Condition | |
Service Condition | |
Destination Condition | |
Use Tunnel Action |
Step 3 To modify the properties of additional condition nodes, repeat Step 1 and Step 2 above.
Step 4 To accept your changes and close Policy Builder, click OK.
Step 5 To save any changes you have made, click Save on the File menu.
You specify the actual source or destination for the source/destination condition nodes in the Specify source or destination condition dialog box.
You can specify the following items as sources or destinations in your security policy:
You will need to provide additional information based on the type of source or destination you select.
To specify a source or a destination condition, perform the following task:
|
Note You must be in the Specify source or destination condition dialog box to perform this procedure. If you are not already in the source or destination condition's properties panel, right-click the condition node in Policy Builder, and then select Properties on the shortcut menu. |
a. Select External IP Address under Indication Method.
b. Type the source or destination IP Address in the External IP Addresses box, and then click Add.
c. Repeat Step b to add additional IP addresses to the list of IP addresses.
d. To remove an IP address from the list of source or destination IP addresses, select the address in the list and click Remove.
e. To replace an incorrectly entered IP address in the list, select the address in the list, type the new address over the old address in the External IP Addresses box, and click Replace.
f. To sort your list of source or destination IP addresses, click Sort.
Step 2 To specify an external host name as a source or destination condition:
a. Select External Host Name under Indication Method.
b. Type the host name (such as example.com) in the External Host Name box.
c. To verify that the host name is valid, click DNS Lookup.
|
Tips You can only specify a single external host name as a source or destination condition. To specify more than one external host name as a source, click DNS Lookup to discover the IP addresses for each host name, and then use the External IP Address indication method (Step 1) to add those addresses to the source or destination condition. |
Step 3 To specify an object from your network topology as the source or destination condition:
a. Select Topology Object under Indication Method.
b. To find the network object to use as the source or destination, expand the tree structure in the Network Object box until you find the network object, and then click the network object to select it.
Step 4 To specify a network object group as the source or destination condition:
a. Select Network Object Group in the Indication Method field.
b. Click the network object group name in the Network Object Group list.
Step 5 To specify a policy domain or perimeter as the source or destination condition:
a. Select Policy Domain / Perimeter under Indication Method.
b. Expand the Policy Domains tree that appears at the bottom of the dialog box.
c. Click the policy domain or perimeter name in the Policy Domainst tree.
Step 6 To specify a gateway interface as the source or destination condition:
a. Select Interface under Indication Method.
b. Click the interface name in the Interface list.
Step 7 To accept your changes, click OK.
Step 8 To accept your changes and close Policy Builder, click OK.
Step 9 To save any changes that you have made, click Save on the File menu.
You specify the network service condition in the Specify Service Conditions dialog box.
To specify a service condition, perform the following task:
|
Note You must be in the Specify Service Conditions dialog box to perform this procedure. If you are not already in the dialog box, right-click the service condition node in Policy Builder, and then select Properties on the shortcut menu. |
Result: The network services that compose the network service bundle appear in the If Service is box.
When you click Add after selecting a network service bundle, only the network services in the bundle that are not already present in the If Service is box (if any) are added. However, when you click Select after selecting a network service bundle, all the network services in the If Service is box are replaced by the network services of the network service bundle that you selected.
Step 2 To add an individual network service to the condition, click a service in the Add or Remove Individual Network Services box to select it, and then click Add.
Result: The service that you selected appears in the If Service is box along with any other network service that you have added.
Step 3 To remove a network service, select it in the If Service is box, and then click Remove.
Result: The service that you selected is removed from the If Service is box.
Step 4 To accept your changes, click OK.
Step 5 To accept your changes and close Policy Builder, click OK.
Step 6 To save any changes that you have made, click Save on the File menu.
When you create or modify a Use Tunnel node in the decision tree, you must specify the tunnel group through which the policy will route the specified network services. You specify the tunnel group in the Use Tunnel node's properties panel. Before you can select a tunnel group, you must have first created the tunnel group in the IPSec Tunnel Groups branch of the Network Policy tree. Refer to the Cisco Secure Policy Manager Administrator's Guide: IPSec Tunnel Implementation for more information about tunnel groups.
To specify a tunnel group in a Use Tunnel action node, perform the following task:
|
Note You must be in the Specify Tunnel dialog box to perform this procedure. If you are not already in the dialog box, right-click the node in Policy Builder, and then select Properties on the shortcut menu. |
Result: The name of the selected tunnel group is highlighted in the Tunnel field.
Step 2 To accept your selection, click OK.
Step 3 To accept your changes and close Policy Builder, click OK.
Step 4 To save any changes that you have made, click Save on the File menu.
At times it may be necessary to delete a node from your policy's decision tree. The preferred method of removing unwanted nodes is to change them to the desired type of node (see Changing a Node Type). Sometimes, however, you need to delete a node completely (such as a non-terminal action node accidentally placed before a terminal action node or a unwanted condition node added to a chain of OR statements).
To delete a node, perform the following task:
Result: The node is deleted from the decision tree. If you delete a terminal action node, the ELSE or THEN branch that connected the terminal action to the parent condition node is also deleted. If you delete a non-terminal action node, the ELSE or THEN branch connected to the parent condition node remains and is terminated with the terminal action or the condition node that followed the non-terminal action node. If you delete a condition node, all nodes along the "true" branch of that node are also removed, while any nodes on the "false" branch (ELSE) move up into the position emptied by the delete action.
Step 2 To accept your changes and close Policy Builder, click OK.
Step 3 To save any changes you have made, click Save on the File menu.
The following restrictions apply to cutting, copying, and pasting fragments of policy:
To cut, copy, or paste a fragment of policy, perform the following task:
Result: The selected node is highlighted with a dark border.
Step 2 To copy the selected node, click Copy on the Edit menu. To cut the selected node, click Cut on the Edit menu.
 |
Caution Do not pass the cursor over another node while moving it to click the Cut or Copy command. Passing the cursor over another node will cause that node to become selected and may result in the incorrect node or nodes being cut or copied. If you accidentally cut the wrong node or nodes, press Ctrl-Z to undo the mistake, and restart this procedure. If you accidentally copy the wrong node, simply re-select the proper node and click Copy again. |
Step 3 To paste the selection in the currently displayed decision tree, click the node that is currently located in the position that you want to paste the fragment in and click Paste on the Edit menu.
To paste the selection in another decision tree:
a. Click OK in Policy Builder to save any changes to the current decision tree and close Policy Builder.
b. Right-click the Security Policy Abstract icon of the policy to which you want to add the policy fragment in the Navigator pane, select Policy, and then click Open.
c. Click the node that is currently located in the position that you want to paste the fragment in and click Paste on the Edit menu.
|
Caution Do not pass the cursor over another node while moving it to click the Paste command. Passing the cursor over another node will cause that node to become selected and may result in the fragment being pasted in the wrong location. If you accidentally paste the fragment in the wrong location, press Ctrl-Z to undo the mistake, and restart this step. |
|
Note The fragment of policy will be held on the clipboard until another item is placed on the clipboard. Therefore, you can re-use the fragment in multiple policies or create a new policy (see Creating a New Security Policy Abstract in "Security Policy Abstracts") and paste the fragment into the new policy. |
Step 4 To close Policy Builder and save your changes to the decision tree, click OK.
Step 5 To save any changes that you have made, click Save on the File menu.
|
Note Although you can change its color, the text is not editable. The security policy text is generated from the decision tree and is provided for policy readability only. |
To change the text color, perform the following task:
Result: The Color dialog box appears. The Color dialog box provides several methods for selecting a color for the specified text type.
Step 2 Select a new color in one of the following ways:
Step 3 To accept your changes and close the Color dialog box, click OK.
Result: The selected text type appears in the specified color.
Step 4 To save any changes you have made, click Save on the File menu.
Posted: Mon Jun 5 20:25:39 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.