Network Security - Apply and implement secure network administration principles
Exam: CompTIA SY0-301 - CompTIA Security+ (SY0-301)
Network Security - Apply and implement secure network administration principles
Rules-based Management
Rule-Based Access Control is based on ACLs. The basis of this type of access is to determine what can happen to an object based on a set of rules. The most common use of this is on routers and firewalls. Access is determined by looking at a request to see whether it matches a predefined set of conditions. An example would be if you configured your router to deny any IP addresses from the 10.10.0.0 subnet and allow addresses from the 192.168.10.0 network. When a machine with an address of 192.168.10.15 requests access, the router looks at the rules and accepts the request. In Rule-Based Access Control, the administrator sets the rules. This is considered a type of mandatory control because the users cannot change these rules. In other words, if the administrator sets the aforementioned router conditions, you, as a user, cannot have the router accept requests from a 10.10.0.25 address.
In a Rule-Based Access Control solution, accounts may be granted varying levels of access, such as Read, Write, or Execute. An example of this would be setting the filtering of IP packets on a proxy server or firewall. Say you want to keep the production staff from downloading BMP files, but you want to allow the development staff to do so. Before you allow any file to be downloaded, you check conditions such as the file type and the access list configuration. Remember that the most common form of Rule-Based Access Control involves testing against an ACL that details systems and accounts with access rights and the limits of their access for the resources. In addition to firewalls and routers, ACLs are used in operating systems.
Firewall Rules
Firewall rules are configured to allow traffic associated with programs or services to be sent or received. A firewall rule set is similar to an ACL in that the rules determine parameters for each connection based on a set of conditions.
Firewall rules specify what services are allowed or not allowed through the firewall. Rules consist of a source address, a destination address, a service, and an associated action. For example, a firewall rule to allow FTP traffic might look like this:
ipfw add allow tcp from any to any 21 keep-state
You can also specify the type of network adapter the rule is applied to, such as local area network (LAN), wireless, or remote access. Generally speaking, you can create firewall rules to take one of three actions for all connections that match the rule's criteria. These actions are allow the connection, allow the connection if it is secured, or block the connection. Rules are set for both inbound and outbound traffic. Inbound rules can either explicitly allow or block inbound network traffic that fits the criteria. Outbound traffic rules do the same for the network traffic that originates from the computer and fits the criteria outlined in the rule.
In many firewalls the rules can be granulized and configured to specify the computers or users, program, service, or port and protocol. Rules can be configured to be applied when profiles are used. As soon as a network packet matches a rule, that rule is applied and processing stops. The more restrictive rules should be listed first, and the least restrictive rules should follow. Otherwise, if a less restrictive rule is placed before a more restrictive rule, the checking is stopped at the first rule.