IP Filter / Firewall Application Notes

4. Object Oriented IP Filter/Firewall.

IP Object/IP Group
You may define groups of addresses, for example the addresses of all the devices in one department. Then you can use the IP Group by name in the firewall filters. This lets a single filter rule apply to many IP addresses, reducing the number of firewall filters required.

Service Type Object/Service Type Group
You may define sets of protocol/ports. Then you can use the Service Type Group by name in the firewall filters. This lets a single rule apply to many protocol/port combinations, reducing the number of rules required.

Content Security Management
You may define policy profiles for IM (Instant Messenger) and P2P (Peer to Peer) applications. Then you can use the CSM profile by name in the firewall filters. This lets a single rule control many applications, reducing the number of firewall filters required.

Example
We will use an example to introduce this feature. Assume there are three main departments in one company: the R&D dept., the Sales dept. and the FAE dept. The IP address allocation is shown in the figure below.



The following rules apply:
    - Leaders and the Administrator have full Internet access.
    - R&D staff can only send and receive mail.
    - Sales and FAE staff can access websites, send and receive mail, and use MSN and Skype; everything else is blocked.
    - Web and Mail servers only allow the corresponding service ports.

You may define 8 IP Objects and 4 IP Groups:
    IP Object:
      1. R&D dept: 192.168.1.11 ~ 192.168.1.49
      2. Sales dept: 192.168.1.51 ~ 192.168.1.79
      3. FAE dept: 192.168.1.81 ~ 192.168.1.99
      4. Servers: 192.168.1.3 ~ 192.168.1.9
      5. R&D leader: 192.168.1.10
      6. Sales leader: 192.168.1.50
      7. FAE leader: 192.168.1.80
      8. Administrator: 192.168.1.2

    IP Group:
      1. Admin Group: 4 IP objects (R&D leader, Sales leader, FAE leader and Administrator)
      2. Marketing and Support Group: 2 IP objects (Sales dept, FAE dept)
      3. R&D Group: 1 IP object (R&D dept)
      4. Server Group: 1 IP object (Servers)

You may define 8 Service Type Objects and 3 Service Type Groups:
    Service Type Object:
      1. Web http: Source Port: 1024~65535, Destination Port: 80
      2. Web https: Source Port: 1024~65535, Destination Port: 443
      3. Receive Mail: Source Port: 1024~65535, Destination Port: 110
      4. Send Mail: Source Port: 1024~65535, Destination Port: 25
      5. Mail Server for send mail: Source Port: 110, Destination Port: 1024~65535
      6. Mail Server for receive mail: Source Port: 25, Destination Port: 1024~65535
      7. Web Server for http: Source Port: 80, Destination Port: 1024~65535
      8. Web Server for https: Source Port: 443, Destination Port: 1024~65535

    Service Type Group:
      1. M&S permit: 4 Objects (1~4)
      2. R&D permit: 2 Objects (3, 4)
      3. Server permit: 4 Objects (5~8)

You may define 2 CSM profiles:
      1. R&D and Servers: disable all
      2. M&S: enable MSN and Skype

Please follow the steps below to set up the router.

1. Setup IP Object
Go to Objects Setting >> IP Object and create 8 IP objects.



1. The configuration of the "R&D dept" object is shown below. The settings for "Sales dept", "FAE dept" and "Servers" are similar.



2. The configuration of the "R&D leader" object is shown below. The settings for "Sales leader", "FAE leader" and "Administrator" are similar.



2. Setup IP Group
Go to Objects Setting >> IP Group and create 4 IP groups.



1. Click Index 1 and enter "Admin Group" in the Name field.
    For the Interface select "LAN" to list all available IP Objects. Select the appropriate IP Objects according to the rules and add them to the "Selected IP Objects" list.



Press the OK button to finish the setup.



2. Repeat the previous step to set up the remaining 3 IP Groups:
    Marketing and Support Group: 2 IP objects (Sales dept, FAE dept)
    R&D Group: 1 IP object (R&D dept)
    Server Group: 1 IP object (Servers)

3. Setup Service Type Object
Go to Objects Setting >> Service Type Object and create the 8 objects listed above.



1. Setup "Web http"



The settings for the remaining 7 Objects are similar.

4. Setup Service Type Group
Go to Objects Setting >> Service Type Group and create 3 groups.



1. Click Index 1 and enter "M&S permit" in the Name field.
    In the "Available Service Type Objects" table select the appropriate objects according to the rules and add them to the "Selected Service Type Objects" list.



2. Repeat step 1 to set up the remaining 2 Service Type Groups:
    R&D permit: 2 Objects (3 and 4)
    Server permit: 4 Objects (5, 6, 7 and 8)

5. Setup Content Security Management Profile
Go to Objects Setting >> CSM Profile and create 2 profiles.



1. For the "M&S" profile, disable all applications except MSN and Skype.



2. For the "R&D and Servers" profile, disable all applications.



6. Setup IP Filter Rules
Go to Objects Setting >> CSM Profile and set up 5 rules.



1. Rule "block all". Block all outgoing traffic by default.



2. Rule "pass Admin". Pass any traffic for "Admin Group".



3. Rule "pass M&S". Pass web and mail traffic and allow MSN and Skype for the "Marketing and Support Group".



4. Rule "pass R&D". Pass mail traffic for the "R&D Group".



5. Rule "pass Servers". Pass web & mail traffic for the "Server Group".



With the Object/Group feature you only need to set up 5 rules. Moreover, when a new host is added to an existing group, you do not need to add any new rule.



Suppose a new person joins the Sales dept. and is given the IP address 192.168.1.100. All you need to do is create an IP Object for this address and add it to the IP Group "Marketing and Support Group".
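As an added illustration (not part of the original application note), the Python model below encodes the IP Objects, IP Groups, Service Type Objects, Service Type Groups and the 5 rules above, so you can check which rule an outgoing packet hits and confirm that the new joiner needs only a new IP Object. It assumes that rule 1 "block all" acts as the default when no pass rule matches, treats the Service Type Objects as TCP port ranges, and leaves the CSM (MSN/Skype) profiles out.

```python
import ipaddress

# Objects and groups as listed in the application note (TCP assumed for the services).
IP_OBJECTS = {  # name: (first address, last address)
    "R&D dept": ("192.168.1.11", "192.168.1.49"), "Sales dept": ("192.168.1.51", "192.168.1.79"),
    "FAE dept": ("192.168.1.81", "192.168.1.99"), "Servers": ("192.168.1.3", "192.168.1.9"),
    "R&D leader": ("192.168.1.10",) * 2, "Sales leader": ("192.168.1.50",) * 2,
    "FAE leader": ("192.168.1.80",) * 2, "Administrator": ("192.168.1.2",) * 2,
}
IP_GROUPS = {"Admin Group": ["R&D leader", "Sales leader", "FAE leader", "Administrator"],
             "Marketing and Support Group": ["Sales dept", "FAE dept"],
             "R&D Group": ["R&D dept"], "Server Group": ["Servers"]}
SERVICES = {  # name: ((source port range), (destination port range))
    "Web http": ((1024, 65535), (80, 80)), "Web https": ((1024, 65535), (443, 443)),
    "Receive Mail": ((1024, 65535), (110, 110)), "Send Mail": ((1024, 65535), (25, 25)),
    "Mail Server for send mail": ((110, 110), (1024, 65535)),
    "Mail Server for receive mail": ((25, 25), (1024, 65535)),
    "Web Server for http": ((80, 80), (1024, 65535)),
    "Web Server for https": ((443, 443), (1024, 65535)),
}
SERVICE_GROUPS = {
    "M&S permit": ["Web http", "Web https", "Receive Mail", "Send Mail"],
    "R&D permit": ["Receive Mail", "Send Mail"],
    "Server permit": [n for n in SERVICES if "Server" in n],  # objects 5~8
}
# Pass rules 2-5: (name, IP Group, Service Type Group or None = any). Rule 1 "block all" is the default (assumed).
RULES = [("pass Admin", "Admin Group", None),
         ("pass M&S", "Marketing and Support Group", "M&S permit"),
         ("pass R&D", "R&D Group", "R&D permit"),
         ("pass Servers", "Server Group", "Server permit")]

def in_ip_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in (IP_OBJECTS[o] for o in IP_GROUPS[group]))

def in_service_group(sport, dport, group):
    return any(s[0] <= sport <= s[1] and d[0] <= dport <= d[1]
               for s, d in (SERVICES[o] for o in SERVICE_GROUPS[group]))

def evaluate(src_ip, sport, dport):
    """Name of the first pass rule matching an outgoing packet, else 'block all'."""
    for name, ip_group, svc_group in RULES:
        if in_ip_group(src_ip, ip_group) and (svc_group is None or in_service_group(sport, dport, svc_group)):
            return name
    return "block all"

def add_to_group(group, obj_name, first, last=None):
    """New joiner: create one IP Object and add it to an existing group; no new rule."""
    IP_OBJECTS[obj_name] = (first, last or first)
    IP_GROUPS[group].append(obj_name)
```

Before `add_to_group` is called, 192.168.1.100 falls outside every IP Object and hits "block all"; afterwards the same web request matches "pass M&S" without any change to the rules.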


Page last modified: 13 October 2008