Creating Rules and Rule Sets Configuration Example


Creating Rules and Rule Sets Configuration Example Alcatel-Lucent Security Products Configuration Example Series

A Note About Rule Set Applications

In most applications you will not put a rule set (firewall) on the interface connected to the wide area network or router. All of the internal interfaces should have a firewall on them. If an interface is not in use you can disable it. In some cases you would have multiple firewalls (virtual firewalls) on a single interface.

[Figure: a Brick with interfaces Ethernet 0, Ethernet 1, Ethernet 2 and Ethernet 3]

The ALSMS comes with several very useful pre-configured rule sets as seen below. These rule sets can be used as is or modified and renamed. The “Administrative Zone” rule set should be put on each Brick in the network to ensure connectivity between the Bricks and the ALSMS.

The key to setting up a rule set or series of rule sets successfully is proper planning. Make a drawing of what you are trying to accomplish before proceeding. This drawing will save you plenty of time along the way. It will also help to optimize your rule sets so that they are efficient to process and contain a small number of rules. Group things! You can group all of your users, then subgroup them into departments. You can also group your servers so that, for instance, all of your accounting servers are in a “Host Group” and all of your web servers are in another “Host Group”.

You can also group services. For instance, you might want to group SMTP, HTTP, HTTPS, POP3, FTP and so forth into a group called “internet services”. This might be a set of services that all of your users will be allowed to use. If your users are grouped and your services are grouped, you can accomplish this all in one rule.* Also think about putting your most used rules at the top of the rule set. This will reduce the number of decisions that the firewall needs to process and make the system function more efficiently.

*See other configuration examples or the policy guide on grouping your users, hosts and services.

It’s recommended that you use the existing rule set called “Administrative Zone” to protect the ALSMS and allow communications between the Bricks and the ALSMS. The Alcatel-Lucent approach to firewall management is very much an object-oriented approach. Rule sets can be used, modified, renamed and then used again in many cases. Keep this in mind during the planning stages. Your users in various sites will have many of the same needs. Make your initial rule sets to match your overall security policies. That way they are portable enough to be renamed and reused. This will save you a lot of time in the long run.

Creating Rules and Rule Sets

To create a rule set, click on the Brick Zone Rulesets folder from the main menu on the ALSMS. Right click and select New Brick Zone Ruleset. Notice that there is one rule already made for you. This is the “Drop All” rule that is at the bottom of every ruleset. Right click in the window and select New.

The Brick Zone Ruleset Editor seen to the left is where you define your rules. Note that Rule Active is set to Yes. Direction determines if you want this rule to apply to data coming into the network, out of the network or both directions. Source and Destination can be Hosts, Host Groups, Users or User Groups. Service or Group can be selected from a pre-configured list of about 70 services, can be a group that you defined, or can be a custom-made service.

Note the tabs across the top of the Brick Zone Rule Editor. These are all options that can be set on a “per rule” basis. These tabs allow you to set things like bandwidth management at the rule level, NAT, PAT, make a rule active only during certain times of the day, set alarms, route on a “per rule” basis, as well as set things like session timeouts, maximum usage per rule, TCP enforcement, SYN Flood parameters and much more. Take a look at these tabs and see if you require any of these features on this rule. When you are finished click OK to close the Brick Zone Rule Editor.

To make your next rule, right click in the rule set editor again or click the + button on the lower left. Note that the rule we just made assumed that you had already set up a users group called All-Users as well as a service called Internet-Services. Also note that the system will help you by making additional rules necessary to complete the task that you defined. If you look at your rule set now you will see three rules in total. The Drop All rule was predefined at the start of the rule set. You made rule number 1000 and the system made rule 310. If you choose not to see the system rules you can click the box at the lower right of your screen to Hide System Rules.

Maybe your next rule would look like this. This rule would allow all of the Accounting Users that you created unrestricted access to all of the Accounting Servers, but nothing else. The * in a field is a wildcard. In this case there is an * in the Service or Group field. This means allow all services by the Accounting Users to the Accounting Servers.

Make another rule allowing DNS onto the network to the nodes in your drawing that will require DNS. You can restrict this to only preferred DNS Servers by setting up a Host Group called DNS Servers and putting the addresses of the preferred servers in there. Remember to name your ruleset, fill in the description and save it.
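The three rules built above plus the predefined Drop All rule, modelled as an added example (this is not ALSMS code or output) to show why grouping keeps the rule count small and why rule order affects how many rules are checked. It assumes top-down, first-match evaluation, as the ordering advice implies; the group members, the traffic mix and the direction of the DNS rule are constructed for illustration, and Direction and the per-rule tabs are left out.

```python
from dataclasses import dataclass

# Constructed sample data: group names follow the slides, members are made up.
HOSTS = {
    "All-Users": {"192.0.2.10", "192.0.2.11", "192.0.2.20"},
    "Accounting Users": {"192.0.2.20"},
    "Accounting Servers": {"198.51.100.5"},
    "DNS Servers": {"198.51.100.53"},
}
SERVICES = {"Internet-Services": {"SMTP", "HTTP", "HTTPS", "POP3", "FTP"},
            "DNS": {"DNS"}}

@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # user/host group name, or "*" for any
    destination: str  # host group name, or "*" for any
    service: str      # service group name, or "*" for any
    action: str       # "pass" or "drop"

def member(value, group, table):
    return group == "*" or value in table.get(group, set())

def evaluate(ruleset, src, dst, svc):
    """Assumed first-match model: return (action, rule name, rules checked)."""
    for checked, r in enumerate(ruleset, start=1):
        if (member(src, r.source, HOSTS) and member(dst, r.destination, HOSTS)
                and member(svc, r.service, SERVICES)):
            return r.action, r.name, checked
    return "drop", "no match", len(ruleset)

def total_checks(ruleset, traffic):
    return sum(evaluate(ruleset, *pkt)[2] for pkt in traffic)

def same_verdicts(a, b, traffic):
    # Reordering for speed must never change what is passed or dropped.
    return all(evaluate(a, *p)[0] == evaluate(b, *p)[0] for p in traffic)

INTERNET = Rule("internet", "All-Users", "*", "Internet-Services", "pass")
ACCOUNTING = Rule("accounting", "Accounting Users", "Accounting Servers", "*", "pass")
DNS = Rule("dns", "*", "DNS Servers", "DNS", "pass")
DROP_ALL = Rule("Drop All", "*", "*", "*", "drop")
AS_BUILT = [INTERNET, ACCOUNTING, DNS, DROP_ALL]
BUSIEST_FIRST = [DNS, INTERNET, ACCOUNTING, DROP_ALL]
# Constructed traffic mix (source, destination, service): mostly DNS lookups.
TRAFFIC = ([("192.0.2.10", "198.51.100.53", "DNS")] * 6
           + [("192.0.2.10", "203.0.113.80", "HTTPS")] * 3
           + [("192.0.2.20", "198.51.100.5", "SQL"),
              ("203.0.113.99", "198.51.100.5", "HTTP")])
print(total_checks(AS_BUILT, TRAFFIC), total_checks(BUSIEST_FIRST, TRAFFIC))
```

Before moving a rule up in a real rule set, confirm as same_verdicts does here that the new order passes and drops exactly the same traffic; a pass rule moved above a narrower drop rule changes the policy, not only the cost.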

Your rule set should now look something like this.

Next, let's apply this rule set to the interface that you designed it for. From the folder list click on Bricks, then choose the Brick that this rule set will be assigned to. At the Brick Editor screen click on the Policy Assignment tab. Double clicking on the interface that you want this assigned to opens the Policy Assignment Editor screen. From there use the pull-down arrow to assign the firewall that you just created.

One last step. Once you have assigned the rule set to the appropriate interface on the appropriate Brick, you will need to save and apply the changes to that Brick. Click File>Save and Apply, then click OK. Repeat the steps in this configuration example for other rule sets.

For more detailed information on configuring this feature, click Help>On Line Product Manuals>Policy Guide. See the section on Brick Zone Rulesets. The Product Manuals can also be found on your ALSMS CD.