Using Management Center for Firewalls 1.3
Creating an Inheritance and Grouping Strategy

Table Of Contents

Creating an Inheritance and Grouping Strategy

What Is Inheritance?

How Inheritance Works for Configuration Settings

How Inheritance Works for Access and Translation Rules

Relating Device Groups to Inheritance

Managing Your Grouping Structure

Configuring Device Groups


Creating an Inheritance and Grouping Strategy


Policy inheritance is fundamental to managing multiple firewall devices with Firewall MC. The key to any inheritance strategy is the ability to define a device hierarchy. To develop an effective inheritance strategy, you must understand the following concepts:

How configuration settings are inherited and enforced.

How rules are inherited and evaluated.

How device group hierarchy affects both types of inheritance.

This chapter describes these three concepts and explains how to define and manage your device groups.

What Is Inheritance?

Relating Device Groups to Inheritance

Managing Your Grouping Structure

What Is Inheritance?

Inheritance refers to the capability of Firewall MC to enforce hierarchical lists of policies (sets of rules) and device settings across multiple firewall devices. The hierarchy and order of inheritance is defined by the groups and devices presented in the Object Selector combined with the type of inheritance being used.

Within Firewall MC, two types of inheritance exist:

Inheritance of configuration settings (settings inheritance).

Inheritance of access and translation rules (policy inheritance).

How Inheritance Works for Configuration Settings

When developing a grouping strategy, you must understand how configuration settings are inherited to ensure that your network can scale effectively. Configuration settings are those settings that control individual features of a firewall device. They do not enforce traffic flows as access and translation rules do. Instead, configuration settings define characteristics for the device, such as interface definitions and failover settings, that are required for the device to operate on the network.

When defining settings under Configuration > Settings, you specify whether to define them for a group or a device. You select that device from the Object Selector.

Settings are active at the device level, but they can be set at any group or subgroup level (Figure 6-1). By default, settings applied to a group are inherited by enclosed subgroups and devices contained in that group.

Figure 6-1 Configuration Hierarchy and Settings Attributes

How Settings Are Inherited

In addition to the effective use of a hierarchy, you can specify how settings are inherited within that hierarchy. Settings applied to a group can be inherited by subgroups and devices within that group. This inheritance can be defined as default, mandatory, both, or neither.

Default Configuration Settings

Default configuration settings are set at a group level, but they can be overridden for a subgroup or device. A setting is designated as default for a subgroup or device when you select the Inherit settings check box. When Inherit settings is selected, the subgroup or device defers the definition of any setting to a higher-level, enclosing group. If no settings are defined at the device level, the settings for the enclosing group in the Object Selector determine the value. Depending on how you populate your Object Selector, you can create a chain of inheritance (each level deferring to the setting defined above it). This means that the most specific settings are defined at the firewall device level, deep in the branch, while more general settings are defined on more general parent objects (such as a subgroup that represents a site). To override a default setting, deselect the Inherit settings check box and specify other values for that scope (Figure 6-2).

For example, if you are configuring failover settings and the Enforce/Mandate settings for children check box is deselected at the Global scope, you can select the Inherit settings check box at Group 1, which then inherits the failover setting defined at the Global scope. Alternatively, at Subgroup A, you can override the failover setting inherited by Group 1 by deselecting the Inherit settings check box and entering new values for failover. Changes made for failover at Subgroup A take precedence over the setting made at Group 1.

Figure 6-2 Default Settings Diagram (Inherit Settings)

Mandatory Configuration Settings

Mandatory settings are group-level settings that require all children of that group to use those settings. Unlike default settings, settings mandated by a parent group cannot be overridden at any subgroup or device (Figure 6-3). To define mandatory settings, select the Enforce/Mandate settings for children check box.

For example, if you are configuring failover and the Enforce/Mandate settings for children check box is selected at the Global scope, all subgroups and children inherit the failover setting; changes to failover are disallowed at any subgroup or device level.

Figure 6-3 Mandatory Settings Diagram (Enforce/Mandate Settings for Children)
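The two check boxes described above (Inherit settings and Enforce/Mandate settings for children) combine into a single resolution order: a mandate at an enclosing group wins outright, and otherwise the nearest scope that does not defer upward supplies the value. The following Python model is an added example, not part of the original document and not Firewall MC code; the class and function names, and the failover values "active/standby" and "none", are assumptions constructed for illustration. It walks the Global > Group 1 > Subgroup A > firewall hierarchy from the failover example with the Enforce/Mandate check box at Global both deselected and selected, and includes a small audit that lists overrides that a mandate above them silently shadows, which is the check an administrator wants before assuming a device-level override is in effect.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Scope:
    """A node of the Object Selector hierarchy: Global, a group, a subgroup or a device.
    Field names are this example's own, not Firewall MC identifiers."""
    name: str
    parent: Optional["Scope"] = None
    value: Optional[str] = None   # the failover setting defined at this scope, if any
    inherit: bool = False         # "Inherit settings" check box: defer to the enclosing group
    mandate: bool = False         # "Enforce/Mandate settings for children" check box

    def lineage(self):
        """This scope, then each enclosing group, ending at Global."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def effective_setting(scope):
    """Return (value, name of the scope supplying it) for the setting active at `scope`.

    A mandated setting at the outermost mandating group wins outright, because
    nothing below it may override it. Otherwise walk upward from `scope`: the
    first scope that defines a value and does not have Inherit settings selected
    supplies the value; scopes with Inherit settings selected defer to their parent.
    """
    chain = list(scope.lineage())            # scope ... Global
    for node in reversed(chain):             # Global first
        if node.mandate and node.value is not None:
            return node.value, node.name
    for node in chain:
        if not node.inherit and node.value is not None:
            return node.value, node.name
    return None, "undefined"


def resolve_all(scopes):
    """Effective setting and its source for every scope given."""
    return {s.name: effective_setting(s) for s in scopes}


def ignored_overrides(scopes):
    """Audit helper: scopes that define their own value but do not supply the
    effective one, i.e. overrides silently shadowed by a mandate above them."""
    return [s.name for s in scopes if s.value is not None and effective_setting(s)[1] != s.name]


def build_example(mandate_at_global):
    """The hierarchy from the text, Global > Group 1 > Subgroup A > a firewall,
    with constructed failover values (not from the original page)."""
    global_ = Scope("Global", value="active/standby", mandate=mandate_at_global)
    group1 = Scope("Group 1", parent=global_, inherit=True)       # Inherit settings selected
    sub_a = Scope("Subgroup A", parent=group1, value="none")      # Inherit settings deselected: override
    fw1 = Scope("firewall 1", parent=sub_a, inherit=True)
    return [global_, group1, sub_a, fw1]


if __name__ == "__main__":
    for flag in (False, True):
        scopes = build_example(flag)
        print("Enforce/Mandate at Global:", flag)
        for name, (value, source) in resolve_all(scopes).items():
            print(f"  {name:<11} failover={value!s:<15} from {source}")
        print("  overrides ignored:", ignored_overrides(scopes))
```

With the mandate deselected, Subgroup A's own value applies to it and to firewall 1, while Group 1 inherits from Global; with the mandate selected, every scope resolves to Global and the audit reports Subgroup A's override as ignored.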

How Inheritance Works for Access and Translation Rules

The inheritance of both access and translation rules differs from the approach used for device-level settings. To understand how inheritance works and the effects of rule-based inheritance, you must understand the default security stance, how both types of rules are evaluated by the firewall devices, and how Firewall MC allows you to define a hierarchy of rules that can be inherited.

Default Security Stance

Firewall MC follows a simple paradigm: that which is not expressly permitted is prohibited. The default security policy applied to all firewall devices is "deny." Therefore, unless you explicitly define a security policy that allows a network service to originate from a specific source, the session request will be denied by the firewall device.

Currently, the default stance is implicit, meaning no rules are defined in the interface that express this stance. However, you can override this stance by editing the default access rule table associated with the Global group. Within the field of network security, two primary security stances exist:

Those that are not expressly permitted are prohibited.

Those that are not expressly prohibited are permitted.

Either stance clearly shows the types of rules the administrator should define. You define rules that permit traffic or rules that deny traffic. Keeping the two types of rules separate allows for easier interpretation of the security policy that is in effect.

How Rules Are Evaluated

The firewall devices managed by Firewall MC evaluate access and translation rules differently. Access rules are matched using the first match approach, whereas translation rules are matched using the best match approach.

For access rules, the firewall device enforces the first rule found to match the conditions of the session request. This rule satisfies all of the conditions of the session request, including the source, destination, and service type. However, this rule is not guaranteed to be the rule that best matches the session request. To ensure that the firewall devices enforce the best-matching rule, you must define your most specific rules first in the access rules table. For translation rules, the firewall device enforces the rule that best matches the conditions of the session request: the translation rule that refers most specifically to the source of the session request is the one that regulates it.

How Rules Are Ordered and Inherited

In Firewall MC, rules are represented as ordered lists. Rules are processed from first to last and can be defined at three levels within the device group hierarchy:

Global.

Group.

Firewall device.

Rules are recognized as either mandatory, device, or default:

Mandatory—Rules that apply at an enclosing group and are ordered down to a device. Mandatory rules cannot be overridden. Mandatory rules are listed first, so they take precedence over any rules that come later.

Device—Rules that are defined at the device level. Device rules take effect only if no relevant mandatory rules apply. Device rules override default rules.

Default—Rules that are ordered from the device up to enclosing groups. Default rules take effect if no mandatory or device-specific rules apply.

Firewall MC displays separate rule tables for mandatory and default rules at each scope. To determine the rules that apply to a device, you identify the mandatory rules for each enclosing group before rules set at the device level, then identify the default rules for each enclosing group after rules set at the device level. This concept is shown in Figure 6-4.

Figure 6-4 Mandatory and Default Settings


Note The rules displayed in the tables vary according to the scope you selected.
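The ordering rule above (mandatory rules from Global down through each enclosing group, then device rules, then default rules from the device's group back up to Global), the first-match evaluation of access rules, the best-match evaluation of translation rules, and the implicit deny stance can all be checked against concrete tables. The following Python model is an added example, not part of the original document and not Firewall MC code; the hierarchy Global > East Coast > MA > fw1, the rule tables, the addresses and the service names are constructed sample data, and the class and function names are this example's own. It composes the single ordered list a device evaluates and then answers a few session requests against it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One row of an access or translation rule table (field names are this example's own)."""
    scope: str     # scope whose table holds the rule: "Global", a group name, or a device name
    kind: str      # "mandatory", "device" or "default"
    src: str       # source network in CIDR form; "0.0.0.0/0" stands for any
    dst: str       # destination network in CIDR form
    service: str   # "proto/port", or "any"
    action: str    # access rule: "permit" or "deny"; translation rule: the translated address


def effective_order(path, tables):
    """Compose the single ordered list that a device evaluates.

    path   -- scope names from Global down to the device, e.g. ["Global", "East Coast", "MA", "fw1"]
    tables -- {(scope, kind): [Rule, ...]}, one entry per rule table shown at a scope

    Mandatory rules come first, from Global down through each enclosing group;
    then the device's own rules; then default rules from the device's group back up to Global.
    """
    groups, device = path[:-1], path[-1]
    ordered = []
    for group in groups:
        ordered.extend(tables.get((group, "mandatory"), []))
    ordered.extend(tables.get((device, "device"), []))
    for group in reversed(groups):
        ordered.extend(tables.get((group, "default"), []))
    return ordered


def _matches(rule, src_ip, dst_ip, service):
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst)
            and rule.service in ("any", service))


def access_decision(rules, src_ip, dst_ip, service):
    """Access rules: the first matching rule is enforced. With no match, the
    implicit default stance applies: what is not expressly permitted is denied."""
    for rule in rules:
        if _matches(rule, src_ip, dst_ip, service):
            return rule.action, rule.scope
    return "deny", "implicit default stance"


def translation_decision(rules, src_ip):
    """Translation rules: the rule whose source network matches src_ip most
    specifically (longest prefix) is enforced, regardless of its position."""
    best = None
    for rule in rules:
        net = ip_network(rule.src)
        if ip_address(src_ip) in net and (best is None or net.prefixlen > ip_network(best.src).prefixlen):
            best = rule
    return None if best is None else (best.action, best.scope)


# Constructed sample hierarchy and rule tables (not from the original page).
PATH = ["Global", "East Coast", "MA", "fw1"]
ACCESS_TABLES = {
    ("Global", "mandatory"):   [Rule("Global", "mandatory", "0.0.0.0/0", "10.0.0.0/8", "tcp/23", "deny")],
    ("fw1", "device"):         [Rule("fw1", "device", "192.168.1.0/24", "10.1.1.0/24", "tcp/23", "permit"),
                                Rule("fw1", "device", "192.168.1.0/24", "10.1.1.0/24", "tcp/22", "permit")],
    ("East Coast", "default"): [Rule("East Coast", "default", "0.0.0.0/0", "0.0.0.0/0", "tcp/80", "permit")],
    ("Global", "default"):     [Rule("Global", "default", "192.168.0.0/16", "0.0.0.0/0", "tcp/22", "deny")],
}
NAT_TABLES = {
    ("Global", "default"): [Rule("Global", "default", "10.0.0.0/8", "0.0.0.0/0", "any", "203.0.113.1")],
    ("MA", "default"):     [Rule("MA", "default", "10.1.1.0/24", "0.0.0.0/0", "any", "203.0.113.2")],
}


def order_labels(path=PATH, tables=ACCESS_TABLES):
    """Scope/kind of each rule in the order the device evaluates them."""
    return [f"{r.scope}/{r.kind}" for r in effective_order(path, tables)]


if __name__ == "__main__":
    rules = effective_order(PATH, ACCESS_TABLES)
    print(order_labels())
    # Telnet: the device permits it, but the Global mandatory deny is listed first and wins.
    print(access_decision(rules, "192.168.1.5", "10.1.1.9", "tcp/23"))
    # SSH: the device rule precedes the Global default deny, so the device permit wins.
    print(access_decision(rules, "192.168.1.5", "10.1.1.9", "tcp/22"))
    # HTTPS: nothing matches, so the implicit deny applies.
    print(access_decision(rules, "192.168.1.5", "10.1.1.9", "tcp/443"))
    # NAT: the /24 defined at MA is more specific than the /8 at Global.
    print(translation_decision(effective_order(PATH, NAT_TABLES), "10.1.1.9"))
```

The telnet case is the one worth noting when reviewing a policy: the device table shows a permit, yet the session is denied because the Global mandatory rule precedes it in the composed list. The SSH case shows the opposite relationship with default rules, which device rules precede and therefore override.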


Relating Device Groups to Inheritance

Firewall MC functionality does not rely on network topology to implement the desired end-to-end security policies. Instead, it uses a hierarchical structure to organize devices according to similar attributes or other logical relationships, for example, devices that use common settings and rules or administrator privileges used for a set of devices. When you select an object within this hierarchy, you are selecting the scope.

When you select the scope, you identify the place in the hierarchy at which settings or rules are defined. Firewall MC determines whether you are defining settings and rules that can be inherited or that are device-specific. Selecting a group allows you to define inheritable attributes. Therefore, how you define groups within the hierarchy and which devices and subgroups are included within them determines how inheritance will work within your system.

When defining your hierarchy, note the following:

The Global group contains all groups, subgroups, and devices.

Groups contain one or more subgroups or devices.

Devices represent firewall devices and can be listed only once in the hierarchy. They can be a member of only one group. For example, the Global group contains a group called East Coast. East Coast contains subgroups MA and NC. MA contains firewall device 1 and firewall device 2, and NC contains firewall device 3 and firewall device 4.

Figure 6-5 is a sample representation of subgroups and devices.

Figure 6-5 Sample Group Hierarchy

By defining settings and rules at the group level, you can apply configuration elements to multiple firewalls in a logical manner. Otherwise, you can apply policies to a single device at the device level.

Managing Your Grouping Structure

The Managing Groups feature allows you to add new groups to Firewall MC, modify the contents of existing groups, move existing groups, or delete empty groups. You can add or import a device directly into the Global group or define a subgroup in which devices with like configuration needs will reside. To access this feature, select Devices > Managing Groups.

We recommend that when you set up a new group you use a name and description that can be identified easily. For example, you can define and identify groups by region, department within your company, or any other grouping based on a commonality. A subgroup cannot have the same name as the enclosing group, and no two subgroups within an enclosing group can have the same name.

Configuring Device Groups

Device groups allow you to manage and apply settings to multiple devices positioned on your network. For example, Firewall MC allows you to test settings on a single device or a small device group. Then, if the settings meet your needs, you can move entire device groups to the test folder and all settings are inherited.

Adding a Device Group

Adding device groups allows you to organize your devices by region or by the policy rules you want to apply to that group of devices.


Step 1 Select Devices > Managing Groups.

The Managing Groups page appears.

Step 2 Select the Global group or a subgroup, then click Add.

The Define Group Information page appears. (See Table 6-1.)

Step 3 Enter the name of the group in the field provided, for example, East coast.


Note When you define a device group name, the name must be different from that of the enclosing group. Device groups contained within a single enclosing group must have different names.


Step 4 Enter a description in the field provided, for example, all offices on Atlantic coast except Florida.

Step 5 Click Next.

The Target Group wizard summary page appears.

Step 6 Verify the information is correct, then click Finish.

You are returned to the Managing Devices page with new device group information displayed.


Table 6-1 describes the elements on the Managing Groups page.

Table 6-1 Managing Groups

Element             Description

Global folder       Top-level folder within the device hierarchy. All user-defined groups reside in this folder.

Group Name          User-defined name of group, for example, East coast.
                    Note When you define a device group name, the name must be different from that of the enclosing group.
                    Note Device groups contained within a single enclosing group must have different names.

Group Description   (Optional) Information that describes group, for example, All offices on Atlantic coast except Florida.


Moving a Device Group

Moving a device group is a beneficial feature that allows you to easily change and apply rules and settings to multiple devices at the same time. Moving device groups into new folders does, however, erase earlier settings applied to the folder that the device group is being moved from.


Step 1 Select Devices > Managing Groups.

The Managing Groups page appears.

Step 2 Select the group to move, then click Move.

Step 3 Select the target group, then click Next.

The Target Group wizard summary page appears.

Step 4 Verify the information is correct, then click Finish.

You are returned to the Managing Devices page with new device group information displayed.


Renaming a Device Group

If you rename a device group, all rules associated with that group no longer apply to those devices.

When you define a device group name, the name must be different from that of the enclosing group. Device groups contained within a single enclosing group must have different names.


Step 1 Select Devices > Managing Groups.

The Managing Groups page appears.

Step 2 Select the group to rename, then click Edit.

The Define Group Information page appears. (See Table 6-1.)

Step 3 Enter a new group name in the field provided, for example, West coast.


Note When you define a device group name, the name must be different from that of the enclosing group. Device groups contained within a single enclosing group must have different names.


Step 4 Enter a new description in the field provided, for example, all offices on Pacific coast except Washington.

Step 5 Click Next.

The Define Group wizard summary page appears.

Step 6 Verify the information is correct, then click Finish.

You are returned to the Managing Devices page with new device group information displayed.


Deleting a Device Group

Before You Begin

Make sure the group is empty. You must remove all devices from the group before it can be deleted.


Step 1 Select Devices > Managing Groups.

The Managing Groups page appears.

Step 2 Select the device group to delete, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The device group is removed.