Security Profiles

On the X family device, Security Profiles are used to apply DV filter policies. A Security Profile defines the traffic to be monitored based on security zones (for example, ANY ==> ANY, LAN ==> WAN, or WAN ==> LAN) and the DV filters to be applied.

A Security Profile consists of the following components:

Identification — Profile name and description.

Security Zones — Specifies the incoming and outgoing security zones to which the Security Profile applies.

IPS Filter Category Settings — Determine the State and Action that apply to all filters within a given Filter Category group.

Filter overrides — Configure filter-level settings that override the Category Settings (optional).

Global Limits and Exceptions — Configure settings to apply filters differently based on IP address. You can limit filters to apply only to traffic between a source and destination IP address or address range, or apply filters to all traffic except the traffic between specified source and destination IP addresses or address ranges.

When a Security Profile is initially created, the recommended settings for all filter categories are set.

Default Security Profile

The default security profile is set to the ANY ==> ANY security zone pair with all IPS filters configured with the default Digital Vaccine settings. With the default profile in place, all incoming and outgoing traffic in any security zone configured on the device is monitored according to the recommended DV filter configuration. You can edit the default Security Profile to customize the security zones that it applies to and create custom filter settings, or create your own Security Profiles as required. We recommend that you keep the default Security Profile settings configured for the Security Zone pair ANY ==> ANY. This configuration ensures that all traffic will be inspected by the IPS using the default Security Profile if the traffic does not match a more specific security zone configuration.

Applying Security Profiles to Traffic

Using IPS, it is possible for a packet to match more than one Security Profile, depending on how the security zone pairs are configured within each profile. As a general rule, the X family device applies the filtering rules specified in the Security Profile that has the most specific Security Zone pair defined. To determine specificity, the device always considers the incoming zone first. The following examples show how the device applies filtering rules when a packet matches more than one Security Profile.

Example 1: Security Profile Zone Configuration

Security Profile    Applies To Security Zone Pair
#1                  ANY ==> ANY
#2                  LAN ==> WAN

In Example 1, a packet going from the LAN zone to the WAN zone matches both Security Profile #1 and #2. The X family device applies the filtering rules from Security Profile #2 to the packet because the LAN zone is more specific than the ANY zone.
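The selection rule above can be modeled in a few lines to audit a planned set of zone pairs before deploying it. This is an added example, not code from the guide or the device. Profiles #3 and #4 and the DMZ zone are constructed, and ranking LAN ==> ANY above ANY ==> WAN is an assumption drawn from the statement that the incoming zone is considered first.

```python
from itertools import permutations

ANY = "ANY"

# Constructed sample profiles: (name, incoming zone, outgoing zone).
PROFILES = [
    ("#1", ANY, ANY),      # default profile from the guide
    ("#2", "LAN", "WAN"),  # Example 1 in the guide
    ("#3", "LAN", ANY),    # hypothetical, not from the guide
    ("#4", ANY, "WAN"),    # hypothetical, not from the guide
]


def matches(profile, src, dst):
    """A zone pair matches when each side is ANY or equals the packet's zone."""
    _, p_in, p_out = profile
    return p_in in (ANY, src) and p_out in (ANY, dst)


def specificity(profile):
    """Rank as (incoming is named, outgoing is named); incoming compares first.

    Assumption: a named incoming zone outranks a named outgoing zone.
    """
    _, p_in, p_out = profile
    return (p_in != ANY, p_out != ANY)


def select_profile(profiles, src, dst):
    """Return the name of the most specific matching profile, or None."""
    candidates = [p for p in profiles if matches(p, src, dst)]
    if not candidates:
        return None
    return max(candidates, key=specificity)[0]


def unmatched_pairs(profiles, zones):
    """List zone pairs (between distinct zones) that match no Security Profile."""
    return [(s, d) for s, d in permutations(zones, 2)
            if select_profile(profiles, s, d) is None]


if __name__ == "__main__":
    zones = ["LAN", "WAN", "DMZ"]  # DMZ is a constructed zone name
    for s, d in permutations(zones, 2):
        print(f"{s} ==> {d}: profile {select_profile(PROFILES, s, d)}")
    # Without the ANY ==> ANY default, some zone pairs match no profile.
    print("unmatched without default:", unmatched_pairs(PROFILES[1:], zones))
```

Running the check with the default profile removed lists the zone pairs that would fall outside every profile, which is the gap the ANY ==> ANY recommendation is meant to close.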

X Family LSM User’s Guide V 2.5.1
