NETGEAR UTM5EW-100NAS, STM150EW-100NAS manual Global Default Policy, 372

Models: UTM5EW-100NAS STM150EW-100NAS


ProSecure Unified Threat Management (UTM) Appliance

For example, assume the following global policy configuration:

Policy 1. A Deny rule has been configured to block all services to the IP address range 10.0.0.0–10.0.0.255.

Policy 2. A Deny rule has been configured to block FTP access to 10.0.1.2–10.0.1.10.

Policy 3. A Permit rule has been configured to allow FTP access to the predefined network resource with the name FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5–10.0.0.20 and the FQDN ftp.company.com, which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user attempted to access FTP servers at the following addresses, the actions listed would occur:

10.0.0.1. The user would be blocked by Policy 1.

10.0.1.5. The user would be blocked by Policy 2.

10.0.0.10. The user would be granted access by Policy 3. The IP address range 10.0.0.5–10.0.0.20 is more specific than the IP address range that is defined in Policy 1.

ftp.company.com. The user would be granted access by Policy 3. A single host name is more specific than the IP address range that is configured in Policy 2.

Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The UTM’s policy engine does not perform reverse DNS lookups.

Note: When you use the SSL VPN Wizard to build a portal, a user policy that permits access is automatically added for the user account that you define with the SSL VPN Wizard.

Global Default Policy

The global default policy with destination 0.0.0.0/[0] and permission Deny prevents traffic from any SSL VPN client from reaching the LAN after an SSL VPN connection has been established. This is a security measure. To provide access to the LAN, you would normally create new policies for users or groups that permit restricted access to resources on the LAN.

If you want to provide global access to the LAN without restrictions, change the permission of the global default policy to Permit. Alternatively, you can provide global access to the LAN but restrict it to a port or port range: specify a port number or range of port numbers for the global default policy, and change the permission of the global default policy to Permit.
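The following added example (not NETGEAR code, and not taken from the manual) models the global policy example and the global default policy above as a most-specific-match evaluator. It assumes that a host name outranks any address range, that a smaller range outranks a larger one, and that user and group policies are absent; the `Rule` class and `evaluate` function are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "Permit" or "Deny"
    service: str       # "FTP" or "ANY"
    host: str = ""     # FQDN destination, or an IP range given by first/last
    first: str = ""
    last: str = ""

    def size(self):
        """Addresses covered; a host name counts as 0 (assumed most specific)."""
        if self.host:
            return 0
        span = int(ipaddress.ip_address(self.last)) - int(ipaddress.ip_address(self.first))
        return span + 1

    def matches(self, typed, resolved_ip, service):
        if self.service not in ("ANY", service):
            return False
        if self.host:
            # No reverse DNS lookup: a host-name rule matches only the name as typed.
            return typed.lower() == self.host
        ip = ipaddress.ip_address(resolved_ip)
        return ipaddress.ip_address(self.first) <= ip <= ipaddress.ip_address(self.last)

# Policies from the example above, plus the global default policy.
RULES = [
    Rule("Policy 1", "Deny", "ANY", first="10.0.0.0", last="10.0.0.255"),
    Rule("Policy 2", "Deny", "FTP", first="10.0.1.2", last="10.0.1.10"),
    # The "FTP Servers" network resource expands to two destinations.
    Rule("Policy 3", "Permit", "FTP", first="10.0.0.5", last="10.0.0.20"),
    Rule("Policy 3", "Permit", "FTP", host="ftp.company.com"),
    Rule("Global default", "Deny", "ANY", first="0.0.0.0", last="255.255.255.255"),
]

def evaluate(typed, resolved_ip, service="FTP"):
    """Return (action, rule name) of the most specific matching rule."""
    hits = [r for r in RULES if r.matches(typed, resolved_ip, service)]
    best = min(hits, key=Rule.size)  # the global default always matches
    return best.action, best.name

if __name__ == "__main__":
    for typed, ip in [("10.0.0.1", "10.0.0.1"), ("10.0.0.10", "10.0.0.10"),
                      ("ftp.company.com", "10.0.1.3"), ("10.0.1.3", "10.0.1.3")]:
        print(typed, "->", evaluate(typed, ip))
```

Running it shows why the same server is reachable as ftp.company.com but blocked as 10.0.1.3: only the typed host name matches the Policy 3 host entry, so the address form falls through to the Policy 2 range.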

Virtual Private Networking Using SSL Connections
