You have many hosts on your internal network. Your security policy may require you to implement different levels of access for groups of these hosts. Rather than creating rules for every single host, it is often easier to think of the hosts as networks. It can also be useful to group those networks into groups of networks. The Gauntlet Firewall allows you to specify networks and network groups.
This chapter discusses the concepts of networks and network groups, and explains how to configure networks and network groups. The chapter consists of the following sections:
The Gauntlet Firewall makes decisions on services and access based on the IP address of the source host. You could try to create rules for every single one of the hosts you manage. In most sites, this would be an extremely tedious process. Or, you can group the systems you manage, and create rules for groups of systems.
A network is simply an object defined by the firewall administrator that represents one or more systems. You denote a network via an IP address or domain name. The following are all valid examples of networks:
10.0.1.120
10.0.1.*
192.5.49.0:255.255.255.0
dimension.yoyodyne.com
*.yoyodyne.com
A network group is a collection of one or more networks. Network groups simplify administration. They allow you to create rules for a larger group of systems, instead of having to create individual rules for each system. A network group consists of networks that:
are logically related because of your security policy (for example, all the networks inside your firewall or all the systems that you use to administer the firewall)
are physically located in the same place (for example, all the networks located in the Virginia office)
have a similar business purpose (for example, all the networks in the Accounting department)
are groups of other network groups (for example, all the network groups in the Maryland office)
The initial Gauntlet Firewall configuration defines two network groups: a trusted network group and an untrusted network group.
The trusted network group allows you to group all the hosts that you trust. The trusted network group generally includes:
the firewall itself (that is, 127.0.0.1)
hosts and networks inside the firewall (for example, 10.0.1.*, 10.0.2.*, *.yoyodyne.com)
hosts and networks connected to the firewall via PC Extender
As part of the initial configuration of the firewall, you provide information about your trusted networks, and add them to the trusted networks group. The firewall includes rules that use the trusted service group for the trusted network group.
The untrusted network group consists of all the hosts that you do not trust. The untrusted network group usually includes every host that you don't explicitly specify as a member of the trusted network group.
The firewall includes rules that use the untrusted service group for the untrusted network group.
Define a new network group whenever you need to specify a different set of rules for a different set of networks or hosts. Often, changing business conditions or new requirements require changes to the flow of information to or from an organization.
For example, Yoyodyne is using several of its internal networks for a demonstration at its annual open house. Visitors will have access to the systems on these demonstration networks. The management at Yoyodyne wants to make sure these systems are not used to access inappropriate sites on the Internet. The trusted network group at Yoyodyne allows fairly wide access to the Internet, so this is an appropriate time to create a new network group.
To implement the new network group, the firewall administrator:
Creates a new network group called Demonstration.
Adds the networks that will be used for the demonstration to the Demonstration network group.
Creates a Demonstration service group that permits only the services they want visitors to use.
Creates a rule that indicates that the Demonstration network group uses the Demonstration service group.
Orders the rules so that the firewall reads the Demonstration rule before it reads the trusted rule.
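To make the network notations listed earlier and the rule ordering in the Demonstration example concrete, here is an added Python example (not Gauntlet code; the demonstration networks 10.0.5.* and 10.0.6.*, the Maryland group, and the matching logic are assumptions). It matches a source host against each network form, resolves nested network groups, and returns the service group of the first rule that matches, so reversing the rule order shows why Demonstration must come before trusted.

```python
import ipaddress

def network_matches(spec, host_ip, host_name=None):
    """Match a host against one spec in the forms the chapter lists: IP, IP with
    a * wildcard, address:mask, host name, or *.domain (names compare case-insensitively)."""
    if ":" in spec:                                        # address:mask form
        addr, mask = spec.split(":", 1)
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return ipaddress.ip_address(host_ip) in net
    if spec.replace("*", "0").replace(".", "").isdigit():  # IP, possibly wildcarded
        s, h = spec.split("."), host_ip.split(".")
        return len(s) == len(h) == 4 and all(a in ("*", b) for a, b in zip(s, h))
    name, pat = (host_name or "").lower(), spec.lower()    # name forms need a host name
    return name == pat or (pat.startswith("*.") and name.endswith(pat[1:]))

# Constructed configuration mirroring the Yoyodyne example; the demonstration
# networks 10.0.5.* and 10.0.6.* and the Maryland group are assumed, not from the chapter.
NETWORK_GROUPS = {
    "Demonstration": ["10.0.5.*", "10.0.6.*"],
    "Maryland": ["Demonstration"],           # a group of groups (nested membership)
    "trusted": ["127.0.0.1", "10.0.1.*", "10.0.2.*", "*.yoyodyne.com"],
}
# Rules are read in order: Demonstration must precede trusted, or a demo host
# named under yoyodyne.com would fall through to the trusted service group.
RULES = [("Demonstration", "Demonstration"), ("trusted", "trusted")]

def host_in_group(group, host_ip, host_name=None):
    """Membership test; a member may be a network spec or another network group."""
    for member in NETWORK_GROUPS[group]:
        if member in NETWORK_GROUPS:
            if host_in_group(member, host_ip, host_name):
                return True
        elif network_matches(member, host_ip, host_name):
            return True
    return False

def service_group_for(host_ip, host_name=None, rules=RULES):
    """First rule whose network group holds the host wins; unmatched hosts are untrusted."""
    for network_group, service_group in rules:
        if host_in_group(network_group, host_ip, host_name):
            return service_group
    return "untrusted"
```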
To access network configuration:
Configuring a network allows you to refer to the network by name when configuring the Gauntlet Firewall Manager. This section discusses planning, creating, modifying, and deleting networks.
Creating a network gives a name to a host, subnet, or network so that rules and network groups can refer to it.
To create a network:
In the Networks window, click Add.
The Add Network Definition window displays.
Provide the following required information about your network:
Address | Address of the network. Specify individual systems, entire networks, or subnets. Enter by IP address or by IP address and mask. The wildcard * is valid in IP addresses. |
Interface | The interface of the firewall to which the network is connected. If all the hosts on this network are inside the firewall, click Inside. If all the hosts on this network are outside the firewall, click Outside. If all the hosts on this network are on the service network of the firewall, click ServiceNet. If the hosts in this network could be on networks inside, outside, or on the service net of the firewall, click Unknown. |
Provide additional descriptive information about your network.
Group | Click on a network group to make this network a part of a network group. |
Description | Description for the network. |
Location | Reserved for future use. |
MAC Address | MAC address for this host. This setting is valid only if you have specified an individual host. |
Reference | Reserved for future use. |
Click OK.
When one or more changes need to be made to an existing network, you can modify the settings for that network.
Note: You cannot modify the IP address of the network. Instead, create a new network and remove the existing network.
To modify a network:
In the Networks window, select the network you wish to modify.
Click Modify.
The Modify Network Definition window displays.
Change the settings for the network.
Click OK.
To access network group configurations:
This section discusses the following topics:
Determine how you wish to group your networks. Consider the types of services you need for various networks.
Remember not to add the same network to two different network groups.
In the Network Groups window, click Add.
The Add Network Group window displays.
Provide information about your new network group.
Name | Name of the new network group. Names of network groups are case sensitive. |
Description | Description for the network group. |
Select the networks or network groups you want to include in (make members of) the new network group:
Click the network you would like to add from the Not Included list.
Click >> to add the network or network group to the Included list.
Click OK.
When one or more changes need to be made to an existing network group, you can modify the settings for that network group.
Note: You cannot modify the name of a network group. Instead, create a new network group and remove the existing network group.
To modify a network group:
In the Network Groups window, select the network group you wish to modify.
Click Modify.
The Modify Network Group window displays.
Change the settings for this network group.
Click OK.