In the trusted internal network model, the server is protecting traffic that originates from hosts inside a privately controlled network.
The following statements, concepts, and files are covered in the discussion of this model:
Figure 1 shows the trusted internal network portion of the security model network.
For this example, assume that the following requirements must be met to control traffic on the internal network:
Perform the following steps to meet these requirements and configure the trusted internal network model.
Because the entire internal network is defined in one zone, you can define a unique security class for the interface with address 9.1.1.1. For this example, the SECCLASS parameter of all internal network interfaces is assigned the arbitrary value of 1, which can be interpreted to mean a trusted network. If you specify the SecurityClass parameter in the IpService block, the related interface must be assigned the same value on the SECCLASS parameter of the LINK or INTERFACE statement in the TCP/IP profile. In this example, the traffic is allowed only over an interface with a SECCLASS parameter value of 1, presumed to be the interface connected to the internal network.
IpService
{
SourcePortRange 80
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
Because normal FTP uses two well-known ports, two services are required, one for the control connection and one for the data connection:
IpService
{
SourcePortRange 21
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpService
{
SourcePortRange 20
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional OutboundConnect
Routing local
SecurityClass 1
}
The InboundConnect keyword is used for services that are not allowed to initiate a TCP connection. The OutboundConnect keyword is used for services that are not allowed to receive a TCP connection request. If neither keyword is specified, either side can initiate a TCP connection.
Local Address of secure server: 9.1.1.1
Remote Address of administrative machine: 9.1.1.2
Local Address of secure server: 9.1.1.1
Remote Address of all hosts on internal network: 9.1.1.0/24
IpGenericFilterAction permit-log
{
IpFilterAction permit
IpFilterLogging yes
}
IpGenericFilterAction permit-nolog
{
IpFilterAction permit
IpFilterLogging no
}
In this example, the source address refers to an address on the secure host. The destination address refers to remote hosts. The IpService statements are the ones defined in step 2. Note that the IpGenericFilterAction statement must reference a previously defined action.
IpFilterRule AdminFTP
{
IpSourceAddr 9.1.1.1
IpDestAddr 9.1.1.2
IpService
{
SourcePortRange 21
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpService
{
SourcePortRange 20
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional OutboundConnect
Routing local
SecurityClass 1
}
IpGenericFilterActionRef permit-log
}
IpFilterRule InternalNetWeb
{
IpSourceAddr 9.1.1.1
IpDestAddrSet 9.1.1.0/24
IpService
{
SourcePortRange 80
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpGenericFilterActionRef permit-nolog
}
IpGenericFilterAction permit-log
{
IpFilterAction permit
IpFilterLogging yes
}
IpGenericFilterAction permit-nolog
{
IpFilterAction permit
IpFilterLogging no
}
Because IPSec is not required in this example, no filters for IKE traffic are needed.
IpFilterPolicy
{
FilterLogging on
IpFilterRule AdminFTP
{
IpSourceAddr 9.1.1.1
IpDestAddr 9.1.1.2
IpService
{
SourcePortRange 21
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpService
{
SourcePortRange 20
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional OutboundConnect
Routing local
SecurityClass 1
}
IpGenericFilterActionRef permit-log
}
IpFilterRule InternalNetWeb
{
IpSourceAddr 9.1.1.1
IpDestAddrSet 9.1.1.0/24
IpService WebServer
{
SourcePortRange 80
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpGenericFilterActionRef permit-nolog
}
}
The completed stack-specific IP security configuration file for the internal network with two filter rules follows:
# IP Security policy for Secure Server
##########################
# IpFilterPolicy block #
##########################
IpFilterPolicy
{
FilterLogging on
#Allow admin FTP; log traffic
IpFilterRule AdminFTP
{
IpSourceAddr 9.1.1.1
IpDestAddr 9.1.1.2
IpService
{
SourcePortRange 21
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpService
{
SourcePortRange 20
DestinationPortRange 1024 65535
Protocol tcp
Routing local
SecurityClass 1
Direction bidirectional OutboundConnect
}
IpGenericFilterActionRef permit-log
}
#Allow LAN Web traffic; don't log
IpFilterRule InternalNetWeb
{
IpSourceAddr 9.1.1.1
IpDestAddrSet 9.1.1.0/24
IpService
{
SourcePortRange 80
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpGenericFilterActionRef permit-nolog
}
############################
# Generic Filter Actions #
############################
IpGenericFilterAction permit-log
{
IpFilterAction permit
IpFilterLogging yes
}
IpGenericFilterAction permit-nolog
{
IpFilterAction permit
IpFilterLogging no
}
IpAddr InternalNetServerAddress
{
Addr 9.1.1.1
}
IpAddr InternalNetAdminAddress
{
Addr 9.1.1.2
}
IpAddrSet InternalNet
{
Prefix 9.1.1.0/24
}
IpService WebServer
{
SourcePortRange 80
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpService FTPServer-Control
{
SourcePortRange 21
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpService FTPServer-Data
{
SourcePortRange 20
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional OutboundConnect
Routing local
SecurityClass 1
}
IpServiceGroup FTPServer
{
IpServiceRef FTPServer-Control
IpServiceRef FTPServer-Data
}
IpFilterGroup InternalNetZoneA
{
IpFilterRuleRef AdminFTP
IpFilterRuleRef InternalNetWeb
}
Notice that, just as the list of IpFilterRule statements in the IpFilterPolicy block is ordered, the list of IpFilterRuleRef statements in the IpFilterGroup block is also ordered. The InternalNetWeb rule applies to all of the IP addresses in the network, including the administrative machine, whereas the AdminFTP rule is more specific because it applies only to a single address within that network. The more specific rule is placed first in the list.
Now that all reusable statements have been identified and separately defined, they can be incorporated into any statement that requires that reusable statement type. The modified stack-specific IP security configuration file using references follows. Note that by adding names and organizing related statements, the purpose of the IpFilterPolicy statement is clarified.
# IP Security policy for Secure Server
##########################
# IpFilterPolicy block #
##########################
IpFilterPolicy
{
FilterLogging on
IpFilterGroupRef InternalNetZoneA
}
##########################
# Security Zones #
##########################
IpFilterGroup InternalNetZoneA
{
IpFilterRuleRef AdminFTP
IpFilterRuleRef InternalNetWeb
}
##########################
# Filter rules #
##########################
#Allow admin FTP; log traffic
IpFilterRule AdminFTP
{
IpSourceAddrRef InternalNetServerAddress
IpDestAddrRef InternalNetAdminAddress
IpServiceGroupRef FTPServer
IpGenericFilterActionRef permit-log
}
#Allow LAN Web traffic; don't log
IpFilterRule InternalNetWeb
{
IpSourceAddrRef InternalNetServerAddress
IpDestAddrSetRef InternalNet
IpServiceRef WebServer
IpGenericFilterActionRef permit-nolog
}
######## All reusable reference statements defined below ########
############################
# Generic Filter Actions #
############################
IpGenericFilterAction permit-log
{
IpFilterAction permit
IpFilterLogging yes
}
IpGenericFilterAction permit-nolog
{
IpFilterAction permit
IpFilterLogging no
}
##########################
# Reusable Services #
##########################
IpService WebServer
{
SourcePortRange 80
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpService FTPServer-Control
{
SourcePortRange 21
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 1
}
IpService FTPServer-Data
{
SourcePortRange 20
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional OutboundConnect
Routing local
SecurityClass 1
}
############################
# Reusable Service Groups #
############################
IpServiceGroup FTPServer
{
IpServiceRef FTPServer-Control
IpServiceRef FTPServer-Data
}
############################
# Reusable IP Addresses #
############################
IpAddr InternalNetServerAddress
{
Addr 9.1.1.1
}
IpAddr InternalNetAdminAddress
{
Addr 9.1.1.2
}
IpAddrSet InternalNet
{
Prefix 9.1.1.0/24
}
This stack-specific IP security configuration file gives FTP access to the administrator and web access to everyone in the internal network. By relying heavily on the abstracted use of references, the policy is not only more self-explanatory, but changes to any referenced object are propagated to any statement that references it. So, if the IP address of the administrative machine or internal subnetwork changes, you merely have to make one change to an IpAddr or IpAddrSet statement, rather than modify a large number of instances in multiple rules.
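As an added example (not IBM's code and not part of the z/OS documentation), the following Python script parses a policy file in the statement syntax shown above, reports any *Ref keyword whose target is never defined, and checks the ordering point made earlier by flagging a rule whose destination lies inside the destination of a broader rule listed before it in the IpFilterGroup. The POLICY string is a constructed copy of the reference-based file with the service and action bodies shortened, and the parser handles only the Statement [Name] { key values } form seen on this page; the rule that a reference keyword's target type is the keyword minus Source, Dest and Ref is an assumption drawn from the names used here.

```python
import ipaddress, re
# Constructed sample: the reference-based file above with service and action bodies shortened.
POLICY = """
IpFilterGroup InternalNetZoneA { IpFilterRuleRef AdminFTP
  IpFilterRuleRef InternalNetWeb }
IpFilterRule AdminFTP { IpSourceAddrRef InternalNetServerAddress
  IpDestAddrRef InternalNetAdminAddress
  IpServiceGroupRef FTPServer
  IpGenericFilterActionRef permit-log }
IpFilterRule InternalNetWeb { IpSourceAddrRef InternalNetServerAddress
  IpDestAddrSetRef InternalNet
  IpServiceRef WebServer
  IpGenericFilterActionRef permit-nolog }
IpGenericFilterAction permit-log { IpFilterAction permit }
IpGenericFilterAction permit-nolog { IpFilterAction permit }
IpService WebServer { SourcePortRange 80 }
IpService FTPServer-Control { SourcePortRange 21 } IpService FTPServer-Data { SourcePortRange 20 }
IpServiceGroup FTPServer { IpServiceRef FTPServer-Control
  IpServiceRef FTPServer-Data }
IpAddr InternalNetServerAddress { Addr 9.1.1.1 } IpAddr InternalNetAdminAddress { Addr 9.1.1.2 }
IpAddrSet InternalNet { Prefix 9.1.1.0/24 }
"""
def parse(text):
    """{statement_type: {name: body}} for named top-level statements; body: key -> [value lists]."""
    defs, stack, head = {}, [], None
    for seg in (s.strip() for s in re.split(r"([{}\n])", re.sub(r"#.*", "", text))):
        if seg == "{":
            stack.append((head, {}))
        elif seg == "}":
            (stype, name), body = stack.pop()
            if not stack:  # inline (unnamed, nested) blocks are not registered as definitions
                defs.setdefault(stype, {})[name] = body
        elif seg:
            key, *vals = seg.split()
            if stack:
                stack[-1][1].setdefault(key, []).append(vals)
            head = (key, vals[0] if vals else None)  # remembered in case a "{" follows
    return defs
def dangling_refs(defs):
    """*Ref entries naming an undefined target; the target type is the key minus Source/Dest/Ref (assumed)."""
    return [f"{s} {n}: {k} {v[0]}" for s, named in defs.items() for n, body in named.items()
            for k, uses in body.items() if k.endswith("Ref")
            for v in uses if v[0] not in defs.get(re.sub(r"Source|Dest|Ref$", "", k), {})]
def misordered_rules(defs, group):
    """Rules listed after a broader rule whose destination contains theirs; the narrower one should come first."""
    def dest(rule):  # IpDestAddrRef names one host (IpAddr); IpDestAddrSetRef names a prefix (IpAddrSet)
        ref, stype, key = (("IpDestAddrRef", "IpAddr", "Addr") if "IpDestAddrRef" in rule
                           else ("IpDestAddrSetRef", "IpAddrSet", "Prefix"))
        return ipaddress.ip_network(defs[stype][rule[ref][0][0]][key][0][0])
    nets = [(r, dest(defs["IpFilterRule"][r])) for (r,) in defs["IpFilterGroup"][group]["IpFilterRuleRef"]]
    return [f"{later} should precede {earlier}" for i, (later, lnet) in enumerate(nets)
            for earlier, enet in nets[:i] if lnet != enet and lnet.subnet_of(enet)]
```

Running dangling_refs and misordered_rules over parse(POLICY) returns two empty lists for the file as written; swapping the two IpFilterRuleRef lines makes the ordering check report that AdminFTP should precede InternalNetWeb.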