User Guide
OmniAccess SafeGuard OS Administration Guide
Chapter 7: Establishing a Security Policy
Policy Concepts
Policy is an important aspect of the SafeGuard OS solution. This chapter discusses the
key concepts of policy, how to develop a policy workflow, and procedures for coding
policy commands.
Policies are the rules that govern access for users and resources. We use policies to
establish the boundaries and enforce a security philosophy for these users and resources.
Policies can be divided into the following categories:
■ System white-black list – A list of MAC addresses, IP addresses, or VLAN IDs that
are either permitted or denied traffic into the network. Use the system white-black
list to override policy enforcement, visualization, and malware detection. To
configure a system white-black list, see System White-Black List on page 302.
■ Malware policies – When SafeGuard OS detects malware on the system, malware
policies specify how the infection is handled. These policies allow you to set how
little or how much access a user or application can have on the network when it is
suspected of being infected.
Malware policies can be set up to block an infected user or application, or allow
the end device to communicate to an IT server or Internet website for automatic
upload of the most recent anti-virus software or operating system patch. When
the attack is specific to a particular application, malware policies allow traffic
from other applications to continue unimpeded. Malware policies are described
further in Detecting and Isolating Malware Security Threats on page 361.
■ Override policies – Allow you to override a system policy with a special user
policy. Override policies are discussed in Overriding System Policies with a User
Policy on page 323.
■ System policies – SafeGuard OS has a set of default policies and roles that are
primarily used by internal routines. These policies are normally not configured by
users. For more information about these policies, see System Generated Policies and
Roles on page 325.
■ EPV policies – EPV helps ensure that a user’s system and virus software are kept
up-to-date. End point Posture Verification (EPV) is a component of SafeGuard OS
that validates software compliance. EPV policies are the mechanisms that control
whether a user’s machine is scanned (checked) or whether the user is allowed to
bypass the check. EPV policies are discussed in EPV System Policies on page 326.
■ User policies – Allow user access to network resources and applications based on
the authentication state of the user. These policies are configured by the
user/administrator to control access to the network.
Unlike competing products that look at the destination L4 port to determine the
application, SafeGuard OS performs deep packet inspection. After performing deep
packet inspection, SafeGuard OS knows not only the application but also
what the user is trying to accomplish with the application. With this information










