User Guide

OmniAccess SafeGuard OS Administration Guide
299
Chapter 7: Establishing a Security Policy
the system can enforce access control based on what the user is doing with the
application and extend enforcement from Layer 3 through Layer 7. User policies
are discussed in User Policies on page 305.
Traffic Flow
Unlike competitive products, SafeGuard devices are not packet-based nor do they use
packet-based control mechanisms. Instead, the system initiates policy enforcement on
TCP connections or groupings of UDP packets. These connections are called flows.
The upper physical ports of a SafeGuard device are called the network side of the device
and the lower physical ports the host side. In the default policy configuration, a policy
is expressed from the host-side perspective but is applied to traffic in both directions. This
bidirectional behavior is unlike traditional Access Control Lists (ACLs), which require
explicit command-level configuration for each direction. This physical distinction between
user and network ports applies only to controllers. In a switch/user network it is only a
logical concept, used to identify the originator and destination of a flow.
However, there might be an occasion when you want to control a flow from the network
side of the device. This change of direction can be configured using the flow-in and
flow-out keywords on the policy filter. These keywords are described in Configuring the
Rules on page 316.
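The following is an added illustrative model of the flow-based, bidirectional enforcement described above; it is not SafeGuard code and does not use the SafeGuard policy syntax. It assumes that a flow is keyed by a canonical 5-tuple (so both directions of a TCP connection or UDP exchange map to one flow record), that the first packet seen defines the flow's originator, and that a rule written from the host-side perspective matches both directions unless qualified with a direction of "flow-in" (originated on the network side) or "flow-out" (originated on the host side). The rule fields, class names and sample packets are all constructed for the example.

```python
"""Illustrative model of flow-based bidirectional policy enforcement.

Added example, not SafeGuard code. Assumptions: canonical 5-tuple flow key,
first packet defines the originator, rules are host-side perspective and
bidirectional unless a direction ("flow-in" / "flow-out") is given.
"""
from dataclasses import dataclass
from typing import Optional

HOST = "host"        # lower ports in this model
NETWORK = "network"  # upper ports in this model


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    ingress: str      # side the packet arrived on: HOST or NETWORK


@dataclass
class Flow:
    key: tuple
    originator_side: str   # side that sent the first packet of the flow
    originator_ip: str
    responder_ip: str
    proto: str
    responder_port: int    # the service port, taken from the first packet
    packets: int = 0

    @property
    def direction(self) -> str:
        # flow-out: originated on the host side; flow-in: originated on the network side
        return "flow-out" if self.originator_side == HOST else "flow-in"


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    proto: Optional[str] = None
    host_ip: Optional[str] = None        # host-side endpoint (host-side perspective)
    network_ip: Optional[str] = None     # network-side endpoint
    service_port: Optional[int] = None   # responder's port
    direction: Optional[str] = None      # None = both directions


def flow_key(p: Packet) -> tuple:
    """Canonical 5-tuple: identical for both directions of one exchange."""
    ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (p.proto, ends[0], ends[1])


class FlowTable:
    def __init__(self):
        self.flows = {}

    def lookup_or_create(self, p: Packet) -> Flow:
        k = flow_key(p)
        f = self.flows.get(k)
        if f is None:  # first packet seen defines originator and responder
            f = Flow(k, p.ingress, p.src_ip, p.dst_ip, p.proto, p.dst_port)
            self.flows[k] = f
        f.packets += 1
        return f


def host_and_network_endpoints(f: Flow):
    """Return (host-side IP, network-side IP) regardless of who originated."""
    if f.originator_side == HOST:
        return f.originator_ip, f.responder_ip
    return f.responder_ip, f.originator_ip


def rule_matches(r: Rule, f: Flow) -> bool:
    host_ip, net_ip = host_and_network_endpoints(f)
    if r.proto is not None and r.proto != f.proto:
        return False
    if r.host_ip is not None and r.host_ip != host_ip:
        return False
    if r.network_ip is not None and r.network_ip != net_ip:
        return False
    if r.service_port is not None and r.service_port != f.responder_port:
        return False
    if r.direction is not None and r.direction != f.direction:
        return False
    return True


def decide(rules, f: Flow, default: str = "deny") -> str:
    """First matching rule wins; unmatched flows get the default action."""
    for r in rules:
        if rule_matches(r, f):
            return r.action
    return default


def enforce(rules, packets):
    """Classify each packet into a flow and return the per-packet verdicts."""
    table = FlowTable()
    verdicts = [decide(rules, table.lookup_or_create(p)) for p in packets]
    return verdicts, table


# Constructed sample policy: one bidirectional rule, one direction-qualified rule.
RULES = [
    Rule("permit", proto="tcp", host_ip="10.0.0.5", network_ip="203.0.113.10", service_port=443),
    Rule("permit", proto="udp", service_port=53, direction="flow-out"),
]

# Constructed sample traffic (IPs are documentation ranges).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 50000, 443, HOST),     # host opens HTTPS
    Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 50000, NETWORK),  # reply, same flow
    Packet("203.0.113.10", "10.0.0.5", "tcp", 40000, 22, NETWORK),   # network-originated SSH
    Packet("10.0.0.5", "198.51.100.1", "udp", 5353, 53, HOST),       # host DNS query
    Packet("198.51.100.1", "10.0.0.5", "udp", 53, 5353, NETWORK),    # DNS answer, same flow
    Packet("198.51.100.1", "10.0.0.5", "udp", 6000, 53, NETWORK),    # inbound to port 53
]

if __name__ == "__main__":
    verdicts, table = enforce(RULES, SAMPLE_PACKETS)
    for p, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"{p.ingress:>7} {p.proto} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}: {v}")
```

The second packet is permitted by the same single rule that permitted the first, because the return traffic belongs to the flow the host originated; a per-direction ACL would need a second entry for it. The last packet is denied even though it targets port 53, because the rule is qualified with flow-out and that flow originated on the network side.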
Figure 7 Flow Direction
[Figure: SafeGuard device showing the Network Side (upper ports) and Host Side (lower ports), with the Flow-in and Flow-out directions]
Policy Enforcement
The order in which a policy is enforced depends on two factors: