Users, Groups and Global Policies – NETGEAR ProSafe SSL312 User Manual


NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual


Setting Up User and Group Access Policies

v1.1, November 2006

Users, Groups and Global Policies

An administrator can define and apply user, group and global policies to predefined network
resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN
services. A specific hierarchy is invoked over which policies take precedence. The SSL VPN
Concentrator policy hierarchy is defined as:

1. User Policies take precedence over all Group Policies.

2. Group Policies take precedence over all Global Policies.

3. If two or more user, group or global policies are configured, the most specific policy takes
precedence.

For example, a policy configured for a single IP address takes precedence over a policy configured
for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over
a policy applied to all IP addresses. If two or more IP address ranges are configured, then the
smallest address range takes precedence. Hostnames are treated the same as individual IP
addresses.

Network Resources are prioritized just like other address ranges. However, the prioritization is
based on the individual address or address range, not the entire Network Resource.

For example, let’s assume the following global policy configuration:

Policy 1: A Deny rule has been configured to block all services to the IP address range
10.0.0.0 - 10.0.0.255.

Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 -
10.0.1.10.

Policy 3: A Permit rule has been configured to allow FTP access to the predefined network
resource, FTP Servers. The FTP Servers network resource includes the following
addresses: 10.0.0.5 - 10.0.0.20 and ftp.company.com, which resolves to
10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user attempted to
access:

An FTP server at 10.0.0.1, the user would be blocked by Policy 1.

An FTP server at 10.0.1.5, the user would be blocked by Policy 2.

An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address
range 10.0.0.5 - 10.0.0.20 is more specific than the IP address range defined in
Policy 1.
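The precedence rules and the three-policy example above, worked through as an added Python sketch (not NETGEAR code and not the appliance's implementation). The `Policy` class, the `decide` function, and the behaviour on ties and on no match are assumptions made for illustration; the fourth address checked, 10.0.1.3, goes beyond the manual's three cases and follows from hostnames being treated as individual IP addresses.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address as IP

# User policies beat group policies, which beat global policies (lower rank wins).
SCOPE_RANK = {"user": 0, "group": 1, "global": 2}

@dataclass
class Policy:
    name: str
    scope: str      # "user", "group" or "global"
    action: str     # "permit" or "deny"
    service: str    # e.g. "ftp", or "all" for every service
    ranges: list    # inclusive (first, last) pairs; a Network Resource lists each member

def span(first, last):
    """Number of addresses in an inclusive range (1 for a single host or hostname)."""
    return int(IP(last)) - int(IP(first)) + 1

def decide(policies, service, dest):
    """Return (policy name, action) for the winning policy, or None if nothing matches."""
    best = None
    for p in policies:
        if p.service not in ("all", service):
            continue
        # Each member range is ranked on its own, not the whole Network Resource.
        for first, last in p.ranges:
            if IP(first) <= IP(dest) <= IP(last):
                key = (SCOPE_RANK[p.scope], span(first, last))
                # Assumption: on an exact tie the earlier policy is kept.
                if best is None or key < best[0]:
                    best = (key, p)
    return (best[1].name, best[1].action) if best else None

# The manual's three global policies. ftp.company.com is entered as the single
# address it resolves to (10.0.1.3), since hostnames rank like individual IPs.
GLOBAL = [
    Policy("Policy 1", "global", "deny", "all", [("10.0.0.0", "10.0.0.255")]),
    Policy("Policy 2", "global", "deny", "ftp", [("10.0.1.2", "10.0.1.10")]),
    Policy("Policy 3", "global", "permit", "ftp",
           [("10.0.0.5", "10.0.0.20"), ("10.0.1.3", "10.0.1.3")]),
]

if __name__ == "__main__":
    for dest in ("10.0.0.1", "10.0.1.5", "10.0.0.10", "10.0.1.3"):
        print(dest, decide(GLOBAL, "ftp", dest))
```

When auditing a rule set, note that a narrow Permit inside a broad Deny wins at the same policy level, so every small range and hostname entry in a Network Resource is worth reviewing on its own.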
