Planning Access Control Policies

Experienced system administrators who understand the information presented thus far in this chapter might be able to implement their organization's access control policies without planning.

However, for those who want to think through their access control mechanisms prior to implementation, we have provided Access Control Planning Worksheets in Microsoft Word and Adobe Acrobat PDF formats with the online documentation.


Identify Your Organization's Policies

After printing the worksheets, complete the following steps:

  1. Investigate and make sure you understand your organization's policies as they pertain to cache device access.

  2. If the policies are clear and concise you might be able to proceed with defining the conditions that will implement the policy.

  3. If the policies are more general, develop a list of simple sentences that state each policy point in specific terms.

    For example, your organization's policies regarding cache device access might include the following points:


Plan Access Control Conditions

After you have specific policy statements to work with, creating conditions for these statements is relatively easy.

We recommend you do the following:

  1. Print enough Condition Planning Worksheets for all the conditions you think you'll need to create.

  2. Create a separate worksheet for each condition, keeping in mind that conditions specify how request data is evaluated for obtaining a true result.

    For example, you might create the following conditions to match the policy statements in Identify Your Organization's Policies:

    IMPORTANT:  You should never create conditions that you know will always be false. For more information, see A False Result Allows Requests to Pass Through.

  3. Although conditions don't have associated actions, note the action you want associated with each condition's rule at the top of each condition sheet for later reference when you are planning and creating rules.

    For example, continuing with the conditions identified in Step 2:

  4. If you plan to create User conditions, also plan for the authentication profiles you will need and for which services these profiles will be associated with. For more information, see Authentication Services.

  5. If you plan to create conditions that leverage an N2H2 or Websense filtering server, make sure you have the information needed to configure Excelerator XL 1.0 to work with the servers. For more information, see Content Filtering.

  6. After ensuring you have defined conditions for each of your policy statements, continue with Plan Access Control Rules.


Plan Access Control Rules

After you have created conditions to match your policy statements, you must plan for rules that will enforce the actions you had in mind when you created the conditions. You must also assign each rule a priority to ensure that it is evaluated in the proper order.

We recommend you do the following:

  1. Sort your Condition Planning Worksheets so that you have a stack for each rule.

    NOTE:  It is not unusual for a rule to have only one or two conditions associated with it.

  2. If you intend to control new connection requests, ensure that the stacks targeted at new connection request policies contain only Source IP, Source Port, Incoming IP, and Incoming Port condition types.

  3. Watch for conditions that overlap.

    You will need to ensure that the rule with the specific condition is evaluated first. Otherwise the action for the general condition will happen before the specific condition is tested.

  4. Pay special attention to User conditions.

    If you have all of the following:

    then you must ensure that you prioritize your rules so that valid requests without user data are evaluated and allowed (or blocked) before the User rules come into play and block the valid requests for lack of authentication data.

  5. Print a copy of the Rule Planning Worksheet for each rule you think you need to create.

  6. Create a rule for each stack of Condition Planning Worksheets, checking all the appropriate boxes and grouping the conditions in sets as rule logic dictates.

  7. Fasten the corresponding rule worksheet to the front of each stack of condition worksheets.

  8. If you want, return to the Condition Planning Worksheets and record the associated rule and set information for tracking purposes.
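To make the ordering concerns in Steps 3 and 4 concrete, the following is an added example (not part of this documentation or of the Excelerator product) that simulates priority-ordered rule evaluation, where a rule whose conditions come out false lets the request pass through to the next rule. The rule names, subnets, group name and the convention that a lower priority number is evaluated first are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Request data is a constructed dict: the source IP, plus user data only when the
# request carries authentication information, e.g. {"name": "bob", "group": "staff"}.

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # assumption: a lower number is evaluated first
    action: str          # "allow" or "block"
    conditions: tuple    # one set: every condition must be true for the rule to fire

    def matches(self, req: dict) -> bool:
        return all(cond(req) for cond in self.conditions)

def evaluate(rules, req: dict):
    """The first rule (in priority order) whose conditions are all true decides.
    A rule whose conditions come out false lets the request pass through."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.action, rule.name
    return "allow", None   # assumption: nothing matched, fall through to a default allow

# Hypothetical condition builders standing in for the Source IP and User condition types.
def source_ip_in(cidr: str):
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["source_ip"]) in net

def user_not_in_group(group: str):
    # A User condition that is true for anyone not proven to be in the group,
    # which includes requests that carry no authentication data at all.
    return lambda req: (req.get("user") or {}).get("group") != group

SPECIFIC_BLOCK = Rule("block lab subnet", 10, "block", (source_ip_in("10.1.2.0/24"),))
GENERAL_ALLOW = Rule("allow corporate net", 20, "allow", (source_ip_in("10.0.0.0/8"),))
USER_BLOCK = Rule("block non-staff users", 30, "block", (user_not_in_group("staff"),))

def with_priority(rule: Rule, priority: int) -> Rule:
    return replace(rule, priority=priority)

def decide(rules, source_ip: str, user: Optional[dict] = None):
    return evaluate(rules, {"source_ip": source_ip, "user": user})

if __name__ == "__main__":
    # Overlap: the specific lab-subnet block must outrank the general corporate allow.
    print(decide([SPECIFIC_BLOCK, GENERAL_ALLOW, USER_BLOCK], "10.1.2.5"))
    # Misordered User rule: an anonymous corporate request is blocked for lack of user data.
    print(decide([GENERAL_ALLOW, with_priority(USER_BLOCK, 5)], "10.5.0.1"))
```

Swapping the priorities of the specific and general rules, or moving the User rule ahead of the allow rule, changes the outcome for the same request, which is the ordering problem the worksheets are meant to catch on paper.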


Plan Access Control Policies

The primary consideration when creating new policies is identifying the correct policy stage. For more information on policy stages, see When Access Control Can Occur. If you need to control both new connection requests and user data requests, you will need to create at least two policies, one for each request stage.

When considering which stages to use, remember that it is more efficient to block or allow requests at new connection time than to evaluate the same condition after the TCP connection has already been established.

If you have a large number of rules, creating more than one policy for a request type can help with organizing and tracking the rules. However, having multiple policies also makes the task of determining the rule evaluation order more complex if all of the policies contain rules with the same priorities and assigned actions.

If your access control policies need to vary depending on external considerations such as time of day, day of the week, or date, you might consider creating separate policies you can quickly enable and disable as these other considerations dictate.

When you are ready to plan your policies, complete the following steps:

  1. Print at least one Policy Planning Worksheet for each policy stage.

  2. Sort the Rule Planning Worksheets by Priority and Action. For help, review the information in Evaluating Your Access Control Policies.

  3. Record the information for each rule on its associated Policy Planning Worksheet.

  4. Fasten the Policy Planning Worksheet and its associated rule/condition worksheets in order, with the policy worksheet on top.

  5. If you want, you can now check the rule flow manually before proceeding with policy creation.