VPN Policy

Novell BorderManager 3.8 VPN services provide VPN access rules that can be assigned to a particular user. Access control is categorized by Novell eDirectory user, X.509 certificate user, Novell eDirectory user group, and Novell eDirectory container. Traffic rules can be specified down to the level of individual ports.

The administrator can combine authentication rules and traffic rules to control all VPN users. For example, a rule can allow one particular user to access an application running on a particular TCP port while denying that access to everyone else. In addition, the administrator can require a particular type of authentication credential for a particular user.

VPN rules belong either to the client-to-site VPN service or to the site-to-site VPN service. The client-to-site VPN service has both authentication rules and traffic rules. The site-to-site VPN service has only traffic rules, because no user authentication is involved in a site-to-site connection. Authentication rules reside on the VPN server and are traversed only after the primary authentication succeeds; the set of traffic rules selected for that user then governs all traffic over the VPN tunnel for the duration of the connection. Once any authentication rule has been configured, the default action when no rule matches is Deny All.

The following table provides an overview of the access rules.

Client-to-Site                                         | Site-to-Site
-------------------------------------------------------|------------------------------------------------------------
Authentication rules are traversed                     | No authentication rules
Traffic rules are indexed based on the user            | No index; all traffic rules apply to the master and all slave servers
No specific third-party rules need to be configured;   | Specific traffic rules must be configured when setting up
traffic rules are enforced based on the certificate    | communication with a third-party site-to-site server
user who logged in                                     |
Can specify a destination condition                    | No destination condition; destinations are covered by the protected networks

The following default values are discussed here in brief:


Default Values for Client-to-Site Authentication Rules

When a client-to-site service is created, no default authentication rule is created. In that state the VPN server treats the default authentication action as allowing all eDirectory users, so an empty authentication rule set is the most permissive configuration. As soon as at least one authentication rule is configured, the default action when no rule matches is to deny the user access to the VPN network.


Default Values for Client-to-Site Traffic Rules

When a client-to-site service is created, a default traffic rule that drops every packet is created along with it. This means that the client-to-site connection is established, but all packets are dropped at the VPN client, so no traffic flows over the tunnel. The administrator must therefore configure the required traffic rules for the different users before the service is usable.
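The evaluation order described above (primary authentication, then authentication rules with the empty-set-allows-all behaviour, then per-user traffic rules with a default drop) is easy to get wrong when reasoning about a policy. The following Python model is an added example, not BorderManager's own code or configuration format: the rule fields, the dotted eDirectory DN notation, the first-match semantics and the sample users, groups and addresses are all assumptions chosen to illustrate the documented behaviour, including the single-user, single-port policy from the introduction.

```python
"""Illustrative model of BorderManager-style client-to-site VPN rules.

Added example, not the product's own code. Rule fields, dotted DN form,
first-match evaluation and all sample data are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Identity:
    """What the VPN server knows about a client after primary authentication."""
    user: str                                  # eDirectory DN (assumed dotted form)
    groups: set = field(default_factory=set)   # eDirectory group DNs
    cert_user: Optional[str] = None            # subject name if an X.509 cert was used
    cred_type: str = "nmas"                    # "nmas" (eDirectory) or "certificate"


def _in_container(dn: str, container: str) -> bool:
    # A DN is inside a container when the container DN is a suffix of it.
    return dn.endswith("." + container)


@dataclass
class AuthRule:
    """Selects on user, group, container or certificate user, and optionally
    on the credential type the user presented."""
    action: str                          # "allow" or "deny"
    user: Optional[str] = None
    group: Optional[str] = None
    container: Optional[str] = None
    cert_user: Optional[str] = None
    cred_type: Optional[str] = None      # None means any credential type

    def matches(self, who: Identity) -> bool:
        if self.cred_type and who.cred_type != self.cred_type:
            return False
        if self.user and who.user != self.user:
            return False
        if self.group and self.group not in who.groups:
            return False
        if self.container and not _in_container(who.user, self.container):
            return False
        if self.cert_user and who.cert_user != self.cert_user:
            return False
        return True


def authenticate(rules: list, who: Identity) -> bool:
    """Traverse authentication rules after primary authentication succeeded.

    Documented behaviour: with no rules configured every eDirectory user is
    allowed; once at least one rule exists, no match means deny."""
    if not rules:
        return True
    for rule in rules:                   # first matching rule wins (assumed)
        if rule.matches(who):
            return rule.action == "allow"
    return False


@dataclass
class TrafficRule:
    """Who the rule applies to plus destination, protocol and port."""
    action: str                          # "allow" or "drop"
    user: Optional[str] = None
    group: Optional[str] = None
    container: Optional[str] = None
    dst: Optional[str] = None            # destination host or network in CIDR form
    proto: Optional[str] = None          # "tcp" / "udp", None = any
    port: Optional[int] = None           # destination port, None = any

    def applies_to(self, who: Identity) -> bool:
        # Reuse the identity selectors of AuthRule for the "who" part.
        return AuthRule("allow", self.user, self.group, self.container).matches(who)

    def matches_packet(self, dst_ip: str, proto: str, port: int) -> bool:
        if self.dst and ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


def select_traffic_rules(rules: list, who: Identity) -> list:
    """Traffic rules are indexed by user: the subset chosen at connect time
    is enforced for the life of the tunnel."""
    return [r for r in rules if r.applies_to(who)]


def filter_packet(selected: list, dst_ip: str, proto: str, port: int) -> bool:
    """True if the packet may pass; no match falls through to the default
    traffic rule created with the service, which drops."""
    for rule in selected:
        if rule.matches_packet(dst_ip, proto, port):
            return rule.action == "allow"
    return False


# Constructed sample policy: only alice may reach the database service on
# 10.1.2.3 tcp/1433; everyone else is denied (the example from the text).
ALICE = Identity("cn=alice.ou=eng.o=acme", {"cn=vpnusers.o=acme"})
BOB = Identity("cn=bob.ou=ops.o=acme", {"cn=vpnusers.o=acme"})
AUTH_RULES = [AuthRule("allow", user="cn=alice.ou=eng.o=acme")]
TRAFFIC_RULES = [
    TrafficRule("allow", user="cn=alice.ou=eng.o=acme",
                dst="10.1.2.3/32", proto="tcp", port=1433),
]

if __name__ == "__main__":
    print("empty rule set admits bob:", authenticate([], BOB))           # True
    print("with one rule, bob denied:", authenticate(AUTH_RULES, BOB))   # False
    mine = select_traffic_rules(TRAFFIC_RULES, ALICE)
    print("alice -> tcp/1433:", filter_packet(mine, "10.1.2.3", "tcp", 1433))  # True
    print("alice -> tcp/80:", filter_packet(mine, "10.1.2.3", "tcp", 80))      # False
```

The two checks worth carrying over to a real deployment are the ones the model makes explicit: an empty authentication rule set admits every eDirectory user, and a user whose traffic rule subset is empty connects successfully but can send nothing, because the service's default traffic rule drops.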


Default Values for Site-to-Site Traffic Rules

When the site-to-site service is created, a default traffic rule is created that encrypts all traffic with the 3DES/HMAC-MD5 combination. This default traffic rule can be modified to match a narrower set of traffic or to drop packets instead. Note that 3DES and HMAC-MD5 are legacy algorithms by current standards, so the default rule should be reviewed rather than left in place unchanged.