Filtering At The Interface Level; Built-In Port-Based Exception Filters - Extreme Networks Summit WM20 User Manual

Version 4.2


Configuring the Summit WM Controller

Filtering at the Interface Level

The Summit WM Controller, Access Points and Software ships with a number of built-in filters that protect the
system from unauthorized traffic. These filters apply only to the Summit WM Controller itself: they are
enforced at the network interface level and are invoked automatically. By default they are stringent,
allowing access only to the system's externally visible services. In addition to these built-in filters,
the administrator can define exception filters at the interface level to customize network access.
Interface-level filters do not depend on a WM-AD definition.

Built-in Port-Based Exception Filters

On the Summit WM Controller, various port-based exception filters are built in and invoked
automatically. They protect the controller from unauthorized access to its system management functions
and services on the management ports. Management access through an interface is granted only if the
administrator selects the allow management option for that interface.
Allow management traffic is specific to the interface on which it is enabled. For example, if allow
management is enabled on a physical port (esa0), only users connected through esa0 can reach the
management functions, and only at esa0's own address. Users connecting on any other interface, such as a
WM-AD (esa6), cannot target esa0 to gain management access to the system. To allow management access for
users connected on a WM-AD, allow management must be enabled in that WM-AD's own configuration, and those
users can target only that WM-AD's interface.
NOTE
You can also enable management traffic in the WM-AD definition.
For example, on the Summit WM Controller's data interfaces (both physical interfaces and WM-AD
virtual interfaces), the built-in exception filter blocks SSH, HTTPS, and SNMP. Such traffic is allowed
by default only on the management port.
When management traffic is explicitly enabled on an interface (physical port or WM-AD), management
access is extended to that interface only: the controller accepts management traffic that arrives on that
interface and is addressed to it, not management traffic that arrives on another interface (such as a
different WM-AD) and targets that interface's address. Only traffic specifically allowed by the
interface's exception filter reaches the Summit WM Controller itself; all other traffic is dropped.
Exception filters are generated dynamically and regenerated whenever the system's interface topology
changes (for example, when the IP address of any interface changes).
Enabling management traffic on an interface adds rules to its exception filter that open the well-known
TCP/UDP ports for the HTTPS (443/tcp), SSH (22/tcp), and SNMP (161/udp) services.
For traffic from WM-AD users, the built-in port-based exception filter rules apply to traffic targeted
directly at the WM-AD's interface. A WM-AD filter policy may be generic enough to permit traffic to the
Summit WM Controller's management address (for example, Allow All [*.*.*.*]). Exception filter rules are
evaluated after the user's WM-AD-assigned filter policy, so the WM-AD policy may allow access to
management functions that the exception filter then denies. Such packets are dropped: a permissive WM-AD
policy never overrides the exception filter.
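The following is an added model of the evaluation order described in this section; it is example code, not part of the manual or of the Summit WM software. The interface names (esa0, esa6, a management port), their addresses, the rule representation, and the `controller_accepts` function are hypothetical; only the three management services are modelled, and the WM-AD policy is represented as a first-match list of (CIDR, allow) pairs with default deny.

```python
"""Model of the Summit WM Controller's built-in port-based exception filter.

Hypothetical example: interface names, addresses and the rule format are
assumptions for illustration, not the controller's own configuration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple
import ipaddress

# Well-known ports that "allow management" opens on an interface.
MANAGEMENT_SERVICES = {
    ("tcp", 22): "SSH",
    ("tcp", 443): "HTTPS",
    ("udp", 161): "SNMP",
}


@dataclass(frozen=True)
class Interface:
    name: str               # "esa0" (physical), "esa6" (WM-AD) or the management port
    address: str            # hypothetical IPv4 address assigned to the interface
    allow_management: bool  # the interface's "allow management" setting


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    dst_ip: str
    proto: str     # "tcp" or "udp"
    dst_port: int


def wmad_policy_allows(packet: Packet, rules: List[Tuple[str, bool]]) -> bool:
    """Evaluate the user's WM-AD-assigned filter policy.

    rules: (cidr, allow) pairs, first match wins, default deny.
    "Allow All [*.*.*.*]" is represented here as ("0.0.0.0/0", True).
    """
    dst = ipaddress.ip_address(packet.dst_ip)
    for cidr, allow in rules:
        if dst in ipaddress.ip_network(cidr):
            return allow
    return False


def exception_filter_allows(packet: Packet, interfaces: Iterable[Interface]) -> Tuple[bool, str]:
    """Built-in exception filter for traffic addressed to the controller itself.

    A management service is reachable only when the packet arrived on an
    interface with allow management enabled AND is addressed to that same
    interface's address. Anything else aimed at the controller is dropped
    (the controller's other externally visible services are not modelled).
    """
    interfaces = tuple(interfaces)
    ingress = next((i for i in interfaces if i.name == packet.ingress), None)
    target = next((i for i in interfaces if i.address == packet.dst_ip), None)
    if ingress is None or target is None:
        return False, "not addressed to a controller interface (forwarded traffic, not modelled)"
    service = MANAGEMENT_SERVICES.get((packet.proto, packet.dst_port))
    if service is None:
        return False, "port not opened by the exception filter"
    if target is not ingress:
        # e.g. a WM-AD user on esa6 targeting esa0's address: dropped
        return False, f"{service} on {target.name} is not reachable via {ingress.name}"
    if not ingress.allow_management:
        return False, f"allow management is disabled on {ingress.name}"
    return True, f"{service} allowed on {ingress.name}"


def controller_accepts(packet: Packet, rules: List[Tuple[str, bool]],
                       interfaces: Iterable[Interface]) -> Tuple[bool, str]:
    """WM-AD policy is evaluated first, then the exception filter; both must allow.

    A generous WM-AD policy therefore cannot grant what the exception filter denies.
    """
    if not wmad_policy_allows(packet, rules):
        return False, "dropped by WM-AD filter policy"
    return exception_filter_allows(packet, interfaces)


# Constructed topology for the example: a physical port with management
# enabled, a WM-AD without it, and the management port (enabled by default).
INTERFACES = (
    Interface("esa0", "10.0.0.1", allow_management=True),
    Interface("esa6", "192.168.6.1", allow_management=False),
    Interface("mgmt", "172.16.0.1", allow_management=True),
)
ALLOW_ALL = [("0.0.0.0/0", True)]


if __name__ == "__main__":
    cases = [
        Packet("esa0", "10.0.0.1", "tcp", 443),    # HTTPS to esa0, arriving on esa0
        Packet("esa6", "10.0.0.1", "tcp", 443),    # WM-AD user targeting esa0's address
        Packet("esa6", "192.168.6.1", "tcp", 22),  # SSH to the WM-AD's own address
        Packet("mgmt", "172.16.0.1", "udp", 161),  # SNMP on the management port
    ]
    for p in cases:
        ok, why = controller_accepts(p, ALLOW_ALL, INTERFACES)
        print(f"{p.ingress} -> {p.dst_ip}:{p.dst_port}/{p.proto}: {'ALLOW' if ok else 'DROP'} ({why})")
```

Running the script shows the two cases that matter in practice: the Allow All WM-AD policy passes every packet, yet the WM-AD user's HTTPS request to esa0 is still dropped by the exception filter, and SSH to the WM-AD's own address is dropped until allow management is enabled in that WM-AD's configuration.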
Summit WM20 User Guide, Software Release 4.2
