Creating Network Service Groups - ADTRAN BlueSecure Controller Setup And Administration Manual

Software release version: 6.5

Chapter 8: Roles and Role Elements
Incoming/Outgoing Priority - You can configure a priority for traffic coming into the BSC
or going out from the BSC via this network service. If the BSC experiences network
congestion, High priority traffic takes precedence over Medium and Low priority traffic.
You can also configure role-based traffic priority. An override option in the role
configuration determines whether the priority setting in a policy's network service takes
precedence over the priority setting in the role. See "Defining User Roles to Enforce
Network Usage Policies" on page 8-2 for information about role configuration.
Note: Incoming traffic is defined to be Protected-to-Managed while outgoing traffic is
defined to be Managed-to-Protected.
Incoming/Outgoing DSCP Value - The BSC can use differentiated services code point
(DSCP) marking to mark or change the mark of incoming or outgoing packet traffic via
this network service. This allows other devices in the network that are configured for
Differentiated Services (DiffServ) to enforce a specific QoS level based on the priority of
the DSCP mark in each packet header. Unchanged means there is either no DSCP
marking or the BSC will not alter the marking value.
You can also configure role-based DSCP marking. An override option in the role
determines whether the DSCP marking setting in a policy's network service takes
precedence over the DSCP setting in the role. See "Defining User Roles to Enforce
Network Usage Policies" on page 8-2 for more information about role configuration.
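
What a DSCP mark looks like on the wire, as an added example that is not taken from the ADTRAN manual or from BSC code: DSCP is the upper six bits of the second IPv4 header byte, so a packet captured downstream of the BSC can be checked against the configured value. The sample header, its addresses and the DSCP value 46 are constructed for illustration, and remark_dscp is a hypothetical model of a re-mark in which None stands in for Unchanged.

```python
import struct
from typing import Optional, Tuple

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def read_dscp(header: bytes) -> Tuple[int, int]:
    """Return (dscp, ecn): DSCP is the top 6 bits of byte 1, ECN the low 2 bits."""
    if len(header) < 20 or header[0] >> 4 != 4 or (header[0] & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    return header[1] >> 2, header[1] & 0x03

def remark_dscp(packet: bytes, dscp: Optional[int]) -> bytes:
    """Hypothetical model of a re-mark. None stands in for 'Unchanged'."""
    if dscp is None:
        return packet
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    read_dscp(packet)                       # validates the header
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)  # keep the ECN bits untouched
    hdr[10:12] = b"\x00\x00"                # zero the checksum before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def build_sample() -> bytes:
    """Constructed header: 192.0.2.10 -> 198.51.100.20, TCP, DSCP 0, ECN ECT(0)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x02, 20, 0x1234, 0x4000,
                                64, 6, 0, bytes([192, 0, 2, 10]),
                                bytes([198, 51, 100, 20])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    before = build_sample()
    after = remark_dscp(before, 46)         # 46 = Expedited Forwarding (example value)
    print("before:", read_dscp(before), "after:", read_dscp(after))
    print("checksum still valid:", ipv4_checksum(after) == 0)
```
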
Denial of Service
Optional. If your network is experiencing a Denial-of-Service (DoS) attack or has a large
number of virus-infected hosts resident on it, then configure the BSC Denial of Service
(DoS) settings to limit or disable affected network services. The DoS can be caused by
malicious users or Internet worms/viruses.
To limit the bandwidth for a service, mark the Limit checkbox and then enter the maximum
bandwidth allotted to the service in the Packets per second field.
Entering a bandwidth of zero (0) completely blocks the service.
Be sure to apply the bandwidth limitations in all directions (protected-to-managed,
managed-to-protected, and into the BSC) as appropriate for your network.
Intrusion Detection
Specify access to the network service for users in the BSC Intrusion Detection System's
Blocked State by marking one of the following radio buttons:
Normal - The service is allowed or denied as specified by the blocked user's IDS role.
Exclude - Allow users in the Blocked State to access this network service regardless of
their role's settings, i.e. the service will not be subject to IDS.
Block - Deny users in the Blocked State access to this network service regardless of their
role's settings.
Saving the Settings
Click Save to store the information to the BSC database or Save and create another to
continue defining network services.
You might be prompted to restart the BSC. We recommend that you do not restart the BSC
until you have completely finished configuring the BSC for use in your network.

Creating Network Service Groups

Create groups of network services to enable you to easily provide or deny access to
multiple network services based on a user's assigned role.
To create a network service group: