Brick Policy Rules And Zone Rulesets - Alcatel-Lucent Security Management Server (SMS) Release 9.4 Technical Overview


Alcatel-Lucent VPN Firewall Brick

Brick Policy Rules and Zone Rulesets

Brick rules: a primary firewall security mechanism
One of the fundamental security elements of a firewall is a rule, which allows or
blocks traffic, based on some set of criteria.
Brick devices use 6-tuple matching as the first set of rule criteria. A rule can
specify any combination of the following six fields, taken from the IP header, the
transport header and the 802.1Q tag of the packet as it traverses the Brick:
1. IP Source address
2. IP destination address
3. IP protocol
4. TCP or UDP source port (or ICMP/IGMP type)
5. TCP or UDP destination port (or ICMP/IGMP code)
6. VLAN ID
Brick zone ruleset
A set of these rules comprise what is referred to as a policy or Brick zone ruleset,
which is assigned to one or more ports on one or more Brick devices. When you
assign a Brick zone ruleset to a port, you specify the IP addresses of the hosts
connected to that port and protected by the set of rules in the zone ruleset that has
been assigned to the port.
A set of pre-configured Brick zone rulesets is installed with the Alcatel-Lucent VPN
Firewall solution. These pre-configured zone rulesets consist primarily of pre-defined
system rules that allow management and configuration traffic to pass between the SMS
and the Bricks. A pre-defined zone ruleset can then be modified with user-defined
rules that address the specific data-security constraints and activities of the "zone",
that is, the portion of the customer's operational network connected to that Brick
port, or copied to a new zone ruleset, modified as needed, and assigned to the port.
Traffic can be further segmented by creating Brick partitions and assigning Virtual
LANs (VLANs) to them, which separates the traffic of different customers that share
the same physical Brick ports. Each Brick partition can be set up as a distinct virtual
firewall, with its own set of host IP addresses, rulesets, and session cache entries.
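The following is an added example, not code from the SMS documentation or from Alcatel-Lucent, that models the three ideas above in working Python: a 6-tuple rule whose fields can each be wildcarded, a zone ruleset evaluated in order, and partitions selected by VLAN ID so that two customers sharing a Brick get independent rulesets. The rule names, addresses, first-match semantics and the default-drop behaviour for unmatched traffic or unknown VLANs are assumptions made for illustration; the Brick's real evaluation order and defaults are not stated on this page.

```python
# Added example (not Alcatel-Lucent code): a toy model of Brick-style 6-tuple
# rule matching, first-match zone rulesets and VLAN-keyed partitions.
# Rule names, addresses, first-match order and default-drop are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union

ANY = "*"                                    # wildcard for any tuple element
PortSpec = Union[str, int, Tuple[int, int]]  # ANY, exact value, or (lo, hi)


@dataclass(frozen=True)
class Packet:
    """The six header fields the Brick matches on."""
    src: str                    # IP source address
    dst: str                    # IP destination address
    proto: str                  # IP protocol: "tcp", "udp", "icmp", "igmp", ...
    sport: int                  # TCP/UDP source port, or ICMP/IGMP type
    dport: int                  # TCP/UDP destination port, or ICMP/IGMP code
    vlan: Optional[int] = None  # 802.1Q VLAN ID, None if untagged


@dataclass(frozen=True)
class Rule:
    """One 6-tuple rule; ANY in a field means that field is not checked."""
    name: str
    action: str                 # "pass" or "drop"
    src: str = ANY              # CIDR prefix or ANY
    dst: str = ANY
    proto: str = ANY
    sport: PortSpec = ANY
    dport: PortSpec = ANY
    vlan: Union[str, int] = ANY


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def _port_match(pattern: PortSpec, value: int) -> bool:
    if pattern == ANY:
        return True
    if isinstance(pattern, tuple):          # inclusive range
        lo, hi = pattern
        return lo <= value <= hi
    return pattern == value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All six criteria must match; a wildcard field always matches."""
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.proto == ANY or rule.proto == pkt.proto)
            and _port_match(rule.sport, pkt.sport)
            and _port_match(rule.dport, pkt.dport)
            and (rule.vlan == ANY or rule.vlan == pkt.vlan))


@dataclass
class ZoneRuleset:
    """Ordered rules; the first match wins (assumed first-match semantics)."""
    name: str
    rules: Tuple[Rule, ...]
    default_action: str = "drop"  # assumption: unmatched traffic is dropped

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action, rule.name
        return self.default_action, "default"


@dataclass
class Partition:
    """A virtual firewall: its own VLANs, protected hosts and zone ruleset."""
    name: str
    vlans: frozenset
    protected_hosts: Tuple[str, ...]  # hosts behind the port this ruleset guards
    ruleset: ZoneRuleset


def filter_packet(partitions, pkt: Packet) -> Tuple[Optional[str], str, str]:
    """Select the partition by VLAN ID, then run that partition's ruleset."""
    for part in partitions:
        if pkt.vlan in part.vlans:
            action, rule_name = part.ruleset.evaluate(pkt)
            return part.name, action, rule_name
    return None, "drop", "no-partition"  # assumption: unknown VLAN is dropped


# Constructed sample configuration (not from the SMS documentation).
CUSTOMER_A = Partition(
    name="customer_a", vlans=frozenset({100}), protected_hosts=("192.0.2.0/24",),
    ruleset=ZoneRuleset("zone_a", (
        Rule("allow-http-in", "pass", dst="192.0.2.0/24", proto="tcp", dport=80),
        Rule("allow-echo-req", "pass", dst="192.0.2.0/24", proto="icmp", sport=8, dport=0),
        Rule("deny-all", "drop"),
    )))
CUSTOMER_B = Partition(
    name="customer_b", vlans=frozenset({200}), protected_hosts=("198.51.100.0/24",),
    ruleset=ZoneRuleset("zone_b", (
        Rule("allow-dns-in", "pass", dst="198.51.100.53/32", proto="udp", dport=53),
    )))
BRICK = (CUSTOMER_A, CUSTOMER_B)

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", "192.0.2.10", "tcp", 51234, 80, vlan=100),
                Packet("203.0.113.7", "192.0.2.10", "icmp", 8, 0, vlan=100),
                Packet("203.0.113.7", "198.51.100.53", "udp", 40000, 53, vlan=200),
                Packet("203.0.113.7", "192.0.2.10", "tcp", 51234, 80, vlan=300)):
        print(pkt.vlan, pkt.proto, pkt.sport, pkt.dport, "->", filter_packet(BRICK, pkt))
```

Note that the same HTTP packet passes on VLAN 100 but is dropped on VLAN 200: the partition, not just the port, decides which ruleset applies, which is what keeps one customer's permissive rule from opening the other customer's hosts. The ICMP rule also shows the type-in-source-port, code-in-destination-port mapping from the 6-tuple list above.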
Rule packet filtering
The Brick, as a bridging device, "listens" to all data traffic that crosses its ports. When
a data packet crosses a Brick port, the Brick examines the packet header information
and compares it with the rules contained in the zone ruleset that has been assigned to
the port. If the Brick finds a rule that matches the information and traffic type
contained in the packet header, it takes the action dictated by the rule for that type of
260-100-022R9.4, Issue 1, June 2009, Security Appliance, page 1-5
