Creating Permissions
====================

Understanding Permissions
-------------------------

Permissions allow you to define Node Access based on a combination of Network, Service, and Time objects. Out of the box, Genians ships with 2 Permissions that are used in the pre-defined Enforcement Policies. These are **PERM-ALL** and **PERM-DNS**.

- **PERM-ALL**: Allow all services on all networks
- **PERM-DNS**: Only allow the DNS service on all networks

(*You can create custom Permissions, but you first need to understand the Network, Service and Time objects and how to edit and create them*)

- **Network** - A rule that identifies certain networks and allows you to define access based on an IP/Netmask or an IP Range. Fully qualified domain names may also be used to block or allow specific websites. Node Groups may also be used as a Network object.
- **Service** - A rule that identifies services, allowing you to define access through several protocols and ports.
- **Time** - A rule used to create different access times, to either allow access during certain days and hours or deny it during certain days and hours.

(*The Exclude checkbox is used as a NOT operator. e.g. For a defined Network, checking the Exclude box allows Nodes to access ALL networks other than this one*)

.. important:: Permission is applicable only to ARP Enforcement, Port Mirroring enforcement, and in-line enforcement.

Step 1. Create A Custom Network Object
--------------------------------------

.. note:: Node Groups may also be used as Network Objects. To enable this, go to **Preferences > Beta Features**, then skip to **Step 4** to configure the Node Group in a Permission.

#. Go to **Policy** in the top panel
#. Go to **Object > Network** in the left Policy panel
#. Click **Tasks > Create**
#. Enter the following:

   - **ID**: Unique-Name (*e.g. Guest Network*)
   - **Group**: Select the Group or Groups to apply to this Network Object
   - **Network**: IP/Netmask, Range, or FQDN + DNS TTL

#. Click **Create**
#. Click **Apply**

Default Network Objects
-----------------------

- **@LOCAL** - An object representing the local network of each sensor interface. A local server can be accessed by anyone on the local network, but access from outside that network is denied.
- **@MANAGED** - The combined networks of ALL Network Sensors. If new Network Sensors are added, their networks are automatically added to and included in the @MANAGED object.

Example:

+----------------+------------------+
|Network Sensor  |IP Address        |
+================+==================+
|Sensor 1        |192.168.10.10     |
+----------------+------------------+
|Sensor 2        |192.168.20.10     |
+----------------+------------------+
|Sensor 3        |192.168.30.10     |
+----------------+------------------+

A Node connects with IP 192.168.10.100.

If the Node is allowed and the Network object is **@LOCAL**:

- Group: A (192.168.10.100)
- Permission Destination Network: @LOCAL
- The node can only connect to the network range 192.168.10.0/24

If the Node is allowed and the Network object is **@MANAGED**:

- Group: A (192.168.10.100)
- Permission Destination Network: @MANAGED
- The node can only connect to the network ranges 192.168.10.0/24, 192.168.20.0/24, and 192.168.30.0/24

Step 2. Create A Custom Service Object
--------------------------------------

#. Go to **Policy** in the top panel
#. Go to **Object > Service** in the left Policy panel
#. Click **Tasks > Create**
#. Enter the following:

   - **ID**: Unique-Name (*e.g. Port 80*)
   - **Group**: Select the Group or Groups to apply to this Service Object
   - **Service Port**: Select a Protocol and an Operator to choose ports (*e.g. For Port 80: TCP/ = 80, and TCP/ = 8080*)

#. Click **Create**
#. Click **Apply**

Step 3. Create A Custom Time Object
-----------------------------------

#. Go to **Policy** in the top panel
#. Go to **Object > Time** in the left Policy panel
#. Click **Tasks > Create**
#. Enter the following:

   - **ID**: Unique-Name (*e.g. Business Hours for Guests*)
   - **Group**: Select the Group or Groups to apply to this Time Object
   - **Time**: A specific Date, or a Range of Days and Hours (*e.g. Time: 0800-1800, Days: Monday-Friday*)

#. Click **Create**
#. Click **Apply**

Step 4. Create A Permission
---------------------------

#. Go to **Policy** in the top panel
#. Go to **Object > Permission** in the left Policy panel
#. Click **Tasks > Create**
#. Enter the following:

   - **ID**: Unique-Name
   - **Description**: Some description to help understand what the Permission does
   - **Settings**: Select and edit the Network, Service, and Time objects
   - **Exclude**: Check to use the selected object as a NOT operator (*e.g. allow every network except the selected one*)

#. Click **Create**
#. Click **Apply**
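The following Python script is an added example, not code from the Genians product or this documentation. It models how a Permission built in Step 4 is evaluated against a node's traffic, and reproduces the @LOCAL / @MANAGED walkthrough from the Default Network Objects section. It rests on stated assumptions: a Permission is a list of (Network, Service, Time) rules and a flow is allowed when any one rule matches on all three; the Exclude checkbox is modelled as a NOT on the Network object; @LOCAL and @MANAGED are derived from the sensor table assuming a /24 on each sensor interface; PERM-DNS is modelled as port 53 over UDP and TCP. The Guest Network prefix 10.10.0.0/16 and the sample destination addresses are constructed for the example.

```python
"""Toy evaluator for Genians-style Permissions (Network x Service x Time).

Added example, not Genians code. Assumptions: one matching rule allows the
flow; Exclude is a NOT on the Network object; every sensor interface is a /24.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed inventory copied from the sensor table in this section.
SENSORS = {"Sensor 1": "192.168.10.10",
           "Sensor 2": "192.168.20.10",
           "Sensor 3": "192.168.30.10"}
SENSOR_PREFIX = 24  # assumption: each sensor interface sits on a /24


@dataclass(frozen=True)
class Network:
    name: str
    cidrs: tuple = ()        # ignored for the @LOCAL / @MANAGED markers
    exclude: bool = False    # Exclude checkbox: match everything BUT this object

    def resolve(self, node_ip: str) -> list:
        """Expand the object to concrete prefixes, from this node's point of view."""
        managed = [ip_network(f"{ip}/{SENSOR_PREFIX}", strict=False)
                   for ip in SENSORS.values()]
        if self.name == "@MANAGED":
            return managed                                  # every sensor's network
        if self.name == "@LOCAL":
            node = ip_address(node_ip)
            return [n for n in managed if node in n]        # only the node's own segment
        return [ip_network(c) for c in self.cidrs]

    def matches(self, node_ip: str, dst_ip: str) -> bool:
        dst = ip_address(dst_ip)
        hit = any(dst in n for n in self.resolve(node_ip))
        return (not hit) if self.exclude else hit           # Exclude = NOT operator


@dataclass(frozen=True)
class Service:
    name: str
    ports: tuple = ()        # (("tcp", 80), ...); empty tuple means any service

    def matches(self, proto: str, dport: int) -> bool:
        return not self.ports or (proto.lower(), dport) in self.ports


@dataclass(frozen=True)
class Time:
    name: str
    days: frozenset = frozenset(range(7))   # 0 = Monday ... 6 = Sunday
    start_hhmm: int = 0
    end_hhmm: int = 2400

    def matches(self, when: datetime) -> bool:
        hhmm = when.hour * 100 + when.minute
        return when.weekday() in self.days and self.start_hhmm <= hhmm < self.end_hhmm


@dataclass(frozen=True)
class Permission:
    name: str
    rules: tuple             # ((Network, Service, Time), ...)

    def allows(self, node_ip: str, dst_ip: str, proto: str, dport: int, when: datetime) -> bool:
        return any(n.matches(node_ip, dst_ip) and s.matches(proto, dport) and t.matches(when)
                   for n, s, t in self.rules)


# Objects mirroring the page's defaults.
ANY_NET = Network("ANY", ("0.0.0.0/0",))
ANY_SVC = Service("ANY")
ALWAYS = Time("ALWAYS")
DNS = Service("DNS", (("udp", 53), ("tcp", 53)))         # assumption: DNS = port 53
PERM_ALL = Permission("PERM-ALL", ((ANY_NET, ANY_SVC, ALWAYS),))
PERM_DNS = Permission("PERM-DNS", ((ANY_NET, DNS, ALWAYS),))
PERM_LOCAL = Permission("PERM-LOCAL", ((Network("@LOCAL"), ANY_SVC, ALWAYS),))
PERM_MANAGED = Permission("PERM-MANAGED", ((Network("@MANAGED"), ANY_SVC, ALWAYS),))

# Custom objects from Steps 1-4: web only, business hours, NOT the guest segment.
GUEST_NET = Network("Guest Network", ("10.10.0.0/16",), exclude=True)   # constructed prefix
WEB = Service("Port 80", (("tcp", 80), ("tcp", 8080)))
BUSINESS = Time("Business Hours for Guests", frozenset(range(5)), 800, 1800)
PERM_GUEST_WEB = Permission("PERM-GUEST-WEB", ((GUEST_NET, WEB, BUSINESS),))

MON_10AM = datetime(2024, 1, 8, 10, 0)   # a Monday
SUN_10AM = datetime(2024, 1, 7, 10, 0)   # a Sunday

if __name__ == "__main__":
    node = "192.168.10.100"              # the node from the walkthrough above
    for perm, dst in ((PERM_LOCAL, "192.168.10.50"), (PERM_LOCAL, "192.168.20.50"),
                      (PERM_MANAGED, "192.168.20.50"), (PERM_MANAGED, "8.8.8.8")):
        print(f"{perm.name}: {node} -> {dst}: {perm.allows(node, dst, 'tcp', 443, MON_10AM)}")
```

Running the script prints the four decisions from the walkthrough: with @LOCAL the node reaches only 192.168.10.0/24, with @MANAGED it reaches all three sensor networks but not 8.8.8.8. The design point is that @LOCAL is resolved relative to the node's own segment while @MANAGED is the union of all sensor segments, so the same Permission yields a different reachable set for nodes behind different sensors, and adding a sensor silently widens @MANAGED for every Permission that uses it.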