Barracuda Networks VERSION SP4 User Manual

15   Barracuda NG Network Access Client - Administrator’s Guide
Furthermore, the update service provides the information necessary to determine whether the
client's signature databases and engine versions are up to date.
1.5 Endpoint Security Policy Introduction Practices (Analyse, Enforce, Monitor)
When implementing firewalls at formerly unrestricted network transitions, such as LAN segments or
endpoint firewalls for LAN endpoints, a smooth implementation tactic is widely used.
A widely used but not recommended way is to start with a pass-all policy, analysing traffic instead of
controlling it, then to introduce rules step by step that reduce the traffic handled by the pass-all
policy, and finally to replace pass-all with block-all. This might be called the AEM model:
1.) Analyse
2.) Enforce
3.) Monitor
When implementing a firewall at a clear network perimeter like an internal-internet transition it is not
advisable to use this model. The rule set should be built according to SAEM:
1.) Strictly Enforce
2.) Analyse
3.) Enforce
4.) Monitor
While from a strict security point of view this is also recommended for formerly unrestricted network
transitions, many administrators nevertheless use AEM for practical reasons. If, however, you already
know what should happen at the network point of concern, use as much of this know-how as possible
and do not start with pass-all only. And if you use AEM, do not finish with a pass-all rule.
Keep in mind that your rule sets should always mirror your overall abstract security policy for the
network point of concern. Using AEM or SAEM is not a matter of technical possibilities but of weighing
risk and effort.
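
The AEM sequence described above, as an added Python example that is not taken from the Barracuda manual: traffic that only the temporary pass-all rule permitted is counted (Analyse), explicit rules are generated for the flows the security policy approves and pass-all is replaced by block-all (Enforce), and the finished rule set is checked for its last rule (Monitor). The log line format, the rule dictionaries, the approved set and all function names are assumptions made for illustration, not Barracuda NG formats or APIs.

```python
from collections import Counter

# Constructed sample log, one connection per line. Hypothetical format (not a
# Barracuda log format): source net, destination, protocol, port, matched rule.
SAMPLE_LOG = """\
10.0.1.0/24 10.0.9.10 tcp 443 PASS-ALL
10.0.1.0/24 10.0.9.10 tcp 443 PASS-ALL
10.0.1.0/24 10.0.9.20 udp 53 dns-internal
10.0.2.0/24 10.0.9.30 tcp 445 PASS-ALL
10.0.1.0/24 10.0.9.10 tcp 443 PASS-ALL
10.0.2.0/24 10.0.9.40 tcp 23 PASS-ALL
"""
# Constructed starting rule set: one known rule, then the temporary pass-all.
INITIAL_RULES = [
    {"name": "dns-internal", "action": "pass",
     "match": ("10.0.1.0/24", "10.0.9.20", "udp", 53)},
    {"name": "PASS-ALL", "action": "pass", "match": "any"},
]

def analyse(log_text, catch_all="PASS-ALL"):
    """Analyse: count the flows that only the catch-all rule let through."""
    flows = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # ignore malformed lines
        src, dst, proto, port, rule = fields
        if rule == catch_all:
            flows[(src, dst, proto, int(port))] += 1
    return flows

def unreviewed(flows, approved):
    """Observed flows the security policy does not cover; they will be blocked."""
    return sorted(f for f in flows if (f[2], f[3]) not in approved)

def enforce(rules, flows, approved, catch_all="PASS-ALL"):
    """Enforce: explicit pass rules for approved flows, block-all as last rule."""
    kept = [r for r in rules if r["name"] != catch_all]
    added = [{"name": f"pass-{f[2]}-{f[3]}", "action": "pass", "match": f}
             for f in sorted(flows) if (f[2], f[3]) in approved]
    return kept + added + [{"name": "BLOCK-ALL", "action": "block", "match": "any"}]

def ends_with_block_all(rules):
    """Monitor-time check: the rule set must not finish with a pass-all rule."""
    return bool(rules) and rules[-1]["action"] == "block" and rules[-1]["match"] == "any"
```

The approved set stands in for the abstract security policy: a flow that was observed under pass-all but is not approved appears in unreviewed() and is not turned into a rule.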
1.6 The Border Patrol
Clients often need to access remote trust zones for which restricted access rights and stronger security
measures apply. Consequently, the means to assess the suitability of crossing clients to access target
trust zones needs to be available. The building block responsible for evaluating trust zone transitions
is called border patrol. In short, the border patrol validates the credentials of crossing clients, including
authentication and health status data, so that the applicable security measures are correctly met. 
As a prerequisite, either the Access Control Service (standalone Barracuda NG Firewall) or the CC (for 
managed Barracuda NG Firewalls) must have access to the internet.