January 16, 2012

1.2.1 Rule-based management

Rule-based management, also known as label-based management, defines conditions for access to objects. Access is granted to an object based on both the object's sensitivity label and the user's sensitivity label. Every rule must define an action; that action is triggered when the rule's conditions are met, or, for some rules, when they are not met.

Rule-based management is the concept of controlling the security of communications and IT events through rule- or filter-driven systems. Firewalls, proxies, routers, IDSs, IPSs, antivirus products and more are examples of rule-based security management systems. Each of these systems has a set of rules, and each rule is either an explicit allow or an explicit deny. If an event or packet matches no rule, it should be denied by default.

Rule-based management is one method of implementing a white-list security management concept. In a white-list security management system, any event or activity that does not match an allow rule is denied by default. Even new zero-day attacks are blocked by a white-list management system.

How a firewall is configured should stem directly from the business rules established in the organization's security policy. Always place your "allow" rules lower in priority than your "deny" filters; that ordering makes your overall rule set more secure.
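The three ideas above (explicit allow/deny rules, deny by default, and deny filters ordered ahead of allow rules) can be shown with a small first-match rule evaluator. The following is an added example written for this note; it is not code from the post or from the referenced books, and the networks, hosts and rule names are constructed for illustration.

```python
"""Minimal first-match firewall rule evaluator (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network, CIDR; default matches any
    dst: str = "0.0.0.0/0"       # destination network, CIDR; default matches any
    dport: Optional[int] = None  # None matches any destination port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins. No match at all means deny (default deny)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def overlaps(a: Rule, b: Rule) -> bool:
    """True when at least one packet could match both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.dport is None or b.dport is None or a.dport == b.dport)
            and (a.proto is None or b.proto is None or a.proto == b.proto))


def shadowed_denies(rules: List[Rule]) -> List[int]:
    """Indices of deny rules that an earlier, overlapping allow rule can pre-empt.

    A non-empty result means some traffic the deny was written for will be
    allowed before the deny is ever consulted: the ordering mistake the note
    warns about.
    """
    return [j for j, deny in enumerate(rules)
            if deny.action == "deny"
            and any(r.action == "allow" and overlaps(r, deny) for r in rules[:j])]


# Constructed rule set: an internal LAN (10.0.0.0/24) may reach a web server
# and a DNS server, but one quarantined host (10.0.0.66) must reach nothing.
DENY_QUARANTINE = Rule("deny", src="10.0.0.66/32")
ALLOW_WEB = Rule("allow", src="10.0.0.0/24", dst="192.0.2.10/32", dport=443, proto="tcp")
ALLOW_DNS = Rule("allow", src="10.0.0.0/24", dst="192.0.2.53/32", dport=53, proto="udp")

# Deny filter listed above the allow rules, as the note recommends.
GOOD_ORDER = [DENY_QUARANTINE, ALLOW_WEB, ALLOW_DNS]
# The same rules with the allow rules first: the deny is now shadowed.
BAD_ORDER = [ALLOW_WEB, ALLOW_DNS, DENY_QUARANTINE]

# Constructed sample traffic.
QUARANTINED_HTTPS = Packet("10.0.0.66", "192.0.2.10", 443, "tcp")
NORMAL_HTTPS = Packet("10.0.0.7", "192.0.2.10", 443, "tcp")
UNLISTED_SSH = Packet("10.0.0.7", "192.0.2.10", 22, "tcp")

if __name__ == "__main__":
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name, "quarantined host ->", evaluate(rules, QUARANTINED_HTTPS))
        print(name, "shadowed deny rules:", shadowed_denies(rules))
    print("unlisted SSH (no rule matches) ->", evaluate(GOOD_ORDER, UNLISTED_SSH))
```

With the deny filter first, the quarantined host is stopped at rule 0; with the allow rules first, the same packet is allowed by the broader `ALLOW_WEB` rule and the deny is never reached. The SSH packet matches nothing and is dropped by the default-deny return, which is the white-list behaviour described above. `shadowed_denies` is the kind of ordering check a practitioner can run over a rule set before deploying it.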

References:

  • http://searchsecurity.techtarget.com/tip/Firewall-rule-management-best-practices
  • http://searchsecurity.techtarget.com/tip/How-to-reduce-risks-with-URL-filtering
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
