Which Policy Takes Effect When Policy Conflict Occurs on the SVN3000?

Publication Date: 2012-07-19
Issue Description
The SVN3000 supports user access policies. However, these policies may conflict with one another. When a policy conflict occurs on the SVN3000, which policy takes effect?
Alarm Information
None
Handling Process
The SVN3000 policies include user policies and group policies. Both types of policy take effect after a user logs in to the virtual gateway. The SVN3000 processes all the policies related to the user.
1.      Among the matched policies, the more specific match (longer mask) has the higher priority. The four types of policy are as follows, in descending order of priority:
A.      Single IP address and port, for example, port 21 at 10.27.65.253/32
B.      IP segment and port, for example, port 21 at 10.27.65.253/24
C.     All ports at a single IP address, for example, all ports at 10.27.65.253/32
D.     All ports in an IP segment, for example, all ports at 10.27.65.0/24
For example, a policy allows access to port 80 at 10.1.1.0/24 (priority B), and another policy forbids access to the PC at 10.1.1.1/32 (priority C). Can port 80 at 10.1.1.1/32 be accessed?
Because the former policy has the higher priority, it takes effect. Therefore, port 80 at 10.1.1.1/32 can be accessed.
2.      When two policies for the same destination IP address have the same matching precision but one allows access whereas the other forbids it, the policy opposite to the default policy takes effect.
For example, a policy allows access to port 23 at 10.1.1.0/24, and another policy forbids access to port 23 at 10.1.1.0/24. Access is allowed by default. Can port 23 at 10.1.1.0/24 be accessed?
The two policies have the same matching precision, so the policy opposite to the default policy takes effect. Therefore, port 23 at 10.1.1.0/24 cannot be accessed.
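The following Python model is an added illustration of the two rules above; it is not part of the original article and not Huawei's implementation. It assumes, as the A-D ordering implies, that a policy naming a port always ranks above an all-ports policy regardless of mask length, and that within each pair the longer mask wins; it also accepts arbitrary prefix lengths, which goes beyond the /24 and /32 cases in the text. The policy sets EXAMPLE_1 and EXAMPLE_2 are constructed from the two worked examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW = "allow"
DENY = "deny"


@dataclass(frozen=True)
class Policy:
    """One SVN3000-style access control entry (hypothetical model)."""
    network: str            # CIDR prefix, e.g. "10.1.1.0/24"
    port: Optional[int]     # None means "all ports"
    action: str             # ALLOW or DENY
    name: str = ""

    def _net(self) -> ipaddress.IPv4Network:
        # strict=False tolerates host bits, as in "10.27.65.253/24"
        return ipaddress.ip_network(self.network, strict=False)

    def matches(self, ip: str, port: int) -> bool:
        in_net = ipaddress.ip_address(ip) in self._net()
        return in_net and (self.port is None or self.port == port)

    def precision(self) -> Tuple[int, int]:
        # Assumed ranking: port-specific beats all-ports, then longer mask
        return (1 if self.port is not None else 0, self._net().prefixlen)

    def category(self) -> str:
        """Map the policy onto the article's A-D classes."""
        has_port, plen = self.precision()
        host = plen == self._net().max_prefixlen
        if has_port:
            return "A" if host else "B"
        return "C" if host else "D"


def resolve(policies: List[Policy], ip: str, port: int,
            default: str = ALLOW) -> Tuple[str, List[Policy]]:
    """Return (effective action, policies that decided it).

    Rule 1: among matching policies, the most precise class wins.
    Rule 2: if equally precise policies disagree, the action opposite
            to the default takes effect.
    No match at all falls back to the default action.
    """
    matched = [p for p in policies if p.matches(ip, port)]
    if not matched:
        return default, []
    best = max(p.precision() for p in matched)
    top = [p for p in matched if p.precision() == best]
    actions = {p.action for p in top}
    if len(actions) == 1:
        return actions.pop(), top
    return (DENY if default == ALLOW else ALLOW), top


# Constructed from the article's first example (rule 1)
EXAMPLE_1 = [
    Policy("10.1.1.0/24", 80, ALLOW, "allow-web-segment"),   # class B
    Policy("10.1.1.1/32", None, DENY, "deny-host"),          # class C
]

# Constructed from the article's second example (rule 2)
EXAMPLE_2 = [
    Policy("10.1.1.0/24", 23, ALLOW, "allow-telnet"),
    Policy("10.1.1.0/24", 23, DENY, "deny-telnet"),
]

if __name__ == "__main__":
    for label, pols, ip, port in (("example 1", EXAMPLE_1, "10.1.1.1", 80),
                                  ("example 1", EXAMPLE_1, "10.1.1.1", 22),
                                  ("example 2", EXAMPLE_2, "10.1.1.5", 23)):
        action, deciders = resolve(pols, ip, port)
        names = ", ".join(f"{p.name}[{p.category()}]" for p in deciders)
        print(f"{label}: {ip}:{port} -> {action} (decided by {names or 'default'})")
```

Running the script shows that port 80 on 10.1.1.1 is allowed by the class B policy, that port 22 on the same host is denied because only the class C policy matches, and that the equal-precision conflict in the second example resolves to deny under an allow-by-default configuration.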
Root Cause
The access control policy of the SVN3000 differs from a firewall ACL. The SVN3000 access control policy is based on port, whereas the firewall ACL is based on IP address.
The SVN3000 provides four types of policy according to the IP address and port configuration. Each type of policy has a different priority.
Suggestions
None
