### File contains examples for the following policies:
### 1) securing traffic between branch offices
### 2) securing traffic from remote access users (via L2TP over IPSEC)
### 3) Policy for protecting LDAP server
### 4) drop all traffic on public interfaces
###
### The policies in this file assume that the directory has been
### loaded with the pre-defined templates in "policyTemplates.ldif".
###
###
###########################################################################
### Example 1:                                                          ###
### Branch office policy for securing traffic from 11.0.0.0 to 12.0.0.0 ###
### This policy consists of the information needed to set up the        ###
### security association for the Security Gateway (SG1 - public IP      ###
### Address = 1.1.1.1) protecting the 11.0.0.0 network and the          ###
### information needed for the Security Gateway (SG2 - public IP        ###
### Address = 1.1.1.2) protecting the 12.0.0.0 network.                 ###
###########################################################################

# Profile for SG1
dn: cn=11to12, o=ibm, c=us
objectclass: trafficprofile
cn: 11to12
sourceaddressrange: 1:11.0.0.0-255.255.255.0
destinationaddressrange: 1:12.0.0.0-255.255.255.0

#IPSEC Action for SG1
dn: cn=secure11to12, o=ibm, c=us
objectclass: IPSecSecurityAction
cn: secure11to12
securityaction: permit
ipsectunnelstart: 1.1.1.1
ipsectunnelend: 1.1.1.2
ipsecproposalreference: 1: cn=strongP2EspProp, o=ibm, c=us
ipsecproposalreference: 2: cn=strongP2EspAhProp, o=ibm, c=us
ipsecproposalreference: 3: cn=veryStrongP2EspProp, o=ibm, c=us
ipsecproposalreference: 4: cn=veryStrongP2EspAhProp, o=ibm, c=us

#Policy for SG1
dn: cn=policySecure11to12, o=ibm, c=us
objectclass: policyrule
cn: policySecure11to12
rulepriority: 20
policyscope: isakmp
policyscope: ipsec
trafficprofilereference: cn=11to12, o=ibm, c=us
policyvalidityperiodreference: cn=allTheTime, o=ibm, c=us
ipsecsecurityactionreference: cn=secure11to12, o=ibm, c=us
ipsecisakmpactionreference: cn=generalPhase1Action, o=ibm, c=us

#Profile for SG2
dn: cn=12to11, o=ibm, c=us
objectclass: trafficprofile
cn: 12to11
sourceaddressrange: 1:12.0.0.0-255.255.255.0
destinationaddressrange: 1:11.0.0.0-255.255.255.0

#IPSEC Action for SG2
dn: cn=secure12to11, o=ibm, c=us
objectclass: IPSecSecurityAction
cn: secure12to11
securityaction: permit
ipsectunnelstart: 1.1.1.2
ipsectunnelend: 1.1.1.1
ipsecproposalreference: 1: cn=strongP2EspProp, o=ibm, c=us
ipsecproposalreference: 2: cn=strongP2EspAhProp, o=ibm, c=us
ipsecproposalreference: 3: cn=veryStrongP2EspProp, o=ibm, c=us
ipsecproposalreference: 4: cn=veryStrongP2EspAhProp, o=ibm, c=us

#Policy for SG2
dn: cn=policySecure12to11, o=ibm, c=us
objectclass: policyrule
cn: policySecure12to11
rulepriority: 20
policyscope: isakmp
policyscope: ipsec
trafficprofilereference: cn=12to11, o=ibm, c=us
policyvalidityperiodreference: cn=allTheTime, o=ibm, c=us
ipsecsecurityactionreference: cn=secure12to11, o=ibm, c=us
ipsecisakmpactionreference: cn=generalPhase1Action, o=ibm, c=us

###########################################################################
### Example 2:                                                          ###
### Remote Access policy for securing traffic from Any User to 11.0.0.0 ###
### This policy definition is for remote access users connecting to     ###
### their local ISP and being assigned a public IP address. This        ###
### address is unknown to the corporate security gateway and would be   ###
### considered invalid in the trusted network. As a result, the         ###
### mode of operation is to run IPSEC in transport mode and run L2TP    ###
### on top of IPSEC. L2TP will provide the user authentication and IP   ###
### address assignment for the private network. IPSEC will protect and  ###
### authenticate the L2TP traffic. This policy must be one of the       ###
### lowest priority policies since the remote address information is    ###
### causing overlaps with the more specific policies. Note: you must    ###
### still enable L2TP, configure L2TP for fixed port mode and PPP users ###
### to finish setting up the configuration.                             ###
###########################################################################

#Profile for SG1 - Any traffic going in/out 1.1.1.1 from/to 11.0.0.0 network
dn: cn=remoteUserto11, o=ibm, c=us
objectclass: trafficprofile
cn: remoteUserto11
sourceaddressrange: 1:11.0.0.0-255.255.255.0
destinationaddressrange: 1:0.0.0.0-0.0.0.0
sourceportrange: 1701:1701
destinationportrange: 1701:1701
protocolnumber: 17
interface: 1:-1.1.1.1

#IPSEC Action for SG1, Transport Mode
# Note: ipsectunnelend value of 0.0.0.0 denotes remote access
# users with an unknown IP Address.
dn: cn=secureRemoteAccessUsersTo11, o=ibm, c=us
objectclass: IPSecSecurityAction
cn: secureRemoteAccessUsersTo11
securityaction: permit
ipsectunnelstart: 1.1.1.1
ipsectunnelend: 0.0.0.0
ipsecproposalreference: 1: cn=strongP2EspPropXport, o=ibm, c=us
ipsecproposalreference: 2: cn=strongP2EspAhPropXport, o=ibm, c=us
ipsecproposalreference: 3: cn=veryStrongP2EspPropXport, o=ibm, c=us
ipsecproposalreference: 4: cn=veryStrongP2EspAhPropXport, o=ibm, c=us

#Policy for SG1
dn: cn=remoteAccessto11, o=ibm, c=us
objectclass: policyrule
cn: remoteAccessto11
rulepriority: 10
policyscope: ipsec
policyscope: isakmp
trafficprofilereference: cn=remoteUserto11, o=ibm, c=us
policyvalidityperiodreference: cn=allTheTime, o=ibm, c=us
ipsecsecurityactionreference: cn=secureRemoteAccessUsersTo11, o=ibm, c=us
ipsecisakmpactionreference: cn=generalPhase1Action, o=ibm, c=us

###########################################################################
### Example 3:                                                          ###
### This policy provides the Bootstrap Policy needed to terminate IPSEC ###
### tunnels being set up by remote security gateways fetching their     ###
### policy information from a local LDAP server protected by this       ###
### SG. In this example the LDAP server IP Address is 11.0.0.1 and the  ###
### port number that the LDAP Server is listening on is 389.            ###
###########################################################################

#Profile for SG1 protecting LDAP server, remote address and port information
#is unknown.
dn: cn=gatewaysToLDAPServer, o=ibm, c=us
objectclass: trafficprofile
cn: gatewaysToLDAPServer
sourceaddressrange: 1:11.0.0.1-255.255.255.255
sourceportrange: 389:389
protocolnumber: 6:6
interface: 1:-1.1.1.1

#IPSEC Action for SG1
dn: cn=secureLdapServer, o=ibm, c=us
objectclass: IPSecSecurityAction
cn: secureLdapServer
securityaction: permit
ipsectunnelstart: 1.1.1.1
ipsectunnelend: 0.0.0.0
ipsecproposalreference: 1: cn=strongP2EspProp, o=ibm, c=us
ipsecproposalreference: 2: cn=strongP2EspAhProp, o=ibm, c=us
ipsecproposalreference: 3: cn=veryStrongP2EspProp, o=ibm, c=us
ipsecproposalreference: 4: cn=veryStrongP2EspAhProp, o=ibm, c=us

#Policy for SG1
dn: cn=gatewayToLdapServerPolicy, o=ibm, c=us
objectclass: policyrule
cn: gatewayToLdapServerPolicy
rulepriority: 15
policyscope: ipsec
policyscope: isakmp
trafficprofilereference: cn=gatewaysToLDAPServer, o=ibm, c=us
policyvalidityperiodreference: cn=allTheTime, o=ibm, c=us
ipsecsecurityactionreference: cn=secureLdapServer, o=ibm, c=us
ipsecisakmpactionreference: cn=generalPhase1Action, o=ibm, c=us

###########################################################################
### Example 4:                                                          ###
### Policy to Drop All Other Traffic Going in or Out Public Interface   ###
### This example has the rules for SG1 and SG2                          ###
###########################################################################

#Profile for SG1
# Note: the cn value must match the RDN in the dn (here and in the entries
# below); an entry whose cn differs is rejected with a naming violation.
dn: cn=inOutPublicSG1, o=ibm, c=us
objectclass: trafficprofile
cn: inOutPublicSG1
interface: 1:1.1.1.1-
interface: 1:-1.1.1.1

#Policy for SG1
dn: cn=dropPublicTrafficSG1, o=ibm, c=us
objectclass: policyrule
cn: dropPublicTrafficSG1
rulepriority: 5
policyscope: ipsec
trafficprofilereference: cn=inOutPublicSG1, o=ibm, c=us
policyvalidityperiodreference: cn=allTheTime, o=ibm, c=us
ipsecsecurityactionreference: cn=ipsecDrop, o=ibm, c=us

#Profile for SG2
dn: cn=inOutPublicSG2, o=ibm, c=us
objectclass: trafficprofile
cn: inOutPublicSG2
interface: 1:1.1.1.2-
interface: 1:-1.1.1.2

#Policy for SG2
dn: cn=dropPublicTrafficSG2, o=ibm, c=us
objectclass: policyrule
cn: dropPublicTrafficSG2
rulepriority: 5
policyscope: ipsec
trafficprofilereference: cn=inOutPublicSG2, o=ibm, c=us
policyvalidityperiodreference: cn=allTheTime, o=ibm, c=us
ipsecsecurityactionreference: cn=ipsecDrop, o=ibm, c=us

####################################
## DEVICEPOLICYRULES LIST for SG1 ##
####################################
dn: cn=rulesForSG1, o=ibm, c=us
objectclass: devicepolicyrules
cn: rulesForSG1
policyrulereference: cn=policySecure11to12, o=ibm, c=us
policyrulereference: cn=gatewayToLdapServerPolicy, o=ibm, c=us
policyrulereference: cn=remoteAccessto11, o=ibm, c=us
policyrulereference: cn=dropPublicTrafficSG1, o=ibm, c=us

###########################
## DEVICEPROFILE for SG1 ##
###########################
dn: cn=deviceProfileForSG1, o=ibm, c=us
objectclass: deviceprofile
cn: deviceProfileForSG1
devicerulesreference: cn=rulesForSG1, o=ibm, c=us

####################################
## DEVICEPOLICYRULES LIST for SG2 ##
####################################
dn: cn=rulesForSG2, o=ibm, c=us
objectclass: devicepolicyrules
cn: rulesForSG2
policyrulereference: cn=policySecure12to11, o=ibm, c=us
policyrulereference: cn=dropPublicTrafficSG2, o=ibm, c=us

###########################
## DEVICEPROFILE for SG2 ##
###########################
dn: cn=deviceProfileForSG2, o=ibm, c=us
objectclass: deviceprofile
cn: deviceProfileForSG2
devicerulesreference: cn=rulesForSG2, o=ibm, c=us
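As an added example (not part of IBM's policy file), a small Python checker that parses a flat LDIF like the one above and reports the three mistakes these examples are prone to: a cn that does not match the RDN, a reference to an entry defined in neither this file nor policyTemplates.ldif, and a catch-all drop rule whose rulepriority is not the lowest in its device rule list. The sample LDIF and TEMPLATE_DNS are constructed, and the assumption that a higher rulepriority is matched first follows the ordering the examples use (permit rules at 10 to 20, drop rules at 5).

```python
from collections import defaultdict
# Constructed sample: trimmed SG2 entries, with the catch-all drop rule
# deliberately given a higher rulepriority than the permit rule.
SAMPLE_LDIF = """\
dn: cn=policySecure12to11, o=ibm, c=us
objectclass: policyrule
cn: policySecure12to11
rulepriority: 20
ipsecsecurityactionreference: cn=secure12to11, o=ibm, c=us

dn: cn=dropPublicTrafficSG2, o=ibm, c=us
objectclass: policyrule
cn: dropPublicTrafficTo12
rulepriority: 25
ipsecsecurityactionreference: cn=ipsecDrop, o=ibm, c=us

dn: cn=rulesForSG2, o=ibm, c=us
objectclass: devicepolicyrules
cn: rulesForSG2
policyrulereference: cn=policySecure12to11, o=ibm, c=us
policyrulereference: cn=dropPublicTrafficSG2, o=ibm, c=us
"""
TEMPLATE_DNS = {"cn=ipsecDrop, o=ibm, c=us"}  # assumed to come from policyTemplates.ldif

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a flat 'attr: value' LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs[key.strip().lower()].append(val.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def check_policy(entries, known=frozenset()):
    """Report cn/RDN mismatches, dangling references and drop rules that are
    not the lowest priority in their list (higher rulepriority matches first)."""
    out = []
    for dn, a in entries.items():
        if dn.split(",")[0].split("=", 1)[1] not in a["cn"]:
            out.append(f"{dn}: cn does not match RDN")
        for key, vals in a.items():
            for v in (vals if key.endswith("reference") else []):
                ref = v.split(": ", 1)[-1]  # strip the "n: " index prefix if present
                if ref not in entries and ref not in known:
                    out.append(f"{dn}: {key} -> {ref} not found")
        if "devicepolicyrules" in a["objectclass"]:
            prio = {r: int(entries[r]["rulepriority"][0]) for r in a["policyrulereference"] if r in entries}
            for r, p in prio.items():
                drop = "cn=ipsecDrop" in " ".join(entries[r]["ipsecsecurityactionreference"])
                if drop and any(q <= p for n, q in prio.items() if n != r):
                    out.append(f"{dn}: drop rule {r} is not the lowest priority")
    return out
```

Run `check_policy(parse_ldif(open("policy.ldif").read()), TEMPLATE_DNS)` against the full file before loading it into the directory; an empty list means every reference resolves and the drop rules sit below the permit rules.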