Stop managing your network one node at a time!
[Home] [Download] [Project Page] [Bugs] [SVN] [email Lists] [Tutorials] [Screenshots]

Net-Policy tutorial

This assumes a fresh install of the net-policy system, including a clean database with a freshly run np-setup and np-setupMIBtables. See the INSTALL document that comes with the net-policy package for details.

Defining some network policies

Let's start with a quick overview of some terminology.

A Policy is a collection of rules and filters applied to packets to determine what actions are necessary for that packet. Think of a policy as a grouping of data that makes something happen.

Policies are assigned to roles, and any number of roles can be assigned to a host. You can think of roles as how you would like to group your hosts. All of your network nodes will eventually be put into one or more roles. Example role names might be something like: router, firewall, switch, web server, workstation, unix and linux. The net-policy policy distribution daemon (np-distd) will apply the appropriate rules, filters and actions to a host when it is assigned to a new role.

Now that we have some basic terminology, let's create a policy that will set SNMP trap notification destinations.

  1. Create hosts and their roles. For this example, we will assume that we have a host, west, which will receive notifications. A second host, east, will send notifications.
    1. Click on Manage clients/hosts, and click Next.
    2. Select Create_New, and click Next.
    3. Enter west (must resolve to an address) as the Client Name, and Click Next.
    4. Select Create_New for the role, and click Next.
    5. Enter notification receiver as the role name and Click Next.
    6. Click Commit to commit your changes to the database.
    7. Click Return to top to go back to the main menu.
    8. Click on Manage clients/hosts, and click Next.
    9. Select Create_New, and click Next.
    10. Enter east (must resolve to an address) as the Client Name, and Click Next.
    11. Select Create_New for the role, and click Next.
    12. Enter notification generator as the role name and Click Next.
    13. Click Commit to commit your changes to the database.
    14. Click Return to top to go back to the main menu.
  2. Create the policy.
    1. Select Create a new policy and click Next.
    2. Enter send notifications as the policy name and Click Next.
    3. Click Commit to commit your changes to the database.
    4. Click Return to top to go back to the main menu.
  3. Now that we have a policy, we need to make it do something. We will add a policy to send traps to the notification receiver.
    1. Click on the Add notification logging destination button, and click Next.
    2. Select the destination for your SNMP notifications by selecting the host you previously defined (west), and then select inform and SNMP version 2c, and click Next.
    3. Select the community name for the notifications to use when they're being sent. If you actually have a notification receiver on your host, enter the appropriate community name. For this example, we will use notification. Click Next.
    4. This screen shows extra parameters that can be set. If you actually have a notification receiver, you may change these values. Otherwise, leave the defaults and click Next.
    5. Click Commit to commit your changes to the database.
    6. Click Return to top to go back to the main menu.
  4. No that we have a policy configured, we need to associate our role with the policy, so the system will know which hosts need to be configured with the policy.
    1. Select Manage host roles, and click Next.
    2. Select notification generator and click Next.
    3. Check the box to add the notification generator policy and click Next.
    4. Click Commit to commit your changes to the database.
    5. Click Return to top to go back to the main menu.

Sending out the policies to the hosts

To send out the policies to the hosts, run the following commands. This will do a one-time run of the database. Further below, we'll tell you how to run these as daemons so that network policies will take effect immediately.

The np-datad script does background database processing. Run it as follows:

When that finishes, you'll then need to run np-distd to send your network configuration policy data out to your network nodes. Do this as follows:

When this finishes, all of your policies should be distributed to your hosts. Check to make sure everything went ok.

Running the policy distribution agents as daemons

If you want the policy distribution agents to run continuously, run them as follows:

Filters and Actions: A more complex example

We all know that telnet is an insecure protocol, so lets create a policy that requires telnet traffic to be encrypted. In this example we will create a role, a policy, a preconfiured action, an ESP transform, keys, a rule and a filter. Make sure you have a fresh cup of your favorite caffeinated beverage (I'll wait), and then begin.

  1. Create the telnet server role.
  2. Create a rule to create the preconfigured Action.
    1. Select Create a new firewall rule and Click Next.
    2. Enter encrypt telnet for the policy name, and Click Next.
    3. Select the telnet server role for the policy, and Click Next.
    4. Enter the following values for the new rule:
        Administrative name encrypt telnet
        Description start preconfigured action on telnet
        Priority 100
        Filter type IP Header Filter
        Action type Establish a Preconfigured-key IPsec connection
      and Click Next.
    5. Select Create_New preconfigured action and Click Next.
    6. Enter the following values for the preconfigured action, leaving other values at their defaults:
        Administrative name esp-sha-12hrs
        Description 12 hour esp-sha SA
        SA Direction both
        SA encapsulation mode tunnel
        SA Peer Gateway None
        SA Direction both
        Maximum SA Lifetime 43200
        Choose an ESP transform to protect this SA Create New
        ESP SPI value 2003
      and Click Next.
    7. Enter the following values for the ESP transform:
        Administrative name 3des-sha-12hrs
        Lifetime (seconds) 43200
        Authentication mode sha
        Encryption cipher Triple DES
      and Click Next.
    8. Select Create_New for both keys and Click Next.
    9. You may choose to enter your own key value, or use the default. Enter the following values for the ESP Authentication key:
        Administrative name sha-key-one
      and Click Next.
    10. You may choose to enter your own key value, or use the default. Enter the following values for the ESP Encryption key:
        Administrative name 3des-key-one
      and Click Next.
    11. Click Next to create a new IP filter.
    12. Enter the following values for the filter:
        Administrative name is telnet
        IP version ipV4
        Filter on destination port range X
        Low Destination Port 23
        High Destination Port 23
        Filter on protocol X
        Protocol 6
      and Click Next.
    13. Click Commit to commit your changes to the database.
    14. Click Return to top to go back to the main menu.
  3. Add hosts to the telnet server role.
    1. If you have not already created a host, do so now.
      1. Click on Create a new host, and click Next.
      2. Enter host name (must resolve to an address), and click Next. In our example, we are using the host west.
      3. Click Commit to commit your changes to the database.
      4. Click Return to top to go back to the main menu.
    2. Select Manage clients/hosts and Click Next.
    3. Select a host to manage (west) and Click Next.
    4. Select a role to add (telnet server) and Click Next.
    5. Click Commit to commit your changes to the database.
    6. Click Return to top to go back to the main menu.

Verifying results

Now that we have data in the database, run np-datad and np-distd, as shown above. If both complete without errors, we can verify that the policy is actually enforced. This assumes you have hosts west and east in the telnet server role.
  1. Log into west via ssh or on a local terminal (don't use telnet!).
  2. Verify ping to east works
  3. telnet to east. You can hit ctrl-c pretty quickly, as we don't care if it really works. As soon as it reports Trying host..., press control-c.
  4. Verify ping to east now fails. This is because west is now sending encrypted packets that east doesn't understand.
  5. Log into east via ssh or on a local terminal (don't use telnet!).
  6. telnet to west. You can hit ctrl-c pretty quickly, as we don't care if it really works. As soon as it reports Trying host..., press control-c.
  7. From either host, verify ping now works again.
  8. That's it! You are done.

IKE and IPSEC: A more complex example

Instead of setting up a preconfigured action, we could just let the hosts negotiate the details themselves. In this example, we will set up a policy to do just that.

This example assumes that the preconfigured action example has already been completed.

  1. Select Create a new firewall rule and Click Next.
  2. Select the existing encrypt telnet policy, and Click Next.
  3. Enter the following values for the new rule:
      Administrative name encrypt telnet via ike
      Description Negotiate IKE and establish phase II SA on telnet
      Priority 42
      Filter type IP Header Filter
      Action type Negotiate IKE and establish phase II SA
    and Click Next.
  4. Enter the following values for the IKE/IPSEC pair, leaving other values at their defaults:
      Administrative name ike-ipsec
      Phase I action to use: Create New
      Phase II action to use: Create New
    and Click Next.
  5. Enter the following values for the IKE action:
      Administrative name 3des-md5-12hrs
      Select responder negotiation parameters min 1h; refresh 90%; can idle
      Peer None
    make sure both Identity fileds are blank, and Click Next.
  6. Enter the following values for the IKE proposal:
      Proposal name Create_New
      Proposal priority 10
    and Click Next.
  7. Enter the following values for the IKE proposal, leaving any other fileds with their default values:
      Administrative name 3des-md5-768-psk
      IKE CBC Cipher algorithm: Triple DES
      Cipher Key Length: 24
      IKE has algorithm: MD5
      IKE authentication method: pre-shared key
      IKE Diffie-Hellman group: 768-bit MODP group
    and Click Next.
  8. Enter the following values for the IPSEC action:
      Administrative name blowfish-md5-12hrs
      Select responder negotiation parameters min 1h; refresh 90%; can idle
      Encapsulation mode tunnel
      Ipsec Peer Gateway None
    and Click Next.
  9. Enter the following values for the IPSEC proposal:
      Administrative name esp proposal
      Priority 10
      Protocol ESP
    and Click Next.
  10. Enter the following values for the IPSEC transform:
      Administrative name esp transform
      Priority 10
      Transform Create New
    and Click Next.
  11. Enter the following values for the ESP transform:
      Administrative name blowfish-md5-12hrs
      Lifetime (seconds) 43200
      Authentication mode MD5
      Encryption cipher Blowfish
    and Click Next.
  12. Enter the following values for the filter:
      IP filter to use: is telnet
    and Click Next.
  13. Click Commit to commit your changes to the database.
  14. Click Return to top to go back to the main menu.

Please send comments, suggestions or (heaven forbid) corrections to the net-policy-users mailing list. Click here for more information.
Last modified: Tue Mar 18 10:56:15 EST 2003
Powered by: SourceForge Logo