Stop managing your network one node at a time!
[Home] [Download] [Project Page] [Bugs] [SVN] [email Lists] [Tutorials] [Screenshots]

Net-Policy tutorial

This tutorial assumes

• a fresh install of net-policy 0.9.2 and corresponding np-plutoplus and np-cerberus packages.
• a clean database with a freshly run np-setup and np-setupMIBtables.

Defining some network policies

A Policy is a collection of rules and filters applied to packets to determine what actions are necessary for that packet. Think of a policy as a grouping of data that makes something happen.

Policies are assigned to roles, and any number of roles can be assigned to a host. You can think of roles as how you would like to group your hosts. All of your network nodes will eventually be put into one or more roles. Example role names might be something like: router, firewall, switch, web server, workstation, unix and linux. The net-policy policy distribution daemon (np-distd) will apply the appropriate rules, filters and actions to a host when it is assigned to a new role.

Now that we have some basic terminology, let's create a policy that will set SNMP trap notification destinations.

1. Create hosts and their roles. For this example, we will assume that we have a host, west, which will receive notifications. A second host, east, will send notifications.
   1. Click on Manage clients/hosts, and click Next.
   2. Select Create_New, and click Next.
   3. Enter west (must resolve to an address) as the Client Name, and Click Next.
   4. Select Create_New for the role, and click Next.
   5. Enter notification receiver as the role name and Click Next.
   6. Click Commit to commit your changes to the database.
   7. Click Return to top to go back to the main menu.
   8. Click on Manage clients/hosts, and click Next.
   9. Select Create_New, and click Next.
   10. Enter east (must resolve to an address) as the Client Name, and Click Next.
   11. Select Create_New for the role, and click Next.
   12. Enter notification generator as the role name and Click Next.
   13. Click Commit to commit your changes to the database.
   14. Click Return to top to go back to the main menu.
2. Create the policy.
   1. Select Create a new policy and click Next.
   2. Enter send notifications as the policy name and Click Next.
   3. Click Commit to commit your changes to the database.
   4. Click Return to top to go back to the main menu.
3. Now that we have a policy, we need to make it do something. We will add a policy to send traps to the notification receiver.
   1. Click on the Add notification logging destination button, and click Next.
   2. Select the destination for your SNMP notifications by selecting the host you previously defined (west), and then select inform and SNMP version 2c, and click Next.
   3. Select the community name for the notifications to use when they're being sent. If you actually have a notification receiver on your host, enter the appropriate community name. For this example, we will use notification. Click Next.
   4. This screen shows extra parameters that can be set. If you actually have a notification receiver, you may change these values. Otherwise, leave the defaults and click Next.
   5. Click Commit to commit your changes to the database.
   6. Click Return to top to go back to the main menu.
4. No that we have a policy configured, we need to associate our role with the policy, so the system will know which hosts need to be configured with the policy.
   1. Select Manage host roles, and click Next.
   2. Select notification generator and click Next.
   3. Check the box to add the notification generator policy and click Next.
   4. Click Commit to commit your changes to the database.
   5. Click Return to top to go back to the main menu.

Sending out the policies to the hosts

To send out the policies to the hosts, run the following commands. This will do a one-time run of the database. Further below, we'll tell you how to run these as daemons so that network policies will take effect immediately.

The np-datad script does background database processing. Run it as follows:

• np-datad -u SQLUSER -p SQLPASS -d -i

When that finishes, you'll then need to run np-distd to send your network configuration policy data out to your network nodes. Do this as follows:

• np-distd -u SQLUSER -p SQLPASS -s 0

When this finishes, all of your policies should be distributed to your hosts. Check to make sure everything went ok.

Running the policy distribution agents as daemons

If you want the policy distribution agents to run continuously, run them as follows:

• np-datad -u SQLUSER -p SQLPASS &
• np-distd -u SQLUSER -p SQLPASS &

Filters and Actions: A more complex example

We all know that telnet is an insecure protocol, so lets create a policy that requires telnet traffic to be encrypted. In this example we will create a role, a policy, a preconfiured action, an ESP transform, keys, a rule and a filter. Make sure you have a fresh cup of your favorite caffeinated beverage (I'll wait), and then begin.

1. Create the telnet server role.
   • If you have done the notification example, and already have the host west as a client:
     1. Click on Manage host roles, and click Next.
     2. Select Create_New, and click Next.
     3. Enter telnet server and click Next.
     4. Select the host west to be a member of the new role, and click Next.
   • If you have NOT done the notification example, and do not have the host west as a client:
     1. Click on Manage clients/hosts, and click Next.
     2. Select Create_New, and click Next.
     3. Enter west and click Next.
     4. Select Create_New role, and click Next.
     5. Enter telnet server as the role name, and click Next.
   • Click Commit to commit your changes to the database.
   • Click Return to top to go back to the main menu.
2. Create a rule to create the preconfigured Action.
   1. Select Create a new firewall rule and Click Next.
   2. Enter encrypt telnet for the policy name, and Click Next.
   3. Select the telnet server role for the policy, and Click Next.
   4. Enter the following values for the new rule:
      

      Administrative name	encrypt telnet
      Description	start preconfigured action on telnet
      Priority	100
      Filter type	IP Header Filter
      Action type	Establish a Preconfigured-key IPsec connection

      and Click Next.
   5. Select Create_New preconfigured action and Click Next.
   6. Enter the following values for the preconfigured action, leaving other values at their defaults:
      

      Administrative name	esp-sha-12hrs
      Description	12 hour esp-sha SA
      SA Direction	both
      SA encapsulation mode	tunnel
      SA Peer Gateway	None
      SA Direction	both
      Maximum SA Lifetime	43200
      Choose an ESP transform to protect this SA	Create New
      ESP SPI value	2003

      and Click Next.
   7. Enter the following values for the ESP transform:
      

      Administrative name	3des-sha-12hrs
      Lifetime (seconds)	43200
      Authentication mode	sha
      Encryption cipher	Triple DES

      and Click Next.
   8. Select Create_New for both keys and Click Next.
   9. You may choose to enter your own key value, or use the default. Enter the following values for the ESP Authentication key:
      

      Administrative name	sha-key-one

      and Click Next.
   10. You may choose to enter your own key value, or use the default. Enter the following values for the ESP Encryption key:
       

       Administrative name	3des-key-one

       and Click Next.
   11. Click Next to create a new IP filter.
   12. Enter the following values for the filter:
       

       Administrative name	is telnet
       IP version	ipV4
       Filter on destination port range	X
       Low Destination Port	23
       High Destination Port	23
       Filter on protocol	X
       Protocol	6

       and Click Next.
   13. Click Commit to commit your changes to the database.
   14. Click Return to top to go back to the main menu.
3. Add hosts to the telnet server role.
   1. If you have not already created a host, do so now.
      1. Click on Create a new host, and click Next.
      2. Enter host name (must resolve to an address), and click Next. In our example, we are using the host west.
      3. Click Commit to commit your changes to the database.
      4. Click Return to top to go back to the main menu.
   2. Select Manage clients/hosts and Click Next.
   3. Select a host to manage (west) and Click Next.
   4. Select a role to add (telnet server) and Click Next.
   5. Click Commit to commit your changes to the database.
   6. Click Return to top to go back to the main menu.

Verifying results

1. Log into west via ssh or on a local terminal (don't use telnet!).
2. Verify ping to east works
3. telnet to east. You can hit ctrl-c pretty quickly, as we don't care if it really works. As soon as it reports Trying host..., press control-c.
4. Verify ping to east now fails. This is because west is now sending encrypted packets that east doesn't understand.
5. Log into east via ssh or on a local terminal (don't use telnet!).
6. telnet to west. You can hit ctrl-c pretty quickly, as we don't care if it really works. As soon as it reports Trying host..., press control-c.
7. From either host, verify ping now works again.
8. That's it! You are done.

IKE and IPSEC: A more complex example

Instead of setting up a preconfigured action, we could just let the hosts negotiate the details themselves. In this example, we will set up a policy to do just that.

This example assumes that the preconfigured action example has already been completed.

1. Select Create a new firewall rule and Click Next.
2. Select the existing encrypt telnet policy, and Click Next.
3. Enter the following values for the new rule:
   

   Administrative name	encrypt telnet via ike
   Description	Negotiate IKE and establish phase II SA on telnet
   Priority	42
   Filter type	IP Header Filter
   Action type	Negotiate IKE and establish phase II SA

   and Click Next.
4. Enter the following values for the IKE/IPSEC pair, leaving other values at their defaults:
   

   Administrative name	ike-ipsec
   Phase I action to use:	Create New
   Phase II action to use:	Create New

   and Click Next.
5. Enter the following values for the IKE action:
   

   Administrative name	3des-md5-12hrs
   Select responder negotiation parameters	min 1h; refresh 90%; can idle
   Peer	None

   make sure both Identity fields are blank, and Click Next.
6. Enter the following values for the IKE proposal:
   

   Proposal name	Create_New
   Proposal priority	10

   and Click Next.
7. Enter the following values for the IKE proposal, leaving any other fields with their default values:
   

   Administrative name	3des-md5-768-psk
   IKE CBC Cipher algorithm:	Triple DES
   Cipher Key Length:	24
   IKE hash algorithm:	MD5
   IKE authentication method:	pre-shared key
   IKE Diffie-Hellman group:	768-bit MODP group

   and Click Next.
8. Enter the following values for the IPSEC action:
   

   Administrative name	blowfish-md5-12hrs
   Select responder negotiation parameters	min 1h; refresh 90%; can idle
   Encapsulation mode	tunnel
   Ipsec Peer Gateway	None

   and Click Next.
9. Enter the following values for the IPSEC proposal:
   

   Administrative name	esp proposal
   Priority	10
   Protocol	ESP

   and Click Next.
10. Enter the following values for the IPSEC transform:
    

    Administrative name	esp transform
    Priority	10
    Transform	Create New

    and Click Next.
11. Enter the following values for the ESP transform:
    

    Administrative name	blowfish-md5-12hrs
    Lifetime (seconds)	43200
    Authentication mode	MD5
    Encryption cipher	Blowfish

    and Click Next.
12. Enter the following values for the filter:
    

    IP filter to use:

    is telnet

    and Click Next.
13. Click Commit to commit your changes to the database.
14. Click Return to top to go back to the main menu.