Re-evaluating current structure

L3 Networker

I am currently managing users via AD groups but need a more granular approach. I recently added a BYOD device manager to my network. It divides my 2 main groups using a specific IP range. If I use this method to manage users I will probably have to reset all my policies. My question is, should I start by blocking all processes, then open just what we need? Which rule should go first?

I have Students and Faculty-Staff.

Faculty-Staff can have network access, printers, etc., social media, streaming media, Netflix, etc.

Students with Auth machines can have network share access.

No social media, games (all the usual blocks), limited (QoS) streaming media, no Netflix or Hulu TV.

What rules should I start with?

3 replies

L4 Transporter

Depends on how savage you want to be.

If you want to work up from a "deny everything" scenario, I would start with two rules for each affected zone (faculty & students) or IP range.

First rule - allow selected applications. Remember, you need to start with the most OPEN rule first, because rules are processed sequentially, and if you make your first rule "deny everything", then all traffic will hit this rule, match, and nothing else will be processed.

Actually, you can do it with three rules - I'd do something like this

Source: Faculty zone/IP range - Allow : required apps

Source : Student zone/IP range - Allow : required apps

Source : Any - Deny : Any

That way, anything which doesn't match the first two rules will fall through to the "deny" rule and be blocked. The most open rule (the faculty one) should be the first security rule in your list, then the next most restrictive one (the student rule), then the complete deny rule.

If you want to be more open, it's a little more complex.

It is a step. We have Spring Break coming up. Perfect time to redesign the policies. I'll start with the scorched earth policy and open from there.

If that's your policy, then go for it.

I work the other way around - I do three rules, but the final one is an allow any/any - but email me a report about it so I can slowly close loopholes.

I find that leads to fewer complaints when Fred Nerk's favourite, business-critical application suddenly stops working. 🙂
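The two rule orderings discussed in the replies above (allows first with a final deny-any, versus allows first with a final logged allow-any) come down to one property: the rulebase is evaluated top-down and the first matching rule wins. The following is an added example, not code from the thread or from PAN-OS, that simulates that first-match evaluation so you can see why a deny-any placed first shadows every rule below it, and what each of the two suggested orderings does to sample faculty and student flows. The zone names, the 10.10.0.0/16 and 10.20.0.0/16 ranges standing in for the BYOD manager's IP split, and the application names are all assumptions made up for the example.

```python
"""First-match security rulebase simulation (constructed example, not vendor code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # zone name from ZONES, a CIDR string, or "any"
    apps: frozenset      # application names, or frozenset({"any"})
    action: str          # "allow" or "deny"
    log: bool = False    # used by the allow-any-and-report variant


@dataclass(frozen=True)
class Flow:
    src_ip: str
    app: str


# Assumed address plan: the BYOD manager separates the two groups by IP range.
ZONES = {
    "faculty": ipaddress.ip_network("10.10.0.0/16"),
    "students": ipaddress.ip_network("10.20.0.0/16"),
}


def rule_matches(rule, flow):
    """A rule matches when the source (zone/CIDR/any) and the application both match."""
    if rule.source != "any":
        net = ZONES.get(rule.source) or ipaddress.ip_network(rule.source)
        if ipaddress.ip_address(flow.src_ip) not in net:
            return False
    return "any" in rule.apps or flow.app in rule.apps


def evaluate(rulebase, flow, hits=None):
    """Walk the rulebase top-down; return (action, rule name) of the first match.

    If `hits` is a list, flows that land on a log=True rule are appended to it,
    which is the 'email me a report' behaviour from the second reply.
    Returns None when nothing matches (the platform's implicit default applies).
    """
    for rule in rulebase:
        if rule_matches(rule, flow):
            if rule.log and hits is not None:
                hits.append((rule.name, flow.src_ip, flow.app))
            return rule.action, rule.name
    return None


def shadowed_rules(rulebase):
    """Names of rules that can never match because an earlier any-source/any-app rule precedes them."""
    shadowed = []
    for i, rule in enumerate(rulebase):
        if any(r.source == "any" and "any" in r.apps for r in rulebase[:i]):
            shadowed.append(rule.name)
    return shadowed


# Assumed per-group application sets (illustrative names only).
FACULTY_APPS = frozenset({"smb", "ldap", "printing", "facebook", "netflix", "youtube"})
STUDENT_APPS = frozenset({"smb", "ldap", "youtube"})

ANY = frozenset({"any"})

# The ordering the first reply warns against: deny-any on top shadows everything.
DENY_FIRST = [
    Rule("deny-all", "any", ANY, "deny"),
    Rule("allow-faculty", "faculty", FACULTY_APPS, "allow"),
    Rule("allow-students", "students", STUDENT_APPS, "allow"),
]

# The "scorched earth" ordering: allows first, explicit deny-any last.
SCORCHED_EARTH = [
    Rule("allow-faculty", "faculty", FACULTY_APPS, "allow"),
    Rule("allow-students", "students", STUDENT_APPS, "allow"),
    Rule("deny-all", "any", ANY, "deny"),
]

# The second reply's variant: same allows, but the catch-all is a logged allow-any.
ALLOW_AND_REPORT = SCORCHED_EARTH[:2] + [
    Rule("allow-any-log", "any", ANY, "allow", log=True),
]

if __name__ == "__main__":
    flows = [Flow("10.10.5.5", "netflix"), Flow("10.20.7.7", "netflix"), Flow("10.20.7.7", "smb")]
    for label, rb in [("DENY_FIRST", DENY_FIRST),
                      ("SCORCHED_EARTH", SCORCHED_EARTH),
                      ("ALLOW_AND_REPORT", ALLOW_AND_REPORT)]:
        hits = []
        results = [evaluate(rb, f, hits) for f in flows]
        print(label, results, "logged:", hits, "shadowed:", shadowed_rules(rb))
```

Running it shows DENY_FIRST denying every flow and reporting both allow rules as shadowed; SCORCHED_EARTH allows faculty Netflix and student SMB but denies student Netflix; ALLOW_AND_REPORT lets the student Netflow flow through on the catch-all and records it, which is the list you would work from when tightening rules after the fact.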
