Before creating an Elisity policy, it is important to understand the policy constructs that can be leveraged to create granular, flexible, and scalable policy sets.
The Elisity policy constructs consist of Asset Groups, Policy Groups and Security Profiles.
Asset Groups
An Asset Group is a logical construct that allows an administrator to group together users, applications, or devices. Once populated, the asset group can be referenced by name in your policy logic as match criteria. This allows users, apps, or devices with commonalities to be referenced together, across different policy entries, without having to be selected one by one multiple times over.
NOTE: You cannot mix users, applications, or devices in the same Asset Group. You must create separate Asset Groups for each type of policy object.
To create an Asset Group, navigate to the Policies section on the left pane of Cloud Control Center, select Asset Groups on the top menu bar and then select Add Asset Group.
Give the Asset Group a name and then select the type of Asset Group you want to create: User, App or Device. Select the match criteria and add the devices. In the following example, a device Asset Group is being created and the match criteria is Hostname. Multiple devices are added to the Asset Group and the Asset Group is then Saved or Deployed. Save means that the Asset Group is built and stored in Cloud Control Center but not actionable. Deploy means that the Asset Group is built and stored in Cloud Control Center and is also available to be leveraged in policy match criteria. You can always save an Asset Group and come back later to deploy it.
Once you have added all your assets to the Asset Group you can review them by selecting the Details pop out next to the matched assets count.
Note: The match logic for an Asset Group is “OR”, meaning you will be creating a list of Users, Devices or Applications. Any object specified within the list will match into the Asset Group.
To review or edit the Asset Group configuration, select the Asset Group name. You can also delete the asset group by selecting the three dots (more options) next to the asset group name.
Policy Groups
A Policy Group is a core building block of the Elisity policy architecture and allows an administrator to group together multiple users, devices or applications based on match criteria. Assets can be grouped using “OR” logic within an asset category and “AND” logic across asset categories. The policy group can then be referenced during policy creation as a source or destination entry, effectively simplifying and avoiding policy sprawl. Policy Groups can either be pre-built and then referenced when building a policy, or they will be built on demand when creating a policy.
Cloud Control Center is delivered with several pre-built Policy Groups, including Unclassified and InternetPG.
Unclassified is a catch-all Policy Group for any user, device or application that does not match to any explicit customer-defined Policy Group. This allows customers to secure any asset on the network that is unidentified, or does not yet have a policy group defined.
InternetPG is a modifiable Network Policy Group that defines external subnets as a policy endpoint, effectively controlling any traffic destined for network addresses in those defined subnets with policy.
In the following example a policy group is being created that matches users that are a part of the Physicians AD group AND are connecting to the network using an Apple MacBook device. This policy group will later be referenced as a source entry in an Elisity policy.
To create this policy group, navigate to the Policy section on the left pane in Cloud Control Center, select Policy Groups on the top menu bar and then select Add Policy Group.
Give the policy group a name and start adding your User and Device criteria by selecting Add New Asset(s). The Add New Asset operation must be executed twice because this policy group spans two asset categories (User and Device).
The result should show that the policy group matches users in the Physicians AD group and devices that are MacBooks. Note that “AND” operation logic is displayed because of the cross-asset category definition. Anything currently known by Elisity matching the policy group criteria can be viewed by selecting the Details link. Remember to Save or Deploy the policy group once completed. Save means that the Policy Group is built and stored in Cloud Control Center but not actionable. Deploy means that the Policy Group is built and stored in Cloud Control Center and is also available to be leveraged in policy match criteria. You can always save a Policy Group and come back later to deploy it.
To review or edit the policy group configuration, select the policy group name. You can also delete the policy group by selecting the three dots (more options) next to the policy group name. Note: deleting a policy group will also delete the associated policy.
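To make the match logic concrete, the following is an added model of the semantics described above (OR within an Asset Group, AND across asset categories in a Policy Group, and Unclassified as the catch-all), applied to the Physicians-on-MacBook example. It is illustrative code written for this page, not Elisity's implementation, and the attribute names (ad_group, model) are assumptions.

```python
from dataclasses import dataclass
# Added model of the match semantics described above; constructed for
# illustration, not Elisity code. Attribute names are assumptions.

@dataclass
class Asset:
    kind: str    # "user", "device" or "app"; an Asset Group holds one kind
    attrs: dict  # attribute -> value, e.g. {"ad_group": "Physicians"}

@dataclass
class AssetGroup:
    name: str
    kind: str
    criteria: list  # (attribute, value) pairs; any one matching suffices (OR)

    def matches(self, asset: Asset) -> bool:
        return asset.kind == self.kind and any(
            asset.attrs.get(attr) == value for attr, value in self.criteria)

@dataclass
class PolicyGroup:
    name: str
    groups: list  # AssetGroups: OR within one kind, AND across kinds

    def matches(self, seen: dict) -> bool:
        # seen maps asset kind -> the Asset observed on the connection
        return all(
            kind in seen and any(g.matches(seen[kind])
                                 for g in self.groups if g.kind == kind)
            for kind in {g.kind for g in self.groups})

def classify(seen: dict, policy_groups: list) -> str:
    # First Policy Group whose criteria match, else the catch-all group
    for pg in policy_groups:
        if pg.matches(seen):
            return pg.name
    return "Unclassified"

# Constructed sample data mirroring the page's Physicians + MacBook example
PHYSICIANS = AssetGroup("Physicians", "user", [("ad_group", "Physicians")])
MACBOOKS = AssetGroup("MacBooks", "device",
                      [("model", "MacBook Pro"), ("model", "MacBook Air")])
PHYSICIAN_MAC = PolicyGroup("Physicians-on-MacBook", [PHYSICIANS, MACBOOKS])

def demo():
    doctor = Asset("user", {"ad_group": "Physicians"})
    on_mac = {"user": doctor, "device": Asset("device", {"model": "MacBook Air"})}
    on_pc = {"user": doctor, "device": Asset("device", {"model": "ThinkPad"})}
    return classify(on_mac, [PHYSICIAN_MAC]), classify(on_pc, [PHYSICIAN_MAC])
```

The physician on a MacBook lands in the Policy Group, while the same physician on a non-Apple laptop falls through to Unclassified, which is why the catch-all group should itself carry a restrictive policy.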
Security Profiles
A security profile is a policy construct that enables an administrator to define a set of security rules based on L3/L4 protocol to be allowed or denied in the policy. Security profiles can either be pre-built and then referenced when building a policy, or they will be built on demand when creating a policy.
To configure a security rule the Rule Type, Rule, Attributes (optional) and Action must be defined. Rule types are defined below:
L3/L4 Protocol – Specific L3/L4 protocols can be matched such as ICMP or custom source or destination TCP/UDP ports. Note: to define the ports select the cog icon to the right of the security rule.