Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 3 Managing Access Control Lists : Overview

Overview
ACLs filter network traffic by controlling whether a client can connect to a service on the P-7500 system, and if a client is permitted a connection, what routed messages are forwarded or blocked at the P-7500 system interfaces.
When creating an ACL, you define criteria which are applied to each message or subscription that is processed by the P-7500 system; the system then decides whether to forward or block each message or subscription based on whether or not the message or subscription matches the criteria. If the message is denied, the software discards the message.
Your P-7500 system examines each message to determine whether to forward it or drop it based on the criteria you specify within the ACL configuration through the client connection access controls and subject access controls described on page 38 and page 39, respectively.
Product Key Feature Locking
The product key may be used to enable ACLs on any P-7500 system. If a product key is removed, then a system restart is triggered and all configuration related to the features unlocked by that key is lost.
When the ACL feature is locked, no aspect of it is configurable or displayable. The CLI commands relating to the feature are still visible in the P-7500 CLI, but when run, they fail and return an applicable error message indicating the feature is locked, and take no further action.
Client Connection Access Controls
Client connection access control enables you to choose which clients are allowed to connect to the P-7500 system.
The default setting for a client connection attempt can either be Allow or Disallow. When the default action is set to Allow, there are no restrictions on a client connection attempt. When it is set to Disallow, a client attempting to connect is immediately disconnected from the P-7500 system.
After you have set the default client connection action, you can create a list of clients that you want to act as exceptions to the default action. For example, if the default client connection action is Allow, when a client on the Exceptions list attempts to connect to the P-7500 system, the client is immediately disconnected from the P-7500 system. If the default client connection action is Disallow, the client on the Exceptions list is connected with no restrictions.
Changing the default client connect action, or removing clients from the Exceptions list, does not affect clients that already have an established connection to the P-7500 system. They remain connected.
Exceptions to the default action are configured as a list of ip/mask pairs expressed in CIDR form. Any client whose address falls into any of the ip/mask in this list gets the opposite behavior to the configured default action. There is a limit of 250 exceptions supported.
A global statistic is incremented for every denied connection attempt. In addition, a circular log is also maintained capturing:
Changing the setting of client-connect from allow to disallow, or changing the exception list, has no effect on already connected clients; they remain connected. The initial value for action is disallow.
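The connect decision above (a default of Allow or Disallow, inverted for any address inside a CIDR exception, with a cap of 250 entries, and no effect on sessions that are already established) is small enough to model end to end. The following Python is an added example written for this page, not P-7500 code; the class, method names and the sample addresses are constructed for illustration, and the `denied_attempts` counter stands in for the global statistic the text mentions.

```python
import ipaddress

# Limit on client-connect exceptions stated in the text.
MAX_EXCEPTIONS = 250


def build_exceptions(cidrs):
    """Parse the exception list (ip/mask pairs in CIDR form) and enforce the 250-entry limit."""
    if len(cidrs) > MAX_EXCEPTIONS:
        raise ValueError(f"at most {MAX_EXCEPTIONS} client-connect exceptions are supported")
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def connection_allowed(default_action, exceptions, client_ip):
    """Return True if a connect attempt from client_ip is accepted.

    default_action is "allow" or "disallow"; any address inside one of the
    exception networks gets the opposite of the default.
    """
    if default_action not in ("allow", "disallow"):
        raise ValueError("default_action must be 'allow' or 'disallow'")
    addr = ipaddress.ip_address(client_ip)
    excepted = any(addr in net for net in exceptions)
    default_allows = default_action == "allow"
    # An exception flips the default: allow+excepted -> deny, disallow+excepted -> allow.
    return default_allows != excepted


class ClientConnectAcl:
    """Hypothetical model of the connect control plus the set of established sessions.

    Policy is consulted only at connect time: changing the default action or the
    exception list never disconnects a client that is already in.
    """

    def __init__(self, default_action="disallow", cidrs=()):
        # "disallow" mirrors the initial value stated in the text.
        self.default_action = default_action
        self.exceptions = build_exceptions(list(cidrs))
        self.connected = set()       # established client addresses
        self.denied_attempts = 0     # stands in for the global denied-connection statistic

    def attempt(self, client_ip):
        """Evaluate a connect attempt; record the session if accepted."""
        if connection_allowed(self.default_action, self.exceptions, client_ip):
            self.connected.add(client_ip)
            return True
        self.denied_attempts += 1
        return False

    def set_default(self, default_action):
        # Existing sessions are left untouched; only future attempts see the new policy.
        self.default_action = default_action

    def set_exceptions(self, cidrs):
        # Same caveat: removing an exception does not evict a client it admitted earlier.
        self.exceptions = build_exceptions(list(cidrs))
```

The practical consequence of `set_default` and `set_exceptions` not touching `connected` is that tightening the policy must be followed by an explicit disconnect of any session that the new policy would no longer admit; the ACL alone will not do it.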
Subject Access Controls and ACL Profiles
Each client is associated with a single named ACL profile which determines what subject-based access controls are imposed on it. There can be up to 6000 ACL profiles created, including the preconfigured ACL profile named "default". Names must be unique across all ACL profiles. The rules governing what subjects a client can publish and subscribe to are applied when a client is mapped to an ACL profile through the profile-mapping CONFIG command.
Clients that are not mapped to specific ACL profiles are denied access to the P-7500 system when the ACL feature is unlocked through the product key.
 
The profile mapping assigns a client to an ACL profile according to its username and service. The username and service can either be explicitly specified in the profile mapping, or left unspecified, thereby implying the mapping applies to any username or service. If either the username or service is not specified in the profile mapping, then the system maps clients to an ACL profile and prioritizes them according to the most restrictive and applicable mapping rule. The mapping rules in order of priority are:
1. "exact username and exact service"
2. "exact username any service"
3. "any username exact service"
4. "any username any service"
For example, consider the following set of ACL profile mappings:
The following clients connecting with the above parameters are prioritized and mapped as follows to the ACL profiles, in accordance with the most restrictive and applicable mapping rule:
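The mapping table referenced above is not reproduced on this page. The following Python is an added example, not P-7500 code, that implements the four-tier priority resolution described and runs it over a constructed mapping table (the usernames, service names and profile names are hypothetical). It also returns `None` for a client no rule covers, which the text says is denied once the ACL feature is unlocked.

```python
# Mapping rules in priority order, as (exact username?, exact service?) pairs.
# False means the mapping leaves that field unspecified ("any").
MAPPING_PRIORITY = (
    (True, True),    # 1. exact username and exact service
    (True, False),   # 2. exact username, any service
    (False, True),   # 3. any username, exact service
    (False, False),  # 4. any username, any service
)


def resolve_profile(mappings, username, service):
    """Return the ACL profile a client with this username/service is mapped to.

    mappings is a list of (username_or_None, service_or_None, profile) tuples,
    where None means "unspecified". The most restrictive applicable rule wins,
    regardless of the order the mappings were entered. A client no rule covers
    gets None, which the caller must treat as denied.
    """
    for exact_user, exact_service in MAPPING_PRIORITY:
        for map_user, map_service, profile in mappings:
            user_ok = (map_user == username) if exact_user else (map_user is None)
            service_ok = (map_service == service) if exact_service else (map_service is None)
            if user_ok and service_ok:
                return profile
    return None


def is_permitted(mappings, username, service):
    """Unmapped clients are denied once the ACL feature is unlocked."""
    return resolve_profile(mappings, username, service) is not None


# Constructed mapping table (hypothetical usernames, services and profile names).
EXAMPLE_MAPPINGS = [
    (None, None, "default"),               # 4. catch-all, deliberately listed first
    (None, "svc-orders", "orders-readonly"),  # 3.
    ("alice", None, "alice-default"),         # 2.
    ("alice", "svc-orders", "orders-admin"),  # 1.
]
```

Because the catch-all is listed first in `EXAMPLE_MAPPINGS` yet never wins over a more specific rule, the example makes the point that specificity, not entry order, decides the outcome; the same holds when the catch-all is removed, at which point a client with no matching rule resolves to `None` and is refused.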
When you create an ACL profile, you can configure whether you want the default action to be to allow or disallow clients assigned to the ACL profile from publishing on or subscribing to subjects. You can also list specific subjects that you want to be excepted from the default action. Through ACL profiles, subject access controls enable you to specify which subjects clients are permitted to publish on and subscribe to.
Subscriptions are either fully accepted or completely rejected depending on whether they match the configured subject access controls. Special rules are employed when handling subscriptions containing wildcards to ensure configured ACLs are effective in blocking the traffic they have been configured to disallow.
Wildcard subscriptions that match an ACL profile’s exceptions are disallowed if the ACL profile’s default rule is to allow all subscriptions. For example, if an ACL profile has been configured to allow all subscriptions except FRUIT.APPLES, a subscription to FRUIT.> (covering FRUIT.APPLES) is disallowed. If FRUIT.> were accepted, then messages published to FRUIT.APPLES would match FRUIT.> and be delivered to the client. This would contradict the intention of the ACL.
If the ACL profile’s default rule disallows all subscriptions, wildcard characters in the subscription are not given any special treatment when establishing matching exception rules. For example, if an ACL profile has been configured to disallow all subscriptions except FRUIT.BANANAS, a subscription request to FRUIT.> would be disallowed, because the ‘>’ is not treated as a wildcard character and therefore does not match the exception rule of FRUIT.BANANAS. By suppressing the subscription, which requested everything below FRUIT, the ACL profile’s intention of only allowing access to FRUIT.BANANAS is enforced.
There is no limit to the number of publishing or subscription subject exceptions per ACL profile. However, there is a maximum of 10,000 subject exceptions (publish and subscribe combined) allowed amongst all profiles. Also keep in mind that the more exceptions you have, the more difficult it is to comprehend and manage your subject access control configuration.
Each P-7500 system has a preconfigured ACL profile named "default". The initial configuration of the "default" ACL profile is:
Although you can modify the configuration of the "default" ACL profile, it cannot be deleted.
If you change the default action for an ACL profile, any existing subjects that are listed as exceptions are maintained as exceptions, but their behavior becomes the opposite of what it was.
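The two wildcard rules above (a default-allow profile refuses any wildcard subscription that would cover an exception; a default-disallow profile compares the subscription to its exceptions literally), the 10,000 combined-exception cap, and the behaviour when a profile’s default is flipped can be exercised together. The following Python is an added example, not P-7500 code. It assumes Rendezvous-style dotted subjects in which ‘*’ matches one level and a trailing ‘>’ matches one or more levels (the page only shows ‘>’), that a publish exception may itself carry wildcards and is matched against the concrete published subject, and that under a default-disallow profile the exception side is compared literally as well; the `AclProfile` class and the fruit subjects are constructed for illustration.

```python
from dataclasses import dataclass, field

# Combined publish+subscribe exception cap across all profiles, as stated in the text.
MAX_SUBJECT_EXCEPTIONS = 10_000


def covers(pattern, subject):
    """True if a dotted subject pattern matches a subject.

    Assumed Rendezvous-style wildcards: '*' matches exactly one level and a
    trailing '>' matches one or more remaining levels. A literal subject with no
    wildcards only matches itself.
    """
    p, s = pattern.split("."), subject.split(".")
    for i, tok in enumerate(p):
        if tok == ">":
            return len(s) > i
        if i >= len(s) or (tok != "*" and tok != s[i]):
            return False
    return len(p) == len(s)


@dataclass
class AclProfile:
    """Hypothetical in-memory model of one named ACL profile."""
    name: str
    default_publish: str = "disallow"        # "allow" or "disallow"
    default_subscribe: str = "disallow"
    publish_exceptions: list = field(default_factory=list)
    subscribe_exceptions: list = field(default_factory=list)

    def publish_allowed(self, subject):
        """Published subjects are concrete; an exception entry may use wildcards (assumption)."""
        hit = any(covers(exc, subject) for exc in self.publish_exceptions)
        return (self.default_publish == "allow") != hit

    def subscribe_allowed(self, subscription):
        """Subscriptions are fully accepted or completely rejected."""
        if self.default_subscribe == "allow":
            # A wildcard subscription that would also deliver a denied subject is
            # rejected outright (FRUIT.> is refused when FRUIT.APPLES is an exception),
            # as is any subscription that a listed exception covers.
            return not any(covers(subscription, exc) or covers(exc, subscription)
                           for exc in self.subscribe_exceptions)
        # Default disallow: wildcards get no special treatment, so the subscription
        # must equal a listed exception character for character.
        return subscription in self.subscribe_exceptions

    def set_default_subscribe(self, action):
        """Flip the default; exceptions are kept and their effect inverts."""
        self.default_subscribe = action


def total_subject_exceptions(profiles):
    """Exceptions across all profiles, publish and subscribe combined, for the 10,000 cap."""
    return sum(len(p.publish_exceptions) + len(p.subscribe_exceptions) for p in profiles)


def within_exception_cap(profiles):
    return total_subject_exceptions(profiles) <= MAX_SUBJECT_EXCEPTIONS
```

The asymmetry is the point: under default allow the check has to look in both directions, because a subscription that is broader than an exception is just as much a leak as one that equals it, whereas under default disallow any wildcard interpretation would widen the allow list, so only an exact match is honoured.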
A global statistic is incremented for every denied publish or subscribe subject attempt. In addition, a circular log is also maintained capturing:
the ACL profile name that triggered the denial (shown only when the wide parameter option is entered with the show log acl User EXEC command)
