Using Alias elements in Access rules

You can use Alias elements to create a single rule that changes in meaning depending on where it is installed.

Alias elements are one of the most useful tools for reducing the complexity of a policy. Alias elements are like variables in a mathematical equation—their value changes depending on the component on which they are installed. Because Alias elements adapt their meaning to the local context, you can write a single rule whose meaning changes depending on where it is installed, instead of maintaining multiple, near-duplicate rule sets when you have several engines. An Alias element is used like any other network element. However, the IP addresses that the Alias element represents depend on the engine where the rules are installed. The IP address to engine mapping is defined in the Alias element.

For example, a company has its headquarters in Helsinki and branch offices in Atlanta, Munich, Tokyo, and Montreal. Each office has its own web server. The web server rules could be put in a single Sub-Policy, but each location’s web server has a different IP address. Normal rules would require allowing access to all IP addresses on all engines, which is not only unnecessary, but can also be a security risk. Using Alias elements, the company can create a single set of rules that are still valid when applied to multiple engines. These rules would not, however, allow access to IP addresses that are not in use on a particular engine.

The administrator of the example company can create a web server alias, $WebServers. In the Alias element’s properties, the administrator defines what $WebServers means for each component. For the IPS engine in Helsinki, the web server would be defined as 192.168.1.101, for the IPS engine in Tokyo as 192.168.2.101, and so on.

When the administrator installs a policy containing the web server rules with the Alias element, the addresses are translated to the correct address on that component. Therefore, when the policy is installed on the Helsinki IPS engine, the Alias element translates to an IP address of 192.168.1.101. The other addresses are not included in the policy that is transferred to that particular engine.
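The translation step described above, modelled as an added example (this is illustrative Python, not SMC code; the engine names, rule fields and the choice to drop a rule whose alias has no value on an engine are assumptions for this model):

```python
# Added example (not Forcepoint/SMC code): a minimal model of how an Alias
# element is resolved per engine at policy-install time.
from ipaddress import ip_address

# Alias definitions: alias name -> {engine name: list of IP addresses}.
# Addresses follow the page's example; engine names are constructed.
ALIASES = {
    "$WebServers": {
        "Helsinki IPS": ["192.168.1.101"],
        "Tokyo IPS": ["192.168.2.101"],
    }
}

# One shared rule set (the "Sub-Policy"). Destinations may be alias names
# or literal addresses. Field names are assumptions for this model.
WEB_SERVER_RULES = [
    {"name": "Allow HTTP", "src": "ANY", "dst": "$WebServers", "port": 80, "action": "allow"},
    {"name": "Allow HTTPS", "src": "ANY", "dst": "$WebServers", "port": 443, "action": "allow"},
]


def resolve_alias(alias, engine, aliases=ALIASES):
    """Return the addresses an alias stands for on one engine.

    An alias with no value for the engine resolves to an empty list, so a
    rule that depends on it matches nothing there rather than everything.
    """
    values = aliases[alias].get(engine, [])
    return [str(ip_address(v)) for v in values]  # validates each address


def install_policy(rules, engine, aliases=ALIASES):
    """Translate alias references in the rules for one engine.

    Rules whose alias resolves to nothing on this engine are dropped (an
    assumption of this model), so the installed policy carries only the
    addresses in use on that engine; other sites' addresses never reach it.
    """
    installed = []
    for rule in rules:
        dst = rule["dst"]
        if dst in aliases:
            dst_ips = resolve_alias(dst, engine, aliases)
            if not dst_ips:
                continue
        else:
            dst_ips = [dst]
        installed.append({**rule, "dst": dst_ips})
    return installed


if __name__ == "__main__":
    for engine in ("Helsinki IPS", "Tokyo IPS", "Atlanta IPS"):
        print(engine, install_policy(WEB_SERVER_RULES, engine))
```

Running it shows the Helsinki policy containing only 192.168.1.101 and the Tokyo policy only 192.168.2.101, while an engine with no alias value receives no web server rules at all.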

In this way, Alias elements simplify policies without reducing security.