Access Rules

Creating access rules for BorderManager

In addition to protecting your network from unwelcome intruders, BorderManager helps you control Internet access. In the long run, this can save you money because you won't have to purchase additional bandwidth to get access to the resources you need. We'll look at the basics of setting up access rules and then demonstrate the process by creating a rule to govern Web access.

www.novell.com. Watch for the IP address and how it changes each time you PING the site. If you use the IP address of a site, the rule will work unless the site is down or is moved to a new IP address.

When you click Specified in the Destination panel of the Access Rule Definition window, you'll see the URL Specifications window. Enter the URL to be controlled by clicking on the dotted square box. The [http://] part is automatically filled in for you; all you need to do is enter the site name. However, you will only be able to see the main page of the site—if you attempt to go past that, or if the main page contains references to other sites, you won't be allowed to see them. You can address part of the problem by adding [/*] to the end of the site name so the access rule will permit all references to pages on that site. If getting to the links listed on the site becomes an issue, you'll need to include those sites in the access rule. Once you've entered all the addresses you want this rule to control, click OK to save the URLs you've entered.

Before clicking OK for the last time to save the new access rule, you may want to take one extra step and select Enable Rule Hit Logging. BorderManager will then record each time that a user tries to access a site affected by this rule. If management requests information about unauthorized Internet access, you'll be able to supply that information.

 

 

Putting the access rules in order


Determining the sort order for access rules takes a bit of experimentation based on how many rules you have and how involved the setup for the access rules happens to be. If you have three access rules and rules 2 and 3 reference a specific user, only rule 2 may be referenced and the user will never be affected by rule 3. Always put your most restrictive rule first (that is, the rule that affects the greatest number of users). I place the rule that denies all access to the Internet last and then place the rules that allow access to specific sites first. Each time you create a rule, it appears at the bottom of the list by default. By using the up and down arrows on the Rules toolbar, you can move the rule into the position where it will work properly.
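The ordering problem described above can be checked on paper before you touch the Rules toolbar. The following is an added example, not BorderManager code or output: a simplified Python model that assumes top-down, first-match evaluation and the URL specification behaviour described earlier (a bare site name covers only the main page, a trailing /* covers every page on the site). The rule labels, the user jsmith and support.example.com are constructed for illustration.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple

class Rule(NamedTuple):
    label: str
    action: str  # "allow" or "deny"
    user: str    # a user name, or "*" for any user
    url: str     # URL specification, or "*" for any destination

def _norm(url):
    # "http://host" and "http://host/" both mean the site's main page.
    return url if url == "*" or url.count("/") > 2 else url + "/"

def first_match(rules, user, url):
    """Return (position, rule) for the first rule that applies, top down."""
    for pos, rule in enumerate(rules, 1):
        if rule.user in ("*", user) and fnmatchcase(_norm(url), _norm(rule.url)):
            return pos, rule
    return None

def shadowed(rules):
    """Return (later, earlier) position pairs where the earlier rule covers
    the later rule's user and URL specification, so the later one never fires."""
    pairs = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (earlier.user in ("*", later.user)
                    and fnmatchcase(_norm(later.url), _norm(earlier.url))):
                pairs.append((j + 1, i + 1))
                break
    return pairs

# Constructed rule list: rules 2 and 3 both name the same user.
MAIN_ONLY = Rule("novell-main-page", "allow", "*", "http://www.novell.com")
DENY_USER = Rule("deny-jsmith", "deny", "jsmith", "*")
ALLOW_USER = Rule("jsmith-support", "allow", "jsmith", "http://support.example.com/*")
DENY_ALL = Rule("deny-all", "deny", "*", "*")

RULES = [MAIN_ONLY, DENY_USER, ALLOW_USER, DENY_ALL]
REORDERED = [MAIN_ONLY, ALLOW_USER, DENY_USER, DENY_ALL]

if __name__ == "__main__":
    print("shadowed:", shadowed(RULES), "after reorder:", shadowed(REORDERED))
    for url in ("http://www.novell.com", "http://www.novell.com/products/"):
        print(url, "->", first_match(RULES, "alice", url)[1].label)
```

In the first ordering, rule 3 is reported as shadowed by rule 2; moving the site-specific allow above the user-wide deny clears the report. The second loop shows a request past the main page falling through to the final deny rule because rule 1 lacks the /* suffix.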

 

 

Documenting the access rules


Now that your rules are defined and running, you have to go back to pen and paper to record your efforts. In its current version, BorderManager cannot automatically output the specifics of the rules you create to a text file. By moving the bar across the bottom of the window in the BorderManager Access Rules page, you see that there's a number assigned to each rule you create, as well as a provision for labeling the rule (although there's no place where you can enter a description of the rule). There is no right or wrong way to document the rules you put in place. The main thing is to record what you've set up—by issuing print screens of the different rules or creating a form where you write down the information you entered to set up each rule. The few minutes you take now to record this information will save you time later when you need to decipher the logic you used when initially creating the rule.

When you first start setting up access rules in BorderManager, don't try to set them up all at once. And when you decide to go past the URL access type to one such as FTP, make sure that the affected proxy service is configured and running on BorderManager. Take each rule one step at a time, and don't create the next rule until you're satisfied the one you just created is working properly.

Ronald Nutter is a senior systems engineer in Lexington, KY. He's an MCSE, Novell Master CNE, and Compaq ASE.

 

