Object Grouping
Overview of object grouping

An ACL can cause the PIX Security Appliance to allow a designated client to access a particular server for a specific service. When there is only one client, one host, and one service, the ACL needs only a few lines. However, as the number of clients, servers, and services increases, the number of lines required in an ACL increases exponentially.

To simplify the task of creating and applying ACLs, administrators can group network objects such as hosts, and services such as FTP and HTTP. This reduces the number of ACLs required to implement complex security policies. For example, a security policy that normally requires 3300 lines in an ACL might only require 40 lines after hosts and services are properly grouped.

Object grouping provides a way to group objects of a similar type so that a single ACL can apply to all the objects in the group. The following types of object groups can be created:

  • Network – Used to group client hosts, server hosts, or subnets.
  • Protocol – Used to group protocols. It can contain one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. Use the keyword ip to match any Internet protocol, including ICMP, TCP, and UDP.
  • Service – Used to group the TCP or UDP port numbers assigned to different services.
  • ICMP-type – Used to group ICMP message types which are permitted or denied access.

Applying a PIX Security Appliance object group to a command is the equivalent of applying every element of the object group to the command. In the example shown in Figure , the group DMZ_Servers contains servers 192.168.0.10, 192.168.0.11, and 192.168.0.12. The group DMZ_Services supports HTTP, HTTPS, and FTP protocols. Applying the groups DMZ_Servers and DMZ_Services to an ACE is the same as applying all of the hosts and protocols individually.
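To make the equivalence above concrete, the following added example (written for this page, not Cisco's code or configuration) parses a small PIX-style configuration containing the DMZ_Servers and DMZ_Services groups and expands every ACE that references an object group into the individual entries it stands for. The configuration text is constructed for the example; the group names and server addresses are the ones the page uses, while the ACL name ACLOUT and the access-group line are assumptions. Running it shows that the single grouped ACE equals nine explicit ACEs (3 hosts × 3 services), which is the multiplication that makes ungrouped ACLs grow so quickly.

```python
"""Expand PIX-style object groups into the individual ACEs they stand for.

Added example, not Cisco's code: a small parser for the object-group syntax
this page describes. The configuration below is constructed; DMZ_Servers,
DMZ_Services and the 192.168.0.10-12 hosts come from the page, the ACL name
ACLOUT and the access-group line are assumptions.
"""
from itertools import product

# Constructed PIX configuration fragment (groups from the page, ACL name assumed).
PIX_CONFIG = """\
object-group network DMZ_Servers
  network-object host 192.168.0.10
  network-object host 192.168.0.11
  network-object host 192.168.0.12
object-group service DMZ_Services tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
access-list ACLOUT permit tcp any object-group DMZ_Servers object-group DMZ_Services
access-group ACLOUT in interface outside
"""


def parse_groups(config):
    """Return ({network_group: [host/subnet specs]}, {service_group: [port specs]})."""
    networks, services = {}, {}
    current = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "object-group" and parts[1] == "network":
            current = networks.setdefault(parts[2], [])
        elif parts[0] == "object-group" and parts[1] == "service":
            # parts[3] is the group's protocol (tcp/udp/tcp-udp); ports follow on member lines
            current = services.setdefault(parts[2], [])
        elif parts[0] in ("network-object", "port-object"):
            if current is None:
                raise ValueError(f"member line outside an object-group: {raw.strip()}")
            # "network-object host A.B.C.D" -> "host A.B.C.D", "port-object eq www" -> "eq www"
            current.append(" ".join(parts[1:]))
        else:
            current = None  # any other command ends the object-group block
    return networks, services


def expand_ace(ace, networks, services):
    """Rewrite one access-list line, replacing each object-group reference with its members.

    Every 'object-group NAME' token pair becomes one member per expanded line, so a line
    with two group references expands to the Cartesian product of the two groups.
    """
    parts = ace.split()
    choices, i = [], 0
    while i < len(parts):
        if parts[i] == "object-group":
            name = parts[i + 1]
            if name in networks:
                choices.append(networks[name])
            elif name in services:
                choices.append(services[name])
            else:
                raise ValueError(f"unknown object-group {name}")
            i += 2
        else:
            choices.append([parts[i]])  # literal keyword (permit, tcp, any, host, eq, ...)
            i += 1
    return [" ".join(combo) for combo in product(*choices)]


def expand_config(config):
    """Return every access-list line of the config with object groups expanded."""
    networks, services = parse_groups(config)
    expanded = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list ") and "object-group" in line:
            expanded.extend(expand_ace(line, networks, services))
        elif line.startswith("access-list "):
            expanded.append(line)
    return expanded


if __name__ == "__main__":
    lines = expand_config(PIX_CONFIG)
    print(f"{len(lines)} explicit ACEs stand behind the single grouped ACE:")
    for line in lines:
        print(" ", line)
```

The expansion order (all services for the first host, then the second host, and so on) is only this script's choice; what matters is the count, which is the product of the group sizes, so adding one more service to DMZ_Services adds a line per server rather than a single line.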

