An ACL can cause the PIX Security Appliance to allow a designated client to access a particular server for a specific service. When there is only one client, one host, and one service, only a minimum number of lines in an ACL are needed. However, as the number of clients, servers, and services increases, the number of lines required in an ACL increases exponentially.

To simplify the task of creating and applying ACLs, administrators can group network objects such as hosts, and services such as FTP and HTTP. This reduces the number of ACLs required to implement complex security policies. For example, a security policy that normally requires 3300 lines in an ACL might only require 40 lines after hosts and services are properly grouped.

Object grouping provides a way to group objects of a similar type so that a single ACL can apply to all the objects in the group. The following types of object groups can be created:
- Network – Used to group client hosts, server hosts, or subnets.
- Protocol – Used to group protocols. It can contain one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. Use the keyword ip to match any Internet protocol, including ICMP, TCP, and UDP.
- Service – Used to group TCP or UDP port numbers assigned to different services.
- ICMP-type – Used to group ICMP message types that are permitted or denied access.
Applying a PIX Security Appliance object group to a command is the equivalent of applying every element of the object group to the command. In the example shown in the figure, the group DMZ_Servers contains servers 192.168.0.10, 192.168.0.11, and 192.168.0.12. The group DMZ_Services supports HTTP, HTTPS, and FTP protocols. Applying the groups DMZ_Servers and DMZ_Services to an ACE is the same as applying all of the hosts and protocols individually.
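The following configuration is an added example, not part of the original text or of any Cisco documentation. It builds the DMZ_Servers and DMZ_Services groups described above in PIX 6.3-style syntax, adds a protocol group and an ICMP-type group of the kinds listed earlier (their membership is an assumed policy), and shows the single group-based ACE beside the nine individual ACEs it stands for. The ACL name OUTSIDE_IN and the interface name outside are assumptions; lines beginning with "!" are annotations rather than commands.

```cisco
! Added example (not from the original text). Group names and server addresses
! come from the figure described above; ACL and interface names are assumed.

! Network object group: the three DMZ servers.
object-group network DMZ_Servers
  network-object host 192.168.0.10
  network-object host 192.168.0.11
  network-object host 192.168.0.12

! Service object group: TCP ports for HTTP, HTTPS, and the FTP control channel.
! A service group is tied to a protocol (tcp here) and can only be used in an
! ACE for that protocol.
object-group service DMZ_Services tcp
  port-object eq www
  port-object eq https
  port-object eq ftp

! Protocol object group (assumed policy): could replace the protocol keyword
! in an ACE that should match both TCP and UDP.
object-group protocol DMZ_Protocols
  protocol-object tcp
  protocol-object udp

! ICMP-type object group (assumed policy): only reply and error messages,
! never inbound echo requests.
object-group icmp-type DMZ_Icmp_Allowed
  icmp-object echo-reply
  icmp-object time-exceeded
  icmp-object unreachable

! One ACE per group pair replaces the 3 hosts x 3 ports = 9 ACEs below.
access-list OUTSIDE_IN permit tcp any object-group DMZ_Servers object-group DMZ_Services
access-list OUTSIDE_IN permit icmp any object-group DMZ_Servers object-group DMZ_Icmp_Allowed

! Equivalent TCP policy written without object groups (9 ACEs instead of 1):
! access-list OUTSIDE_IN permit tcp any host 192.168.0.10 eq www
! access-list OUTSIDE_IN permit tcp any host 192.168.0.10 eq https
! access-list OUTSIDE_IN permit tcp any host 192.168.0.10 eq ftp
! access-list OUTSIDE_IN permit tcp any host 192.168.0.11 eq www
! access-list OUTSIDE_IN permit tcp any host 192.168.0.11 eq https
! access-list OUTSIDE_IN permit tcp any host 192.168.0.11 eq ftp
! access-list OUTSIDE_IN permit tcp any host 192.168.0.12 eq www
! access-list OUTSIDE_IN permit tcp any host 192.168.0.12 eq https
! access-list OUTSIDE_IN permit tcp any host 192.168.0.12 eq ftp

! Apply the ACL inbound on the outside interface (assumed interface name).
access-group OUTSIDE_IN in interface outside
```

Two practical notes. First, grouping reduces what the administrator maintains, not what the appliance evaluates: the group-based ACE is expanded into the individual entries internally, so the expanded count is what matters for ACL size limits and for reading the output of show access-list when troubleshooting. Second, because every element of a group is applied to the command, adding a host to DMZ_Servers silently grants it every service in DMZ_Services; review group membership as part of any change, since the ACE itself does not change when a group does.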