There is a growing need to provide greater granularity and
flexibility in configuring network policies. For example, the ability to
identify and prioritize voice traffic, the ability to rate limit remote access
VPN connections, the ability to perform deep packet inspection on specific
flows of traffic, or the ability to set connection values. The PIX Security
Appliance Software release 7.0 provides this functionality with the
introduction of modular policy framework (MPF). MPF is a framework in which
administrators have the ability to define traffic classes at the desired
granularity and apply actions, or policies, to them. 
MPF is configured using three main commands:

- class-map – This command is used to identify a traffic flow. A traffic flow is a set of traffic that is identifiable by its packet content. In the figure, voice traffic between Site B and Headquarters is an example of a traffic flow, as are the remote access VPNs that allow the system engineers and executives to reach network resources at Headquarters.
- policy-map – This command is used to associate one or more actions with a class of traffic. For example, in the figure, all voice traffic between Site B and Headquarters is given low latency queuing.
- service-policy – This command is used to enable a set of policies on an interface. In the example in the figure, the voice priority queuing policy is applied to the outside interface.
In the example in the figure, a network administrator identified five traffic flows: Internet traffic, system engineer remote VPN traffic, executive remote VPN traffic, and two site-to-site VPN tunnels carrying voice, one to Site B and one to Site C. Once the traffic flows are identified, security policies are mapped to each flow. The policy for traffic from the Internet is to perform deep packet inspection and inline IPS. For both the system engineer and the executive remote VPN traffic, the administrator polices the amount of bandwidth used by each group. For site-to-site traffic over a VPN, all voice connection traffic is given higher priority queuing. The last class is the default inspection class; all traffic is subject to the default inspection policy. After the classes and policies are defined, policies are assigned to a specific interface or assigned globally. In the example in the figure, global_policy is assigned globally and outside_policy is assigned to the outside interface.
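The configuration below is an added example showing how the five flows and their policies from the figure could be expressed with the three MPF commands; it is not configuration taken from the original text. The access-list name, tunnel-group names, class and policy names other than global_policy and outside_policy, the police rates, and the voice-marking assumption (voice is identified by DSCP EF) are all assumptions made for illustration, and the inline IPS action assumes a platform that supports the ips command.

```cisco
! --- class-map: identify the traffic flows (names below are assumed) ---

! Default inspection class: matches the well-known protocol ports
class-map inspection_default
 match default-inspection-traffic

! Internet traffic, identified by an access list (assumed name)
access-list INTERNET_IN extended permit ip any any
class-map internet_traffic
 match access-list INTERNET_IN

! Remote access VPN users, one class per tunnel-group (assumed names);
! match flow makes the policer apply per destination (per remote user)
class-map sysengineer_vpn
 match tunnel-group SYSENG_RA
 match flow ip destination-address

class-map executive_vpn
 match tunnel-group EXEC_RA
 match flow ip destination-address

! Voice inside the site-to-site tunnels, identified by DSCP EF (assumed marking)
class-map voice_traffic
 match dscp ef

! --- policy-map: attach actions to the classes ---

! Applied globally: default application inspection for all traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect sip
  inspect skinny

! Applied to the outside interface
policy-map outside_policy
 class internet_traffic
  ips inline fail-close         ! inline IPS; drop traffic if the sensor fails (assumed platform support)
 class sysengineer_vpn
  police 512000 16000 conform-action transmit exceed-action drop   ! assumed rate/burst
 class executive_vpn
  police 1024000 32000 conform-action transmit exceed-action drop  ! assumed rate/burst
 class voice_traffic
  priority                       ! low latency queuing for voice

! Priority queuing must be enabled on the interface for 'priority' to take effect
priority-queue outside

! --- service-policy: activate the policies ---
service-policy global_policy global
service-policy outside_policy interface outside
```

Two checks are worth making after applying such a policy: show service-policy confirms which classes are hitting on each interface and how many packets the policer has dropped, and the policy-map for the outside interface should list the more specific classes before any catch-all, since a packet is matched against the classes in the order they appear in the policy-map. Only one policy can be applied per interface, and the interface policy takes precedence over global_policy for the classes it defines, so the default inspection still has to come from the global policy unless it is repeated in outside_policy.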