Overview

This guide goes over the specifics of creating and managing Service Policies [APPNETs] in the web console.

Service Policies are the rules that determine which services your identities have permission to access. Service Policies can also be used to dictate which identities can be used to connect to specific applications. This gives you zero trust, least-privileged access, and micro-segmentation at the most granular level.
To use Service Policies you will need Services and Identities. You can go back to one of the previous articles about creating and managing Identities or Services if necessary.

Create Your Service Policy [APPNET]

To create a Service Policy, click the Policies (APPNETs) section in the NetFoundry console. Click the blue plus sign in the upper right corner to create a new Service Policy [APPNET].

The 'Create a New Service Policy [APPNET]' screen will have fields for a name, service attributes, identity attributes, and posture attributes to be filled in. When you create your Service, Identity, or Posture Check, you will find an option to select attributes from the list or create new ones. A preview will appear on the right-hand portion of the screen showing the services, identities, and posture checks that are associated with the attributes you've selected.

For your Service Policy [APPNET] to function properly, your Edge Router must be provisioned. You can check this status on the Edge Routers page: the 'Type' column shows 'Provisioned', 'Provisioning', 'New', or 'Deleting' for each router. Provisioning can take a few minutes, but once it has completed, your identities, services, Service Policy [APPNET], etc., should function as expected.


Best Practice/ Caution:

1. Take care not to add Edge Routers (ERs) or identities hosting services to the same APPNET that lists those services. Always create a separate Service Policy [APPNET] for a set of identities that access services where none of them are terminating any of those services. Creating a bi-directional Service Policy [APPNET] will cause a traffic blackhole, since the identities are acting as both the source of the traffic and the ones terminating the service.

2. Take care not to add an identity to multiple Service Policies [APPNETs] that have the same or overlapping services. The identity will get into a routing conflict when it has access to the same service via multiple Service Policies [APPNETs].

3. Take care not to add overlapping services to the same Service Policy [APPNET]. For example, service A has subnet 10.0.1.0/24 as its intercept address for port range 2000-4000 and service B has 10.0.1.8/32 as its intercept address for port range 3800-3900. Adding services A and B to the same Service Policy [APPNET] creates a conflict.
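The three cautions above can be checked before a policy is saved. The following is an added example, not NetFoundry code or a console feature: it models services with their intercept address, port range and hosting identities, models policies as sets of identities and services, and reports any policy that is bi-directional (caution 1), any identity that reaches the same or an overlapping service through two policies (caution 2), and any policy whose services overlap (caution 3). The service and identity names, and the `10.0.2.10/32` service C, are constructed for the example; services A and B reproduce the overlap described above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    intercept: str                      # intercept address as CIDR
    ports: tuple                        # inclusive (low, high) port range
    hosted_by: frozenset = frozenset()  # identities terminating this service


@dataclass(frozen=True)
class Policy:
    name: str
    identities: frozenset   # identities granted access by this policy
    services: frozenset     # Service objects the policy makes reachable


def services_overlap(a, b):
    """True when two services intercept an overlapping address range AND an overlapping port range."""
    net_a = ipaddress.ip_network(a.intercept)
    net_b = ipaddress.ip_network(b.intercept)
    if not net_a.overlaps(net_b):
        return False
    return a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]


def check_policies(policies):
    """Return a list of (caution_number, message) findings for the three cautions."""
    findings = []
    for p in policies:
        svcs = sorted(p.services, key=lambda s: s.name)
        # Caution 1: an identity hosting a service must not also be an accessor in the same policy
        for s in svcs:
            for ident in sorted(s.hosted_by & p.identities):
                findings.append((1, f"{p.name}: {ident} hosts {s.name} and is also given access to it"))
        # Caution 3: services inside one policy must not overlap each other
        for i, a in enumerate(svcs):
            for b in svcs[i + 1:]:
                if services_overlap(a, b):
                    findings.append((3, f"{p.name}: {a.name} and {b.name} have overlapping intercepts"))
    # Caution 2: an identity must not reach the same (or an overlapping) service via two policies
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            for ident in sorted(p.identities & q.identities):
                for a in sorted(p.services, key=lambda s: s.name):
                    for b in sorted(q.services, key=lambda s: s.name):
                        if a == b or services_overlap(a, b):
                            findings.append((2, f"{ident}: reaches {a.name}/{b.name} via both {p.name} and {q.name}"))
    return findings


# Constructed sample data; A and B are the overlapping pair from the text above
SVC_A = Service("A", "10.0.1.0/24", (2000, 4000), frozenset({"host-a"}))
SVC_B = Service("B", "10.0.1.8/32", (3800, 3900), frozenset({"host-b"}))
SVC_C = Service("C", "10.0.2.10/32", (443, 443), frozenset({"host-c"}))

GOOD = Policy("users-to-C", frozenset({"alice", "bob"}), frozenset({SVC_C}))
BIDIRECTIONAL = Policy("hosts-and-users", frozenset({"alice", "host-c"}), frozenset({SVC_C}))
OVERLAPPING = Policy("A-and-B", frozenset({"carol"}), frozenset({SVC_A, SVC_B}))
DUPLICATE = Policy("users-to-C-again", frozenset({"alice"}), frozenset({SVC_C}))

if __name__ == "__main__":
    for caution, message in check_policies([GOOD, BIDIRECTIONAL, OVERLAPPING, DUPLICATE]):
        print(f"caution {caution}: {message}")
```

Running the block flags `host-c` in `hosts-and-users` (caution 1), the A/B pair in `A-and-B` (caution 3), and `alice` three times for caution 2, because she is a member of three policies that all expose service C. The overlap test is the same one the console conflict would be based on: both the address ranges and the port ranges must intersect for two services to clash.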

Posture Checks

Posture Checks are security postures applied at the Service Policy [APPNET] level. NetFoundry offers 5 different types of security posture checks for identities. Any Posture Checks that are assigned to a Service Policy [APPNET] will be relayed to the identities that are also assigned to that Service Policy [APPNET].

For more details about Posture Checks, refer to Create-and-Manage-Posture-Checks.

Attributes

Using an identity, service, or posture attribute adds every identity, service, or posture check that carries that attribute to the Service Policy [APPNET]. The @ symbol tags an individual identity, service, or posture check, and the # symbol tags a group of identities, services, or posture checks.

Service attributes provide the reference to any tagged services that are to be made available to the identities.

In the Service Policy [APPNET] provisioning for identity Attributes, the identity attributes determine which of your identities are authorized to access the services you have specified in the Service Attributes section.

The Posture attributes determine which of the posture checks will be relayed to the identities that are also assigned to that Service Policy [APPNET].
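How the @ and # selectors in the three attribute sections resolve to concrete members, and what the right-hand preview reflects, can be shown with a small resolver. This is an added example, not NetFoundry code: the identities, services, posture checks and group tags below are constructed, and the `resolve` and `preview_policy` functions are this example's own. It also surfaces one failure mode worth catching: a mistyped @ selector, or a section whose selectors match nothing, yields a policy that silently grants or checks nothing.

```python
def resolve(selectors, objects):
    """Resolve '@name' / '#group' selectors against a catalogue.

    objects maps each object's name to the frozenset of '#group' tags it carries.
    '@name' selects exactly that object; '#group' selects every object tagged with
    that group. The selections are unioned.
    """
    chosen = set()
    for sel in selectors:
        if sel.startswith("@"):
            name = sel[1:]
            if name not in objects:
                # a mistyped '@' selector would otherwise select nothing, silently
                raise ValueError(f"unknown object referenced by {sel}")
            chosen.add(name)
        elif sel.startswith("#"):
            chosen.update(name for name, tags in objects.items() if sel in tags)
        else:
            raise ValueError(f"selector must start with '@' or '#': {sel}")
    return frozenset(chosen)


def preview_policy(policy, identities, services, posture_checks):
    """Mirror the console preview: resolved members per section, plus a warning
    for each section whose selectors match nothing."""
    resolved = {
        "identities": resolve(policy["identity_attributes"], identities),
        "services": resolve(policy["service_attributes"], services),
        "posture_checks": resolve(policy["posture_attributes"], posture_checks),
    }
    warnings = [f"{section} selectors match nothing"
                for section, members in resolved.items() if not members]
    return resolved, warnings


# Constructed catalogues: name -> the '#group' attributes that object carries
IDENTITIES = {
    "alice": frozenset({"#sales"}),
    "bob": frozenset({"#sales", "#admins"}),
    "carol": frozenset({"#eng"}),
    "crm-host": frozenset({"#hosts"}),
}
SERVICES = {
    "crm": frozenset({"#business-apps"}),
    "wiki": frozenset({"#business-apps"}),
    "jenkins": frozenset({"#eng-tools"}),
}
POSTURE_CHECKS = {
    "os-check": frozenset({"#baseline"}),
    "mfa-check": frozenset({"#baseline"}),
    "domain-check": frozenset(),
}

# Constructed policy: the sales group plus carol get the business apps, gated by
# the baseline checks and the individually tagged domain check
POLICY = {
    "name": "sales-to-business-apps",
    "identity_attributes": ["#sales", "@carol"],
    "service_attributes": ["#business-apps"],
    "posture_attributes": ["#baseline", "@domain-check"],
}

if __name__ == "__main__":
    members, warnings = preview_policy(POLICY, IDENTITIES, SERVICES, POSTURE_CHECKS)
    for section, names in members.items():
        print(f"{section}: {sorted(names)}")
    for w in warnings:
        print(f"warning: {w}")
```

Note that `#hosts` is deliberately not in the identity attributes: the identity terminating the CRM service should be tagged into a separate policy, in line with the first caution above.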

Manage Your Service Policy [APPNET]

To manage an existing APPNET, navigate to the Policies (APPNETs) section in the NetFoundry console. You can click on a Service Policy [APPNET] row to edit it, or use the ellipsis menu at the end of each row to take actions on that individual Service Policy [APPNET]. Use the select bubbles in the first column of the table to select multiple rows for bulk delete.

When editing an existing Service Policy [APPNET], the screen will look the same as the 'Create a New Service Policy [APPNET]' screen, except that you'll click 'Update' to finish editing instead of 'Create'.
