Security Profiles are an essential part of an Elisity policy. Learn how to best utilize security profiles within and between policy groups to start segmenting your network with traffic rules.
Security Profiles are groups of L3/L4 traffic rules, called Security Rules.
A security profile is a policy construct that enables an administrator to define a set of security rules based on L3/L4 protocol to be allowed or denied in a policy. You can consider security profiles as a separate building block on a policy, just like policy groups, that can be created and referenced in as many policies as needed.
Security profiles can either be pre-built and then referenced when building a policy, or they will be built on demand when creating a policy. You can also duplicate, modify, and save security profiles if you want to use a security profile in a different policy, but with minor (or major) modifications.
To configure a security rule, the Rule Type, Rule, Attributes (optional) and Action must be defined. The rule type is defined below:
L3/L4 Protocol – Matches a specific L3/L4 protocol, such as ICMP, or custom source and/or destination TCP/UDP ports.
Some key benefits of Security Profiles:
- Customizable Rule Creation: Elisity offers pre-built security rules for common protocols, making it easier for administrators to define rules for widely used applications. Additionally, administrators can create custom TCP and UDP rules, enabling fine-grained control over traffic. This flexibility allows organizations to tailor security profiles to their specific requirements and applications.
- Centralized Management and Reusability: Security profiles can be created and managed centrally within the Elisity Cloud Control Center. Once defined, security profiles can be reused across multiple policies, eliminating the need for redundant rule creation. This centralized management streamlines policy administration and ensures consistent and standardized security rules throughout the network.
- Simplified Policy Creation: By referencing security profiles within policies, administrators can simplify the policy creation process. Instead of individually defining each security rule within a policy, administrators can leverage pre-configured security profiles that contain the necessary rules. This not only saves time but also reduces the chances of errors and inconsistencies in policy configurations.
- Flexibility and Scalability: Security profiles offer flexibility and scalability as network requirements evolve. As security needs change, administrators can modify existing security profiles by adding, deleting, or modifying rules. This adaptability allows organizations to respond to new threats, regulatory changes, or operational requirements without major policy reconfiguration.
- Enhanced Security Posture: Security profiles enable organizations to establish a strong security posture by enforcing strict traffic rules. By explicitly allowing only necessary protocols and ports, organizations minimize the attack surface and mitigate the risks associated with unauthorized or malicious network communication. This helps prevent lateral movement within the network and reduces the impact of potential security incidents.
Create a New Security Profile
To create a security profile, go to Policies -> Security Profiles -> + Create Security Profile
Give your Security Profile a name, and a description if you wish. In this case, we are building a security profile that allows MODBUS traffic and ICMP and denies all other traffic. In the screenshot below we have added an allow rule for MODBUS (UDP) and are adding another rule to allow MODBUS (TCP).
Note that when selecting pre-configured security rules such as these, the destination port is filled in according to the protocol and the source port is left as Any.
Note in the Security Profile creator that you also have the option to Enable Logging for a given security rule.
When you click "Enable Log" on a security rule while building a Security Profile, you activate a feature on the switch that logs every hit on that specific rule. These logs are then sent to the configured Syslog server for further analysis.
Purpose: Enabling logging on a security rule activates the switch's capability to record any traffic that matches the rule. The log data is forwarded to the Syslog server for centralized collection and analysis. Enabling it on the final deny-all rule of a profile is a practical way to see which traffic the profile is blocking.
Benefits:
- Enhanced Monitoring: Provides visibility into traffic patterns and potential security threats.
- Centralized Analysis: Logs are aggregated on the Syslog server, facilitating comprehensive analysis and reporting.
Note: Ensure your Syslog server is properly configured to receive and store these logs for effective monitoring and troubleshooting.
Here we are adding another rule by clicking + Add New Rule.
Note that when adding a security rule, the default "Rule Action" is Allow, meaning traffic that matches the rule is permitted.
We can change the rule action by clicking on the Allow box and changing it to Deny. We will do that for "All Traffic" so that any traffic not matched by one of our explicitly permitted rules is denied. Because security rules are evaluated in the order they are displayed, keep this deny-all rule last: a deny-all rule placed above the allow rules would match first and block the MODBUS and ICMP traffic as well. After we have created our security rules, we can click Deploy, and our security profile is ready to be used in a policy.
Custom Security Rules
In addition to using our library of pre-built security rules, you can create custom TCP and UDP rules as well. To do this, select "Custom TCP Rule" or "Custom UDP Rule" when selecting your protocol during security rule creation, fill in your source and destination ports, and deploy.
As seen below, the source and destination fields each accept a single port, a port range, or both. Typing "Any" or 0-65535 is automatically normalized to the "Any" port range.
Edit Your Security Profiles
Editing Security Profiles is simple within Cloud Control Center. Click the Security Profile you want to modify, then click "Edit" in the top right. You can add or delete rules here. Click the pencil icon next to a security rule to modify the rule type, source ports, destination ports, and rule action. Common destination ports are automatically identified by their protocol name: in the example below, I changed one of the security rules to TCP destination port 22, and the protocol was recognized as SSH. Any security rule with a source port defined is automatically treated as a custom security rule.
Order of Security Rules
It is important to note that security rules are evaluated in the order that they are displayed. This is important to consider in the case where you might have overlapping match criteria (source or destination ports and protocols) and want to set the precedence manually. To change the order of security rules, click and drag the handle to the left of the Rule column, up or down.
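To make the evaluation order concrete, here is an added, stand-alone Python model of how an ordered security profile is evaluated. It is an illustration written for this page, not Elisity code and not how Cloud Control Center or the switch implements matching. It assumes first-match-wins evaluation in displayed order, uses the standard Modbus port 502 for the pre-built MODBUS rules (the page does not state the number), reports "no-match" for a flow that hits no rule (the page only shows profiles that end in an explicit deny-all, so the behaviour without one is not modelled), and the sample flows are constructed. It also reproduces the two smaller behaviours described above: "Any" and 0-65535 normalizing to the same port range, and a rule with a source port counting as a custom rule.

```python
"""Illustrative first-match evaluator for an ordered list of L3/L4 security rules.

Added example for this page; not Elisity code and not a Cloud Control Center API.
Assumptions: rules are evaluated top-down and the first match wins; Modbus uses
port 502; a flow that matches nothing yields "no-match". Sample flows are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
ANY: PortRange = (0, 65535)  # the "Any" port range; 0-65535 normalizes to it


def parse_ports(spec: str) -> PortRange:
    """Turn 'Any', a single port ('502') or a range ('20-21') into (low, high)."""
    s = spec.strip().lower()
    if s == "any":
        return ANY
    if "-" in s:
        lo_s, hi_s = s.split("-", 1)
        lo, hi = int(lo_s), int(hi_s)
    else:
        lo = hi = int(s)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port spec: {spec!r}")
    return (lo, hi)  # typing 0-65535 lands on ANY by construction


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str            # "tcp", "udp", "icmp" or "any"
    src: PortRange = ANY     # pre-built rules leave the source port open
    dst: PortRange = ANY
    action: str = "allow"    # the UI default; "deny" must be chosen explicitly
    log: bool = False        # models "Enable Log" on the rule

    @property
    def is_custom(self) -> bool:
        # A rule with a source port defined is treated as a custom rule.
        return self.src != ANY

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        if self.protocol != "any" and self.protocol != proto:
            return False
        if proto == "icmp":
            return True  # ICMP has no ports; the protocol match is enough
        return self.src[0] <= sport <= self.src[1] and self.dst[0] <= dport <= self.dst[1]


@dataclass
class Verdict:
    action: str              # "allow", "deny" or "no-match"
    rule: Optional[str]      # name of the rule that decided, if any
    logged: bool             # True if that rule has logging enabled


def evaluate(rules: List[Rule], proto: str, sport: int = 0, dport: int = 0) -> Verdict:
    """Walk the rules in displayed order; the first match decides."""
    for r in rules:
        if r.matches(proto, sport, dport):
            return Verdict(r.action, r.name, r.log)
    return Verdict("no-match", None, False)


# The profile built earlier on this page: allow MODBUS (UDP/TCP) and ICMP, deny the rest.
MODBUS_PROFILE: List[Rule] = [
    Rule("MODBUS (UDP)", "udp", dst=parse_ports("502")),
    Rule("MODBUS (TCP)", "tcp", dst=parse_ports("502")),
    Rule("ICMP", "icmp"),
    Rule("All Traffic", "any", action="deny", log=True),  # must stay last
]


def deny_first(rules: List[Rule]) -> List[Rule]:
    """The same rules with the deny-all dragged to the top: the ordering mistake to avoid."""
    return [rules[-1]] + rules[:-1]


if __name__ == "__main__":
    flows = [("tcp", 40000, 502), ("udp", 40000, 502), ("icmp", 0, 0), ("tcp", 40000, 22)]
    for label, profile in (("deny-all last", MODBUS_PROFILE), ("deny-all first", deny_first(MODBUS_PROFILE))):
        print(f"== {label} ==")
        for proto, sport, dport in flows:
            v = evaluate(profile, proto, sport, dport)
            print(f"{proto:4} {sport:>5} -> {dport:<5} {v.action:8} by {v.rule!r} log={v.logged}")
```

With the deny-all rule last, the Modbus and ICMP flows are allowed and the SSH flow is denied (and logged); with the same rules and the deny-all dragged to the top, every flow is denied, which is exactly the overlap the drag handle lets you resolve.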
Referencing Security Profile in Policy
When you are ready to create a policy using your security profile, select "Use an existing security profile" and choose your profile name from the drop-down list. Click it, and your security rules populate the screen. This is also where you can create a new security profile during policy creation as an alternate workflow: click the "Create New Security Profile" button and fill out your security rules as usual.
Audit Comments for Security Profiles
Audit comments in Elisity Cloud Control Center provide a structured way to capture the intent behind policy changes. Requiring comments when creating or updating Policy Groups and Security Profiles ensures that each modification is documented, supporting compliance, accountability, and easier policy reviews.
Benefits/Use Cases
User Attribution: Each policy change can be attributed to a specific user, promoting accountability and tracking.
Audit and Compliance Readiness: Mandatory comments ensure every Security Profile modification is logged, facilitating regulatory compliance and internal audits.
Policy Lifecycle Management: Documented comments add context to each policy change, helping administrators review and maintain relevant policies over time.
Enable Audit Comments
- Go to Settings in the main navigation.
- Under System > Advanced, toggle Enforce Audit Comments to activate the requirement for audit comments on policy changes.
Adding an Audit Comment When Creating or Updating Security Profiles
- In Policies > Security Profiles, choose to create a new item or edit an existing one.
- Enter a brief note in the Audit Comment field to document the reason for the change. This field is mandatory for both creation and updates and must be between 10 and 254 characters long.
- Click Create or Save to finalize the action. If the audit comment is shorter than the minimum length, the change cannot be saved. The audit comment is recorded as part of the change history.