Security Profiles are an essential part of an Elisity policy. Learn how to best utilize security profiles within and between policy groups to start segmenting your network with traffic rules.
Security Profiles are groups of L3/L4 traffic rules, called Security Rules.
A security profile is a policy construct that enables an administrator to define a set of security rules, based on L3/L4 protocols, to be allowed or denied in a policy. You can consider security profiles a separate building block of a policy, just like policy groups, that can be created and referenced in as many policies as needed.
Security profiles can either be pre-built and then referenced when building a policy, or built on demand when creating a policy. You can also duplicate, modify, and save security profiles if you want to use a security profile in a different policy, but with minor (or major) modifications.
To configure a security rule, the Rule Type, Rule, Attributes (optional) and Action must be defined. Rule types are defined below:
L3/L4 Protocol – Specific L3/L4 protocols can be matched such as ICMP or custom source or destination TCP/UDP ports.
Some key benefits of Security Profiles:
Customizable Rule Creation: Elisity offers pre-built security rules for common protocols, making it easier for administrators to define rules for widely used applications. Additionally, administrators can create custom TCP and UDP rules, enabling fine-grained control over traffic. This flexibility allows organizations to tailor security profiles to their specific requirements and applications.
Centralized Management and Reusability: Security profiles can be created and managed centrally within the Elisity Cloud Control Center. Once defined, security profiles can be reused across multiple policies, eliminating the need for redundant rule creation. This centralized management streamlines policy administration and ensures consistent and standardized security rules throughout the network.
Simplified Policy Creation: By referencing security profiles within policies, administrators can simplify the policy creation process. Instead of individually defining each security rule within a policy, administrators can leverage pre-configured security profiles that contain the necessary rules. This not only saves time but also reduces the chances of errors and inconsistencies in policy configurations.
Flexibility and Scalability: Security profiles offer flexibility and scalability as network requirements evolve. As security needs change, administrators can easily modify existing security profiles by adding, deleting, or modifying rules. This adaptability allows organizations to respond to new threats, regulatory changes, or operational requirements without major policy reconfiguration.
Enhanced Security Posture: Security profiles enable organizations to establish a strong security posture by enforcing strict traffic rules. By explicitly allowing only necessary protocols and ports, organizations can minimize the attack surface and mitigate the risks associated with unauthorized or malicious network communication. This helps prevent lateral movement within the network and reduces the impact of potential security incidents.
Create a New Security Profile
To create a security profile, go to Policies -> Security Profiles -> + Create Security Profile
Give your Security Profile a name, and a description if you wish. In this case, we are building a security profile that allows MODBUS traffic, ICMP, and denies all other traffic. In the screenshot below we have added an allow rule for MODBUS (UDP) and we are adding another rule to allow MODBUS (TCP).
Note that when selecting pre-configured security rules such as these, the destination port is filled according to the protocol and the source ports are left open.
Here we are adding another rule by clicking + Add New Rule.
Note that when adding a security rule, the default "Rule Action" is Allow, which means that traffic matching the rule will be permitted.
We can change the rule action by clicking on the allow box, and changing it to deny. We will do that for "All Traffic" so that any traffic other than our explicitly permitted rules will be denied. After we have created our security rules, we can click deploy, and our security profile is ready to be used in a policy.
Custom Security Rules
In addition to using our library of pre-built security rules, you can create custom TCP and UDP rules as well. To do this, select "Custom TCP Rule" or "Custom UDP Rule" when selecting your protocol during security rule creation, fill your source and destination ports, and deploy.
As seen below, you can specify a specific port, port range, or both in the source and destination fields. You can also type "Any" or 0-65535, which will automatically transform to the "Any" port range.
Edit Your Security Profiles
Editing Security Profiles is very simple within Cloud Control Center. Simply click the Security Profile you want to modify, and click "edit" in the top right. You can add or delete rules here. Click the pencil icon next to a security rule to modify the rule type, source ports, destination ports, and rule actions. Common destination ports will be automatically identified by their protocol name. In the example below, I changed one of the security rules to TCP destination port 22, and the protocol was recognized as SSH. Any security rule with a source port defined will automatically be considered a custom security rule.
Order of Security Rules
Security rules are evaluated in the order that they are displayed. This matters when rules have overlapping match criteria (source or destination ports and protocols) and you want to set the precedence manually. To change the order of security rules, click and drag the handle to the left of the Rule column up or down.
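The effect of rule order on the MODBUS profile built above can be checked offline before deploying. The following is an added example, not Elisity code: it models rules locally, assumes the first matching rule decides the action, and flags rules that an earlier rule fully covers. The Rule tuple, function names and sample profile are hypothetical; port 502 is the IANA-registered Modbus port and is not stated on this page.

```python
from collections import namedtuple

def parse_ports(spec):
    """Parse 'Any', '22', '8000-8100' or a comma-separated mix into (lo, hi) ranges."""
    if spec.strip().lower() == "any":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((lo, hi))
    return ranges

# Hypothetical local model of one security rule; proto is tcp, udp, icmp or any.
Rule = namedtuple("Rule", "name proto src dst action")

def _covers(outer, inner):
    """True if every range in `inner` lies inside a single range of `outer`."""
    return all(any(olo <= lo and hi <= ohi for olo, ohi in parse_ports(outer))
               for lo, hi in parse_ports(inner))

def evaluate(rules, proto, sport, dport):
    """First matching rule decides (assumed); pass ICMP flows with port 0."""
    for r in rules:
        if r.proto in ("any", proto) and _covers(r.src, str(sport)) and _covers(r.dst, str(dport)):
            return r.name, r.action
    return None  # behaviour when nothing matches is not described on the page

def shadowed(rules):
    """(later, earlier) pairs where an earlier rule fully covers a later one."""
    out = []
    for j, late in enumerate(rules):
        for early in rules[:j]:
            if (early.proto in ("any", late.proto)
                    and _covers(early.src, late.src) and _covers(early.dst, late.dst)):
                out.append((late.name, early.name))
                break
    return out

# Constructed sample mirroring the profile above: allow MODBUS and ICMP, deny the rest.
PROFILE = [
    Rule("MODBUS (UDP)", "udp", "Any", "502", "allow"),
    Rule("MODBUS (TCP)", "tcp", "Any", "502", "allow"),
    Rule("ICMP", "icmp", "Any", "Any", "allow"),
    Rule("All Traffic", "any", "Any", "Any", "deny"),
]
MISORDERED = [PROFILE[-1]] + PROFILE[:-1]  # deny rule dragged to the top
```

With the deny rule last, shadowed(PROFILE) is empty; with it first, every allow rule is reported as unreachable and MODBUS traffic evaluates to deny.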
Referencing Security Profile in Policy
When you are ready to create a policy using your security profile, select "Use an existing security profile" and select your unique profile name from the drop-down list. Click on it, and you will see your security rules populate the screen. Notice that this is also where you can choose to create a new security profile during policy creation as an alternate workflow. Simply click the "Create New Security Profile" button and fill out your security rules as usual.