Policies: examples

Sample policies

There are sample policies included with FreeNAC to give an idea of how to build a custom policy. The examples are described on this page.

Each example is more complex than the previous, and demonstrates specific policy functions. These (working) policies are in the etc/ directory.
See also the chapters on writing a custom policy and on policy testing.

  1. policy1.php

    Allows known devices (host->isActive) into the network and places them in the global default vlan defined in the config table. If an unknown device connects to the network, it is denied.

  2. policy2.php

    As policy1, but in addition:
    - In postconnect: information about the EndDevice and the port where the EndDevice connected is stored in the database (switch_port->update, host->update). If the EndDevice or the port is not yet known, it is inserted into the database (switch_port->insertIfUnknown, host->insertIfUnknown).

  3. policy3.php

    - Allows access to known devices into the network and will place them in the vlan assigned to the end device (host->getVlanId).
    - If an unknown device connects to the network, it will be denied.
    - postconnect: same as policy2.

  4. policy4.php

    - Allows access to known devices into the network and will place them in the vlan assigned to the end device.
    - If an unknown device connects to the network, assign the global default vlan if defined. If such a global default vlan hasn't been defined, the connecting device will be denied.
    - postconnect: same as policy2.

  5. policy5.php

    - Allows access to known devices into the network and will place them in the vlan assigned to the end device.
    - If an unknown device connects to the network, assign the port default vlan, provided the switch port the device is connecting to has a default vlan assigned to it.
    - If the device is unknown and there is no port default vlan, assign the global default vlan.
    - If neither a port vlan nor a global default vlan has been defined, the connecting device will be denied.
    - postconnect: same as policy2.

  6. policy6.php

    - Allows access to known devices into the network and will place them in the vlan assigned to the end device.
    - If an unknown device connects and it is a virtual machine, assign the same vlan used by its 'mother' device, already active on that port (host->isVM, switch_port->getVMVlan).
    - If the device is still unknown, assign a port default vlan, a global default vlan, or deny - as in policy 5.
    - postconnect: same as policy2.

  7. policy7.php

    - If an end-device is in the killed state, or its expiry date is due, assign the isolation vlan, or deny access if that isolation vlan is zero (host->isKilled, host->isExpired, conf_vlan_for_killed).
    - Then apply the same rules as policy 6.
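    The preconnect decision chain of policy7 (which builds on policy5 and policy6), written as a pure function. This is an added illustration, not one of the FreeNAC policy files: the host and switch_port objects named above are replaced by a plain array of the facts a policy would read from them, because their method signatures are not given on this page (assumption). The order of the checks is the point: killed and expired devices are handled before the "known device" rule, otherwise a killed but still-known device would be admitted.

```php
<?php
// Added example, not FreeNAC code. Models the policy7 preconnect chain.
// Return value: a vlan id (> 0), or DENY (0) meaning "refuse access".
const DENY = 0;

function chooseVlan(array $f): int
{
    // 1. Killed or expired devices: isolation vlan, or deny when that vlan
    //    is configured as zero (host->isKilled, host->isExpired,
    //    conf_vlan_for_killed in the real policy).
    if ($f['killed'] || $f['expired']) {
        return $f['isolation_vlan'] > 0 ? $f['isolation_vlan'] : DENY;
    }
    // 2. Known, active devices get the vlan assigned to them
    //    (host->isActive, host->getVlanId).
    if ($f['known']) {
        return $f['assigned_vlan'];
    }
    // 3. An unknown VM inherits the vlan of the 'mother' device already
    //    active on the same port (host->isVM, switch_port->getVMVlan).
    if ($f['is_vm'] && $f['mother_vlan'] > 0) {
        return $f['mother_vlan'];
    }
    // 4. Port default vlan, then 5. global default vlan, then deny.
    if ($f['port_default_vlan'] > 0) {
        return $f['port_default_vlan'];
    }
    if ($f['global_default_vlan'] > 0) {
        return $f['global_default_vlan'];
    }
    return DENY;
}

// Constructed sample facts: an unknown VM on a port whose mother device
// sits in vlan 20; no port default vlan, global default vlan 99.
$facts = [
    'killed' => false, 'expired' => false, 'known' => false,
    'assigned_vlan' => 0, 'is_vm' => true, 'mother_vlan' => 20,
    'port_default_vlan' => 0, 'global_default_vlan' => 99,
    'isolation_vlan' => 666,
];
echo chooseVlan($facts), "\n";                    // 20: follows the mother device
$facts['expired'] = true;
echo chooseVlan($facts), "\n";                    // 666: expired beats everything else
$facts['isolation_vlan'] = 0;
echo chooseVlan($facts) === DENY ? "deny\n" : "allow\n"; // deny: isolation vlan is zero
```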

  8. policy8.php

    In this policy the 'health' status assigned to every connecting device is verified. If the end-device has its health status set to QUARANTINE, it'll be placed in the quarantine vlan. For a health status other than QUARANTINE and OK, log a warning to syslog.

    Say, for example, that a worm is spreading through the internal network via port 135:
    - The policy checks for end-devices with port 135 open ($port_scan->isPortOpen).
    - If that port is open on the EndDevice, we'll place it in the quarantine vlan (quarantine_vlan).
    - Otherwise, apply the same rules as policy 5.

    In postconnect, besides applying the same rules as policy5, also:
    - Check whether port 135 is open. If it is, set the device's health status to QUARANTINE.
    - If a connecting device no longer has port 135 open, set its status back to OK and restart the port, so that the end-device is put back in its usual vlan.

    In the quarantine vlan, a captive dhcp/dns/web portal would need to be installed to inform the user of the quarantine and how to remediate.
    An alternative to quarantining would be to send a warning email, if the open port posed a low risk.

  9. policy9.php

    This policy file allows known devices into the network. The vlan assigned to the connecting device is chosen as follows:
    - If the switch has a vlan associated with it, that vlan will be used.
    - If there is an exception vlan declared in the vlanswitch table, use that vlan.
    - Otherwise, assign the vlan assigned to this end device.
    If an unmanaged system tries to connect, log an alert.
    For unknown and unmanaged systems, if the switch port the device is connecting to has a vlan assigned to it, the EndDevice will be placed in that vlan.
    If no port default vlan has been assigned, use the global default vlan if defined.
    If neither a port vlan nor a global default vlan has been defined, the connecting device will be denied.

    - postconnect: Same as policy2

  10. policy10.php

    The aim of this policy file is to demonstrate that vlan names can also be specified when allowing access.
    For active devices, if the connecting device is the manager's system (MAC: cc00.ffee.eeee), place it right away in the vlan 'MANAGER_VLAN'.
    For the remaining active devices (not the manager's), place them in the vlan assigned to them. If an unknown device connects to the network, it will be denied.

    - postconnect: Same as policy 3

  11. policy11.php

    This policy shows how to use the new method postScan in the EndDevice class. It sets the scannow flag for systems requesting access to the network, but only if they haven't been scanned in the last 7 days. Note that for this to work, you must run the scans in scannow mode from crontab. See port_scan for more information.

    This policy is the same as policy1.php in the preconnect part, but in the postconnect part the postScan method is being used. This method is planned to be used only in this part of the policy, but it can also be used in preconnect.

To use these policies, you need to create a symbolic link from 'policy.inc.php' to the policy file you want to use:

cd /opt/nac/etc
rm policy.inc.php
ln -s policyX.php policy.inc.php