5-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Understanding Policies
Having default rules makes it possible to define a global default rule, such as “deny any any”, that appears at the end of all access rule lists and provides a final measure of security should gaps exist in the mandatory rules and default rules that appear above it in the rules table.
Inheritance Example
For example, you can define a mandatory worm mitigation rule in the corporate access rules policy that mitigates or blocks the worm on all devices with a single entry. Devices configured with the regional access rules policy can inherit the worm mitigation rule from the corporate policy while adding rules that apply at the regional level. For example, you can create a rule that allows FTP traffic to all devices in one region while blocking FTP to devices in all other regions. However, the mandatory rule at the corporate level always appears at the top of the access rules list. Any mandatory rules that you define in a child policy are placed after the mandatory rules defined in the parent policy.
With default rules, the order is reversed—default rules defined in a child policy appear before default rules inherited from the parent policy. Default rules appear after any local rules that are defined on the device, which makes it possible to define a local rule that overrides a default rule. For example, if a regional default rule denies FTP traffic to a list of destinations, you can define a local rule that permits one of those destinations.
IPS Policy Inheritance
Event action filter policies for IPS devices can also use inheritance to add rules defined in a parent policy to the local rules defined on a particular device. The only difference is that although active and inactive rules are displayed together in the Security Manager interface, all inactive rules are deployed last, after the inherited default rules.
Signature policies for IPS devices use a different type of inheritance that can be applied on a per-signature basis. See Configuring Signatures, page 38-4.
Related Topics
• Settings-Based Policies vs. Rule-Based Policies, page 5-2
• Understanding Access Rules, page 16-1
• Understanding Global Access Rules, page 16-3
• Inheritance vs. Assignment, page 5-6
• Inheriting or Uninheriting Rules, page 5-43
Inheritance vs. Assignment
It is important to understand the difference between rule inheritance and policy assignment:
• Inheritance—When you inherit the rules from a selected policy, you do not overwrite the local rules that are already configured on the device. Instead, the inherited rules are added to the local rules. If the inherited rules are mandatory rules, they are added before the local rules. If the inherited rules are default rules, they are added after the local rules. Any changes that you make to the inherited rules in the parent policy are reflected in the policy that inherits those rules.
Note: Inheritance works differently for IPS signature policies and signature event actions. For more information, see Understanding Signature Inheritance, page 38-3.
• Assignment—When you assign a shared policy to a device, you replace whatever was already configured on the device with the selected policy. This holds true whether the device previously had a local policy or a different shared policy of that type.
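The rule ordering that the Inheritance Example and the Inheritance bullet above both describe, worked through as an added example that is not part of the Cisco guide: a small model of a corporate → regional → device hierarchy (the policy names, the hosts srv-a and srv-b, and the worm-port service label are constructed) that builds the deployed rule order and resolves a lookup by first match.

```python
# Added example (not from the Cisco guide): models the access rule ordering described
# above for a corporate -> regional -> device hierarchy and resolves first-match lookups.
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str]  # (action, service, destination); "any" matches everything


class Policy:
    def __init__(self, name: str, mandatory: List[Rule], default: List[Rule],
                 parent: Optional["Policy"] = None):
        self.name, self.mandatory, self.default, self.parent = name, mandatory, default, parent


def effective_rules(policy: Policy, local_rules: List[Rule]):
    """Return (origin, section, rule) tuples in deployment order: mandatory rules from the
    top-most ancestor downward, then local rules, then default rules from the child upward."""
    chain = []                       # [directly inherited policy, ..., root policy]
    p = policy
    while p is not None:
        chain.append(p)
        p = p.parent
    ordered = []
    for p in reversed(chain):        # root (corporate) mandatory rules come first
        ordered += [(p.name, "mandatory", r) for r in p.mandatory]
    ordered += [("device", "local", r) for r in local_rules]
    for p in chain:                  # child default rules precede inherited parent defaults
        ordered += [(p.name, "default", r) for r in p.default]
    return ordered


def first_match(ordered, service: str, dst: str):
    """Access lists are evaluated top-down; the first matching rule decides."""
    for origin, section, (action, r_service, r_dst) in ordered:
        if r_service in ("any", service) and r_dst in ("any", dst):
            return action, origin, section
    return None                      # unreachable once a "deny any any" default is inherited


# Constructed sample hierarchy; names and service labels are illustrative only.
CORPORATE = Policy("corporate",
                   mandatory=[("deny", "worm-port", "any")],  # worm mitigation for every device
                   default=[("deny", "any", "any")])          # global "deny any any", always last
REGIONAL = Policy("regional", mandatory=[],
                  default=[("deny", "ftp", "srv-a"), ("deny", "ftp", "srv-b")],
                  parent=CORPORATE)
LOCAL_RULES: List[Rule] = [("permit", "ftp", "srv-a")]      # local rule overriding one regional default

if __name__ == "__main__":
    for origin, section, rule in effective_rules(REGIONAL, LOCAL_RULES):
        print(f"{origin:9} {section:9} {rule}")
```

Running the block prints the five rules in the order they would be deployed: the corporate mandatory rule, the local FTP permit, the two regional defaults, and finally the corporate "deny any any".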