About Chamber Policies
Application Chambers provide advanced security through visibility and control of networking into and out of protected endpoints. As the scope of an Application Chamber is at the scale of a software application, the Chamber Policies that it applies can be completely streamlined, making their intent easier to understand. This approach also dramatically reduces the need for policy exceptions, which tend to introduce security holes.
Chamber Policies: structure and policy precedence
Chamber Policies leverage the same Objects as Access Policies; defined Address Objects, Service Port Objects, and Application Process Objects are shared and can be used by both Chamber Policies and Access Policies.
A Chamber Policy applies to a given server, and filters traffic on the physical network interfaces. It can allow or or deny access to local or Internet-based resources that are not onboarded to CoIP.
For example, a Chamber Policy may be used to restrict DNS traffic only to a certain set of known-good DNS resolvers, which are not onboarded to CoIP. It may also be used to filter traffic destined for the Internet.
In contrast, an Access Policy applies to connections between servers that are onboarded to CoIP – for example, between Users and Applications, or Applications and Services. Traffic between two Chambers is also governed by an Access Policy.
An Application may associate one or more Chamber Policies.
In terms of precedence, Access Policies are always evaluated before Chamber Policies. In other words, a Chamber Policy can never block a valid Access Policy.
Chamber Policy Enforcement
Chamber Policies are enforced by the zLink agent on each endpoint. As the administrator updates Chamber Policies, new policies are automatically pushed to all affected endpoints so that the enforced security reflects the policies configured in the zCenter services portal.
An Application may potentially span multiple network domains, so administrators should note that Chamber Policies are applied identically to all endpoints.
Similar to the Object Group model, Chamber Policies can be grouped into Chamber Policy Templates. This model promotes policy maintainability, as individual Chamber Policies are well documented and can be independently managed and updated without affecting the function of other Chamber Policies in the Template.