About Chamber Policies
Application Chambers provide advanced security through visibility and control of networking into and out of protected endpoints. As the scope of an Application Chamber is at the scale of a software application, the Chamber Policies that it applies can be completely streamlined, making their intent easier to understand. This approach also dramatically reduces the need for policy exceptions, which tend to introduce security holes.
Chamber Policies: structure and policy precedence
Chamber Policies leverage the same Objects as Access Policies; defined Address Objects, Service Port Objects, and Application Process Objects are shared and can be used by both Chamber Policies and Access Policies.
An Access Policy applies only to a ZTNA connection, between Users and Applications or between Applications and Services, and filters the traffic that crosses that connection.
A Chamber Policy, by contrast, is associated with an Application (an Application may have one or more). Chamber Policies create filters on the physical network interface of the Application's endpoints and can allow or deny inbound or outbound access to local or Internet-based resources.
In terms of precedence, Access Policies are always evaluated before Chamber Policies. In other words, a Chamber Policy can never block traffic that a valid Access Policy permits.
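The precedence rule above, modelled as an added Python example (illustrative only, not Zentera's own code): Address, Service Port and Application Process Objects are simplified to a CIDR, a port set and a process-name set, first-match ordering and default-deny for unmatched traffic are assumptions, and the sample policies are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    direction: str      # "inbound" or "outbound", relative to the endpoint
    peer: str           # remote IP address
    port: int           # service port
    process: str        # local process name
    ztna: bool = False  # True when the flow rides a ZTNA connection

@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    direction: str
    address: str        # Address Object, simplified to a CIDR (assumption)
    ports: Optional[frozenset] = None      # Service Port Object; None = any
    processes: Optional[frozenset] = None  # Application Process Object; None = any

    def matches(self, f: Flow) -> bool:
        return (self.direction == f.direction
                and ip_address(f.peer) in ip_network(self.address)
                and (self.ports is None or f.port in self.ports)
                and (self.processes is None or f.process in self.processes))

def first_match(rules, flow: Flow) -> Optional[str]:
    """First matching rule wins (assumed ordering; the page does not specify one)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return None

def evaluate(access_policies, chamber_templates, flow: Flow) -> str:
    """Access Policies are evaluated first and govern ZTNA connections; Chamber
    Policies filter the physical interface, so they can never block a flow a
    valid Access Policy permits. Unmatched traffic is denied (assumed default)."""
    if flow.ztna:
        return first_match(access_policies, flow) or "deny"
    chamber_rules = [r for template in chamber_templates for r in template]
    return first_match(chamber_rules, flow) or "deny"

# Constructed sample: ZTNA access from the "webapp" process to an internal DB,
# plus a Chamber Policy Template allowing outbound HTTPS from "webapp" only.
ACCESS = [Rule("allow", "outbound", "10.20.0.0/16", frozenset({5432}), frozenset({"webapp"}))]
CHAMBER_TEMPLATE = [
    Rule("allow", "outbound", "0.0.0.0/0", frozenset({443}), frozenset({"webapp"})),
    Rule("deny", "inbound", "0.0.0.0/0"),
]
```

The same database flow is allowed over the ZTNA connection but denied on the physical interface, which is the point of evaluating Access Policies before Chamber Policies.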
Chamber Policy Enforcement
Chamber Policies are enforced by the zLink agent on each endpoint. As the administrator updates Chamber Policies, new policies are automatically pushed to all affected endpoints so that the enforced security reflects the policies configured in the zCenter services portal.
Note: Since an Application may span multiple network domains, it is important to keep in mind that Chamber Policies are applied identically to all of its endpoints.
Similar to the Object Group model, Chamber Policies can be grouped into Chamber Policy Templates. This model promotes policy maintainability, as individual Chamber Policies are well documented and can be independently managed and updated without affecting the function of other Chamber Policies in the Template.