| 摘要 |
Securing large networks having heterogeneous computing resources including provision of multiple services both to clients within and outside of the network, multiple sites, security zones, and other characteristics is provided using access control functionality implemented at hosts within the network. The access control functionality includes respective access control policies for indicating to each host from which other computers it can accept connections. Content of the access control policies can be determined based on application data flow needs, and can draw information from databases including DNS and security zone information for hosts to which the access control policies will be applied. Access control policies can be formatted automatically for different host with different characteristics from the same base logical rule set. Other aspects include using more permissive and/or access control rules provided on network equipment to block known bad data, while providing host-based access control focused on application data flow. |
