APE Rulebase Example: Limiting Bandwidth to Instant Messaging and Peer-to-Peer Traffic in the Enterprise
Suppose you work for a company that has seen a rise in use of extracurricular applications, such as instant messaging applications and peer-to-peer file sharing. These applications pose a problem not only because of lost productivity, but also because they use a lot of bandwidth. After due consideration and analysis, your company decides to allow MSN instant messaging because it is used for legitimate collaboration, but deny use of AIM or Yahoo Instant Messenger, which are popular but not the company standard. At the same time, the company decides to address the use of peer-to-peer file sharing. The executives would like to prohibit use of peer-to-peer file sharing applications altogether, but to keep employees happy, they decide to prohibit use by employees who are not full-time and limit use for all others.
You can leverage the role-based policy feature and the application policy enforcement (APE) rulebase to enforce your company’s new policy.
To deploy this solution:
- Deploy a Unified Access Control (UAC) solution for user access to your corporate network.
- Use the IC Series administration console to map users to roles, including:
  - Contractors
  - Part-Time
  - Temp
- Configure communication between the IC Series and IDP so you can use the IDP role-based policy feature.
- Configure APE rules to:
  - Deny use of the two most popular instant messaging programs.
  - Limit bandwidth available to peer-to-peer applications.
In Figure 1, rule 1 drops connections for AIM and Yahoo Instant Messenger. Rule 2 drops peer-to-peer file sharing initiated by contractors, part-time workers, and temporary workers. Rule 3 limits all other connections initiated from within the corporate network to a shared pool of bandwidth.
Figure 1: APE Rulebase: Role-based Rules Enforcing an Enterprise Resource Policy
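The three rules above are evaluated in order, and the order is what makes the policy work: a broad rule placed first would shadow the narrower ones behind it. The following is an added illustration of that first-match logic, not Juniper IDP code; the rule fields, application names, the 512 kbps pool and the `covers` check are assumptions made for this example.

```python
"""Constructed model of the three APE rules from Figure 1, evaluated first-match."""
from dataclasses import dataclass

DROP, RATE_LIMIT, PERMIT = "drop", "rate-limit", "permit"

@dataclass
class ApeRule:
    number: int
    applications: set        # application names; empty set means any application
    roles: set               # IC Series roles; empty set means any role
    from_corporate: bool     # True: only sessions originating inside the corporate network
    action: str
    bandwidth_kbps: int = 0  # only meaningful for RATE_LIMIT

# Rulebase in evaluation order; first match wins (assumed semantics).
# Application names and the 512 kbps pool are constructed values.
RULEBASE = [
    ApeRule(1, {"AIM", "Yahoo-Messenger"}, set(), True, DROP),
    ApeRule(2, {"BitTorrent", "Gnutella"}, {"Contractors", "Part-Time", "Temp"}, True, DROP),
    ApeRule(3, set(), set(), True, RATE_LIMIT, bandwidth_kbps=512),
]

def evaluate(rulebase, application, roles, from_corporate):
    """Return (rule_number, action, bandwidth_kbps) of the first matching rule.

    Sessions no rule matches (here: traffic not originating inside the
    corporate network) fall through to an assumed default permit.
    """
    for rule in rulebase:
        if rule.from_corporate and not from_corporate:
            continue
        if rule.applications and application not in rule.applications:
            continue
        if rule.roles and not (rule.roles & set(roles)):
            continue
        return rule.number, rule.action, rule.bandwidth_kbps
    return None, PERMIT, 0

def shadowed_rules(rulebase):
    """Return numbers of rules that can never match because an earlier rule
    already matches every session they would (a common rulebase-ordering bug)."""
    def covers(a, b):
        apps_ok = not a.applications or bool(b.applications and b.applications <= a.applications)
        roles_ok = not a.roles or bool(b.roles and b.roles <= a.roles)
        scope_ok = not a.from_corporate or b.from_corporate
        return apps_ok and roles_ok and scope_ok
    return [later.number for i, later in enumerate(rulebase)
            if any(covers(earlier, later) for earlier in rulebase[:i])]
```

A full-time employee's peer-to-peer session is not dropped by rule 2 and so lands in rule 3's bandwidth pool, while moving rule 3 to the top would shadow rules 1 and 2 entirely.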