Policy - Edge Routing Rules

An overview of the Routing Rules policy for the Edges inside of the Byos network

Overview

Byos has a number of policy configurations that govern how the traffic moves between Byos Secure Edge microsegments, the internet, and Byos Secure Lobby itself.

As a reminder, these policies can be applied to different groups, and all Byos Secure Edges in the group will receive the same policy.


Internet Access

This policy governs whether or not the Edges in the Group have access to the internet.

  • Note: When this is set to "No", the Edges will not have internet access. However, if the Secure Lobby connection is established, the Edges will be able to communicate with other resources visible inside of Secure Lobby.

Start Secure Lobby on boot

By default, this policy will be set to "No" and the Secure Lobby connection has to be enabled by the administrator.

When this policy is set to "Yes", the Secure Lobby connection is turned on as soon as the Byos Secure Edge is turned on. When enabled, no packets will leave the endpoint until the Secure Lobby connection is established.

Allow Outbound Access to Secure Lobby

By default, this policy will be set to "No" and the Byos Secure Edge will only be able to receive inbound traffic from Secure Lobby. Setting this policy to "Yes" means traffic is able to move bidirectionally to and from the Edge to Secure Lobby.

Route All Traffic through Secure Lobby

By default, this policy will be set to "No" and the Byos Secure Edge will route clean TLS traffic to the internet and speak to the Byos Management Console continuously with regular beacons.

When the Secure Lobby connection is initiated, but this policy is set to "No", only Management Console traffic will be routed through Secure Lobby.

When this policy is set to "Yes", all traffic (regular internet + Management Console traffic) will be routed through Secure Lobby before reaching the internet.

Note: This is the most secure configuration, as no packets will touch the public internet before going through the controlled Byos Secure Lobby exit node. This policy will automatically turn on both Start Secure Lobby on boot and Allow Outbound Access to Secure Lobby.

Outbound Access to LAN

By default, this policy will be set to "No", and the Byos Secure Edge will not be able to talk with other devices on the local network (LAN).

Zone Membership (alpha)

This policy determines the physical network segment of the Zone that the group will belong to. Upon Group creation, the Policy Group will be set to be in the Default Zone at 172.20.0.0.

Login Required

This Zone policy setting determines whether or not a login is required locally from the End User's side of the Endpoint Edge. By default, this is set to "Yes".

  • When set to "No", the Edge can be plugged in and connected to the network, and the Edge will immediately allow traffic to reach the device(s) in the microsegment.

How will traffic flow in the network with different routing rule sets?

Scenario 1: Regular Internet + LAN Access

  • Internet traffic allowed
  • Outbound access to LAN allowed

Scenario 2: Internet + Inbound SL + LAN

  • Internet access allowed
  • Only inbound Secure Lobby traffic allowed
  • Outbound access to LAN allowed

Scenario 3: Regular Internet + Inbound & Outbound SL + LAN

  • Internet access allowed
  • Inbound and outbound access to Secure Lobby allowed
  • Outbound access to LAN allowed

Scenario 4: Full SL Routing to Internet + No Access to LAN

  • Internet access is allowed and is routing through Secure Lobby
  • Inbound and outbound access to Secure Lobby allowed
  • Access to LAN not allowed

Scenario 5: Full SL Routing to Internet + Only First Hop of the LAN

  • Internet access is allowed and is routing through Secure Lobby
  • Inbound and outbound access to Secure Lobby allowed
  • Access to LAN allowed (but only the first hop of the network, and not subsequent ones)

Scenario 6: No Internet + Inbound SL Routing + No Access to LAN

  • Internet access is not allowed
  • Inbound access from Secure Lobby is allowed
  • Access to LAN is not allowed

Scenario 7: No Internet + Full SL Routing + No Access to LAN

  • Internet access is not allowed
  • Inbound and outbound access to Secure Lobby is allowed
  • Access to LAN is not allowed

Scenario 8: No traffic allowed

  • No outbound or inbound traffic allowed
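To make the interaction between the policies above concrete, here is an added example (written for this page, not Byos code) that models the routing rules as a small decision function and evaluates each destination class for the scenarios listed. It encodes the rules the page states: "Route All Traffic through Secure Lobby" implies start-on-boot and outbound lobby access, start-on-boot holds all packets until the lobby connection exists, Management Console traffic goes through the lobby once it is connected, and the Edge only receives from the lobby unless outbound access is set. The field names, the verdict strings, the assumed default of Internet Access being allowed, and the handling of Management Console beacons when no lobby connection exists are assumptions for illustration; Scenario 5's first-hop-only LAN restriction is not modelled.

```python
# Added example: a model of the Byos Edge routing rules as described on this
# page. Not Byos code; field names, verdict strings, the assumed Internet
# Access default and the Management Console handling without a lobby
# connection are assumptions made for illustration.
from dataclasses import dataclass, replace

BLOCKED = "blocked"
WAITING = "blocked (waiting for Secure Lobby connection)"
DIRECT = "direct"
VIA_LOBBY = "via-lobby"

DESTINATIONS = ("internet", "management_console", "lobby", "lan")


@dataclass(frozen=True)
class RoutingPolicy:
    """One group's routing-rule policy. Defaults are "No" as the page states,
    except internet_access, whose default is assumed here to be allowed."""
    internet_access: bool = True
    start_lobby_on_boot: bool = False
    allow_outbound_to_lobby: bool = False
    route_all_through_lobby: bool = False
    outbound_access_to_lan: bool = False

    def effective(self) -> "RoutingPolicy":
        # Page rule: "Route All Traffic through Secure Lobby" = Yes automatically
        # turns on "Start Secure Lobby on boot" and outbound access to the lobby.
        if self.route_all_through_lobby:
            return replace(self, start_lobby_on_boot=True, allow_outbound_to_lobby=True)
        return self


def route(policy: RoutingPolicy, destination: str, lobby_connected: bool) -> str:
    """Verdict for one outbound flow from the Edge: direct, via-lobby or blocked."""
    if destination not in DESTINATIONS:
        raise ValueError(f"unknown destination {destination!r}")
    p = policy.effective()
    # Start-on-boot: no packets leave the endpoint until the lobby is up.
    if p.start_lobby_on_boot and not lobby_connected:
        return WAITING
    if destination == "lan":
        return DIRECT if p.outbound_access_to_lan else BLOCKED
    if destination == "lobby":
        # Resources inside Secure Lobby need an established connection and
        # outbound access; with outbound = No the Edge only receives from the lobby.
        return VIA_LOBBY if (lobby_connected and p.allow_outbound_to_lobby) else BLOCKED
    if destination == "management_console":
        # Once the lobby is connected, console traffic goes through it even when
        # "Route All Traffic" is No. Assumption: without a lobby connection the
        # beacons use the ordinary internet path and so depend on Internet Access.
        if lobby_connected:
            return VIA_LOBBY
        return DIRECT if p.internet_access else BLOCKED
    # destination == "internet"
    if not p.internet_access:
        return BLOCKED
    if lobby_connected and p.route_all_through_lobby:
        return VIA_LOBBY
    return DIRECT


def inbound_from_lobby_allowed(policy: RoutingPolicy, lobby_connected: bool) -> bool:
    """Inbound traffic from Secure Lobby is accepted whenever the connection exists."""
    return lobby_connected


# The page's scenarios encoded as (policy, lobby connected); constructed values.
# Scenario 5's "first hop only" LAN restriction is not modelled.
SCENARIOS = {
    "1": (RoutingPolicy(outbound_access_to_lan=True), False),
    "2": (RoutingPolicy(outbound_access_to_lan=True), True),
    "3": (RoutingPolicy(allow_outbound_to_lobby=True, outbound_access_to_lan=True), True),
    "4": (RoutingPolicy(route_all_through_lobby=True), True),
    "6": (RoutingPolicy(internet_access=False), True),
    "7": (RoutingPolicy(internet_access=False, route_all_through_lobby=True), True),
    "8": (RoutingPolicy(internet_access=False), False),
}


def scenario_table() -> dict:
    """Verdict per destination for every scenario, plus whether inbound lobby traffic is accepted."""
    table = {}
    for name, (policy, connected) in SCENARIOS.items():
        row = {d: route(policy, d, connected) for d in DESTINATIONS}
        row["inbound_from_lobby"] = inbound_from_lobby_allowed(policy, connected)
        table[name] = row
    return table


if __name__ == "__main__":
    for name, row in scenario_table().items():
        print(f"scenario {name}: {row}")
```

Running the script prints one row per scenario. The point worth checking against your own group policy is the implied-policy step in `effective()`: turning on "Route All Traffic through Secure Lobby" for a group also commits it to start-on-boot, so an Edge in that group sends nothing at all until its lobby connection is up, which is exactly the behaviour Scenario 4 relies on and the one to verify when a newly booted Edge appears to have no connectivity.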

Last updated on November 14, 2022