Firewall Administration

The VPN Gateway uses a policy- and rule-based implementation for firewall management and administration. The Customer Account Administrator defines policies in the AT&T Administration Server. Each Firewall Policy contains a set of allow, deny, forward (Port Forwarding), and log rules that the VPN Gateway will enforce on each of its interfaces. Once established, policies can be associated with the individual VPN Gateway Device Profiles stored in the AT&T Administration Server.

  • Policies are defined and associated with a single customer account.
  • Rules can be duplicated in multiple policies.
  • Policies can be shared by multiple VPN Gateway Device Profiles.
  • Each VPN Gateway Device Profile has a single firewall policy assigned to it.

The VPN Gateway monitors three separate network interface groups. Unique firewall rules can be defined within each policy for each of the three network interface groups. The network interface groups are defined as:

  • Internet: The Ethernet broadband or analog/ISDN/cellular dial connection the VPN Gateway uses to reach the Internet. The Internet interface is treated as untrusted, and the default firewall policy restricts most inbound traffic on it.
  • LAN: The Ethernet or WiFi connection through which client devices use the VPN Gateway for network access. The LAN interface is treated as trusted, and the default firewall policy is liberal for all traffic on it. This interface group also covers all cascaded networks, alias and VLAN definitions, so the liberal default applies to every one of those segments; if any of them is less trusted than the primary LAN, tighten the LAN rules in the policy rather than relying on the default.
  • Tunnel: The virtual connection established over the physical Internet connection, providing secure access to a remote network. The Tunnel interface is treated as trusted, and the default firewall policy is liberal for all traffic on it.

Two generic firewall policies are defined in the AT&T Administration Server: the Required Firewall Policy and the Default Firewall Policy. The Required Firewall Policy defines the rules that must be present in every customer-defined policy; a customer policy cannot drop them. The Default Firewall Policy defines the rules that are populated automatically whenever a new policy is created, and the Account Administrator can alter these Default rules as needed. Together they let Account Administrators build a policy set tailored to their corporation while staying within the constraints the VPN Gateway imposes.
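The relationships described on this page (per-interface-group rules, a Default policy that seeds every new policy, a Required policy whose rules must survive in every customer policy, shareable policies, and exactly one policy per Device Profile) as a small Python model. This is an added example, not AT&T's code or the Administration Server's data model: the rule fields, first-match evaluation with log rules falling through, the implicit deny when nothing matches, and the contents of the two generic policies are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INTERFACE_GROUPS = ("internet", "lan", "tunnel")
ACTIONS = ("allow", "deny", "forward", "log")


@dataclass(frozen=True)
class Rule:
    """One firewall rule. The field layout is an assumption, not the product's schema."""
    interface: str                    # one of INTERFACE_GROUPS
    action: str                       # one of ACTIONS
    proto: str = "any"                # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None    # None matches every destination port
    forward_to: Optional[str] = None  # target host:port, only for "forward" rules

    def __post_init__(self):
        if self.interface not in INTERFACE_GROUPS or self.action not in ACTIONS:
            raise ValueError(f"bad rule: {self}")
        if (self.action == "forward") != (self.forward_to is not None):
            raise ValueError("forward rules, and only forward rules, need forward_to")

    def matches(self, interface: str, proto: str, dst_port: int) -> bool:
        return (self.interface == interface
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, interface: str, proto: str, dst_port: int) -> Tuple[str, bool]:
        """First matching allow/deny/forward rule decides (assumed first-match
        semantics); a matching log rule only sets the logged flag and falls through.
        Returns (decision, logged)."""
        logged = False
        for r in self.rules:
            if not r.matches(interface, proto, dst_port):
                continue
            if r.action == "log":
                logged = True
                continue
            return r.action, logged
        return "deny", logged  # assumed implicit deny when nothing matches


# Constructed contents for the two generic policies; the real rule sets are not on the page.
REQUIRED = Policy("Required Firewall Policy", [
    Rule("internet", "deny", "tcp", 23),    # assumed: never accept telnet from the Internet
    Rule("internet", "allow", "udp", 500),  # assumed: keep the IKE port reachable for the tunnel
])
DEFAULT = Policy("Default Firewall Policy", REQUIRED.rules + [
    Rule("lan", "allow"),      # LAN is trusted: liberal default
    Rule("tunnel", "allow"),   # Tunnel is trusted: liberal default
    Rule("internet", "log"),   # record what the Internet side rejects ...
    Rule("internet", "deny"),  # ... then reject it
])


def new_policy(name: str) -> Policy:
    """A new customer policy starts as a copy of the Default rules."""
    return Policy(name, list(DEFAULT.rules))


def missing_required(policy: Policy) -> List[Rule]:
    """Required rules that a customer-defined policy no longer carries."""
    present = set(policy.rules)
    return [r for r in REQUIRED.rules if r not in present]


def assign_policy(profiles: Dict[str, Policy], profile: str, policy: Policy) -> None:
    """Bind a policy to a Device Profile: one policy per profile (a new assignment
    replaces the old one), and the policy must still carry every Required rule."""
    missing = missing_required(policy)
    if missing:
        raise ValueError(f"{policy.name} lacks required rules: {missing}")
    profiles[profile] = policy


if __name__ == "__main__":
    profiles: Dict[str, Policy] = {}
    branch = new_policy("branch-offices")
    branch.rules.insert(0, Rule("internet", "forward", "tcp", 443, forward_to="10.0.0.5:443"))
    assign_policy(profiles, "gw-0001", branch)
    assign_policy(profiles, "gw-0002", branch)      # one policy shared by two profiles
    print(branch.evaluate("internet", "tcp", 443))   # ('forward', False)
    print(branch.evaluate("internet", "tcp", 8080))  # ('deny', True)
    broken = Policy("broken", [r for r in branch.rules if r.dst_port != 23])
    try:
        assign_policy(profiles, "gw-0003", broken)
    except ValueError as e:
        print("rejected:", e)
```

The check in `assign_policy` is the one a reviewer of a customer policy actually wants: the policy is compared against the Required rule set at assignment time, so a rule that was deleted after the policy was seeded from the Default set is caught before any Device Profile picks it up.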