# Security and Policy
Security features in netverdict are modelled around packet and control-plane outcomes: whether traffic is permitted, denied, translated, encrypted, marked, or routed differently after policy. The engine favours deterministic policy reasoning over appliance emulation.
For narrow deep dives, see ACL, NAT, Route Policy, IPsec, Zone-Based Firewall, and QoS.
## Support level

| Area | Level | What this means |
|---|---|---|
| IPv4 standard ACLs | Supported | Numbered and named standard ACLs match source IPv4 prefixes and can bind to interfaces. |
| IPv4 extended ACLs | Supported | IP, ICMP, TCP, UDP, protocol, port, operator, range, host, and subnet matches. |
| IPv6 ACLs | Supported | Named IPv6 ACLs and interface traffic filters. |
| Object groups | Supported | Network and service object groups participate in ACL evaluation. |
| Time ranges | Supported | ACL entries can be gated by simulation date/time. |
| ACL analysis | Supported | Shadowing, malformed-entry checks, and flow-search surfaces. |
| Prefix-lists | Supported | Route-policy matching for BGP, redistribution, and import/export analysis. |
| AS-path ACLs | Supported | Regex-like AS_PATH matching for BGP route-maps. |
| Community-lists | Supported | Standard exact matching and expanded regex matching. |
| Route-maps | Supported | Match/set model shared by BGP, redistribution, and policy checks. |
| Static NAT | Supported | Inside/outside static IPv4 translations. |
| Dynamic NAT / PAT | Supported | Pool/list translation and overload PAT on interface or pool. |
| ASA twice NAT | Behaviour model | Parser/runtime coverage for modelled ASA-style NAT scenarios. |
| Zone-based firewall | Behaviour model | Zones, zone-pairs, class-maps, policy-maps, inspect/drop/pass. |
| GRE tunnels | Supported | IPv4 GRE tunnel encapsulation and forwarding. |
| IPsec tunnel mode | Behaviour model | IKE/IPsec configuration, SA solver, ESP datapath, and selector reasoning. |
| IKEv2 | Behaviour model | Selected profile/keyring/proposal surface for tunnel establishment labs. |
| QoS classification | Behaviour model | Class maps match ACLs/protocols where implemented. |
| QoS marking | Supported | DSCP/precedence metadata can be set on packets. |
| QoS scheduling | Not modelled | Queue timing, WRED, shaping rate behaviour, and hardware queues are out of scope. |
## Standards coverage

| Standard / feature family | Coverage | Notes |
|---|---|---|
| Cisco ACL semantics | Supported | Standard/extended ACL ordering, implicit deny, wildcard masks, ports, and interface binding. |
| IPv6 ACL semantics | Supported | Named IPv6 ACLs with deterministic permit/deny evaluation. |
| RFC 3022 | Supported | Traditional NAT behaviour for static and overload translation outcomes. |
| Cisco ASA twice NAT style | Behaviour model | Ordered NAT rule matching and translation outcome for supported cases. |
| RFC 2784 | Supported | GRE tunnel forwarding behaviour. |
| IKEv2 / IPsec tunnel mode | Behaviour model | Tunnel selectors, SA state, and ESP forwarding outcome; no real crypto negotiation. |
| DSCP / RFC 2474 style | Behaviour model | DSCP field marking and policy metadata. |
| Cisco MQC | Behaviour model | Class-map, policy-map, and service-policy structure. |
| Cisco ZBFW style | Behaviour model | Zone membership, zone-pair direction, class matching, and actions. |
| BGP policy families | Supported | Prefix-list, route-map, AS-path ACL, and community-list semantics used by BGP. |
## Feature matrix

| Feature | Status | Notes |
|---|---|---|
| ACL first-match order | Supported | Entries are evaluated in order with implicit deny. |
| Wildcard masks | Supported | Cisco wildcard semantics are used for IPv4 ACLs. |
| TCP/UDP port operators | Supported | eq, neq, lt, gt, and range style matches where parsed. |
| ICMP type matching | Supported | ICMP permit/deny rules affect ping and flow checks. |
| Interface ACL binding | Supported | Inbound/outbound filters participate in packet evaluation. |
| Object-group expansion | Supported | Network/service groups are resolved during ACL evaluation. |
| Time-range gates | Supported | Time-scoped ACL entries depend on simulation clock. |
| Prefix-list sequence order | Supported | Ordered prefix policy with permit/deny outcomes. |
| Route-map match/set | Supported | Match prefix/community/AS-path and set attributes/next-hop/metric where implemented. |
| Community-list matching | Supported | Standard exact and expanded regex forms. |
| Static inside NAT | Supported | One-to-one translation. |
| PAT overload | Supported | Many-to-one translation with port state. |
| NAT inside/outside interfaces | Supported | Translation only applies across configured NAT domains. |
| NAT order | Behaviour model | Supported NAT rules are evaluated deterministically. |
| ZBFW zone membership | Supported | Interfaces can be assigned to zones. |
| ZBFW inspect/pass/drop | Behaviour model | Matching traffic can create return-state or be allowed/dropped statelessly. |
| GRE tunnel interfaces | Supported | Tunnel source/destination and overlay addressing. |
| IPsec crypto map / profile surface | Behaviour model | Supported fields feed tunnel establishment and selectors. |
| ESP datapath | Behaviour model | Protected traffic can traverse the tunnel outcome. |
| QoS class-map / policy-map | Supported | Classification and action containers. |
| DSCP set action | Supported | Packet metadata can be marked. |
| Policing/shaping syntax | Config model | Stored/emitted where parsed; no queue scheduler. |
## Vendor command matrix

| Command | IOS-style | ASA-style | Junos-style | VyOS-style | Notes |
|---|---|---|---|---|---|
| `access-list 10 permit 10.0.0.0 0.0.0.255` | Supported | Partial | n/a | Partial | Standard IPv4 ACL. |
| `ip access-list extended WEB-IN` | Supported | Partial | n/a | Partial | Extended ACL container. |
| `permit tcp host 10.0.10.10 any eq 443` | Supported | Supported | Partial | Partial | TCP/port match. |
| `ipv6 access-list V6-IN` | Supported | n/a | Partial | Partial | IPv6 ACL. |
| `object-group network SERVERS` | Supported | Supported | n/a | n/a | Network object group. |
| `time-range BUSINESS-HOURS` | Supported | n/a | n/a | n/a | Time-gated ACL entry. |
| `ip access-group WEB-IN in` | Supported | n/a | Partial | Partial | Interface ACL binding. |
| `ip prefix-list PL seq 10 permit 10.0.0.0/8 le 24` | Supported | Partial | Supported | Supported | Prefix policy. |
| `ip as-path access-list 10 permit ^65001_` | Supported | n/a | Partial | Partial | AS_PATH policy. |
| `ip community-list standard CUST permit 65000:10` | Supported | n/a | Partial | Partial | Community policy. |
| `route-map RM permit 10` | Supported | Partial | Partial | Supported | Route-policy container. |
| `set local-preference 200` | Supported | n/a | Supported | Supported | BGP route-map action. |
| `ip nat inside source static ...` | Supported | n/a | Partial | Supported | Static NAT. |
| `ip nat inside source list 10 interface ... overload` | Supported | n/a | Partial | Supported | PAT overload. |
| `nat (inside,outside) source static ...` | n/a | Behaviour model | n/a | n/a | ASA twice NAT form. |
| `zone security INSIDE` | Supported | n/a | n/a | n/a | ZBFW zone. |
| `zone-pair security ZP source INSIDE destination OUTSIDE` | Supported | n/a | n/a | n/a | ZBFW direction. |
| `class-map type inspect` | Supported | n/a | n/a | n/a | ZBFW/MQC class. |
| `policy-map type inspect` | Supported | n/a | n/a | n/a | ZBFW policy. |
| `interface Tunnel0` / `tunnel mode gre ip` | Supported | n/a | Partial | Supported | GRE tunnel. |
| `crypto ikev2 proposal` | Partial | Partial | n/a | Partial | IKEv2 config surface. |
| `crypto map VPN 10 ipsec-isakmp` | Behaviour model | Behaviour model | n/a | Partial | IPsec tunnel selector. |
| `class-map match-any VOICE` | Supported | n/a | Partial | Partial | QoS classification. |
| `policy-map WAN-OUT` | Supported | n/a | Partial | Partial | QoS policy. |
| `set dscp ef` | Supported | n/a | Partial | Partial | Marking action. |
| `show access-lists` | Supported | Partial | Partial | Partial | ACL state. |
| `show ip nat translations` | Supported | n/a | Partial | Partial | NAT table. |
| `show policy-map interface` | Supported | n/a | Partial | Partial | QoS policy view. |
| `show crypto ipsec sa` | Behaviour model | Behaviour model | n/a | Partial | IPsec SA view. |
## Behaviour notes

ACL and firewall evaluation is deterministic and ordered. ACLs use first-match semantics with an implicit deny. Zone-based firewall adds zone membership and direction before class/action evaluation.
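As an added illustration of the ordered first-match evaluation, implicit deny and Cisco wildcard semantics described above (example code written for this page, not netverdict's own engine), the block below evaluates the WEB-IN ACL from the Examples section and flags entries that an earlier entry shadows. The `Ace` tuple, the textual address specs and the port-operator set (`eq`/`neq`/`lt`/`gt`, no `range`) are assumptions of this sketch.

```python
import ipaddress
from collections import namedtuple
ALL = 0xFFFFFFFF
# An ACE: action "permit"/"deny"; proto "ip"/"tcp"/"udp"/"icmp"; src and dst are
# "any", "host A" or "A WILDCARD"; dport is ("eq", 443)-style or None (any port).
Ace = namedtuple("Ace", "action proto src dst dport", defaults=(None,))

def _addr(spec):
    """(network, fixed-bit mask); Cisco wildcard: a 0 wildcard bit must match exactly."""
    if spec == "any":
        return 0, 0
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec[5:])), ALL
    net, wild = spec.split()
    mask = ~int(ipaddress.IPv4Address(wild)) & ALL
    return int(ipaddress.IPv4Address(net)) & mask, mask

def _covers(outer, inner):
    """True when every address matched by inner is also matched by outer."""
    return (inner[1] & outer[1]) == outer[1] and (inner[0] & outer[1]) == outer[0]

def _port_ok(op, port):
    """No operator matches any port; a portless flow (ICMP) satisfies no operator."""
    if op is None or port is None:
        return op is None
    kind, val = op
    return {"eq": port == val, "neq": port != val, "lt": port < val, "gt": port > val}[kind]

def evaluate(acl, proto, src, dst, dport=None):
    """Ordered first match; falling off the end is the implicit deny -> ("deny", None)."""
    s, d = (int(ipaddress.IPv4Address(src)), ALL), (int(ipaddress.IPv4Address(dst)), ALL)
    for i, ace in enumerate(acl):
        if (ace.proto in ("ip", proto) and _covers(_addr(ace.src), s)
                and _covers(_addr(ace.dst), d) and _port_ok(ace.dport, dport)):
            return ace.action, i
    return "deny", None

def shadowed(acl):
    """Indexes of entries an earlier entry fully covers (port operators must be absent or equal)."""
    return [i for i, ace in enumerate(acl) if any(
        p.proto in ("ip", ace.proto) and _covers(_addr(p.src), _addr(ace.src))
        and _covers(_addr(p.dst), _addr(ace.dst)) and p.dport in (None, ace.dport)
        for p in acl[:i])]

# The WEB-IN ACL from this page, and a constructed ACL whose second entry is unreachable.
WEB_IN = [Ace("permit", "tcp", "host 10.0.10.10", "any", ("eq", 443)),
          Ace("deny", "icmp", "host 10.0.10.10", "any"),
          Ace("permit", "ip", "any", "any")]
STRICT = [Ace("permit", "tcp", "10.0.0.0 0.0.0.255", "any", ("eq", 22)),
          Ace("deny", "tcp", "host 10.0.0.7", "any", ("eq", 22))]
```

The shadow check is deliberately conservative: it only reports an entry when an earlier entry's addresses, protocol and port operator provably cover it, so overlapping `lt`/`gt` operators are left for a fuller analysis.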
NAT is evaluated as a packet transformation before or after routing according to the supported NAT family. The model tracks translation outcome and return state, not every platform-specific NAT table flag.
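An added sketch of the translation-outcome and return-state behaviour described above for the page's PAT overload case (example code, not netverdict's own NAT model). It assumes a CIDR in place of the inside ACL, a simple counter for port allocation, and a `Flow` tuple for the 5-tuple; all three are simplifications of this sketch.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")

class PatOverload:
    """Many-to-one PAT: inside sources in `inside_list` are rewritten to the outside
    interface address; return traffic is mapped back only from recorded port state."""
    def __init__(self, inside_list, outside_ip, first_port=1024):
        self.inside_net = ipaddress.IPv4Network(inside_list)   # stands in for `list 10`
        self.outside_ip = outside_ip                            # the `interface ... overload` address
        self.next_port = first_port
        self.table = {}      # (proto, translated port) -> (inside ip, inside port)
        self.reverse = {}    # (proto, inside ip, inside port) -> translated port

    def inside_to_outside(self, f):
        """Packet entering on `ip nat inside`, leaving on `ip nat outside`."""
        if ipaddress.IPv4Address(f.src) not in self.inside_net:
            return f, "no-translation"        # not in the NAT list: forwarded untouched
        key = (f.proto, f.src, f.sport)
        if key not in self.reverse:           # first packet of the flow allocates a port
            while (f.proto, self.next_port) in self.table:
                self.next_port += 1
            self.reverse[key] = self.next_port
            self.table[(f.proto, self.next_port)] = (f.src, f.sport)
            self.next_port += 1
        return f._replace(src=self.outside_ip, sport=self.reverse[key]), "translated"

    def outside_to_inside(self, f):
        """Return packet: only a recorded (proto, port) binding is translated back."""
        entry = self.table.get((f.proto, f.dport))
        if f.dst != self.outside_ip or entry is None:
            return None, "dropped"            # unsolicited or unknown: no inside target
        return f._replace(dst=entry[0], dport=entry[1]), "translated"
```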
Route policy is shared by routing protocols. Prefix-lists, AS-path ACLs, community-lists, and route-maps feed BGP and redistribution-style decisions. This is why security-policy pages and routing-policy pages overlap: the same canonical IR backs both views.
IPsec is intentionally a tunnel-behaviour model. It is useful for selectors, reachability, and ESP path reasoning, but the engine does not perform real cryptography, certificate validation, or vendor-specific negotiation races.
QoS currently changes packet metadata and records policy structure. It does not run a packet scheduler, congestion model, or hardware queue simulator.
## Examples

### Extended ACL protecting a server

```
configure terminal
ip access-list extended WEB-IN
 permit tcp host 10.0.10.10 any eq 443
 deny icmp host 10.0.10.10 any
 permit ip any any
interface GigabitEthernet0/1
 ip access-group WEB-IN in
end
show access-lists
```

### Vendor styles

#### IOS-style

```
ip access-list extended WEB-IN
 permit tcp host 10.0.10.10 any eq 443
 deny icmp host 10.0.10.10 any
 permit ip any any
interface GigabitEthernet0/1
 ip access-group WEB-IN in
```

#### Junos-style

```
set firewall family inet filter WEB-IN term HTTPS from source-address 10.0.10.10/32
set firewall family inet filter WEB-IN term HTTPS from protocol tcp
set firewall family inet filter WEB-IN term HTTPS from destination-port 443
set firewall family inet filter WEB-IN term HTTPS then accept
set firewall family inet filter WEB-IN term DEFAULT then accept
set interfaces ge-0/0/1 unit 0 family inet filter input WEB-IN
```

#### VyOS-style

```
set firewall ipv4 name WEB-IN rule 10 action accept
set firewall ipv4 name WEB-IN rule 10 source address 10.0.10.10
set firewall ipv4 name WEB-IN rule 10 protocol tcp
set firewall ipv4 name WEB-IN rule 10 destination port 443
set interfaces ethernet eth1 firewall in name WEB-IN
```

### PAT overload

```
configure terminal
access-list 10 permit 10.0.0.0 0.0.0.255
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
ip nat inside source list 10 interface GigabitEthernet0/1 overload
end
show ip nat translations
```

### Zone-based firewall inspection

```
configure terminal
zone security INSIDE
zone security OUTSIDE
class-map type inspect match-any WEB
 match protocol http
policy-map type inspect INSIDE-OUT
 class type inspect WEB
  inspect
zone-pair security ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUT
end
show policy-map type inspect zone-pair
```

### GRE tunnel with protected prefix intent

```
configure terminal
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
ip route 10.20.0.0 255.255.0.0 Tunnel0
end
show interfaces Tunnel0
show ip route 10.20.0.0
```

## Known limits

The security model is not a firewall appliance emulator. Counters, logging formats, inspection protocol parsers, ALG behaviour, and platform-specific fast-path details are intentionally limited.
IPsec does not perform real encryption, certificate-chain validation, NAT-T encapsulation, DPD negotiation, or every IKE proposal mismatch edge case.
QoS does not include queue scheduling, congestion, WRED probability, shaping timers, LLQ starvation behaviour, or platform-specific hardware queues.
ASA twice NAT support is focused on modelled scenarios. Complex real-world NAT rule interactions should be treated as partial unless covered by a specific lab or test.