Cisco IP Solution Center Security User Guide, 3.0
Firewall Services


Table Of Contents

Firewall Services

ISC Firewall Provisioning Features

Creating Firewall Policies

Specifying General Parameters

Creating Access Rules

Specifying Inspection Rules

Applying URL Filtering

Specifying a Syslog Server

Specifying Authentication Proxy

Creating Firewall Service Requests

Adding Templates To Service Requests (Optional)


Firewall Services


This chapter contains the following sections:

ISC Firewall Provisioning Features

Creating Firewall Policies

Creating Firewall Service Requests


Note Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each target device as a CPE device.

CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you must define at least one outside and one inside interface on each CPE device.

For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.


ISC Firewall Provisioning Features

The following features are supported by ISC firewall provisioning:

Access Rules - Also referred to as access control lists, access rules filter network traffic by controlling whether IP packets are forwarded or blocked at a specified device interface. The device examines each packet against the criteria you specify in the firewall policy to decide whether to forward or drop it. Access list criteria can be source or destination addresses, upper-layer protocols and ports, or other packet content.

Inspection Rules

CBAC: A Cisco IOS-only feature. Context-based Access Control (CBAC) examines not only network-layer and transport-layer information but also application-layer protocol information (such as FTP control-channel commands) to track the state of TCP and UDP connections. CBAC maintains state for each connection and uses it to decide whether packets should be permitted or denied, dynamically creating and deleting temporary openings in the firewall for the return traffic of sessions that originated from the protected side. For more information, refer to the following URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1826/products_feature_guide09186a0080080f4d.html#xtocid13

Fixup: A PIX Firewall-only feature. Fixups are the PIX Firewall inspection rules, equivalent to CBAC. For more information, refer to the following URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb727.html

URL filtering - This feature enables your Cisco IOS and PIX Firewalls to interact with Websense or N2H2 URL filtering software, allowing you to prevent users from accessing specified web sites.

Exclusive domain filtering - Cisco IOS Firewall includes an exclusive domain feature that enables you to permit or deny a particular URL; this feature requires Cisco IOS Software Release 12.2 or later.

Syslog enabling - Messages produced by CPE devices that usually go to the console can be collected and stored by sending these messages to a syslog server. Syslogs enable you to gather information about traffic and performance, analyze logs for suspicious activity, and troubleshoot problems. All syslog messages have a logging facility and message level.

Authentication Proxy - A Cisco IOS-only feature. The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Users can be identified and authorized on the basis of their per-user policy, as opposed to a general policy applied across multiple users. A AAA server is required to use this feature.

Creating Firewall Policies

Provisioning firewalls with ISC requires creating a firewall policy. The policy is a set of attributes or configuration settings that ISC translates into configuration for the Cisco IOS routers and PIX Firewalls in your network. A policy can be global or customer-specific. Additionally, policies can inherit attributes from parent policies and be tailored to meet specific firewall configuration requirements. Once created, a firewall policy can be applied to multiple service requests and is not hardware-specific.


Note Once the policies have been created, they can be used in service requests. Each policy can be used multiple times, speeding up service provisioning and providing consistency.

Although policies can be edited on a per-service request basis, if you modify a policy, you must Force Deploy any associated service requests to update the policy in those service requests.


To create a Firewall Service Policy, perform the steps in the following sections:

Specifying General Parameters

Creating Access Rules

Specifying Inspection Rules

Applying URL Filtering

Specifying a Syslog Server

Specifying Authentication Proxy

Specifying General Parameters


Step 1 Click Home > Service Design > Policy Manager. The Policies page appears. If you have no policies defined, the Policies page appears as shown in Figure 6-1.

Figure 6-1 The Policies Page With No Policies Defined

If you have policies already defined, all previously defined policies appear on the Policies page as shown in Figure 6-2.

Figure 6-2 The Policies Page Populated With Policies

Step 2 Click Create > Firewall Policy. The Firewall Policy - General page appears as shown in Figure 6-3. Enter the values for your firewall policy fields by following the instructions in Table 6-1.

Figure 6-3 The Firewall Policy - General Page

Table 6-1 Firewall Policy Fields 

Field Name
Type
Instructions

Policy Name

text box

Enter a name for the policy.

Policy Owner

radio button

Specify whether the policy is global by clicking Global, or customer owned by clicking Customer.

If you select Customer, you are required to specify the owner. To do this, click Select. When you click Customer > Select, the Customer for Policy Owner Selection dialog box appears as shown in Figure 6-4. Click the button next to the customer you want to select and click Select to return to the Firewall Policy - General page, or click Cancel to exit the dialog box without saving changes.

Parent Policy

drop-down list

(Optional) You can specify a parent policy. Policies can be hierarchical. If policies conflict, the parent policy's rule overrides the child policy's rule unless the parent rule is explicitly marked as overridable (see the "Can child policy override this rule?" field in Table 6-2).

Sysopt Connection permit-ipsec

checkbox

Applicable to PIX Firewalls only. Select this option to generate the sysopt connection permit-ipsec command, which lets traffic arriving through an IPsec tunnel pass without being checked against the interface access lists. Leave it cleared if you want the access rules in this policy to apply to decrypted VPN traffic as well.


Figure 6-4 Customer for Policy Owner Selection Dialog Box

Step 3 Click Next to continue.
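The following Python script is an added example, not code from this guide or from ISC. It models how a policy hierarchy resolves: rules are inherited from the root policy down, and a child policy may replace an inherited rule only when that rule's "Can child policy override this rule?" box (described under Creating Access Rules) is checked. The rule key used to decide that two rules conflict (source, destination, direction, service, interface) and the policy names and rules are assumptions constructed for illustration.

```python
"""Added example: resolve the effective rules of an ISC-style policy hierarchy."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    direction: str
    service: str
    interface: str
    action: str                       # "permit" or "deny"
    child_can_override: bool = False  # the "Can child policy override this rule?" box

    def key(self):
        # Assumption for this example: two rules conflict when they match the
        # same traffic, i.e. agree on everything but the action.
        return (self.source, self.destination, self.direction, self.service, self.interface)


@dataclass
class Policy:
    name: str
    rules: list
    parent: Optional["Policy"] = None


def lineage(policy):
    """Policies from the root ancestor down to `policy`; rejects parent loops."""
    chain, seen = [], set()
    while policy is not None:
        if policy.name in seen:
            raise ValueError(f"parent loop through policy {policy.name!r}")
        seen.add(policy.name)
        chain.append(policy)
        policy = policy.parent
    return chain[::-1]


def effective_rules(policy):
    """Walk root-first. An inherited rule keeps its place unless it was marked
    overridable, in which case the child's rule replaces it (in the parent's
    position). Child rules that lose are returned as `shadowed` so the operator
    can see which of their rules would never be deployed."""
    effective = {}   # key -> (Rule, name of the policy that supplied it)
    shadowed = []    # (policy name, Rule) for child rules beaten by a locked parent rule
    for pol in lineage(policy):
        for r in pol.rules:
            k = r.key()
            if k in effective and not effective[k][0].child_can_override:
                shadowed.append((pol.name, r))
                continue
            effective[k] = (r, pol.name)
    return [r for r, _ in effective.values()], shadowed


def resolve(policy):
    """Map each rule key to the action that would actually be provisioned."""
    rules, _ = effective_rules(policy)
    return {r.key(): r.action for r in rules}


# Constructed sample: a global baseline and a customer policy that inherits it.
GLOBAL = Policy("global-baseline", [
    Rule("any", "any", "inbound", "tcp/23", "outside", "deny"),                           # locked
    Rule("any", "any", "inbound", "tcp/80", "outside", "deny", child_can_override=True),  # overridable
])
CUSTOMER = Policy("acme-web", [
    Rule("any", "any", "inbound", "tcp/23", "outside", "permit"),               # loses to the locked rule
    Rule("any", "any", "inbound", "tcp/80", "outside", "permit"),               # allowed to override
    Rule("any", "192.168.1.0/24", "inbound", "tcp/443", "outside", "permit"),   # customer-only rule
], parent=GLOBAL)

if __name__ == "__main__":
    rules, shadowed = effective_rules(CUSTOMER)
    for r in rules:
        print(f"{r.action:6} {r.service:8} {r.source} -> {r.destination}")
    for owner, r in shadowed:
        print(f"{owner}: rule {r.action} {r.service} is shadowed by a locked parent rule")
```

Run the script to see that the customer's attempt to permit Telnet never reaches the device, while its HTTP permit does; checking the shadowed list before deployment is the quickest way to find rules that an operator expects to be active but that a global policy silently overrides.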


Creating Access Rules

Before creating access rules, decide what traffic you want to allow through the device and what traffic you want to block. Once you have done this, continue with this section.


Step 1 The Firewall Policy - Access Rules page appears as shown in Figure 6-5 (because you clicked Next on the Firewall Policy - General page).


Note Alternately, if you are modifying an existing policy, click Home > Service Design > Policy Manager, select the name of the policy, and click Edit > Next to access the Firewall Policy - Access Rules page.


Figure 6-5 The Firewall Policy - Access Rules Page


Note Access rules 1 and 2 are example access rules. Remove them before deploying to production: they permit traffic into your network by default.

Additionally, you must create an access rule that permits management traffic to reach the device; otherwise the deployed access list can block ISC's own management connection to the CPE device.


Step 2 To create a new access rule, click Create. The Firewall Access Rule Editor dialog box appears as shown in Figure 6-6.

Figure 6-6 Firewall Access Rule Editor Dialog Box

Table 6-2 Firewall Access Rule Editor Fields 

Field Name
Type
Instructions

Policy Name

non-editable field

This is the name of the firewall policy, which you selected at the start of creating this policy.

Source

combo box

Specify the source address. The source address can be specified three ways:

Enter the address in a.b.c.d/n format, where a.b.c.d is the subnet and n is the prefix length (the number of network bits in the subnet mask, for example 10.1.0.0/16).

Enter any in the source field.

Select a network object by clicking Add. The Network Objects dialog box appears, as shown in Figure 6-7. Checkmark the network object you want to use and click Select. (Network objects are created at Home > Service Design > Network Objects Manager.) For more information on creating network objects, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.

Destination

combo box

Specify the destination address. The destination address can be specified three ways:

Enter the address in a.b.c.d/n format, where a.b.c.d is the subnet and n is the prefix length (the number of network bits in the subnet mask, for example 10.1.0.0/16).

Enter any in the destination field.

Select a network object by clicking Add. The Network Objects dialog box appears, as shown in Figure 6-7. Checkmark the network object you want to use and click Select. (Network objects are created at Home > Service Design > Network Objects Manager.) For more information on creating network objects, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.

Access Direction

drop-down list

Specify the direction of the traffic the rule applies to. If the traffic enters the device through the interface, select Inbound. If the traffic leaves the device through the interface, select Outbound.

Service

combo box

Specify the protocols the rule applies to. A default set of protocols and protocol bundles is provided, but additional protocols can be added and the defaults modified.

To choose a specific protocol, click Add Protocols. The Add Protocols dialog box appears as shown in Figure 6-8. Check the box for a protocol, or multiple boxes for multiple protocols, and click Select.

To add a group of protocols, click Add Protocol Bundles. The Add Protocol Bundles dialog box appears with the list of predefined protocol bundles, as shown in Figure 6-9. Check the box for a protocol bundle, or multiple boxes for multiple protocol bundles, and click Select.

Service Direction

drop-down list

Specify the service direction. The options are as follows:

Normal - The source port is not substituted for the destination port upon reply.

Reverse - Substitutes the destination port (from the request) with the source port upon reply.

Action

drop-down list

Specify the action to take when traffic matches the rule. The options are as follows:

Select Permit when you want to allow traffic through the interface.

Select Deny when you want to block traffic through the interface.

Interface

drop-down list

Specify the interface(s) to which to apply the rule. The options are as follows:

Inside - The inside interface.

Outside - The outside interface.

DMZ1 - The DMZ interface. (There can be multiple DMZ interfaces.)

Can child policy override this rule?

checkbox

Specify whether or not a child policy can override this rule. If yes, put a check mark. If not, leave it blank. Normally the parent policy will take precedence.

Comment

text box

(Optional) You can enter any comments here.

Save

button

Click Save when done to save changes and close the dialog box.

Cancel

button

Click Cancel to exit the dialog box without saving changes.


Figure 6-7 Network Objects Dialog Box

Figure 6-8 Add Protocols Dialog Box

Figure 6-9 Add Protocol Bundles Dialog Box

Step 3 When done, click Save.
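The following Python script is an added example, not code from this guide or from ISC. It shows what an access rule built from the fields in Table 6-2 becomes on a Cisco IOS device, and applies the two checks from the Note above in code: it flags rules shaped like the seeded example rules (permit, inbound on the outside interface, any source to any destination) and verifies that a rule permits management traffic from the ISC server to the device. The rendered configuration is the standard IOS named extended access list, not ISC's own configlet; the ISC server address 10.10.10.5, the CPE outside address 203.0.113.1, the interface name Serial0/0 and the sample rules are constructed for the example.

```python
"""Added example: render ISC-style access rules as Cisco IOS extended ACL lines
and lint them for the two pitfalls the Access Rules note describes."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    """One row of the Firewall Access Rule Editor (Table 6-2)."""
    source: str        # "a.b.c.d/n" or "any"
    destination: str   # "a.b.c.d/n" or "any"
    direction: str     # "inbound" or "outbound"
    service: str       # "tcp/22", "udp/514", or a bare protocol such as "ip"
    action: str        # "permit" or "deny"
    interface: str     # "inside", "outside", "dmz1", ...
    comment: str = ""


def acl_address(spec):
    """Convert a.b.c.d/n (or 'any') to the address/wildcard form IOS ACLs use.

    n is a prefix length, not a dotted mask, and IOS extended ACLs take an
    inverse (wildcard) mask, so 10.1.0.0/16 becomes '10.1.0.0 0.0.255.255'.
    """
    if spec.strip().lower() == "any":
        return "any"
    net = ipaddress.ip_network(spec, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def acl_entry(rule):
    """One access-list entry; a port in the service becomes an 'eq' match."""
    proto, _, port = rule.service.partition("/")
    entry = f"{rule.action} {proto} {acl_address(rule.source)} {acl_address(rule.destination)}"
    return f"{entry} eq {port}" if port else entry


def render_acl(name, rules, role, direction, ifname):
    """Named extended ACL for every rule bound to one interface role and
    direction, plus the access-group that applies it. The implicit final
    'deny ip any any' of an IOS ACL is written out so reviewers can see it."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        if r.interface == role and r.direction == direction:
            if r.comment:
                lines.append(f" remark {r.comment}")
            lines.append(f" {acl_entry(r)}")
    lines.append(" deny ip any any")
    lines.append(f"interface {ifname}")
    lines.append(f" ip access-group {name} {'in' if direction == 'inbound' else 'out'}")
    return lines


def _covers(spec, addr):
    return spec.strip().lower() == "any" or addr in ipaddress.ip_network(spec, strict=False)


def wide_open_rules(rules):
    """Rules shaped like the example rules the note says to remove: permit,
    inbound on the outside interface, any source to any destination."""
    return [r for r in rules
            if r.action == "permit" and r.direction == "inbound" and r.interface == "outside"
            and r.source.lower() == "any" and r.destination.lower() == "any"]


def permits_management(rules, isc_server, device_addr, service):
    """True if some inbound permit on the outside interface lets management
    traffic from the ISC server reach the device itself."""
    src, dst = ipaddress.ip_address(isc_server), ipaddress.ip_address(device_addr)
    return any(r.action == "permit" and r.direction == "inbound" and r.interface == "outside"
               and r.service in (service, "ip")
               and _covers(r.source, src) and _covers(r.destination, dst)
               for r in rules)


# Constructed sample data: the shape of the two seeded example rules, a
# management rule from a hypothetical ISC server 10.10.10.5 to a CPE whose
# outside address is 203.0.113.1, and one site rule.
EXAMPLE_RULES = [
    AccessRule("any", "any", "inbound", "tcp", "permit", "outside", "example rule 1"),
    AccessRule("any", "any", "inbound", "udp", "permit", "outside", "example rule 2"),
]
MGMT_RULE = AccessRule("10.10.10.5/32", "203.0.113.1/32", "inbound", "tcp/22",
                       "permit", "outside", "ISC management (SSH)")
SITE_RULES = [
    MGMT_RULE,
    AccessRule("any", "192.168.1.0/24", "inbound", "tcp/80", "deny", "outside", "no HTTP into the LAN"),
]

if __name__ == "__main__":
    for r in wide_open_rules(EXAMPLE_RULES + SITE_RULES):
        print(f"remove before deployment: {acl_entry(r)}  ({r.comment})")
    print("management reachable:", permits_management(SITE_RULES, "10.10.10.5", "203.0.113.1", "tcp/22"))
    print("\n".join(render_acl("OUTSIDE_IN", SITE_RULES, "outside", "inbound", "Serial0/0")))
```

Note that a wide-open example rule also satisfies the management check, which is exactly why the two checks belong together: remove the example rules first, then confirm management access still passes.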


Specifying Inspection Rules


Step 1 Click Next to continue. The Firewall Policy - Inspect Rules page appears as shown in Figure 6-10.


Note Alternately, if you are modifying an existing policy, click Home > Service Design > Policy Manager, select the name of the policy, and click Edit > Next > Next to access the Firewall Policy - Inspect Rules page.


Figure 6-10 The Firewall Policy - Inspection Rules Page

Step 2 There are two default inspection rules, one for TCP and one for UDP traffic. To add additional rules, click Create. The Firewall Policy - Inspection Rule Editor dialog box appears as shown in Figure 6-11.

Figure 6-11 Firewall Inspection Rule Editor Dialog Box

Table 6-3 Firewall Inspection Rule Editor Fields 

Field Name
Type
Instructions

Application

drop-down list

Specify the applications whose packets should be inspected. Choose an application from the drop-down list. Depending on the application you choose, some of the following fields become required.

Port

Text box

Enter a port. Some applications require you to specify a port.

End Port

Text box

(Optional) To inspect a range of ports, enter the last port of the range here; the Port field then holds the first port of the range.

RPC Program Number

Text box

If grayed out, you do not need to enter an RPC number. Otherwise, enter the RPC program number for the protocol.

Save

button

Click Save when done to save changes and close the dialog box.

Cancel

button

Click Cancel to exit the dialog box without saving changes.


Step 3 Click Save.


Applying URL Filtering

For Cisco IOS and PIX Firewall devices, you can perform URL filtering by linking to third-party software, either N2H2 or Websense. To use this feature, you must specify the location of the server running the URL filtering software.

For Cisco IOS devices only, if you have a URL pattern that you want to filter out, you can enter the URL pattern in the URL Exclusive Domains section of the URL Filtering page.


Step 1 Click Next to continue. The Firewall Policy - URL Filtering page appears as shown in Figure 6-12.


Note Alternately, if you are modifying an existing policy, click Home > Service Design > Policy Manager, select the name of the policy, and click Edit > Next > Next > Next to access the Firewall Policy - URL Filtering page.


Figure 6-12 The Firewall Policy - URL Filtering Page

Step 2 Follow the instructions in Table 6-4 to apply URL filtering.

Table 6-4 Firewall Policy - URL Filtering Fields 

Field Name
Type
Instructions

Enable URL Filtering

checkbox

To turn on URL filtering, put a check mark in this field.

Vendor Name

drop-down list

Choose the third-party URL filtering software vendor name, either Websense or N2H2.

Timeout

text box

Enter a timeout value that specifies how long the device waits for a response from the URL filtering server (Websense or N2H2) before timing out.

Interface

drop-down list

Specify the device interface through which the URL filtering server is reached.

Server IP Address

combo box

To specify the URL server IP address, click Create. This launches the Firewall URL Server Editor dialog box, as shown in Figure 6-13. Follow the instructions in Table 6-5.

URL Exclusive Domains

combo box

For Cisco IOS devices only; check that the Cisco IOS release on the device supports the exclusive domain feature (Cisco IOS Software Release 12.2 or later). To add a URL pattern to the list, click Create. This launches the Firewall URL Exclusive Domain Editor dialog box, as shown in Figure 6-15. Follow the instructions in Table 6-6.


Figure 6-13 Firewall URL Server Editor Dialog Box

Table 6-5 Firewall URL Server Editor Fields 

Field Name
Type
Instructions

Server IP Address

combo box

There are two ways to enter the server IP address. You can do either of the following:

Enter the server address directly into the text box, or

If you want to use a previously defined network object, click Select and the Network Objects dialog box appears as shown in Figure 6-14. Click the button next to the predefined network object that contains the server IP address and click Select, or click Cancel to exit the dialog box without saving changes. (Network objects are created at Home > Service Design > Network Objects Manager.) For more information on creating network objects, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.

Port

text box

Enter the port on which the URL filtering server listens for requests from the device.

Protocol

drop-down list

Select the transport protocol the device uses to communicate with the URL filtering server.

Save

button

Click Save when done to save changes and close the dialog box.

Cancel

button

Click Cancel to exit the dialog box without saving changes.


Figure 6-14 Network Objects Dialog Box

Figure 6-15 Firewall URL Exclusive Domain Editor Dialog Box

Table 6-6 Firewall URL Exclusive Domain Editor Fields 

Field Name
Type
Instructions

URL Pattern

text box

Enter a URL pattern you want to filter.

Action

drop-down list

Select Permit to allow users to reach URLs matching the pattern you entered, or select Deny to block access to them.

Comment

text box

(Optional) Enter any comments.

Save

button

Click Save when done to save changes and close the dialog box.

Cancel

button

Click Cancel to exit the dialog box without saving changes.


Step 3 Click Next to continue.


Specifying a Syslog Server

The Firewall Policy - Syslog page allows you to specify the syslog facility and syslog level to use for syslog messages, the interface through which to send syslog messages, and the IP address of the syslog server. To specify these syslog attributes, perform the following steps:


Step 1 After clicking Next on the URL Filtering page, the Firewall Policy - Syslog page appears as shown in Figure 6-16.


Note Alternately, if you are modifying an existing policy, click Home > Service Design > Policy Manager, select the name of the policy, and click Edit > Next > Next > Next > Next to access the Firewall Policy - Syslog page.


Figure 6-16 The Firewall Policy - Syslog Page

Table 6-7 Firewall Policy - Syslog Fields 

Field Name
Type
Instructions

Enable Syslog

checkbox

Check to enable system logging. You must check this box before you can set the syslog options.

Syslog Facility

drop-down list

Specify the type of syslog facility you want to use. The options are as follows:

For Cisco IOS devices only - cron, daemon, kern, lpr, mail, news, or sys9 through sys14.

For Cisco IOS and PIX Firewall devices - local0 through local7.

Syslog Level

drop-down list

Specify the level of system logging you want to receive. The options, from most to least severe, are emergencies, alerts, critical, errors, warnings, notifications, informational, and debugging. Selecting a level sends messages of that severity and every more severe one to the server: debugging sends everything, while errors sends only errors, critical, alerts, and emergencies.

Timestamp

checkbox

To enable a timestamp on the log, put a check mark in the box.

Log Server IP Address

combo box

To add a log server, click Create. The Firewall Log Server Editor dialog box appears as shown in Figure 6-17. Follow the directions in Table 6-8.


Figure 6-17 Firewall Log Server Editor Dialog Box

Table 6-8 Firewall Log Server Editor Fields 

Field Name
Type
Instructions

Server IP Address

combo box

There are two ways to enter the server IP address. You can do either of the following:

Enter the server address directly into the text box, or

If you want to use a previously defined network object, click Select and the Network Objects dialog box appears as shown in Figure 6-18. Click the button next to the predefined network object that contains the server IP address and click Select, or click Cancel to exit the dialog box without saving changes. (Network objects are created at Home > Service Design > Network Objects Manager.) For more information on creating network objects, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.

Interface

drop-down list

Select the interface on which the log server is located.

Save

button

Click Save when done to save changes and close the dialog box.

Cancel

button

Click Cancel to exit the dialog box without saving changes.


Figure 6-18 Network Objects Dialog Box

Step 2 Click Next to continue.
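The following Python script is an added example, not code from this guide or from ISC. It parses syslog lines in the form a collector receives them from a Cisco IOS router or PIX Firewall provisioned as above (a <PRI> field encoding the facility and severity, then the %FACILITY-SEVERITY-MNEMONIC header), shows which messages a given Syslog Level setting would actually deliver, and runs two simple detections over access-list deny messages. The sample lines, the addresses in them, and the access-list names are constructed for the example; the message formats (%SEC-6-IPACCESSLOGP on IOS, %PIX-4-106023 on PIX) are the standard ones those platforms emit.

```python
"""Added example: parse Cisco IOS / PIX syslog lines as a collector would see
them and run two simple detections over them."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Severity names in the order the Syslog Level drop-down uses (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
# %FACILITY-SEVERITY-MNEMONIC: text   (the in-message digit normally matches the PRI)
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
IOS_DENY_RE = re.compile(r"list (?P<acl>\S+) denied (?P<proto>\w+) "
                         r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
PIX_DENY_RE = re.compile(r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
                         r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")


@dataclass
class Event:
    facility: str
    severity: int
    mnemonic: str
    text: str
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    acl: Optional[str] = None


def parse(line):
    """Decode <PRI> (facility*8 + severity) and the %FAC-SEV-MNEMONIC header;
    for ACL deny messages also pull out source, destination, port and ACL."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    mm = MSG_RE.search(m.group(2))
    if not mm:
        return None
    ev = Event(FACILITIES.get(facility, f"facility{facility}"), severity,
               mm.group("mnemonic"), mm.group("text"))
    d = IOS_DENY_RE.search(ev.text) or PIX_DENY_RE.search(ev.text)
    if d:
        ev.src, ev.dst, ev.dport, ev.acl = d.group("src"), d.group("dst"), int(d.group("dport")), d.group("acl")
    return ev


def logged_at(lines, level):
    """Events a device configured with Syslog Level `level` would send: that
    severity and everything more severe (lower number)."""
    limit = SEVERITIES.index(level)
    return [ev for ev in map(parse, lines) if ev and ev.severity <= limit]


def denied_sources(lines):
    """How many ACL denies each source address produced."""
    return dict(Counter(ev.src for ev in map(parse, lines) if ev and ev.src))


def port_sweeps(lines, min_ports=3):
    """Sources denied on at least `min_ports` distinct destination ports, a
    cheap indicator of a scan against the firewall or the hosts behind it."""
    ports = defaultdict(set)
    for ev in map(parse, lines):
        if ev and ev.src:
            ports[ev.src].add(ev.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample lines (local7 facility, as a collector would receive them).
# IOS lines carry a sequence number and a timestamp; the leading '*' on the
# timestamp means the router clock was not synchronized.
SAMPLE = [
    '<190>37: *Mar  1 00:12:31.456: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied tcp 198.51.100.7(4021) -> 203.0.113.1(23), 1 packet',
    '<190>38: *Mar  1 00:12:32.001: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied tcp 198.51.100.7(4022) -> 203.0.113.1(22), 1 packet',
    '<190>39: *Mar  1 00:12:33.120: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied tcp 198.51.100.7(4023) -> 203.0.113.1(3389), 1 packet',
    '<188>%PIX-4-106023: Deny tcp src outside:198.51.100.7/4024 dst inside:192.168.1.10/23 by access-group "outside_access_in"',
    '<189>40: *Mar  1 00:12:40.000: %SYS-5-CONFIG_I: Configured from console by isc on vty0 (10.10.10.5)',
    '<187>41: *Mar  1 00:12:41.000: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down',
    'a line with no priority field is skipped',
]

if __name__ == "__main__":
    print("sent at level warnings:", [ev.mnemonic for ev in logged_at(SAMPLE, "warnings")])
    print("denies per source:", denied_sources(SAMPLE))
    print("possible sweeps:", port_sweeps(SAMPLE))
```

The first call shows the practical consequence of the Syslog Level choice: IOS access-list deny messages are severity 6 (informational), so a policy set to warnings or errors never exports them, and the deny-based detections below it have nothing to work on. Enabling the Timestamp option, and synchronizing the device clock so the asterisk disappears, is what makes the timestamps usable for correlation.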


Specifying Authentication Proxy

The Authentication Proxy page allows you to enable an authentication proxy. An external AAA server is required, so you must have one already in your ISC repository before you can use this feature. For more information on adding devices to your ISC repository, refer to the Cisco IP Solution Center Infrastructure Getting Started Guide, 3.0.


Step 1 After clicking Next on the Syslog page, the Firewall Policy - Authentication Proxy page appears as shown in Figure 6-19. Follow the instructions in Table 6-9.


Note Alternately, if you are modifying an existing policy, click Home > Service Design > Policy Manager, select the name of the policy, and click Edit > Next > Next > Next > Next > Next to access the Firewall Policy - Authentication Proxy page.


Figure 6-19 The Firewall Policy - Authentication Proxy Page

Table 6-9 Firewall Policy - Authentication Proxy Fields 

Field Name
Type
Instructions

Enable Authentication Proxy

checkbox

Check to enable authentication proxy. You must check this box before you can set the authentication options.

AAA Server

button

Click Select to specify a AAA server. The AAA Server for AAA Server Selection dialog box appears as shown in Figure 6-20.

Figure 6-20 AAA Server for AAA Server Selection Dialog Box

Click the radio button next to the AAA server you want to select, and click Select.

If the AAA server you want to select is not listed, you need to define it. Refer to the Cisco IP Solution Center Infrastructure Getting Started Guide, 3.0 for more information on how to add an AAA server to your repository.

Use Local Order

drop-down list

Specify the local order. There are three choices:

None - Only use the AAA server.

Before - Try the local database first, and then the AAA server.

After - Authenticate using the AAA server and if authentication fails, use the local database.

Interface

drop-down list

Specify the interface on which the AAA server resides:

Inside - The inside interface.

Outside - The outside interface.

DMZ1 - The DMZ interface. (There can be multiple DMZ interfaces.)

Protocols

Add/Remove selections

Select the protocols in Available Protocols for which you want to authenticate users and click Add. You can select the following:

http - HTTP.

telnet - Telnet.

ftp - FTP.

If you accidentally add a protocol to Selected Protocols that you do not want to use to authenticate users, select the protocol and click Remove.


Step 2 Click Finish when done. Confirmation that your policy has been created is displayed in the Status box in the lower-left corner of the page, as shown in Figure 6-21.

Figure 6-21 The Policies Page After Successfully Creating A Policy


Creating Firewall Service Requests

Once you have created a firewall policy, follow the steps below to create a firewall service request:


Note Before you continue, check that the CPE device has its interfaces marked and all network objects for it have been defined. If not, adding the CPE device into the service request will fail.



Step 1 Click Home > Service Inventory > Inventory and Connection Manager > Service Requests. The Service Requests page appears.

Figure 6-22 The Service Requests Page

Step 2 Click Create > Firewall. The Select Policy page appears as shown in Figure 6-23.

Figure 6-23 The Select Policy Page

Step 3 Click the radio button next to the firewall policy you want to provision and click OK. The Firewall Service Editor page appears, as shown in Figure 6-24. This page allows you to select the firewall or firewalls to which you want to apply the firewall policy.

Figure 6-24 The Firewall Service Editor Page

Table 6-10 Firewall Service Editor Fields 

Field Name
Type
Instructions

Policy

non-editable field

The policy name.

Change Policy

button

Click to select a different firewall policy.

Customer

non-editable field

The name of the customer to which the policy applies.

Description

text box

(Optional) Enter a description about this particular service request.


Step 4 Click Add Firewall. The CPE for Firewall Service Request dialog box appears.

Figure 6-25 CPE for Firewall Service Request Dialog Box

Step 5 Choose the firewall device (defined as a CPE device) and click Select.

Step 6 This returns you to the Firewall Service Editor page. Repeat Step 4 and Step 5 (click Add Firewall, choose the device, click Select) for each additional firewall device you want to add. After adding three firewall devices, the Firewall Service Editor page appears as shown in Figure 6-26.

Figure 6-26 The Firewall Service Editor With Firewalls Added

Step 7 Click Save SR. Your newly created service request appears in the list of service requests on the Service Requests page as shown in Figure 6-27.

Figure 6-27 The Service Request Page With New Firewall Service Request Added

Step 8 Refer to "Provisioning Services" for instructions on how to deploy your service request.


Adding Templates To Service Requests (Optional)

ISC may not support every feature you need to configure. In that case, a template can be included in the service request to prepend or append configuration to the CPE device configuration. ISC applies template configlets to the device as written, so review them (Step 5) as carefully as the policy itself. To add a template, perform the following steps:


Step 1 Click Add Templates on the Firewall Service Editor page (Figure 6-26). The Add/Remove Templates dialog box appears as shown in Figure 6-28.

Figure 6-28 Add/Remove Templates Dialog Box

Step 2 Click Add. The Template DataFile Chooser page appears. The templates are on the left column and the associated data files are on the right.

Figure 6-29 The Template DataFile Chooser Page

Step 3 Find the template type you want to add and expand the folder view.

Step 4 Click the name of the template you want to add. The associated data files will be displayed on your right.

Step 5 To view the configlets, click View.

Step 6 Click Accept to continue.

Step 7 Click OK on the Add/Remove page.

Step 8 Click Save when done.