Installation and Configuration for Common Criteria EAL4 Evaluated Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Version 3.1(3.17)

Table Of Contents

Installation and Configuration for Common Criteria EAL4 Evaluated Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Version 3.1(3.17)

Contents

Introduction

Audience

Supported Hardware and Software Versions

Security Information

Organizational Security Policy

Security Implementation Considerations

Certified Configuration

Windows 2000 Documentation

Windows XP Documentation

Potential Insecure Configurations

Uncommitted Changes

Default Flow Policy

Physical Security

Administration Access

Servers and Proxies

Logging and Messages

Access Lists

Trusted and Untrusted Networks

Routed Mode

Transparent Mode

Inspection Policy

Public Access Servers

Using FTP and Telnet

Monitoring and Maintenance

Administrative Roles

Auditing Component Requirements

Password Complexity

AAA Server and Authentication Policy per the IT Environment

Determining the Software Version

Installation Notes

Verification of Hardware and Software Image

Configuration Notes (IOS/Supervisor)

Saving Your Configuration

Service Password Encryption

Layer 2 Security

Layer 3 Security

Disabling the HTTP Server

Disabling SNMP Management

Disabling the TFTP Server

Disabling Source Routing

Enabling Time-Stamps

Command-Specific Events

Idle Time Outs

Setting the System Clock

Configuring Authentication on the Supervisor

Configuring Secure Shell

Configuring System Log Messaging from the Supervisor to PFSS

Configuration Notes (FWSM)

FWSM Maintenance Partition

Saving Your Configuration

Using the established Command

Enabling Timestamps

Enabling Reliable Logging

Systems Logs

Server Settings

Configuring Authentication on FWSM

Configuring Console Access on FWSM to Use AAA (Optional)

Idle Time Outs

Configuring AAA for Telnet and FTP

Configuring SSH

Configuring Failover of FWSM

Inspecting ICMP

Unicast RPF

Same Security Traffic

Using the Syslog Server

Verifying the Correct Version of PFSS

Using the Syslog Server (PFSS Active Mode)

Changing the Syslog Server Parameters at the Windows 2000 System

Recovering from the Syslog Server Disk-Full Condition

Configuring System Log Message Search Functions Using the System Log Message Search

Setting Up the System Log Message Search Display

Configuring System Log Message Search Functions with the System Log Message Search (Log Searching Mode)

Searching System Log Messages Based on Syslog ID

Searching System Log Messages for Specific Commands Entered by the Administrator on the Supervisor

Searching System Log Messages Based on User ID

Searching Windows Audit Events

Searching System Log Messages Based on IP Address

Searching System Log Messages with the Advanced Option Feature

MD5 Hash Value for the Evaluated Configuration

Obtaining Documentation and Submitting a Service Request


Installation and Configuration for Common Criteria EAL4 Evaluated Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Version 3.1(3.17)


April 2007

Contents

This document describes how to install and configure the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM) as certified by Common Criteria Evaluation Assurance Level 4 (EAL4).

In this guide, "FWSM" or "Firewall Services Module" applies to all models of the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, unless specifically noted otherwise.


Note Failure to follow the information provided in this document will result in the Firewall Services Module not being compliant with the evaluation, and may make it insecure.


This document includes the following sections:

Introduction

Audience

Supported Hardware and Software Versions

Security Information

Installation Notes

Configuration Notes (IOS/Supervisor)

Configuration Notes (FWSM)

Using the Syslog Server

Configuring System Log Message Search Functions Using the System Log Message Search

MD5 Hash Value for the Evaluated Configuration

Obtaining Documentation and Submitting a Service Request

Introduction

This document is an addendum to the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module documentation set, which should be read before configuring the FWSM.

Cisco product documentation includes:

Release Notes

Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 3.1

Upgrade Guide

Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1

Regulatory Compliance and Safety Information Guide

Regulatory Compliance and Safety Information for the Catalyst 6500 Series and Cisco 7600 Series Switches

Command Line Configuration Guide

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, Version 3.1

Command Reference Guide

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, Version 3.1

System Log Messages Guide

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Messages, Version 3.1

For a complete list of documentation for the Catalyst 6500 series switch, go to:

http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html

For a complete list of documentation for the Cisco 7600 series routers, go to:

http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html

The FWSM documentation is available in printed-paper form, and online (in both HTML and PDF formats).

Audience

This document is written for administrators configuring the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module software. This document assumes you are familiar with networks and network terminology, that you are a trusted individual, and that you are trained to use the Internet and its associated terms and applications.

Supported Hardware and Software Versions

Only the following combinations of hardware and software listed in Table 1 are compliant with the FWSM 3.1(3.17) EAL4 evaluation. Using hardware and software not specified invalidates the secure configuration.

Table 1 Supported Hardware and Software for FWSM

Hardware
  FWSM            FWSM Part no. WS-SVC-FWM-1-K9
  Supervisor      Sup720 or Sup2
  Switch/Router   7600 Series chassis (7603, 7606, 7609, 7613) with Supervisor Engine 720.
                  Catalyst 6500 series (6503, 6506, 6509-NEB, 6509, 6513) with Cisco Catalyst 6500 Series Supervisor Engine 2 with Multilayer Switch Feature Card 2 (MSFC2) or Cisco Catalyst 6500 Series Supervisor Engine 720
  Audit server    PC

Software
  FWSM            Cisco FWSM Firewall image version 3.1(3.17)
  Supervisor      Cisco IOS Software Release 12.2(18)SXF5
  Audit server    Windows 2000 Professional Service Pack 3 and Q326886 hotfix or Windows XP Professional Service Pack 2 (including hotfixes 896423, 899587, 899588, 896422, 890859, 873333, 885250, 888302, 885835, and 907865) or Service Pack 2 (for audit server)
                  PIX Firewall Syslog Server (PFSS) 5.14


Security Information

In addition to the Regulatory Compliance and Safety Information document, the sections that follow provide additional security information for use with a Common Criteria Certified Firewall Services Module.

Organizational Security Policy

Security Implementation Considerations

Certified Configuration

Organizational Security Policy

Ensure that your FWSM is delivered, installed, managed, and operated in a manner that maintains an organizational security policy.

Security Implementation Considerations

The sections that follow provide implementation considerations that need to be addressed to administer the FWSM in a secure manner.


Note The certified configuration does not host public data. Do not use any components of the certified configuration to host and provide public data.


The threat of malicious attacks aimed at discovering exploitable vulnerabilities is considered moderate. A moderate attack potential for the certified configuration makes the following assumptions:

Identification

The time taken to identify the potential attack is negligible, because knowledge that the certified configuration uses the console port for local access and SSH for remote access can be considered common knowledge for an attacker of moderate attack potential.

No specialist technical experience is considered to be required to identify the vulnerability.

Public knowledge of the certified configuration operation is all that is required to identify this vulnerability.

Physical access to the certified configuration console port is required.

Only standard equipment is required.

Exploitation

Public knowledge of the certified configuration operation is all that is required to exploit this vulnerability.

Standard equipment is required to attempt a brute force or dictionary attack.

Other Factors

No physical access to the certified configuration may be obtained by untrusted persons as the certified configuration is physically secure (Assumption A.PHYSEC from the ST document).

Certified configuration administrators may not be considered attackers, and follow all administrator guidance (Assumption A.NOEVIL from the ST document).

Administrators use passwords of the level of complexity described in this document (see Password Complexity). Passwords will therefore be a combination of alphabetic and numeric characters. This password will be at least eight characters long and will be kept secret.

Certified Configuration

Use only the FWSM software Version 3.1(3.17). Only the hardware and software version combinations listed in Table 1 can be used to implement an evaluated configuration. Changing the software or hardware to a different version invalidates the evaluated status of a particular hardware platform.

The Certified Common Criteria Firewall Services Module Version 3.1(3.17) excludes the following features:

Routing Information Protocol (RIP)

Simple Network Management Protocol (SNMP)

Dynamic Host Configuration Protocol (DHCP) Server

Virtual Private Networks (VPNs) through the IOS executing on the Supervisor or FWSM

The features that are specifically excluded must be disabled while the FWSM and Supervisor are operating in the evaluated configuration.

All other hardware and software features and functions of the FWSM are included in the evaluated product configuration and thus can be used in conjunction with the Target of Evaluation (TOE) Security Functions as long as the TOE functions are configured, operated, and managed in accordance with this document.

The FWSM Target of Evaluation relies on a Windows 2000 or Windows XP computer to act as an audit server. Windows is configured in the EAL4 evaluated configuration to support this TOE. Microsoft Windows Evaluated Configuration documentation can be found by clicking the following links:

Windows 2000 Documentation

Windows 2000 Common Criteria Evaluated Configuration User's Guide:

http://www.microsoft.com/technet/security/prodtech/Windows2000/w2kccug/default.mspx

Windows 2000 Common Criteria Evaluated Configuration Administrator's Guide:

http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/default.mspx

Windows 2000 Common Criteria Security Configuration Guide:

http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/default.mspx

Windows XP Documentation

Windows XP Common Criteria Evaluated Configuration User's Guide:

http://download.microsoft.com/download/d/3/0/d304ab38-567c-4fad-a368-a3661ca1a16d/wxp_common_criteria_user_guide.zip

Windows XP Common Criteria Evaluated Configuration Administrator's Guide:

http://download.microsoft.com/download/e/8/9/e897a1ee-0273-4694-b155-ad02f7b2b4d5/wxp_common_criteria_admin_guide.zip

Windows XP Common Criteria Security Configuration Guide:

http://download.microsoft.com/download/5/3/b/53b53a3e-39d5-4d30-86f2-146aa2c7be45/wxp_common_criteria_configuration_guide.zip

The configuration of the FWSM should be reviewed on a regular basis to ensure that the configuration continues to meet the organizational security policy when considering the following:

Changes in the FWSM configuration

Changes in the organizational security policy

Changes in the threats presented from the untrusted network(s)

Changes in the administration and operations staff or the physical environment of the FWSM

Potential Insecure Configurations

This section includes the following topics:

Uncommitted Changes

Default Flow Policy

Physical Security

Administration Access

Servers and Proxies

Logging and Messages

Access Lists

Trusted and Untrusted Networks

Public Access Servers

Using FTP and Telnet

Monitoring and Maintenance

Auditing Component Requirements

Password Complexity

Determining the Software Version

Uncommitted Changes

FWSM loads the saved startup configuration and automatically copies this configuration into the running configuration.

You can change the running configuration to suit a specific need and then save it to the startup configuration. The running configuration is held in volatile memory, so if the FWSM reboots while uncommitted changes exist, those changes are lost and the FWSM reverts to the last saved configuration. For more information, see Saving Your Configuration.

Default Flow Policy

By default, the FWSM is configured with a default flow policy: the outside interface refuses all flows of data from the external network to the internal network. Administrators must take note of this and ensure that the organization's policy is implemented during installation, before users are permitted to use the FWSM. Set up access lists to enable traffic to flow through the FWSM. Each permit or deny rule applies to a protocol, a source and destination IP address or network, and optionally the source and destination ports. See the Organizational Security Policy section for guidance on implementing a suitable security policy.

Physical Security

The FWSM must be located in a physically secure environment to which only a trusted administrator has access. The secure configuration of the FWSM can be compromised if an intruder gains physical access to the FWSM. Similarly, the audit server used to store and manage the FWSM system log messages must be protected physically and with suitable identification and authentication mechanisms to ensure that only trusted administrators have access.

Administration Access

There are only two methods by which the administrator can manage the FWSM:

Using the serial interface directly connected to the Supervisor

Using SSH access with single user authentication

The FWSM does not have an external console port. You must session in to the FWSM to perform configuration by first connecting to the console on the Supervisor, and then executing the session command. For this certified configuration, there are two modules that are used to provide the certified configuration security functions: the FWSM itself and the Supervisor executing IOS. Each module has its own interfaces and executing operating system.

Servers and Proxies

To ensure complete security when the FWSM is shipped, inbound access to all proxies and servers is initially disabled. After the installation, you must explicitly permit each service and enable the services necessary for your security policy. See the configuration guides for information on how to configure the FWSM. Certification requires a completely controlled environment in which specified services are allowed and all others denied.

Logging and Messages

Monitoring activity in the log files is an important aspect of your network security and should be conducted regularly. Monitoring the log files lets you take appropriate and timely action when you detect security breaches or events that are likely to lead to a security breach in the future. Use the show logging command or the syslog server to view log files messages. See Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Messages for information about sending messages, and archiving.

Access Lists

The access-list command operates on a first-match basis: rules are checked in the order they were added, so the last rule added to the access list is the last rule checked. Administrators must take note of this when entering the initial rules during configuration, because an early broad rule can prevent later, more specific rules from ever being evaluated.
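The two properties described above, the implicit deny of the default flow policy and first-match evaluation of access lists, can be checked offline before a rule set is committed. The following Python script is an added example written for this guide, not Cisco code and not part of the original document. It models only the subset "access-list NAME extended ACTION PROTO SRC DST [eq PORT]" with numeric ports, and the sample access list it evaluates is constructed for illustration; its third entry is deliberately unreachable because the "deny ip any any" before it matches first.

```python
from ipaddress import ip_address, ip_network

# Constructed access list (example data, not from the guide). SRC/DST are
# written as "any", "host A.B.C.D" or "A.B.C.D MASK", as on the FWSM.
SAMPLE_ACL = [
    "access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 25",
    "access-list OUTSIDE_IN extended deny ip any any",
    "access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 22",
]


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # "address mask" form; strict=False tolerates host bits in the address
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one access control entry (only the subset described above)."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port, "text": line}


def evaluate(aces, proto, src, dst, port=None):
    """First matching ACE wins. With no match the FWSM denies the flow,
    which is the default flow policy the guide describes."""
    s, d = ip_address(src), ip_address(dst)
    for n, ace in enumerate(aces):
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and ace["port"] in (None, port)):
            return ace["action"], n
    return "deny", None


def _covers(earlier, later):
    """True if every flow matched by 'later' is already matched by 'earlier'."""
    return (earlier["proto"] in ("ip", later["proto"])
            and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"])
            and earlier["port"] in (None, later["port"]))


def shadowed(aces):
    """Indexes of ACEs that can never be reached because an earlier ACE covers them."""
    return [j for j, later in enumerate(aces)
            if any(_covers(earlier, later) for earlier in aces[:j])]


ACES = [parse_ace(line) for line in SAMPLE_ACL]

if __name__ == "__main__":
    print(evaluate(ACES, "tcp", "203.0.113.5", "192.0.2.10", 25))   # ('permit', 0)
    print(evaluate(ACES, "tcp", "198.51.100.7", "192.0.2.10", 22))  # ('deny', 1)
    print(evaluate([], "tcp", "198.51.100.7", "192.0.2.10", 22))    # ('deny', None)
    for j in shadowed(ACES):
        print("unreachable:", ACES[j]["text"])
```

Running the script shows that SSH from 198.51.100.7 is denied by entry 1 even though entry 2 was written to permit it, and that an empty access list denies everything. The shadowed() check is the one worth running before each change to a rule set; a rule it reports as unreachable is either redundant or, more often, in the wrong place.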

Trusted and Untrusted Networks

The FWSM can be used to isolate your network from the Internet or from another network. A trusted network is usually your internal network and an untrusted network may be the Internet or any other network. For this certified configuration, VLANs provide logical separation between various networks. The configuration of VLANs takes place on the Supervisor as the Supervisor is in control of all the network interfaces that exist on the platform. The Supervisor also can be configured to perform routing functions for the network.

The FWSM must be configured so that it acts as the only network connection between your internal network and any external networks. The FWSM will deny any information flows for which no rule is defined. Your security implementation is based on the control of traffic from one network to the other, and should support your security policy.

See "Assigning VLANs to the FWSM in Cisco IOS Software" in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for additional information about configuring VLANs.


Note For increased security and to avoid risk of exposure caused by misconfiguring ACLs in non-admin contexts, the AAA server and management hosts must be located on remote networks protected from non-admin contexts by another means besides using the admin context.


In the default configuration, traffic types observe the default policy for inside to outside traffic. Table 2 shows the traffic types and their supported modes for inside to outside traffic.

Table 2 Traffic Types and Supported Modes - Inside to Outside

Traffic Type       Single Routed Mode  Multiple Routed Mode  Single Transparent Mode      Multiple Transparent Mode
Spoofed traffic    No (RPF enabled)    No (RPF enabled)      No (ARP inspection enabled)  No (ARP inspection enabled)
Ethernet           Yes                 Yes                   Yes                          Yes
ARP                No (router hop)     No (router hop)       Yes                          Yes
CTIQBE             Yes                 Yes                   Yes                          Yes
DNS                Yes                 Yes                   Yes                          Yes
Echo               Yes                 Yes                   Yes                          Yes
Finger             Yes                 Yes                   Yes                          Yes
H.323              Yes                 Yes                   Yes                          Yes
IP                 Yes                 Yes                   Yes                          Yes
ICMP               Yes                 Yes                   Yes                          Yes
TCP                Yes                 Yes                   Yes                          Yes
UDP                Yes                 Yes                   Yes                          Yes
FTP                Yes                 Yes                   Yes                          Yes
GTP                Yes                 Yes                   Yes                          Yes
HTTP               Yes                 Yes                   Yes                          Yes
ILS                Yes                 Yes                   Yes                          Yes
MGCP               Yes                 Yes                   Yes                          Yes
POP3               Yes                 Yes                   Yes                          Yes
RSH                Yes                 Yes                   Yes                          Yes
RTSP               Yes                 Yes                   Yes                          Yes
Skinny             Yes                 Yes                   Yes                          Yes
SIP                Yes                 Yes                   Yes                          Yes
ESMTP              Yes                 Yes                   Yes                          Yes
SunRPC             Yes                 Yes                   Yes                          Yes
Telnet             Yes                 Yes                   Yes                          Yes
TFTP               Yes                 Yes                   Yes                          Yes
XDMCP              Yes                 Yes                   Yes                          Yes
traceroute         Yes                 Yes                   Yes                          Yes
STP                No                  No                    Yes                          Yes
All other traffic  Yes                 Yes                   Yes                          Yes


In the default configuration, traffic types observe the default policy for outside to inside traffic. Table 3 shows the traffic types and their supported modes for outside to inside traffic.

Table 3 Traffic Types and Supported Modes - Outside to Inside

Traffic Type       Single Routed Mode  Multiple Routed Mode  Single Transparent Mode      Multiple Transparent Mode
Spoofed traffic    No (RPF enabled)    No (RPF enabled)      No (ARP inspection enabled)  No (ARP inspection enabled)
Ethernet           No                  No                    No                           No
ARP                No (router hop)     No (router hop)       Yes                          Yes
CTIQBE             No                  No                    No                           No
DNS                No                  No                    No                           No
Echo               No                  No                    No                           No
Finger             No                  No                    No                           No
H.323              No                  No                    No                           No
IP                 No                  No                    No                           No
ICMP               No                  No                    No                           No
TCP                No                  No                    No                           No
UDP                No                  No                    No                           No
FTP                No                  No                    No                           No
GTP                No                  No                    No                           No
HTTP               No                  No                    No                           No
ILS                No                  No                    No                           No
MGCP               No                  No                    No                           No
POP3               No                  No                    No                           No
RSH                No                  No                    No                           No
RTSP               No                  No                    No                           No
Skinny             No                  No                    No                           No
SIP                No                  No                    No                           No
ESMTP              No                  No                    No                           No
SunRPC             No                  No                    No                           No
Telnet             No                  No                    No                           No
TFTP               No                  No                    No                           No
XDMCP              No                  No                    No                           No
traceroute         No                  No                    No                           No
STP                No                  No                    Yes (can be denied by ACL)   Yes (can be denied by ACL)
All other traffic  No                  No                    No                           No


PFSS is the Windows system log messaging service that provides the system audit store for the firewall. The PFSS must be configured to communicate with the firewall according to the mode in which the firewall is operating. The PFSS server requires its own defined VLAN and interface for communications. The logging host command in this case is configured to send messages over TCP to the audit server on that VLAN interface. Figure 1 shows the network topology for a single context.

Figure 1 Network Topology for Single Context

If the firewall is operating in multiple context mode, each context must be defined to communicate with the audit server, and configuration settings must be established to protect the audit server from receiving any traffic other than that specifically allowed by policy. Figure 2 shows the network topology for multiple contexts.


Warning Configuring IPs on IOS interfaces that are in the same subnets as FWSM interfaces increases the potential for routing loops and bypassing of FWSM.

Note To ensure proper protection of the audit server, the PFSS server must be placed on a trusted network and must have access-control lists applied on the FWSM and IOS to only allow TCP and UDP system log messaging data to be sent to the PFSS.


Figure 2 Network Topology for Multiple Contexts

Host / Interface   IP Address       Description
PFSS Server        192.168.0.27     Connected to a physical port on VLAN 192
AAA                192.168.26.2     Connected to a physical port on VLAN 26
VLAN192            192.168.0.1      VLAN Interface for VLAN 192
BVI                192.168.50.254   Interface for Transparent-2
VLAN50             192.168.50.1     VLAN Interface for BVI to communicate with
BVI                192.168.40.254   Interface for Transparent-1
VLAN40             192.168.40.1     VLAN Interface for BVI to communicate with



Note The black dot in Figure 2 represents IOS enforcing ACLs to ensure that only approved syslog and AAA traffic can pass between the firewall contexts and the PFSS and AAA hosts, and that no other traffic is ever permitted by IOS among the firewall VLANs (VLANs 2, 40, or 50 in Figure 2).


Routed Mode

In routed mode, the audit VLAN is connected through an IOS VLAN for a minimum of three defined interfaces: external, internal, and audit. The access lists within the FWSM are responsible for protecting the audit server in routed mode.

Transparent Mode

In transparent mode, a BVI management interface provides a third interface to the context for communication with the PFSS and the RADIUS or TACACS+ server. The external and internal interfaces in this configuration are running in transparent mode and do not have an IP address assigned. The BVI is owned or managed by FWSM and has an IP address. One IP address must be configured in order for that context to send system log messages through the BVI and authentication traffic to reach the RADIUS/TACACS+ server. Access-lists on the Supervisor are used to protect the audit and authentication traffic. Strict ACEs must be applied to each BVI to only permit system log messages and RADIUS/TACACS+ traffic from the single host IP of the transparent mode context to the specific host IPs of the PFSS and AAA servers.


Note The IOS VLAN interface and the transparent mode BVI must be on a /30 subnet.


hostname(config)# interface VLAN192
hostname(config-if)# ip address 192.168.50.254 255.255.255.252
hostname(config-if)# ip access-group 101 in
hostname(config-if)# ip access-group 102 out

A transparent firewall does not participate in IP routing. The only IP configuration required for the FWSM is to set the management IP address for each bridge group. This address is required because the FWSM uses this address as the source address for traffic originating on the FWSM, such as system messages or communications with AAA servers. You can also use this address for remote management access.

hostname(config)# interface vlan 50
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# bridge-group 1
hostname(config-if)# interface vlan 500
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 1
hostname(config-if)# interface bvi1
hostname(config-if)# ip address 192.168.50.1 255.255.255.252

A default route must be configured on the FWSM, pointing at the IOS VLAN interface address on the Supervisor, so that traffic from the current context can reach the syslog server via that VLAN.

hostname(config)# route inside 0.0.0.0 0.0.0.0 192.168.50.254

Note Use only a default route in the transparent context.

Transparent contexts using a BVI interface require static ARP entries for the IOS VLAN IP/MAC, which acts as the route gateway to the PFSS and AAA servers. The same IOS MAC addresses are visible in the transparent mode context on both sides of the firewall. If a static entry is not defined, then the firewall context will periodically move the MAC address back and forth between the inside MAC address table to the outside MAC address table. This movement breaks the route to the PFSS and AAA servers, and causes the context to stop passing traffic, because the context will see the PFSS logging host as down.


hostname(config)# mac-address-table static inside 00d0.02de.040a

Note On FWSM, when the debug mac-address-table command and debug arp command are enabled at the same time, the messages overlap.

MAC address spoofing and IP address spoofing (for local subnets or VLANs) within each transparent mode context are to be specifically denied in the evaluated configuration.


hostname(config)# arp-inspection outside enable no-flood
hostname(config)# arp-inspection inside enable no-flood

Warning Using the no-flood option without first configuring all necessary static ARP entries will eventually result in disabling all connectivity to, from, or through the transparent context, because the ARP table and MAC address table will not learn MAC addresses and remain empty without the static entries.
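The transparent-mode requirements above (a /30 management subnet on the BVI, a default route only, and static ARP and MAC-table entries for the gateway whenever no-flood ARP inspection is on) are easy to get wrong in a way that only shows up as a dead context later. The Python linter below is an added example written for this guide, not Cisco tooling and not part of the original document; it reads a context configuration as text and reports violations. The two configurations it checks are constructed: the addresses follow the guide's 192.168.50.0 management subnet, with the IOS VLAN interface assumed at 192.168.50.1 and the BVI at 192.168.50.2, and the static ARP entry is written with the FWSM "arp <interface> <ip> <mac>" command.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed transparent context that follows the guide (example data).
GOOD_CONFIG = """
interface vlan 50
 nameif inside
 security-level 100
 bridge-group 1
interface vlan 500
 nameif outside
 security-level 0
 bridge-group 1
interface bvi1
 ip address 192.168.50.2 255.255.255.252
route inside 0.0.0.0 0.0.0.0 192.168.50.1
arp inside 192.168.50.1 00d0.02de.040a
mac-address-table static inside 00d0.02de.040a
arp-inspection inside enable no-flood
arp-inspection outside enable no-flood
"""

# Constructed context with the mistakes the guide warns about: a /24 management
# subnet, a host route instead of a default route, the BVI's own address as
# gateway, and no-flood enabled with no static entries for the gateway.
BAD_CONFIG = """
interface bvi1
 ip address 192.168.50.1 255.255.255.0
route inside 0.0.0.0 255.255.255.255 192.168.50.1
arp-inspection inside enable no-flood
"""


def lint_transparent_context(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    # 1. Every BVI management address must sit on a /30.
    bvis, current = [], None
    for line in lines:
        m = re.match(r"interface (.+)$", line)
        if m:
            current = m.group(1).replace(" ", "").lower()   # "vlan 50" -> "vlan50"
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current and current.startswith("bvi"):
            bvi = ip_interface(f"{m.group(1)}/{m.group(2)}")
            bvis.append(bvi)
            if bvi.network.prefixlen != 30:
                findings.append(f"{current}: management subnet is /{bvi.network.prefixlen}, must be /30")

    no_flood = {m.group(1) for m in map(re.compile(r"arp-inspection (\S+) enable no-flood$").match, lines) if m}
    static_arp = {m.groups() for m in map(re.compile(r"arp (\S+) (\S+) (\S+)$").match, lines) if m}
    static_mac = {m.groups() for m in map(re.compile(r"mac-address-table static (\S+) (\S+)$").match, lines) if m}

    for m in map(re.compile(r"route (\S+) (\S+) (\S+) (\S+)$").match, lines):
        if not m:
            continue
        ifname, net, mask, gw = m.groups()
        # 2. Only a default route is allowed in a transparent context.
        if (net, mask) != ("0.0.0.0", "0.0.0.0"):
            findings.append(f"route via {gw}: only a default route (0.0.0.0 0.0.0.0) is allowed")
        # 3. The gateway must be another host on the BVI /30 (the IOS VLAN
        #    interface), never the BVI address itself.
        gw_ip = ip_address(gw)
        if not any(gw_ip in b.network and gw_ip != b.ip for b in bvis):
            findings.append(f"route via {gw}: gateway is not another host on the BVI subnet")
        # 4. With no-flood, nothing is learned dynamically, so the gateway needs
        #    a static ARP entry and a static MAC-table entry on its interface.
        if no_flood:
            macs = {mac for (i, ip, mac) in static_arp if i == ifname and ip == gw}
            if not macs:
                findings.append(f"{ifname}: no static arp entry for gateway {gw} while no-flood is enabled")
            elif not any((ifname, mac) in static_mac for mac in macs):
                findings.append(f"{ifname}: no mac-address-table static entry for the gateway MAC")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_transparent_context(cfg) or "OK")
```

The bad configuration produces four findings, including the host-route and self-gateway mistakes that would otherwise only appear as the context reporting the PFSS logging host down. Run the linter against "show running-config" output saved from each transparent context before enabling no-flood on its interfaces.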

Inspection Policy

A default inspection policy must be specified for each context in the evaluated configuration. This policy is determined by the protocols that are included in this evaluation and must be enabled by default. Enter the following commands:

hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect ctiqbe
hostname(config-pmap-c)# inspect esmtp
hostname(config-pmap-c)# inspect ftp strict
hostname(config-pmap-c)# inspect gtp
hostname(config-pmap-c)# inspect h323
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# inspect icmp error
hostname(config-pmap-c)# inspect ils
hostname(config-pmap-c)# inspect mgcp
hostname(config-pmap-c)# inspect rsh
hostname(config-pmap-c)# inspect rtsp
hostname(config-pmap-c)# inspect sip
hostname(config-pmap-c)# inspect skinny
hostname(config-pmap-c)# inspect sunrpc
hostname(config-pmap-c)# inspect tftp
hostname(config-pmap-c)# inspect xdmcp
hostname(config-pmap-c)# inspect dns
hostname(config-pmap-c)# inspect smtp

Public Access Servers

If you are planning to host public access servers, you must decide where they will be located in relation to the FWSM. Placing servers on the network outside the FWSM leaves them open to attack. Placing servers on the internal network means you must open up your FWSM to allow access.

Using FTP and Telnet

File Transfer Protocol (FTP) is used to retrieve or deposit files on a remote system. Telnet is used to access a remote server using a console like connection over the network. The Common Criteria Security Target document requires that Telnet and FTP traffic through the FWSM must be authenticated before traffic is allowed to pass through. See Configuring AAA for Telnet and FTP for more information about how to configure the FWSM correctly to authenticate Telnet and FTP.


Note Use of the local user database for authentication of Telnet and FTP traffic through the firewall is not permitted in the evaluated configuration. All authentication of FTP and Telnet traffic through the firewall must be performed by use of single-use passwords via remote AAA servers.

To enforce compliance of FTP traffic with the FTP RFC, the strict option for the FTP inspection must be enabled in the evaluated configuration.


hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect ftp strict

Monitoring and Maintenance

The FWSM software provides several ways to monitor the FWSM, from logs to messages.

Ensure you know how you will monitor the FWSM, both for performance and for possible security issues.

Plan your backups. If there should be a hardware or software problem, you may need to restore the FWSM configuration.

The configuration of the FWSM should be reviewed on a regular basis to ensure that the configuration meets the security objectives of the organization in the face of the following:

Changes in the FWSM configuration

Changes in the security objectives

Changes in the threats presented by the external network

Administrative Roles

The certified configuration contains three administrative roles (shown in the following table) for use in the evaluated configuration.

Role Name: Authorized Supervisor Administrator
Description: Any administrator with knowledge of the enable password on the router. Privileged access is defined by any privilege level entering an enable password after individual login.

Role Name: Authorized Firewall Administrator
Description: Any administrator with knowledge of the enable password on the FWSM. Privileged access is defined by any privilege level entering an enable password after individual login.

Role Name: Authorized Audit Administrator
Description: The role assigned to a user that logs in and reviews the information recorded by the PFSS application.



Note The administrator of the chassis must be the administrator of any other blades installed in the chassis.


Auditing Component Requirements

The FWSM interacts with Windows 2000 for the purpose of storing the audit data. The server should be running Windows 2000 with Service Pack 4. The auditing machine will provide suitable audit records to the administrator, protect the stored audit records from unauthorized deletion, and will detect modifications to the audit records. It is the responsibility of the administrator to regularly review the audit records provided by the FWSM, and to take any relevant action as necessary to ensure the security of the Firewall Services Module. The location of the auditing machine and records should only be accessible to the administrator.

Password Complexity

Passwords must be 8 to 16 characters in length. The minimum password length must be enforced by the administrator. The following list of characters may be used in passwords:

26 uppercase letters (A - Z)

26 lowercase letters (a - z)

10 numbers (0 - 9)

Special characters (!"#$%&'()*+,-./:;<@[\`{|=>?]^_}~)

To construct a password, these 94 printable characters are available for use; the space character is prohibited.

The password guidance included in this section applies to the creation and management of user passwords. Users must ensure that when creating or changing a password, the following requirements are met. Passwords must:

Be a minimum of 8 characters and a maximum of 16 characters

Include mixed-case alphabetical characters

Include at least one numeric character

Passwords must not include:

Birthdays

Names (parents, family, spouse, pets, or favorite sports player)

Sports teams

Towns, cities, or countries
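The rules above are mechanical enough to check before a password is accepted. The following validator is an added example written for this guide, not Cisco's code: it encodes the 8 to 16 character range, the 94-character set (space excluded), the mixed-case and digit requirements, and takes an administrator-supplied list of forbidden words (names, teams, towns, birthdays written as digits), since the guide bans those categories but cannot enumerate them. The function name `check_password` and the list argument are assumptions.

```python
import string

# The guidance allows 26 uppercase, 26 lowercase, 10 digits and the 32 ASCII
# special characters; string.punctuation is exactly that 32-character set, so
# the union is the 94 permitted characters. Space is deliberately absent.
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)
MIN_LEN, MAX_LEN = 8, 16


def allowed_character_count():
    """Size of the permitted character set (94 per the guidance)."""
    return len(ALLOWED)


def check_password(pw, forbidden_words=()):
    """Return a list of rule violations; an empty list means the password complies.

    forbidden_words is supplied by the administrator (constructed example input:
    family names, sports teams, towns, birthdays as digit strings). Matching is
    case-insensitive substring matching.
    """
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length must be %d to %d characters" % (MIN_LEN, MAX_LEN))
    bad = sorted(set(c for c in pw if c not in ALLOWED))
    if bad:
        problems.append("disallowed characters: %r" % "".join(bad))
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("must include both uppercase and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("must include at least one digit")
    lowered = pw.lower()
    for word in forbidden_words:
        if word and word.lower() in lowered:
            problems.append("contains forbidden word %r" % word)
    return problems


if __name__ == "__main__":
    # Constructed examples: one compliant, one with a space, one built on a team name.
    blocklist = ["Cowboys", "Springfield", "19850412"]
    for candidate in ("Tr0ub4dor&3", "bad pass1A", "Cowboys2024A"):
        print(candidate, "->", check_password(candidate, blocklist) or "OK")
```

The blocklist is matched as a substring, so "Cowboys2024A" is rejected even though it satisfies every structural rule; that is the behaviour the guidance asks for, and it is the part a purely regex-based check usually misses.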

AAA Server and Authentication Policy per the IT Environment

The AAA server specified for this certified configuration is included within the environment. The administrator must ensure that during installation, the AAA server is capable of the following:

Maintaining attributes for each user (identity, association of the human user with the administrator account, and password).

Firewall administrators shall authenticate with a single-use authentication mechanism before being allowed to access the firewall remotely.

Human users shall authenticate with a single-use authentication mechanism when using FTP or Telnet that passes through the firewall.

Reusable passwords are allowed for authorized administrators to access the firewall or router console directly using the local console.

Reusable passwords may be used for the console connection to the Supervisor, or the console connection from the Supervisor to the FWSM, or for use of the enable command on FWSM.

All authentication on the Supervisor must defer to the remote AAA server and not use the local user database.

The IT environment section from the security target document requires that the administrator follow guidance concerning what authentication types are required for each request to administer the certified configuration.

Determining the Software Version

Use the show version command to verify the software version of your FWSM unit. The certified configuration will return 3.1(3)17 as the software version.

Installation Notes

Read the appropriate installation guides before installing the FWSM.

Verification of Hardware and Software Image

To verify that the FWSM software and hardware were not tampered with during delivery, perform the following steps:


Step 1 Before unpacking the FWSM, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 2 Verify that the packaging has not obviously been opened and resealed by examining the tape that seals the package. If the package appears to have been resealed, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems barcoded label applied to the external cardboard box. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco product number, serial number, and other information regarding the contents of the box.

Step 4 Note the serial number of the FWSM on the shipping documentation. The serial number displayed on the white label affixed to the outer box will be that of the FWSM. Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with the supplier that they shipped the box with the courier company that delivered the box and that the consignment note number for the shipment matches that used on the delivery. Also verify that the serial numbers of the items shipped match the serial numbers of the items delivered. This verification should be performed by some mechanism that was not involved in the actual equipment delivery, for example, phone/FAX or other online tracking service.

Step 6 Once the FWSM is unpacked, inspect the unit. Verify that the serial number displayed on the unit itself matches the serial number on the shipping documentation and the invoice. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 7 There are three alternatives for obtaining a Common Criteria evaluated software image:

Download a Common Criteria evaluated software image file from Cisco.com onto a trusted computer system. To access this site, you must be a registered user and you must be logged in. Software images are available from Cisco.com at the following URL: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=270638920

The FWSM ships with a CD containing all current software images. The Common Criteria evaluated software image is available on this CD.

Customers can order a CD with all of the current software images from Cisco.com. There is a charge for this option.

Step 8 Download the c6svc-fwm-k9.3-1-3-17.bin file.

Step 9 Once the file is downloaded, verify that it was not tampered with by using an MD5 utility to compute an MD5 hash for the downloaded file and compare this with the MD5 hash for the image from the Certification Report published by CESG, which is available on its website. If the MD5 hashes do not match, contact Cisco TAC. The MD5 hash for this FWSM version is "9e68c34a7fcb0fb093404e5db84bc56b."

Step 10 To copy the image that was downloaded from the web to flash, enter the following commands:

a. copy tftp://1.2.3.4/c6svc-fwm-k9.3-1-3-17.bin flash:

b. reload

Step 11 Start your FWSM. Confirm that your FWSM loads the image correctly and completes internal self-checks. At the prompt, enter the show version command. Verify that the version is correct. If the FWSM image fails to load, or if the FWSM version is not correct, contact Cisco TAC.

The following is sample output from the show version command, which displays the FWSM version:

hostname# show version
FWSM Firewall Version 3.1(3)17 <system>
Compiled on Tue 31-Oct-06 19:49 by dalecki

FWSM up 9 mins 0 secs
failover cluster up 9 mins 0 secs

Hardware:  WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash LEXAR ATA FLASH @ 0xc321, 20MB

 0: Int: Not licensed    : irq 5
 1: Int: Not licensed    : irq 7
 2: Int: Not licensed    : irq 11

Licensed features for this platform:
Maximum Interfaces     : 1000
Inside Hosts           : Unlimited
Failover               : Active/Active
VPN-DES                : Enabled
VPN-3DES-AES           : Enabled
Cut-through Proxy      : Enabled
Guards                 : Enabled
URL Filtering          : Enabled
Security Contexts      : 250
GTP/GPRS               : Disabled
VPN Peers              : Unlimited

Serial Number: SBQ1234567
Running Activation Key: <1 2 3 4 5>
Configuration has not been modified since last system restart.
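Steps 9 and 11 are the two checks that can be scripted on the trusted download host: compute the MD5 of the downloaded image and compare it with the published digest, and confirm that show version reports the certified build. The script below is an added example, not Cisco's code; it uses the hash and version string printed in this guide and a shortened copy of the sample show version output above as constructed input. Function names are assumptions.

```python
import hashlib
import re

# Values taken from this guide: the published MD5 of c6svc-fwm-k9.3-1-3-17.bin
# (Step 9) and the version string the certified configuration reports (Step 11).
EXPECTED_MD5 = "9e68c34a7fcb0fb093404e5db84bc56b"
EXPECTED_VERSION = "3.1(3)17"


def md5_of_bytes(data):
    """Hex MD5 of an in-memory buffer (used for small inputs and tests)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the image through MD5 so a large file is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(computed, published):
    """Compare hex digests case-insensitively, ignoring surrounding whitespace
    (certification reports and download pages differ in letter case)."""
    return computed.strip().lower() == published.strip().lower()


VERSION_RE = re.compile(r"^FWSM Firewall Version (\S+)", re.MULTILINE)


def version_from_show_version(output):
    """Pull the version token out of 'show version' output; None if the line is absent."""
    m = VERSION_RE.search(output)
    return m.group(1) if m else None


def version_is_certified(output):
    return version_from_show_version(output) == EXPECTED_VERSION


# First lines of the sample 'show version' output from this guide (constructed excerpt).
SAMPLE_SHOW_VERSION = """\
hostname# show version
FWSM Firewall Version 3.1(3)17 <system>
Compiled on Tue 31-Oct-06 19:49 by dalecki
FWSM up 9 mins 0 secs
"""


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "c6svc-fwm-k9.3-1-3-17.bin"
    try:
        ok = digest_matches(md5_of_file(path), EXPECTED_MD5)
        print("%s: %s" % (path, "MD5 matches published hash" if ok else "MD5 MISMATCH, contact Cisco TAC"))
    except FileNotFoundError:
        print("%s not found; pass the downloaded image path as the first argument" % path)
    print("show version reports the certified build:", version_is_certified(SAMPLE_SHOW_VERSION))
```

Run it on the download host with the image path as the only argument; a mismatch is the signal to stop and contact Cisco TAC rather than proceed to the copy step.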

Configuration Notes (IOS/Supervisor)

This section includes the following topics:

Saving Your Configuration

Service Password Encryption

Layer 2 Security

Layer 3 Security

Disabling the HTTP Server

Disabling SNMP Management

Disabling Source Routing

Enabling Time-Stamps

Command-Specific Events

Idle Time Outs

Setting the System Clock

Configuring Authentication on the Supervisor

Configuring Secure Shell

Configuring System Log Messaging from the Supervisor to PFSS

Saving Your Configuration

IOS uses both a running configuration and a starting configuration. Configuration changes affect the running configuration. To save that configuration, the running configuration (held in memory) must be copied to the start-up configuration. This may be achieved by either using the write memory command or the copy system:running-config nvram:startup-config command. These commands should be used frequently when making changes to the configuration of the IOS router. If the IOS router reboots and resumes operation when uncommitted changes have been made, these changes will be lost, and the IOS router will revert to the last saved configuration.

Service Password Encryption

Ensure all passwords on the local router are stored encrypted by entering the following commands:

Router# configure terminal
Enter configuration commands (one per line). End with Ctrl + Z.
Router(config)# service password-encryption

Layer 2 Security

To maintain the integrity of configured VLANs, implement the following guidelines:

Enable port security, and disable the Spanning Tree Protocol (STP) for all ports that do not require STP. For more information, see http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.htm

When using the "portfast" feature in an STP configuration, enable BPDU guard so that the port maintains a secure state when it enters the forwarding state. For more information, see http://www.cisco.com/warp/public/473/65.html

When using STP, enable the "root guard" enhancement. For more information, see http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

To implement these features and prevent VLAN hopping, use the following commands on each port enabled in access mode:

hostname(config)# interface GigabitEthernet 1/10
hostname(config-if)# switchport
hostname(config-if)# switchport mode access
hostname(config-if)# switchport access vlan vlan_id

Note The vlan_id parameter in the previous line should not be specified as VLAN 1.

hostname(config-if)# switchport trunk native vlan vlan_id

Note The vlan_id parameter in the previous line should not be specified as VLAN 1.

hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport nonegotiate
hostname(config-if)# no ip address
hostname(config-if)# no cdp enable
hostname(config-if)# no udld port
hostname(config-if)# spanning-tree portfast
hostname(config-if)# spanning-tree bpduguard enable
hostname(config)# vtp mode transparent
hostname(config)# no mls qos

Warning The use of VLAN 1 for in-band management traffic is prohibited in the evaluated configuration. The administrator must define a dedicated VLAN that keeps management traffic separate from user data and protocol traffic. The exception to that rule is when the FWSM requires maintenance that requires booting to the FWSM Maintenance Partition, and files need to be transferred between the FWSM Maintenance Partition and another host. The FWSM Maintenance Partition can only communicate on VLAN 1, and therefore VLAN 1 must be enabled on the Supervisor to support communication over VLAN1 between the FWSM Maintenance Partition and the trusted remote host.

Prune VLAN 1 from all the trunks and from all the access ports that do not require it (including unconnected and shutdown ports).

Do not configure the management VLAN on any trunk or access port that does not require it (including not connected and shut-down ports).
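The port-level rules in this section (no VLAN 1 as access or native VLAN, VLAN 1 pruned from trunks, DTP negotiation and CDP off, BPDU guard wherever portfast is on) can be audited against a saved show running-config rather than checked port by port. The script below is an added example, not Cisco's code: it splits the interface stanzas and reports each deviation. The constructed running-config excerpt, the function names, and the assumption that a trunk with no switchport trunk allowed vlan line carries all VLANs (the IOS default) are mine.

```python
# Per-port commands the Layer 2 guidance requires on every port.
REQUIRED = (
    "switchport nonegotiate",
    "no ip address",
    "no cdp enable",
)


def split_interfaces(running_config):
    """Yield (name, [indented lines]) for each 'interface ...' stanza."""
    name, lines = None, []
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            if name is not None:
                yield name, lines
            name, lines = line.split(None, 1)[1], []
        elif name is not None and line.startswith(" "):
            lines.append(line.strip())
        elif name is not None:  # '!' or any unindented line ends the stanza
            yield name, lines
            name, lines = None, []
    if name is not None:
        yield name, lines


def _vlan_arg(lines, prefix):
    """Integer argument of the first line starting with prefix, else None."""
    for line in lines:
        if line.startswith(prefix):
            arg = line[len(prefix):].strip()
            return int(arg) if arg.isdigit() else None
    return None


def _expand_vlan_list(spec):
    """'1-5,10' -> {1, 2, 3, 4, 5, 10}; non-numeric parts (e.g. 'none') are ignored."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit():
            vlans.update(range(int(lo), int(hi) + 1))
    return vlans


def audit_interface(lines):
    """Return deviations from the guidance for one port; an empty list means compliant."""
    findings = []
    present = set(lines)
    if _vlan_arg(lines, "switchport access vlan") == 1:
        findings.append("access VLAN is 1")
    is_trunk = "switchport mode trunk" in present
    native = _vlan_arg(lines, "switchport trunk native vlan")
    if is_trunk and (native is None or native == 1):
        findings.append("native VLAN is 1 (explicitly or by default)")
    allowed = next((l for l in lines if l.startswith("switchport trunk allowed vlan ")), None)
    # Assumption: no allowed-vlan line means the IOS default of all VLANs, which includes 1.
    if is_trunk and (allowed is None or 1 in _expand_vlan_list(allowed.split()[-1])):
        findings.append("VLAN 1 not pruned from trunk")
    for cmd in REQUIRED:
        if cmd not in present:
            findings.append("missing '%s'" % cmd)
    if "spanning-tree portfast" in present and "spanning-tree bpduguard enable" not in present:
        findings.append("portfast without BPDU guard")
    return findings


def audit_config(running_config):
    """Map interface name -> list of findings for every stanza in the config."""
    return {name: audit_interface(lines) for name, lines in split_interfaces(running_config)}


# Constructed excerpt: Gi1/10 follows the guidance, Gi1/11 breaks several rules.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/10
 switchport
 switchport access vlan 10
 switchport trunk native vlan 999
 switchport mode access
 switchport nonegotiate
 no ip address
 no cdp enable
 no udld port
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/11
 switchport
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-5,10
 switchport mode trunk
 no ip address
 spanning-tree portfast
!
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        print(name, "->", findings or "compliant")
```

Shut-down and unconnected ports are audited exactly like live ones, because the guidance asks for VLAN 1 to be pruned from those as well.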

Layer 3 Security

IOS requires explicit ACLs to deny IP spoofing attempts and protect the PFSS and RADIUS/TACACS+ servers. Only one IP address can be assigned to an IOS interface in the evaluated configuration. It is not permitted for more than one interface of any type to have an IP address assigned to it, including any VLAN interface, Ethernet interface, or Loopback interface.


Warning Never assign IP addresses to a non-VLAN interface within IOS. Only VLAN interfaces can have assigned IP addresses. All traffic through the device must be inspected by at least one FWSM context, and specifying IP address on physical interfaces creates a potential routing of traffic from one physical interface to another, without forcing traffic to flow through the FWSM.

More than one IP address within IOS is necessary only when the FWSM is in multiple context mode. If more than one IP address is in use within IOS, apply an inbound ACL to each IOS interface that has an IP address assigned. The ACL must do the following:

Explicitly permit traffic from specified source IPs to specified destination IPs.

If necessary, explicitly permit SSH traffic from a source host to the IP address of the IOS interface.

Never use the keyword any to specify a source or destination address range.

Explicitly deny all other traffic, and consider logging all other traffic with the log-input command on the ACE. When the Supervisor and FWSM are properly configured in the evaluated configuration, denying all other traffic through the interface should not affect the flow of network traffic, because all traffic needs to be routed through the FWSM.

Access control lists on the IOS must be configured to protect the PFSS (TCP system log message) traffic between the firewall contexts and the PFSS server. The IOS VLAN interface for the audit VLAN must have inbound and outbound ACLs applied. This ACL must also include permit statements for UDP system log messages to reach the PFSS from the Supervisor.

To add an ACL to allow traffic from the firewall to the PFSS server, enter the following command:

hostname(config)# access-list 101 permit tcp 192.168.50.254 0.0.0.0 192.168.0.26 0.0.0.0 eq 1470

To add an ACL to allow the UDP system log message to be sent from the Supervisor to the PFSS server, enter the following command:

hostname(config)# access-list 101 permit udp 192.168.0.254 0.0.0.0 192.168.0.26 0.0.0.0 eq 514

To allow return traffic from the PFSS server, enter the following command:

hostname(config)# access-list 102 permit tcp 192.168.0.26 0.0.0.0 192.168.50.254 0.0.0.0 gt 1024

To add an ACL to allow traffic from the firewall context to the RADIUS/TACACS+ server, enter the following commands:

hostname(config)# access-list 103 permit udp 192.168.50.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 1645
hostname(config)# access-list 103 permit udp 192.168.50.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 1646
hostname(config)# access-list 103 permit tcp 192.168.50.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 49

RADIUS uses UDP ports 1645 and 1646, whereas TACACS+ uses TCP port 49, so the port 49 entry permits tcp rather than udp.

To add an ACL to allow traffic from the Supervisor to the RADIUS/TACACS+ server, enter the following commands:

hostname(config)# access-list 103 permit udp 192.168.0.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 1645
hostname(config)# access-list 103 permit udp 192.168.0.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 1646
hostname(config)# access-list 103 permit tcp 192.168.0.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 49

To allow return traffic from the RADIUS/TACACS+ server, enter the following commands:

hostname(config)# access-list 104 permit udp 192.168.26.2 0.0.0.0 192.168.50.254 0.0.0.0 gt 1024
hostname(config)# access-list 104 permit tcp 192.168.26.2 0.0.0.0 eq 49 192.168.50.254 0.0.0.0 gt 1024
hostname(config)# access-list 104 permit udp 192.168.26.2 0.0.0.0 192.168.0.254 0.0.0.0 gt 1024
hostname(config)# access-list 104 permit tcp 192.168.26.2 0.0.0.0 eq 49 192.168.0.254 0.0.0.0 gt 1024

The TACACS+ return entries carry source port 49 and a destination port above 1024, because the client side of the TACACS+ session uses an ephemeral port.
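The ACL rules in this section (no any keyword in permit statements, an explicit trailing deny with log-input, and the PFSS and AAA flows pinned to specific hosts and ports) can be linted before the lines are pasted into the Supervisor. The linter below is an added example, not Cisco's code. It parses numbered extended ACEs of the form used above, and checks each port against the protocol the flow is expected to carry (PFSS TCP syslog on 1470, Supervisor UDP syslog on 514, RADIUS on UDP 1645 and 1646, TACACS+ on TCP 49). The constructed sample ACLs, the function names and the assumption that the any prohibition applies to permit statements rather than to the final deny are mine.

```python
# Protocol each well-known port in this section's ACLs is expected to carry.
KNOWN_PORTS = {"1470": "tcp", "514": "udp", "1645": "udp", "1646": "udp", "49": "tcp"}


def parse_ace(line):
    """Parse one numbered extended ACE into a dict; None if it is not in that form.

    Handles 'ip wildcard', 'host ip' and 'any' for both ends, optional
    eq/gt/lt/neq port operators, and keeps trailing keywords (log-input) as options.
    """
    t = line.strip().split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    ace = {"acl": t[1], "action": t[2], "proto": t[3]}
    pos = 4

    def addr():
        nonlocal pos
        if t[pos] == "any":
            pos += 1
            return "any"
        if t[pos] == "host":
            pos += 2
            return t[pos - 1] + " 0.0.0.0"
        pos += 2
        return t[pos - 2] + " " + t[pos - 1]

    def port():
        nonlocal pos
        if pos < len(t) and t[pos] in ("eq", "gt", "lt", "neq"):
            pos += 2
            return t[pos - 2] + " " + t[pos - 1]
        return None

    try:
        ace["src"], ace["sport"] = addr(), port()
        ace["dst"], ace["dport"] = addr(), port()
    except IndexError:
        return None
    ace["options"] = t[pos:]
    return ace


def lint_acl(lines):
    """Return a list of findings for one ACL given as its ACE lines; empty means clean."""
    findings, aces = [], []
    for n, line in enumerate(lines, 1):
        ace = parse_ace(line)
        if ace is None:
            findings.append("line %d: unparseable ACE" % n)
            continue
        aces.append(ace)
        if ace["action"] != "permit":
            continue
        for side in ("src", "dst"):
            if ace[side] == "any":
                findings.append("line %d: %s uses 'any'" % (n, side))
        for key in ("sport", "dport"):
            if ace[key]:
                port = ace[key].split()[1]
                want = KNOWN_PORTS.get(port)
                if want and want != ace["proto"]:
                    findings.append("line %d: port %s expects %s, got %s" % (n, port, want, ace["proto"]))
    if not aces or aces[-1]["action"] != "deny":
        findings.append("no trailing explicit deny")
    elif "log-input" not in aces[-1]["options"]:
        findings.append("trailing deny does not log (add log-input)")
    return findings


# Constructed sample: the audit-VLAN ACL from this section plus a logging deny.
GOOD_ACL = [
    "access-list 101 permit tcp 192.168.50.254 0.0.0.0 192.168.0.26 0.0.0.0 eq 1470",
    "access-list 101 permit udp 192.168.0.254 0.0.0.0 192.168.0.26 0.0.0.0 eq 514",
    "access-list 101 deny ip any any log-input",
]

# Constructed sample that breaks three rules: 'any' source, UDP for TACACS+, no deny.
BAD_ACL = [
    "access-list 105 permit tcp any 192.168.0.26 0.0.0.0 eq 1470",
    "access-list 105 permit udp 192.168.50.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 49",
]

if __name__ == "__main__":
    for name, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        print(name, "->", lint_acl(acl) or "clean")
```

Feed it the lines of one access-list number at a time (the trailing-deny check is per ACL); the port table is the place to extend if the environment uses the newer RADIUS ports 1812 and 1813.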

Disabling the HTTP Server

The scope of the Common Criteria evaluation for this configuration does not include the HTTP Server feature. In order to achieve an evaluated configuration, the HTTP Server is to be disabled on the router.

To disable the HTTP Server, enter the following command:

Router# configure terminal
Enter configuration commands (one per line). End with Ctrl + Z.
Router(config)# no ip http server

Disabling SNMP Management

The scope of the Common Criteria evaluation for this configuration does not include management access of the router via SNMP. In order to achieve an evaluated configuration, SNMP is to be disabled on the routers.

To disable the SNMP Server, enter the following command:

Router(config)# no snmp-server

Disabling the TFTP Server

The scope of the Common Criteria evaluation for this configuration does not include the TFTP server executing on the Supervisor.

To disable the TFTP Server, enter the following command:

Router(config)# no tftp-server

Disabling Source Routing

The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that datagram will take toward its ultimate destination, and usually the route that any reply will take. These options are rarely used for legitimate purposes in real networks. Some older IP implementations do not process source-routed packets correctly, and it may be possible to crash machines running these implementations by sending datagrams with source routing options to those machines.

A Cisco router with the no ip source-route command set will never forward an IP packet that carries a source routing option. You should not use this command unless you know that your network needs source routing.

Router(config)# no ip source-route

Enabling Time-Stamps

By default, audit records are not stamped with the date and time, which are taken from the system clock when an event occurs.

The Common Criteria evaluated Cisco IOS requires that the time-stamp feature be enabled on your IOS router. To enable the timestamp of audit events, enter the following commands:

Router(config)# service timestamps log datetime
Router(config)# service timestamps debug datetime

To ensure that the timestamp option is meaningful, the system clock in your IOS router must be set correctly (see the following section for more information).

Command-Specific Events

Enter the following set of commands together to generate specific events about administrator actions on the Supervisor:

Router(config)# aaa authorization commands 15 default if-authenticated none
Router(config)# logging trap debugging 
Router(config)# logging buffer debug
Router# debug aaa authorization

Note The debug parameter is lost upon reload, and needs to be manually reset.


Searching and sorting of these events is performed using the PFSS Search and Sort application.

Idle Time Outs


Note Time outs on the Supervisor must be set to a maximum of 30 minutes.


To set the interval that the EXEC command interpreter waits until user input is detected, enter the exec-timeout line configuration command. To set the interval for closing the connection when there is no input or output traffic, enter the session-timeout command in line configuration mode.

Router(config)# line console 0
Router(config-line)# exec-timeout 30 
Router(config-line)# session-timeout 30
Router(config-line)# exit

To set the idle timeout for an SSH connection to the Supervisor, enter the ip ssh time-out command in global configuration mode.

Router(config)# ip ssh time-out 30

Setting the System Clock

To provide accurate time stamps for logging, the system clock must be set. Some models of IOS routers have real time clocks that maintain real time when the IOS router is powered down. These real time clocks are used to initialize the system clock at startup. Other models of IOS routers do not have a real time clock that will maintain the date and time after shutdown, and must obtain the correct date and time from a reliable time source. Although IOS routers are capable of using the Network Time Protocol (NTP), this function is not enabled in the evaluated configuration. If the IOS router does not have an internal hardware clock, the time is required to be set manually at startup by a privileged, authorized administrator with the clock command:

clock set hh:mm:ss day month year

where hh:mm:ss is 24-hour time, day is the current date, month and year are the name of the month and year in full (for example, clock set 08:52:00 8 February 2005).

Configuring Authentication on the Supervisor

Local authentication from the Supervisor is available in this configuration. For remote management via SSH, the evaluated configuration requires a remote AAA service that provides one-time authentication. The configuration of AAA services will depend on the environment in which the certified configuration is to operate and may differ between installations. Enter the following commands:

Router(config)# aaa authentication login AllAuth group server-group
Router(config)# aaa authentication enable default group server-group
Router(config)# line console 0
Router(config-line)# login authentication AllAuth
Router(config-line)# line vty 0 4
Router(config-line)# login authentication AllAuth

Note Authentication to the local user database is not permitted from the console or through SSH. Reusable passwords may be used for console and enable authentication, but cannot be used for SSH. Using the none authentication method is not permitted.

The evaluated configuration requires the RADIUS or TACACS+ protocols to be used for the remote AAA services.


Configuring Secure Shell

If remote management over Secure Shell (SSH) is to be enabled, it must be configured to use 3DES or AES encryption in accordance with the evaluated configuration. A single-use authentication server must be configured and used to authenticate SSH sessions to the certified configuration, and the certified configuration must use the RADIUS or TACACS+ protocol to request services from that server.

Router# configure terminal
Enter configuration commands (one per line). End with Ctrl + Z.
Router(config)# hostname sample-host
sample-host(config)# ip domain name cisco.com
sample-host(config)# crypto key generate rsa
The name for the keys will be: sample-host.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your general purpose keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys ...[OK]
sample-host(config)# ip ssh version 2
sample-host(config)# line vty 0 4
sample-host(config-line)# transport input ssh
sample-host(config-line)# exit
sample-host(config)# exit

Additional information for configuring this feature can be found in the Cisco IOS Security Configuration Guide, available at:

http://www.cisco.com/en/US/docs/ios/redirect/eol.html

For more information, see Configuring Secure Shell.

Configuring System Log Messaging from the Supervisor to PFSS

The Supervisor module must send audit events to the PFSS server for analysis by the audit administrator. Configure the Supervisor to use system log messaging to transmit the audit events by entering the following commands:

Router# configure terminal
Enter configuration commands (one per line). End with Ctrl + Z.
Router(config)# logging host 10.150.0.206
Router(config)# exit

Configuration Notes (FWSM)

This section includes the following topics:

FWSM Maintenance Partition

Saving Your Configuration

Using the established Command

Enabling Timestamps

Enabling Reliable Logging

Systems Logs

Server Settings

Configuring Authentication on FWSM

Configuring Console Access on FWSM to Use AAA (Optional)

Idle Time Outs

Configuring AAA for Telnet and FTP

Configuring SSH

Configuring Failover of FWSM

Inspecting ICMP

Unicast RPF

Same Security Traffic

FWSM Maintenance Partition

The FWSM Maintenance Partition is used to upgrade or install application images if you cannot boot into the application partition, to reset the application image password, or to display crash dump information. You must change the default passwords associated with the maintenance partition, including both the root and guest accounts.

For more information, see the "Changing the Maintenance Software Passwords" section in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.


Note Be sure to follow the guidelines listed in Password Complexity for passwords used on the maintenance partition.


Saving Your Configuration

The write memory command should be used frequently when making changes to the configuration of the FWSM. If the FWSM reboots and resumes operation when uncommitted changes were made, these changes will be lost, and the FWSM will revert to the last saved configuration.

Using the established Command

Administrators are advised not to use the established command on the certified FWSM. Incorrect use of this command may give outside users greater access to inside systems than is intended, and for this reason, its use is not recommended.

Enabling Timestamps

By default, audit records are not stamped with the date and time, which are taken from the system clock when an event occurs. The certified FWSM requires that the timestamp option is enabled. To enable the timestamp of audit events, enter the logging timestamp command. To ensure that the timestamp option remains in effect after a restart, enter the write memory command to save the option to the startup configuration.

Be sure to set the clock on the Supervisor. The FWSM does not contain its own hardware clock, and relies on the accuracy of the clock on the Supervisor.


Note Although the IOS is capable of using the Network Time Protocol (NTP), this function is not enabled in the evaluated configuration.


Enabling Reliable Logging

By default, auditing events are transported to the remote syslog server over UDP. The certified FWSM requires auditing events to be transported over TCP. The TCP option is configured using the logging host interface ip_address tcp/port_number command. With TCP logging configured, new sessions through the certified FWSM will be disallowed if log messages cannot be forwarded to the remote host.

To support TCP logging, the PFSS syslog server must be installed on a secure Windows server. For details about how to obtain and configure the logging function, see Using the Syslog Server (PFSS Active Mode).

Systems Logs

For details about the FWSM system logs, see Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Messages. The following sections are not supported on a certified FWSM:

System Logs

Receiving SNMP requests

Sending SNMP Traps

Other Remote Management and Monitoring Tools

ASDM

Cisco Secure Policy Manager

SNMP Traps


Note Telnet is not supported on the certified FWSM. It is disabled by default.


Server Settings

You must install the ACS server. The following document provides information about installing the Cisco Secure ACS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_eol_notices_list.html

The Security Target document for this evaluation requires that the administrator install and use a single-use password mechanism. The single-use solution can use tokens or one-time passwords. The single-use solution must enforce lockout of user accounts and should be set to lock out the user on the ACS server after five incorrect login attempts.

The aaa local authentication attempts max-fail command is available on FWSM and should be set to a maximum value of five in the evaluated configuration. Level 15 users in the local database will not be locked out.

Configuring Authentication on FWSM

To create a server group, add AAA servers to the server group, configure the protocol, and add authentication to SSH, perform the following steps:


Note Only TACACS+ and RADIUS security protocols are included in the evaluated configuration. Do not select any of the other options for protocol under aaa-server. TACACS+ and RADIUS both require a password to authenticate to the server. The administrator is required to follow the guidance in this document when creating the RADIUS or TACACS+ password.


To configure authentication on the FWSM, perform the following steps:


Step 1 Identify the server group name and the protocol. To do so, enter the following command:

hostname contexta(config)# aaa-server server_group protocol {radius | tacacs+}

For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.

You can have up to 15 single-mode server groups or four multi-mode server groups. Each server group can have up to 16 servers in single mode or up to four servers in multi-mode.

When you enter the aaa-server protocol command, you enter group mode.

Step 2 For each AAA server on your network, follow these steps:

a. Identify the server, including the AAA server group to which it belongs. To do so, enter the following command:

hostname contexta(config)# aaa-server server_group (interface_name) host server_ip

When you enter the aaa-server host command, you enter host mode.

Step 3 After the aaa-server and group are configured, enter the following commands to configure authentication:

hostname contexta(config)# aaa authentication telnet console [server-tag | LOCAL]
hostname contexta(config)# aaa authentication enable console [server-tag | LOCAL]
hostname contexta(config)# aaa authentication ssh console [server-tag]

Note The telnet and enable authentication commands can use either the local user database or remote aaa server, and reusable passwords are permitted. SSH authentication must use a remote aaa server configured for single-use authentication. Using the none authentication method is not permitted.

In the system context of FWSM, to ensure that log messages accurately reflect who accessed the FWSM, do not use the enable command for access to exec mode, but instead use individual user IDs for initial access to user mode using the login command. Configure individual user accounts with the username command. The enable password can be rendered useless by setting the password to an unknown encrypted password string.



Configuring Console Access on FWSM to Use AAA (Optional)

Console access on the FWSM for AAA is an option, but is not required in the evaluated configuration.

For information about how to enable authentication and command authorization for system administrators, see the "AAA for System Administrators" section in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

Usernames are defined on the certified configuration and are used to separate the defined roles into separate individuals. Usernames are used for identifying to the certified configuration over the local session from the Supervisor module. Enter the username command to assign a password and a privilege level for a user. Privilege levels range from 0 (the lowest) through 15. System administrators usually have the highest privilege level.

username name {nopassword | password password [encrypted]} [privilege priv_level]

In the following example, the username is testuser:

username testuser password 12RsxXQnphyr/I9Z encrypted privilege 15

When the evaluated configuration is operating in multiple context mode, usernames are constrained to the individual context in which they were created.

For a complete description of the command syntax, see the Cisco FWSM Command Reference.


Note Local authentication is not an option for SSH authentication in the evaluation configuration. The administrator is also advised to never use the value none by itself for any authentication option. Use of the value none by itself removes the requirement for entering a password.


Idle Time Outs


Note Time outs must be set on the FWSM to a maximum of 30 minutes.


To set the idle timeout for a console connection to the FWSM, enter the console timeout command in global configuration mode.


Note The console timeout command is only available in the system context when operating in multiple context mode.


hostname system(config)# console timeout 30

To set the idle timeout for an SSH connection to the FWSM, use the ssh timeout command in global configuration mode.

hostname admin(config)# ssh timeout 30
hostname contexta(config)# ssh timeout 30

Configuring AAA for Telnet and FTP

To configure AAA for Telnet and FTP using cut-through proxies, you must configure the AAA server group and authentication settings first. After those settings are in effect, enable authentication of Telnet and FTP by entering the aaa authentication include {telnet, ftp} command. To configure AAA for Telnet and FTP, enter the following commands:


Note Running FTP and Telnet servers on non-standard ports will result in those flows not requiring authentication and is not to be allowed in the evaluated configuration.


hostname contexta(config)# aaa-server aaasrvgrp protocol radius
hostname contexta(config-aaa-server-group)# exit
hostname contexta(config)# aaa-server aaasrvgrp host 10.30.1.20
hostname contexta(config-aaa-server-host)# authentication-port 1645
hostname contexta(config-aaa-server-host)# timeout 10
hostname contexta(config-aaa-server-host)# retry-interval 2
hostname contexta(config-aaa-server-host)# exit
hostname contexta(config)# aaa authentication include telnet outside 0 0 0 0 aaasrvgrp
hostname contexta(config)# aaa authentication include ftp outside 0 0 0 0 aaasrvgrp
hostname contexta(config)# aaa authentication include telnet inside 0 0 0 0 aaasrvgrp
hostname contexta(config)# aaa authentication include ftp inside 0 0 0 0 aaasrvgrp
 
   

To ensure that separate sessions from a multi-user machine are not able to "piggy-back" on an existing authentication request, be sure that the timeout for authentication is set to 0, to disable caching of authentication data, as follows:

hostname contexta(config)# timeout uauth 0:00:00
 
   

Configuring SSH

The FWSM allows SSH connections to it for management purposes. The FWSM allows a maximum of five concurrent SSH connections per context, if available, with a maximum of 100 connections divided among all contexts. SSH sessions in the evaluated configuration must be authenticated using a single-use password solution, and not the local password database.

To configure SSH, perform the following steps:


Step 1 Configure authentication for SSH by entering the following command.

hostname contexta(config)# aaa authentication ssh console {server-group}
 
   

For information about configuring SSH, see the "Allowing SSH Access" section in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

By default, SSH allows Version 1 and Version 2. Always select Version 2. To specify the version number, enter the following command:

hostname(config)# ssh version 2 
 
   

Configuring Failover of FWSM


Note When using failover, be sure to configure an authentication password to be used between the two FWSM units by entering the failover key {secret | hex key} command. Ensure that the password used for the key complies with Password Complexity.

If intra-switch failover is configured, ensure that the failover connection between the two switches is physically protected and is not contained within a VLAN that includes any interfaces other than the specific FWSM failover interfaces.


For more information, see the "Configuring Failover" section in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

Inspecting ICMP

To configure the ICMP inspection engine, enter the inspect icmp command in class configuration mode. Class configuration mode is accessible from the policy map configuration mode. Enter the inspect icmp command to prevent ICMP traffic from passing through the firewall if the PFSS audit server fails, as follows:

hostname contexta(config)# class-map icmp-class
hostname contexta(config-cmap)# match default-inspection-traffic
hostname contexta(config-cmap)# exit
hostname contexta(config)# policy-map icmp_policy 
hostname contexta(config-pmap)# class icmp-class
hostname contexta(config-pmap-c)# inspect icmp 
hostname contexta(config-pmap-c)# exit
hostname contexta(config)# service-policy icmp_policy interface outside
 
   

Unicast RPF

To enable Unicast RPF, enter the ip verify reverse-path command in global configuration mode. Unicast RPF guards against IP spoofing (in which a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface, according to the routing table.

hostname contexta(config)# ip verify reverse-path interface outside
hostname contexta(config)# ip verify reverse-path interface inside
 
   

Same Security Traffic

The same-security-traffic command is not allowed in the evaluated configuration. When this command is enabled, traffic is allowed to pass between interfaces with the same security level, regardless of current security policy. When the same-security-traffic command is enabled, any AAA statements configured using "include" are bypassed.

Using the Syslog Server

The syslog server, also referred to in this document as PFSS, lets you view system log messages from a Windows 2000 system. If you have a Windows 2000 system, use of the syslog server gives you the additional benefit of reliability through receiving TCP event messages, receiving time-stamped messages, and the ability to monitor whether the server is up or down from the FWSM. The syslog server is available without cost from Cisco.com.

Your FWSM must send system log messages via TCP to a syslog server (also called the audit server). If the syslog server system disk becomes full, the FWSM will stop all new connections.

Ensure that the syslog server log files are backed up regularly to minimize the possibility of running out of disk space.


Note The Windows Server hosting the PFSS application shall only execute the PFSS applications and the host operating system required for base functionality. This server will be treated as a non-general purpose server and shall not execute any other general-purpose applications (database, web server, and so on).

The pfss514.exe file should be downloaded from Cisco.com and used to install the PFSS, which includes the PIX Firewall Syslog Service and the PFSS GUI for searching and sorting audit records.

Synchronize the time between the firewall and the Windows server to ensure that audit records can be correlated.


This section includes the following topics:

Verifying the Correct Version of PFSS

Using the Syslog Server (PFSS Active Mode)

Changing the Syslog Server Parameters at the Windows 2000 System

Recovering from the Syslog Server Disk-Full Condition

Verifying the Correct Version of PFSS

To verify the correct version of the PIX Firewall Syslog Service and search GUI, the administrator must stop the running service and use a utility to generate an MD5 hash for a binary file. Compare the results of the utility with the published MD5 values in the following table. Any discrepancy in this comparison indicates that the incorrect version of PFSS is in use.

File Name                                                          MD5
C:\Program Files\Cisco\PIX Firewall Syslog Server\syslogdm.exe     42fcb873427792fadc1917d99371fa03
C:\Program Files\Cisco\PIX Firewall Syslog Server\PFSS Search.exe  98e3b4f7f408062e8376e8cb4449c913


For more information about using the syslog server, see Configuring System Log Message Search Functions with the System Log Message Search (Log Searching Mode).

Using the Syslog Server (PFSS Active Mode)

To configure the FWSM to use the syslog server, perform the following steps:


Step 1 To have the FWSM stop passing traffic if the syslog server Windows 2000 disk becomes full or the system is unavailable, use the tcp option:

logging host interface ip_address tcp/port_number
 
   

Replace interface with the interface on which the server exists, ip_address with the IP address of the host, and port_number with the TCP port (if different from the default value of 1468). You can verify that FWSM traffic has been disabled because of a syslog server disk-full condition by using the show logging command and looking for the "disabled" keyword in the display.

Only one UDP or TCP command statement is permitted for a server. A subsequent command statement overrides the previous one. Use the write terminal command to view the logging host command statement in the configuration. In the configuration, the UDP protocol appears as "17" and TCP as "6."

Step 2 Create a logging list to specify messages by various criteria (logging level, event class, and message IDs). The list that you create must ensure that these events are logged: 106023, 109001 to 109014, 109021, 109023 to 109028, 111008, 111009, 113001, 113003, 113006, 113007, 199001, 199005, 199006, 201008, 502101 to 502103, 605004, 605005, and 611101 to 611104. Use the logging list command in global configuration mode:

logging list name {level level [class event_class] | message start_id[-end_id]} 
 
   

Step 3 Use the logging trap command in global configuration mode to specify which system log messages the security appliance sends to a syslog server by using the logging list that you created in Step 2:

logging trap [logging_list | level] 
 
   

We recommend that you use the debugging level during initial setup and during testing. Thereafter, set the level from debugging to errors for production use.

Step 4 If needed, set the logging facility command to a value other than its default of 20. Most UNIX systems expect the messages to arrive at facility 20, which corresponds to local4.

Step 5 Start sending messages with the logging enable command. To disable sending messages, use the no logging enable command.

If you want to stop sending a message to the syslog server, use the no logging message syslog_id command. Replace syslog_id with a syslog message ID.

Step 6 You must send time-stamped messages to the syslog server. Use the clock set command to set the FWSM system clock and the logging timestamp command to enable time stamping. For example:

clock set 14:25:00 oct 1 2005
logging timestamp
 
   

In this example, the clock is set to the current time of 2:25 pm on October 1, 2005, and time stamping is enabled.

Step 7 Use the no logging permit-hostdown command in global configuration mode to prevent traffic from passing if the syslog server is down or otherwise unavailable.

hostname(config)# no logging permit-hostdown
 
   

For a complete description of the command syntax, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
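The requirements in this section (idle timeouts of at most 30 minutes, SSH version 2, no same-security-traffic, TCP transport to the audit server, the required message IDs in the logging list, logging trap bound to that list, timestamps on, and no logging permit-hostdown) can be checked mechanically against a saved configuration. The following Python script is an added example, not Cisco code and not part of this document. Both configuration excerpts in it are constructed (the list name cc-audit and the addresses are hypothetical, and the system-context console timeout is merged with the context commands only to keep the example in one place); it resolves only the message entries of a logging list, not level-based ones.

```python
# Added example (not Cisco code, not part of this document): audit an FWSM
# configuration excerpt against the rules in this section. Both excerpts are
# constructed; the list name cc-audit and the addresses are hypothetical.
import re

# Message IDs the logging list must cover (inclusive ranges), from Step 2.
REQUIRED_IDS = set()
for spec in ("106023", "109001-109014", "109021", "109023-109028", "111008",
             "111009", "113001", "113003", "113006", "113007", "199001",
             "199005", "199006", "201008", "502101-502103", "605004",
             "605005", "611101-611104"):
    lo, _, hi = spec.partition("-")
    REQUIRED_IDS.update(range(int(lo), int(hi or lo) + 1))

MAX_IDLE_MINUTES = 30
LEVEL_NAMES = {"emergencies", "alerts", "critical", "errors", "warnings",
               "notifications", "informational", "debugging"} | set("01234567")

# Constructed excerpt; the system-context 'console timeout' is merged with the
# context commands only to keep the example in one place.
SAMPLE_CONFIG = """\
console timeout 30
ssh timeout 30
ssh version 2
logging timestamp
logging list cc-audit message 106023
logging list cc-audit message 109001-109014
logging list cc-audit message 109021
logging list cc-audit message 109023-109028
logging list cc-audit message 111008-111009
logging list cc-audit message 113001
logging list cc-audit message 113003
logging list cc-audit message 113006-113007
logging list cc-audit message 199001
logging list cc-audit message 199005-199006
logging list cc-audit message 201008
logging list cc-audit message 502101-502103
logging list cc-audit message 605004-605005
logging list cc-audit message 611101-611104
logging trap cc-audit
logging host inside 10.1.1.2 6/1468
"""

# The same excerpt with deviations introduced on purpose.
WEAK_CONFIG = (SAMPLE_CONFIG
               .replace("ssh timeout 30", "ssh timeout 0")
               .replace("logging host inside 10.1.1.2 6/1468", "logging host inside 10.1.1.2")
               .replace("logging list cc-audit message 605004-605005\n", "")
               + "same-security-traffic permit inter-interface\nlogging permit-hostdown\n")


def ids_from_logging_list(lines, list_name):
    """Expand 'logging list <name> message a[-b]' entries into a set of IDs
    (level-based entries are not resolved; that needs a severity table)."""
    pat = re.compile(r"^logging list %s message (\d+)(?:-(\d+))?$" % re.escape(list_name))
    ids = set()
    for m in filter(None, map(pat.match, lines)):
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        ids.update(range(lo, hi + 1))
    return ids


def audit_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    # Idle timeouts: required, 1-30 minutes (0 disables the timeout entirely).
    for cmd in ("console timeout", "ssh timeout"):
        vals = [int(l.split()[-1]) for l in lines if l.startswith(cmd + " ")]
        if not vals:
            findings.append("%s not set" % cmd)
        elif any(v == 0 or v > MAX_IDLE_MINUTES for v in vals):
            findings.append("%s must be 1-%d minutes, found %s" % (cmd, MAX_IDLE_MINUTES, vals))
    if "ssh version 2" not in lines:
        findings.append("ssh version 2 not set; SSH version 1 would be accepted")
    if any(l.startswith("same-security-traffic") for l in lines):
        findings.append("same-security-traffic present; it bypasses 'aaa ... include' statements")
    hosts = [l for l in lines if l.startswith("logging host ")]
    if not hosts:
        findings.append("no logging host configured")
    for h in hosts:
        # TCP is entered as 'tcp/port' and saved as '6/port'; anything else is UDP.
        if not re.search(r"\b(tcp|6)/\d+$", h):
            findings.append("syslog host not using TCP: %s" % h)
    if "logging permit-hostdown" in lines:
        findings.append("logging permit-hostdown set; traffic continues while the audit server is down")
    if "logging timestamp" not in lines:
        findings.append("logging timestamp missing")
    trap = next((l for l in lines if l.startswith("logging trap ")), None)
    if trap is None:
        findings.append("logging trap not configured")
    elif trap.split()[2] in LEVEL_NAMES:
        findings.append("logging trap uses a level, not a list; required-ID coverage not checked")
    else:
        missing = sorted(REQUIRED_IDS - ids_from_logging_list(lines, trap.split()[2]))
        if missing:
            findings.append("logging list %s missing IDs: %s" % (trap.split()[2], missing))
    return findings
```

Run audit_config() over the text of a saved configuration (write terminal output); SAMPLE_CONFIG returns no findings, and WEAK_CONFIG returns five. If logging trap names a level instead of a list, the script only reports that it cannot confirm coverage, because which IDs a level captures depends on each message's severity.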


Changing the Syslog Server Parameters at the Windows 2000 System

You can change the syslog server parameters at the Windows 2000 system. To do so, choose Start > Settings > Control Panel > Services.

All the syslog server parameter values can be viewed by examining the sass.log file, which the syslog server creates in the same directory as the syslog server log files.

The syslog server starts immediately after installation. You can use the Services control panel to enter new parameters, pause the service and then resume the service, or to stop and start the service.

Choose one or more parameters from the following options:

-d %_disk_full—The maximum percentage of how full the Windows 2000 system disk can become before the syslog server causes the FWSM to stop transmissions. This is an integer value in the range of 1 to 100. The default is 90.

-t tcp_port—The port that the Windows 2000 system uses to listen for TCP system log messages; the default is 1468. If you specify another port, it must be in the range of 1024 to 65535.

-u udp_port—The port that the Windows 2000 system uses to listen for UDP system log messages; the default is 514. If you specify another port, it must be in the range of 1024 to 65535.

-e disk_empty_watch_timer—The duration, in seconds, that the syslog server waits between checks to see if the disk partition is still empty. The default is five seconds, and the range is any number greater than zero.

-f disk_full_watch_timer—The duration, in seconds, that the syslog server waits between checks to see if the disk partition is still full. The default is three seconds, and the range is any number greater than zero.

To set %_disk_full to 35 percent and the disk-full timer to ten seconds, perform the following steps:


Step 1 Open the Services control panel.

Step 2 Choose the FWSM syslog server service.

Step 3 In the Startup Parameters Edit field, type -d 35 -f 10.

Step 4 Click Start.

Step 5 Press the Enter key to close the Services control panel without changing the parameters.


The syslog server stores system log messages in one of seven files: monday.log, tuesday.log, wednesday.log, thursday.log, friday.log, saturday.log, and sunday.log (according to the days of the week). If a week has already passed since the last log file was created, it will rename the old log file to weekday.mmddyy, where weekday is the current day, mm is the month, dd is the day, and yy is the year (for example, monday.103099).


Note The syslog server truncates system log messages longer than 512 characters in length.


Recovering from the Syslog Server Disk-Full Condition

When you send system log messages via TCP, the Windows 2000 disk may become full and the FWSM unit will stop its traffic. If the Windows 2000 file system is full, the Windows 2000 system beeps and the syslog server disables all TCP connections from the FWSM unit(s) by closing its TCP listen socket.

The FWSM tries to reconnect to the syslog server five times, and during the retry, it stops all new connections through the FWSM. You then need to back up all the log files to another disk or across the network. (While the syslog server is receiving messages, the log files must reside on the local disk.)

To recover from the disk-full condition, perform the following steps:


Step 1 Back up the files on the Windows 2000 system.

Step 2 On the FWSM, check that syslog is disabled with the show logging command. If the syslog server has disabled the connection, the display includes the disabled keyword.

Step 3 Restart logging with the logging host command:

logging host dmz1 10.1.1.2 tcp/1468
 
   

Step 4 Check that the server is now enabled with the show logging command. The disabled keyword should no longer be visible.


Configuring System Log Message Search Functions Using the System Log Message Search

You can search and sort system log messages based on dates and times, by syslog ID, and by source and destination IP addresses. You can also use the Advanced Option feature to search for system log messages based on port numbers, services, and interface names. Before you can use the procedures in this section, be sure to install the security appliance syslog server. For more information on installing the security appliance syslog server, see the Installing the PIX Firewall Syslog Server section in the Installation Guide for the Cisco Secure PIX Firewall, Version 5.0.

This section includes the following topics:

Setting Up the System Log Message Search Display

Configuring System Log Message Search Functions with the System Log Message Search (Log Searching Mode)

Searching System Log Messages Based on Syslog ID

Searching System Log Messages for Specific Commands Entered by the Administrator on the Supervisor

Searching System Log Messages Based on User ID

Searching Windows Audit Events

Searching System Log Messages Based on IP Address

Searching System Log Messages with the Advanced Option Feature

Setting Up the System Log Message Search Display

This section provides an overview of the FWSM system log message search display.

To access the FWSM system log message search application, perform the following steps:


Step 1 Click the PFSS Search.exe shortcut icon on your desktop. The FWSM system log message search application main window appears.

Step 2 In the View menu, choose Select Column. The Select Column dialog box opens.

Step 3 Check the appropriate check box to show optional column selections in the right window pane. Click any column heading to sort items in ascending or descending order.


Configuring System Log Message Search Functions with the System Log Message Search (Log Searching Mode)

You can search for system log messages based on specific dates and times. You can specify a single date or time, or you can specify a range of dates and times.

To search for system log messages based on specific dates and times, perform the following steps:


Step 1 Click the PFSS Search.exe shortcut icon on your desktop. The FWSM system log message search application main window appears.

Step 2 Check the Date check box and use the drop-down list in the Between field and the And field to enter a single date, or a range of dates.

Step 3 Check the Time check box and use the drop-down list in the Between field and the And field to enter a specific time, or a range of times.

Step 4 Click Search Now.


Searching System Log Messages Based on Syslog ID

You can search for system log messages based on specific syslog IDs.

To search for system log messages based on specific syslog IDs, perform the following steps:


Step 1 Click the PFSS Search.exe shortcut icon on your desktop. The FWSM system log message search application main window appears.

Step 2 In the Syslog ID field, enter the syslog ID string of the system log messages you want to include in the search.

Step 3 Click Search Now.


Searching System Log Messages for Specific Commands Entered by the Administrator on the Supervisor

Use the PFSS GUI to search for "AAA/AUTHOR/CMD" in the Syslog ID field, and optionally, user ID in the Services field. View the message detail to identify the event ID (shown in parentheses in the message detail). Review the appropriate system log message text file for command-specific details in the "tty1" messages, which do not appear in the PFSS GUI. An example of the flat file detail follows, with the unique event ID, 643142702:

Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): Port='tty1' list='' service=CMD
Mar 1 14:47:32.237 edt: AAA/AUTHOR/CMD: tty1 (643142702) user='user15'
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV service=shell
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV cmd=logging
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV cmd-arg=console
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV cmd-arg=informational
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV cmd-arg=<cr>
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): found list "default"
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): Method=IF_AUTHEN
Mar 1 14:47:32.237 edt: AAA/AUTHOR (643142702): Post authorization status = PASS_ADD
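The GUI search returns the AAA/AUTHOR/CMD records, but the command itself has to be reassembled from the cmd and cmd-arg attribute-value pairs in the flat file. The following Python script is an added example, not part of this document or of PFSS: it groups the flat-file lines by the event ID in parentheses, rebuilds the command line, and filters by user ID the way a Services-field search would. SAMPLE_LOG is a constructed copy of the excerpt above; the function and field names are the example's own.

```python
# Added example (not part of this document or of PFSS): reconstruct which
# commands an administrator ran on the Supervisor from the AAA/AUTHOR/CMD
# lines of a PFSS flat log file, keyed by the event ID in parentheses.
# SAMPLE_LOG is a constructed copy of the excerpt in this section.
import re

SAMPLE_LOG = """\
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): Port='tty1' list='' service=CMD
Mar 1 14:47:32.237 edt: AAA/AUTHOR/CMD: tty1 (643142702) user='user15'
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV service=shell
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV cmd=logging
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV cmd-arg=console
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV cmd-arg=informational
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): send AV cmd-arg=<cr>
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): found list "default"
Mar 1 14:47:32.237 edt: tty1 AAA/AUTHOR/CMD (643142702): Method=IF_AUTHEN
Mar 1 14:47:32.237 edt: AAA/AUTHOR (643142702): Post authorization status = PASS_ADD
"""

EVENT_RE = re.compile(r"\((\d+)\)")                  # unique event ID
USER_RE = re.compile(r"user='([^']*)'")
PORT_RE = re.compile(r"Port='([^']*)'")
CMD_RE = re.compile(r"send AV cmd=(\S+)")            # first word of the command
ARG_RE = re.compile(r"send AV cmd-arg=(\S+)")        # each argument; '<cr>' ends it
STATUS_RE = re.compile(r"Post authorization status = (\S+)")


def parse_author_events(text):
    """Group AAA/AUTHOR lines by event ID.

    Returns {event_id: {"time", "port", "user", "words", "status"}}; "words"
    holds the command and its arguments in the order the AV pairs were sent."""
    events = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "AAA/AUTHOR" not in line:
            continue                     # unrelated syslog traffic in the same file
        m = EVENT_RE.search(line)
        if not m:
            continue
        rec = events.setdefault(m.group(1), {
            "time": line.split(": ", 1)[0], "port": None, "user": None,
            "words": [], "status": None})
        for regex, key in ((USER_RE, "user"), (PORT_RE, "port"), (STATUS_RE, "status")):
            f = regex.search(line)
            if f:
                rec[key] = f.group(1)
        f = CMD_RE.search(line) or ARG_RE.search(line)
        if f and f.group(1) != "<cr>":
            rec["words"].append(f.group(1))
    return events


def command_string(rec):
    """Rebuild the command line the administrator typed from the AV pairs."""
    return " ".join(rec["words"])


def commands_by_user(events, user):
    """All (time, event_id, command, status) tuples for one user ID, the same
    narrowing a user-ID search in the Services field of the PFSS GUI gives."""
    return [(r["time"], eid, command_string(r), r["status"])
            for eid, r in sorted(events.items()) if r["user"] == user]
```

Feed it the text of the relevant weekday .log file; for the excerpt above it yields one event, 643142702, in which user15 on tty1 ran "logging console informational" and authorization returned PASS_ADD. Keying on the event ID rather than on the timestamp matters because every line of one authorization carries the same millisecond timestamp, and concurrent administrator sessions would interleave.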

Searching System Log Messages Based on User ID

To search for a specific user identifier, enter the user identifier in the Services field of the PFSS GUI.

Searching Windows Audit Events

See the Windows 2000 EAL4 Administrator Guidance "Audit Management" section for details about using the Event Viewer to view audit records.

Searching System Log Messages Based on IP Address

You can search for system log messages from a specific source IP address to a specific destination address. You can specify either a single IP address to search for, or a range of addresses.

To search for system log messages from a source IP address to a destination address, perform the following steps:


Step 1 Click the PFSS Search.exe shortcut icon on your desktop. The FWSM system log message search application main window appears.

Step 2 Click IP Address. The IP Address dialog box opens in the left pane. (You may have to scroll to view the IP Address fields.)

Step 3 To specify a single IP address as the search criteria, perform the following steps:

a. In the Source IP Address From field, enter the single IP address.

b. In the Destination IP Address From field, enter the same IP address.

Step 4 To specify a range of IP addresses as the search criteria, perform the following steps:

a. In the Source IP Address From field, enter the lower IP address range value.

b. In the Source IP Address To field, enter the higher IP address range value.

c. In the Destination IP Address From field, enter the lower IP address range value.

d. In the Destination IP Address To field, enter the higher IP address range value.

Step 5 Click Search Now.


Searching System Log Messages with the Advanced Option Feature

You can search for system log messages using the Advanced Option feature. The Advanced Option feature allows you to search for system log messages based on port numbers, services, and interface names. You can specify either a single port as search criteria, or a range of ports.

To search for system log messages using the Advanced Option feature, perform the following steps:


Step 1 Click the PFSS Search.exe shortcut icon on your desktop. The FWSM system log message search application main window appears.

Step 2 Click Advanced Option. The Advanced Option dialog box opens in the left pane. (You may have to scroll the left pane to view the Advanced Option fields.)

Step 3 To specify a single port as the search criterion, enter the single port number in the Port No. field.

Step 4 To specify a range of ports as the search criteria:

a. In the left Port No. field (separated by a —), enter the lower port range value.

b. In the right Port No. field, enter the higher port range value.

c. Click Search Now.

Step 5 To specify a service name as the search criterion:

a. Enter the service name in the Services field.

b. Click Search Now.

Step 6 To specify an interface name as the search criterion:

a. Enter the interface name in the Interface Name field.

b. Click Search Now.


MD5 Hash Value for the Evaluated Configuration

The evaluated configuration includes both IOS and FWSM software. The MD5 File Validation feature allows you to generate the MD5 hash for a software image stored on your chassis and compare it to the value posted on Cisco.com to verify that the image on your chassis is not corrupted.

You can obtain the MD5 value for your system image from the Software Center at Cisco.com.

Image Name                                      MD5 Hash
c6svc-fwm-k9.3-1-3-17.bin                       9e68c34a7fcb0fb093404e5db84bc56b
s72033-adventerprisek9_wan-mz.122-18.SXF5.bin   b4cc5ce4383d6787d81d8b85870d057e
s222-adventerprisek9_wan-mz.122-18.SXF5.bin     8bd537cd4207473f43b8835105af0ab3
s3223-adventerprisek9_wan-mz.122-18.SXF5.bin    34caaed23e0969e6057dad9ce1807423
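Both this table and the PFSS table in "Verifying the Correct Version of PFSS" ask the administrator to compare an MD5 hash of a file on disk with a published value. The following Python script is an added example, not Cisco tooling and not part of this document: it hashes each listed file in chunks and reports ok, MISMATCH or MISSING for each. PUBLISHED copies the file names and hash values printed in this document (the image entries apply to a downloaded image before it is copied to the chassis, where the on-chassis MD5 File Validation repeats the check); write_constructed_file() exists only to demonstrate on constructed input.

```python
# Added example (not Cisco tooling, not part of this document): compare files
# against the published MD5 values in the two tables of this document.
# PUBLISHED copies the file names and hashes from the document; the temp-file
# helper at the bottom only produces constructed demo input.
import hashlib
import hmac
import os
import tempfile

PUBLISHED = {
    r"C:\Program Files\Cisco\PIX Firewall Syslog Server\syslogdm.exe":
        "42fcb873427792fadc1917d99371fa03",
    r"C:\Program Files\Cisco\PIX Firewall Syslog Server\PFSS Search.exe":
        "98e3b4f7f408062e8376e8cb4449c913",
    "c6svc-fwm-k9.3-1-3-17.bin": "9e68c34a7fcb0fb093404e5db84bc56b",
    "s72033-adventerprisek9_wan-mz.122-18.SXF5.bin": "b4cc5ce4383d6787d81d8b85870d057e",
    "s222-adventerprisek9_wan-mz.122-18.SXF5.bin": "8bd537cd4207473f43b8835105af0ab3",
    "s3223-adventerprisek9_wan-mz.122-18.SXF5.bin": "34caaed23e0969e6057dad9ce1807423",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so a large image is not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_files(expected):
    """Return {path: 'ok' | 'MISMATCH <actual>' | 'MISSING'} for each entry."""
    results = {}
    for path, want in expected.items():
        if not os.path.isfile(path):
            results[path] = "MISSING"
            continue
        got = md5_of_file(path)
        # Normalise case and whitespace, then compare in constant time.
        if hmac.compare_digest(got.lower(), want.strip().lower()):
            results[path] = "ok"
        else:
            results[path] = "MISMATCH %s" % got
    return results


def all_verified(expected):
    """True only if every listed file exists and matches its published hash."""
    return all(v == "ok" for v in verify_files(expected).values())


def write_constructed_file(content):
    """Write bytes to a temporary file (constructed demo input) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    for path, status in verify_files(PUBLISHED).items():
        print(status.ljust(40), path)
```

Call verify_files(PUBLISHED) on the Windows server (after stopping the PIX Firewall Syslog Service, as the PFSS section requires) or on the workstation holding the downloaded images; all_verified() gives a single go/no-go result for scripting. MD5 is used because the published values are MD5; it reliably catches a corrupted or wrong-version file, which is what this comparison is for.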


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.