Table Of Contents
Firewall Services
ISC Firewall Provisioning Features
Creating Firewall Policies
Specifying General Parameters
Creating Access Rules
Specifying Inspection Rules
Applying URL Filtering
Specifying a Syslog Server
Specifying Authentication Proxy
Creating Firewall Service Requests
Adding Templates To Service Requests (Optional)
Firewall Services
This chapter contains the following sections:
• ISC Firewall Provisioning Features
• Creating Firewall Policies
• Creating Firewall Service Requests
Note
Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each target device as a CPE device.
CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you must define at least one outside and one inside interface on each CPE device.
For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.
ISC Firewall Provisioning Features
The following features are supported by ISC firewall provisioning:
• Access Rules - Also referred to as access control lists, access rules filter network traffic by controlling whether IP packets are forwarded or blocked at a specified device interface. The device examines each packet and forwards or drops it according to the criteria you specify in the firewall policy. Access list criteria can be source or destination addresses, upper-layer protocols, or other packet content.
• Inspection Rules
  – CBAC: A Cisco IOS-only feature. Context-based Access Control (CBAC) examines not only network layer and transport layer information, but also application-layer protocol information (such as FTP information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and to dynamically create and delete temporary openings in the firewall. For more information, refer to the following URL:
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1826/products_feature_guide09186a0080080f4d.html#xtocid13
  – Fixup: A PIX Firewall-only feature. Fixups are PIX Firewall inspection rules, equivalent to CBAC. For more information, refer to the following URL:
  http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb727.html
• URL filtering - This feature enables your Cisco IOS and PIX Firewalls to interact with Websense or N2H2 URL filtering software, allowing you to prevent users from accessing specified web sites.
• Exclusive domain filtering - Cisco IOS Firewall includes an exclusive domain feature that enables you to permit or deny a particular URL; this feature requires Cisco IOS Software Release 12.2 or later.
• Syslog enabling - Messages produced by CPE devices that usually go to the console can be collected and stored by sending them to a syslog server. Syslogs enable you to gather information about traffic and performance, analyze logs for suspicious activity, and troubleshoot problems. All syslog messages have a logging facility and a message level.
• Authentication Proxy - A Cisco IOS-only feature. The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Users can be identified and authorized on the basis of their per-user policy, as opposed to a general policy applied across multiple users. A AAA server is required to use this feature.
Creating Firewall Policies
Provisioning firewalls with ISC requires creating a firewall policy. The policy is a set of attributes or configuration settings that can be translated into configuration for Cisco IOS routers and PIX Firewalls in your network. A policy can be global or customer-specific. Additionally, policies can inherit attributes from parent policies and be tailored to meet specific firewall configuration requirements. Once created, the firewall policy can be applied to multiple service requests and is not hardware-specific.
Note
Once the policies have been created, they can be used in service requests. Each policy can be used multiple times, speeding up service provisioning and providing consistency.
Although policies can be edited on a per-service request basis, if you modify a policy, you must Force Deploy any associated service requests to update the policy in those service requests.
To create a Firewall Service Policy, perform the steps in the following sections:
• Specifying General Parameters
• Creating Access Rules
• Specifying Inspection Rules
• Applying URL Filtering
• Specifying a Syslog Server
• Specifying Authentication Proxy
Specifying General Parameters
Step 1
Click Home > Service Design > Policy Manager. The Policies page appears. If you have no policies defined, the Policies page appears as shown in Figure 6-1.
Figure 6-1 The Policies Page With No Policies Defined
If you have policies already defined, all previously defined policies will appear on the Policies page as shown in Figure 6-2.
Figure 6-2 The Policies Page Populated With Policies
Step 2
Click Create > Firewall Policy. The Firewall Policy - General page appears as shown in Figure 6-3. Enter the values for your firewall policy fields by following the instructions in Table 6-1.
Figure 6-3 The Firewall Policy - General Page

Table 6-1 Firewall Policy Fields
Field Name | Type | Instructions
Policy Name | text box | Enter a name for the policy.
Policy Owner | radio button | Specify whether the policy is global by clicking Global, or customer owned by clicking Customer. If you select Customer, you are required to specify the owner. To do this, click Select. When you click Customer > Select, the Customer for Policy Owner Selection dialog box appears as shown in Figure 6-4. Click the button next to the customer you want to select and click Select to return to the Firewall Policy - General page, or click Cancel to exit the dialog box without saving changes.
Parent Policy | drop-down list | (Optional) You can specify a parent policy. Policies can be hierarchical. If policies conflict, parent policies override child policies unless you specify otherwise.
Sysopt Connection permit-ipsec | checkbox | Applicable to PIX Firewalls. Select this option if you want to permit IPsec traffic through the firewall.
Figure 6-4 Customer for Policy Owner Selection Dialog Box
Step 3
Click Next to continue.
Creating Access Rules
Before creating access rules, decide what traffic you want to allow through the device and what traffic you want to block. Once you have done this, continue with this section.
Step 1
The Firewall Policy - Access Rules page appears as shown in Figure 6-5 (because you clicked Next on the Firewall Policy - General page).
Note
Alternately, if you are modifying an existing policy, click Service Design > Policy Manager > Create > Firewall Policy. Select the name of the policy and click Edit > Next to access the Firewall Policy - Access Rules page.
Figure 6-5 The Firewall Policy - Access Rules Page
Note
Access rules 1 and 2 are example access rules. Remove these rules before production deployment because they permit traffic to flow into your network by default.
Additionally, you must create an access rule to allow management traffic to flow through to the device.
Step 2
To create a new access rule, click Create. The Firewall Access Rule Editor dialog box appears as shown in Figure 6-6.
Figure 6-6 Firewall Access Rule Editor Dialog Box

Table 6-2 Firewall Access Rule Editor Fields
Field Name | Type | Instructions
Policy Name | non-editable field | This is the name of the firewall policy, which you specified at the start of creating this policy.
Source | combo box | Specify the source address. The source address can be specified in three ways:
  • Enter the address in a.b.c.d/n format, where a.b.c.d is the subnet and n is the subnet mask length.
  • Enter any in the source field.
  • Select a network object by clicking Add. The Network Objects dialog box appears, as shown in Figure 6-7. Check the network object you want to use and click Select. (Network objects are created at Home > Service Design > Network Objects Manager.) For more information on creating network objects, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.
Destination | combo box | Specify the destination address. The destination address can be specified in three ways:
  • Enter the address in a.b.c.d/n format, where a.b.c.d is the subnet and n is the subnet mask length.
  • Enter any in the destination field.
  • Select a network object by clicking Add. The Network Objects dialog box appears, as shown in Figure 6-7. Check the network object you want to use and click Select. (Network objects are created at Home > Service Design > Network Objects Manager.) For more information on creating network objects, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.
Access Direction | drop-down list | Specify the direction of traffic you want to monitor. If traffic is coming into the interface, select Inbound. If traffic is leaving the interface, select Outbound.
Service | combo box | Specify which protocols to monitor. A default set of protocols and protocol bundles is provided, but additional protocols can be added or the defaults modified. To choose a specific protocol, click Add Protocols. The Add Protocols dialog box appears as shown in Figure 6-8. Check the box for a protocol, or multiple boxes for multiple protocols, and click Select. To add a group of protocols, click Add Protocol Bundles. The Add Protocol Bundles dialog box appears with the list of predefined protocol bundles, as shown in Figure 6-9. Check the box for a protocol bundle, or multiple boxes for multiple protocol bundles, and click Select.
Service Direction | drop-down list | Specify the service direction. The options are as follows:
  • Normal - The source port is not substituted for the destination port upon reply.
  • Reverse - Substitutes the destination port (from the request) with the source port upon reply.
Action | drop-down list | Specify the action to take when monitored traffic is encountered. The options are as follows:
  • Select Permit when you want to allow traffic through the interface.
  • Select Deny when you want to block traffic through the interface.
Interface | drop-down list | Specify the interface(s) to which to apply the rule. The options are as follows:
  • Inside - The inside interface.
  • Outside - The outside interface.
  • DMZ1 - The DMZ interface. (There can be multiple DMZ interfaces.)
Can child policy override this rule? | checkbox | Specify whether or not a child policy can override this rule. If yes, put a check mark. If not, leave it blank. Normally the parent policy takes precedence.
Comment | text box | (Optional) You can enter any comments here.
Save | button | Click Save when done to save changes and close the dialog box.
Cancel | button | Click Cancel to exit the dialog box without saving changes.
Figure 6-7 Network Objects Dialog Box
Figure 6-8 Add Protocols Dialog Box
Figure 6-9 Add Protocol Bundles Dialog Box
Step 3
When done, click Save.
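The fields in Table 6-2 correspond closely to Cisco IOS extended access lists. As an added illustration (this is not ISC's own configlet generator or any Cisco code), the following Python script renders a list of such rules into IOS access-list and ip access-group lines, converting the a.b.c.d/n notation into the wildcard-mask form IOS expects. The AccessRule fields, the proto/port service notation, the device type strings and the interface-name mapping are assumptions made for this example; it also appends an explicit, logged deny so that the implicit deny at the end of every IOS access list is visible in the log server described later in this chapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AccessRule:
    """One row of the Firewall Access Rule Editor (Table 6-2); field values are
    assumed spellings for this example, not ISC's internal representation."""
    source: str        # "a.b.c.d/n" or "any"
    destination: str   # "a.b.c.d/n" or "any"
    direction: str     # "Inbound" or "Outbound" (relative to the interface)
    service: str       # "tcp/80", "udp/53", "tcp/1024-65535", "icmp", "ip"
    action: str        # "Permit" or "Deny"
    interface: str     # "Inside", "Outside" or "DMZ1"


def render_address(addr: str) -> str:
    """Convert ISC a.b.c.d/n notation to the IOS 'network wildcard' form."""
    if addr.strip().lower() == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    # hostmask is the inverse of the subnet mask, i.e. the IOS wildcard mask
    return f"{net.network_address} {net.hostmask}"


def render_service(service: str) -> Tuple[str, str]:
    """Split 'proto[/port[-port]]' into an IOS protocol keyword and port clause."""
    proto, _, ports = service.lower().partition("/")
    if proto not in ("tcp", "udp", "icmp", "ip"):
        raise ValueError(f"unsupported protocol: {proto}")
    if not ports:
        return proto, ""
    if proto not in ("tcp", "udp"):
        raise ValueError("port numbers are only valid for tcp/udp")
    lo, _, hi = ports.partition("-")
    return proto, (f" range {int(lo)} {int(hi)}" if hi else f" eq {int(lo)}")


def render_policy(rules: List[AccessRule], iface_map: Dict[str, str],
                  base: int = 101) -> List[str]:
    """Emit one numbered extended ACL per (interface, direction) and bind it with
    'ip access-group'. Rule order is preserved because IOS ACLs are first-match."""
    groups: Dict[Tuple[str, str], List[AccessRule]] = {}
    for r in rules:
        if r.direction not in ("Inbound", "Outbound") or r.action not in ("Permit", "Deny"):
            raise ValueError(f"bad direction/action in rule: {r}")
        groups.setdefault((r.interface, r.direction), []).append(r)
    lines: List[str] = []
    for n, ((iface, direction), grp) in enumerate(groups.items(), start=base):
        for r in grp:
            proto, ports = render_service(r.service)
            lines.append(f"access-list {n} {r.action.lower()} {proto} "
                         f"{render_address(r.source)} {render_address(r.destination)}{ports}")
        # IOS ends every ACL with an implicit 'deny ip any any'; make it explicit
        # and logged so blocked traffic shows up on the syslog server.
        lines.append(f"access-list {n} deny ip any any log")
        lines.append(f"interface {iface_map[iface]}")
        lines.append(f" ip access-group {n} {'in' if direction == 'Inbound' else 'out'}")
    return lines


if __name__ == "__main__":
    # Constructed sample rules: a management rule (see the note above), a web
    # server rule, and a permit for outbound traffic from the inside network.
    demo = [
        AccessRule("203.0.113.10/32", "192.0.2.1/32", "Inbound", "tcp/22", "Permit", "Outside"),
        AccessRule("any", "192.0.2.0/24", "Inbound", "tcp/80", "Permit", "Outside"),
        AccessRule("10.0.0.0/8", "any", "Outbound", "ip", "Permit", "Outside"),
    ]
    print("\n".join(render_policy(demo, {"Outside": "FastEthernet0/1"})))
```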
Specifying Inspection Rules
Step 1
Click Next to continue. The Firewall Policy - Inspect Rules page appears as shown in Figure 6-10.
Note
Alternately, if you are modifying an existing policy, click Service Design > Policy Manager > Create > Firewall Policy. Select the name of the policy and click Edit > Next > Next to access the Firewall Policy - Inspect Rules page.
Figure 6-10 The Firewall Policy - Inspection Rules Page
Step 2
There are two default inspection rules, one for TCP and one for UDP traffic. To add additional rules, click Create. The Firewall Policy - Inspection Rule Editor dialog box appears as shown in Figure 6-11.
Figure 6-11 Firewall Inspection Rule Editor Dialog Box
Table 6-3 Firewall Inspection Rule Editor Fields
Field Name | Type | Instructions
Application | drop-down list | Specify the applications for which to inspect packets. Choose applications from the drop-down list. Depending on which applications you choose, some of the following fields will require you to enter information.
Port | text box | Enter a port. Some applications require you to specify a port.
End Port | text box | (Optional) If you want to monitor a port range, enter the ending port number of the range here.
RPC Program Number | text box | If grayed out, you do not need to enter an RPC number. Otherwise, enter the RPC program number for the protocol.
Save | button | Click Save when done to save changes and close the dialog box.
Cancel | button | Click Cancel to exit the dialog box without saving changes.
Step 3
Click Save.
Applying URL Filtering
For Cisco IOS and PIX Firewall devices, you can perform URL filtering by linking to third-party software, either N2H2 or Websense. To use this feature, you must specify the location of the server running the URL filtering software.
For Cisco IOS devices only, if you have a URL pattern that you want to filter out, you can enter the URL pattern in the URL Exclusive Domains section of the URL Filtering page.
Step 1
Click Next to continue. The Firewall Policy - URL Filtering page appears as shown in Figure 6-12.
Note
Alternately, if you are modifying an existing policy, click Service Design > Policy Manager > Create > Firewall Policy. Select the name of the policy and click Edit > Next > Next > Next to access the Firewall Policy - URL Filtering page.
Figure 6-12 The Firewall Policy - URL Filtering Page
Step 2
Follow the instructions in Table 6-4 to apply URL filtering.
Table 6-4 Firewall Policy - URL Filtering Fields
Field Name | Type | Instructions
Enable URL Filtering | checkbox | To turn on URL filtering, put a check mark in this field.
Vendor Name | drop-down list | Choose the third-party URL filtering software vendor name, either Websense or N2H2.
Timeout | text box | Enter a timeout value to specify how long to wait without getting a response from the URL filtering (Websense or N2H2) server before timing out.
Interface | drop-down list | Specify the device interface on which the third-party software is located.
Server IP Address | combo box | To specify the URL server IP address, click Create. This launches the Firewall URL Server Editor dialog box, as shown in Figure 6-13. Follow the instructions in Table 6-5.
URL Exclusive Domains | combo box | For Cisco IOS devices only; check that the Cisco IOS version you are running supports this feature. To add a URL to the filtering list, click Create. This launches the Firewall URL Exclusive Domain Editor dialog box, as shown in Figure 6-15. Follow the instructions in Table 6-6.
Figure 6-13 Firewall URL Server Editor Dialog Box

Table 6-5 Firewall URL Server Editor Fields
Field Name | Type | Instructions
Server IP Address | combo box | There are two ways to enter the server IP address. You can do either of the following:
  • Enter the server address directly into the text box, or
  • If you want to use a previously defined network object, click Select and the Network Objects dialog box appears as shown in Figure 6-14. Click the button next to the predefined network object that contains the server IP address and click Select, or click Cancel to exit the dialog box without saving changes. (Network objects are created at Home > Service Design > Network Objects Manager.) For more information on creating network objects, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.
Port | text box | Enter the port on which you want to filter traffic.
Protocol | drop-down list | Select the protocol you want to filter.
Save | button | Click Save when done to save changes and close the dialog box.
Cancel | button | Click Cancel to exit the dialog box without saving changes.
Figure 6-14 Network Objects Dialog Box
Figure 6-15 Firewall URL Exclusive Domain Editor Dialog Box
Table 6-6 Firewall URL Exclusive Domain Editor Fields
Field Name | Type | Instructions
URL Pattern | text box | Enter a URL pattern you want to filter.
Action | drop-down list | Select Permit to allow traffic to pass through from the URL you entered, or select Deny to block traffic from that URL.
Comment | text box | (Optional) Enter any comments. Click Save when done to close the dialog box.
Save | button | Click Save when done to save changes and close the dialog box.
Cancel | button | Click Cancel to exit the dialog box without saving changes.
Step 3
Click Next to continue.
Specifying a Syslog Server
The Firewall Policy - Syslog page allows you to specify the syslog facility and syslog level to use for syslog messages, the interface through which to send syslog messages, and the IP address of the syslog server. To specify these syslog attributes, perform the following steps:
Step 1
After clicking Next on the URL Filtering page, the Firewall Policy - Syslog page appears as shown in Figure 6-16.
Note
Alternately, if you are modifying an existing policy, click Service Design > Policy Manager > Create > Firewall Policy. Select the name of the policy and click Edit > Next > Next > Next > Next to access the Firewall Policy - Syslog page.
Figure 6-16 The Firewall Policy - Syslog Page
Table 6-7 Firewall Policy - Syslog Fields
Field Name | Type | Instructions
Enable Syslog | checkbox | Check to enable system logging. You must check this box before you can set the syslog options.
Syslog Facility | drop-down list | Specify the type of syslog facility you want to use. The options are as follows:
  • For Cisco IOS devices only - cron, daemon, kern, lpr, mail, news, or sys9 through sys14.
  • For Cisco IOS and PIX Firewall devices - local0 through local7.
Syslog Level | drop-down list | Specify the level of system logging you want to see. The options are emergencies, alerts, critical, errors, warnings, notifications, informational, and debugging.
Timestamp | checkbox | To enable a timestamp on the log, put a check mark in the box.
Log Server IP Address | combo box | To add a log server, click Create. The Firewall Log Server Editor dialog box appears as shown in Figure 6-17. Follow the directions in Table 6-8.
Figure 6-17 Firewall Log Server Editor Dialog Box

Table 6-8 Firewall Log Server Editor Fields
Field Name | Type | Instructions
Server IP Address | combo box | There are two ways to enter the server IP address. You can do either of the following:
  • Enter the server address directly into the text box, or
  • If you want to use a previously defined network object, click Select and the Network Objects dialog box appears as shown in Figure 6-18. Click the button next to the predefined network object that contains the server IP address and click Select, or click Cancel to exit the dialog box without saving changes. (Network objects are created at Home > Service Design > Network Objects Manager.) For more information on creating network objects, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.
Interface | drop-down list | Select the interface on which the log server is located.
Save | button | Click Save when done to save changes and close the dialog box.
Cancel | button | Click Cancel to exit the dialog box without saving changes.
Figure 6-18 Network Objects Dialog Box
Step 2
Click Next to continue.
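The Syslog Level in Table 6-7 is a threshold, not a single level: a device forwards every message whose severity is at least as urgent as the level chosen, so selecting errors silently drops the informational-level access list deny messages that the logged deny in an access rule would produce. As an added illustration (not part of the ISC documentation or product), the following Python script encodes the facility and level choices from Table 6-7, checks a chosen facility against the device type, and shows on constructed Cisco IOS-format sample messages which of them a given level actually forwards; the device type strings "ios" and "pix" and the sample messages are assumptions for this example.

```python
import re
from typing import List

# Syslog levels exactly as offered in Table 6-7, in IOS severity order
# (index 0 = emergencies, index 7 = debugging).
SYSLOG_LEVELS = ["emergencies", "alerts", "critical", "errors",
                 "warnings", "notifications", "informational", "debugging"]

# Facilities from Table 6-7: the first set is offered for Cisco IOS devices only,
# local0 through local7 for both Cisco IOS and PIX Firewall devices.
IOS_ONLY_FACILITIES = {"cron", "daemon", "kern", "lpr", "mail", "news",
                       *[f"sys{i}" for i in range(9, 15)]}
COMMON_FACILITIES = {f"local{i}" for i in range(8)}

# Cisco IOS system messages carry their severity in a %FACILITY-SEVERITY-MNEMONIC tag.
MSG_TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")


def validate_syslog_policy(facility: str, level: str, device_type: str) -> List[str]:
    """Return the problems with a (facility, level, device type) combination;
    an empty list means the choice is valid for that device type."""
    problems: List[str] = []
    if device_type not in ("ios", "pix"):            # assumed type strings
        problems.append(f"unknown device type {device_type!r}")
    elif facility in IOS_ONLY_FACILITIES and device_type == "pix":
        problems.append(f"facility {facility} is available on Cisco IOS only")
    elif facility not in IOS_ONLY_FACILITIES | COMMON_FACILITIES:
        problems.append(f"unknown facility {facility!r}")
    if level not in SYSLOG_LEVELS:
        problems.append(f"unknown level {level!r}")
    return problems


def forwarded_messages(level: str, lines: List[str]) -> List[str]:
    """Keep only the messages a device would send to the log server at the given
    level: a message is forwarded when its severity number <= the level's number."""
    threshold = SYSLOG_LEVELS.index(level)
    kept: List[str] = []
    for line in lines:
        m = MSG_TAG.search(line)
        if m and int(m.group(2)) <= threshold:
            kept.append(line)
    return kept


# Constructed sample messages in IOS format (not captured from a real device).
SAMPLE_LOG = [
    "%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4444) -> 192.0.2.1(23), 1 packet",
]

if __name__ == "__main__":
    print(validate_syslog_policy("cron", "errors", "pix"))
    for lvl in ("errors", "notifications", "informational"):
        n = len(forwarded_messages(lvl, SAMPLE_LOG))
        print(f"level {lvl}: {n} of {len(SAMPLE_LOG)} sample messages forwarded")
```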
Specifying Authentication Proxy
The Authentication Proxy page allows you to enable an authentication proxy. An external AAA server is required, so you must have one already in your ISC repository before you can use this feature. For more information on adding devices to your ISC repository, refer to the Cisco IP Solution Center Infrastructure Getting Started Guide, 3.0.
Step 1
After clicking Next on the Syslog page, the Firewall Policy - Authentication Proxy page appears as shown in Figure 6-19. Follow the instructions in Table 6-9.
Note
Alternately, if you are modifying an existing policy, click Service Design > Policy Manager > Create > Firewall Policy. Select the name of the policy and click Edit > Next > Next > Next > Next > Next to access the Firewall Policy - Authentication Proxy page.
Figure 6-19 The Firewall Policy - Authentication Proxy Page

Table 6-9 Firewall Policy - Authentication Proxy Fields
Field Name | Type | Instructions
Enable Authentication Proxy | checkbox | Check to enable the authentication proxy. You must check this box before you can set the authentication options.
AAA Server | button | Click Select to specify a AAA server. The AAA Server for AAA Server Selection dialog box appears as shown in Figure 6-20. Click the radio button next to the AAA server you want to select, and click Select. If the AAA server you want to select is not listed, you need to define it. Refer to the Cisco IP Solution Center Infrastructure Getting Started Guide, 3.0 for more information on how to add a AAA server to your repository.
Use Local Order | drop-down list | Specify the local order. There are three choices:
  • None - Only use the AAA server.
  • Before - Authenticate using the local database first, and then use the AAA server.
  • After - Authenticate using the AAA server and, if authentication fails, use the local database.
Interface | drop-down list | Specify the interface on which the AAA server resides:
  • Inside - The inside interface.
  • Outside - The outside interface.
  • DMZ1 - The DMZ interface. (There can be multiple DMZ interfaces.)
Protocols | Add/Remove selections | Select the protocols in Available Protocols for which you want to authenticate users and click Add. You can select the following:
  • http - HTTP.
  • telnet - Telnet.
  • ftp - FTP.
  If you accidentally add a protocol to Selected Protocols that you do not want to use to authenticate users, select the protocol and click Remove.
Figure 6-20 AAA Server for AAA Server Selection Dialog Box
Step 2
Click Finish when done. Confirmation that your policy has been created is displayed in the Status box in the lower-left corner of the page, as shown in Figure 6-21.
Figure 6-21 The Policies Page After Successfully Creating A Policy
Creating Firewall Service Requests
Once you have created a firewall policy, follow the steps below to create a firewall service request:
Note
Before you continue, check that the CPE device has its interfaces marked and all network objects for it have been defined. If not, adding the CPE device into the service request will fail.
Step 1
Click Home > Service Inventory > Inventory and Connection Manager > Service Requests. The Service Requests page appears.
Figure 6-22 The Service Requests Page
Step 2
Click Create > Firewall. The Select Policy page appears as shown in Figure 6-23.
Figure 6-23 The Select Policy Page
Step 3
Check the radio button next to the firewall policy you want to provision and click OK. The Firewall Service Editor page appears, as shown in Figure 6-24. This page allows you to select the firewall or firewalls to which you want to apply the firewall policy.
Figure 6-24 The Firewall Service Editor Page
Table 6-10 Firewall Service Editor Fields
Field Name | Type | Instructions
Policy | non-editable field | The policy name.
Change Policy | button | Click to select a different firewall policy.
Customer | non-editable field | The name of the customer to which the policy applies.
Description | text box | (Optional) Enter a description of this particular service request.
Step 4
Click Add Firewall. The CPE for Firewall Service Request dialog box appears.
Figure 6-25 CPE for Firewall Service Request Dialog Box
Step 5
Choose the firewall device (defined as a CPE device) and click Select.
Step 6
This returns you to the Firewall Service Editor page. Click Add Firewall again for each firewall device you want to add and click Select. After adding three firewall devices, the Firewall Service Editor page appears as shown in Figure 6-26.
Figure 6-26 The Firewall Service Editor With Firewalls Added
Step 7
Click Save SR. Your newly created service request will appear in the list of service requests on the Service Requests page as shown in Figure 6-27.
Figure 6-27 The Service Request Page With New Firewall Service Request Added
Step 8
Refer to "Provisioning Services," for instructions on how to deploy your service request.
Adding Templates To Service Requests (Optional)
There may be features that ISC does not support. If so, a template can be included in the service request to prepend or append configuration to the CPE device configuration. To add a template, perform the following steps:
Step 1
Click Add Templates on the Firewall Service Editor page (Figure 6-26). The Add/Remove Templates dialog box appears as shown in Figure 6-28.
Figure 6-28 Add/Remove Templates Dialog Box
Step 2
Click Add. The Template DataFile Chooser page appears. The templates are on the left column and the associated data files are on the right.
Figure 6-29 The Template DataFile Chooser Page
Step 3
Find the template type you want to add and expand the folder view.
Step 4
Click the name of the template you want to add. The associated data files will be displayed on your right.
Step 5
To view the configlets, click View.
Step 6
Click Accept to continue.
Step 7
Click OK on the Add/Remove page.
Step 8
Click Save when done.