Cisco Secure VPN Exam Certification Guide - Cisco Press
Chapter 6: Configuring the Cisco VPN Client Firewall Feature
Figure 6-6 The Client FW Tab
Firewall Setting
The default setting is No Firewall, which means that there is no requirement for any firewall, including the Stateful Firewall (Always On) feature. The other two choices, Firewall Required and Firewall Optional, both work with the Firewall field discussed in the next section.
Choosing Firewall Required means that all the users within this group must use the specified firewall. Additionally, this firewall must be running during the time that the tunnel is active. Should the firewall software terminate, the tunnel is dropped. The VPN concentrator notifies the client that the firewall configuration does not match the required settings. Choose this option only when all the clients are Windows-based PCs. No other types of clients, including the VPN 3002 Hardware Client, can use this option and successfully connect.
Choosing Firewall Optional means that a client connecting with the specified firewall running can connect using that firewall. If the specified firewall is not installed or running, the client can still connect, but it receives a warning message. VPN 3002 Hardware Clients and non-Windows-based clients can also connect with this setting.
Firewall
This Firewall pull-down menu allows you to choose the specified firewall for the group. The firewall specified determines the policy options that are supported. The options are listed in Table 6-6.
Table 6-6 Firewall Options

| Choice | Usage |
| --- | --- |
| Cisco Integrated Client Firewall | The Stateful Firewall feature built into the VPN Client. |
| Network ICE BlackICE Defender | A third-party personal firewall. |
| Zone Labs Zone Alarm | A third-party personal firewall. |
| Zone Labs Zone AlarmPro | The professional version of the Zone Labs Zone Alarm personal firewall. |
| Zone Labs Zone Alarm or Zone Labs Zone AlarmPro | Allows the user to use either of the two firewalls. |
| Zone Labs Integrity Client | A policy pushed from a server to the client system that works with the Zone Labs Zone Alarm and Zone AlarmPro. |
| Custom Firewall | As of this writing, this feature is included for future use. This option will eventually allow the administrator to choose from any compliant firewall. Currently, this option allows you to choose only those firewalls previously listed, but you can use any combination of these firewalls by entering the associated numbers separated by commas in the product ID. You must have only a single vendor, although you can choose multiple products from that vendor. |
Custom Firewall
Should you choose to use the Custom Firewall option when it becomes available, Table 6-7 provides you with the necessary codes to be input into the Vendor ID and Product ID fields.
Table 6-7 Vendor and Product ID Codes

| Vendor | Vendor ID | Product | Product ID |
| --- | --- | --- | --- |
| Cisco Systems | 1 | Cisco Integrated Client (CIC) | 1 |
| Zone Labs | 2 | Zone Alarm | 1 |
| Zone Labs | 2 | Zone AlarmPro | 2 |
| Zone Labs | 2 | Integrity | 3 |
| Network ICE | 3 | BlackICE Defender/Agent | 1 |
Should you wish to combine, for example, Zone Alarm, Zone AlarmPro, and Integrity into a single firewall option, you would enter 2 into the Vendor ID field and 1,2,3 into the Product ID field. You cannot use multiple vendors.
You can enter an optional description if you are using a custom firewall.
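As an added example (not the book's own code), a check an administrator could run on a Custom Firewall entry before applying it: VENDORS encodes the codes of Table 6-7, the comma-separated Product ID format and the single-vendor rule come from the text above, and the helper names and the rejection of a duplicate product are our own choices.

```python
# Added example (not from the book): validate a Custom Firewall entry against
# the Vendor ID / Product ID codes of Table 6-7 and the single-vendor rule.
from typing import List

# Vendor ID -> (vendor name, {Product ID: product name}), as listed in Table 6-7.
VENDORS = {
    1: ("Cisco Systems", {1: "Cisco Integrated Client (CIC)"}),
    2: ("Zone Labs", {1: "Zone Alarm", 2: "Zone AlarmPro", 3: "Integrity"}),
    3: ("Network ICE", {1: "BlackICE Defender/Agent"}),
}


def _parse_codes(field: str, label: str) -> List[int]:
    """Split a comma-separated field such as "1,2,3" into integer codes."""
    codes = []
    for part in field.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"{label} field is malformed: {field!r}")
        codes.append(int(part))
    return codes


def parse_custom_firewall(vendor_id: str, product_id: str) -> List[str]:
    """Return the product names an entry selects, or raise ValueError when it
    names several vendors, an unknown code, another vendor's product, or a
    product twice."""
    vendors = _parse_codes(vendor_id, "Vendor ID")
    if len(vendors) != 1:
        raise ValueError("Only a single vendor may be specified per entry")
    if vendors[0] not in VENDORS:
        raise ValueError(f"Unknown Vendor ID {vendors[0]}")
    vendor_name, products = VENDORS[vendors[0]]
    selected: List[int] = []
    for pid in _parse_codes(product_id, "Product ID"):
        if pid not in products:
            raise ValueError(f"Product ID {pid} is not a {vendor_name} product")
        if pid in selected:
            raise ValueError(f"Product ID {pid} listed more than once")
        selected.append(pid)
    return [f"{vendor_name} {products[pid]}" for pid in selected]


def is_valid_custom_firewall(vendor_id: str, product_id: str) -> bool:
    """True when the entry would be accepted, False when it breaks a rule."""
    try:
        parse_custom_firewall(vendor_id, product_id)
        return True
    except ValueError:
        return False
```

With the book's own example, Vendor ID 2 and Product ID 1,2,3 resolve to the three Zone Labs products, while a Vendor ID of 2,3 is rejected.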
Firewall Policy
The Firewall Policy option allows you to select the firewall protection provided by the client firewall. The options are as follows:
• Policy defined by remote firewall (AYT)
• Policy Pushed (CPP)
• Policy from Server
The following sections describe each of these options in more detail.
Policy Defined by Remote Firewall (AYT)
The Policy Defined by Remote Firewall (AYT) option allows policies defined by the remote firewall. The firewall must be running. A poll is sent from the VPN Client to the firewall service on the workstation every 30 seconds. If the firewall does not answer, the connection is dropped.
Policy Pushed (CPP)
The Policy Pushed (CPP) option causes the concentrator to push the policy defined down to the client. The list shown depends on the filters you have defined on the concentrator. If the VPN Client has a firewall, these rules are added to the local firewall’s rules. This means that the more restrictive of the two sets of rules applies. For example, if the VPN concentrator’s rule allows web browsing but the client’s firewall does not, no web browsing is allowed.
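The "more restrictive of the two sets" behaviour described above, modelled in an added example that is not code from the book or from the Cisco client. Rule and Packet are a simplified representation of our own, not the concentrator's filter syntax, and the model assumes that a rule set with no matching rule denies.

```python
# Added example (not from the book): CPP rules pushed by the concentrator are
# combined with the local firewall's own rules, and the more restrictive
# result wins. Rule/Packet are our own simplified representation.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    dst_net: str = "0.0.0.0/0"   # destination prefix the rule applies to
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("any", pkt.proto):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)


def permits(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule decides; a rule set with no match denies (assumed)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


def cpp_permits(pushed: List[Rule], local: List[Rule], pkt: Packet) -> bool:
    """Effective CPP decision: the pushed set AND the local set must permit."""
    return permits(pushed, pkt) and permits(local, pkt)


# Constructed sample: the concentrator pushes a filter that allows web browsing
# (TCP/80) and DNS; the user's personal firewall allows DNS but blocks TCP/80.
PUSHED = [Rule("permit", "tcp", dport=80), Rule("permit", "udp", dport=53)]
LOCAL = [Rule("deny", "tcp", dport=80), Rule("permit", "udp", dport=53)]
WEB = Packet("198.51.100.10", "tcp", 80)   # documentation address (RFC 5737)
DNS = Packet("198.51.100.53", "udp", 53)
```

For the constructed sample, the pushed filter alone would permit web browsing, but the combined decision denies it, exactly the case the text describes.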
Policy from Server
The Policy from Server option causes the users within the group to use a Zone Labs Integrity Server (IS) to manage their security settings on the firewall. If you choose this option, make sure that the Configuration | System | Servers | Firewall Server screen has the appropriate IP address of the IS and that the IS is reachable from the VPN concentrator.
Monitoring VPN Client Firewall Statistics
Viewing the VPN Client firewall statistics is easy. When you first connected the client, an icon was placed in the Windows System tray. Click the icon shaped like a padlock on the lower-right side of your screen. This brings up the General screen. This should be similar to the screen shown in Figure 6-7.
Figure 6-7 The Cisco Systems VPN Client Connection Status | General Screen
This screen shows the client IP address and the server IP address. Next, you see the encryption and authentication used for this connection. Then, you see whether transparent tunneling is active. If it is, the tunneling port number is shown. This is followed by the compression in use and a notation regarding the local LAN access. If a personal firewall were in effect, it would be listed here. Any firewall policy in use, such as AYT or CPP, is shown.
To look at the statistics for this connection, click the Statistics tab. An example of this screen is shown in Figure 6-8. On this screen, you can see the bytes in and out as well as the networks.
Figure 6-8 The Cisco Systems VPN Client Connection Status | Statistics Screen
The top of the Statistics screen shows a number of items, as described in Table 6-8.
Table 6-8 Connection Statistics

| Statistic | Meaning |
| --- | --- |
| Bytes in | The total amount of secure data received |
| Bytes out | The total amount of encrypted data transmitted through the tunnel |
| Packets decrypted | The total number of encrypted packets received and decrypted on the port |
| Packets encrypted | The total number of encrypted packets transmitted out the port |
| Packets bypassed | The total number of data packets that the VPN client did not process because they did not need to be encrypted |
| Packets discarded | The total number of data packets that the VPN client rejected because they did not originate from the gateway |
The Secured routes section of this screen lists the IPSec SAs. Notice the key icon that is on the left of the networks listed. This icon indicates that the network is protected. The lack of a key indicates no protection for that network. The Bytes column shows the total amount of data that this SA has processed.
Enabling Automatic Client Update Through the Cisco VPN 3000 Concentrator Series Manager
One last topic needs to be discussed that does not fall under the firewall character of this chapter, but it does relate to the VPN Client. That topic is the Automatic Client Update feature of the Cisco VPN 3000 Concentrator Series, which can help ensure that all your users' systems are running the same client, making the implementation of firewall policies that much easier for you.
The CSVPN Client software can be upgraded by pushing the configuration from any of the devices in the VPN 3000 Concentrator Series. This means that the administrator needs to make a single change at the head-end VPN concentrator instead of manually upgrading each individual client. This is especially efficient on large installations. Using the Automatic Client Update feature lets you control the version of the client that is used and control the initial configuration of the client.
The CSVPN Client is sent an ISAKMP message when it connects to the head-end concentrator, receiving notification that a software upgrade is pending. This ISAKMP message contains the IP address of a TFTP server, the directory path on the server, and the filename to download.
Setting up the head-end VPN 3000 Series Concentrator for automatically updating CSVPN is simple through the GUI. Configuring the concentrator for Automatic Client Update consists of the following steps:
Step 1 Navigate to Configuration | User Management | Groups, and select the group. This example uses rtpvpn1 (Internally Configured).
Step 2 Choose Modify Client Update (see Figure 6-9).
Step 3 Choose Add from the Client Update screen to add a new client package.
Step 4 On the next screen, shown in Figure 6-10, enter Windows as the client type, enter tftp://IP address of server/filename as the URL, and enter the revision number.
Step 5 Select Apply to finish the setup at the head-end.
Figure 6-9 The Configuration | User Management | Groups Screen
Figure 6-10 The Configuration | User Management | Groups | Client Update | Modify Screen
The next time that CSVPN connects, the user receives a message indicating that a software update is pending and prompting him/her through the process. When the user is notified, the user has the option to launch the install or cancel and perform the installation the next time the user connects to the concentrator.
Table 6-9 VPN Client Abilities (Continued)

Client Ability: Compression
Description: LZS (Lempel-Ziv standard)

Client Ability: Authentication methods
Description: Authentication methods include the following:
• XAUTH (eXtended AUTHentication)
• Remote Authentication Dial-In User Service (RADIUS) with the following:
  — MSCHAPv2 (NT password expiration)
  — State/Reply message attributes (token cards)
  — RSA SecurID (Security Dynamics)
  — Windows NT Domain Authentication
  — X.509v3 digital certificates

Client Ability: Digital certificates
Description: Digital certificates supported include the following:
• Simple Certificate Enrollment Protocol (SCEP)
• Entrust Entelligence
• Smartcards through MS CAPI:
  — Activcard
  — eAladdin
  — Gemplus
  — Datakey
• Internet Explorer Certificate Enrollment
• Authorities include the following:
  — Baltimore
  — Entrust
  — GTE Cybertrust
  — Microsoft
  — RSA Keon
  — VeriSign
Table 6-10 describes the available products and the policies that are available on these products.
Table 6-10 VPN Policies and Products

Policy/Product: Stateful Firewall (Always On)
Device: VPN Client
Purpose: Blocks all traffic except for the following:
• From the head-end network
• DHCP
• ESP

Policy/Product: CPP with CIC
Device: VPN concentrator
Purpose: Centralized control:
• Concentrator defines the rules
• Pushed rules
Used with split tunnels

Policy/Product: CPP with Zone Alarm and Zone AlarmPro
Device: VPN concentrator
Purpose: Centralized control:
• Concentrator defines the rules
• Pushed rules
Used with split tunnels

Policy/Product: Personal Firewall Enforcement (AYT)
Device: VPN Client
Purpose: Used when you have a personal firewall. Rules are based on the personal firewall's rules. Tunnel is dropped if firewall does not answer polls. Used with the following:
• Zone Alarm
• Zone AlarmPro
• BlackICE
Stateful Firewall (Always On) Feature
Remember the following key points about the Stateful Firewall (Always On) feature:
• Uses only the firewall, with no control from the concentrator
• Configured at the client
• Split tunnel by turning off
• Allows DHCP and ESP in even when on
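The Always On behaviour summarized above, modelled as an inbound filter in an added example that is not code from the book or from the Cisco client. It assumes the head-end network is known as a list of prefixes (the constructed 10.0.0.0/8 here) and uses constructed sample packets to show that DHCP and ESP are let in while a home-LAN neighbour outside the head-end network is dropped.

```python
# Added example (not from the book): an inbound-traffic model of the
# Stateful Firewall (Always On) rules listed above. The head-end prefix and
# the sample packets are constructed; the client's real engine is not copied.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

UDP, ESP = 17, 50        # IP protocol numbers
DHCP_PORTS = {67, 68}    # UDP ports used by DHCP servers and clients


@dataclass(frozen=True)
class Inbound:
    src: str        # source IPv4 address
    proto: int      # IP protocol number (6 TCP, 17 UDP, 50 ESP)
    dport: int = 0  # destination port for TCP/UDP, 0 otherwise


def always_on_permits(pkt: Inbound, headend_nets: Iterable[str]) -> bool:
    """Allow only the three exceptions the feature makes; drop everything else."""
    if pkt.proto == ESP:
        return True  # the IPsec tunnel itself has to get through
    if pkt.proto == UDP and pkt.dport in DHCP_PORTS:
        return True  # address assignment on the local link stays possible
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(net) for net in headend_nets)


def filter_inbound(packets: Iterable[Inbound], headend_nets: Iterable[str]) -> List[Inbound]:
    """Return the packets that pass; the rest would be silently dropped."""
    nets = list(headend_nets)  # allow a generator to be reused per packet
    return [p for p in packets if always_on_permits(p, nets)]


# Constructed sample: the head-end (corporate) network is 10.0.0.0/8, the
# concentrator's public address is 203.0.113.1 and the user sits on a home LAN.
HEADEND = ["10.0.0.0/8"]
SAMPLE = [
    Inbound("10.1.2.3", 6, 445),        # file server over the tunnel: allowed
    Inbound("203.0.113.1", ESP),        # ESP from the concentrator: allowed
    Inbound("192.168.1.1", UDP, 68),    # DHCP reply from the home router: allowed
    Inbound("192.168.1.20", 6, 445),    # home-LAN neighbour: blocked
    Inbound("198.51.100.7", 6, 80),     # unsolicited Internet host: blocked
]
```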