Getting Started

After you complete your Cisco Secure Policy Manager installation, you need to perform some initial configuration tasks before you can begin distributing generated command sets to the Policy Enforcement Points, such as PIX Firewalls and IOS Routers, on your network. These tasks must follow a logical order, but their exact nature depends on the particular network scenario in which you have deployed Cisco Secure Policy Manager. The logical order is as follows.


Table 1-1: Checklist for Getting Started (columns: Step, Reference)

1. Define Network Topology

The first step in getting started with Cisco Secure Policy Manager is to define your network's topology in the Network Topology tree. You do not need to map your entire network in the Network Topology tree; only specific items are needed by Cisco Secure Policy Manager to be able to create and enforce security policies. The Network Topology topics and checklist will assist you in determining what network objects you need to include in the Network Topology tree.

"Task 1: Define Your Network Topology" section

"Checklist for Defining your Network Topology" section

2. Define Monitoring Settings

Cisco Secure Policy Manager provides the ability to audit the flow of traffic that passes through your Policy Enforcement Points.

"Task 2: Define Monitoring Settings" section

Once you set up the events you want logged by the system, you can configure the system to notify you by e-mail, pager, or pop-up window when specific events occur.

You can also obtain detail and summary information about the audit events with Cisco Secure Policy Manager's reporting features. You can schedule reports to be run at regular intervals, or obtain on-demand reports at any time to receive the most current information. The reports are available in HTML or ASCII text format.

"Checklist for Defining Audit Event Rules" section

"Checklist for Defining Notification Rules" section

"Checklist for Defining Reports" section

3. Organize Network Objects in the Security Policy Enforcement Branch

Before you begin to create your security policies, you should arrange your network objects in the Security Policy Enforcement branch. Unlike the Network Topology tree, this is not a physical representation of your network. Instead, it is a logical view of only those items against which you want to enforce security policies.

"Task 3: Organize Network Objects in the Security Policy Enforcement Branch" section

"Adding a Network Object to the Security Policy Enforcement Branch" section

4. Define Policy Abstracts

Once you have populated the Security Policy Enforcement branch, you create your security policies in the Security Policy Abstracts branch of the Tools and Services tree (or, optionally, on the objects in the Security Policy Enforcement branch).

Security policies take the form of graphical decision trees constructed with the Policy Builder utility. Each tree will have a source, service, and destination component followed by an action, such as permit or deny, that the Policy Enforcement Point should take when the conditions are met.

With security policies, you define the services that are permitted between two endpoints, and any specific parameters for the network session, such as tunneling or Java blocking.

"Task 4: Define Policy Abstracts" section

"Checklist for Creating and Enforcing Policy" section

5. Assign Policy Abstracts to Network Objects in the Security Policy Enforcement Branch

After creating your security policies, you must attach those policies to the network objects in the Security Policy Enforcement branch of the Network Policy tree.

One of the strengths of Cisco Secure Policy Manager is the ability to create standard policies that you can apply across your network. For example, you can create a policy that permits HTTP traffic to the Internet, and apply the same policy to the multiple objects in the Security Policy Enforcement branch to create a consistent policy for all network users.

"Task 5: Assign Policies in the Security Policy Enforcement Branch" section

"Applying Security Policies to Network Objects" section

6. Generate, Verify, and Publish Command Sets

The final step in the overall process is to generate, verify, and publish the command sets to the Policy Enforcement Points.

"Task 6: Generate, Verify, and Publish Command Sets" section

"About Policy Distribution Points" section

"Checklist for Generating, Verifying, and Publishing Command Sets" section

Task 1: Define Your Network Topology

In the Network Topology tree, you must map some portion of your physical network topology from the outside to the inside, or downstream to upstream. To create this mapping, start from the most downstream point of the network segment that you want to control using Cisco Secure Policy Manager and continue defining upstream into the networks that you want to protect. This outside-to-inside perspective means that you start with the network connection to the outermost, downstream Policy Enforcement Point that you want to manage. Commonly, you construct your network to reflect your connection from the Internet node (the sea of information, to complete the downstream/upstream analogy) to your internal, upstream networks.


Note: While you typically have more than one outermost gateway object (one for each connection point to the Internet), we illustrate the basic concepts in this discussion using a single outermost gateway object.

You must first consider the downstream network to which your outermost gateway object's downstream interface is attached. This downstream network always contains the default gateway to which the Policy Enforcement Point delivers all network packets that are destined downstream of this gateway object. In many cases, the default gateway is an IP address (or hop address) assigned to an upstream interface of a border/access router owned by your Internet service provider. However, you may be managing only an internal segment of a larger network; in that case, the default gateway maps to a router or other gateway object that you own. In either case, this outermost point represents the default gateway for the network objects that are members of the same perimeter, and this "gateway" is represented by an IP address and network definition assigned to the Internet node in the Network Topology tree.

Let's study a simple example. Figure 1-1 identifies a simple network topology:

Figure 1-1: Example Network Topology

When this network is mapped into the Network Topology tree, it will look something like the following:

Figure 1-2: Example Topology in the Network Topology Tree

Figure 1-1 identifies seven key pieces that are mapped into the Network Topology tree as follows:

So How Much Do I Have to Define?

The answer to this question depends on what type of security policies you need to define, where your Policy Enforcement Points are positioned in your network, and where your Cisco Secure Policy Manager servers are positioned. The goal is to define all the network objects that Cisco Secure Policy Manager must know about and all the unique network objects for which you want to define a unique security policy. The key phrase is "you must adequately describe your physical network topology." This definition is required because Cisco Secure Policy Manager must know the location of the objects on your network with which it must interact and communicate.

The extent to which you define your network topology depends on what you want to do. If you intend to enforce a security policy directly on a network object (as opposed to indirectly by applying a security policy to a parent node, such as a network), you must define that network object and include it in the Security Policy Enforcement branch of the Network Policy tree, a task described later in this collection of topics.

However, some network objects are required. You must define the following network objects under the Network Topology tree:

While you do not have to define every network object that physically exists on your network, you must ensure that all network objects that encompass multiple child network objects (such as an internal network) are present. Basically, if you intend to define a special security policy for any network object directly (as opposed to indirectly by applying a more general security policy to a parent node, such as a network), you need to define it in the Network Topology tree. In addition, to actually define a unique policy for a network object, you must reference it in the Security Policy Enforcement branch of the Network Policy tree.

You do not define rules for the Policy Enforcement Points directly. Instead, you apply "policies" to the network objects against which you want those policies to be enforced. Cisco Secure Policy Manager generates the "rules" that these policies represent and distributes these device-specific rule sets to the individual Policy Enforcement Points. Therefore, if you are familiar with defining rules for a PIX Firewall or IOS router, you can understand that if you want to define specific rules for specific network objects, you must define those network objects in the Network Topology tree, as well as any objects on which those network objects depend, such as a host's parent network.

Task 2: Define Monitoring Settings

One feature of Cisco Secure Policy Manager is that it provides the ability to audit the flow of traffic across your Policy Enforcement Points, such as a PIX Firewall and IOS Router. Auditing enables two other features: notifications and reporting. However, before you can generate any notifications or reports, you must specify the settings for the logging and retention of audit records about events within the system or logged by a Policy Enforcement Point. To specify these settings, you must perform three subtasks:


Step 1 Define the audit event filtering rules that Cisco Secure Policy Manager should retain.

Step 2 Select the Cisco Secure Policy Manager host that will monitor the Policy Enforcement Point Syslog streams.

Step 3 Define the Syslog settings that the Policy Enforcement Points must generate and specify which Cisco Secure Policy Manager hosts will study the resulting Syslog streams.

Once you specify and save these settings, you can receive customized reports that present the types of audit information most useful to you. In addition, you can receive notification messages by e-mail, pager, or pop-up windows that inform you about the occurrence of those events in which you have registered a specific interest.


Task 3: Organize Network Objects in the Security Policy Enforcement Branch

Even though you have defined the network objects in the Network Topology tree, this tree only reflects the physical layout of your network. You cannot directly enforce security policies on the network objects in the Network Topology tree. Instead, you must place the network objects against which you want to enforce security policies in the Security Policy Enforcement branch of the Network Policy tree.

The structure of the Security Policy Enforcement branch does not have to reflect the physical topology of the Network Topology tree. Instead, you can create a logical order based on the order in which you want the policies to be enforced. In addition, you can use Security Policy folders to define logical groups that allow high-level policy assignment. In these folders, you place multiple network objects so that you can enforce a single security policy on all the network objects. You can also enforce a security policy indirectly on a network object that is not present in the Security Policy Enforcement branch by applying a security policy to its parent node that is represented in that branch. However, to apply a security policy directly to a network object, the network object must be represented in the Security Policy Enforcement branch.

Task 4: Define Policy Abstracts

Once you have defined your network topology, you must create security policy abstracts and enforce those security policies on the appropriate network objects. Until you create security policies and enforce them on network objects, your Policy Enforcement Points will not permit access to network services traversing the Policy Enforcement Points.

Security policies enable you to permit or deny network traffic (defined by a Service condition in the security policy) originating from a source object (defined by a Source condition in the security policy) and destined for a target object (defined by a Destination condition in the security policy). Security policies are graphical representations of decision trees that Cisco Secure Policy Manager translates into command sets that your Policy Enforcement Points, such as PIX Firewalls, understand and enforce against the traffic that traverses them.

Working with security policies is a multiple-step process:


Step 1 Verify that all the network services that you want to allow your network users to access are defined under the Network Services branch of the Tools and Services tree.

Step 2 Define any custom network services that your network users require.

Step 3 Define your security policy abstracts, using Policy Builder.


What are Network Services?

Network services are the building blocks of security policies. They define a particular type of network traffic that you can reference in a security policy abstract, such as the protocols on which the network service depends and the corresponding port number. Cisco Secure Policy Manager comes with numerous preconfigured network services, but you also have the ability to create customized network services.

Network services (and network service bundles) are displayed in the Tools and Services tree. While many of the preconfigured network services are displayed here, some of them are not. You can go to the Service Library (click Service Library on the Wizards menu) to add other preconfigured network services to the tree.

In addition, you can use the Network Service Wizard to define custom network services (click Service Wizard on the Wizards menu). If a particular type of network traffic is not defined by a pre-existing network service, you should create a network service that does so, which enables you to control that type of network traffic by referencing the network service in a security policy.

What is Policy Builder?

Policy Builder is the utility that you use to create and modify security policies. It is a graphically based utility that enables you to create decision trees containing condition and action nodes. Cisco Secure Policy Manager translates these security policies into command sets that the PIX Firewall can understand.

Task 5: Assign Policies in the Security Policy Enforcement Branch

After you populate the Security Policy Enforcement branch with network objects and define the policy abstracts to protect those objects, you must assign those policy abstracts to the objects in the Security Policy Enforcement branch. You cannot use Cisco Secure Policy Manager to generate and publish device-specific command sets to a Policy Enforcement Point until you assign the policies from which the command sets are derived.

To enforce a security policy on a network object, you can use a drag-and-drop operation to move the security policy abstract onto a network object or folder in the Security Policy Enforcement branch. Another easy-to-use tool for applying policies is the Policy Assignment panel (click Policy Assignment on the Tools menu).

When you modify a security policy abstract, the change is automatically propagated to all instances of that security policy. Modify the abstract in the Security Policy Abstracts branch, and the change reaches every instance applied to objects in the Security Policy Enforcement branch. Modify an instance that is applied to an object in the Security Policy Enforcement branch, and the change reaches the other instances in that branch as well as the abstract in the Security Policy Abstracts branch.
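As an added illustration (not Cisco Secure Policy Manager's own code), the following Python model captures what Tasks 3 through 5 describe: policy abstracts assigned to objects in the enforcement branch, inheritance from a parent folder, first-match evaluation with deny when no policy applies, and propagation of an edit to every instance because instances hold the abstract by reference. The object names, services and rule format are constructed, and the flattened command lines are device-neutral rather than PIX or IOS syntax.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the page's policy concepts; not CSPM's own code.
ANY = "any"
Rule = Tuple[str, str, str, str]  # (source, service, destination, action)


@dataclass
class PolicyAbstract:
    """A security policy abstract: ordered Source/Service/Destination -> action rows."""
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class EnforcementNode:
    """A network object or folder in the Security Policy Enforcement branch."""
    name: str
    policies: List[PolicyAbstract] = field(default_factory=list)  # held by reference
    parent: Optional["EnforcementNode"] = None


def effective_policies(node: EnforcementNode) -> List[PolicyAbstract]:
    """Policies applied directly to the node first, then those of its parent folders."""
    chain: List[PolicyAbstract] = []
    while node is not None:
        chain.extend(node.policies)
        node = node.parent
    return chain


def decide(node: EnforcementNode, source: str, service: str, destination: str) -> str:
    """Evaluate one flow: the first matching rule decides, and no match means deny."""
    for policy in effective_policies(node):
        for src, svc, dst, action in policy.rules:
            if src in (ANY, source) and svc in (ANY, service) and dst in (ANY, destination):
                return action
    return "deny"


def command_set(node: EnforcementNode) -> List[str]:
    """Flatten the effective policies into an ordered, device-neutral rule list."""
    return [f"{action} {svc} from {src} to {dst}  ! {policy.name}"
            for policy in effective_policies(node)
            for src, svc, dst, action in policy.rules]


# Constructed sample: one shared abstract on a folder, one member with its own policy.
web_out = PolicyAbstract("Permit-HTTP-Out", [("internal", "http", ANY, "permit")])
folder = EnforcementNode("Internal-Hosts", [web_out])
mail = EnforcementNode("mailhost", [PolicyAbstract("Mail-Only", [
    ("internal", "smtp", "mailhost", "permit"), (ANY, ANY, "mailhost", "deny")])], parent=folder)
desktop = EnforcementNode("desktop-1", parent=folder)

if __name__ == "__main__":
    print(decide(desktop, "internal", "http", "extern"))      # permit, inherited from the folder
    web_out.rules.append(("internal", "ftp", ANY, "permit"))  # edit the abstract once...
    print(decide(mail, "internal", "ftp", "extern"))          # ...and every instance sees it
```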

Task 6: Generate, Verify, and Publish Command Sets

Cisco Secure Policy Manager generates device-specific command sets that are interpretable by Policy Enforcement Points, such as a PIX Firewall and IOS Router. These command sets are based on the defined network topology, audit event filter rules, and the organization and assigned policies within the Security Policy Enforcement branch. The commands include conduits, routing rules, and other settings. A translation process must take place to ensure that the device-specific command sets are generated from the intermediary representation used by Cisco Secure Policy Manager.

The Save and Update command on the File menu is responsible for generating the device-specific command sets that can be published to the Policy Enforcement Points. After you successfully perform a Save and Update operation, you can view the generated command set, using the Command panel on the Policy Enforcement Point for which you want to download that command set. When you are managing multiple Policy Enforcement Points, the Save and Update operation generates commands for each Policy Enforcement Point identified in the Network Topology tree. In addition, it includes all the routing and mapping rules that are either derived by Cisco Secure Policy Manager or manually entered by you as part of these rule sets.

After you generate and view the commands, you can publish them to the Policy Enforcement Point by manually approving them, which is the default publishing method. Later, when you become more familiar with developing security policies, you can configure Cisco Secure Policy Manager to automatically publish the command sets to all the Policy Enforcement Points that you are administering each time you click Save and Update on the File menu.


Posted: Thu May 25 13:02:23 PDT 2000
Copyright © 1989-2000 Cisco Systems, Inc.