
IPSec Tunnel Policy

The final step to implementing IPSec with Cisco Secure Policy Manager is to create policy, or modify existing policy, to route the specified services through the tunnel defined by the IPSec Tunnel Template and IPSec Tunnel Group. This is accomplished by adding a Use Tunnel node to the policy decision tree, applying the policy to objects in the Security Policy Enforcement branch, and then generating and publishing the device-specific command sets.

This chapter presents only a brief discussion of the process for creating a policy and then generating the device-specific command sets and publishing those command sets to the devices. For more detailed information about this process, refer to the Cisco Secure Policy Manager online help or to the Policy Development and Enforcement Administrator's Guide (online).

About the Use Tunnel Node

The Use Tunnel node is one of two non-terminal action nodes that you can place on a condition branch of a security policy decision tree. A non-terminal action does not terminate the policy evaluation, so you will need to add a terminal action or a condition after the Use Tunnel node.

The Use Tunnel node routes the network traffic being evaluated through an IPSec tunnel. The tunnel used is determined by the tunnel group selected in the Use Tunnel node properties panel. Before you can place a Use Tunnel node in the decision tree, you must have configured a tunnel group (in the IPSec Tunnel Groups branch of the Network Policy tree) and the tunnel template (in the IPSec Tunnel Templates branch of the Tools and Services tree) upon which that tunnel group is based.
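As an added illustration (this is not code from Cisco Secure Policy Manager or from this guide), the following Python model evaluates a flow through a small decision tree and shows why a Use Tunnel node cannot be the last node on a branch: it records the tunnel group and hands evaluation on, and only a terminal action returns a verdict. The terminal action names "permit" and "deny", the Flow fields, the tunnel group name "Branch-to-HQ" and the sample addresses and services are assumptions made for the example. validate() also checks the rule stated later under Specifying a Service Condition, that every policy contains a Service Condition node.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Node types of a simplified policy decision tree, modelled on the page's
# description. The terminal action names "permit"/"deny" are assumptions.
@dataclass
class Terminal:
    action: str                      # "permit" or "deny"; ends evaluation

@dataclass
class UseTunnel:
    tunnel_group: str                # name of an IPSec Tunnel Group
    next: "Node"                     # non-terminal: evaluation continues here

@dataclass
class Condition:
    kind: str                        # "source", "destination" or "service"
    values: Tuple[str, ...]          # CIDR networks or service names
    yes: "Node"                      # branch taken when the condition holds
    no: "Node"                       # branch taken otherwise

Node = Optional[Union[Terminal, UseTunnel, Condition]]   # None = nothing placed yet

@dataclass
class Flow:
    src: str
    dst: str
    service: str

def _holds(cond: Condition, flow: Flow) -> bool:
    if cond.kind == "service":
        return flow.service in cond.values
    addr = ip_address(flow.src if cond.kind == "source" else flow.dst)
    return any(addr in ip_network(net) for net in cond.values)

def evaluate(root: Node, flow: Flow) -> Tuple[str, Optional[str]]:
    """Walk the tree for one flow; return (terminal action, tunnel group or None)."""
    tunnel = None
    node = root
    while True:
        if isinstance(node, Terminal):
            return node.action, tunnel
        if isinstance(node, UseTunnel):
            tunnel = node.tunnel_group          # remembered, but evaluation goes on
            node = node.next
        elif isinstance(node, Condition):
            node = node.yes if _holds(node, flow) else node.no
        else:
            raise ValueError("branch ends without a terminal action")

def validate(root: Node) -> List[str]:
    """Report structural problems: dangling branches and a missing Service Condition."""
    problems: List[str] = []
    has_service = False
    stack = [(root, "root")]
    while stack:
        node, path = stack.pop()
        if node is None:
            problems.append(f"{path}: no terminal action placed")
        elif isinstance(node, UseTunnel):
            stack.append((node.next, path + " > Use Tunnel"))
        elif isinstance(node, Condition):
            has_service = has_service or node.kind == "service"
            stack.append((node.yes, path + f" > {node.kind} yes"))
            stack.append((node.no, path + f" > {node.kind} no"))
    if not has_service:
        problems.append("policy has no Service Condition node")
    return problems

# Constructed sample policy: HTTP/SMTP from 10.1.0.0/16 goes through the assumed
# tunnel group "Branch-to-HQ" and is permitted; everything else is denied.
POLICY = Condition("service", ("http", "smtp"),
    yes=Condition("source", ("10.1.0.0/16",),
        yes=UseTunnel("Branch-to-HQ", next=Terminal("permit")),
        no=Terminal("deny")),
    no=Terminal("deny"))

# The same idea with the terminal action after Use Tunnel left out.
INCOMPLETE = Condition("service", ("http",),
    yes=UseTunnel("Branch-to-HQ", next=None),
    no=Terminal("deny"))

if __name__ == "__main__":
    print(evaluate(POLICY, Flow("10.1.2.3", "192.0.2.10", "http")))    # ('permit', 'Branch-to-HQ')
    print(evaluate(POLICY, Flow("172.16.4.4", "192.0.2.10", "http")))  # ('deny', None)
    print(validate(INCOMPLETE))
```

Running the script prints the verdict for the two sample flows and the dangling branch reported for INCOMPLETE; evaluate() raises ValueError on that tree, which is exactly the situation the text warns against when it says a terminal action or condition must follow the Use Tunnel node.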

IPSec Tunnel Policy Task List

You need to perform the following tasks to create a policy that routes particular services through IPSec tunnels:

After you create (or modify) the security policy to use IPSec tunnels, you need to apply the policy to an object in the Security Policy Enforcement branch:

Finally, for your security policy to be implemented by your network devices, you need to generate and publish the command sets:

Creating a New Security Policy Abstract

You can create a new security policy abstract in either the Security Policy Abstracts branch of the Tools and Services tree or directly on an object in the Security Policy Enforcement branch of the Network Policy tree. The difference is that when you create a security policy in the Security Policy Abstracts branch, it still needs to be applied to a network object in the Security Policy Enforcement branch so that the command sets can be generated, whereas when you create a security policy in the Security Policy Enforcement branch, it is already applied to the network object (and a security policy abstract is automatically added in the Security Policy Abstracts branch).

To create a new security policy abstract, perform the following task:


Step 1 To create a new security policy in the Security Policy Enforcement branch, right-click the network object on which you want to enforce the new policy, point to Policy, and click New on the shortcut menu.

To create a new security policy in the Security Policy Abstracts branch, right-click either the Security Policy Abstracts branch icon or the folder in which you want to store the new abstract, point to New, and then click Security Policy Abstract.

Result: A new node appears in the Navigator pane, and Policy Builder opens with the pre-populated decision tree displayed. If you created the new security policy abstract on the Security Policy Enforcement branch, the abstract is automatically given the name of the object on which it was created and the abstract is automatically added to the Security Policy Abstracts branch. If you created the security policy abstract in the Security Policy Abstracts branch, the name box beside the security policy abstract icon is selected for editing.

Step 2 Type the new name in the Name box, and then press Enter.

Result: The name appears beside the new node and at the top of the Policy Builder pane.


Tips If you cannot edit the name, as when you create the security policy abstract on an object in the Security Policy Enforcement branch, right-click the new security policy abstract icon in the Security Policy Enforcement branch and click Rename on the shortcut menu.

Step 3 To learn how to modify the pre-populated decision tree by creating or changing condition and action nodes, refer to Adding a Node to the Decision Tree, and Changing a Node Type.

Step 4 To accept your changes and close Policy Builder, click Close.

Result: Policy Builder closes.

Step 5 To save any changes that you have made, click Save on the File menu.


Modifying a Security Policy Abstract

You modify an existing security policy abstract by opening the policy it contains in Policy Builder. You can modify security policies from two places: the Security Policy Abstracts branch of the Tools and Services tree or the Security Policy Enforcement branch of the Network Policy tree.

Whenever you modify a security policy, the changes are propagated to all instances of that security policy. If you modify a policy in the Security Policy Abstracts branch, the changes propagate to all instances of that security policy in the Security Policy Enforcement branch. Likewise, if you modify a security policy in the Security Policy Enforcement branch, the changes propagate to all instances of that security policy in the Security Policy Enforcement branch and to the instance of that security policy that resides in the Security Policy Abstracts branch.

To modify an existing security policy abstract, perform the following task:


Step 1 To modify a security policy abstract that is applied to an object on the Security Policy Enforcement branch, right-click the object it is applied to in the Navigator pane, point to Policy, and then click Open on the shortcut menu.


Caution If you accidentally click New instead of Open, you will replace your existing applied policy with a completely new policy. If you replace the policy by accident, remove the new policy from the Security Policy Enforcement branch object, and then reapply the previous policy to the object. The previous policy will be located on the Security Policy Abstracts branch (or folder on the branch).

To remove the security policy attached to the object, right-click the Security Policy Enforcement branch object on which the new policy was accidentally created, point to Policy, and then click Remove on the shortcut menu.

Result: Policy Builder opens and displays the selected security policy abstract. Any changes that you make to the instantiated policy propagate to the template under the Security Policy Abstracts branch.

Step 2 To modify a security policy abstract in the Security Policy Abstracts branch, click the security policy abstract icon.

Result: Policy Builder opens and displays the selected security policy abstract. Any changes that you make to the security policy abstract are propagated to all instances of that security policy.


Tips If Policy Builder does not appear in the View pane, right-click the security policy abstract icon and select Policy, and then click Open.

Step 3 To learn about how to modify the security policy decision tree, refer to Adding a Node to the Decision Tree, and Changing a Node Type.

Step 4 To accept your changes and close Policy Builder, click Close.

Result: Policy Builder closes.

Step 5 To save any changes that you have made, click Save on the File menu.


Adding a Node to the Decision Tree

You construct a decision tree in Policy Builder by adding new nodes to the existing decision tree or by modifying the properties of existing nodes. To learn about modifying the properties of an existing node, refer to Modifying Node Properties.

To add a node to the decision tree, perform the following task:


Step 1 To add a node to the decision tree, right-click the node to which you want to append the new node, point to Continue on the shortcut menu, point to the configuration in which you want to add the new node, and then click the type of node to be added.


You can choose from the following configurations for adding a node. Cisco Secure Policy Manager allows you to select only configurations that are valid for the location in the decision tree at which you are adding the node. Additionally, the configuration you select determines the type of node you can add; you cannot choose an invalid node type for the selected configuration.

Result: The selected node type appears in the selected configuration. If you added a condition node or a Use Tunnel node, the property panel for that node automatically displays.

Step 2 To set properties of the new node:

If the node is a...        Then refer to...
Source Condition           Specifying a Source or Destination Condition
Service Condition          Specifying a Service Condition
Destination Condition      Specifying a Source or Destination Condition
Use Tunnel Action          Specifying a Tunnel Group

Step 3 To accept your changes and close Policy Builder, click Close.

Result: Policy Builder closes.

Step 4 To save any changes that you have made, click Save on the File menu.


Changing a Node Type

You can change one node type to another in the security policy decision tree. If you simply want to change the properties of a particular node, refer to Modifying Node Properties.

To change the node type, perform the following task:


Step 1 To change an existing node to another type of node, right-click the node in Policy Builder, point to Change To, and then click the type of node you want to replace the current node with from the shortcut menu.



Note Only nodes that you can place at that location in the decision tree will be available on the shortcut menu. For example, you will not be able to change a destination condition in an "or" statement to another type of condition node (source or service), because "or" statements require that the conditions connected by the "or" be of the same type.

Result: The node changes to the selected node. If you changed the node to a condition or a Use Tunnel node, the node properties automatically appear.

Step 2 To configure the properties of a node:

If the node is a...        Then refer to...
Source Condition           Specifying a Source or Destination Condition
Service Condition          Specifying a Service Condition
Destination Condition      Specifying a Source or Destination Condition
Use Tunnel Action          Specifying a Tunnel Group

Step 3 To change additional nodes, repeat steps 1 and 2 above.

Step 4 To accept your changes and close Policy Builder, click Close.

Result: Policy Builder closes.

Step 5 To save any changes that you have made, click Save on the File menu.


Modifying Node Properties

You can change the properties of existing source, service, and destination condition nodes, as well as of the Use Tunnel action node.

When you modify a security policy, the changes are propagated to all instances of that security policy.

To modify the node properties, perform the following task:


Step 1 Right-click the node to be modified in the Policy Builder pane, and then click Properties on the shortcut menu.

Result: The property panel for the selected node appears.


Tips You can also access a node's properties by double-clicking the node in the Policy Builder pane.

Step 2 To configure the node's properties:

If the node is a...        Then refer to...
Source Condition           Specifying a Source or Destination Condition
Service Condition          Specifying a Service Condition
Destination Condition      Specifying a Source or Destination Condition
Use Tunnel Action          Specifying a Tunnel Group

Step 3 To modify the properties of additional nodes, repeat Step 1 and Step 2.

Step 4 To save your changes and close Policy Builder, click Close.

Result: Policy Builder closes.

Step 5 To save any changes you have made, click Save on the File menu.


Specifying a Source or Destination Condition

You specify the actual source or destination for the source/destination condition nodes in the Specify source or destination condition dialog box.


You can specify the following items as sources or destinations in your security policy:

You will need to provide additional information based on the type of source or destination you select.

To specify a source or a destination condition, perform the following task:


Note You must be in the source or destination condition node's property panel to perform this procedure. If you are not already in the source or destination condition's property panel, right-click the condition node in Policy Builder, and then click Properties on the shortcut menu.


Step 1 To specify one or more IP addresses as a source or destination condition:

Result: The IP address appears in the list below the IP address box.
Result: The selected IP address is removed from the list of IP addresses.
Result: The incorrect IP address is replaced with the one you just typed.

Step 2 To specify an external host name as a source or destination condition:

Result: If the host name is not valid, Cisco Secure Policy Manager displays a message informing you that the host name could not be found. If the host name is valid, Cisco Secure Policy Manager returns the IP address for the host.

Tips You can only specify a single external host name as a source or destination condition. To specify more than one external host name as a source, click DNS Lookup to discover the IP addresses for each host name, and then use the External IP Address indication method (see Step 1) to add those addresses to the source or destination condition.

Step 3 To specify an object from your network topology as the source or destination condition:

Step 4 To specify a Network Object Group as the source or destination condition:

Step 5 To specify a perimeter as the source condition:

Step 6 To specify a gateway interface as the source or destination condition:

Step 7 To accept your changes, click OK.

Result: The Specify source or destination condition dialog box closes.

Step 8 To close Policy Builder and save your changes to the decision tree, click Close.

Result: Policy Builder closes.

Step 9 To save any changes that you have made, click Save on the File menu.


Specifying a Service Condition

Every security policy must contain a Service Condition node that references one or more network services or network service bundles. A service condition forces consideration of the network services being requested.

When you specify a service condition, you can specify individual network services or a bundle of network services that you previously defined.

You specify the network service or network service bundle in the Specify Service Conditions dialog box.


To specify a service condition, perform the following task:


Note You must be in the service condition's property panel to perform this procedure. If you are not already in the service condition's property panel, right-click the service condition node in Policy Builder, and then click Properties on the shortcut menu.


Step 1 To add an individual network service to the condition, click a service in the Add or Remove Individual Network Services box to select it, and then click Add.

Result: The service that you selected appears in the If Service is box along with any other network service that you have added.

Step 2 To add a network service bundle to the condition, select one in the Use Network Service Bundle box, and then click either Add or Select.

Result: The network services that compose the network service bundle appear in the If Service is box.

When you click Add after selecting a network service bundle, only the network services in the bundle that are not already present in the If Service is box (if any) are added. However, when you click Select after selecting a network service bundle, all the network services in the If Service is box are replaced by the network services of the network service bundle that you selected.

Step 3 To remove a network service, select it in the If Service is box, and then click Remove.

Result: The service that you selected is removed from the If Service is box.

Step 4 To accept your changes, click OK.

Result: The Specify Service Condition dialog box closes.

Step 5 To close Policy Builder and save your changes to the decision tree, click Close.

Result: Policy Builder closes.

Step 6 To save any changes that you have made, click Save on the File menu.


Specifying a Tunnel Group

When you create or modify a Use Tunnel node in the decision tree, you must specify the tunnel group through which the policy routes the specified network services. You specify the tunnel group in the property panel of the Use Tunnel node. Before you can select a tunnel group, you must first have created it in the IPSec Tunnel Groups branch of the Network Policy tree.

To specify a tunnel group in a use tunnel action node, perform the following task:


Note You must be in the Use Tunnel property panel to perform this procedure. If you are not already in the Use Tunnel property panel, right-click the node in Policy Builder, and then select Properties on the shortcut menu.


Step 1 Click the tunnel group name in the Tunnel field.

Result: The name of the selected tunnel group is highlighted in the Tunnel box.


Step 2 To accept your selection, click OK.

Result: The Specify Tunnel dialog box closes.

Step 3 To close Policy Builder and save your changes to the decision tree, click Close.

Result: Policy Builder closes.

Step 4 To save any changes that you have made, click Save on the File menu.


Applying Security Policies to Network Objects

You can enforce a security policy on a network object either by performing a drag-and-drop operation in the Navigator pane or by using the Policy Assignment utility. The procedures below discuss using the drag-and-drop operation to apply policies.

To apply security policies to network objects, perform the following task:


Step 1 Expand the Security Policy Enforcement branch and the Security Policy Abstracts branch.

Step 2 Click the security policy abstract in the Security Policy Abstracts branch that you want to enforce on the network object, and while holding down the mouse button drag the security policy over the network object in the Security Policy Enforcement branch, and then release the mouse button.

Result: A yellow scroll icon appears beside the network object in the Security Policy Enforcement branch.


Saving Changes and Updating Network Policy


Note If you are not ready to apply changes in network policy to your network and you only want to save the work in progress, use Save.


Caution You should enable Consistency Check prior to all Save and Update operations as a safeguard against applying inconsistent configurations that may lead to network security risks.

To save current changes and update the active network policy, perform the following task:


Step 1 To access the System Inconsistencies panel, click Consistency Check on the Tools menu.

Result: The System Inconsistencies panel appears in the View pane.


Step 2 To specify the occurrence of a Consistency Check, click an option under Automatic Checking in the System Inconsistencies panel.

You can select from three options for Automatic Checking.

Step 3 To confirm your selection for Automatic Checking, click OK in the System Inconsistencies panel.

If you selected Disabled, a dialog box displays a message informing you that this selection can possibly compromise system integrity and/or system security. Click Yes to confirm your selection.

Step 4 To save current changes and update network policy, click Save and Update on the File menu.

Current configurations in the GUI client are checked for consistency errors. If errors are detected, the Save and Update operation is aborted. If no errors are detected, current configurations are saved to the Primary Policy Database and network policies are updated and enforced across your network.



Entering Prologue/Epilogue Commands in the Command Console Panel

From the Command panel, you can manually enter commands for a Policy Enforcement Point. These commands enable you to configure Policy Enforcement Point settings that are not controlled by Cisco Secure Policy Manager (Cisco Secure Policy Manager only controls security and security-related settings).

Prologue commands are commands that will be sent to the Policy Enforcement Point before the commands generated by Cisco Secure Policy Manager. Epilogue commands are commands that will be sent to the Policy Enforcement Point after the commands generated by Cisco Secure Policy Manager. You can specify one or both types of commands for each Policy Enforcement Point.

To enter prologue or epilogue commands for the selected Policy Enforcement Point, perform the following task:


Step 1 Right-click the PIX Firewall icon or IOS Router icon for which you want to enter the prologue or epilogue commands.

Step 2 To view the Command panel, point to Properties and click Command on the shortcut menu.

Result: The Command panel appears in the View pane.

Step 3 To enter prologue commands, select Prologue under Command Review/Edit. To enter epilogue commands, select Epilogue under Command Review/Edit.

Result: If you had previously specified prologue or epilogue commands for the selected Policy Enforcement Point, those commands appear in the Commands/Messages box. If you had not previously entered prologue or epilogue commands for the selected Policy Enforcement Point, the Commands/Messages box is blank.

Step 4 To enter the commands, type the commands in the Commands/Messages box in the same manner as you would at the command line of the Policy Enforcement Point (or in a text configuration file for the Policy Enforcement Point). For information about the commands available for the selected Policy Enforcement Point, refer to the manufacturer's documentation.


Note When constructing prologue and epilogue command sets for IOS, make sure each command set starts and finishes in IOS configuration mode; in particular, it must not drop the router to EXEC mode with end or with an exit that has no open sub-mode. Additionally, the following types of commands, which open a configuration sub-mode, should be followed by the exit command:

crypto map
crypto isakmp policy
ip nat pool
route-map

Step 5 To accept your changes and close the selected panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.
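Because a prologue or epilogue fragment that leaves configuration mode breaks every Cisco Secure Policy Manager command that follows it, it is worth checking fragments before they are saved. The following Python lint is an added example, not part of Cisco Secure Policy Manager or of this guide; it only encodes the rules from the Note above (stay in configuration mode, and close each of the four listed command types with exit). The two fragments are constructed samples, and the peer address 192.0.2.1, the map and transform-set names and the access list number are placeholders.

```python
from typing import List, Optional, Tuple

# The command types listed in the Note that open a sub-mode and need an "exit".
BLOCK_OPENERS = ("crypto map ", "crypto isakmp policy ", "ip nat pool ", "route-map ")

def check_ios_fragment(text: str) -> List[str]:
    """Return rule violations for an IOS prologue/epilogue fragment (empty = acceptable)."""
    problems: List[str] = []
    open_block: Optional[Tuple[int, str]] = None     # (line number, opener) awaiting exit
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                 # blank line or IOS comment
        lowered = line.lower()
        if lowered == "end" or lowered.startswith(("configure terminal", "conf t")):
            problems.append(f"line {lineno}: '{line}' leaves or re-enters config mode; "
                            "the fragment must start and finish in config mode")
            continue
        if lowered == "exit":
            if open_block is None:
                problems.append(f"line {lineno}: 'exit' with no open sub-mode drops "
                                "the router out of config mode")
            open_block = None
            continue
        if lowered.startswith(BLOCK_OPENERS):
            if open_block is not None:
                problems.append(f"line {lineno}: '{line}' starts before "
                                f"'{open_block[1]}' (line {open_block[0]}) was closed with exit")
            open_block = (lineno, line)
    if open_block is not None:
        problems.append(f"line {open_block[0]}: '{open_block[1]}' is not followed by exit")
    return problems

# Constructed sample: two sub-modes never closed, and "end" leaves config mode.
BAD_FRAGMENT = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto map CSPM-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-3DES-SHA
 match address 101
end
"""

# Constructed sample: the same commands, each sub-mode closed with exit.
GOOD_FRAGMENT = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
exit
crypto map CSPM-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-3DES-SHA
 match address 101
exit
"""

if __name__ == "__main__":
    for name, fragment in (("bad", BAD_FRAGMENT), ("good", GOOD_FRAGMENT)):
        print(name, check_ios_fragment(fragment) or "OK")
```

The lint knows nothing about IOS itself beyond the four command prefixes and the mode-changing commands; it cannot tell which forms of a command actually open a sub-mode on a given IOS release (an exit after a form that does not open one would itself leave configuration mode), so treat its output as a review aid and still read the fragment against the device documentation.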

Approving the Generated Command Set Manually Using the Command Console Panel

From the Command panel, you can manually approve the command set that Cisco Secure Policy Manager generates for the selected Policy Enforcement Point. This feature enables you to review and modify the generated command set before it is published to the selected Policy Enforcement Point. More importantly, it enables you to control the publishing order when you manage more than one Policy Enforcement Point with Cisco Secure Policy Manager. This matters because a command set published to one Policy Enforcement Point could deny the communications that other Policy Enforcement Points require before you have approved and published their command sets; approving in a deliberate order keeps those paths open.

To manually approve the generated command set for the selected Policy Enforcement Point, perform the following task:


Step 1 Right-click the PIX Firewall icon or IOS Router icon for which you want to review/approve the generated command set.

Step 2 To view the Command panel, point to Properties, and click Command on the shortcut menu.

Result: The Command panel appears in the View pane.

Step 3 To review the pending command set, verify that Pending Commands is selected under Command Review/Edit.

The command set that Cisco Secure Policy Manager generated for the selected Policy Enforcement Point appears in the Commands/Messages box. Review these commands to ensure that they satisfy the security policy of your organization. You can use the scroll bars to review the full set of commands.

Step 4 To approve the selected command set after you review it, click Approve Now under Command Approval.


Result: The pending command set is immediately published to the selected Policy Enforcement Point. The Status box message changes to "Processing completed."

Step 5 To accept your changes and close the selected panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.

Posted: Thu May 25 13:39:37 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.