Configuring the Global Policy Override Settings for Policy Enforcement Points

As discussed in "Understanding the Network Topology Tree," the Network Topology tree organizes the device-specific settings for Policy Enforcement Points, as well as for other network objects. This chapter focuses on the settings that are specific to Policy Enforcement Points, such as global policy override and other device-centric settings.

For information on configuring the communications between a Policy Enforcement Point and Policy Distribution Point (a Cisco Secure Policy Manager server), refer to "Configuring Administrative Control Communications." For information on configuring the way that network traffic flows across your network, refer to "Defining Traffic Flows and Shaping Rules."

Settings 1 Panel on the PIX Firewall Node

From the Settings 1 panel, you can specify certain device-specific settings for the selected PIX Firewall. These settings include global network policy overrides that are enabled for this Policy Enforcement Point only, such as timeout settings for certain services as well as all sessions, global ICMP service enablement, and the timeout settings for user authentication sessions. In addition, you can specify the configuration settings for options such as generating and labeling syslog data streams and whether to enable the SMTP Flood Guard security feature to protect your e-mail server against flood attacks.

Learn More About the Settings 1 Panel on a PIX Firewall Node

The Settings 1 panel organizes the device-specific configuration and policy override settings for an instance of a Policy Enforcement Point based on the PIX Firewall. This Policy Enforcement Point represents a gateway object over which you have administrative control, and one for which Cisco Secure Policy Manager can generate and publish device-specific network policies based on the global network policy that you define under the Network Policy tree. A Policy Enforcement Point accepts commands generated by a Policy Enforcement Point control agent that resides on a primary or secondary server on which a Policy Distribution Point is running.

The settings that you specify in the Settings 1 panel are presented to the PIX Firewall as global settings that affect all network policies that the PIX Firewall enforces against network traffic traversing the firewall. A policy can only be enforced when network traffic passes from one perimeter to another.

Task List for the Settings 1 Panel on a PIX Firewall Node

You can perform the following tasks from the Settings 1 panel. For step-by-step procedures on performing a specific task, click the appropriate task topic.

Specifying Global ICMP Policy Overrides in the Settings 1 Panel of the PIX Firewall Node

You can specify global policy overrides for specific types of inbound ICMP network traffic that the PIX Firewall receives from either upstream or downstream networks. This feature is useful for enabling common features required by administrative tools like ping and traceroute.

To specify the global policy overrides for specific types of ICMP traffic, perform the following task:


Step 1 Right-click the PIX Firewall icon for which you want to define global policy overrides for inbound ICMP traffic, point to Properties, and then click Settings 1 on the shortcut menu.


Step 2 To specify the global policy override, select the box for the appropriate type of ICMP traffic that you want to permit under Policy overrides for Inbound ICMP.

You can enable the following policy overrides:

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.


Specifying Global Timeout Settings on the Settings 1 Panel of a PIX Firewall Node

You can specify global timeout values for specific types of network service; the PIX Firewall uses these values to forcefully end network sessions of those service types. This feature is useful for ending stagnant sessions and limiting the length of time that a particular session can last.

To specify the global timeout settings for specific session types, perform the following task:


Step 1 Right-click the PIX Firewall icon for which you want to specify global timeout settings, point to Properties, and then click Settings 1 on the shortcut menu.

Step 2 To specify the timeout values in minutes for specific session types, type that value in the appropriate box under Timeouts.

You can specify a global timeout value for the following session types:

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.


Specifying Log Settings for PIX Firewall Activity

To generate meaningful reports about the network activity of the PIX Firewall, you must select the appropriate log level that generates the syslog details required to track session-specific data. From the Settings 1 panel, you can specify that you want to enable logging, specify the log level, and specify the log facility for the selected PIX Firewall.


Note The log levels generated by the PIX Firewall are listed in the Log level (trap) box. The list is ordered by increasing verbosity, and each subsequent log level option includes all the events generated by the previous log level in that list.

To specify the PIX Firewall log settings, perform the following task:


Step 1 Right-click the PIX Firewall icon for which you want to specify the log settings, point to Properties, and then click Settings 1 on the shortcut menu.

Step 2 To specify that you want to enable logging, select the Enable logging check box under Logging.

By default, this option is selected.

Step 3 To specify the facility number that you want this PIX Firewall to use when generating syslog data streams, select that number in the Log facility box under Logging.

The syslog facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network devices that generate syslog data streams. This value enables you to specify that the selected PIX Firewall has a syslog facility value between 16 and 23. This value is included in any syslog messages that are generated by this PIX Firewall. The default value for this box is 20.

Step 4 To specify the level of syslog messages that you want this PIX Firewall to generate, select that level in the Log level (trap) box under Logging.

This value identifies the syslog logging level generated by the PIX Firewall. You can specify one of the following values for this box:


Note This setting directly affects what level of reports you can generate about the network activity for this PIX Firewall. We recommend that you select Information or Debugging to ensure that all report data is available.

Step 5 To accept your changes and close the selected panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.


Enabling Flood Guard on the Settings 1 Panel of a PIX Firewall Node

You can specify that you want a PIX Firewall to guard against flood attacks that occur on the TCP ports. By enabling this feature, you can improve availability of TCP-based sessions, which protects your network against TCP_SYN flood attacks. This attack simply consumes resources by requesting new sessions without actually completing the handshake. By consuming all available connections, a TCP_SYN flood attack can prevent those sessions that you want to allow through your PIX Firewall from ever occurring. Flood Guard reclaims these resources by canceling unanswered session requests when the number of possible connections is running low.

To enable the Flood Guard e-mail protection, perform the following task:


Step 1 Right-click the PIX Firewall icon on which you want to enforce Flood Guard, point to Properties, and then click Settings 1 on the shortcut menu.

Step 2 To enable Flood Guard for all TCP traffic traversing this PIX Firewall, select the Enable Flood Guard check box under Configuration.

By default, this option is not selected.

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.


Settings 1 Dialog Box in the Interfaces Panel of the PIX Firewall Node

From the Settings 1 dialog box that is accessible from each interface object within the Interfaces panel on a specific PIX Firewall node, you can specify certain device-specific settings for that PIX Firewall. These settings are specific to the propagation of routes; specifically, they enable routing table updates and/or broadcasts of the default route on a per-interface basis.

Specifying the Routing Table Update and Broadcast Settings in the Settings 1 Dialog Box in the Interfaces Panel of the PIX Firewall Node

For each interface installed in a PIX Firewall, you can specify settings that control the propagation of routes; specifically, they enable routing table updates and/or broadcasts of the default route on a per-interface basis.


Warning Any use of routing protocols, such as RIP, exposes your networks to attacks based on the inherent weakness in routing protocols. We do not recommend that you select these options.

To specify the interface route settings, perform the following task:


Step 1 Right-click the PIX Firewall icon for which you want to specify the interface route settings.

Step 2 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.

Step 3 To specify the interface for which you want to specify the route settings, select that interface in the Interfaces box.

Result: The name and type settings appear under Edit Interface Selection.

Step 4 To view the Settings 1 dialog box, click Settings under Edit Interface Selection.

Result: The Settings 1 dialog box appears.

Step 5 To enable the selected interface to provide information to upstream and/or downstream gateway objects that request routing table updates, select Allow routing table updates.

Step 6 To enable the selected interface to broadcast information about default routes, select Allow to broadcast default routes.

Step 7 To accept your changes and close the selected panel, click OK.

Step 8 To save any changes that you have made, click Save on the File menu.


Device-Specific Settings for an IOS Router Node

From the Settings panels, you can specify certain device-specific settings for the selected IOS Router. These settings include the following global network policy overrides that are enabled for network sessions that traverse this Policy Enforcement Point only:

Learn More About Device-Specific Settings on an IOS Router Node

The Settings 1, Settings 2, and Settings 3 panels organize the device-specific configuration and policy override settings for an instance of a Policy Enforcement Point based on the IOS Router. This Policy Enforcement Point represents a gateway object over which you have administrative control, and one for which Cisco Secure Policy Manager can generate and publish device-specific network policies based on the global network policy that you define under the Network Policy tree. A Policy Enforcement Point accepts commands generated by a Policy Enforcement Point control agent that resides on a primary or secondary server on which a Policy Distribution Point is running.

The settings that you specify in these panels are presented to the IOS Router as global settings that affect all network policies that the IOS Router enforces against network traffic traversing the router. A policy can only be enforced when network traffic passes from one perimeter to another.

Task List for the Device-Specific Settings on an IOS Router Node

You can perform the following tasks from the Settings 1, Settings 2, and Settings 3 panels. For step-by-step procedures on performing a specific task, click the appropriate task topic.

Enabling Address Translation Overload for an IOS Router Node

For IOS Routers, you can specify that the router should overload the global pool of IP addresses when enforcing the mapping rules defined on the router. This option enables you to conserve addresses in the inside global address pool by allowing the router to use one global address for many local addresses. When this overloading is configured, the router maintains enough information from higher-level protocols (for example, TCP or UDP port numbers) to translate the global address back to the correct local address. When multiple local addresses map to one global address, each TCP or UDP port number of each inside host distinguishes between the local addresses.

To specify that this IOS Router should enable address translation overload, perform the following task:


Step 1 Right-click the IOS Router icon for which you want to enable address translation overload.

Step 2 To view the Settings panel, point to Properties, and then click Settings 1 on the shortcut menu.


Step 3 To specify that this IOS Router should overload the global pool of IP addresses when enforcing the mapping rules defined for it, select the Enable NAT Overload check box.

The default value for this option is Off (cleared).

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.
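As an added illustration, not taken from this manual or from Cisco's code, the following Python models the overloaded translation table the paragraph above describes: two inside hosts that happen to use the same local port share one global address and are told apart by the global port the router assigns, and an inbound packet for a port with no table entry has nowhere to go. The class and function names are mine and the addresses are constructed.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Flow:
    """One endpoint of a TCP or UDP session: protocol, address and port."""
    proto: str
    addr: str
    port: int


class OverloadTranslator:
    """Simplified model of NAT overload (hypothetical, written for this page):
    many inside local (addr, port) pairs share one inside global address, and the
    router keeps the protocol and port so replies can be mapped back."""

    def __init__(self, global_addr: str, first_port: int = 1024):
        self.global_addr = global_addr
        self._ports = count(first_port)      # sequential allocation for simplicity
        self.out_table = {}   # (proto, local addr, local port) -> global port
        self.in_table = {}    # (proto, global port) -> (local addr, local port)

    def translate_outbound(self, local: Flow) -> Flow:
        """Map a local flow onto the shared global address, allocating a port once
        per flow so an existing session keeps its translation."""
        key = (local.proto, local.addr, local.port)
        if key not in self.out_table:
            gport = next(self._ports)
            if gport > 65535:
                raise RuntimeError("global port pool exhausted")
            self.out_table[key] = gport
            self.in_table[(local.proto, gport)] = (local.addr, local.port)
        return Flow(local.proto, self.global_addr, self.out_table[key])

    def translate_inbound(self, proto: str, global_port: int) -> Flow:
        """Reverse a reply: protocol plus global port recover the inside host.
        A port with no entry (an unsolicited inbound packet) cannot be delivered."""
        try:
            addr, port = self.in_table[(proto, global_port)]
        except KeyError:
            raise LookupError(f"no translation for {proto}/{global_port}") from None
        return Flow(proto, addr, port)


if __name__ == "__main__":
    # Constructed addresses: two inside hosts both using local port 1025.
    nat = OverloadTranslator("203.0.113.1")
    for host in ("10.1.1.2", "10.1.1.3"):
        print(Flow("tcp", host, 1025), "->", nat.translate_outbound(Flow("tcp", host, 1025)))
    print("reply to port 1025 ->", nat.translate_inbound("tcp", 1025))
```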


Enabling ICMP Policy Override Setting for an IOS Router Node

For IOS Routers, you can specify that you want the router to permit ICMP echo-reply traffic for those network packets that originate from a network attached to any interface in the router and that are destined for the router or a network attached to another interface on that router. Much of the traffic that this setting enables supports network applications such as ping and traceroute.

Because ICMP traffic is not inspected by content-based access control (CBAC), you must enable this option to permit return traffic for ICMP commands. For example, a user on a protected network uses the ping command to get the status of a host on an unprotected network; without entries in the access list that permit echo reply messages, the user on the protected network gets no response to the ping command.

Currently, Cisco Secure Policy Manager does not implicitly permit any ICMP echo-reply traffic for a Policy Enforcement Point on any outgoing interfaces. If you want to be able to ping between two network objects, all IOS Router nodes in the path between the two objects must have this feature enabled.


Caution As with any network services designed with the sole purpose of providing information about the objects residing on your network, this feature could enable what many administrators consider to be a security hole.

To specify that this IOS Router should allow ICMP echo-reply traffic, perform the following task:


Step 1 Right-click the IOS Router icon for which you want to enable ICMP echo-reply traffic traversal.

Step 2 To view the Settings panel, point to Properties, and then click Settings 1 on the shortcut menu.

Step 3 To specify that this IOS Router should permit ICMP echo-reply traffic, select the Enable Replied ICMP check box.

The default value for this option is Off (cleared).

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.


Specifying Log Settings for IOS Router Node Activity

To generate meaningful reports about the network activity of the IOS Router, you must select the appropriate log level that generates the syslog details required to track session-specific data. From the Settings 1 panel, you can specify that you want to enable logging, specify the log level, and specify the log facility for the selected IOS Router.


Note The log levels generated by the IOS Router are listed in the Log level (trap) box. The list is ordered by increasing verbosity, and each subsequent log level option includes all the events generated by the previous log level in that list.

To specify the IOS Router log settings, perform the following task:


Step 1 Right-click the IOS Router icon for which you want to specify the log settings.

Step 2 To view the Settings panel, point to Properties, and then click Settings 1 on the shortcut menu.

Step 3 To specify that you want to enable logging, select the Enable logging check box under Logging.

By default, this option is selected.

Step 4 To specify the facility number that you want this IOS Router to use when generating syslog data streams, select that value in the Log facility box under Logging.

The syslog facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network objects that generate syslog data streams. This value enables you to specify that the selected IOS Router has a syslog facility value that can be differentiated from other network objects. This value is included in any syslog messages that are generated by this IOS Router. The default value for this box is local7.

Step 5 To specify the level of syslog messages that you want this IOS Router to generate, select that level in the Log level (trap) box under Logging.

This value identifies the syslog logging level generated by the IOS Router. You can specify one of the following values for this box:


Debugging. Generates syslog messages that assist you in debugging. It also generates logs that identify the commands issued during FTP sessions and the URLs requested during HTTP sessions. Includes all Emergency, Alert, Critical, Error, Warning, Notification, and Information messages.


Note This setting directly affects what level of reports you can generate about the network activity for this IOS Router. We recommend that you select Information or Debugging to ensure that all report data is available.

Step 6 To accept your changes and close the selected panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.
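The facility and trap-level settings above (and the matching PIX settings in "Specifying Log Settings for PIX Firewall Activity") reach a central syslog collector through the PRI field at the start of every message, encoded as facility * 8 + severity. The following Python is an added example rather than anything from this manual: it unpacks that field, separates a PIX stream on the default facility 20 (local4) from an IOS Router stream on the default local7 (23), and shows which messages a device emits at a given trap level. The sample lines are constructed, not captured from a device, and the function names are mine.

```python
import re

# Severity numbers in the syslog PRI field; the "Log level (trap)" list uses
# the same order, so trap level N emits every message with severity <= N.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notification", "Information", "Debugging"]

# Facility codes 16-23 are the local-use facilities local0-local7.  The PIX
# panel shows the number (default 20); the IOS panel shows the name (default local7).
LOCAL_FACILITIES = {16 + i: f"local{i}" for i in range(8)}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def split_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity, so divmod recovers both parts."""
    facility, severity = divmod(pri, 8)
    return facility, severity


def parse_message(line: str) -> dict:
    """Parse '<PRI>text' into facility name, severity name/number and body."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError(f"no PRI header: {line!r}")
    facility, severity = split_pri(int(m.group(1)))
    return {
        "facility": LOCAL_FACILITIES.get(facility, f"facility{facility}"),
        "severity": SEVERITIES[severity],
        "severity_num": severity,
        "text": m.group(2).strip(),
    }


def messages_at_trap_level(lines, trap_level: str) -> list:
    """Messages a device configured with this trap level would emit: every
    message whose severity number is at or below the level's number."""
    cutoff = SEVERITIES.index(trap_level)
    parsed = [parse_message(line) for line in lines]
    return [p for p in parsed if p["severity_num"] <= cutoff]


def count_by_facility(lines) -> dict:
    """What a central collector does with the facility: tell devices apart."""
    counts = {}
    for line in lines:
        name = parse_message(line)["facility"]
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample lines (not real captures): three from a PIX on facility 20
# and two from an IOS Router on local7.  164 = 20*8 + 4, 190 = 23*8 + 6.
SAMPLE = [
    "<164>%PIX-4-106023: Deny tcp src outside:203.0.113.5/4321 dst inside:10.1.1.2/25",
    "<166>%PIX-6-302001: Built inbound TCP connection for faddr 203.0.113.5/4321",
    "<167>%PIX-7-111009: User 'enable_15' executed cmd: show xlate",
    "<189>%SEC-5-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4321) -> 10.1.1.2(23)",
    "<190>%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (10.1.1.2:1025) sent 250 bytes",
]

if __name__ == "__main__":
    print(count_by_facility(SAMPLE))
    for level in ("Warning", "Information", "Debugging"):
        print(level, "->", len(messages_at_trap_level(SAMPLE, level)), "messages")
```

Trap level Warning keeps only the first line, Information keeps four, and Debugging keeps all five, which is why the Note above recommends Information or Debugging for full report data.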


Specifying the Global CBAC Settings for an IOS Router Node

For IOS Routers running Cisco Secure Integrated Software or Cisco Secure Integrated VPN Software, you can specify specific settings for CBAC commands that are generated for this Policy Enforcement Point by Cisco Secure Policy Manager. These CBAC settings enable you to customize specific global options, such as timeouts, half-open session thresholds, and session initiation rate thresholds.

To specify the global CBAC settings for the IOS Router, perform the following task:


Step 1 Right-click the IOS Router icon for which you want to specify the global CBAC settings.

Step 2 To view the Settings panel, point to Properties, and then click Settings 2 on the shortcut menu.


Step 3 To specify the length of time the software waits for a TCP session to reach the established state before dropping the session, type that value in the TCP Synwait-time box.

The default value for this timeout setting is 30 seconds.

Step 4 To specify the length of time a TCP session will be managed after the firewall detects a FIN-exchange, type that value in the TCP Finwait-time box.

The default value for this timeout setting is 5 seconds.

Step 5 To specify the length of time a DNS name lookup session will be managed after no activity, type that value in the TCP Finwait-time box.

The default value for this timeout setting is 5 seconds.

Step 6 To specify the number of existing half-open sessions that can exist before the software starts deleting half-open sessions, type that value in the Max-incomplete High Number box.

The default value for this session threshold setting is 500 sessions.

Step 7 To specify the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, type that value in the Max-incomplete Low Number box.

The default value for this session threshold setting is 400 sessions.

Step 8 To specify the rate (in number of sessions per minute) of new unestablished sessions that will cause the software to start deleting half-open sessions, type that value in the One-minute High Number box.

The default value for this session threshold setting is 500 sessions/minute.

Step 9 To specify the rate (in number of sessions per minute) of new unestablished sessions that will cause the software to stop deleting half-open sessions, type that value in the One-minute Low Number box.

The default value for this session threshold setting is 400 sessions/minute.

Step 10 To specify the number of existing half-open TCP sessions with the same destination host address that will cause the software to start dropping half-open sessions to the same destination host address, type that value in the TCP Max-incomplete Host box.

The default value for this session threshold setting is 50 sessions.

Step 11 To specify the length of time the software waits for a TCP session to reach the established state before dropping the session, type that value in the Block-Time (Seconds) box.

The default value for this timeout setting is 30 seconds.

Step 12 To accept your changes and close the selected panel, click OK.

Step 13 To save any changes that you have made, click Save on the File menu.
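As an added illustration, not code from this manual or from Cisco, the following Python models how the half-open session thresholds from Steps 6 through 10 interact: the High numbers start deletion of half-open sessions, the Low numbers stop it, and the gap between them keeps the router from flapping during a SYN burst. The threshold names and default values are the page's; the class and function names are mine and the burst data is constructed.

```python
from dataclasses import dataclass


@dataclass
class CbacThresholds:
    """Names follow the Settings 2 panel; values are the defaults quoted above."""
    max_incomplete_high: int = 500      # total half-open sessions: start deleting
    max_incomplete_low: int = 400       # total half-open sessions: stop deleting
    one_minute_high: int = 500          # new unestablished sessions/min: start deleting
    one_minute_low: int = 400           # new unestablished sessions/min: stop deleting
    tcp_max_incomplete_host: int = 50   # half-open TCP sessions to one destination host


class CbacMonitor:
    """Hypothetical model of the start/stop (hysteresis) behaviour of the
    half-open session thresholds.  Not Cisco's implementation."""

    def __init__(self, thresholds: CbacThresholds = None):
        self.t = thresholds or CbacThresholds()
        self.deleting = False   # True while half-open sessions are being deleted

    def sample(self, half_open_total: int, new_per_minute: int) -> bool:
        """Update the state from one measurement; return whether deletion is active."""
        t = self.t
        if not self.deleting:
            # Either global measure crossing its High number starts deletion.
            if half_open_total > t.max_incomplete_high or new_per_minute > t.one_minute_high:
                self.deleting = True
        else:
            # Deletion stops only once both measures are below their Low numbers,
            # so values inside the 400-500 band leave the current state unchanged.
            if half_open_total < t.max_incomplete_low and new_per_minute < t.one_minute_low:
                self.deleting = False
        return self.deleting

    def hosts_over_limit(self, half_open_by_host: dict) -> list:
        """Destination hosts whose half-open TCP count exceeds the per-host limit;
        the software starts dropping half-open sessions to these hosts."""
        limit = self.t.tcp_max_incomplete_host
        return sorted(h for h, n in half_open_by_host.items() if n > limit)


def trace(samples, thresholds: CbacThresholds = None) -> list:
    """Feed (half_open_total, new_per_minute) samples through one monitor and
    return the deletion state after each sample."""
    mon = CbacMonitor(thresholds)
    return [mon.sample(total, rate) for total, rate in samples]


# Constructed burst: rises past the High number, falls into the band between
# Low and High (still deleting), then drops below Low and clears.
SYN_BURST = [(300, 120), (520, 450), (450, 300), (450, 600), (390, 350), (200, 50)]

if __name__ == "__main__":
    for (total, rate), deleting in zip(SYN_BURST, trace(SYN_BURST)):
        print(f"half-open={total:4d} new/min={rate:4d} deleting={deleting}")
    print(CbacMonitor().hosts_over_limit({"10.1.1.2": 72, "10.1.1.3": 12}))
```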


Specifying the Global Inspection Command Settings for an IOS Router Node

For IOS Routers running Cisco Secure Integrated Software or Cisco Secure Integrated VPN Software, you can specify the specific settings for the inspection commands used to study the network services supported by these software modules. You can specify the time that a session can remain idle before the router tears down the session automatically. In addition, you can specify whether you want to provide additional information within the syslog messages about such sessions evaluated by the router or issue alerts when certain suspicious network activities are detected.

To specify the global inspection command settings for the IOS Router, perform the following task:


Step 1 Right-click the IOS Router icon for which you want to specify the global inspection command settings.

Step 2 To view the Settings panel, point to Properties, and then click Settings 3 on the shortcut menu.


Step 3 To specify the maximum period of time that a session can remain idle, type that value in the text box to the right of each network service for which you want to modify the idle timeout value.

Step 4 To specify that the IOS Router should log summary data about a session, select the Audit-trail check box to the right of the network service name.

This option generates an additional per-session transaction log of network activities. The message is issued at the end of each inspected session and it records the source/destination addresses and ports, as well as the number of bytes transmitted by the client and server. It is an informational syslog message type, and therefore, you must specify that this router generates at least the informational log level.

Step 5 To specify that the IOS Router should issue alerts to the console and generate a special alert-level syslog message when it detects suspicious network activities, select the Alert check box to the right of the network service name.

This option generates console and syslog alerts when the following network activities are detected:

Step 6 To accept your changes and close the selected panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.

Posted: Thu May 25 13:12:16 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.