|
|
"Understanding the Network Topology Tree," introduced the concept of traffic flows, which identify how network packets are allowed to flow across your network. Cisco Secure Policy Manager enables you to define rules that can affect such flows in two way:
The following sections describe the device-specific settings that enable you to affect traffic flows.
While routing rules can be viewed on non-managed gateway objects, such as clouds and routers, such rules are not distributed to those gateway objects by Cisco Secure Policy Manager. Instead, Cisco Secure Policy Manager assumes that you have defined such routing rules on those gateway objects.
 |
Note All static routing rules that have been defined using administrative interfaces other than Cisco Secure Policy Manager are replaced by those routing rules that are defined using Cisco Secure Policy Manager. Therefore, you should be sure to copy your current configuration to a safe location so that you can specify any non-derived static routing rules within Cisco Secure Policy Manager. |
This topic provides a high-level discussion about routing network packets and how a Policy Enforcement Point selects which routing rule to apply for a specific communication. Normally, you will not need to define new routing rules; however, you need to understand how routing works to define rules properly. Routing simply refers to delivery of network packets to their destinations over a network. To communicate with the Policy Enforcement Point, every network object must have a routing rule defined for that Policy Enforcement Point that permits the network object to reach the Policy Enforcement Point or it must use the default route. In addition, the Policy Enforcement Point must have a rule defined that permits it to reach the network on which the network object resides or to select the next gateway object in the path.
|
Note For the purpose of this discussion, a network object is a host or consumer of network services. It is an endpoint that acts as an initiator or recipient of a network communication. |
Before any network packet can traverse the network from NetObject A to NetObject B, routes must exist for NetObject B on every gateway object along the path from NetObject A to NetObject B. Like a bucket brigade, each object moves the network packet one step farther down the path. On the basis of the final destination of the packet, each object uses routing rules to determine the next object along the path. The next object's address is called the "hop address." For a network session to occur between NetObject A and NetObject B, the inverse routes must exist on every gateway object along the path from NetObject B to NetObject A. The two paths do not necessarily have to be symmetric.
Rules Required to Route Between Two Objects
In a scenario where NetObject A and NetObject B reside on networks directly attached to separate interfaces on a common Policy Enforcement Point (Gw1), six routing rules must exist for bi-directional communications:
Three types of routing rules exist on the Routes panel:
|
Note All static routing rules that have been defined using administrative interfaces other than Cisco Secure Policy Manager are replaced by those routing rules that are defined using Cisco Secure Policy Manager. Therefore, you should be sure to copy your current configuration to a safe location so that you can specify any non-derived static routing rules within Cisco Secure Policy Manager. |
The Network Topology tree identifies the possible traffic flows the Policy Enforcement Points could use to route network packets. Cisco Secure Policy Manager automatically derives routes for each Policy Enforcement Point based on the interfaces installed in it and the traffic flows permitted through it.
These rules are marked as "Derived" in the Routes panel. When you define routing rules, you only need to define rules for special cases where the derived rules are inadequate or where you need to override a derived rule---such rules are "MANUAL," which represent non-derived rules. The remainder of this topic provides details useful for managing non-derived rules.
|
Note If you define a MANUAL routing rule that overrides a derived routing rule, the derived routing rule will no longer appear in the Routes panel and no command set will be generated to enable that derived route. However, you can delete the MANUAL routing rule to have the derived routing rule generated and distributed as part of the command set. |
Just because a computer exists on your internal networks does not mean that Policy Enforcement Points have a routing rule defined for it. If a computer cannot communicate with a Policy Enforcement Point, most likely no routing rule is defined to reach that computer (or the computer does not have a routing rule to reach the gateway or Policy Enforcement Point). Even when the computer resides on your trusted networks, a Policy Enforcement Point drops all network packets destined for that computer if a route is not defined directly to that computer or the network on which that computer resides.
 |
Tips You can use Cloud nodes and cloud networks to ensure that all your networks are identified so that Cisco Secure Policy Manager can generate derived routing rules for all routes required to reach those networks contained within the cloud and the objects residing on those networks. |
Defining routing rules is similar to charting a course of travel. When you look at a map, you can plan an optimal route to a specific destination. When a Policy Enforcement Point determines what route to use, it selects the most specific rule (based on the highest netmask). Because Cisco Secure Policy Manager does not support dynamic routes, you can only define one routing rule for each network or cloud network defined within the Network Topology tree.
To understand how netmasks are used, consider a Policy Enforcement Point that is attached to the 10.0.0.0 network.
Example: We will consider two routing rules:
1. address: 10.1.2.0 netmask: 255.255.255.0 gateway: 10.0.0.4
2. address: 10.1.0.0 netmask: 255.255.0.0 gateway: 10.0.0.5
Rule 1 applies for network packets that are destined for the more exclusive 10.1.2.* subnetwork, whereas Rule 2 applies to those network packets destined to the 10.1.*.* subnetwork, but not to the 10.1.2.* subnetwork. For example, Rule 2 would apply to network packets destined for 10.1.3.13, and Rule 1 would apply to network packets destined for 10.1.2.13.
In this example, the largest netmask value determines which rule to use, selected from the list of available rules that are applicable to the destination address of a network packet.
Because the netmask value in Rule 1 is 255.255.255.0, we know to use the first three octets in the address when determining whether to apply this routing rule. In Rule 2, we know that only the first two octets are necessary for determining whether to apply it. Because Rule 1 has three significant octets, it has the highest netmask value. When the Policy Enforcement Point receives a network packet destined for a host on the 10.1.2 network, Rule 1 is always applied instead of Rule 2. Rule 1 applies because it is a valid rule for routing the network packet (as is Rule 2) and Rule 1 has a larger netmask value than Rule 2.
Currently, Policy Enforcement Points support the concept of classless networks, or Classless Inter-Domain Routing (CIDR). For more information about CIDR, review the Request for Comment (RFC) documents 1517, 1518, and 1519 at http://www.isi.edu/rfc-editor/catagories/rfc-proposed.html.
Each Policy Enforcement Point actually maintains two sets of routing rules: one set is dynamic and the other is static. The static routing rules are those rules marked as MANUAL, Derived, and Implicit and are listed in the Routes panel. The dynamic routing rules are updated by router-to-router communications, and this set of routing rules is not directly supported by Cisco Secure Policy Manager (although, you can use the Command panel on a Policy Enforcement Point to specify the commands required to enable dynamic routing rules).
 |
Warning Because dynamic routing rules are updated via router-to-router communications, the dynamic routes are vulnerable to attack due to the inherent security weakness in the protocols that support dynamic routes. |
You can perform the following tasks from the Routes panel. For step-by-step procedures on performing a specific task, click the appropriate task topic.
You can define new routing rules to optimize network packet delivery and to override a derived routing rule (by selecting the same target as that of a derived routing rule). All rules that you define are MANUAL routing rules.
|
Note You can only define routing rules on managed gateway objects (Policy Enforcement Points) that exist on your network. In addition, all static routing rules that have been defined using a non-Cisco Secure Policy Manager administrative interface are replaced by those routing rules that have been defined using Cisco Secure Policy Manager. |
To create a new MANUAL routing rule, perform the following task:
Step 2 To view the Routes panel, point to Properties, and click Routes on the shortcut menu.
Result: The Routes panel appears in the View pane.
Step 3 To begin defining a new rule, click Insert Route.
Result: A new rule appears as the last item in the Active Routing Rules list with the word "Unknown" selected in the Network box.
Step 4 To select the network, network shortcut, or cloud network to which you want this Policy Enforcement Point to be able to route
---or---
The options list displays all network, network shortcut, cloud networks, and IP ranges that are defined in the Network Topology tree. This options list also includes the (specify) option.
Step 5 If you selected an existing object, skip to Step 9. Otherwise continue with Step 6.
Step 6 To manually specify the network address, type the address of the network to which you are routing in the Network Address box under Selected Route.
Because routes to all directly connected networks are automatically derived, this value identifies an address of a network, network shortcut, or cloud network that is not directly connected to the Policy Enforcement Point---it does not belong to an object to which the Policy Enforcement Point's network interfaces are directly connected. This value is also a network that is not defined under the Network Topology tree.
Step 7 To specify the network mask that corresponds to the network specified in the Network Address box, type that value in the Network Mask box.
Step 8 To specify the gateway that is used to reach the object specified in the Network Address box, type the IP address of that gateway in the Gateway box under Active Routing Rules.
This value identifies a gateway that either
---or---
Step 9 Repeat Steps 3 through 7 for each new rule that you want to create.
Step 10 To accept your changes and close the selected panel, click OK.
Step 11 To save any changes that you have made, click Save on the File menu.
To optimize network packet delivery on your network, you can modify the rules that you define (type "MANUAL"). However, you cannot modify or delete routing rules that are marked as "Implicit" or "Derived," but you can override the derived rules. Derived rules are generated automatically by Cisco Secure Policy Manager.
|
Note You can only change routing rules on managed gateway objects (Policy Enforcement Points) that exist on your network. |
To change an existing routing rule, perform the following task:
Step 2 To view the Routes panel, point to Properties, and click Routes on the shortcut menu.
Result: The Routes panel appears in the View pane.
Step 3 To select the rule that you want to change, click that rule under the Active Routing Rules list.
Result: The boxes under Selected Route display the current settings for the selected rule.
|
Note You cannot change a rule that is marked "Implicit" or "Derived." However, you can override such a rule by defining a MANUAL rule to the same target network object. |
Step 4 To modify the IP address of the network, network shortcut, or cloud network for this rule, right-click that object in the Network box under Active Routing Rules, and then either
The options list displays all networks that are defined in the Network Topology tree.
---or---
Because routes to all directly connected networks are automatically derived, this value identifies an address of a network, network shortcut, or cloud network that is not directly connected to this gateway object---it does not belong to an object to which this gateway object's network interfaces are directly connected. This value is also a network that is not defined under the Network Topology tree.
Step 5 If you selected an existing network, skip to Step 8. Otherwise continue with Step 6.
Step 6 To modify the network mask of the network specified in the Network Address box, type the new network mask in the Network Mask box.
Step 7 To modify the IP address of the gateway used to reach the object specified in the Network Address box, type the new IP address in the Gateway box under Active Routing Rules.
This value identifies a gateway that either
---or---
Step 8 Repeat Steps 3 through 7 for each rule that you want to change.
Step 9 To accept your changes and close the selected panel, click OK.
Step 10 To save any changes that you have made, click Save on the File menu.
You can disable the generation of derived routing rules for a specific gateway object. When you disable the generation of derived routes, you must define the routing rules for all objects to/from which this gateway object can send/receive network packets; otherwise, this gateway object will not be able to communicate with any networks other than those to which it is directly attached.
The effect of disabling the generation of derived routing rules can reduce the time required by Cisco Secure Policy Manager to perform a Save or a Save and Update operation. While this feature may be used to view only MANUAL routes on a managed gateway object, disabling route generation on unmanaged gateway objects can still reduce the time required to perform a Save or Save and Update operation.
To disable the generation of derived routing rules, perform the following task:
Step 2 To view the Routes panel, point to Properties, and click Routes on the shortcut menu.
Result: The Routes panel appears in the View pane.
Step 3 To disable the generation of derived routing rules, select the Inhibit generation of non-MANUAL rules.
Result: Any derived routing rules, marked Implicit or Derived, are removed from the Routes panel. The only routing rules, based on this gateway object, that Cisco Secure Policy Manager will publish to any Policy Enforcement Points on your network are those MANUAL routing rules that you define in this panel.
Step 4 To accept your changes and close the selected panel, click OK.
Step 5 To save any changes that you have made, click Save on the File menu.
You can view the list of active routing rules defined for each gateway object. Routing rules instruct the Policy Enforcement Points on your network as to where to deliver network packets that it receives. These rules can optimize delivery to other networks.
To view the active routing rules, perform the following task:
Step 2 To view the Routes panel, point to Properties, and click Routes on the shortcut menu.
Result: The Routes panel appears in the View pane.
Step 3 To review the list of active rules, scroll through the Active Routing Rules list.
Step 4 To review the IP address assigned to the interface to which a network is attached for any given rule, click that rule in the Active Routing Rules list.
Result: The Interface Address field under Selected Route displays the value associated with the selected routing rule, as do the Network Address and Network Mask boxes.
Step 5 To close the selected panel, click OK.
Mapping rules refer to three types of rules that you can define from the Mapping panel:
Static translation and address hiding rules are enforced by a Policy Enforcement Point when network packets are transferred between two perimeters (inter-perimeter communications) attached to that Policy Enforcement Point. These rules are enforced on a per-Policy Enforcement Point basis, and you can only define these two rule types on a Policy Enforcement Point.
A path restriction rule enables you to restrict network flows across your network. Like static translation and address hiding rules, path restriction rules are enforced by Policy Enforcement Points. However, you can define path restriction rules on all gateway object types, including Policy Enforcement Points, routers, and clouds, and each Policy Enforcement Point along the restricted path enforces these rules by not permitting network services enabled by the security policies that you have defined to traverse that Policy Enforcement Point.
The following sections describe how each rule type works, when to use that rule type, and how to create, modify, and view those types of rules from the Mapping panel.
A static translation is a bi-directional one-to-one address mapping rule that gives external users access to one of your internal network hosts. Static translation rules apply to all forms of IP traffic, which means they do not limit access to the host based on a specific network service. A static rule maps an external IP address that is assigned to a network interface in the Policy Enforcement Point to an IP address that is assigned to the internal network host.
 |
Caution If you define a static translation rule for a Policy Distribution Point, you can cause a temporary command set publishing problem. The problem results because the connection to the Policy Enforcement Point is broken after the new command set is published to the Policy Enforcement Point because it effectively changes the address of the Cisco Secure Policy Manager host by which the current command set is being published. |
In this case, you have two possible solutions to resolve this temporary problem:
|
Note Because static translation rules take precedence over address hiding rules, you can use this rule type to force a specific translation while allowing other communications to be translated using the more generic address hiding rules. |
Example: We can define a static translation rule that maps from the external IP address 192.168.7.130 (alias address) to the internal file server 192.168.1.3 (real address).
|
Note To allow communication to these internal hosts, you must still define and apply security policies that permit session requests originating on the external networks to reach the internal servers. |
When the Policy Enforcement Point receives a session request where the source address matches the IP address of the internal file server, it changes the source address to the external IP address before placing the packet onto the network of which the external address is a member. Likewise, when the Policy Enforcement Point receives a network packet destined for the alias address, it changes the destination address to the address of the internal file server and places the new packet onto the network to which the internal file server belongs. Thus, the internal file server processes the packet as though it were originally destined for the file server. In both cases, all packets that are part of a valid session are remapped according to the translation rule (assuming that the active security policy permits the communication). If the active security policy does not permit a specific communication, the session request is rejected and the translation never occurs.
|
Warning If you expose your internal DNS servers using a static translation rule, you do not benefit from the address hiding feature provided by address hiding rules. External users can simply request information about your trusted networks from the DNS servers that you expose. |
You can perform the following tasks that are specific to static translation rules from the Mapping panel.
The following sections provide step-by-step instructions for defining these tasks.
A Policy Enforcement Point enables you to map an external IP address on the Policy Enforcement Point to an IP address assigned to an internal network object. To define a rule, you must map between an IP address on a particular interface of the Policy Enforcement Point and the network object that you want to translate.
|
Warning If you expose your internal DNS servers using a static translation rule, you do not benefit from the address hiding feature provided by network address translation. External users can simply request information about your trusted networks from the DNS servers that you expose. |
|
Note To allow communications with an exposed server, you must define and apply a security policy to the Internet node (or an untrusted network) that permits session requests originating on the untrusted networks to reach the internal server. |
To create a static translation rule, perform the following task:
Result: The Mapping panel appears in the View pane.
Step 2 To specify that you want to define a static translation rule, click Static Translation (bidirectional remapping) in the Select rule type box.
Result: The list of active static translation rules appears in the Static Translation list.
Step 3 To begin defining a new static translation rule, click Insert Rule.
Result: A new rule named S# is created in the Static Translation list.
Step 4 To specify which network object to translate with this rule, click that network or host in the Translate object box under Static Translation (bidirectional remapping).
The Translate object box displays a list of the network objects that reside under the Policy Enforcement Point node for which you are defining this rule. If you do not see the network object that you want to hide, you must define it within the Network Topology tree.
|
Caution If you define a static translation rule for a Policy Distribution Point, you can cause a temporary command set publishing problem. The problem results because the connection to the Policy Enforcement Point is broken after the new command set is published to the Policy Enforcement Point because it effectively changes the address of the Cisco Secure Policy Manager host by which the current command set is being published. |
In this case, you have two possible solutions to resolve this temporary problem:
|
Tips You can lock the Mapping panel by clicking the Lock this view box at the bottom of the panel, and then use a drag-and-drop operation to move a host from the Network Topology tree onto the Translate object box. |
Step 5 To specify the interface, or set of interfaces, from which the network or host will be translated, click the interface(s) in the via interface(s) box.
The via interface(s) box displays a list of the interfaces directly attached to the Policy Enforcement Point. However, this list does not contain the interface to which the network or host that you want to translate is attached. You cannot translate a host or network from the interface to which it is attached.
When you translate a network object from an interface, you are declaring that any network object attached to that interface cannot use the real address to access the translated network object. Instead, such network objects must deliver all network traffic to the address specified in the using address box (presumably, the address assigned to the interface to which the network objects are attached). The Policy Enforcement Point acts as a proxy agent between the translated network object and the interface objects by mapping between the two addresses. This mapping occurs for communications that originate either from the translated network object or from an object residing on the interface specified in this field.
|
Tips To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order. |
Step 6 To specify the IP address, or starting address of an IP range, that the internal network object's address(es) will be remapped to, type that IP address in the using address box.
This value is the specific alias IP address to which you want to translate the real addresses of the translated object. If the value in the through with box is also specified, this address identifies the starting address of the IP range that will be used to translate the network object. However, you can define a range of exactly one address. If the Policy Enforcement Point is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with the American Registry for Internet Numbers (ARIN).
Step 7 To specify the ending address of the IP range that the internal network object address(es) will be remapped to, type that IP address in the through with box.
This value identifies the ending alias IP address in an IP address range that will be used for this translation rule. If the Policy Enforcement Point is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with ARIN.
Step 8 To specify the network mask value of the IP range that the internal network object address(es) will be remapped to, type that value in the mask box.
This value identifies the mask of the network on which IP address(es) used as aliases are members. It represents the number of bits in the netmask.
Step 9 (PIX Firewall only: Optional) To specify the maximum number of simultaneous connections for this rule, type that value in the MaxC box.
This value is a whole number that represents the maximum number of simultaneous connections that can use this translation rule. The Policy Enforcement Point enforces this value against new session requests. Use 0 (zero) to specify the default value assigned to the Policy Enforcement Point.
Step 10 (PIX Firewall only: Optional) To specify the maximum number of simultaneous embryonic links for this rule, type that value in the EmbL box.
This value is a whole number (smaller than the MaxC value) that represents the maximum number of simultaneous embryonic links that can use this translation rule. The Policy Enforcement Point enforces this value against new session requests by restricting the number of session requests that have not completed the handshake. This feature enables you to guard against TCP_SYN attacks. Use 0 (zero) to specify the default value assigned to the Policy Enforcement Point.
Step 11 For each new rule that you want to create, repeat Steps 3 through 10.
Step 12 To accept your changes and close the selected panel, click OK.
Step 13 To save any changes that you have made, click Save on the File menu.
You can change the rules that the selected Policy Enforcement Point uses to apply address translation when external users are communicating with an internal network server that has an IP address you want to hide from those users.
|
Note To allow communications with an exposed server, you must define and apply a security policy to the Internet node (or an untrusted network) that permits session requests originating on the untrusted networks to reach the internal server. |
To change a static translation rule, perform the following task:
Step 2 To view the Mapping panel, point to Properties, and then click Mapping on the shortcut menu.
Result: The Mapping panel appears in the View pane.
Step 3 To specify that you want to change a static translation rule, click Static Translation (bidirectional remapping) in the Select rule type box.
Result: The list of active static translation rules appears in the Static Translation list.
Step 4 To select the rule that you want to change, click that rule under Static Translation (bi-directional mapping).
Step 5 To change which host on your internal network is used for this rule, click the new host in the Translate object box.
The list of hosts that are available in the Translate object box are those hosts that reside under the selected Policy Enforcement Point. If you do not see the host for which you want to define the new rule in this list, you must define that host in the Network Topology tree.
|
Caution If you define a static translation rule for a Policy Distribution Point, you can cause a temporary command set publishing problem. The problem results because the connection to the Policy Enforcement Point is broken once the new command set is published to the Policy Enforcement Point because it effectively changes the address of the Cisco Secure Policy Manager host by which the current command set is being published. |
In this case, you have two possible solutions to resolve this temporary problem:
|
Tips You can lock the Mapping panel by clicking the Lock this view box at the bottom of the panel, and then use a drag-and-drop operation to move a host from the Network Topology tree onto the Translate object box. |
Step 6 To specify the interface, or set of interfaces, from which the network or host will be hidden, click the interface(s) in the via interface(s) box.
The via interface(s) box displays a list of the interfaces directly attached to the Policy Enforcement Point. However, this list does not contain the interface to which the network or host that you want to hide is attached. You cannot hide a host or network from the interface to which it is attached.
When you hide a network object from an interface, you are declaring that any network object attached to that interface cannot use the real address to access the hidden network object. Instead, such network objects must deliver all network traffic to the address specified in the using address box (presumably, the address assigned to the interface to which the network objects are attached). The Policy Enforcement Point acts as a proxy agent between the hidden network object and the interface objects by mapping between the two addresses. This mapping occurs for communications that originate either from the hidden network object or from an object residing on the interface specified in this field.
|
Tips To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order. |
Step 7 To change the IP address on the selected host that is remapped, click the new IP address in the using address box.
The addresses that are available in the using address box are the IP addresses that have been previously assigned to that network host within the Network Topology tree.
Step 8 To change the address that you want to use when remapping to/from the internal host's IP address, click the new address in the through with box.
The list of addresses available in the through with box are the IP addresses assigned to the network adapter cards on the Policy Enforcement Point for which you are defining this new rule.
Step 9 For each new rule that you want to change, repeat Steps 3 through 8.
Step 10 To accept your changes and close the selected panel, click OK.
Step 11 To save any changes that you have made, click Save on the File menu.
You can view the static translation rules that are active on the selected Policy Enforcement Point. The Policy Enforcement Point maps these external IP addresses defined on the Policy Enforcement Point to IP addresses assigned to internal hosts, as well as vice versa, depending on the direction specified in the rule.
To view the active rules for static translation, perform the following task:
Step 2 To view the Mapping panel, point to Properties, and then click Mapping on the shortcut menu.
Step 3 To specify the rule type that you want to view, click Static Translation (bidirectional remapping) in the Select rule type box.
Step 4 To review the list of active rules, scroll through the list under Static Translation.
Step 5 To close the selected panel, click OK.
Address hiding, commonly referred to as network address translation (NAT), is the process of converting between IP addresses used within an intranet or other private network (called a subdomain) and Internet IP addresses (or external IP addresses on a Policy Enforcement Point). This approach makes it possible to use a large number of addresses within the subdomain without depleting the limited number of available numeric Internet IP addresses.
In addition to conserving IP addresses, address hiding provides additional security features for your network by hiding its internal structure and allowing logical mappings to users who compose the different groups and departments within your company. These logical mappings enable you to track your external network usage statistics much more easily.
|
Warning If you expose your internal DNS servers using a static translation rule, you do not benefit from the address hiding feature provided by address hiding rules. External users can simply request information about your trusted networks from the DNS servers that you expose. |
While some users may not need to use address hiding, you should keep this feature in mind as your network continues to grow. The following topics describe what problems address hiding can solve and how it works to solve these problems.
An address hiding translator provides several benefits for your network:
As these benefits indicate, network address translation overcomes several limitations associated with the current IP addressing scheme. We discuss these limitations below.
Conceals Internal IP Addresses from Internet Users. As the network administrator, you may wish to conceal internal network addresses from the Internet, which prevents them from being disclosed to possibly malicious users. An address hiding translator dynamically assigns a valid external IP address to an internal IP address by mapping the internal address to an external address. Because this mapping between the external and internal IP addresses is temporary (it lasts only for the duration of a session), your internal IP addresses are concealed from the Internet. Only the external addresses appear in the packets that are distributed across the Internet.
Requires Fewer Registered IP Addresses. To connect to the Internet, a company must purchase IP addresses from ARIN, which is the organization responsible for registering and assigning IP addresses to those who wish to connect to the Internet. Currently, IP addresses are allocated based on the size of the company that is requesting IP addresses. To prevent depletion of IP addresses on the Internet, small and medium organizations receive fewer IP addresses, regardless of plans for future expansion. An address hiding translator bypasses this limitation and ensures that you can continue to grow your network without acquiring additional addresses. Because an address hiding translator distributes the control and allocation of valid external IP addresses, it provides full connectivity and access to the Internet regardless of the size of your network or the number of users that you support.
Use of Invalid Internal Addresses. Because many companies use invalid IP addresses within their intranets, computers using those addresses cannot legally access the Internet. From the perspective of the routers, these addresses appear to belong to a network that is different from the Internet. If you have used such addresses, you may find that it is impractical to change them to valid internal addresses. The address hiding translator maintains the integrity of your internal addressing schemes by mapping registered IP addresses to all internal addresses, including invalid addresses.
|
Note Invalid IP addresses are also referred to as reserved addresses, which are IP addresses restricted to special purposes, such as internal domain or Internet service provider network usage. |
Network address translation solves these problems by temporarily reassigning a registered IP address to an internal computer that requests services across the Internet (or another external network). When residing on a Policy Enforcement Point, the address hiding translator acts as a buffer between the global Internet and the local IP networks called subnets. The internal subnets only require IP addresses that are unique to that subnet level. When a computer on one of these subnets sends traffic out over the Internet (thus traversing the Policy Enforcement Point), the address hiding translator strips the internal IP address (unique for that subnet) from the network packets and replaces that address with a unique external address that is registered and assigned to that subnet or site.
Often, the address hiding translator contains a pool of external IP addresses, which enables more than one internal computer to connect to the Internet at the same time. The pool contains those IP addresses that are registered with ARIN, http://www.arin.net. When you allocate IP addresses for your subnets, you must verify that those addresses do not conflict with the external IP addresses. Doing so ensures that the external IP addresses remain unique, enabling the address hiding translator to distinguish among computers. When a network packet is routed across the Policy Enforcement Point, the address hiding translator replaces the internal corporate address with a temporary external address. As soon as the application session is over, the external address is returned to the pool, where it can be reassigned during a new session request.
|
Note When using the Internet control message protocol (ICMP), you should be aware that the echo request and echo reply packets are not automatically mapped to ports. For simultaneous ping commands to work correctly, your site must possess multiple registered IP addresses. |
You can perform the following tasks that are specific to address hiding rules from the Mapping panel.
The following sections provide step-by-step instructions for defining these tasks.
You can define the address translation rules that the selected Policy Enforcement Point uses for inter-interface communications (transferring network packets between two interfaces). To define a rule, you map one or more external IP addresses (exposed) to an internal network address of any class. Thus, you can hide that internal network's actual address from networks that exist on other interfaces.
|
Note You cannot hide a network's address from computers on that network. Also, any address translation rules that you defined during installation are included in the list of active address translation rules shown in the Mapping panel. |
|
Caution Before you can hide a network address, the Policy Enforcement Point must have a route defined to access that network. These routes can be implicitly defined by the routes attached to the network interfaces installed on the Policy Enforcement Point, or you can explicitly define a route for that network. |
To create a new address translation rule, perform the following task:
Result: The Mapping panel appears in the View pane.
Step 2 To specify that you want to define an address hiding rule, click Address Hiding (source remapping) in the Select rule type box.
Result: The list of active address hiding rules appears in the Address Hiding list.
Step 3 To begin defining a new address hiding rule, click Insert Rule.
Result: A new rule named H# is created in the Address Hiding list.
Step 4 To specify which network object to hide with this rule, click that network or host in the Hide object box under Address Hiding (source remapping).
The Hide object box displays a list of the network objects that reside under the Policy Enforcement Point node for which you are defining this rule. If you do not see the network object that you want to hide, you must define it within the Network Topology tree.
|
Tips You can lock the Mapping panel by clicking the Lock this view box at the bottom of the panel, and then use a drag-and-drop operation to move a network host from the Network Topology tree onto the Hide object box. |
Step 5 To specify the interface, or set of interfaces, from which the network or host will be hidden, click the interface(s) in the from interface(s) box.
The from interface(s) box displays a list of the interfaces directly attached to the Policy Enforcement Point. However, this list does not contain the interface to which the network or host that you want to hide is attached. You cannot hide a network or host from the interface to which it is attached.
When you hide a network or host from an interface, you are declaring that any network object attached to that interface cannot use the real address to access the hidden network object. Instead, such network objects must deliver all network traffic to one of the addresses specified in the using address and through with boxes (presumably, the address assigned to the interface to which the network objects are attached). The Policy Enforcement Point acts as a proxy agent between the hidden objects and the interface objects by mapping between the two addresses. However, this mapping only occurs for communications that originate from the hidden object.
|
Tips To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order. |
Step 6 To specify the IP address, or starting address of an IP range, that the internal network object address(es) will be remapped to, type that IP address in the using address box.
This value is the specific alias IP address to which you want to translate the real addresses of the translated object. If the value in the through with box is also specified, this address identifies the starting address of the IP range that will be used to translate the network object. However, you can define exactly one address. If the Policy Enforcement Point is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with ARIN.
Step 7 To specify the ending address of the IP range that the internal network object address(es) will be remapped to, type that IP address in the through with box.
This value identifies the ending alias IP address in an IP address range that will be used for this translation rule. If the Policy Enforcement Point is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with ARIN.
Step 8 To specify the network mask value of the IP range that the internal network object address(es) will be remapped to, type that value in the mask box.
This value identifies the mask of the network on which IP address(es) used as aliases are members. It represents the number of bits in the netmask.
Step 9 (PIX Firewall only: Optional) To specify the maximum number of simultaneous connections for this rule, type that value in the MaxC box.
This value is a whole number that represents the maximum number of simultaneous connections that can use this translation rule. The Policy Enforcement Point enforces this value against new session requests. Use 0 (zero) to specify the default value assigned to the Policy Enforcement Point.
Step 10 (PIX Firewall only: Optional) To specify the maximum number of simultaneous embryonic links for this rule, type that value in the EmbL box.
This value is a whole number (smaller than the MaxC value) that represents the maximum number of simultaneous embryonic links that can use this translation rule. The Policy Enforcement Point enforces this value against new session requests by restricting the number of session requests that have not completed the handshake. This feature enables you to guard against TCP_SYN attacks. Use 0 (zero) to specify the default value assigned to the Policy Enforcement Point.
Step 11 For each new rule that you want to create, repeat Steps 3 through 10.
Step 12 To accept your changes and close the selected panel, click OK.
Step 13 To save any changes that you have made, click Save on the File menu.
You can change the address hiding rules that the selected Policy Enforcement Point uses for inter-interface communications (transferring network packets between two interfaces).
|
Note You cannot hide a network address from computers on that network. Also, any address translation rules that you defined during installation are included in the list of active address translation rules shown in this panel. |
|
Caution Before you can hide a network address, the Policy Enforcement Point must have a route defined to access that network. These routes can be implicitly defined by the routes attached to the network interfaces installed in the Policy Enforcement Point, or you can explicitly define a route for the network. |
To change an existing address hiding rule, perform the following task:
Result: The Mapping panel appears in the View pane.
Step 2 To specify that you want to change an address hiding rule, click Address Hiding (source remapping) in the Select rule type box.
Result: The list of active address hiding rules appears in the Address Hiding list.
Step 3 To specify which rule you want to change, click that rule in the list of rules under Address Hiding.
Step 4 To change the network or host that you want to hide, click the new network or host in the Hide object box under Address Hiding (source remapping).
The Hide object box displays a list of the networks and hosts that reside under the Policy Enforcement Point node for which you are defining this rule. If you do not see the network or host that you want to hide, you must define it within the Network Topology tree.
|
Tips You can lock the Mapping panel by clicking the Lock this view box at the bottom of the panel, and then use a drag-and-drop operation to move a network host from the Network Topology tree onto the Hide object box. |
Step 5 To specify that you want to hide the network from a different interface or set of interfaces, click the new interface(s) in the from interface(s) box.
The from interface(s) box displays a list of the interfaces attached to the Policy Enforcement Point. However, this list does not contain the interface to which the network or host that you want to hide is attached. You cannot hide a network or host from the interface to which it is attached.
When you hide a network or host from an interface, you are declaring that any network object attached to that interface cannot use the real address to access the hidden network object. Instead, such network objects must deliver all network traffic to one of the addresses specified in the using address box (presumably, the address assigned to the interface to which the network objects are attached). The Policy Enforcement Point acts as a proxy agent between the hidden network object and the interface objects by mapping between the two addresses. However, this mapping only occurs for communications that originate from the hidden network or host.
|
Tips To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order. |
Step 6 To change the IP address, or set of addresses, that the internal network/host address is remapped to, click the new IP address(es), in the using address box, that are assigned to the Policy Enforcement Point's network adapter card from which the external requests will originate.
These addresses identify the IP addresses, which are assigned to network adapter cards on the Policy Enforcement Point, that external servers will see when they receive a network packet that originated from the internal network or host that you are hiding. One of these addresses will appear as the source address of these network packets. The algorithm by which these addresses are applied is as follows:
1. Test the first address in list to see if the original transport layer port of the session request is available. If it is, that address/port pair is used.
2. Test the next address/original transport layer port until a match is found or the list of addresses is exhausted.
3. Test the first address in list to find the first available port. If no port is available for that address, test the next address in the list to find an available port. This step is repeated until an available port is found for one of the addresses in the list.
Step 7 For each new rule that you want to change, repeat Steps 3 through 6.
Step 8 To accept your changes and close the selected panel, click OK.
Step 9 To save any changes that you have made, click Save on the File menu.
You can view the address hiding rules that the selected Policy Enforcement Point uses for inter-interface communications transferring network packets between two interfaces.
To view the active rules for address hiding, perform the following task:
Result: The Mapping panel appears in the View pane.
Step 2 To specify the rule type that you want to view, click Address Hiding (source remapping) in the Select rule type box.
Step 3 To review the list of active rules, scroll through the list under Address Hiding.
Step 4 To close the selected panel, click OK.
When a network packet is routed across your network in a way that satisfies the following three criteria, it is following a path:
Simply stated, a path specifies how a packet gets from point A to point B over wires and other network media.
Paths are crucial to an understanding of where and how to define path restriction rules. When you define a path restriction rule, you prevent the flow of traffic across your network in one direction between two specific network objects.
|
Note You can define a path restriction rule on any gateway object, other than the Internet node, in the Network Topology tree. |
Two paths that follow the same route but travel in opposite directions identify a traffic flow, so traffic flows are bi-directional and symmetric. If you disable a traffic flow between two network objects, you are defining a flow restriction. While it is possible to define asymmetric path restrictions, we strongly recommend that you define symmetric path restrictions only. Figure 7-2 depicts symmetrical and asymmetrical communications.
A flow restriction is more precisely defined as a set of path restriction rules, enforced by the Policy Server Point of Cisco Secure Policy Manager, that overrides the connectivity interpretation of your Network Topology tree. A flow restriction essentially prevents any network packet from taking a specified path, just as if the network media along that path were not connected. In other words, if a network packet can take more than one path to reach a specific destination, you can eliminate some of those possible paths by defining a flow restriction.
Figure 7-3 illustrates an organization that has two sites connected to the Internet and a management network connected to both sites. The organization does not want network traffic originating from one site and destined for the Internet to travel across the Management Network, although that would be a valid traffic flow to the Internet. In addition, the organization does not want network traffic originating from one site and destined for the other site to travel over the Internet or the Management Network. They want to restrict such traffic to the Backbone Network.
To summarize, the organization in the example above wants to end up with the following traffic flows:
Flow restrictions have several benefits:
In addition, flow restrictions conserve Cisco Secure Policy Manager resources. The end result of a flow restriction is that applied security policies and generated routes are affected:
Three types of flow restrictions can be identified:
The following sections describe these three types of flow restrictions, explain what effects flow restrictions have across your network, and identify when you should define the different types of flow restriction.
An intra-gateway flow restriction enables you to keep traffic from crossing a gateway object through a specific pair of interfaces on it. Because this restriction type is symmetric, you must define a path restriction rule for each interface in the pair that restricts the path from the other interface in the pair.
Each path restriction rule used to define an intra-gateway flow restriction reads as follows:
Figure 7-4 illustrates a gateway object, Gw1, that has four interfaces---Gw1a, Gw1b, Gw1c, and Gw1d---connected to the network.
You can define an intra-gateway flow restriction for any of six possible flows:
When you define an intra-gateway flow restriction, you must first select the particular intra-gateway flow that you want to restrict, and then define a path restriction rule for both directions of that flow. To define the two required path restriction rules, use the following algorithm:
FOR the first interface in the pair
define a path restriction rule from the second interface; FOR the second interface in the pair
define a path restriction rule from the first interface;
As an example, we can define two path restriction rules on gateway object Gw1 that will prevent network traffic between interface Gw1a and interface Gw1b, which identifies the intra-gateway flow Gw1a:Gw1b. The two following rules restrict this specific flow:
By preventing the paths in both directions of the flow, we effectively prevent traffic between these two interfaces.
Each path restriction rule used to define an inter-gateway flow restriction reads as follows:
Figure 7-5 illustrates the basic symmetric flows that you can restrict between two gateway objects that have four interfaces connected to the network.
Assuming that Gw1c is connected to Gw2a, then nine inter-gateway flows are possible:
Gw1a:Gw2a (invalid) Gw1c:Gw2a (invalid) Gw1a:Gw2b Gw1c:Gw2b (invalid) Gw1a:Gw2c Gw1c:Gw2c (invalid) Gw1a:Gw2d Gw1c:Gw2d (invalid) Gw1b:Gw2a (invalid) Gw1d:Gw2a (invalid) Gw1b:Gw2b Gw1d:Gw2b Gw1b:Gw2c Gw1d:Gw2c Gw1b:Gw2d Gw1d:Gw2d
When you define an inter-gateway flow restriction, you must first select the particular inter-gateway flow that you want to restrict, and then define a path restriction rule to stop the flow in each direction (each symmetric path). In other words, you must define a path restriction rule to prevent the flow from the first gateway object and then define a path restriction rule to stop the same flow from the second gateway object.
A pair of paths is considered to be a flow only when each of those paths traverses the same gateway object. You can define a path restriction rule only in cases where the path traverses (enters at one interface and exists via a different interface) the gateway object on which the rule is being defined. The reason for this traversal requirement is that intrinsically a Policy Enforcement Point cannot affect a packet unless it traverses that Policy Enforcement Point; also, because the default security stance is "deny all" unless that service is explicitly permitted, it is ultimately the Policy Enforcement Points that are responsible for enabling the traffic flows and the network services permitted along those flows. To control specific traffic flows, Cisco Secure Policy Manager enables you to define path restriction rules on a per-interface basis.
This traversal requirement is illustrated in the preceding example, in which Gw1c is connected to Gw2a. This particular connection (marked invalid in the list of possible flows above) does not represent a flow because it does not traverse either Gw1 or Gw2. The other connections that are marked invalid traverse either Gw1 or Gw2, but not both, making them asymmetric flows. In the examples throughout this section, we assume that each interface is connected to a unique network segment unless it is directly connected to another interface in the examples.
When an inter-gateway flow traverses both gateway objects, that flow is a symmetric flow. You can quickly determine the symmetric flows between two gateway objects by studying only those interfaces that are not connected. You can do this by combining the two gateway objects at points of connectivity into a logical gateway object Gw(1,2) as identified in the preceding example. Using this technique, you can use the same algorithm for the logical gateway object that you use for the intra-gateway flow restrictions.
Each path restriction rule used to define a regional flow restriction reads as follows:
Figure 7-6 illustrates the basic symmetric flows that you can restrict among three gateway objects, where Gateway objects 1 (Gw1) and 2 (Gw2) have two interfaces connected to the network and Gateway Object 3 (Gw3) has three interfaces connected to the network. Each gateway object has an interface connected to Region Z, and, therefore, these gateway objects are the ones that bound that region.
Assuming that Gw1b, Gw2b, and Gw3c collectively are the interfaces that bound Region Z, then five regional flows are possible:
Gw1a:Gw2a Gw2a:Gw3a Gw1a:Gw2b (invalid) Gw2a:Gw3b Gw1a:Gw3a Gw2a:Gw3c (invalid) Gw1a:Gw3b Gw1a:Gw3c (invalid) Gw1b:Gw2a (invalid) Gw2b:Gw3a (invalid) Gw1b:Gw2b (invalid) Gw2b:Gw3b (invalid) Gw1b:Gw3a (invalid) Gw2b:Gw3c (invalid) Gw1b:Gw3b (invalid) Gw1b:Gw3c (invalid)
When you define a regional flow restriction, you are building on the inter-gateway flow restriction algorithm by defining an inter-gateway flow restriction for each flow that traverses the defined region. To define path restriction rules, use the following algorithm:
FOR each gateway bordering the region (Active Gateway) DO FOR each external interface on all other bordering gateways on the region DO define a path restriction rule from the external interface(s) on Active Gateway; END; \ FOR each external interface END; \ FOR each gateway
To understand the proper use of flow restrictions, you must consider the high-level traffic flows (paths) that are possible across your network. In addition, you must define a logical region across which you do not want traffic to flow. The logical region must be bordered by gateway objects, such as Cloud nodes, Router nodes, IOS Router nodes, or PIX Firewall nodes. Figure 7-7 presents a network flow diagram and identifies its regions and their bordering gateway objects.
From this high-level perspective, you can treat a particular region as a single gateway object because the goal of defining path restriction rules is to prevent traffic from traversing the multiple paths across that region. Paths can begin or end in a region, but they are not allowed to traverse it. The way that you manage a gateway object is analogous in that you are essentially preventing traffic flows from one interface to another on the same gateway.
Recall that the organization described at the beginning of this section wants to end up with the following traffic flows:
Assuming that we want to have these traffic flows, we must prevent the following specific symmetric traffic flows:
We can further refine the permitted flows to ensure that all traffic flowing between the Management Network and the Internet travels across Site B (not Site A). To prevent the flow across Site A, we define the inter-gateway flow restriction Gw1a:Gw5b.
You can perform the following tasks that are specific to path restriction rules from the Mapping panel.
The following sections provide step-by-step procedures for defining these tasks.
You can define the path restriction rules that the selected Policy Enforcement Point enforces against network traffic that traverses this Policy Enforcement Point. To define a rule, you specify the network object that you want to restrict the traffic flows to and from, and then you specify the interface(s) that should be used to enforce the rule.
|
Note You cannot restrict the paths used to reach a specific host or IP range. In other words, you cannot select a host or IP range as part of this rule type definition. |
To add a new path restriction rule, perform the following task:
Result: The Mapping panel appears in the View pane.
Step 2 To specify that you want to define a path restriction rule, click Path Restrictions in the Select rule type box.
Result: The list of active path restriction rules appears in the Path Restrictions list.
Step 3 To begin defining a new path restriction rule, click Insert Rule.
Result: A new rule named R# is created in the Path Restrictions list.
Step 4 To specify the network object to/from which you want to restrict network traffic, click that network object in the Disable paths to box under Path Restrictions.
The Disable paths to box displays a list of network objects that reside under the Network Topology tree. If you do not see the network object to/from which you want to restrict a specific network path, you must define it within the Network Topology tree. However, you can select neither Host nor IP Range nodes. To refer to an interface on another Policy Enforcement Point, you must select the interface by navigating the tree shown in the Disable paths to box in the Mapping panel. The interfaces are not first-level objects in the Network Topology tree in the Navigator pane.
Step 5 To specify the interface, or set of interfaces, that will enforce the path restriction rule, click that interface(s) in the from interface(s) box.
The from interface(s) box displays a list of the interfaces attached to the Policy Enforcement Points that can enforce the path restriction rule. If you are defining a rule on a specific Policy Enforcement Point, only the interfaces on that Policy Enforcement Point are presented as options for enforcing the rule. However, this list does not contain the interface to which the network object to which you are disabling the paths is attached. You cannot hide a network object from the interface to which it is attached.
When you disable paths to a network object from an interface, you are declaring that any packets received from or sent to that network object will not be permitted to traverse the selected interface(s). In other words, these interfaces cannot be used to reach the network object.
|
Tips To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order. |
Step 6 For each new rule that you want to create, repeat Steps 3 through 5.
To verify that the path restriction rule you are defining is a valid path restriction rule, ensure that the flow that you want to restrict actually traverses the gateway object on which you are defining this rule.
Step 7 To accept your changes and close the selected panel, click OK.
Step 8 To save any changes that you have made, click Save on the File menu.
You can change the active path restriction rules defined for the selected gateway object.
|
Note You cannot restrict the paths used to reach a specific host or IP range. In other words, you cannot select a host or IP range as part of this rule type definition. |
To change an active path restriction rule, perform the following task:
Result: The Mapping panel appears in the View pane.
Step 2 To specify that you want to change a path restriction rule, click Path Restrictions in the Select rule type box.
Result: The list of active path restriction rules appears in the Path Restrictions list.
Step 3 To select the path restriction rule that you want to modify, click that rule in the Path Restrictions list.
Step 4 To modify the network object to/from which you want to restrict network traffic, click the new network object in the Disable paths to box under Path Restrictions.
The Disable paths to box displays a list of the network objects that reside under the Network Topology tree. If you do not see the network object to/from which you want to restrict a specific network path, you must define it within the Network Topology tree. However, you can select neither Host nor IP Range nodes.
Step 5 To modify the interface, or set of interfaces, that currently enforces this path restriction rule, click the new interface(s) in the from interface(s) box.
The from interface(s) box displays a list of the interfaces attached to the Policy Enforcement Points that can enforce the path restriction rule. If you are defining a rule on a specific Policy Enforcement Point, only the interfaces on that Policy Enforcement Point are presented as options for enforcing the rule. However, this list does not contain the interface to which the network object to which you are disabling the paths is attached. You cannot hide a network object from the interface to which it is attached.
When you disable paths to a network object from an interface, you are declaring that any packets received from or sent to that network object will not be permitted to traverse the selected interface(s). In other words, these interfaces cannot be used to reach the network object.
|
Tips To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order. |
Step 6 For each new rule that you want to change, repeat Steps 3 through 5.
To verify that the path restriction rule you are defining is a valid path restriction rule, ensure that the flow that you want to restrict actually traverses the gateway object on which you are defining this rule.
Step 7 To accept your changes and close the selected panel, click OK.
Step 8 To save any changes that you have made, click Save on the File menu.
You can view the path restriction rules defined on a specific gateway object.
To view the active rules for path restrictions, perform the following task:
Result: The Mapping panel appears in the View pane.
Step 2 To specify the rule type that you want to view, click Path Restrictions in the Select rule type box.
Step 3 To review the list of active rules, scroll through the list under Path Restrictions.
Step 4 To close the selected panel, click OK.
Posted: Thu May 25 13:13:06 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.