Whenever you create or modify your network policy, you need to generate and publish the device-specific command sets for those changes to take effect on the Policy Enforcement Points.
Cisco Secure Policy Manager uses the policies applied to the objects in the Security Policy Enforcement branch, together with the network topology and routing information contained in the Network Topology tree, to generate the device-specific commands. You can also define your own commands to be published to the devices, either as Prologue commands (sent to the device before the generated commands) or as Epilogue commands (sent to the device after the generated commands).
Upon installation of Cisco Secure Policy Manager, the default method of command set publication is set to "manual," which means that you need to approve each device's set of generated commands before publishing them to the device. You can change this default setting to automatically publish the command sets as they are generated. However, this option is not recommended for any but the most basic of network topologies. Refer to "About Policy Distribution Points" for more information. You can also override the default command publication on a per-device basis.
The following checklist provides an overview of the command generation, verification, and publication process. Before you publish your command sets, you should become familiar with these steps and the various options for performing them.
Each step, described in the Step column, may contain several sub-steps and should be performed in the order presented. References to the specific procedures used to perform each step appear in the Reference column.
| Step | Reference |
|---|---|
| 1. Understand Distribution Point and Publishing Order Restraints. The selection of a Policy Distribution Point for a Policy Enforcement Point can be restricted by your network topology layout. Before you publish to your devices, verify that you have selected a valid Policy Distribution Point. In addition, the order in which you publish your command sets to the various Policy Enforcement Points on your network can affect your ability to publish all the generated command sets successfully. Therefore, you must study the common scenarios that can disrupt command distribution and publish your generated command sets in an order that preserves the ability to publish to all of your Policy Enforcement Points. | |
| 2. Set the Default Command Publication Method. Depending on your network topology and the number of Policy Enforcement Points that you are managing with Cisco Secure Policy Manager, you must determine whether you can automatically publish the generated command sets or whether you must publish them manually. Within Cisco Secure Policy Manager, two settings are available for selecting the publishing method: a global default value that applies to all newly created Policy Enforcement Points, and a per-Policy Enforcement Point setting available on the Command panel. | "Specifying Policy Update Default" section; "Specifying the Command Set Approval Method" section (per device) |
| 3. Generate Command Sets. Before Cisco Secure Policy Manager actually begins managing a Policy Enforcement Point, you must generate the commands using the Save and Update command on the File menu. Each time you perform a Save and Update operation, Cisco Secure Policy Manager generates new command sets for each Policy Enforcement Point defined in your Network Topology tree. The resulting command sets are presented as Pending Commands in the Command panel for each Policy Enforcement Point. | |
| 4. Verify Command Sets. If you have not set Cisco Secure Policy Manager to publish command sets automatically when you perform a Save and Update operation, you can verify the command sets before they are sent to the Policy Enforcement Points. The command sets are located in the Pending Commands field in the Command panel for each Policy Enforcement Point. | |
| 5. Add Custom Commands to the Command Sets. Cisco Secure Policy Manager enables you to add custom commands on a per-device basis. The custom commands let you set features on the Policy Enforcement Point that are not controlled directly by Cisco Secure Policy Manager. Prologue commands are sent to the Policy Enforcement Point before the system-generated commands; Epilogue commands are sent after them. | |
| 6. Bootstrap Devices for IPSec Command Publication. If you are using an IPSec tunnel to publish command sets to a Policy Enforcement Point, you need to bootstrap the Policy Enforcement Point with the appropriate IPSec settings before publishing the command sets. | |
| 7. Publish Command Sets. If you have not set the commands to be published automatically by a Save and Update operation, you must manually approve and publish the command sets for each device. | |
| 8. Verify that the Command Sets were Published Successfully. After you have approved your command sets and initiated the publishing process, you can verify that they were published successfully to the Policy Enforcement Point or detect when problems arise. The last step in publishing the command sets is to determine that the command set you wanted published to a Policy Enforcement Point is actively running on that gateway object. Cisco Secure Policy Manager provides status information during the publishing phase to assist you in making this determination. | |
Within the Cisco Secure Policy Manager system, the Policy Distribution Point plays a critical role. This component performs the following tasks:
These command sets can be published over a secure protocol, such as PIX Secure Telnet, or the Policy Distribution Point can use an IPSec tunnel to publish the command sets securely to the Policy Enforcement Points that it controls.
Because each type of Policy Enforcement Point has its own control agent within the Policy Distribution Point component, a Policy Distribution Point can control more than one Policy Enforcement Point type and multiple Policy Enforcement Points of a specific type. For example, a single Policy Distribution Point can control three IOS Routers and four PIX Firewalls if configured to do so. However, in scenarios where a Policy Distribution Point controls more than one Policy Enforcement Point, it is critical to consider the placement of the primary server or secondary server on which the Policy Distribution Point resides in relation to the Policy Enforcement Points that you want it to control. In addition, some Policy Enforcement Points have restrictions with respect to which interface(s) in the device can be used to configure them. In such cases, considering the limitations of the Policy Enforcement Point can also help you determine the correct placement of Policy Distribution Points on your network.
Because the Policy Distribution Point component is installed on all Cisco Secure Policy Manager hosts, you can always alter the way that you configure your distributed security system. Just as you can enable or disable a Policy Monitor Point for use as a valid option in configuring your security system, you can also enable or disable a Policy Distribution Point. Cisco Secure Policy Manager uses the selection of a Policy Distribution Point to ensure that the communication between the selected Policy Distribution Point and the Policy Enforcement Points that it controls is permitted. The security policies and IPSec Tunnel Groups that enable this communication are automatically generated and maintained by Cisco Secure Policy Manager.
The design of your security system deployment should focus on reducing the time required to generate and publish command sets to the Policy Enforcement Points on your network, because publishing temporarily prevents the Policy Enforcement Point from passing traffic. In addition, this design should focus on quickly monitoring data streams about network activity and detecting and notifying the proper personnel of potential security problems.
You can resolve many issues that can affect your ability to deploy network security policies to Policy Enforcement Points by carefully planning the placement of Policy Distribution Points within your network. The benefits of careful planning and placement include the following:
Because you can have more than one Policy Distribution Point on your network, you must consider the selection of a Policy Distribution Point on a per-Policy Enforcement Point basis. The best way to make this selection is to understand the scenarios that can be problematic with regard to command distribution and to understand the effects of device-specific changes that you want to make after the initial deployment.
You should not arbitrarily select the Policy Distribution Point that controls a Policy Enforcement Point. When a Policy Distribution Point controls multiple Policy Enforcement Points, a change to the global network policy can temporarily disable the communication that the Policy Distribution Point needs in order to reach one or more of the Policy Enforcement Points it controls.
The first thing to determine when selecting a Policy Distribution Point is the traffic flows for the communications that occur between the Policy Distribution Point and all the Policy Enforcement Points that it controls. Next, you must consider the other Policy Distribution Points on your network and their required traffic flows. It is imperative that these traffic flows do not cross.
When such traffic flows cross, they can only cross at a gateway object, which is referred to as a concentrating gateway object for the remainder of this discussion. If that concentrating gateway object is a managed gateway object, it identifies a possible point of failure in the publishing of command sets, as the policies managing that gateway object can be altered as well. Since concentrating gateway objects represent points along the path between one or more Policy Enforcement Points and a Policy Distribution Point, these concentrating gateway objects can potentially be updated before the farther Policy Enforcement Points are provided with command sets that reflect the changes on the concentrating gateway object. This case is most likely to occur if you have enabled automatic publishing of the command sets by selecting Automatic under Command Approval in the Options dialog box (available on the Tools menu) or in the Command panel of a specific Policy Enforcement Point.
Figure 7-1 presents a simple topology that identifies crossing traffic flows from a single Policy Distribution Point.

In this example, the HQ Router acts as a concentrating gateway object when the Policy Distribution Point attempts to publish the generated command sets to the routers on Site A or Site B. Therefore, the only way to ensure that the traffic flows to the Site A and Site B routers are not broken is to publish to those outermost managed gateway objects before you publish to the HQ Router.
You can also have crossing traffic flows in topological scenarios that have multiple Policy Distribution Points, as illustrated in Figure 7-2.

In this case, the traffic flows that you must protect against being terminated are the traffic flows between the primary servers and the secondary servers of Cisco Secure Policy Manager. This problem only arises in scenarios where you have a distributed installation type for Cisco Secure Policy Manager.
A third, and unsupported, traffic flow crossing also involves a distributed installation scenario. In this case, two or more Policy Distribution Points publish to different Policy Enforcement Points, and one of the managed Policy Enforcement Points acts as the concentrating gateway object. Figure 7-3 illustrates this crossing traffic flow.

In such cases, Cisco Secure Policy Manager does not support the intelligent synchronization of command distribution across such concentrating gateway objects. In this configuration, PDPa is oblivious to the needs of PDPb during the time that PDPb is publishing the generated command set for Gw2. As a result, PDPa could publish command sets that disrupt or disable the ability for PDPb to publish command sets to Gw2.
When defining your network topology and making modifications to the Policy Enforcement Points on that network, you must also consider the device-specific settings that affect the traffic flows. The following device-specific settings are of particular concern:
You can construct network topologies for which you should not use automatic command distribution. The problem is the order in which command sets are downloaded to the various Policy Enforcement Points. It occurs when a Cisco Secure Policy Manager server attempts to publish command sets to an external Policy Enforcement Point from behind an internal Policy Enforcement Point that translates the server's real address. In some cases, the automatically downloaded command sets can fail and prevent the download of generated command sets to some Policy Enforcement Points in the topology.
Figure 7-4 assumes that you have a network topology in which you have defined three Cisco Secure PIX Firewalls (called Outside Gw, Middle Gw, and Inside Gw in this example) and that the Cisco Secure Policy Manager host (PDP) that distributes command sets to each of these Policy Enforcement Points resides upstream from Inside Gw. Now assume that you have defined a mapping rule on either Middle Gw or Inside Gw that performs a one-to-one static translation for the addresses of PDP.

Warning: You cannot define address hiding rules that hide Cisco Secure Policy Manager hosts from the Policy Enforcement Points that they are expected to manage. Defining such rules guarantees that the device-specific command sets cannot be published to the managed gateway objects for which Cisco Secure Policy Manager is responsible.
In this case, if you distribute the commands to Inside Gw or Middle Gw before you distribute them to Outside Gw, Outside Gw becomes unreachable from PDP. Although the command set generated for Outside Gw accounts for the static translation rule, the configuration currently running on Outside Gw (the one being replaced) does not, so Outside Gw does not allow administrative updates from the translated PDP address.
Note: The automatic command distribution to Outside Gw fails only when a change to the mapping rules occurs on Inside Gw or Middle Gw. In other words, it can occur when you add, delete, or modify an existing mapping rule for the Cisco Secure Policy Manager host, PDP. Once you use the manual distribution method to change the mapping rules, you can return to the automatic distribution method until a similar change occurs.
In this example, if the address of the PDP is not translated on any Policy Enforcement Points or it is translated only on Outside Gw, automatic updates would work fine, because in that case order does not matter.
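The publishing-order rules above (Figures 7-1, 7-3 and 7-4) can be checked mechanically before a Save and Update. The following script is an added example, not part of this guide and not Cisco Secure Policy Manager code; it models each topology as a map from a managed device to the next managed gateway on the path toward its Policy Distribution Point (an assumption about how the figures are laid out, since the figures themselves are not reproduced here), derives the concentrating gateways and a safe farthest-first publishing order, flags the translation case in which the order matters, and reports crossing flows between two Policy Distribution Points. All topologies in it are constructed for the example.

```python
"""Publishing-order checks for a Policy Distribution Point (PDP).

Added example; this is not Cisco Secure Policy Manager code and does not
reproduce its internal logic.  It models the scenarios in this chapter:
Figure 7-1 (the HQ Router concentrates the flows to the Site A and Site B
routers), Figure 7-4 (the PDP sits behind Inside Gw, Middle Gw and Outside
Gw, with the PDP address statically translated on an inner gateway) and the
unsupported Figure 7-3 case (two PDPs whose flows cross at a managed gateway).
All topologies below are constructed; device names follow the figures but
the link layout is an assumption.
"""

# A topology is a dict: device -> next managed gateway toward the PDP
# (None means the PDP reaches the device without crossing another managed gateway).
FIG_7_1 = {"HQ Router": None, "Site A Router": "HQ Router", "Site B Router": "HQ Router"}
FIG_7_4 = {"Inside Gw": None, "Middle Gw": "Inside Gw", "Outside Gw": "Middle Gw"}
# Figure 7-3 (constructed): PDPa publishes to Gw1 and Gw3, PDPb publishes to Gw2,
# and PDPa's path to Gw3 runs through Gw2.  Value: (upstream map, managed devices).
FIG_7_3 = {
    "PDPa": ({"Gw1": None, "Gw2": None, "Gw3": "Gw2"}, {"Gw1", "Gw3"}),
    "PDPb": ({"Gw2": None}, {"Gw2"}),
}


def paths_from(upstream, managed=None):
    """For each managed device, the gateways on the PDP's path to it, nearest first."""
    managed = set(upstream) if managed is None else managed
    paths = {}
    for dev in sorted(managed):
        path, hop = [], upstream[dev]
        while hop is not None:
            path.append(hop)
            hop = upstream[hop]
        paths[dev] = path[::-1]
    return paths


def concentrating_gateways(upstream):
    """Managed gateways that lie on the publishing path to at least one other PEP."""
    return {gw for path in paths_from(upstream).values() for gw in path}


def publish_order(upstream):
    """Order that publishes every PEP before any gateway on its path (farthest first).

    Figure 7-1: Site A and Site B routers before the HQ Router.
    Figure 7-4: Outside Gw, then Middle Gw, then Inside Gw.
    """
    depth = {pep: len(path) for pep, path in paths_from(upstream).items()}
    return sorted(depth, key=lambda pep: (-depth[pep], pep))


def order_is_safe(order, upstream):
    """True if no concentrating gateway is published before a PEP behind it."""
    position = {pep: i for i, pep in enumerate(order)}
    return all(position[gw] > position[pep]
               for pep, path in paths_from(upstream).items() for gw in path)


def order_matters(upstream, translating_gateways):
    """Publishing order is critical only when the PDP address is translated on a
    concentrating gateway (Figure 7-4).  Translation only on the outermost gateway,
    or no translation at all, leaves the order free."""
    return bool(concentrating_gateways(upstream) & set(translating_gateways))


def crossing_flows(pdps):
    """Detect the unsupported Figure 7-3 case: a PEP managed by one PDP lies on
    another PDP's publishing path.  pdps: {pdp: (upstream, managed)}.
    Returns (pdp, pep, gateway, owner_of_gateway) tuples."""
    owner = {dev: pdp for pdp, (_, managed) in pdps.items() for dev in managed}
    problems = []
    for pdp, (upstream, managed) in pdps.items():
        for pep, path in paths_from(upstream, managed).items():
            for gw in path:
                if gw in owner and owner[gw] != pdp:
                    problems.append((pdp, pep, gw, owner[gw]))
    return problems


if __name__ == "__main__":
    for name, topo in (("Figure 7-1", FIG_7_1), ("Figure 7-4", FIG_7_4)):
        print(name, "concentrating:", sorted(concentrating_gateways(topo)),
              "publish order:", publish_order(topo))
    print("Figure 7-4, PDP translated on Middle Gw, order matters:",
          order_matters(FIG_7_4, {"Middle Gw"}))
    print("Figure 7-3 crossing flows:", crossing_flows(FIG_7_3))
```

Running it gives the Figure 7-4 order Outside Gw, Middle Gw, Inside Gw, which is the rule stated above, and reports that translation of the PDP address on Middle Gw makes that order mandatory while translation only on Outside Gw does not. The Figure 7-3 check names the gateway that one Policy Distribution Point manages while another publishes through it, which is the configuration this guide says is unsupported.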
You can specify either a manual or automatic policy update default.
To specify the policy update default, perform the following task:
Step 1 On the Tools menu, click Options.
Result: The Options dialog box appears.

Step 2 To select a policy update default, select one of the two options under Policy Update Default.
Step 3 To accept your changes and close the Options dialog box, click OK. To reject your changes and close the Options dialog box, click Cancel.
Step 4 To save any changes that you have made, click Save on the File menu.
From the Command panel, you can specify the method that you want to use for approving command sets generated by Cisco Secure Policy Manager. Approving the generated command sets is the step that precedes publishing the commands to their corresponding Policy Enforcement Points. This feature enables you to follow an administrative policy that matches the needs of your organization's security policy, as well as to select a method that ensures the publishing order is correct.
To specify an approval method for command sets generated by Cisco Secure Policy Manager, perform the following task:
Step 1 Display the Network Topology tree in the Navigator pane.
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the PIX Firewall or IOS Router node for which you want to specify the command approval method, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.
You can expand or collapse the tree structure in one of two ways:
Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to specify the command approval method.
Step 4 To view the Command panel, point to Properties, and click Command on the shortcut menu.
Result: The Command panel appears in the View pane.
Step 5 To specify which method to follow for approving commands that are generated for this Policy Enforcement Point, click that method under Command Approval.

Three approval methods exist:
Step 6 To accept your changes and close the Command panel, click OK. To reject your changes and close the Command panel, click Cancel.
Step 7 To save any changes that you have made, click Save on the File menu.
Note: If you are not ready to apply changes in network policy to your network and you only want to save the work in progress, use Save.
Caution: Enable Consistency Check prior to all Save and Update operations as a safeguard against applying inconsistent configurations that may lead to network security risks.
To save current changes and update the active network policy, perform the following task:
Step 1 On the Tools menu, click Consistency Check.
Result: The System Inconsistencies panel appears in the View pane.

Step 2 To specify the occurrence of a Consistency Check, click an option under Automatic Checking in the System Inconsistencies panel.
You can select from three options for Automatic Checking.
Step 3 To confirm your selection for Automatic Checking, click OK on the System Inconsistencies panel.
If you selected Disabled, a dialog box displays a message informing you that this selection can possibly compromise system integrity and/or system security. Click Yes to confirm your selection.
Step 4 To save current changes and update network policy, click Save and Update on the File menu.
Current configurations in the GUI client are checked for errors in consistency. If errors are detected, the Save and Update operation will be aborted. If no errors are detected, current configurations will be saved to the Primary Policy Database and network policies will be updated and enforced across your network.
To review the generated command set for the selected Policy Enforcement Point, perform the following task:
Step 1 Display the Network Topology tree in the Navigator pane.
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the PIX Firewall or IOS Router node for which you want to review/approve the generated command set, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to review/approve the generated command set.
Step 4 To view the Command panel, point to Properties, and click Command on the shortcut menu.
Result: The Command panel appears in the View pane.
Step 5 To review the Pending Commands command set, select that option under Command Review/Edit.

Result: The command set that Cisco Secure Policy Manager generated for the selected Policy Enforcement Point appears in the Commands/Messages box. Review these commands to ensure that they satisfy your organization's security policy. You can use the scroll bars to review the full set of commands.
Tip: To expand the Commands/Messages box when reviewing the generated command sets, click the << button at the bottom of the Command panel. To collapse the Commands/Messages box so that you can select a different command set, click the >> button at the bottom of the Command panel.
Step 6 To review the Prologue command set, select that option under Command Review/Edit.

Result: The Prologue commands appear in the Commands/Message box.
Step 7 To review the Epilogue command set, select that option under Command Review/Edit.

Result: The Epilogue commands appear in the Commands/Message box.
Step 8 To close the Command panel, click OK.
From the Command panel, you can manually enter commands for a Policy Enforcement Point. These commands enable you to configure Policy Enforcement Point settings that are not controlled by Cisco Secure Policy Manager (Cisco Secure Policy Manager only controls security and security-related settings).
Prologue commands are commands that will be sent to the Policy Enforcement Point before the commands generated by Cisco Secure Policy Manager. Epilogue commands are commands that will be sent to the Policy Enforcement Point after the commands generated by Cisco Secure Policy Manager. You can specify one or both types of commands for each Policy Enforcement Point.
To enter prologue or epilogue commands for the selected Policy Enforcement Point, perform the following task:
Step 1 Display the Network Topology tree in the Navigator pane.
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the PIX Firewall or IOS Router node for which you want to enter prologue or epilogue commands, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.
You can expand or collapse the tree structure in one of two ways:
Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to enter the prologue or epilogue commands.
Step 4 To view the Command panel, point to Properties and click Command on the shortcut menu.
Result: The Command panel appears in the View pane.
Step 5 To enter prologue commands, select Prologue under Command Review/Edit. To enter epilogue commands, select Epilogue under Command Review/Edit.
If you had previously specified prologue or epilogue commands for the selected Policy Enforcement Point, those commands appear in the Commands/Messages box. If you had not previously entered prologue or epilogue commands for the selected Policy Enforcement Point, the Commands/Messages box is blank.
Step 6 To enter the commands, type the commands in the Commands/Messages box in the same manner as you would at the command line of the Policy Enforcement Point (or in a text configuration file for the Policy Enforcement Point). For information about the commands available for the selected Policy Enforcement Point, refer to the manufacturer's documentation.
Note: When constructing prologue and epilogue command sets for IOS, make sure the command sets start and finish in IOS config mode. Additionally, each of the following types of commands should be followed by the exit command:
- crypto map
- crypto isakmp policy
- ip nat pool
- route-map
Step 7 To accept your changes and close the Command panel, click OK. To reject your changes and close the Command panel, click Cancel.
Step 8 To save any changes that you have made, click Save on the File menu.
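To catch the mistakes the note above describes before a custom command set is saved, the following script is an added example, not Cisco Secure Policy Manager code, that lints an IOS prologue or epilogue set: it rejects commands that assume or leave global configuration mode, requires an exit after each of the listed sub-mode commands, and, following the note on IPSec bootstrap sequence numbers later in this chapter, flags any crypto map entry that uses sequence number 1. The two command sets it checks are constructed for the example.

```python
"""Linter for Cisco Secure Policy Manager prologue/epilogue command sets (IOS).

Added example; not Cisco Secure Policy Manager code.  It checks the rules the
chapter states for custom command sets: the set must start and finish in IOS
config mode (so no enable/config t/end, and no unmatched exit), and crypto map,
crypto isakmp policy, ip nat pool and route-map commands must be followed by
exit.  It also flags a crypto map entry with sequence number 1, which the IPSec
bootstrap note reserves for the bootstrap tunnel.  Sample sets are constructed.
"""
import re

SUBMODE_COMMANDS = ("crypto map", "crypto isakmp policy", "ip nat pool", "route-map")
MODE_CHANGING = ("enable", "configure terminal", "config t", "conf t", "end")
CRYPTO_MAP_SEQ = re.compile(r"^crypto map \S+ (\d+)\b")

GOOD_EPILOGUE = """\
! constructed epilogue: an extra ISAKMP policy and a route-map CSPM does not manage
crypto isakmp policy 20
 encryption 3des
 hash sha
 authentication pre-share
exit
route-map NONAT permit 10
 match ip address 110
exit
"""

BAD_PROLOGUE = """\
config t
crypto map CSPM_MAP 1 ipsec-isakmp
 set peer 192.0.2.10
crypto isakmp policy 10
 authentication pre-share
end
"""


def lint_custom_commands(text):
    """Return [(line_no, problem), ...] for an IOS prologue or epilogue set."""
    problems = []
    open_submode = None  # (line_no, command) of a sub-mode entered but not yet exited
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment
        if line in MODE_CHANGING:
            problems.append((no, f"'{line}' changes mode; the set must start and finish in config mode"))
            continue
        if line == "exit":
            if open_submode is None:
                problems.append((no, "'exit' with no sub-mode open would leave config mode"))
            open_submode = None
            continue
        if any(line.startswith(cmd + " ") for cmd in SUBMODE_COMMANDS):
            if open_submode is not None:
                problems.append((open_submode[0], f"'{open_submode[1]}' is not followed by exit"))
            open_submode = (no, line)
            match = CRYPTO_MAP_SEQ.match(line)
            if match and int(match.group(1)) == 1:
                problems.append((no, "crypto map sequence number 1 is reserved for the bootstrap tunnel"))
    if open_submode is not None:
        problems.append((open_submode[0], f"'{open_submode[1]}' is not followed by exit"))
    return problems


if __name__ == "__main__":
    for name, text in (("good epilogue", GOOD_EPILOGUE), ("bad prologue", BAD_PROLOGUE)):
        print(name, lint_custom_commands(text) or "OK")
```

Paste the contents of the Commands/Messages box into the text argument; the line numbers in the report correspond to the lines as they appear in the box, so the offending command can be located directly.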
After using the Enforcement panel to configure the Policy Enforcement Point to use IPSec communication between the Policy Distribution Point and Policy Enforcement Point, you need to manually enter the IPSec commands into the Policy Enforcement Point before you can publish the command sets to that Policy Enforcement Point. Cisco Secure Policy Manager generates the required commands for the Policy Enforcement Point, but it does not automatically distribute them to the Policy Enforcement Point because the shared secret would be sent in clear text. The bootstrap commands are available in the Commands/Messages box in the Command panel associated with the Policy Enforcement Point.
Note: When Cisco Secure Policy Manager detects an IPSec tunnel with a sequence number of 1, it assumes that it is the bootstrap tunnel. The IPSec tunnel generated by this procedure is given a sequence number of 1. If you choose to enter your own IPSec crypto map commands to create the tunnel instead of using the generated commands, the tunnel must be given a sequence number of 1. Non-bootstrap tunnels created by Cisco Secure Policy Manager start at sequence number 5. If you manually define non-bootstrap IPSec tunnels, either on the Policy Enforcement Point or through Cisco Secure Policy Manager's prologue/epilogue commands, make sure that you do not assign any of them sequence number 1. Failure to observe this numbering restriction can result in a loss of communication between the Policy Distribution Point and the Policy Enforcement Point.
To bootstrap a Policy Enforcement Point, perform the following task:
Step 2 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you need to manually configure for IPSec communication with the Policy Distribution Point.
Step 3 To view the Command panel, point to Properties and click Command on the shortcut menu.
Result: The Command panel appears in the View pane.
Step 4 To view the generated commands, click Pending Commands in the Command Review/Edit box.
Result: The list of commands that have been generated but not yet published to the selected Policy Enforcement Point appears in the Commands/Messages box.
Step 5 To find the IPSec bootstrap commands, scroll down the Commands/Messages box until you see the "IPSec bootstrap configuration" heading.
Step 6 Copy the list of commands that appears after the IPSec bootstrap configuration heading and paste them into a text file. On a console running Windows 95 or Windows NT, you can use Notepad. On a UNIX workstation, you can use vi.
Note: If no commands appear after the IPSec bootstrap configuration heading, select Save and Update from the File menu or toolbar and verify that the policy generation processing has completed with no errors. To verify the policy generation, select Consistency Check from the Tools menu. If the commands still do not appear, make sure you selected an IPSec template in the Use secure IPSec with template field of the Policy Distribution Point box in the Enforcement panel.
Step 7 Delete the exclamation point (!) from the beginning of each line.
Tip: You can use the search and replace function of your text editor, if available, to quickly remove all exclamation points.
Result: The command set is ready to be entered into the Policy Enforcement Point. If you will be accessing the Policy Enforcement Point from a workstation other than the one on which the GUI client is installed, save the file to a location that is accessible from your point of access to the Policy Enforcement Point, such as a diskette or an FTP server. Because this file contains the IPSec shared secret, protect it accordingly and delete it once the commands have been entered.
Step 8 Access the Policy Enforcement Point using a terminal console or Telnet session. It is recommended that you enter the bootstrap configuration information from a console terminal, because any information sent via Telnet is sent in clear text. You may be required to enter a password to gain access to the Policy Enforcement Point.
Step 9 Enter the Policy Enforcement Point's configuration mode.
Note: To enter configuration mode on a PIX Firewall or IOS Router with Firewall Feature Set:
1. At the EXEC mode prompt, type enable and press Enter. Result: The Policy Enforcement Point enters privileged EXEC mode. Depending upon the configuration of your Policy Enforcement Point, you may be required to enter a password before you are allowed to enter this mode.
2. To enter global configuration mode, type config t and press Enter. Result: The Policy Enforcement Point enters global configuration mode.
Result: The Policy Enforcement Point enters the required configuration mode.
Step 10 To enter the configuration commands, copy the commands from the text file and paste them into your terminal or Telnet session. Do not paste the IPSec bootstrap configuration heading or the dashed lines that appear above and below the heading.
Result: The commands are entered, line by line, into the Policy Enforcement Point. The command set automatically places the Policy Enforcement Point into the proper configuration mode for each command being entered.
Step 11 Label and save the configuration file. If you ever need to revert to standard communication between the Policy Distribution Point and the Policy Enforcement Point, you will need to manually issue the "no" version of these commands on the Policy Enforcement Point to remove the IPSec settings.
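The copy, strip and paste steps above can be scripted. The following is an added example, not Cisco Secure Policy Manager code: it pulls the bootstrap commands out of a Pending Commands listing, drops the heading and the dashed separator lines that step 10 says not to paste, strips the leading exclamation point from each line, and confirms that the bootstrap crypto map entry uses sequence number 1 as the note above requires. The Pending Commands text is constructed for the example; the exact layout and commands that Cisco Secure Policy Manager generates may differ, and the shared secret is a placeholder.

```python
"""Extract the IPSec bootstrap commands from a Pending Commands listing.

Added example; not Cisco Secure Policy Manager code.  It automates steps 5
through 7 and the paste rule in step 10 of the bootstrap procedure: find the
"IPSec bootstrap configuration" heading, drop the dashed separator lines,
strip the leading "!" from each command, and confirm that the bootstrap
crypto map entry carries sequence number 1.  The Pending Commands text is
constructed; the real generated layout and commands may differ.
"""
import re

BOOTSTRAP_HEADING = "ipsec bootstrap configuration"
CRYPTO_MAP_SEQ = re.compile(r"^crypto map \S+ (\d+)\b")

# Constructed sample of what the Commands/Messages box might contain.
PENDING_COMMANDS = """\
access-list 101 permit tcp host 10.1.1.5 host 10.1.1.1 eq telnet
! ---------------------------------------------
! IPSec bootstrap configuration
! ---------------------------------------------
!crypto isakmp policy 1
! authentication pre-share
!exit
!crypto isakmp key <shared-secret> address 10.1.1.5
!crypto ipsec transform-set CSPM_TS esp-des esp-md5-hmac
!crypto map CSPM_MAP 1 ipsec-isakmp
! set peer 10.1.1.5
! set transform-set CSPM_TS
! match address 150
!exit
!interface Ethernet0
! crypto map CSPM_MAP
!exit
"""


def extract_bootstrap(pending_text):
    """Return the bootstrap commands, ready to paste into config mode on the device."""
    lines = pending_text.splitlines()
    start = next((i for i, l in enumerate(lines) if BOOTSTRAP_HEADING in l.lower()), None)
    if start is None:
        # Per the note above: rerun Save and Update, run Consistency Check, and make
        # sure an IPSec template is selected on the Enforcement panel.
        raise ValueError("no 'IPSec bootstrap configuration' heading in Pending Commands")
    commands = []
    for raw in lines[start + 1:]:
        line = raw.strip()
        if not line.startswith("!"):
            break  # end of the commented-out bootstrap block
        body = line[1:]  # step 7: delete the leading exclamation point
        if not body.strip() or set(body.strip()) == {"-"}:
            continue  # step 10: do not paste the dashed separator lines
        commands.append(body.rstrip())
    return commands


def bootstrap_map_sequence(commands):
    """Sequence number of the crypto map entry in the bootstrap set (must be 1), or None."""
    seqs = [int(m.group(1)) for c in commands if (m := CRYPTO_MAP_SEQ.match(c.strip()))]
    return seqs[0] if len(seqs) == 1 else None


if __name__ == "__main__":
    cmds = extract_bootstrap(PENDING_COMMANDS)
    print("\n".join(cmds))
    print("bootstrap crypto map sequence:", bootstrap_map_sequence(cmds))
```

Write the returned list to the text file you carry to the console; the commands still contain the shared secret, so the file warrants the same handling as the device password.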
To manually approve the generated command set for the selected Policy Enforcement Point, perform the following task:
Step 1 Display the Network Topology tree in the Navigator pane.
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the PIX Firewall or IOS Router node for which you want to review/approve the generated command set, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to review/approve the generated command set.
Step 4 To view the Command panel, point to Properties, and click Command on the shortcut menu.
Result: The Command panel appears in the View pane.
Step 5 To review the Pending Commands command set, verify that Pending Commands is selected under Command Review/Edit.
The command set that Cisco Secure Policy Manager generated for the selected Policy Enforcement Point appears in the Commands/Messages box. Review these commands to ensure that they satisfy your organization's security policy. You can use the scroll bars to review the full set of commands.
Step 6 To approve the selected command set after you review it, click Approve Now under Command Approval.

Result: The pending command set is immediately published to the selected Policy Enforcement Point. The Status box message changes to "Processing completed."
Step 7 To accept your changes and close the Command panel, click OK. To reject your changes and close the Command panel, click Cancel.
Step 8 To save any changes that you have made, click Save on the File menu.
To verify the publishing status of the generated command set for the selected Policy Enforcement Point, perform the following task:
Step 1 Display the Network Topology tree in the Navigator pane.
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the PIX Firewall or IOS Router node whose publishing status you want to verify, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon whose publishing status you want to verify.
Step 4 To view the Command panel, point to Properties, and click Command on the shortcut menu.
Result: The Command panel appears in the View pane.
Step 5 To determine the current state of the publishing phase, refer to the message in the Status box.
The Status box displays progress messages about the publishing phase, such as attempting to connect or upload complete (no errors). If warnings or errors are generated, you can review them in the Distribution Status messages.

Step 6 To review the Distribution Status messages, select that option under Command Review/Edit.
The Distribution Status messages appear in the Commands/Message box. These messages indicate the status and errors detected when the command set that is currently loaded was published to the Policy Enforcement Point. Included in this status are the actual commands published to the Policy Enforcement Point by Cisco Secure Policy Manager and any responses provided by the Policy Enforcement Point. An example error message is "Could not connect to device. Device not responding: connection failed in 1 seconds."
Tip: To expand the Commands/Messages box when reviewing the command/message sets, click the << button at the bottom of the Command panel. To collapse the Commands/Messages box so that you can select a different command/message set, click the >> button at the bottom of the Command panel.
Step 7 To close the Command panel, click OK.
Posted: Mon Jun 5 10:44:22 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.