Representing Your Network

The layout of the Network Topology tree closely follows the logic behind the physical implementation of your network. For a basic setup, you only need to define each gateway object, such as a router, firewall, or switch, that is responsible for routing traffic across your network and identify the interfaces and networks attached to those gateway objects. You can use clouds to describe networks that reside behind gateways that are not actual Policy Enforcement Points, which are managed gateway objects. If you have a more complicated network topology, you can define additional hosts, authentication servers, and IP ranges.

When you describe the physical layout of your network, you want to define the different gateway objects on your network and the networks that are attached to those gateway objects. The Internet node is a special gateway object (a cloud) that represents the Internet to which all networks that you are defining are attached, directly or indirectly. Therefore, you should view your network from the connection to your Internet service provider (ISP) through the innermost gateway objects on your network.

Figure 2-1 depicts a simple example of when to use a cloud object. To use a cloud successfully in this example, three criteria must be satisfied:

    1. The IOS Router node is the Policy Enforcement Point that exists on this network.

    2. A single high-level policy can address the security concerns of each network depicted in the cloud.

    3. An internal gateway object exists that can be used to reach, in some way, all networks depicted in the cloud.

Figure 2-1: Example Cloud Network

Assuming these three criteria are met, we can define a single gateway address to reach all the networks within that cloud and to serve as the default gateway for those networks to reach the 172.16.1.0 network.

Figure 2-2 shows how this topology would be represented in the Network Topology tree.


Figure 2-2: Example Cloud Node in Cisco Secure Policy Manager

Checklist for Defining your Network Topology

The first task that you must perform after installing Cisco Secure Policy Manager is to define the basics of your network topology. This task involves identifying the network assets for which you want to define specific security policies, identifying the Policy Enforcement Points that enforce the security policies for these network assets, identifying the policy enablement hosts, and creating a network topology that represents these network objects in a manner that ensures that you can define and apply security policies to those network objects.

The checklist below outlines the steps required to understand the decision-making process and basic flow required to complete the definition of your Network Topology tree. Each step may contain several substeps and should be performed in the order presented. References to the specific procedures used to perform each step are listed with that step.


Table 2-1: Checklist for Defining your Network Topology

1. Identify the required network objects on your network

  • Internet Connection Points. Because Cisco Secure Policy Manager controls the flows into and out of your network, you must identify the connection points out of your network. Within Cisco Secure Policy Manager, all such connection points must be defined within the Internet node in the Network Topology tree.

  • Most Valuable Network Assets. While your entire network is considered an asset, you can define a global security policy that addresses the enablement of most network service flows that commonly occur across your network. It is only when you want to define an exception to this global security policy that you need to be concerned with defining specific network assets within your network topology tree.

  • Policy Enforcement Points. Policy Enforcement Points represent those network objects that enforce some aspect of the defined network policies. For example, an IOS Router or PIX Firewall can enforce the permitted traffic flows across your network.

  • Policy Enablement Hosts. Policy enablement hosts represent those network objects that are required to enable network policy deployment. These hosts include the Cisco Secure Policy Manager hosts, as well as other hosts such as certificate authority servers and syslog servers.

  • Reachable Networks. This list of networks identifies your internal networks that can send or receive network traffic. Many of these networks will be attached to a Policy Enforcement Point. The purpose of identifying these networks is to ensure that they are defined within Cloud nodes so that the correct routing rules can be generated for those Policy Enforcement Points that act as gateway objects.

Reference:
"Identify Key Components" section
"Worksheet for Defining your Network Topology" section

Result: You should have a completed worksheet that identifies the required network objects, their IP addresses, and the types of network servers that run on the policy enablement hosts. This worksheet is used to complete Step 2.

2. Define the outermost gateway objects

When you define your network topology, you must define it from downstream (from the Internet) to upstream (into your internal networks). The easiest method for defining gateway objects is to use the Topology Wizard. Using the Topology Wizard, you can discover the interface and device settings or specify them manually. You can access the Topology Wizard by clicking Topology Wizard on the Wizards menu.

In addition, you can manually define any gateway object. The tasks referenced by this step are the tasks that explain how to manually define a gateway object. You must define the interface settings on the Internet node before you can define any other gateway objects. If you use the Topology Wizard, the interface settings for the Internet node are defined automatically based on the configuration information that you provide.

One of the most important concepts within Cisco Secure Policy Manager is the Cloud node. A strongly suggested guideline is that unless you must define a managed gateway or a specific network on which special hosts, such as a policy enablement host, reside, you should use a Cloud node to represent all gateways and networks. You can define networks going into and out of a Cloud node, as well as networks contained within the cloud. For more information on Cloud nodes, refer to Step 5 in this checklist.

Result: The outermost networks and gateway devices are defined and the connections between those gateway devices and the Internet node, which represent connections to Internet service providers, are defined.

Reference:
"Specifying Interface Settings of the Internet Node" section
"Creating an IOS Router Node" section
"Specifying the Interface Settings for an IOS Router" section
"Creating a PIX Firewall Node" section
"Specifying the Interface Settings for a PIX Firewall" section
"Defining a Cloud Node" section
"Specifying Interface Settings for a Cloud" section
"Defining Cloud Networks" section

3. Define network assets

Network assets represent those network objects, such as specific networks and hosts, for which you want to define exceptional network policies. These network objects are the ones that you identified in Step 1, with the exception of the Cisco Secure Policy Manager hosts, which will be defined during the next step.

Result: The network assets that you identified in Step 1 are defined under the Network Topology tree.

Reference:
"Creating a Network Node" section
"Creating a Host Node" section
"Specifying a Client/Server Product is Running on a Host Node" section
"Creating an IP Range Node" section

4. Define Cisco Secure Policy Manager hosts

The Primary Server node represents one of two server types that host the client/server products for Cisco Secure Policy Manager. The Primary Server node indicates that this host is running the Primary Policy Database, where all configuration information is stored and to which all GUI clients connect to view or edit the system configuration. This node organizes those settings specific to the subsystems that store and retrieve audit event records, generate and display reports, and publish network policies to Policy Enforcement Points. These subsystems include the Primary Policy Database, Policy Monitor Point, Policy Report Point, and Policy Distribution Point.

The Secondary Server node indicates that this host is running a distributed installation feature set. Depending on what feature set you installed, this node organizes those settings specific to the subsystems that store and retrieve audit event records, generate and display reports, and publish network policies to Policy Enforcement Points. These subsystems can include the Secondary Policy Database, Policy Monitor Point, Policy Report Point, and Policy Distribution Point.

Reference:
"Creating a Host Node" section


Note You must create the nodes that represent any Cisco Secure Policy Manager servers that you have installed on your network. To create these nodes, you must first define the parent network on which these hosts reside and then create a host under that node. You will be prompted to add a host based on the Windows NT name of that computer. The special panels associated with a primary or secondary server are defined automatically when you choose to add a host of this type.

Result: All Cisco Secure Policy Manager hosts are defined within your Network Topology.

5. Define reachable networks

When you define the remainder of your network topology, you should use Cloud nodes. In fact, you should define Cloud nodes for as much of your network as possible. Clouds provide a logical grouping of networks (and thereby of the hosts residing on those networks) that are reachable through an upstream gateway.

The Cloud node is a special gateway object that attaches cloud networks to fully defined networks. To attach the two types of networks, the Cloud node identifies the IP addresses, representing default gateways, attached to those interfaces residing on the fully defined networks (which are either upstream or downstream of the cloud). The Cloud node also has a special interface type called Cloud Networks, which organizes the cloud networks. In terms of the Cloud node, cloud networks exist within the cloud. However, in reality, they exist upstream from the default gateway specified on the downstream interface of the Cloud node.

Reference:
"Defining a Cloud Node" section
"Specifying Interface Settings for a Cloud" section
"Defining Cloud Networks" section

Cloud nodes organize those settings required to identify and route to networks that reside upstream from the gateway. Clouds are unique gateway objects because they do not require at least two real interfaces, as do Policy Enforcement Points. Instead, the Cloud node has at least one real interface (the downstream interface) and exactly one Cloud Networks interface (an upstream interface). When you specify an IP address associated with a non-cloud interface, you are specifying the default gateway through which the cloud networks organized under the Cloud Networks interface (and therefore, within the cloud) can be reached.

Result: All internal networks that are reachable from other network objects within your network are defined within one or more Cloud nodes.
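The following is an added illustration (not part of the original page and not Cisco Secure Policy Manager code) of the cloud rules described in Figure 2-1 and in Step 5: a Cloud node has one real downstream interface whose default gateway address must lie on a fully defined network attached to a Policy Enforcement Point, its cloud networks lie upstream of that gateway, and the Policy Enforcement Point needs a route to each cloud network via that gateway. The topology values other than the 172.16.1.0 network are constructed, and the IOS `ip route` lines show the idea of generated routing rules, not the product's actual output.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

@dataclass
class Interface:
    name: str
    address: IPv4Address
    network: IPv4Network          # the fully defined network attached to this interface

@dataclass
class Gateway:                    # a Policy Enforcement Point, e.g. an IOS Router
    name: str
    interfaces: List[Interface]

@dataclass
class Cloud:
    name: str
    default_gateway: IPv4Address  # address on the cloud's real (downstream) interface
    networks: List[IPv4Network]   # networks organized under the Cloud Networks interface

def downstream_interface(pep: Gateway, cloud: Cloud) -> Optional[Interface]:
    """Interface of the PEP whose attached network contains the cloud's default gateway."""
    return next((i for i in pep.interfaces if cloud.default_gateway in i.network), None)

def cloud_routes(pep: Gateway, cloud: Cloud) -> List[str]:
    """Check the cloud against the PEP and return the static routes the PEP needs to reach it."""
    intf = downstream_interface(pep, cloud)
    if intf is None:
        raise ValueError(f"{cloud.name}: gateway {cloud.default_gateway} is not on a network attached to {pep.name}")
    for net in cloud.networks:
        # Cloud networks exist upstream of the default gateway, so they may neither contain
        # the gateway nor overlap a network directly attached to the PEP.
        if cloud.default_gateway in net or any(net.overlaps(i.network) for i in pep.interfaces):
            raise ValueError(f"{cloud.name}: {net} must lie upstream of the default gateway")
    # IOS static route syntax: ip route <network> <mask> <next hop>
    return [f"ip route {n.network_address} {n.netmask} {cloud.default_gateway}" for n in cloud.networks]

# Constructed sample topology; only the 172.16.1.0 network comes from Figure 2-1.
ROUTER = Gateway("IOS Router", [
    Interface("Ethernet0", IPv4Address("172.16.1.1"), IPv4Network("172.16.1.0/24")),
    Interface("Serial0", IPv4Address("198.51.100.2"), IPv4Network("198.51.100.0/30")),
])
CLOUD = Cloud("Branch cloud", IPv4Address("172.16.1.2"),
              [IPv4Network("10.1.0.0/24"), IPv4Network("10.2.0.0/24")])

if __name__ == "__main__":
    print("\n".join(cloud_routes(ROUTER, CLOUD)))
```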

Identify Key Components

Before Cisco Secure Policy Manager can actually generate and publish, or distribute, network policies to the Policy Enforcement Points that you want the system to help you administer, you must identify all the Policy Enforcement Points and other hosts and servers that enable policy enforcement. The following list identifies the different network objects that you must define, assuming that they are part of your network infrastructure.


Note The level of support that Cisco Secure Policy Manager provides for Policy Enforcement Points depends on the product type and the version of software that is running on the Policy Enforcement Point. In other words, not all products are supported in the same way. For example, Cisco Secure Policy Manager actually specifies the interface names and types for the interfaces installed in PIX Firewalls. However, for IOS Routers, this support is provided by other management applications. Cisco Secure Policy Manager requires these settings to be specified only to ensure that it generates the correct commands, not because it generates and publishes the commands that name and specify the type of interfaces installed in an IOS Router.


Tips You do not have to define all the Policy Enforcement Points that exist on your network manually, which can be a tedious task. Instead, if you have installed Cisco Secure Policy Manager on your production network, you can use the Topology Wizard to discover the device settings for any particular Policy Enforcement Point.

The primary reason that Cisco Secure Policy Manager must know of these servers is to ensure that the appropriate Policy Enforcement Points permit the required Policy Distribution Point-to-Policy Enforcement Point traffic to pass, which is required to publish the device-specific command sets. In addition, the Cisco Secure Policy Manager system must know how to communicate with the various hosts that compose the system in distributed installation types. After you associate a Policy Enforcement Point with a Cisco Secure Policy Manager server in the Network Topology tree, Cisco Secure Policy Manager automatically generates and applies the correct security policies that guarantee correct flows of this traffic. These security policies and servers are also automatically populated and applied under the Cisco System Folder in the Security Policy Enforcement branch.

The primary reason that you must specify these hosts in the Network Topology tree is to ensure that Cisco Secure Policy Manager can generate the commands that ensure the appropriate Policy Enforcement Points permit the required Policy Enforcement Point-to-certificate authority server traffic to pass. After you associate a Policy Enforcement Point with a certificate authority server in the Network Topology tree, Cisco Secure Policy Manager generates the correct security policies that enable this traffic to flow correctly. These security policies and servers are also automatically populated and applied under the Cisco System Folder in the Security Policy Enforcement branch.

Worksheet for Defining your Network Topology

This worksheet identifies network objects and information that you must identify and define in the Network Topology tree.


Table 2-2: Worksheet for Defining your Network Topology

Network Object Type: Required Information
ISP Connections: IP address used by your outermost gateways to reach the ISP connections
Valuable Network Assets: asset name; IP address or network address; associated network mask (if the asset is a network)
Policy Enforcement Points: IP address per interface; associated network address; associated network mask
Policy Enablement Hosts: hostname; IP address; client/server product type
Reachable Networks: network name; network address; default gateway address for the network


Posted: Mon Jun 5 10:49:02 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.