Working With Security Policies

Security policies are the means by which you configure your Policy Enforcement Points to permit or deny network traffic. In Cisco Secure Policy Manager, security policies take the form of graphical decision trees contained within a security policy abstract. The security policy abstract is then applied to network objects in the Security Policy Enforcement branch of the Network Policy tree.

Successfully building and applying security policies is a complex task. It requires careful planning, a thorough understanding of the policy development and deployment process, an understanding of what security policies can and cannot control, and a thorough understanding of how the security policies are evaluated. Only by understanding these concepts, and how they are interrelated, can you build effective, scalable security policies.

Checklist for Creating and Enforcing Policy

The following checklist provides an overview of the policy development and deployment process. Before you begin to develop your security policies within Cisco Secure Policy Manager, you should become familiar with these steps and the various options for performing them.

Each step, described in the Step column, may contain several sub-steps and should be performed in the order presented. References to the specific procedures used to perform each step appear in the Reference column.


Table 6-1: Security Policy Definition Checklist
Step Reference

1. Populate the Network Topology Tree (prerequisite)

Before you can begin to build security policies in Cisco Secure Policy Manager, you must populate your Network Topology tree. The Network Topology tree performs three main functions in the construction and deployment of security policies. First of all, it provides source and destination objects within the security policies. Secondly, it provides the objects used to populate the Security Policy Enforcement branch (where security policies are applied to network objects). Finally, it provides the topology and routing information for the device-specific command sets generated by the system.

"Representing Your Network"

2. Populate the Security Policy Enforcement Branch

The Security Policy Enforcement branch is where the security policies are applied to network objects. It is a good idea to populate the Security Policy Enforcement branch before you begin to build security policies. The way you populate your Security Policy Enforcement branch determines how your security policies are structured and inherited. Also, you will be better able to visually identify the policies that are required to meet your business objectives, as well as identify the policy constructors and decisions you will need to make to build the security policies.

"Adding a Network Object to the Security Policy Enforcement Branch" section

"Creating a Security Policy Enforcement Folder" section

3. Develop Policy Components

Before you begin to develop your policies, you should plan and develop the components of those policies. These components include the following:

  • Network Protocols. While network protocol settings do not directly affect the creation of security policy, they are used in the development of another policy component, network services.

"Changing Default Protocol Settings" section

"Defining a Network Service" section

"Creating a Network Service Bundle" section

"Creating a Network Object Group" section

  • Network Services. You should determine what services you are going to regulate (permit or deny) on your network. The default stance of Cisco Secure Policy Manager is to deny anything that is not expressly permitted, so you will need to define the services that you want to permit across your Policy Enforcement Points. Cisco Secure Policy Manager comes with many common network services pre-defined, and the ability to define any custom services that you may need.

  • Network Service Bundles. Network service bundles are logical collections of network services that can be used, as a whole, as the service being referenced by the security policy. They provide a shortcut method for referencing a group of common services (such as web and mail services) without having to create complex decision trees. Before building your security policies, you should determine if you will have common groups of services that you will be permitting for destinations, groups of destinations, sources, or groups of sources. You can be fairly liberal with the services you include in network service bundles, because policy evaluation and inheritance enable you to create specific exceptions for more permissive policies that apply to a higher level group (for example, denying Telnet sessions to a particular host that is part of a group of hosts with a policy that permits Telnet sessions).

  • Network Object Groups. Network object groups are logical collections of network objects from your network topology that can be used, as a whole, as the source or destination of network services in a security policy. You should group common network objects, such as web servers, that may be scattered throughout your network topology in network object groups to facilitate referencing them in common security policies.

  • Policy Domains. Policy domains are logical collections of perimeters that can be used as the source or destination of network services in a security policy. You can also place policy domains in the Security Policy Enforcement branch of the Network Policy tree and apply policies to them.

Creating a Policy Domain

Moving a Perimeter Between Policy Domains

"Creating a New IPSec Tunnel Template" section

"Creating an IPSec Tunnel Group" section

  • Tunnel Templates. Tunnel templates are the basis for tunnel groups. The templates define the type of encryption used for the tunnel, as well as the usage of keys, certificates, or shared secrets. If you are going to set up and use IPSec tunnels, you will need to define your tunnel templates before building the tunnel groups.

  • Tunnel Groups. Tunnel groups define tunnel endpoints and configuration (spoke-and-hub or mesh). Before creating a tunnel group, you must first have defined your tunnel templates.

4. Develop Security Policy Abstracts

After you have formulated your overall security strategy, built your network topology, populated your Security Policy Enforcement branch, and created the necessary policy constructors, you then construct the actual policies that will be applied to objects in your Security Policy Enforcement branch. You create and manage your policies on the Security Policy Abstracts branch of the Tools and Services tree and use Policy Builder to develop and modify the contents of each security policy.  

"Creating a Security Policy Abstract" section

"Adding a Node to the Decision Tree" section

"Changing the Node Type" section

 5. Assign Policy

After creating and populating your security policies, you use the Policy Enforcement tool to assign your policies to objects in the Security Policy Enforcement branch.  

"Applying Security Policies to Network Objects" section

6. Generate and Publish the Command Sets

The final step in the policy development and deployment process is the generation of device-specific command sets and publication of those command sets to the Policy Enforcement Points. You generate the command sets from the Command Console panel. After generating the command sets, you have the opportunity to review each Policy Enforcement Point's device-specific command set. You can also define commands, either as a prologue or epilogue command set, that are not automatically derived by Cisco Secure Policy Manager and import and export your custom commands sets to ease administration of like Policy Enforcement Points.  

"Command Generation, Verification, and Publication Checklist" section

Adding a Network Object to the Security Policy Enforcement Branch

Before you can enforce a security policy on a network object, policy domain, perimeter, or network object group, you must add that object to the Security Policy Enforcement branch of the Network Policy tree. Where you place the object in the Security Policy Enforcement branch does affect which security policies apply to it (policy inheritance).

To add a network object to the Security Policy Enforcement branch, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To add a network object to the Security Policy Enforcement branch, click the object in the Network Topology tree, the Network Objects Group branch, or the Policy Domains branch, and, while holding down the mouse button, drag the object over the node in the Security Policy Enforcement branch under which you want to place the network object and then release the mouse button.

Result: The object appears in the Security Policy Enforcement branch underneath the parent node on which you dropped the object. Also, an empty scroll icon appears beside the new network object node.

Step 3 To save any changes that you have made, click Save on the File menu.


Note When you make a change to a network object in the Network Topology tree, such as renaming it, that change automatically propagates up to the representation of that object in the Security Policy Enforcement branch.


 

Creating a Security Policy Enforcement Folder

You can create any number of security policy enforcement folders, which you can use to organize and sort network objects into logical groups to which you can apply a single, consistent security policy (by applying that policy to a folder). You can also define folders within folders to further organize network objects. These logical groupings help you to take advantage of policy inheritance, which enables you to define exceptions at lower level objects while maintaining a consistent security policy at higher level objects (such as a folder).
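The following Python model is an added illustration of the inheritance behaviour described above and in the Network Service Bundles discussion of the checklist (a liberal bundle permitted at a folder, with a Telnet exception on one host beneath it). It is not Cisco Secure Policy Manager code; the node and rule classes, the bottom-up evaluation order and the sample object names are assumptions chosen to match the described behaviour: a policy applied to a folder is inherited by everything beneath it, a more specific object can carry an exception, and anything not expressly permitted is denied.

```python
"""Hierarchical policy evaluation with inheritance and a default-deny stance.

Added illustration, not Cisco Secure Policy Manager code. The node class,
rule shape and bottom-up evaluation order are assumptions chosen to match
the behaviour described in the text: a policy applied to a folder is
inherited by every object beneath it, a more specific object can carry an
exception, and anything not expressly permitted is denied.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    services: frozenset     # service names this rule covers (a "bundle")


@dataclass
class Node:
    """An entry in the Security Policy Enforcement branch (folder or object)."""
    name: str
    rules: list = field(default_factory=list)
    children: dict = field(default_factory=dict)
    parent: Optional["Node"] = None

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child


def lineage(node: Node):
    """Yield the node, then its parent, and so on up to the root."""
    while node is not None:
        yield node
        node = node.parent


def evaluate(node: Node, service: str):
    """Most specific rule wins: walk from the object up to the root and
    return the first rule that mentions the service. If no rule anywhere
    in the lineage mentions it, apply the default stance: deny."""
    for n in lineage(node):
        for rule in n.rules:
            if service in rule.services:
                return rule.action, n.name
    return "deny", "<default>"


def effective_permits(node: Node, universe) -> set:
    """Audit helper: every service the object is actually reachable on,
    once inherited permits and local exceptions are combined."""
    return {s for s in universe if evaluate(node, s)[0] == "permit"}


# Constructed sample hierarchy (assumed names). A folder of DMZ servers is
# permitted a liberal bundle; one host inside it must not accept Telnet.
WEB_MAIL_BUNDLE = frozenset({"http", "https", "smtp", "telnet"})

root = Node("Security Policy Enforcement")
dmz = root.add(Node("DMZ Servers", rules=[Rule("permit", WEB_MAIL_BUNDLE)]))
www1 = dmz.add(Node("www1"))
mail1 = dmz.add(Node("mail1", rules=[Rule("deny", frozenset({"telnet"}))]))

if __name__ == "__main__":
    for host in (www1, mail1):
        for svc in ("telnet", "smtp", "ssh"):
            print(f"{host.name:6} {svc:7} -> {evaluate(host, svc)}")
    print("mail1 effective:",
          sorted(effective_permits(mail1, WEB_MAIL_BUNDLE | {"ssh"})))
```

The effective_permits helper is the check worth running before publishing: it shows what a liberal folder-level bundle actually exposes on each object after exceptions are applied, which is easier to review than the tree itself.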

To create a security policy enforcement folder, perform the following task:


Step 1 To view the Network Policy tree alone, click Network Policy on the Navigator toolbar.

Result: The Network Policy tree appears in the Navigator pane.

Step 2 To find the network object or folder under which you want to define a new folder, expand the Network Policy tree and the Security Policy Enforcement branch until you view the desired network object in the Navigator pane.


Note You can also define a folder just below the Security Policy Enforcement branch. If this location is where you want to define the folder, continue with Step 3.

Step 3 To access the shortcut menu, right-click the icon under which you want to define a new folder.

Step 4 To create a new folder, point to New and then click Security Policy Folder on the shortcut menu.

Result: A new node named "Security Policy Folder #" appears under the selected node.

Step 5 To name the folder, type the new name in the selected box and press Enter.

Result: The new name appears in the Name box of the selected node. 

The name of the folder may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).


Tips If you cannot edit the name, right-click the new Security Policy Folder node, and click Rename on the shortcut menu.

Step 6 To save any changes that you have made, click Save on the File menu.


 

Changing Default Protocol Settings

Most network protocol definitions contain default settings, some of which you can modify in the protocol definition's property panel. If you change a setting in the property panel, the new value becomes the default value shown when creating a new network service based on that protocol.


Note Although Policy Enforcement Points use instance settings defined for the network service, such as the implicitly or explicitly defined TCP or UDP port number for a particular network service, they cannot enforce session-based settings, such as the Idle Timeout value. Two exceptions exist to this session-based setting rule (the Policy Enforcement Point will interpret these settings correctly):

ICMP: Type and Code settings

RPC: Program Number setting

With regard to timeout settings, the Policy Enforcement Points implement timeout values as global timeouts that are enforced across all sessions of a specific type. To specify these global timeout settings, see the Settings 1 panel on each Policy Enforcement Point node in the Network Topology tree for which you want to enforce such settings.

To change a default protocol setting, perform the following task:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 To find the protocol that you want to modify, expand the Tools and Services tree and the Protocol Definitions branch, and the branch representing the layer at which the protocol functions (Application, Transport, or Network).

Step 3 To access the panel for the protocol that you want to modify, click the protocol icon in the Navigator pane.

Result: The panel for the protocol appears in the View pane.



Tips If the panel for the protocol does not appear in the View pane, right-click the protocol icon in the Navigator pane and click Properties on the context menu.

Step 4 To change a setting, double-click the existing value in any box and then type the new value or, if a list of values is provided, select the value from the list of values.

Result: The new value is applied to the protocol definition.

Step 5 To accept any changes that you make and close the panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.

Result: If you accepted the changes, all subsequent network services that you create referencing this protocol will show the values you entered as the default values (but, you can make changes to the settings within the service without affecting the default setting you specified). Pre-existing network services, though, will remain unaffected.


 

Defining a Network Service

You define network services with the Network Service Installation Wizard. 


Note Before defining a network service, you should check the Network Services Library to see if the required service has been pre-defined in Cisco Secure Policy Manager. Cisco Secure Policy Manager has many more network services defined than are shown in the Network Services branch. These services are stored in the Network Services Library and can be added to the Network Services branch as needed. 

To define a network service, perform the following task:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 To access the Network Service Installation Wizard, expand the Tools and Services tree and right-click the Network Services icon in the Navigator pane, point to New, and click Service Wizard.

Result: The first panel of the Network Service Installation Wizard appears.


Step 3 To name the network service, type the desired name in the Service Name box.

Result: The name is applied to the new network service.

You cannot use the same name for two network services. If you attempt to do so, you will receive an error message and will not be allowed to proceed to the next panel until you submit a unique name. Cisco Secure Policy Manager enables long names and the use of most alphanumeric or symbol characters. Also, you can use both uppercase and lowercase characters. However, you cannot use quotation marks (") or a semicolon (;).

Step 4 To specify the highest-level protocol layer (application, transport, or network), select a protocol layer in the list. To continue, click Next.

Result: The Select Next Protocol panel appears, from which you can select the corresponding network protocol for that layer.

Step 5 To specify the network protocol for that layer, select one in the list of supported protocols. To continue, click Next.

Result: The Protocol Settings panel for the selected protocol appears.

Step 6 To change the settings for this protocol layer (if you want them to be different from the default values), specify the new settings in the Protocol Settings panel. To continue, click Next.

You can either accept the default session settings for the protocol, or you can alter one or more settings, which affects only the network service that you are creating.

Step 7 Repeat Steps 5 and 6 for each remaining layer until you have defined a protocol for every requisite layer of the network service (which layers are required depends on the protocol layer you selected in Step 4).

Result: After you have defined all layers, the Finish Network Service Wizard panel appears.

Step 8 To finish creating the new network service, click Finish.

Result: The Network Service Installation Wizard closes, and the new network service appears under the Network Services branch.

Step 9 To save any changes that you have made, click Save on the File menu.
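The Python model below is an added example, not Cisco Secure Policy Manager code, covering both the "Changing Default Protocol Settings" behaviour (a changed default reaches only services created afterwards; a per-service override affects that service alone) and the layer rule of this wizard (one protocol for each layer from the highest selected layer down to the network layer), together with the name rules and the note that only some per-service settings are enforced by a Policy Enforcement Point. The layer names, setting names, defaults and the snapshot-on-create rule are assumptions chosen to match the described behaviour.

```python
"""Protocol definitions, their defaults, and the network services built on them.

Added example, not Cisco Secure Policy Manager code. The layer names,
setting names and the "snapshot on create" rule are assumptions chosen to
match the behaviour the text describes: a change to a protocol's defaults
applies to services created afterwards, existing services are unaffected,
a service may override a default for itself only, names must be unique and
contain no quotation mark or semicolon, and a service must define one
protocol for each layer from its highest layer down to the network layer.
The enforceability split follows the note under "Changing Default Protocol
Settings": per-service port, ICMP type/code and RPC program number are
enforced; session settings such as idle timeout are not.
"""
import copy

LAYERS = ("application", "transport", "network")

# (protocol, setting) pairs a Policy Enforcement Point honours per service.
ENFORCEABLE = {("TCP", "port"), ("UDP", "port"),
               ("ICMP", "type"), ("ICMP", "code"),
               ("RPC", "program_number")}


class ProtocolDefinition:
    def __init__(self, name, layer, defaults):
        if layer not in LAYERS:
            raise ValueError(f"unknown layer {layer!r}")
        self.name, self.layer = name, layer
        self.defaults = dict(defaults)   # editable: new defaults for future services


class NetworkService:
    registry = {}   # the Network Services branch: name -> service

    def __init__(self, name, stack, overrides=None):
        if any(ch in name for ch in '";'):
            raise ValueError('name may not contain " or ;')
        if name in NetworkService.registry:
            raise ValueError(f"service name {name!r} already in use")
        layers = [p.layer for p in stack]
        start = LAYERS.index(layers[0])
        if layers != list(LAYERS[start:]):
            raise ValueError(f"stack must cover layers {LAYERS[start:]}, got {tuple(layers)}")
        # Snapshot each protocol's defaults now; later edits do not reach us.
        self.name = name
        self.settings = {p.name: copy.deepcopy(p.defaults) for p in stack}
        for proto, values in (overrides or {}).items():
            self.settings[proto].update(values)   # instance-only override
        NetworkService.registry[name] = self

    def enforceable_settings(self):
        """What actually reaches the device: only instance settings a PEP can
        act on. Anything else (idle timeout etc.) is governed by the PEP's
        global settings, not by this service."""
        return {(proto, key): val
                for proto, kv in self.settings.items()
                for key, val in kv.items()
                if (proto, key) in ENFORCEABLE}


# Constructed protocol definitions (assumed defaults).
IP = ProtocolDefinition("IP", "network", {})
TCP = ProtocolDefinition("TCP", "transport", {"port": 0, "idle_timeout": 3600})
HTTP = ProtocolDefinition("HTTP", "application", {})


def build_demo():
    """Create a service, change a protocol default, create another service."""
    NetworkService.registry.clear()
    TCP.defaults["idle_timeout"] = 3600
    web = NetworkService("Web", [HTTP, TCP, IP], overrides={"TCP": {"port": 80}})
    TCP.defaults["idle_timeout"] = 600      # change the default afterwards
    alt = NetworkService("Web-Alt", [HTTP, TCP, IP], overrides={"TCP": {"port": 8080}})
    return web, alt


if __name__ == "__main__":
    web, alt = build_demo()
    print(web.name, web.settings, web.enforceable_settings())
    print(alt.name, alt.settings, alt.enforceable_settings())
```

The enforceable_settings output is the part to compare against the generated command set: an idle timeout typed into a service definition never reaches the device as a per-service value, so the Settings 1 panel of the Policy Enforcement Point is where that value must be set.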


 

Creating a Network Service Bundle

The following procedure will assist you in creating a network service bundle. You can store network service bundles within appropriately named folders for easier reference.

To create a network service bundle, perform the following task:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 Expand the Tools and Services tree and the Network Service Bundles branch.

Step 3 To create the network service bundle, right-click the Network Service Bundles branch icon in the Navigator pane, point to New, and click Network Service Bundle on the shortcut menu.

Result: A new icon representing the network service bundle appears in the Navigator pane with the name selected for editing. The network service bundle's property panel appears in the View pane.



Note You do not need to create a new network service bundle directly under the Network Service Bundles branch, but can instead right-click a folder icon (the folder in which you want to store the new network service bundle) under the branch to create the network service bundle inside the folder.

Step 4 To name the bundle, type the name in the selected Name box, and then press Enter.

Result: The new name is applied to the new bundle.

Cisco Secure Policy Manager enables long names and the use of most alphanumeric or symbol characters. Also, you can use both uppercase and lowercase characters. However, you cannot use quotation marks (") or a semicolon(;).


Tips If you cannot edit the name, right-click the new network service bundle node, and click Rename on the shortcut menu.

Step 5 To add a network service to the bundle, select the network service in the Available network services box, and then click Add.

Result: The network service name moves to the Included network services box. Repeat this procedure until you have added all desired network services to the network service bundle.


Note You cannot select multiple services in the Available network services box; you must add each service individually.

Step 6 To remove a network service, select it in the Included network services box, and then click Remove.

Result: The network service name no longer appears in the Included network services box. Repeat this procedure until you have removed all unwanted network services from the network service bundle.


Note You cannot select multiple services in the Included network services box; you must remove each service individually.

Step 7 To accept your changes and close the panel, click OK.

Step 8 To save any changes that you have made, click Save on the File menu.


 

Creating a Network Object Group

Follow the procedures below to create a network object group. You can store network object groups directly under the Network Object Groups branch or within appropriately named folders for easier reference.

To create a network object group, perform the following steps:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 Expand the Tools and Services tree and the Network Object Groups branch.

Step 3 To create the network object group, right-click the Network Object Groups branch icon in the Navigator pane, point to New, and click Network Object Group on the shortcut menu.

Result: A new icon representing the network object group appears in the Navigator pane. The Name box of the new network object group is active. The property panel for the network object group appears in the View pane.



Note You do not need to create a network object group directly in the branch, but can instead right-click the folder icon of a network object group folder to create the group directly in the folder.

Step 4 To name the network object group, type the name in the selected Name box, and then press Enter.

Result: The new name is applied to the new network object group.

Cisco Secure Policy Manager enables long names and the use of most alphanumeric or symbol characters. Also, you can use both uppercase and lowercase characters. However, you cannot use quotation marks (") or a semicolon (;).


Tips If you cannot edit the name, right-click the new network object group icon and click Rename on the shortcut menu.

Step 5 To add a network object to the network object group, expand the Network Topology tree that appears in the Available Network Objects box, select the network object, and then click Add.

Result: The network object name appears in the Included Network Objects box. Repeat this procedure until you have added all desired network objects to the new network object group.


Note You cannot select multiple objects in the Available Network Objects box. You must select and add each needed object individually.

Step 6 To remove a network object from the network object group, select it in the Included Network Objects box, and then click Delete.

Result: The network object name no longer appears in the Included Network Objects box.


Note You cannot select multiple objects in the Included Network Objects box. You must select and remove each unwanted object individually.

Step 7 To accept your changes and close the property panel, click OK.

Step 8 To save any changes that you have made, click Save on the File menu.


 

Creating a Policy Domain

You can create policy domains on the Policy Domains branch of the Tools and Services tree in which to organize your perimeters.

To create a policy domain, perform the following task:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 Expand the Tools and Services tree and right-click the Policy Domains branch, point to New on the shortcut menu, and then click Policy Domain.

Result: A new node representing the new policy domain appears under the Policy Domains branch. The default name of the policy domain is automatically selected for renaming.

Step 3 Type the new name in the selected box, and then press Enter.

Result: The new name appears in the Name box of the selected policy domain node.

Cisco Secure Policy Manager enables long names and the use of most alphanumeric or symbol characters. Also, you can use both uppercase and lowercase characters. However, you cannot use quotation marks (") or a semicolon (;).


Tips If you cannot edit the name, right-click the new Policy Domain node, and click Rename on the shortcut menu.

Step 4 To save any changes you have made, click Save on the File menu.


 

Moving a Perimeter Between Policy Domains

When a perimeter is first created in the Network Topology tree, a node that represents that perimeter is automatically added to the Unassigned policy domain in the Policy Domains branch of the Tools and Services tree. You can move that perimeter, or any other perimeter contained in a policy domain, to another policy domain on the Policy Domains branch. However, you cannot move a perimeter to the Policy Domains branch itself.

To move a perimeter between policy domains, perform the following task:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 Expand the Tools and Services tree, the Policy Domains branch, and the policy domain that contains the perimeter.

Step 3 Drag the icon of the perimeter you want to move and drop it on the destination policy domain.

Result: The perimeter is moved to the designated policy domain.

If the policy domain that originally contained the perimeter is referenced in a policy, the perimeter will no longer be referenced in the policy and the appropriate commands will be removed when the command sets are next generated.

If the policy domain that now contains the perimeter is referenced in a policy, the perimeter will be included in the policy and the appropriate commands created when the command sets are next generated.

Step 4 To save any changes you have made, click Save on the File menu.


Creating a New IPSec Tunnel Template

Follow the procedures below to create an IPSec Tunnel Template. You can create both IKE and manual IPSec Tunnel Templates.

To create an IPSec Tunnel Template, perform the following task:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 To find the IPSec Tunnel Templates branch, expand the Tools and Services tree. If you are going to create the tunnel template in a folder under the IPSec Tunnel Templates branch, expand the branch and subfolders as well.

Step 3 To access the shortcut menu, right-click the IPSec Tunnel Templates branch icon or the icon of the folder in which you want to create the new tunnel template.

Step 4 To create the IPSec Tunnel Template, point to New, and then to IPSec Tunnel Template, and then click Manual Tunnel Template or IKE Tunnel Template, depending upon the type of template you need to create.

Result: A new node representing the IPSec Tunnel Template appears under the IPSec Tunnel Templates branch (or folder on the branch) in the Navigator pane, and the General and Protocol panels for the template appear in the View pane. The default name of the template is automatically selected for renaming.

Step 5 To name the IPSec Tunnel Template, type the new name in the Name box, and then press Enter.

Result: The name appears beside the new node in the Navigator pane.


Tips If you cannot edit the name, right-click the new IPSec Tunnel Template icon and click Rename on the shortcut menu.

Step 6 To learn how to configure the tunnel template by setting the security methods and protocols, refer to the following topics.

Step 7 To save your changes and close both the General and Protocol panels, click OK.

Step 8 To save any changes that you have made, click Save on the File menu or toolbar.


 

Modifying IKE Settings

The General panel contains user-configurable settings only for IKE tunnel templates. These settings define the IKE key negotiation between tunnel peers.


For manual tunnel templates, the IKE settings are not displayed in the General panel; only the template name and type are displayed.

You might modify the General panel for an IKE IPSec Tunnel Template to increase or decrease the authentication or encryption strength of an IKE negotiation. Increasing the authentication or encryption strength results in stronger security, yet slower performance, for the IKE negotiation. Decreasing the authentication or encryption strength results in a faster performance, yet a higher security risk.

To modify the General panel settings, perform the following task:


Note This task is performed from the General panel of the selected IPSec Tunnel Template. If the General panel does not appear in the View pane, right-click the icon of the tunnel template to be modified, select Properties from the shortcut menu, and then click General.


Step 1 To change the hash algorithm for integrity, click one of the values in the Hash Algorithm list under IKE Tunnel Options.

Result: The hash algorithm is set for SHA for strong authentication or MD5 for basic authentication.

Step 2 To change the key exchange algorithm, click one of the values in the Diffie-Hellman group ID list under IKE Tunnel Options.

Result: The key exchange is set to Diffie-Hellman group 1 (768-bit modulus) for basic key strength or Diffie-Hellman group 2 (1024-bit modulus) for stronger key strength.

Step 3 To change the authentication method, click one of the values in the IKE Tunnel Options list.

Result: The authentication method is set for Certificate (RSA Encryption) for strong authentication, Certificate (RSA Signature) for basic authentication, or Shared Secret for basic authentication.

Step 4 To change the encryption algorithm, click one of the values in the Encryption Algorithm list.

Result: The encryption algorithm is set to either DES for basic encryption or triple DES for strong encryption.

Step 5 To specify the time after which the IKE session is renegotiated, type the value in hh:mm notation in the Renegotiate IKE after box. If you do not want to restrict the length of an IKE session, disable this timeout by specifying zero (0) as the value.

Step 6 To save your changes and close the General panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Modifying the Protocol Settings

You can modify the IPSec protocol and algorithms used during the IPSec session in the IPSec Tunnel Template's Protocol panel.


For a manual tunnel, you can select only one AH protocol and associated algorithm and one ESP protocol and associated algorithms for the tunnel template. For an IKE tunnel, you can create up to three proposals that each contain AH and ESP protocols. When you specify more than one proposal, the first proposal in the list is negotiated first. If the receiving tunnel endpoint cannot support the protocols in the first proposal, the second proposal is attempted, and so on down the list. If the two tunnel endpoints cannot negotiate a set of compatible protocols, the IPSec session is dropped.
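The following Python model is an added example of the ordered-proposal negotiation just described; it is not Cisco Secure Policy Manager code, and the transform and proposal representations, the peers' capability sets and the sample algorithm names are assumptions. The behaviour follows the text: proposals are tried in list order, the first one the peer fully supports is used, and the session is dropped when none is acceptable. The weak-algorithm check is a practitioner's addition reflecting current IPsec guidance (RFC 8221 rates DES and HMAC-MD5 as MUST NOT, and 3DES as SHOULD NOT), not something the page states.

```python
"""Ordered-proposal negotiation for an IKE tunnel template.

Added example, not Cisco Secure Policy Manager code. The transform and
proposal representations and the peers' capability sets are assumptions;
the behaviour follows the text: proposals are tried in list order, the
first one the peer fully supports is used, and the session is dropped
when none is acceptable. The weak-algorithm check reflects current IPsec
guidance (RFC 8221 lists DES and HMAC-MD5 as MUST NOT), not the page.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Transform:
    protocol: str   # "AH" or "ESP"
    algorithm: str  # e.g. "HMAC-SHA1", "3DES", "DES", "HMAC-MD5"


Proposal = Tuple[Transform, ...]

# Algorithms no longer acceptable for IPsec (RFC 8221 MUST NOT). 3DES is
# the strongest cipher the template offers but is itself SHOULD NOT today.
WEAK_ALGORITHMS = frozenset({"DES", "HMAC-MD5"})


def negotiate(initiator: Sequence[Proposal],
              responder_supported) -> Optional[Tuple[int, Proposal]]:
    """Return (index, proposal) for the first proposal whose every transform
    the responder supports, or None when the endpoints cannot agree."""
    for i, proposal in enumerate(initiator):
        if all(t in responder_supported for t in proposal):
            return i, proposal
    return None


def weak_proposals(proposals: Sequence[Proposal]):
    """Indexes of proposals that would let the tunnel run on a weak
    algorithm. A lower-priority fallback is still negotiable, so listing
    a weak transform anywhere makes it the effective security floor."""
    return [i for i, p in enumerate(proposals)
            if any(t.algorithm in WEAK_ALGORITHMS for t in p)]


# Constructed template: strong proposal first, weaker fallback second.
STRONG = (Transform("ESP", "3DES"), Transform("AH", "HMAC-SHA1"))
LEGACY = (Transform("ESP", "DES"), Transform("AH", "HMAC-MD5"))
TEMPLATE = [STRONG, LEGACY]

# Constructed peers with different capability sets.
MODERN_PEER = frozenset(STRONG) | frozenset(LEGACY)
LEGACY_PEER = frozenset(LEGACY)
INCOMPATIBLE_PEER = frozenset({Transform("ESP", "AES-256")})

if __name__ == "__main__":
    for name, peer in (("modern", MODERN_PEER), ("legacy", LEGACY_PEER),
                       ("incompatible", INCOMPATIBLE_PEER)):
        print(name, "->", negotiate(TEMPLATE, peer) or "dropped")
    print("weak fallback at index", weak_proposals(TEMPLATE))
```

The legacy peer case is the one to watch: a second or third proposal added "for compatibility" is exactly what a less capable peer will settle on, so do not list a transform in any proposal unless you are willing to run the tunnel on it.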

You might modify the Protocol panel for an IKE IPSec Tunnel Template to increase or decrease the authentication or encryption strength of the IPSec session that IKE negotiates. Stronger algorithms result in stronger security, yet slower performance; weaker algorithms result in faster performance, yet a higher security risk.

To modify the Protocol panel settings, perform the following task:


Note This task is performed from the Protocol panel of the selected IPSec Tunnel Template. If the Protocol panel does not appear in the View pane, right-click the icon of the tunnel template to be modified, select Properties from the shortcut menu, and then click Protocol.


Step 1 To add a security protocol and algorithm to a proposal, click the proposal to which you want to add the protocol in the IKE Negotiable Protocols or Manual Protocol box (depending upon the type of tunnel template being modified). Then, click a protocol in the Available Protocols list and click Add to insert the security protocol into the selected proposal.


Note Before you add a security protocol to a manual IPSec Tunnel Template proposal, you may have to remove the pre-populated security protocol from the current proposal, and then add the security protocol you prefer. To remove a security protocol from the current proposal, select one protocol from the IKE Negotiable Protocols or Manual Protocol box, and then click Remove.

Result: The security protocol is added to the proposal.

Step 2 To add additional proposals for IKE negotiation, click New Proposal in the Protocol panel of an IKE IPSec Tunnel Template. To remove a proposal, click the proposal to be removed, and then click Remove.


Note The option of adding an additional proposal is not available for the Manual Protocol box in the Protocol panel of manual IPSec Tunnel Templates. For manual IPSec Tunnel Templates, only one proposal can be specified because no IKE renegotiations occur.

Result: The additional proposal appears in the IKE Negotiable Protocols box in the Protocol panel of the IKE IPSec Tunnel Template. The first proposal in the list is the most preferred proposal; the tunnel peers will attempt to negotiate a tunnel with those settings first. If that proposal cannot be negotiated, the peers will attempt to negotiate the second proposal, and then the third.

Step 3 To remove an unwanted proposal from an IKE negotiation, click the proposal to select it, and then click Remove.

Result: The unwanted proposal and the protocols that it contains are removed from the IKE Negotiable Protocols box.

Step 4 To change a proposal's priority in a list of more than one proposal, click a proposal in the IKE Negotiable Protocols box in the Protocol panel of an IKE IPSec Tunnel Template. Then, click Move Up to increase the proposal's priority, or Move Down to decrease it.


Note Prioritizing proposals is not available for the Manual Protocol box in the Protocol panel of manual IPSec Tunnel Templates. For manual IPSec Tunnel Templates, only one proposal can be specified because no IKE renegotiations occur.

Result: The proposal becomes either first, second, or third priority in the IKE Negotiable Protocols box in the Protocol panel of the IKE IPSec Tunnel Template.

Step 5 To specify a period of time to elapse and/or a number of kilobytes to transfer before a renegotiation of the IPSec session keys occurs, enter one or both of the following values under Renegotiate Protocol after.

Two values are possible: Time and KBytes.

Result: The IPSec session keys are renegotiated after the specified period of time elapses or the specified number of kilobytes has been transferred. When both values are set, renegotiation occurs as soon as either limit (Time or KBytes) is reached.

Step 6 To change the perfect forward secrecy strength, click one of the values in the Perfect Forward Secrecy list.

Three values are available: perfect forward secrecy enabled with strong encryption, enabled with basic encryption, or disabled.

Result: Perfect forward secrecy is either enabled with strong encryption or basic encryption, or disabled. With perfect forward secrecy enabled, each renegotiation of the IPSec session keys performs a fresh Diffie-Hellman exchange, so an attacker who later recovers one set of session keys cannot derive the keys of earlier or later sessions from it; the strong and basic settings differ in the size of the Diffie-Hellman group used for that exchange.

Step 7 To save your changes and close the Protocol panel, click OK.

Step 8 To save any changes that you have made, click Save on the File menu.
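The proposal ordering and the rekey limits described in this procedure, modelled in a small Python script. This is an added example, not code from Cisco Secure Policy Manager or from this page; the transform names (3des, des, hmac-sha1, hmac-md5), the peer names and the lifetime values are constructed for illustration, and the model assumes a responder accepts a proposal only when it supports every transform in it.

```python
"""Model of IKE proposal selection and IPSec rekey triggers (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Proposal:
    """One IKE proposal: an optional AH transform plus an optional ESP
    encryption/authentication pair. Transform names are illustrative."""
    ah: Optional[str] = None
    esp_enc: Optional[str] = None
    esp_auth: Optional[str] = None

    def transforms(self) -> Set[str]:
        return {t for t in (self.ah, self.esp_enc, self.esp_auth) if t}


@dataclass
class Peer:
    name: str
    proposals: List[Proposal]   # initiator side: ordered, most preferred first
    supported: Set[str]         # responder side: transforms this endpoint can run


def responder_accepts(peer: Peer, proposal: Proposal) -> bool:
    """A responder can accept a proposal only if it supports every transform in it."""
    return proposal.transforms() <= peer.supported


def negotiate(initiator: Peer, responder: Peer) -> Optional[Proposal]:
    """Try the initiator's proposals in list order; the first one the responder
    supports is used. None means no compatible set exists and no IPSec SA
    is established."""
    for proposal in initiator.proposals:
        if responder_accepts(responder, proposal):
            return proposal
    return None


@dataclass
class Lifetime:
    """'Renegotiate Protocol after' limits; None means that limit is not set."""
    seconds: Optional[int] = None
    kbytes: Optional[int] = None


def rekey_due(lifetime: Lifetime, elapsed_seconds: int, bytes_transferred: int) -> bool:
    """Session keys are renegotiated when either limit is reached, whichever first."""
    by_time = lifetime.seconds is not None and elapsed_seconds >= lifetime.seconds
    by_volume = lifetime.kbytes is not None and bytes_transferred >= lifetime.kbytes * 1024
    return by_time or by_volume


# Constructed sample data: a hub template with three proposals, strongest first.
STRONG = Proposal(esp_enc="3des", esp_auth="hmac-sha1")
MEDIUM = Proposal(esp_enc="3des", esp_auth="hmac-md5")
WEAK = Proposal(esp_enc="des", esp_auth="hmac-md5")
HUB = Peer("hub", [STRONG, MEDIUM, WEAK], {"3des", "des", "hmac-sha1", "hmac-md5"})
SPOKE_OLD = Peer("spoke-old", [], {"des", "hmac-md5"})   # only the weakest proposal fits
SPOKE_AH_ONLY = Peer("spoke-ah", [], {"hmac-sha1"})       # no ESP encryption at all

if __name__ == "__main__":
    print("spoke-old gets:", negotiate(HUB, SPOKE_OLD))      # WEAK
    print("spoke-ah gets:", negotiate(HUB, SPOKE_AH_ONLY))   # None: no session
    life = Lifetime(seconds=3600, kbytes=4608)
    print("rekey after one hour:", rekey_due(life, 3600, 0))  # True
```

Running the script shows the point made above: the peer that supports only DES and HMAC-MD5 lands on the third proposal, and a peer with no compatible ESP transform gets no session at all. If you are not willing to run a proposal for any peer, remove it from the template rather than leaving it as a fallback.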


 

Creating an IPSec Tunnel Group

Follow the procedures below to create a new IPSec Tunnel Group. This procedure applies to creating both IKE and manual IPSec Tunnel Groups.

To create an IPSec Tunnel Group, perform the following task:


Step 1 To view the Network Policy tree alone, click Network Policy on the Navigator toolbar.

Result: The Network Policy tree appears in the Navigator pane.

Step 2 To find the IPSec Tunnel Groups branch, expand the Network Policy tree. If you are going to create the tunnel group in a folder under the IPSec Tunnel Groups branch, expand the branch as well.

Step 3 To create an IPSec Tunnel Group, access the shortcut menu by right-clicking the IPSec Tunnel Group branch icon or the icon of the folder in which you want to create the new tunnel group. Then, point to New on the shortcut menu and select IPSec Tunnel Group, and then click Manual Group or IKE Group, depending upon the type of group you need to create.

Result: A dialog box appears, displaying a drop-down list of possible tunnel templates on which to base the tunnel group. For an IKE tunnel group, only IKE tunnel templates are displayed in the list. For manual tunnel groups, only manual tunnel templates are displayed in the list.


Step 4 To select the tunnel template on which the tunnel group will be based, click the down arrow next to the Tunnel Templates drop-down list, click a template name to select the template, and then click OK.

Result: A new node representing the IPSec Tunnel Group appears under the IPSec Tunnel Groups branch (or folder on the branch) in the Navigator pane, and the Peers property panel for the tunnel group appears in the View pane. The default name of the tunnel group is automatically selected for renaming in the Navigator pane.


Step 5 To name the IPSec Tunnel Group, type the new name in the Name box, and then press Enter.

Result: The name appears beside the new node and at the top of the Navigator pane.

Cisco Secure Policy Manager enables long names and the use of most alphanumeric or symbol characters. Also, you can use uppercase and lowercase characters. However, you cannot use quotation marks (") or a semicolon (;).


Tips If you cannot edit the name, right-click the new IPSec Tunnel Group icon and click Rename on the shortcut menu.

Step 6 To learn how to configure the tunnel group by adding peers and, for manual tunnel groups, manual keys, refer to Adding/Removing a Tunnel Endpoint and Configuring Manual Keys.

Step 7 To save your changes and close the Peers panel, click OK.

Step 8 To save your changes to the Policy Database, click Save on the File menu.

Result: If you have not populated the IPSec Tunnel Group with at least two tunnel endpoints, Cisco Secure Policy Manager will abort the Save operation and display an error message. To recover from this, make sure all of your IPSec Tunnel Groups are fully populated before attempting to Save.


Tips You can also create a tunnel group by dragging an IPSec Tunnel Template from the IPSec Tunnel Templates branch of the Tools and Services tree and dropping it on the IPSec Tunnel Groups branch of the Network Policy Tree. However, you will not be able to save your configuration to the Policy Database until you populate your new IPSec Tunnel Group with tunnel endpoints and, for manual tunnel groups, manual keys.


 

Adding/Removing a Tunnel Endpoint

The primary function of an IPSec Tunnel Group is to define the tunnel peers. In Cisco Secure Policy Manager, you define the tunnel peers in the tunnel group's Peers panel. A peer can be configured as a hub or as a spoke. This task describes adding a hub or spoke to or removing a hub or spoke from an IPSec Tunnel Group, and applies to both IKE and manual tunnel groups.

In setting up the peers of a tunnel group, you need to consider the configuration of those peers. Hubs are peers that connect to every other hub in the tunnel group, forming a full mesh. Spokes are peers that connect to a single hub. A hub may have more than one spoke, but tunnels are created only between the hub and each of its spokes; no tunnels are defined between the spokes of a hub.

To add a tunnel endpoint to or remove a tunnel endpoint from a tunnel group, perform the following task:


Note This task is performed from the Peers panel of the selected IPSec Tunnel Group. If the Peers panel does not appear in the View pane, right-click the icon of the tunnel group to be modified, point to Properties from the shortcut menu, and then click Peers.


Step 1 To add a hub to the tunnel group, click Insert Hub. To add a spoke to the tunnel group, click the hub to which you want to add the spoke in the Peers box, and then click Insert Spoke.

Result: A tunnel endpoint is added to the list in the Peers box, labeled Unidentified Hub or Unidentified Spoke, depending upon the configuration in which it was added. The settings for the tunnel endpoint appear to the right of the list. For an IKE tunnel group, the settings consist of Name, Interface, and IP Address. For a manual tunnel group, the settings consist of Name, Interface, IP Address, and Associated Keys.


Step 2 To select the network object represented by the tunnel endpoint, click the Name box to view a list of the network objects in your network topology that support IPSec and click the name of the network object to be represented by the tunnel endpoint.

Result: The Unidentified Hub or Unidentified Spoke label in the Peers box is replaced by the name of the network object selected in the Name box. If the selected network object is a host with a single interface, such as a server or workstation, the Interface box is set to N/A and the IP Address box automatically displays the IP address assigned to the interface. If the selected network object is a Policy Enforcement Point, the Interface and IP Address boxes are set to Auto select.

Step 3 To specify an interface, click the Interface box to reveal the network object's interfaces, and then click the desired interface. You can also select Auto select, which will automatically select the closest interface to the peer with which the IPSec session will be created.

Result: The selected interface appears in the Interface box, and the IP Address field is automatically populated with the selected interface's IP address. The IP address appears in the Peers box in parentheses next to the network object's name.

Step 4 To specify a particular IP address for an interface that has more than one IP address assigned to it, click the IP Address box to reveal the IP addresses assigned to the interface, and then click the desired IP address. You can also select Auto select, which will automatically select the IP address assigned to the connection to the peer with which the IPSec session will be created.


Caution If the tunnel peer participates in more than one tunnel group, you must use the same IP address for the interface in each tunnel group the peer participates in. Failure to do so will result in tunnel conflicts.

To avoid potential conflicts, choose Auto select when configuring the IP address for the interface of a tunnel peer. With Auto select chosen, Cisco Secure Policy Manager automatically selects the correct IP address for the IPSec tunnel. If you do not choose Auto select, either select the loopback address for the interface or make sure that the address selected for the interface is the same in every IPSec Tunnel Group the peer participates in.

Step 5 To add more tunnel endpoints to the tunnel group, repeat Steps 1 through 4 until all tunnel endpoints have been added.

Step 6 To configure the manual keys (for manual tunnel groups), refer to Configuring Manual Keys.

Step 7 To remove a tunnel endpoint from the tunnel group, click the tunnel endpoint that you want to remove in the Peers box, and then click Remove.

Result: The selected tunnel endpoint is removed from the tunnel group. If you removed a tunnel endpoint configured as a hub, any spokes that were attached to the hub are also removed.

Step 8 To save your changes and close the Peers panel, click OK.

Step 9 To save any changes that you have made, click Save on the File menu.
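How the hub and spoke settings above translate into actual tunnels, together with a check for the address conflict the Caution warns about, as an added Python example (not part of the product or this page). The peer names and addresses are constructed for the example, and the string "auto" stands in for the Auto select setting.

```python
"""Hub/spoke tunnel enumeration and cross-group address checks (added example)."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

AUTO = "auto"   # stands in for the Auto select setting in the Peers panel


@dataclass
class Endpoint:
    name: str              # network object represented by the tunnel endpoint
    address: str = AUTO    # explicit interface address, or AUTO


@dataclass
class TunnelGroup:
    name: str
    hubs: List[Endpoint] = field(default_factory=list)
    spokes: Dict[str, List[Endpoint]] = field(default_factory=dict)  # hub name -> spokes

    def endpoints(self) -> List[Endpoint]:
        return self.hubs + [s for spokes in self.spokes.values() for s in spokes]

    def insert_hub(self, ep: Endpoint) -> None:
        self.hubs.append(ep)
        self.spokes.setdefault(ep.name, [])

    def insert_spoke(self, hub_name: str, ep: Endpoint) -> None:
        if hub_name not in self.spokes:
            raise KeyError(f"{hub_name} is not a hub in group {self.name}")
        self.spokes[hub_name].append(ep)

    def remove(self, name: str) -> None:
        """Removing a hub also removes every spoke attached to it."""
        if name in self.spokes:
            self.hubs = [h for h in self.hubs if h.name != name]
            del self.spokes[name]
            return
        for hub_name, spokes in self.spokes.items():
            self.spokes[hub_name] = [s for s in spokes if s.name != name]


def tunnels(group: TunnelGroup) -> Set[FrozenSet[str]]:
    """Peer pairs between which a tunnel is defined: every hub to every other
    hub (full mesh) and each spoke to its own hub only. Spokes never pair."""
    pairs: Set[FrozenSet[str]] = set()
    for a, b in combinations(group.hubs, 2):
        pairs.add(frozenset((a.name, b.name)))
    for hub_name, spokes in group.spokes.items():
        for s in spokes:
            pairs.add(frozenset((hub_name, s.name)))
    return pairs


def saveable(group: TunnelGroup) -> bool:
    """The Policy Database rejects a group with fewer than two tunnel endpoints."""
    return len(group.endpoints()) >= 2


def address_conflicts(groups: List[TunnelGroup]) -> Dict[str, Set[str]]:
    """Peers that appear in several groups with different explicit addresses."""
    seen: Dict[str, Set[str]] = {}
    for g in groups:
        for ep in g.endpoints():
            if ep.address != AUTO:
                seen.setdefault(ep.name, set()).add(ep.address)
    return {name: addrs for name, addrs in seen.items() if len(addrs) > 1}


def build_sample() -> TunnelGroup:
    """Constructed sample: three meshed hubs, two branches spoked off hq."""
    g = TunnelGroup("wan")
    for hub in ("hq", "dc1", "dc2"):
        g.insert_hub(Endpoint(hub))
    g.insert_spoke("hq", Endpoint("branch-a"))
    g.insert_spoke("hq", Endpoint("branch-b"))
    return g


if __name__ == "__main__":
    g = build_sample()
    for pair in sorted(sorted(p) for p in tunnels(g)):
        print("tunnel:", " <-> ".join(pair))   # 3 hub-hub pairs + 2 hub-spoke pairs
```

Note that branch-a and branch-b never appear as a pair: traffic between two spokes has no tunnel unless one of them is made a hub. The conflict check mirrors the Caution: a peer configured with one explicit address in one group and a different one in another is reported, while peers left on Auto select are not.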


 

Configuring Manual Keys

Manual IPSec Tunnel Groups require that you specify the manual key for each peer. The manual key is the key used by the other peers to authenticate and/or encrypt the data sent to the peer. Each protocol and transform within that protocol (authentication and/or encryption) must be assigned a key value. The length of the key depends upon the transform. Because no IKE renegotiation occurs on a manual tunnel, a manual key remains in use until you replace it on every peer; generate it from a random source rather than choosing a memorable string, distribute it to the peers over a channel you trust, and plan how you will rotate it.


Note This procedure applies to manual tunnel groups only.

To configure a manual key, perform the following task:


Step 1 To view the Network Policy tree alone, click Network Policy on the Navigator toolbar.

Result: The Network Policy tree appears in the Navigator pane.

Step 2 To find the manual IPSec Tunnel Group for which you want to configure a manual key, expand the Network Policy tree, the IPSec Tunnel Groups branch, and the folder (if any) that contains the tunnel group.

Step 3 To view the tunnel group's settings, right-click the tunnel group icon, point to Properties on the shortcut menu, and then click Peers.

Result: The selected tunnel group's Peers panel appears in the View pane.

Step 4 To select the peer for which to define the manual keys, click the peer name in the Peers box.

Result: The settings for the selected peer appear to the right of the Peers box.

Step 5 To select the protocol/stage/transform for which to define the manual key, click the protocol/stage/transform/combination in the Protocol/Stage/Transform box.

Result: If a key had been previously defined for the selected peer, protocol, and stage, that key appears in the Key box. If a key had not been previously defined, "(Specify a Key)" appears in the Key box. The length of the key required for the particular algorithm and the length of the current entry in the Key box appears above the Key box.


Step 6 To specify the format of the key, select the ASCII check box. When the box is selected, the key appears in ASCII format. When the box is cleared, the key appears in hexadecimal format.

Result: The key appears in the selected format.

Step 7 To enter the new key, select the text that appears in the Key box and type the new key. You can also import a previously saved key by clicking Import Key.

Result: As you type, the Current key length field that appears above the Key box tracks the length of the key. Once you reach the necessary length, as shown by the Current key length message above the Key box, you will be unable to type any additional characters. You will not be able to enter another key or save your changes to the manual tunnel group until you have entered a key of the proper length.

Step 8 To save the entered key to a file, click Export Key.

Result: The Export To dialog box appears, enabling you to save the key in *.key file format. The exported file contains the key itself, so protect it as you would the key and delete copies you no longer need.


Step 9 To name and save the file for the key, type a name for the key file in the File name box, and click Save.

Step 10 To enter another key for the selected peer, repeat Steps 5 through 9. To enter the keys for another peer in the tunnel group, repeat Steps 3 through 9.

Step 11 To save your changes and close the Peers panel, click OK.

Step 12 To save any changes that you have made, click Save on the File menu.
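An added example (not from this page or from the product) of producing manual keys of the required length from the operating system's random source rather than typing them by hand, and of the length check the Key box applies. The transform names and the key sizes in KEY_BYTES are standard IPSec values assumed here; the page does not list which transforms a template offers, and the *.key export format is not modelled.

```python
"""Generating and checking manual IPSec keys (added example)."""
import secrets
import string
from typing import Dict, Iterable, List, Tuple

# Key sizes in bytes for common IPSec transforms of this era. Assumed here:
# the page lists no transforms. DES 64-bit, 3DES 192-bit, HMAC-MD5 128-bit,
# HMAC-SHA-1 160-bit are the standard sizes for these algorithms.
KEY_BYTES = {"des": 8, "3des": 24, "hmac-md5": 16, "hmac-sha1": 20}
ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_manual_key(transform: str, ascii_format: bool = False) -> str:
    """Return a fresh key of the right length from the OS random source.
    Hex keys carry two characters per key byte; ASCII keys one character."""
    n = KEY_BYTES[transform]
    if ascii_format:
        return "".join(secrets.choice(ASCII_ALPHABET) for _ in range(n))
    return secrets.token_hex(n)


def key_length_bytes(key: str, ascii_format: bool) -> int:
    """Length the 'Current key length' field would report, in bytes."""
    if ascii_format:
        return len(key)
    if len(key) % 2 or any(c not in string.hexdigits for c in key):
        raise ValueError("hexadecimal key must be an even number of hex digits")
    return len(key) // 2


def key_is_complete(transform: str, key: str, ascii_format: bool = False) -> bool:
    """True once the key has exactly the length the transform requires."""
    return key_length_bytes(key, ascii_format) == KEY_BYTES[transform]


def build_keyring(peers: Iterable[str], transforms: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """One independent random key per (peer, transform); no peer reuses another's."""
    return {(p, t): generate_manual_key(t) for p in peers for t in transforms}


def missing_keys(peers: Iterable[str], transforms: Iterable[str],
                 keyring: Dict[Tuple[str, str], str]) -> List[Tuple[str, str]]:
    """Slots that would still read '(Specify a Key)'; the group cannot be saved until empty."""
    return [(p, t) for p in peers for t in transforms if (p, t) not in keyring]


if __name__ == "__main__":
    ring = build_keyring(["hq", "branch"], ["3des", "hmac-sha1"])
    for (peer, transform), key in ring.items():
        print(f"{peer:7} {transform:9} {key}")   # 48 and 40 hex digits respectively
```

The hex form is the safer choice for generated keys: every byte value is expressible, whereas an ASCII key is limited to printable characters and so carries less entropy per byte. Either way, the same key string must be entered for the peer in every other endpoint that talks to it, which is why a keyring built once and distributed is less error-prone than keys typed separately at each station.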


 

Creating a Security Policy Abstract

You can create a security policy abstract either in the Security Policy Abstracts branch of the Tools and Services tree or directly on an object in the Security Policy Enforcement branch of the Network Policy tree. The difference is in what is applied: an abstract created in the Security Policy Abstracts branch must still be applied to a network object in the Security Policy Enforcement branch before any command sets are generated, whereas an abstract created in the Security Policy Enforcement branch is already applied to that network object (and is automatically added to the Security Policy Abstracts branch as well).

To create a security policy abstract, perform the following task:


Step 1 To create a security policy in the Security Policy Enforcement branch, right-click the network object on which you want to enforce the new policy, point to Policy, and click New on the shortcut menu. To create a new security policy in the Security Policy Abstracts branch, right-click either the Security Policy Abstracts branch icon or the folder in which you want to store the new abstract, point to New, and then click Security Policy Abstract.

Result: A new node appears in the Navigator pane, and Policy Builder opens with the pre-populated decision tree displayed. If you created the new security policy abstract on the Security Policy Enforcement Branch, the abstract is automatically given the name of the object on which it was created and the abstract is automatically added to the Security Policy Abstracts branch. If you created the security policy abstract in the Security Policy Abstracts branch, the name box beside the security policy abstract icon is selected for editing.

Step 2 To name the security policy, type the new name in the Name box, and then press Enter.

Result: The name appears beside the new node and at the top of the Policy Builder pane.


Tips If you cannot edit the name, as when you create the security policy abstract on an object in the Security Policy Enforcement branch, right-click the new security policy abstract icon in the Security Policy Enforcement branch and click Rename on the shortcut menu.

Step 3 To learn how to modify the pre-populated decision tree by creating or changing condition and action nodes, refer to Adding a Node to the Decision Tree and Changing the Node Type.

Step 4 To accept your changes and close Policy Builder, click Close.

Step 5 To save any changes that you have made, click Save on the File menu.


 

Adding a Node to the Decision Tree

You construct a decision tree in Policy Builder by adding new nodes to the existing decision tree or by modifying the properties of existing nodes. To learn about modifying an existing node's properties, refer to Modifying Node Properties.

To add a node to the decision tree, perform the following task:


Step 1 To add a node to the decision tree, right-click the node to which you want to append the new node, select Continue from the shortcut menu, select the configuration in which you want to add the new node, and then click the type of node to be added. 


You can choose from the following configurations for adding a node. Cisco Secure Policy Manager only allows you to select configurations that are valid for the location in the decision tree at which you are adding the node. Additionally, the configuration you select determines the type of node you can add; you will not be able to choose an invalid node type for the selected configuration.

Result: The selected node type appears in the selected configuration. If you added a condition node or a Use Tunnel node, the property panel for that node displays automatically.

Step 2 To set the new node's properties, refer to the following table:

If node is a...          Then refer to...
Source Condition         "Specifying a Source Condition" section
Service Condition        "Specifying a Service Condition" section
Destination Condition    "Specifying a Destination Condition" section
Use Tunnel Action        "Specifying a Tunnel Group" section

Step 3 Click Close to accept your changes.

Step 4 To save any changes that you have made, click Save on the File menu.


 

Changing the Node Type

You can change one node type to another in the security policy decision tree. If you simply want to change the properties of a particular node, refer to Modifying Node Properties.

To change the node type, perform the following task:


Step 1 To change an existing node to another type of node, right-click the node in Policy Builder, and then select Change To and the type of node you want to replace the current node with from the shortcut menu.



Note Only nodes that you can place at the selected location in the decision tree will be selectable from the shortcut menu. For example, you will not be able to change a destination condition in an "OR" statement to another type of condition node (source or service), because "OR" statements require that the conditions connected by the "OR" be of the same type.

Result: The node changes to the selected node type. If you changed the node to a condition node or a Use Tunnel node, the node's property panel automatically appears.

Step 2 To configure a node's properties, refer to the following table:

If node is a...          Then refer to...
Source Condition         "Specifying a Source Condition" section
Service Condition        "Specifying a Service Condition" section
Destination Condition    "Specifying a Destination Condition" section
Use Tunnel Action        "Specifying a Tunnel Group" section

Step 3 To change additional nodes, repeat Steps 1 and 2 above.

Step 4 To save your changes and close Policy Builder, click Close.

Step 5 To save any changes that you have made, click Save on the File menu.


 

Modifying Node Properties

You can change the properties of existing source, service, and destination condition nodes, as well as the Use Tunnel action node.

When you modify a security policy abstract, the changes are propagated to every instance of that policy, that is, to every network object in the Security Policy Enforcement branch on which the abstract is enforced. Check where an abstract is applied before changing it, since a change intended for one enforcement point takes effect on all of them.

To modify the node properties, perform the following task:


Step 1 Right-click the node to be modified in the Policy Builder pane, and then select Properties from the shortcut menu.

Result: The node's properties panel appears.


Tips You can also access a node's properties panel by double-clicking the node in the Policy Builder pane.

Step 2 To configure the node's properties, refer to the following table:

If node is a...          Then refer to...
Source Condition         "Specifying a Source Condition" section
Service Condition        "Specifying a Service Condition" section
Destination Condition    "Specifying a Destination Condition" section
Use Tunnel Action        "Specifying a Tunnel Group" section

Step 3 To modify the properties of additional condition nodes, repeat Step 1 and Step 2 above.

Step 4 To accept your changes and close Policy Builder, click Close.

Step 5 To save any changes you have made, click Save on the File menu.


Specifying a Source Condition

You specify the actual source for the source condition in the Specify Source or Destination Condition dialog box.


You can specify the following items as sources in your security policy:

You will need to provide additional information based on the type of source you select.

To specify a source condition, perform the following task:


Note You must be in the source condition's property panel to perform this procedure. If you are not already in the source condition's property panel, right-click the source condition node in Policy Builder, and then select Properties on the shortcut menu.


Step 1 To specify one or more IP addresses as a source or destination condition:

Result: The IP address appears in the list below the IP address box.
Result: The selected IP address is removed from the list of IP addresses.
Result: The incorrect IP address is replaced with the one you just typed.

Step 2 To specify an external host name as a source or destination condition:

Result: If the host name is not valid, Cisco Secure Policy Manager displays a message informing you that the host name could not be found. If the host name is valid, Cisco Secure Policy Manager returns the IP address for the host.

Tips You can only specify a single external host name as a source or destination condition. To specify more than one external host name as a source, click DNS Lookup to discover the IP addresses for each host name, and then use the External IP Address indication method (Step 1) to add those addresses to the source or destination condition. Note that a host name is resolved when you configure the condition, so the policy enforces the address returned at that time, not the name; if the host's address changes later, the condition must be updated.

Step 3 To specify an object from your network topology as the source or destination condition:

Step 4 To specify a network object group as the source or destination condition:

Step 5 To specify a policy domain or perimeter as the source or destination condition:

Step 6 To specify a gateway interface as the source or destination condition:

Step 7 To accept your changes, click OK.

Step 8 To accept your changes and close Policy Builder, click Close.

Step 9 To save any changes that you have made, click Save on the File menu.


 

Specifying a Service Condition

Every security policy must contain a service condition node that references one or more network services or network service bundles. A service condition ensures that the policy always takes the requested network service into account rather than deciding on source and destination alone.

You specify the network service condition in the Specify Service Conditions dialog box.


To specify a service condition, perform the following task:


Note You must be in the service condition's property panel to perform this procedure. If you are not already in the service condition's property panel, right-click the service condition node in Policy Builder, and then select Properties on the shortcut menu.


Step 1 To add an individual network service to the condition, click a service in the Add or Remove Individual Network Services box to select it, and then click Add.

Result: The service that you selected appears in the If Service is box along with any other network service that you have added.

Step 2 To add a network service bundle to the condition, select one in the Use Network Service Bundle box, and then click either Add or Select.

Result: The network services that compose the network service bundle appear in the If Service is box.

When you click Add after selecting a network service bundle, only the network services in the bundle that are not already added to the If Service is box (if any) are added. However, when you click Select after selecting a network service bundle, all the network services in the If Service is box are replaced by the network services of the network service bundle that you selected.

Step 3 To remove a network service, select it in the If Service is box, and then click Remove.

Result: The service that you selected is removed from the If Service is box.

Step 4 To accept your changes and close the Specify Service Conditions dialog box, click OK.

Step 5 To accept your changes and close Policy Builder, click Close.

Step 6 To save any changes that you have made, click Save on the File menu.
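The decision tree that Policy Builder edits (Adding a Node to the Decision Tree), the rule that conditions joined by OR must all be of one type (the Note under Changing the Node Type), and the requirement above that every policy contain a service condition can be checked programmatically. The following Python is an added example, not the product's own data model or code from this page: the true/false branching, the action names permit, deny and use_tunnel, and the sample networks and services are assumptions made for illustration.

```python
"""Evaluator and validator for a security policy decision tree (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Condition:
    kind: str                 # "source", "service" or "destination"
    values: Tuple[str, ...]   # networks for source/destination, names for service

    def matches(self, packet: dict) -> bool:
        if self.kind == "service":
            return packet["service"] in self.values
        addr = ip_address(packet[self.kind])
        return any(addr in ip_network(v) for v in self.values)


@dataclass(frozen=True)
class OrGroup:
    """Conditions joined by OR; the tool only allows one kind per OR statement."""
    conditions: Tuple[Condition, ...]

    @property
    def kind(self) -> str:
        return self.conditions[0].kind

    def matches(self, packet: dict) -> bool:
        return any(c.matches(packet) for c in self.conditions)


@dataclass(frozen=True)
class Action:
    name: str                           # "permit", "deny" or "use_tunnel" (assumed names)
    tunnel_group: Optional[str] = None  # IPSec Tunnel Group for use_tunnel


@dataclass(frozen=True)
class Node:
    test: Union[Condition, OrGroup]
    if_true: Union["Node", Action]
    if_false: Union["Node", Action]


def evaluate(tree: Union[Node, Action], packet: dict) -> Action:
    """Walk from the root: each condition picks the true or false branch
    until an action node is reached."""
    node = tree
    while isinstance(node, Node):
        node = node.if_true if node.test.matches(packet) else node.if_false
    return node


def validate(tree: Union[Node, Action]) -> List[str]:
    """Problems the tool would refuse: OR groups that mix condition types,
    and a policy containing no service condition at all."""
    problems: List[str] = []
    has_service = False
    stack: List[Union[Node, Action]] = [tree]
    while stack:
        node = stack.pop()
        if isinstance(node, Action):
            continue
        if isinstance(node.test, OrGroup):
            kinds = {c.kind for c in node.test.conditions}
            if len(kinds) > 1:
                problems.append("OR group mixes condition types: " + ", ".join(sorted(kinds)))
        if node.test.kind == "service":
            has_service = True
        stack.extend((node.if_true, node.if_false))
    if not has_service:
        problems.append("policy has no service condition")
    return problems


DENY = Action("deny")
PERMIT = Action("permit")

# Constructed sample policy: web traffic from two branch networks to the HQ
# server range is sent through a tunnel group, other web traffic from those
# branches is permitted in the clear, and everything else is denied.
POLICY = Node(
    OrGroup((Condition("source", ("10.1.0.0/16",)),
             Condition("source", ("10.2.0.0/16",)))),
    Node(Condition("service", ("http", "https")),
         Node(Condition("destination", ("192.0.2.0/24",)),
              Action("use_tunnel", "branch-to-hq"),
              PERMIT),
         DENY),
    DENY)

if __name__ == "__main__":
    pkt = {"source": "10.2.7.7", "service": "https", "destination": "192.0.2.10"}
    print(evaluate(POLICY, pkt))        # use_tunnel via branch-to-hq
    print(validate(POLICY) or "policy is valid")
```

Run against a few packets, the evaluator makes visible what the graphical tree encodes: the order of the conditions decides which traffic ever reaches the Use Tunnel action, and a packet that fails the source test is denied before its service is even examined. The validator reproduces the two structural rules the page states, so a tree built elsewhere can be checked before it is reproduced in Policy Builder.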


Specifying a Destination Condition

You specify the actual destination for the destination condition in the Specify Source or Destination Condition dialog box.


You can specify the following items as destinations in your security policy:

You will need to provide additional information based on the type of destination you select.

To specify a destination condition, perform the following task:


Note You must be in the destination condition's property panel to perform this procedure. If you are not already in the destination condition's property panel, right-click the node in Policy Builder, and then select Properties on the shortcut menu.


Step 1 To specify one or more IP addresses as a destination condition:

Result: The IP address appears in the list below the IP address box.
Result: The selected IP address is removed from the list of destination IP addresses.
Result: The incorrect IP address is replaced with the one you just typed.

Step 2 To specify an external host name as a destination condition:

Result: If the host name is not valid, Cisco Secure Policy Manager displays a message informing you that the host name could not be found. If the host name is valid, Cisco Secure Policy Manager returns the IP address for the host.

Tips You can only specify a single external host name as a destination condition. To specify more than one external host name as a destination, click DNS Lookup to discover the IP addresses for each host name, and then use those addresses to populate the address list using the External IP Addresses indication method.

Step 3 To specify an object from your network topology as the destination condition:

Step 4 To specify a Network Object Group as the destination condition:

Step 5 To specify a perimeter as the destination condition:

Step 6 To specify a gateway interface as the destination condition:

Step 7 To accept your changes and close the Specify source or destination condition dialog box, click OK.

Step 8 To accept your changes and close Policy Builder, click Close.

Step 9 To save any changes that you have made, click Save on the File menu.


 

Specifying a Tunnel Group

When you create or modify a Use Tunnel node in the decision tree, you must specify the tunnel group through which the policy sends the matching network services. You specify the tunnel group in the Use Tunnel node's property panel. Before you can select a tunnel group, you must first have created it in the IPSec Tunnel Groups branch of the Network Policy tree.

To specify a tunnel group, perform the following task:


Note You must be in the Use Tunnel property panel to perform this procedure. If you are not already in the Use Tunnel property panel, right-click the node in Policy Builder, and then select Properties on the shortcut menu.


Step 1 To select the tunnel, click the tunnel group name in the Tunnel field.

Result: The name of the selected tunnel group is highlighted in the Tunnel field.


Step 2 To accept your selection and close the Specify tunnel dialog box, click OK.

Step 3 To accept your changes and close Policy Builder, click Close.

Step 4 To save any changes that you have made, click Save on the File menu.


 

Applying Security Policies to Network Objects

You can enforce a security policy on a network object either by performing a drag-and-drop operation in the Navigator pane or by using the Policy Assignment utility. The procedures below discuss using the drag-and-drop operation to apply policies.

To apply security policies to network objects, perform the following task:


Step 1 To view all network objects in the Security Policy Enforcement branch and all security policy abstracts in the Security Policy Abstracts branch, expand those two tree structures.

Step 2 Click the security policy abstract in the Security Policy Abstracts branch that you want to enforce on the network object, and while holding down the mouse button drag the security policy over the network object in the Security Policy Enforcement branch, and then release the mouse button.

Result: A yellow scroll icon appears beside the network object in the Security Policy Enforcement branch.



Posted: Mon Jun 5 10:56:19 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.