Network Services

The Network Services branch of the Tools and Services tree contains a variety of common network services (based on the TCP/IP protocol suite) that you can reference within your security policy abstracts or that you can combine into larger network service bundles that contain multiple network services.

The Network Services branch lists only active services. When a service is active, it appears in the Network Services branch and is available for use in network service bundles and in the service condition node of security policy abstracts. By default, the Network Services branch lists many common network services. Cisco Secure Policy Manager has additional, inactive services pre-defined in the Network Services Library that can be added to the Network Services branch whenever you need them.

If you need a network service that is not listed in the Network Services branch or in the Network Services Library, you can create a customized network service with the Network Service Installation Wizard.

You cannot create folders under the Network Services branch, as you can under other branches of the Tools and Services tree.

Learn More About Network Services

A network service describes the parameters for a particular type of network traffic, such as what protocols and port the traffic uses. You can reference network services directly within your security policy abstracts, or you can create larger collections of network services, called network service bundles, that you can also reference within your security policy abstracts. The network service, then, describes what the network traffic is, while the security policy abstract that references the network service defines who can use the network service, and under what circumstances.

By default, the Network Services branch lists the most common network services, but Cisco Secure Policy Manager has many more pre-defined network services that are stored in the Network Services Library. You can add the network services listed in the Network Services Library to the Network Services branch whenever you have the need. Also, you can create customized network services with the Network Service Installation Wizard. Using this wizard, you can create new network services that you can then reference when building security policy abstracts.

When you modify the session settings for a protocol within a network service, you are changing the settings for that service only. Any other network service that references the same protocol will not be changed. For example, changing the TCP port number in the TCP (POP-3) network service will not affect the TCP port number in the NNTP network service session settings.

Network Services Library

Because the list of pre-defined network services is large, and you can add many customized services of your own, the Network Services Library acts as a holding area for the less commonly used pre-defined services. Only pre-defined network services that are not currently in the Network Services branch appear in the Network Services Library; user-defined network services cannot be placed in the Network Services Library.

To view every network service that has been defined, expand the Network Services branch in the Navigator pane (for the active services), then open the Network Services Library from the Wizards menu (for the inactive pre-defined services). If the service you need is in neither place, you can start the Network Service Installation Wizard directly from the Network Services Library. Any service you create with the wizard appears in the Network Services branch.

Network Service Installation Wizard

Even though Cisco Secure Policy Manager comes with pre-defined network services in the Network Services branch and in the Network Services Library, the demands of your network might require the creation of custom network services. The Network Service Installation Wizard assists you in creating these custom network services.

The Network Service Installation Wizard takes you through each step of defining a new network service. The wizard first asks you to specify the name and the top-level protocol layer (application, transport, or network) of the new service.

When naming the service, you cannot specify a name used by an existing network service (a network service that is defined in the Network Services branch or in the Network Services Library). If you attempt to do so, you will receive an error message and will not be allowed to proceed to the next panel of the wizard until you submit a unique name. Cisco Secure Policy Manager enables long names and the use of most alphanumeric or symbol characters. Also, you can use both uppercase and lowercase characters. However, you cannot use quotation marks (") or a semicolon (;).

After specifying the name and the top-level protocol layer, the Network Service Installation Wizard takes you through each protocol layer, enabling you to specify the protocol and protocol settings for each layer. Depending on the type of network service you are creating, you may have to specify protocols and settings for all three protocol layers. For example, if you define a network service with the application layer as the top-level protocol layer, you will need to specify the protocols and settings for the application, transport, and network layers. If you define a network service with the transport layer as the top-level protocol layer, you will only need to specify the protocols and settings for the transport and network layers. If you define a network service with the network layer as the top-level protocol layer, you will only need to specify the protocol and settings for the network layer.

After you create a custom network service with the Network Service Installation Wizard, the network service appears under the Network Services branch of the Tools and Services tree. Unlike the network services that come pre-defined with Cisco Secure Policy Manager, a custom network service does not move to the Network Services Library when you delete it from the Network Services branch.

Network Services Task List

You can perform the following tasks from the Network Services branch of the Tools and Services tree.

Adding a Network Service

Cisco Secure Policy Manager contains more network services than appear in the Network Services branch of the Tools and Services tree. You can add these pre-defined, "hidden" network services to the branch with the Network Services Library.

You can access the Network Services Library from the Network Services branch, from the Network Service Installation Wizard, or from the Wizards menu on the Cisco Secure Policy Manager menu bar.


Note The Network Services Library can only store those services that came pre-defined in Cisco Secure Policy Manager. User-created network services cannot be stored in the Network Services Library.

To add a network service, perform the following task:


Step 1 Access the Network Services Library using one of the methods listed above (from the Network Services branch, from the Network Service Installation Wizard, or from the Wizards menu).

Result: The Network Services Library appears in the View pane.

Step 2 To add a network service to the Network Services branch, select a service in the Network Services Library box, and then click Install. To add multiple services at one time, hold down the Shift key (if they are consecutively listed) or the Control key (if they are not consecutively listed) while selecting the services.

Result: The selected network service appears under the Network Services branch of the Tools and Services tree. It no longer appears in the Network Services Library.

Step 3 To close the Network Services Library, click Close.

Result: The Network Services Library closes.



Defining a Network Service

You define network services with the Network Service Installation Wizard.


Note Before defining a new network service, you should check the Network Services Library to see if the required service has been pre-defined in Cisco Secure Policy Manager. Cisco Secure Policy Manager has many more network services defined than are shown in the Network Services branch. These services are stored in the Network Services Library and can be added to the Network Services branch as needed.

To define a new network service, perform the following task:


Step 1 Access the Network Service Installation Wizard using one of the available methods (for example, directly from the Network Services Library, as described above).

Result: The first panel of the Network Service Installation Wizard appears.


Step 2 To name the new network service, type the desired name in the Service Name box.

Result: The name is applied to the new network service.

You cannot use the same name for two network services. If you attempt to do so, you will receive an error message and will not be allowed to proceed to the next panel until you submit a unique name. Cisco Secure Policy Manager enables long names and the use of most alphanumeric or symbol characters. Also, you can use both uppercase and lowercase characters. However, you cannot use quotation marks (") or a semicolon (;).

Step 3 To specify the highest-level protocol layer (application, transport, or network), select a protocol layer in the list. To continue, click Next.

Result: The Select Next Protocol panel appears, from which you can select the corresponding network protocol for that layer.

Step 4 To specify the network protocol for that layer, select one in the list of supported protocols. To continue, click Next.

Result: The Protocol Settings panel for the selected protocol appears.

Step 5 To change the settings for this protocol layer (if you want them to be different from the default values), specify the new settings in the Protocol Settings panel. To continue, click Next.

You can either accept the default session settings for the protocol, or you can alter one or more settings, which affects only the network service that you are creating.

Step 6 Repeat Steps 4 and 5 for each remaining layer of the network service. Which layers remain depends on the top-level protocol layer you selected in Step 3: an application-level service also requires the transport and network layers, a transport-level service also requires the network layer, and a network-level service requires no further layers.

Result: After you have defined all layers, the Finish Network Service Wizard panel appears.

Step 7 To finish creating the new network service, click Finish.

Result: The Network Service Installation Wizard closes, and the new network service appears under the Network Services branch.

Step 8 To save any changes that you have made, click Save on the File menu.
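The wizard rules described above (a unique name without quotation marks or semicolons, one protocol per required layer below the top-level layer, and session settings that belong to a single service) are easier to reason about as a small model. The following is added example code, not Cisco Secure Policy Manager's own code or file format; the protocol names, the defaults table and the class and function names are assumptions made for illustration. It reproduces the page's TCP (POP-3) / NNTP example and the name checks the wizard performs.

```python
"""Hypothetical model of the network-service definitions described above.

Added example code, not part of Cisco Secure Policy Manager; protocol names
and the defaults table are assumptions. It encodes three rules the page
states: a name must be unique and contain no double quote or semicolon; a
service defined at one layer must define every layer below it; and session
settings belong to one service, so editing one service's TCP port leaves
every other service untouched.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass

# Layers top-down: a service defined at one layer needs every layer below it.
LAYERS = ("application", "transport", "network")

# Assumed per-protocol default session settings (the real defaults are
# whatever the wizard's Protocol Settings panel shows for that protocol).
DEFAULT_SETTINGS = {
    "ip": {},
    "tcp": {"port": None, "idle_timeout": 3600},
    "udp": {"port": None, "idle_timeout": 120},
    "icmp": {"type": None, "code": None},
}


def required_layers(top_layer: str) -> tuple[str, ...]:
    """The layers the wizard walks you through for a given top-level layer."""
    if top_layer not in LAYERS:
        raise ValueError(f"unknown protocol layer {top_layer!r}")
    return LAYERS[LAYERS.index(top_layer):]


@dataclass
class NetworkService:
    name: str
    layers: dict[str, dict]  # layer -> {"protocol": str, "settings": dict}

    def get_setting(self, layer: str, key: str):
        return self.layers[layer]["settings"][key]

    def set_setting(self, layer: str, key: str, value) -> None:
        """Change one session setting; this affects this service only."""
        self.layers[layer]["settings"][key] = value


class ServiceCatalog:
    """One namespace covering the Network Services branch and the library."""

    def __init__(self) -> None:
        self.services: dict[str, NetworkService] = {}

    def name_problems(self, name: str) -> list[str]:
        """Why the wizard would reject a name; an empty list means accepted."""
        problems = []
        if not name.strip():
            problems.append("name is empty")
        if '"' in name or ";" in name:
            problems.append('name contains " or ;')
        if name in self.services:
            problems.append("name is already in use")
        return problems

    def define(self, name: str, top_layer: str, protocols: dict[str, str],
               overrides: dict[str, dict] | None = None) -> NetworkService:
        """protocols maps layer -> protocol; overrides maps layer -> settings."""
        problems = self.name_problems(name)
        if problems:
            raise ValueError(f"{name!r}: " + "; ".join(problems))
        required = required_layers(top_layer)
        if set(protocols) != set(required):
            raise ValueError(f"{name!r}: a {top_layer}-level service must "
                             f"define exactly these layers: {required}")
        layers = {}
        for layer in required:
            proto = protocols[layer]
            # Deep copy: each service owns its settings, never the shared defaults.
            settings = copy.deepcopy(DEFAULT_SETTINGS.get(proto, {}))
            settings.update((overrides or {}).get(layer, {}))
            layers[layer] = {"protocol": proto, "settings": settings}
        service = NetworkService(name, layers)
        self.services[name] = service
        return service


def demo() -> dict:
    """Reproduce the page's POP-3 / NNTP example and report what each sees."""
    catalog = ServiceCatalog()
    stack = {"transport": "tcp", "network": "ip"}
    pop3 = catalog.define("TCP (POP-3)", "transport", stack, {"transport": {"port": 110}})
    nntp = catalog.define("NNTP", "transport", stack, {"transport": {"port": 119}})
    pop3.set_setting("transport", "port", 995)  # edit one service only
    return {
        "pop3_port": pop3.get_setting("transport", "port"),
        "nntp_port": nntp.get_setting("transport", "port"),
        "duplicate_name": catalog.name_problems("NNTP"),
        "bad_name": catalog.name_problems('POP3 "secure"; alt'),
    }
```

Running `demo()` shows the isolation rule in action: the POP-3 service ends up on port 995 while NNTP still reports 119, because `define` deep-copies the defaults instead of sharing one settings dictionary between services. `name_problems` returns the reasons the wizard would refuse a name rather than raising, so the same check can be used to validate a batch of proposed names before anyone clicks through the panels.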



Configuring Session Settings

You can change the session settings, such as port numbers, for protocols used by a network service. This change affects only that particular network service.


Note Policy Enforcement Points enforce the instance settings defined for a network service, such as the implicitly or explicitly defined TCP or UDP port number. However, the Policy Enforcement Points supported by Cisco Secure Policy Manager cannot enforce session-based settings, such as the Idle Timeout value, on a per-service basis. There are two exceptions to this rule, which are enforced per service:

ICMP: Type and Code settings
RPC: Program Number setting

With regard to timeout settings, the Policy Enforcement Point applies them as global timeouts that are enforced across all sessions of a given protocol type, regardless of the value set in any individual network service. To specify these global timeout settings, see the Settings 1 panel on each Policy Enforcement Point node in the Network Topology tree for which you want to enforce such settings.
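The note above is the practical caveat of this whole page: a setting you carefully type into a network service is only worth something if the Policy Enforcement Point actually matches on it. The following is an added example, not Cisco Secure Policy Manager code; the service dictionary layout, the rule format and the sample services are constructed assumptions. It splits each service into the instance settings a PEP enforces (TCP/UDP port, and the two exceptions, ICMP type/code and RPC program number), the session-based settings it silently drops, and the PEP's own global timeout that applies instead. It also flags services whose per-service idle timeouts differ even though the PEP will collapse them to one global value.

```python
"""Added example: what a Policy Enforcement Point takes from a network service.

Not Cisco Secure Policy Manager code. It encodes the note above: a PEP
enforces the service's instance settings (TCP/UDP port and, as the two
exceptions, ICMP type/code and RPC program number) but not session-based
settings such as Idle Timeout, which it applies as one global value per
protocol. The service dictionary layout and the rule format are assumptions.
"""
from __future__ import annotations

# Instance settings a PEP can match per service. Every other setting on a
# protocol is treated as session-based and therefore not enforceable per service.
INSTANCE_KEYS = {
    "tcp": {"port"},
    "udp": {"port"},
    "icmp": {"type", "code"},
    "rpc": {"program_number"},
}


def compile_for_pep(service: dict, global_timeouts: dict[str, int]) -> dict:
    """Split a service into the match rule a PEP enforces and the settings it drops.

    service = {"name": str, "layers": [{"protocol": str, "settings": {...}}, ...]}
    global_timeouts = per-protocol idle timeouts configured on the PEP itself
    (the Settings 1 panel in the note above), e.g. {"tcp": 3600, "udp": 120}.
    """
    match: dict[str, object] = {}
    ignored: list[tuple[str, str, object]] = []
    timeouts: dict[str, int] = {}
    for layer in service["layers"]:
        proto = layer["protocol"]
        allowed = INSTANCE_KEYS.get(proto, set())
        for key, value in layer["settings"].items():
            if value is None:
                continue  # left unset in the wizard; nothing to match on
            if key in allowed:
                match[f"{proto}.{key}"] = value
            else:
                ignored.append((proto, key, value))  # per-service value has no effect
        if proto in global_timeouts:
            timeouts[proto] = global_timeouts[proto]  # what actually applies
    return {"name": service["name"], "match": match,
            "ignored": ignored, "timeouts": timeouts}


def timeout_conflicts(services: list[dict]) -> dict[str, dict[str, object]]:
    """Find per-service idle timeouts that differ for the same protocol.

    Such differences look meaningful in the service definitions but collapse
    to the PEP's single global value, so they are worth flagging in review.
    """
    seen: dict[str, dict[str, object]] = {}
    for svc in services:
        for layer in svc["layers"]:
            t = layer["settings"].get("idle_timeout")
            if t is not None:
                seen.setdefault(layer["protocol"], {})[svc["name"]] = t
    return {proto: by_svc for proto, by_svc in seen.items()
            if len(set(by_svc.values())) > 1}


# Constructed sample services (not taken from the page).
SAMPLE_SERVICES = [
    {"name": "TCP (POP-3)", "layers": [
        {"protocol": "tcp", "settings": {"port": 110, "idle_timeout": 600}},
        {"protocol": "ip", "settings": {}}]},
    {"name": "NNTP", "layers": [
        {"protocol": "tcp", "settings": {"port": 119, "idle_timeout": 3600}},
        {"protocol": "ip", "settings": {}}]},
    {"name": "ICMP echo", "layers": [
        {"protocol": "icmp", "settings": {"type": 8, "code": 0, "idle_timeout": 10}}]},
    {"name": "NFS (RPC)", "layers": [
        {"protocol": "rpc", "settings": {"program_number": 100003}},
        {"protocol": "udp", "settings": {"port": 2049, "idle_timeout": 120}},
        {"protocol": "ip", "settings": {}}]},
]
PEP_GLOBAL_TIMEOUTS = {"tcp": 3600, "udp": 120}

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        print(compile_for_pep(svc, PEP_GLOBAL_TIMEOUTS))
    print("timeout conflicts:", timeout_conflicts(SAMPLE_SERVICES))
```

With the sample data, the POP-3 service compiles to a single match on `tcp.port` 110 while its 600-second idle timeout lands in `ignored` and the PEP's global 3600 seconds applies instead; `timeout_conflicts` then reports the POP-3 and NNTP pair, which is exactly the case where an administrator might believe one service is being timed out faster than the other when it is not.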

To configure session settings for a network service, perform the following task:


Step 1 Expand the Tools and Services tree, the Network Services branch, and the desired network service.

Step 2 Click the network service icon in the Navigator pane.

Result: The panel for the highest-level protocol appears in the View pane (application layer being higher than transport layer, and transport layer being higher than network layer).


Tips If the properties panel for the network service does not display, right-click the network service icon in the Navigator pane and click Properties on the shortcut menu.

Step 3 To change a setting, double-click the existing value in any box, and then type the new value, or click an item in a list box where available.

Result: The new value is applied only to that network service unless you also change the protocol definition itself.

Step 4 To make setting changes to lower-level protocols of the network service, expand the network service in the Navigator pane to reveal the lower level protocols, and then select the protocol to be changed under the network service. The settings are changed as in Step 3.

Result: The new value is applied only to that network service unless you also change the protocol definition itself.

Step 5 To accept your changes and close the panel, click OK.

Step 6 To save any change you have made, click Save on the File menu.




Posted: Mon Jun 5 20:03:46 PDT 2000
Copyright © 1989 - 2000 Cisco Systems Inc.