Configuring Administrative Control Communications

• It discovers a subset of the existing configuration settings for the Policy Enforcement Points that it controls.

• It accepts the intermediate network policies from the Policy Server Point.

• It acts as a distributed component of the security system that generates command sets. It translates the intermediate policies into device-specific command sets for each Policy Enforcement Point that it controls.

• It acts as a distributed component of the security system that publishes command sets. It publishes the appropriate generated device-specific command set to each Policy Enforcement Point that it controls.

• It acts as a distributed component of the security system that provides feedback to the system and user. It queries each Policy Enforcement Point that it controls about the device's status with respect to publishing and discovery attempts, including successes and problems during a publishing attempt and connection problems during discovery.

These command sets can be published securely using secure protocols, such as PIX Secure Telnet, or the Policy Distribution Point can use an IPSec tunnel to publish the command sets securely to the Policy Enforcement Points that it controls.

Because each type of Policy Enforcement Point has its own control agent within the Policy Distribution Point component, a Policy Distribution Point can control more than one Policy Enforcement Point type and multiple Policy Enforcement Points of a specific type. For example, a single Policy Distribution Point can control three IOS Routers and four PIX Firewalls if configured to do so. However, in scenarios where a Policy Distribution Point controls more than one Policy Enforcement Point, it is critical to consider the placement of the primary server or secondary server on which the Policy Distribution Point resides in relation to the Policy Enforcement Points that you want it to control. In addition, some Policy Enforcement Points have restrictions with respect to which interface(s) in the device can be used to configure them. In such cases, considering the limitations of the Policy Enforcement Point can also help you determine the correct placement of Policy Distribution Points on your network.

Because the Policy Distribution Point component is installed on all Cisco Secure Policy Manager hosts, you can always alter the way that you want to configure your distributed security system. Just as you can enable or disable a Policy Monitor Point for use as a valid option in configuring your security system, you can also enable or disable a Policy Distribution Point. Cisco Secure Policy Manager uses the selection of a Policy Distribution Point to ensure that the communication between a selected Policy Distribution Point and the Policy Enforcement Points that it controls is permitted. The security policies and IPSec Tunnel Groups that enable these communications are automatically generated and maintained by Cisco Secure Policy Manager.

You can resolve many issues that can affect your ability to deploy network security policies to Policy Enforcement Points by carefully planning the placement of Policy Distribution Points within your network. The benefits of careful planning and placement include the following:

• Administrative connections to the Policy Enforcement Point are guaranteed by the security policies that are generated by Cisco Secure Policy Manager to enable these connections.

• Connections to Policy Enforcement Points are not lost because of changes to the active command set during the publishing operation.

• Better performance and more secure distribution of the command sets.

Because you can have more than one Policy Distribution Point on your network, you must consider the selection of a Policy Distribution Point on a per-Policy Enforcement Point basis. The best way to make this selection is to understand the scenarios that can be problematic with regard to command distribution and to understand the effects of device-specific changes that you want to make after the initial deployment.

The first thing to determine when selecting a Policy Distribution Point is the traffic flows for the communications that occur between the Policy Distribution Point and all the Policy Enforcement Points that it controls. Next, you must consider the other Policy Distribution Points on your network and their required traffic flows. It is imperative that these traffic flows do not cross.

When such traffic flows cross, they can only cross at a gateway object, which is referred to as a concentrating gateway object for the remainder of this discussion. If that concentrating gateway object is a managed gateway object, it identifies a possible point of failure in the publishing of command sets, because the policies managing that gateway object can be altered as well. Because concentrating gateway objects represent points along the path between one or more Policy Enforcement Points and a Policy Distribution Point, these concentrating gateway objects can potentially be updated before the farther Policy Enforcement Points are provided with command sets that reflect the changes on the concentrating gateway object. This case is most likely to occur if you have enabled automatic publishing of the command sets by selecting Automatic under Command Approval in the Options dialog box (available on the Tools menu) or in the Command panel of a specific Policy Enforcement Point.

In this example, the HQ Router acts as a concentrating gateway object when the Policy Distribution Point attempts to publish the generated command sets to the routers on Site A or Site B. Therefore, the only way to ensure that the traffic flows to the Site A and Site B routers are not broken is to publish to those outermost managed gateway objects before you publish to the HQ Router.

In this case, the traffic flows that you must protect against being terminated are the traffic flows between the primary servers and the secondary servers of Cisco Secure Policy Manager. This problem only arises in scenarios where you have a distributed installation type for Cisco Secure Policy Manager.

In such cases, Cisco Secure Policy Manager does not support the intelligent synchronization of command distribution across such concentrating gateway objects. In this configuration, PDPa is oblivious to the needs of PDPb during the time that PDPb is publishing the generated command set for Gw2. As a result, PDPa could publish command sets that disrupt or disable the ability for PDPb to publish command sets to Gw2.

• Administrative interface and IP address changes on a Policy Enforcement Point. If you specify a different administrative interface or modify the IP address used for the administrative interface at any time after your initial configuration, you must define a special security policy that enables the old interface to be used to issue the entire command set (because the connection may be lost in the middle once the new interface is configured).

• Administrative password. If you specify a different administrative password, such as an enable password, using the Pending Commands option in the Command panel on a Policy Enforcement Point or using a third-party administrative interface, you must make the corresponding change in the Enforcement panel of the Policy Enforcement Point in the GUI client before you can publish a new command set to the Policy Enforcement Point.

• IP address changes on Cisco Secure Policy Manager hosts. Any time that you change the IP address used by a host running some component of Cisco Secure Policy Manager or select a different Policy Distribution Point to control a Policy Enforcement Point (which is effectively a change in the IP address used to manage the Policy Enforcement Point), you jeopardize the ability of the system to actually publish the command sets to a Policy Enforcement Point. These addresses are best defined as static IP addresses (not leased via DHCP), and they are best left unmodified.

If you do modify the IP address that Cisco Secure Policy Manager uses to publish the commands to a Policy Enforcement Point (the address in the Enforcement panel) or if you select a different Policy Distribution Point to manage a specific Policy Enforcement Point, you must define an intermediate security policy that allows the network service selected in the Enforcement panel to enable both the old and the new IP addresses. Otherwise, the connection to the Policy Enforcement Point is broken while the Policy Distribution Point is publishing the command set that changes from the old address to the new address.

Warning You cannot define address hiding rules that hide Cisco Secure Policy Manager hosts from the Policy Enforcement Points that they are expected to manage. Defining such rules guarantees that the device-specific command sets cannot be published to the managed gateway objects for which Cisco Secure Policy Manager is responsible.

In this case, if you distribute the commands to Inside Gw or Middle Gw before you distribute them to Outside Gw, Outside Gw becomes unreachable by PDP. Even though the command set generated for Outside Gw understands the static translation rule, the command set to be replaced does not. Therefore, Outside Gw does not know to allow administrative updates from the translated PDP address.

Note The automatic command distribution to Outside Gw fails only when a change to the mapping rules occurs on Inside Gw or Middle Gw. In other words, it can occur when you add, delete, or modify an existing mapping rule for the Cisco Secure Policy Manager host, PDP. Once you use the manual distribution method to change the mapping rules, you can return to the automatic distribution method until a similar change occurs.

In this example, if the address of the PDP is not translated on any Policy Enforcement Points or it is translated only on Outside Gw, automatic updates would work fine, because in that case order does not matter.

Step 2 To view the Policy Distribution panel, point to Properties, and then click Policy Distribution on the shortcut menu.

Result: The Policy Distribution panel appears in the View pane.

Step 3 To change the availability of the Policy Distribution Point running on this host, select or clear the Disabled box under General Settings.

When this box is selected, the Policy Distribution Point is disabled. When the box is cleared, the Policy Distribution Point can be used to generate and publish command sets to the Policy Enforcement Points residing on your network.

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.

The first setting that you can review is the network service used for communications between the Policy Enforcement Point and a Cisco Secure Policy Manager host that is acting as the Policy Distribution Point for this Policy Enforcement Point. By default, for a PIX Firewall, this network service is PIX Secure Telnet, defined as TCP port 1467. For an IOS Router, this network service is Telnet, defined as TCP port 23. Currently, you cannot reconfigure the port settings associated with these network services. In addition, these network services are the only network services that are valid for downloading network policies to the respective Policy Enforcement Point.

As part of this general setting, you can specify which IP address, and therefore which interface, should be used to accept communication requests from Cisco Secure Policy Manager hosts.

Note For Policy Enforcement Points based on the 4.2.4, 4.2.5, and 4.4.1 versions of the PIX Firewall software, you must specify a Policy Distribution Point that resides upstream from the "inside" interface. This Policy Distribution Point server does not have to reside on the same network, but for security purposes, it must be reachable from the inside interface. In addition, you can use only the PIX Secure Firewall network service to manage the PIX Firewall. For Policy Enforcement Points based on the 5.0 and 5.1 versions of the PIX Firewall software, you must specify a Policy Distribution Point that resides upstream from any interface, except for the "outside" interface. This Policy Distribution Point server does not have to reside on the same network, but for security purposes, it must be reachable from a non-outside interface. In addition, you can use only the PIX Secure Firewall network service to manage the PIX Firewall. For Policy Enforcement Points based on the 5.1 version of the PIX Firewall software, you can specify a Policy Distribution Point server that resides downstream from the "outside" interface using PIX Secure Telnet that is passed through an IPSec tunnel. In other words, you must define an IPSec Tunnel Group definition that has the Policy Distribution Point and the outside interface address of the PIX Firewall as peers in that definition. In any release of the product, Cisco Secure Policy Manager does not support the basic Telnet network service for management of the PIX Firewall.

Next you must specify which Cisco Secure Policy Manager host is responsible for generating and publishing the command sets to the Policy Enforcement Point. In addition to specifying which host will publish the generated command sets to the Policy Enforcement Point, you can specify whether you want to encrypt all communications that occur between the Policy Enforcement Point and the host acting as its Policy Distribution Point. You can define an IPSec tunnel between the Policy Distribution Point and the Policy Enforcement Point, as well as specify the IPSec Tunnel Template you want to use when defining the IPSec Tunnel Group that supports this communication.

Note The tunnel group that supports this communication, as well as the security policy abstract that enables the tunnel and permits communications between the Policy Enforcement Point and the Cisco Secure Policy Manager host acting as its Policy Distribution Point, is automatically created and applied to the Cisco Secure Policy Manager host within the Cisco System Folder of the IPSec Tunnel Groups and Security Policy Enforcement branches under the Network Policy tree.

We also recommend that you never reuse an IPSec template that is used for the Policy Distribution Point-to-Policy Enforcement Point traffic. Instead, you should make copies of the template before you modify any settings. This recommendation exists because if you change any properties of this IPSec template, it would result in the generation of a modified IPSec bootstrap command set for any Policy Enforcement Points managed by the Policy Distribution Point for which you modified the template properties.

If you do modify the template used to manage a Policy Enforcement Point, all attempts to publish the generated command sets to the Policy Enforcement Points will fail and the following warning message will appear for each affected Policy Enforcement Point in the System Inconsistencies panel when you perform a Save and Update operation:

• (ire) Action(s) required: Change bootstrap settings with new PDP-PEP IPSec tunnel settings, then click Approve to publish. (signature=#)

To resolve this warning message, you must manually update the IPSec bootstrap settings for each affected Policy Enforcement Point (using a non-Cisco Secure Policy Manager administrative interface). After these settings are updated for each affected Policy Enforcement Point, these warning messages will be resolved when the command sets are published to each managed Policy Enforcement Point.

If you accidentally modify this IPSec template, you can perform a Reset operation. You will still receive the warning message identified above; however, this message will be resolved when you publish the generated command set to the affected Policy Enforcement Point, because the IPSec bootstrap settings have already been defined to resolve this issue.

As a general rule, any modifications to either tunnel peer affects the IPSec bootstrap settings, and, therefore, requires that you manually update the IPSec bootstrap settings for the Policy Enforcement Point acting as a peer in the generated IPSec Tunnel Group definition under the Cisco Systems Folder of the IPSec Tunnel Groups branch. Examples of such changes include the following:

Step 2 To view the Policy Enforcement Point panel, point to Properties and click Enforcement on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 3 To select the host that is running the Policy Distribution Point that you want to use, click that host name in the Policy Distribution Point box under Policy Distribution.

This box displays only those primary and/or secondary servers defined under the Network Topology tree that have a Policy Distribution Point client/server product installed on them.

If you installed a standalone Cisco Secure Policy Manager, the Policy Distribution Point resides on that primary server. Otherwise, in a distributed installation, it can reside on either a primary or secondary server, depending on which feature sets you chose to install on the various hosts.

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.

Step 2 To view the Policy Enforcement Point panel, point to Properties and click Enforcement on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 3 To select the IPSec Tunnel Template definition used to connect to the selected Policy Enforcement Point, click that template in the Use secure IPSec with template box under Policy Distribution.

This template must be defined under the IPSec Tunnel Templates branch of the Tools and Services tree. By default, the Policy Distribution Point does not use an IPSec tunnel when communicating with the Policy Enforcement Point.

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.

Step 6 Before publishing the command set to the Policy Enforcement Point, you must first configure the Policy Enforcement Point to accept the IPSec tunnel from the Policy Distribution Point. To configure the Policy Enforcement Point, refer to Cisco Secure Policy Manager Administrator's Guide: IPSec Tunnel Implementation.

Step 2 To view the Policy Enforcement Point panel, point to Properties and click Enforcement on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 3 To select the host that is running the Policy Monitor Point that you want to use, click that host name in the Policy Monitor box under Logging.

This box displays only those primary and/or secondary servers defined under the Network Topology tree that have a Policy Monitor Point client/server product installed on them.

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.

Step 2 To view the Policy Enforcement Point panel, point to Properties and click Enforcement on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 3 To select one or more hosts on which syslog servers are running, click those host names in the Syslog Monitors box under Logging.

This box displays only those hosts defined under the Network Topology tree that have a syslog client/server product installed on them. The host or hosts that you select must have a syslog application capable of processing the data streams. For instructions on installing and configuring these applications, refer to the documentation that came with those products.

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.

Step 2 To view the Policy Enforcement Point panel, point to Properties and click Enforcement on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 3 To specify the enable password, type that password in the Enable password box under Authentication.

The enable password can be up to 16 alphanumeric characters. Also, you can use both uppercase and lowercase characters. This password is case sensitive.

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.

Step 2 To view the Policy Enforcement Point panel, point to Properties and click Enforcement on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 3 To specify the Telnet password, type that password in the Telnet password box under Authentication.

The Telnet password can be up to 16 alphanumeric and special characters; however, you cannot use the question mark, space, or colon in the password. You can use both uppercase and lowercase characters, because this password is case sensitive.

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.

When you want to define a control channel tunnel group, which uses IPSec tunnels to communicate between the Policy Distribution Point and a specific managed Policy Enforcement Point that supports IPSec, you must bootstrap each IPSec-enabled Policy Enforcement Point to ensure that it can act as a peer in that IPSec Tunnel Group definition. While you have to bootstrap the Policy Enforcement Points, you do not have to bootstrap the Cisco Secure Policy Manager hosts.

When a Cisco Secure Policy Manager host participates in an IPSec tunnel group, it is used to securely publish the generated commands sets to a managed Policy Enforcement Point, such as a PIX Firewall or IOS Router. However, for a Cisco Secure Policy Manager host to act as an IPSec peer, you must have the Cisco Secure VPN Client software installed and operational on the host that is acting as the Policy Distribution Point that will be participating in the IPSec tunnel.

If this node is not a Cisco Secure Policy Manager host, it must be a gateway object that is capable of participating in an IPSec tunnel. As an IPSec-capable gateway object, the node can participate in two types of tunnels:

• If the gateway object is a managed Policy Enforcement Point, it can participate in an IPSec tunnel between the Cisco Secure Policy Manager host that is responsible for generating and publishing the device-specific command sets that Policy Enforcement Point.

• Whether the gateway object is managed or not, it can participate in a tunnel between itself and another gateway object, which acts as a peer for a specific IPSec session.

• Specify the strongest DES cipher that this node can support when encrypting the ESP payload and for encrypting the AH packets

• Enable the use of a certificate authority server by this node

• Specify the details of the pre-shared keys used by this node on a per-peer basis

In addition, you can discover the properties of the certificate currently installed on this node, if you have chosen to use certificates and have previously loaded the certificate on this node during the bootstrap process.

The following sections describe each of these settings.

When you specify triple DES as the strongest cipher, this value does not mean that triple DES will be used by all IPSec Tunnel Groups in which this node is defined as a peer. If the other peers do not support triple DES, this node can still be used with IPSec Tunnel Templates that specify standard DES as the cipher. Cisco Secure Policy Manager uses this DES cipher setting to perform a consistency check to verify that your IPSec Tunnel Group definitions are based on IPSec Tunnel Templates that the peers in the group can support.

For additional information on encryption, ciphers, and how encryption works, refer to Cisco Secure Policy Manager Administrator's Guide: IPSec Tunnel Implementation.

Certificate authority servers use HTTP as the protocol for renewing and validating certificates. They manage data about when the certificates managed by the server expire and the rules for automatically refreshing or issuing new certificates to the network objects that are subscribers to that certificate authority. In addition, certificate authority servers provide support for certificate revocation lists (CRLs), which enable you to specify that certain certificates should not be trusted.

If at some point the selected network object no longer requires access to this certificate authority server, you must clear the selection in the Trusted Certificate Authority box in the IPSec panel.

• Negotiations based on a pre-shared secret

• Negotiations based on a certificate

Pre-shared keys offer a simple, yet secure, solution for smaller networks because they do not require the support of a public key infrastructure (PKI). Pre-shared keys enable you to define a common shared secret to be used by two peers that are capable of using IKE to negotiate the settings for a specific IPSec session. Because IKE periodically negotiates new session keys for use when encrypting the network packets of an IPSec session during that session, pre-shared secrets offer a more secure IPSec solution than manual keys, which generate only one pair of session keys. In addition, because pre-shared keys enable you to specify a single secret that is shared between each peer pair, the key administration is also simpler than that of IPSec solutions based on manual keys.

To overcome the day-to-day key administration issues involved in changing pre-shared keys in accordance with a strong organizational security policy, you can also specify that you want an IPSec-enabled network object to use a digital certificate (sometimes referred to as RSA certificate signatures) as the shared secret that peers use to authenticate that network object. In this configuration, the IPSec-enabled network object publishes its public key to its peers, which use that certificate to authenticate that network object.

Unlike pre-shared keys, certificates enable IPSec peers to authenticate using a trusted certificate authority. Because they do not require an IPSec-enabled network object to know a pre-shared secret for each of its peers, digital certificates are more scalable, which means they can support larger enterprise networks. While digital certificates are more technologically complex than pre-shared keys and they require the support of a PKI within your organization (including the purchase of a certificate from a trusted certification authority), they also offer a more secure method of authentication because the certificates can be configured to expire at which time new certificates can be issued automatically by a certificate authority server.

This discovery process queries the node about that certificate and retrieves information, such as who issued the certificate, the serial number of the certificate, and the dates for which the certificate is valid.

You can use this information to ensure that you have the proper certificate loaded and to stay abreast of possible problems, such as expiration.

Result: The IPsec panel appears in the View pane.

Step 2 To specify which DES cipher is supported by this node, click that cipher in the list of ciphers in the DES Cipher Support box.

Two types of DES ciphers are available, depending on the type of software that is running on the selected node:

• DES. This option identifies that the node can support the standard DES cipher for IPsec-based communications, including the IKE authentication and the ESP payloads. If DES is not supported by the peer, the IPSec session request fails. All peers must, at a minimum, support the standard DES cipher.

• triple DES. This option identifies that the node can support the triple DES cipher. If a peer does not support triple DES, a node that supports triple DES can also support the standard DES cipher for the duration of a session.

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.

Result: The IPsec panel appears in the View pane.

Result: The Secret shared with peer label displays the name of the selected peer.

This list contains only those gateway objects and Cisco Secure Policy Manager hosts defined under the Network Topology tree that have the IPSec Support option selected in the General panel.

This secret identifies a valid secret that can be used by IKE to set up an IPSec tunnel between this node and the selected peer. The minimum length for this secret value is 8 characters and the maximum length is 128 alphanumeric characters. You cannot use Tab, Enter, spaces, question marks, or double quotes when defining this shared secret.

Result: The IPsec panel appears in the View pane.

Step 2 To specify which certificate authority server to use with this node, click that server in the list of certificate authority servers in the Trusted Certificate Authority Server box.

This value identifies a host defined in the Network Topology tree that has been configured to identify a certificate authority server by adding the Certificate Authority client-server product type to that host.

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.

Result: The IPsec panel appears in the View pane.

Step 2 To specify that you want to discover the information about the certificates used by this node, click Discover.

Result: The Discovery dialog box appears with the IPSec box selected under the Discovery Selections box.

Step 3 To discover the certificate information and other IPSec settings for this node, click Discover.

Result: The Discovery Status box displays the status of the device discovery, including the time remaining before the discovery process aborts its discover attempt. When this process is complete, a message stating "Configuration completed. The configuration attempt was successful" appears. In addition, the Results button appears, which when clicked provides information about the discovery in the Discovery Results dialog box. Specifically, the Discovery Results dialog box should display the following messages:

• IPSec capability detected.

• Triple DES capability detected. (This message only appears if this node supports triple DES.)

• # certificates detected. (Where # is the number of certificates discovered on this node.)

Step 4 To close the Discovery dialog box, click OK.

Result: The IPSec panel now displays information about each certificate that was discovered. This information is organized on separate subtabs (below the Trusted Certificate Authority box) for each certificate that is discovered.

Step 5 To accept your changes and close the selected panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.