Define Your Security Policies

Introduction

Instead of defining conduits and outbound commands for each PIX Firewall on your network, Cisco Security Manager enables you to define security policies that describe what traffic you want to allow into and out of your networks. Security policies are the means by which you configure your Policy Enforcement Points (PEPs), for example, PIX Firewalls, to accept or deny network traffic. Instead of defining security policies on a per PIX Firewall basis, you define them as high-level policies and apply them to the network objects for which you want them to be in effect.

The primary function of Cisco Security Manager is to distribute command sets that regulate network traffic that traverses your PEPs, such as your PIX Firewall. However, you do not have to specify these command sets as device-specific conduits and outbound commands for each PIX Firewall on your network. Instead, you can use Policy Builder to construct graphical decision trees representing high-level security policies that define which network services should be allowed between two network objects, such as a network, host, perimeter, IP range, or the Internet (the access point to your Internet service provider's network). Policy Builder uses Service and Destination condition nodes and terminal action nodes, such as Accept, Reject, and Use Parent Policy, to describe what you want to allow or not allow. Cisco Security Manager performs the task of converting these user-friendly security policies into meaningful command sets that the PEP can accept.

Policy Development Model

Working with security policies is a multi-task process:

    1. You must populate your Network Topology tree, and then add the network objects on which you want to enforce security policies to the Security Policy Enforcement branch of the Network Policy tree.

    2. You must construct security policies that permit or deny network services to the network objects on which you plan to enforce those security policies.

    3. You must instantiate those security policies by applying them in the Security Policy Enforcement tree.

The remainder of this chapter is organized around these three tasks. In the next section, we will use the network objects that we specified when we defined our Network Topology tree to populate the Security Policy Enforcement branch. In the last section, we combine the task of defining the security policies with the task of applying them to the Security Policy Enforcement branch objects.

Populate the Security Policy Enforcement Branch

Using the Policy Assignment panel, we can populate the Security Policy Enforcement branch with the network objects, listed under the Network Topology tree, for which we want to restrict network traffic or allow particular network services to reach from specified sources. The Security Policy Enforcement branch is an important part of the overall security policy definition because the network objects that you drag and drop onto this branch represent the source of the network traffic that you want to control.

So, with this in mind, let us consider what we want to drag onto this tree. As we stated in the "Assumptions and Desired Policy" section, we want to apply special policies for the following network objects:

The placement of these network objects in the Security Policy Enforcement branch does matter, simply because the order of the objects dictates the order of evaluation for the security policy rules that are applied to these objects in the task described in the "Define and Apply Security Policies" section.

Therefore, we need to verify that each network object is referenced in the Security Policy Enforcement branch. The following procedure explains how to perform this task and how we should order the network objects in this branch to ensure that we can devise the correct security policy.

Step 1 To access the Policy Assignment panel, click Policy Assignment on the Tools menu.

Result: The split-pane Policy Assignment panel appears in the View pane.

Step 2 To lock the Policy Assignment panel in place, select the Lock this view check box at the bottom of the panel.

Result: After locking a view, you can click objects in the Navigator pane while the contents of the View pane remain static. You must clear this check box before the contents of the View pane can be updated.

You can expand or collapse the tree structure in one of two ways:

Step 3 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears alone in the Navigator pane.

Step 4 To find the networks under Corporate Firewall, expand the Network Topology tree until you view those networks in the Navigator pane.

Step 5 To drag a reference of the internal network onto the Security Policy Enforcement branch, click Net - 10.1.2.0 in the Navigator pane and, while holding down the mouse button, drag and drop Net - 10.1.2.0 onto the Trusted Networks folder under Security Policy Enforcement in the Policy Assignment panel.

Result: A reference to Net - 10.1.2.0 appears in the Security Policy Enforcement branch under the Trusted Networks folder on which you dropped the object. Also, an empty scroll icon appears beside the new node.

Step 6 To drag a reference to the e-mail server onto the internal network, click Corporate E-mail Server in the Navigator pane and, while holding down the mouse button, drag and drop Corporate E-mail Server onto the Net - 10.1.2.0 node under Trusted Networks in the Policy Assignment panel.

Result: A reference to the corporate e-mail server appears in the Security Policy Enforcement branch under the Net - 10.1.2.0 node on which you dropped the object. Also, an empty scroll icon appears beside the new node.

Step 7 To drag a reference to the web server onto the internal network, click Corporate Web Server in the Navigator pane and, while holding down the mouse button, drag and drop Corporate Web Server onto the Net - 10.1.2.0 node under Trusted Networks in the Policy Assignment panel.

Result: A reference to the corporate web server appears in the Security Policy Enforcement branch under the Net - 10.1.2.0 node on which you dropped the object. Also, an empty scroll icon appears beside the new node.

Step 8 To drag a reference of the DMZ network onto the Security Policy Enforcement branch, click Net - 10.1.1.0 in the Navigator pane and, while holding down the mouse button, drag and drop Net - 10.1.1.0 onto the Trusted Networks folder under Security Policy Enforcement in the Policy Assignment panel.

Result: A reference to Net - 10.1.1.0 appears in the Security Policy Enforcement branch under the Trusted Networks folder on which you dropped the object. Also, an empty scroll icon appears beside the new node.

Step 9 To move the Cisco Security Manager folder under the Net - 10.1.1.0, click Cisco Security Manager in the Policy Assignment panel and, while holding down the mouse button, drag and drop Cisco Security Manager onto Net - 10.1.1.0.

Result: The Cisco Security Manager folder appears in the Security Policy Enforcement branch under the Net - 10.1.1.0 node on which you dropped the object.

Step 10 To unlock the Policy Assignment panel, clear the Lock this view check box at the bottom of the panel.

Result: You can now save your changes.

Step 11 To save any changes that you have made to the Policy Database, click Save on the File menu.

Define and Apply Security Policies

Using the Policy Assignment panel, we can define security policies and apply security policies to the network objects that we have placed in the Security Policy Enforcement branch. We can break this task into three smaller tasks:

Figure 4-1 depicts the Policy Assignment panel as it will appear when you complete the procedures defined in this chapter.


Figure 4-1: Policy Assignment Panel

Define and Apply the Internet Policy

We want to define the security policy that restricts all network traffic from the Internet except for the following network services and destinations:

Figure 4-2 depicts the Policy Builder control version of the Internet Policy as it will appear when you complete the procedure defined in this section.


Figure 4-2: Example Internet Policy

The following procedure describes how to define and apply this security policy to the implicit source of the communications, the Internet node.

Step 1 To access the Policy Assignment panel, click Policy Assignment on the Tools menu.

Result: The split-pane Policy Assignment panel appears in the View pane.

Step 2 To lock the Policy Assignment panel in place, select the Lock this view check box at the bottom of the panel.

Result: After locking a view, you can click objects in the Navigator pane while the contents of the View pane remain static.

Step 3 To create a new security policy, click the New button under the Security Policy Abstracts branch in the Policy Assignment panel.

Result: The Policy Builder control appears with the Security Policy Abstract 1 policy. Policy Builder is the graphical decision tree tool used to define security policies.

Step 4 To view a brief description of the current condition and action nodes, click Details on the Policy Builder toolbar.

Step 5 To access the shortcut menu, right-click the If service is All IP condition node.

Step 6 To access the Specify Service Conditions dialog box, click Properties on the shortcut menu.

Result: The Specify Service Conditions dialog box appears.

Step 7 To remove the All IP network service definition, click All IP under If Service is, and then click Remove >> under Add or Remove individual Network Services.

Result: The All IP network service is removed from the If Service is box.

Step 8 To add the ICMP echo reply network service to the If Service is box, click ICMP Echo Reply under Add or Remove individual Network Services, and then click << Add.

Result: The ICMP echo reply network service appears in the If Service is box.

Step 9 To accept your changes and close the Specify Service Conditions dialog box, click OK.

Result: The If service is ICMP Echo Reply condition node appears in Policy Builder.

Step 10 To access the shortcut menu, right-click the If destination is Internet Perimeter condition node.

Step 11 To access the Specify destination conditions dialog box, click Properties on the shortcut menu.

Result: The Specify destination conditions dialog box appears.

Step 12 To specify that you want to select a destination object that is defined under the Network Topology tree, click Network Object under Indication Method.

Result: The Network Topology tree appears in the Network Object box.

Step 13 To specify that you want to restrict access to the Cisco Security Manager server, click Admin-NT in the Network Object box.

Step 14 To accept your changes and close the Specify destination conditions dialog box, click OK.

Result: The If destination is ADMIN-NT condition node appears in Policy Builder.

Step 15 To change the action associated with the condition branch that you just defined, right-click the then Reject node to the right of the If destination is ADMIN-NT node, point to Change To, and then click Accept on the shortcut menu.

Result: The Reject node changes to an Accept node.

Step 16 To continue defining the next condition branch, right-click the Otherwise Reject node coming down from the If service is ICMP Echo Reply node, point to Change To, and then click If Service is on the shortcut menu.

Result: The Specify Service Conditions dialog box appears.

Step 17 To add the HTTP network service to the If Service is box, click HTTP under Add or Remove individual Network Services, and then click << Add.

Result: The HTTP network service appears in the If Service is box.

Step 18 To accept your changes and close the Specify Service Conditions dialog box, click OK.

Result: The If service is HTTP condition node appears in Policy Builder.

Step 19 To change the action associated with the condition branch that you just defined, right-click the then Reject node to the right of the If service is HTTP node, point to Change To, and then click If Destination is on the shortcut menu.

Result: The Specify destination conditions dialog box appears.

Step 20 To specify that you want to select a destination object that is defined under the Network Topology tree, click Network Object under Indication Method.

Result: The Network Topology tree appears in the Network Object box.

Step 21 To specify that you want to restrict access to the corporate web server, click Corporate Web Server in the Network Object box.

Step 22 To accept your changes and close the Specify destination conditions dialog box, click OK.

Result: The If destination is Corporate Web Server condition node replaces the Reject node in Policy Builder.

Step 23 To change the action associated with the condition branch that you just defined, right-click the then Reject node to the right of the If destination is Corporate Web Server node, point to Change To, and then click Accept on the shortcut menu.

Result: The Reject node changes to an Accept node.

Step 24 To continue defining the next condition branch, right-click the Otherwise Reject node coming down from the If service is HTTP node, point to Change To, and then click If Service is on the shortcut menu.

Result: The Specify Service Conditions dialog box appears.

Step 25 To add the SMTP network service to the If Service is box, click SMTP under Add or Remove individual Network Services, and then click << Add.

Result: The SMTP network service appears in the If Service is box.

Step 26 To accept your changes and close the Specify Service Conditions dialog box, click OK.

Result: The If service is SMTP condition node appears in Policy Builder.

Step 27 To change the action associated with the condition branch that you just defined, right-click the then Reject node to the right of the If service is SMTP node, point to Change To, and then click If Destination is on the shortcut menu.

Result: The Specify destination conditions dialog box appears.

Step 28 To specify that you want to select a destination object that is defined under the Network Topology tree, click Network Object under Indication Method.

Result: The Network Topology tree appears in the Network Object box.

Step 29 To specify that you want to restrict access to the corporate e-mail server, click Corporate E-Mail Server in the Network Object box.

Step 30 To accept your changes and close the Specify destination conditions dialog box, click OK.

Result: The If destination is Corporate E-Mail Server condition node replaces the Reject node in Policy Builder.

Step 31 To change the action associated with the condition branch that you just defined, right-click the then Reject node to the right of the If destination is Corporate E-Mail Server node, point to Change To, and then click Accept on the shortcut menu.

Result: The Reject node changes to an Accept node.

Step 32 To specify that you want to use any parent policies if none of the condition branches in this security policy satisfies a session request, right-click the Otherwise Reject node coming down from the If service is SMTP node, point to Change To, and then click Use Parent Policy on the shortcut menu.

Result: The Reject node changes to a Use Parent Policy node.

Tips
Because the default security policy is Reject All, any session requests that do not satisfy this policy will be rejected anyway; however, the Use Parent Policy action type results in a cleaner policy design and allows future inheritance without modifications to existing policies.

Step 33 To close Policy Builder, click Close on the Policy Builder toolbar.

Result: A new policy called Security Policy Abstract 1 appears under the Security Policy Abstracts branch in the Policy Assignment panel.

Step 34 To access the shortcut menu, right-click Security Policy Abstract 1 under the Security Policy Abstracts branch.

Step 35 To select the Name box, click Rename on the shortcut menu.

Step 36 To rename the selected security policy abstract, type Internet Policy in the selected box, and then press Enter.

Result: The new name appears in the Name box of the selected node.

Policy Manager allows long names and most alphanumeric or symbol characters, in both uppercase and lowercase. However, you cannot use quotation marks (") or a semicolon (;).

Step 37 To attach the Internet Policy to the Internet node, click Internet Policy under the Security Policy Abstracts branch, and then click the Internet node under the Security Policy Enforcement branch, and then click Attach Policy.

Result: The Internet Policy is attached to the Internet node.

Step 38 To unlock the Policy Assignment panel, clear the Lock this view check box at the bottom of the panel.

Result: You can now save your changes.

Step 39 To save any changes that you have made to the Policy Database, click Save on the File menu.

Figure 4-3 depicts the SecureScript translation of the Internet Policy as it appears when you complete the procedure defined in this section.


Figure 4-3: SecureScript Translation of Internet Policy

Define and Apply the Trusted Networks Policy

Next, we want to define and apply a security policy to the internal network and DMZ network that allows the HTTP, DNS, FTP, SMTP, and Telnet services to reach all unknown networks, represented by the Internet node. In addition, we want to allow ICMP echo reply to reach the Cisco Security Manager server.

Figure 4-4 depicts the Policy Builder control version of the Trusted Networks Policy as it will appear when you complete the procedure defined in this section.


Figure 4-4: Trusted Networks Policy Abstract

The following procedure describes how to define and apply this security policy to the implicit sources of the communications, which are collectively represented by the high-level logical group called the Trusted Networks folder.

Step 1 To access the Policy Assignment panel, click Policy Assignment on the Tools menu.

Result: The split-pane Policy Assignment panel appears in the View pane.

Step 2 To lock the Policy Assignment panel in place, select the Lock this view check box at the bottom of the panel.

Result: After locking a view, you can click objects in the Navigator pane while the contents of the View pane remain static.

Step 3 To create a new security policy, click New under the Security Policy Abstracts branch in the Policy Assignment panel.

Result: The Policy Builder control appears with the Security Policy Abstract 2 policy. Policy Builder is the graphical decision tree tool used to define security policies.

Step 4 To view a brief description of the current condition and action nodes, click Details on the Policy Builder toolbar.

Step 5 To access the shortcut menu, right-click the If service is All IP condition node.

Step 6 To access the Specify Service Conditions dialog box, click Properties on the shortcut menu.

Result: The Specify Service Conditions dialog box appears.

Step 7 To remove the All IP network service definition, click All IP under If Service is, and then click Remove >> under Add or Remove individual Network Services.

Result: The All IP network service is removed from the If Service is box.

Step 8 To add the ICMP echo reply network service to the If Service is box, click ICMP Echo Reply under Add or Remove individual Network Services, and then click << Add.

Result: The ICMP echo reply network service appears in the If Service is box.

Step 9 To accept your changes and close the Specify Service Conditions dialog box, click OK.

Result: The If service is ICMP Echo Reply condition node appears in Policy Builder.

Step 10 To access the shortcut menu, right-click the If destination is Internet Perimeter condition node.

Step 11 To access the Specify destination conditions dialog box, click Properties on the shortcut menu.

Result: The Specify destination conditions dialog box appears.

Step 12 To specify that you want to select a destination object that is defined under the Network Topology tree, click Network Object under Indication Method.

Result: The Network Topology tree appears in the Network Object box.

Step 13 To specify that you want to restrict access to the Cisco Security Manager server, click Admin-NT in the Network Object box.

Step 14 To accept your changes and close the Specify destination conditions dialog box, click OK.

Result: The If destination is ADMIN-NT condition node appears in Policy Builder.

Step 15 To change the action associated with the condition branch that you just defined, right-click the then Reject node to the right of the If destination is ADMIN-NT node, point to Change To, and then click Accept on the shortcut menu.

Result: The Reject node changes to an Accept node.

Step 16 To continue defining the next condition branch, right-click the Otherwise Reject node coming down from the If service is ICMP Echo Reply node, point to Change To, and then click If Service is on the shortcut menu.

Result: The Specify Service Conditions dialog box appears.

Step 17 To add the HTTP network service to the If Service is box, click HTTP under Add or Remove individual Network Services, and then click << Add.

Result: The HTTP network service appears in the If Service is box.

Step 18 To add the DNS resolving network service to the If Service is box, click DNS Resolving under Add or Remove individual Network Services, and then click << Add.

Result: The DNS resolving network service appears in the If Service is box.

Step 19 To add the FTP network service to the If Service is box, click FTP under Add or Remove individual Network Services, and then click << Add.

Result: The FTP network service appears in the If Service is box.

Step 20 To add the SMTP network service to the If Service is box, click SMTP under Add or Remove individual Network Services, and then click << Add.

Result: The SMTP network service appears in the If Service is box.

Step 21 To add the Telnet network service to the If Service is box, click Telnet under Add or Remove individual Network Services, and then click << Add.

Result: The Telnet network service appears in the If Service is box.

Step 22 To accept your changes and close the Specify Service Conditions dialog box, click OK.

Result: The If service is Security Policy Abstract 2.bundle.1 condition node appears in Policy Builder.

Step 23 To change the action associated with the condition branch that you just defined, right-click the then Reject node to the right of the If service is Security Policy Abstract 2.bundle.1 node, point to Change To, and then click If Destination is on the shortcut menu.

Result: The Specify destination conditions dialog box appears.

Step 24 To specify that you want to select a perimeter object that is defined under the Network Topology tree, click Perimeter under Indication Method.

Result: The list of available perimeters appears in the Perimeter box.

Step 25 To specify that you want to restrict access to all unknown networks, click Internet Perimeter in the Perimeter box.

We want to select the Internet Perimeter because it identifies all unknown networks to which the PIX Firewall is attached. We chose the last perimeter that the network packet will cross when leaving the networks organized under the Trusted Networks folder. In this case, the last point over which we have control is the Internet Perimeter to which the outside interface of the PIX Firewall is attached.

Step 26 To accept your changes and close the Specify destination conditions dialog box, click OK.

Result: The If destination is Internet Perimeter condition node replaces the Reject node in Policy Builder.

Step 27 To change the action associated with the condition branch that you just defined, right-click the then Reject node to the right of the If destination is Internet Perimeter node, point to Change To, and then click Accept on the shortcut menu.

Result: The Reject node changes to an Accept node.

Step 28 To specify that you want to use any parent policies if none of the condition branches in this security policy satisfies a session request, right-click the Otherwise Reject node coming down from the If service is Security Policy Abstract 2.bundle.1 node, point to Change To, and then click Use Parent Policy on the shortcut menu.

Result: The Reject node changes to a Use Parent Policy node.

Step 29 To close Policy Builder, click Close on the Policy Builder toolbar.

Result: A new policy called Security Policy Abstract 2 appears under the Security Policy Abstracts branch in the Policy Assignment panel.

Step 30 To access the shortcut menu, right-click Security Policy Abstract 2 under the Security Policy Abstracts branch.

Step 31 To select the Name box, click Rename on the shortcut menu.

Step 32 To rename the selected security policy abstract, type Trusted Net Policy in the selected box, and then press Enter.

Result: The new name appears in the Name box of the selected node.

Step 33 To attach the Trusted Net Policy to the Trusted Networks folder, click Trusted Net Policy under the Security Policy Abstracts branch, and then click the Trusted Networks folder under the Security Policy Enforcement branch, and then click Attach Policy.

Result: The Trusted Net Policy is attached to the Trusted Networks folder.

Step 34 To unlock the Policy Assignment panel, clear the Lock this view check box at the bottom of the panel.

Result: You can now save your changes.

Step 35 To save any changes that you have made to the Policy Database, click Save on the File menu.

Figure 4-5 depicts the SecureScript translation of the Trusted Networks Policy as it appears when you complete the procedure defined in this section.


Figure 4-5: SecureScript Translation of Trusted Networks Policy

Define and Apply Cisco Security Manager Policy

The last security policy that we need to define explicitly allows the Cisco Security Manager server to use ICMP to test network connectivity. Because we have already allowed the back channel, ICMP echo reply, to access the Cisco Security Manager server in the two previous policies, we simply need to ensure that ICMP echo request is allowed for the Cisco Security Manager server. The following procedure describes how to define and apply the security policy to the implicit source, which is the Cisco Security Manager folder.


Note: We use the Cisco Security Manager folder rather than the host node that represents the server, because Cisco Security Manager automatically creates and applies a security policy to this host node that ensures the network services that Cisco Security Manager uses for inter-system communications are allowed to traverse the PEPs in the event that you have a distributed Cisco Security Manager installation. We do not recommend that you modify this security policy. If you need to allow other network services, we recommend that you apply a security policy to the Cisco Security Manager folder instead of the server node (like Admin-NT). This special default policy is stored in the System Policies folder under the Security Policy Abstracts branch of the Tools and Services tree.

Step 1 To access the Policy Assignment panel, click Policy Assignment on the Tools menu.

Result: The split-pane Policy Assignment panel appears in the View pane.

Step 2 To lock the Policy Assignment panel in place, select the Lock this view check box at the bottom of the panel.

Result: After locking a view, you can click objects in the Navigator pane while the contents of the View pane remain static.

Step 3 To create a new security policy, click New under the Security Policy Abstracts branch in the Policy Assignment panel.

Result: The Policy Builder control appears with the Security Policy Abstract 3 policy. Policy Builder is the graphical decision tree tool used to define security policies.

Step 4 To view a brief description of the current condition and action nodes, click Details on the Policy Builder toolbar.

Step 5 To access the shortcut menu, right-click the If service is All IP condition node.

Step 6 To access the Specify Service Conditions dialog box, click Properties on the shortcut menu.

Step 7 To remove the All IP network service definition, click All IP under If Service is, and then click Remove >> under Add or Remove individual Network Services.

Result: The All IP network service is removed from the If Service is box.

Step 8 To add the ICMP echo request network service to the If Service is box, click ICMP Echo Request under Add or Remove individual Network Services, and then click << Add.

Result: The ICMP echo request network service appears in the If Service is box.

Step 9 To accept your changes and close the Specify Service Conditions dialog box, click OK.

Result: The If service is ICMP Echo Request condition node appears in Policy Builder.

Step 10 To access the shortcut menu, right-click the If destination is Internet Perimeter condition node.

Step 11 To specify that you want to add an OR condition node, point to Continue, and then to OR, and then click If Destination is on the shortcut menu.

Result: The Specify destination conditions dialog box appears.

Step 12 To specify that you want to select a perimeter object that is defined under the Network Topology tree, click Perimeter under Indication Method.

Result: The list of available perimeters appears in the Perimeter box.

Step 13 To specify that you want to enable access to all internal networks, click Internal Perimeter in the Perimeter box.

Step 14 To accept your changes and close the Specify destination conditions dialog box, click OK.

Result: The If destination is Internal Perimeter condition node appears in Policy Builder.

Step 15 To change the action associated with the condition branch that you just defined, right-click the then Reject node to the right of the If destination is Internal Perimeter node, point to Change To, and then click Accept on the shortcut menu.

Result: The Reject node changes to an Accept node.

Step 16 To specify that you want to use any parent policies if none of the condition branches in this security policy satisfies a session request, right-click the Otherwise Reject node coming down from the If service is ICMP Echo Request node, point to Change To, and then click Use Parent Policy on the shortcut menu.

Result: The Reject node changes to a Use Parent Policy node.

Tips
Because both higher-level and lower-level policies are applied to the Cisco Security Manager server, we want to be sure that the composite policy is constructed correctly. Therefore, the Use Parent Policy action is the correct choice.

Step 17 To close Policy Builder, click Close on the Policy Builder toolbar.

Result: A new policy called Security Policy Abstract 3 appears under the Security Policy Abstracts branch in the Policy Assignment panel.

Step 18 To access the shortcut menu, right-click Security Policy Abstract 3 under the Security Policy Abstracts branch.

Step 19 To select the Name box, click Rename on the shortcut menu.

Step 20 To rename the selected security policy abstract, type Admin Policy in the selected box, and then press Enter.

Result: The new name appears in the Name box of the selected node.

Step 21 To attach the Admin Policy to the Cisco Security Manager folder, click Admin Policy under the Security Policy Abstracts branch, and then click the Cisco Security Manager folder under the Security Policy Enforcement branch, and then click Attach Policy.

Result: The Admin Policy is attached to the Cisco Security Manager folder.

Step 22 To unlock the Policy Assignment panel, clear the Lock this view check box at the bottom of the panel.

Result: You can now save your changes.

Step 23 To save any changes that you have made to the Policy Database, click Save on the File menu.
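
The three policies built in this chapter, modeled as an added Python example (not Cisco's code and not SecureScript) to show how the Use Parent Policy action composes them along the Security Policy Enforcement branch and what changes if the Admin Policy ended in Otherwise Reject instead. Assumptions of the model: a condition row matches only when both its service and destination conditions hold, a request that reaches Use Parent Policy is handed to the nearest ancestor with an attached policy, Admin-NT sits under the Cisco Security Manager folder, and the system policy that the product attaches to the host node is omitted; the destination label sets passed to `evaluate` are constructed sample input.

```python
from dataclasses import dataclass

ACCEPT, REJECT, USE_PARENT = "Accept", "Reject", "Use Parent Policy"


@dataclass
class Branch:
    services: set        # "If service is" condition (any listed service)
    destinations: set    # "If destination is" condition (entries are OR-ed)
    then: str = ACCEPT   # terminal action node of the branch


@dataclass
class Policy:
    name: str
    branches: list
    otherwise: str = USE_PARENT  # last Otherwise node in the tree

    def decide(self, service, dest_labels):
        # Branches are tried top to bottom, as drawn in Policy Builder.
        for b in self.branches:
            if service in b.services and b.destinations & dest_labels:
                return b.then
        return self.otherwise


# Security Policy Enforcement branch as populated in this chapter
# (child -> parent). Admin-NT under the folder is an assumption.
PARENT = {
    "Internet": None,
    "Trusted Networks": None,
    "Net - 10.1.2.0": "Trusted Networks",
    "Corporate E-mail Server": "Net - 10.1.2.0",
    "Corporate Web Server": "Net - 10.1.2.0",
    "Net - 10.1.1.0": "Trusted Networks",
    "Cisco Security Manager": "Net - 10.1.1.0",
    "Admin-NT": "Cisco Security Manager",
}

INTERNET_POLICY = Policy("Internet Policy", [
    Branch({"ICMP Echo Reply"}, {"Admin-NT"}),
    Branch({"HTTP"}, {"Corporate Web Server"}),
    Branch({"SMTP"}, {"Corporate E-Mail Server"}),
])
TRUSTED_NET_POLICY = Policy("Trusted Net Policy", [
    Branch({"ICMP Echo Reply"}, {"Admin-NT"}),
    Branch({"HTTP", "DNS Resolving", "FTP", "SMTP", "Telnet"},
           {"Internet Perimeter"}),
])
ADMIN_POLICY = Policy("Admin Policy", [
    Branch({"ICMP Echo Request"}, {"Internet Perimeter", "Internal Perimeter"}),
])
# Variant for comparison only: same branch, but the final node left as Reject.
STRICT_ADMIN_POLICY = Policy("Admin Policy (Otherwise Reject)",
                             ADMIN_POLICY.branches, otherwise=REJECT)

ATTACHED = {
    "Internet": INTERNET_POLICY,
    "Trusted Networks": TRUSTED_NET_POLICY,
    "Cisco Security Manager": ADMIN_POLICY,
}


def evaluate(source, service, dest_labels, attached=None):
    """Return (action, deciding policy) for a session request.

    Walks from the source node up the enforcement tree; a policy that
    answers Use Parent Policy defers to the next ancestor. If nothing
    decides, the default Reject All applies.
    """
    attached = ATTACHED if attached is None else attached
    node = source
    while node is not None:
        policy = attached.get(node)
        if policy is not None:
            action = policy.decide(service, set(dest_labels))
            if action != USE_PARENT:
                return action, policy.name
        node = PARENT[node]
    return REJECT, "default Reject All"


if __name__ == "__main__":
    strict = dict(ATTACHED, **{"Cisco Security Manager": STRICT_ADMIN_POLICY})
    requests = [  # constructed sample session requests
        ("Internet", "HTTP", {"Corporate Web Server"}, ATTACHED),
        ("Internet", "Telnet", {"Corporate Web Server"}, ATTACHED),
        ("Corporate Web Server", "DNS Resolving", {"Internet Perimeter"}, ATTACHED),
        ("Admin-NT", "ICMP Echo Request", {"Internal Perimeter"}, ATTACHED),
        ("Admin-NT", "HTTP", {"Internet Perimeter"}, ATTACHED),
        ("Admin-NT", "HTTP", {"Internet Perimeter"}, strict),
    ]
    for src, svc, dst, att in requests:
        print(src, svc, sorted(dst), "->", evaluate(src, svc, dst, att))
```

In this model the last two requests differ only in the Admin Policy's final node: with Use Parent Policy the server inherits the Trusted Net Policy's outbound services, while with Otherwise Reject the lower-level policy cuts them off.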


Posted: Fri Aug 20 15:21:37 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.