The Firewall tab displays information about the VPN Client's firewall configuration.
The VPN Concentrator's network manager specifies the name of the firewall that the VPN Client is enforcing, such as the Cisco Integrated Client, Zone Labs ZoneAlarm, ZoneAlarm Pro, BlackICE Defender, and so on, and sets up the firewall policy under the Configuration | User Management | Base Group or Group | Client FW tab. The following firewall policy options exist:
AYT (Are You There) enforces the use of a specific firewall but does not require you to have a specific firewall policy. The supported firewall software on the VPN Client PC controls its own rules. The VPN Client polls the firewall every 30 seconds to make sure it is still running, but does not confirm that a specific policy is enforced.
Centralized Protection Policy (CPP) or "Policy Pushed" as defined on the VPN Concentrator lets you define a stateful firewall policy that the VPN Client enforces for Internet traffic while a tunnel is in effect. CPP is for use during split tunneling and is not relevant for a tunnel everything configuration. In a tunnel everything configuration, all traffic other than tunneled traffic is blocked during the tunneled connection. This policy takes advantage of the Cisco Integrated Client. The policy rules are defined on the VPN Concentrator and sent to the VPN Client during each connection attempt. The VPN Client enforces these rules for all non-tunneled traffic while the tunnel is active.
Note CPP affects only Internet traffic. Traffic across the tunnel is unaffected by its policy rules. If you are operating in tunnel everything mode, enabling CPP has no effect.
Client/Server, corresponding to "Policy from Server" (Zone Labs Integrity) on the VPN Concentrator, relates to the Zone Labs Integrity solution. The policy is defined on the Integrity Server in the private network and sent to the VPN Concentrator, which in turn sends it to the Integrity Agent on the VPN Client PC to implement. Since Integrity is a fully functional personal firewall, it can make intelligent decisions about network traffic based on applications as well as data.
Table 3-1 summarizes the policy options available for the various supported firewalls.
The Firewall tab displays information about the VPN Client's firewall configuration, including the firewall policy and the configured firewall product. The remaining contents of the Firewall tab depend on these two configured options.
The information shown on this tab varies according to your firewall policy.
AYT--When Are You There (AYT) is the supported capability, the Firewall tab shows only the firewall policy (AYT) and the name of the firewall product. AYT enforces the use of a specific personal firewall but does not require you to have a specific firewall policy.
Centralized Protection Policy (CPP)--When CPP is the supported capability, the Firewall tab includes the firewall policy, the firewall in use, and firewall rules.
Client/Server--When Client/Server is the supported capability, the Firewall tab displays the firewall policy as Client/Server, the name of the product as ZoneLabs Integrity Agent, the user ID, session ID, and the addresses and port numbers of the firewall servers.
The Firewall tab shows that AYT is running and displays the name of the firewall product that supports AYT. AYT is used in conjunction with Cisco Intrusion Prevention Security Agent or Zone Labs Zone Alarm or Zone Alarm Pro to ensure that the firewall is enabled and running on a system, but not to confirm that a specific policy is enforced.
CPP is a stateful firewall policy that is defined on and controlled from the VPN Concentrator. It can add protection for the VPN Client PC and private network from intrusion when split tunneling is in use. CPP sends down a stateful firewall policy for the integrated firewall in the VPN Client for use while connected with split tunneling. For CPP, the Firewall tab shows you the firewall rules in effect.
This status screen lists the following information:
Firewall Policy--The policy established on the VPN Concentrator for this VPN Client.
Product--The name of the firewall currently in use, such as Cisco Integrated Client, Zone Alarm Pro, and so on.
Firewall Rules--Information about the firewall rules currently in effect, as described in the following section.
The Firewall Rules section shows all of the firewall rules currently in effect on the VPN Client. Rules are in order of importance from highest to lowest level. The rules at the top of the table allow inbound and outbound traffic between the VPN Client and the secure gateway and between the VPN Client and the private networks with which it communicates. For example, there are two rules in effect for each private network that the VPN Client connects to through a tunnel (one rule that allows traffic outbound and another that allows traffic inbound). These rules are part of the VPN Client software. Since they are at the top of the table, the VPN Client enforces them before examining CPP rules. This approach lets the traffic flow to and from private networks.
CPP rules (defined on the VPN Concentrator) are only for nontunneled traffic and appear next in the table. For information on configuring filters and rules for CPP, see the VPN Client Administrator Guide, Chapter 1. A default rule "Firewall Filter for VPN Client (Default)" on the VPN Concentrator lets the VPN Client send any data out, but permits return traffic in only in response to outbound traffic.
Finally, there are two rules listed at the bottom of the table. These rules, defined on the VPN Concentrator, specify the filter's default action, either drop or forward. If not changed, the default action is drop. These rules are used only if the traffic does not match any of the preceding rules in the table.
Note The Cisco Integrated Client firewall is stateful in nature: for the protocols TCP, UDP, and ICMP it allows inbound responses to outbound packets. For exceptions, refer to the VPN Client Administrator Guide, Chapter 1. If you want to allow inbound responses to outbound packets for other protocols, such as HTTP, a network administrator must define specific filters on the VPN Concentrator.
You can move the bars on the column headings at the top of the box to expand their width; for example, to display the complete words Action and Direction rather than Act or Dir. However, each time you exit from the display and then open this status tab again, the columns revert to their original width. Default rules on the VPN Concentrator (drop any inbound and drop any outbound) are always at the bottom of the list. These two rules act as a safety net and are in effect only when traffic does not match any of the rules higher in the hierarchy.
To display the fields of a specific rule, click on the first column and observe the fields in the next area below the list of rules. For example, the window section underneath the rules displays the fields for the rule that is highlighted in the list.
A firewall rule includes the following fields:
Action--The action taken if the data traffic matches the rule:
Direction--The direction of traffic to be affected by the firewall:
Source Address--The address of the traffic that this rule affects:
Destination Address--The packet's destination address that this rule checks (the address of the recipient).
Protocol--The Internet Assigned Number Authority (IANA) number of the protocol that this rule concerns (6 for TCP; 17 for UDP and so on).
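The following Python model is an added example, not Cisco code from this guide: it walks a rule table built in the order described above (tunnel rules first, then the stateful CPP default filter, then the default drop rules) and returns the first matching rule's action for a packet. Rule names other than "Firewall Filter for VPN Client (Default)", the addresses, and the session-tracking scheme are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

TCP, UDP, ICMP = 6, 17, 1
STATEFUL_PROTOCOLS = {TCP, UDP, ICMP}   # replies to outbound packets are allowed

class Rule:
    """One row of the Firewall Rules table: Action, Direction, Source, Destination, Protocol."""
    def __init__(self, name, action, direction, src="0.0.0.0/0", dst="0.0.0.0/0",
                 proto=None, stateful=False):
        self.name, self.action, self.direction, self.stateful = name, action, direction, stateful
        self.src, self.dst, self.proto = ip_network(src), ip_network(dst), proto

    def matches(self, direction, src, dst, proto):
        return (self.direction in ("any", direction)
                and ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.proto in (None, proto))

class ClientFirewall:
    def __init__(self, rules):
        self.rules = rules      # ordered highest to lowest priority; first match wins
        self.sessions = set()   # (local, remote, proto) tuples opened by outbound traffic

    def check(self, direction, src, dst, proto):
        """Return (action, rule name) for one packet seen on the VPN Client."""
        for rule in self.rules:
            if not rule.matches(direction, src, dst, proto):
                continue
            if rule.stateful:
                if direction == "outbound":
                    self.sessions.add((src, dst, proto))   # remember what we sent
                elif (dst, src, proto) not in self.sessions or proto not in STATEFUL_PROTOCOLS:
                    continue   # inbound that is not a reply falls through to the default drops
            return rule.action, rule.name
        return "drop", "no rule"   # unreachable while the default drop rules are present

def build_table(tunnel_nets, gateway):
    """Constructed table in the documented order: gateway/tunnel rules, CPP filter, defaults."""
    rules = [Rule("gateway out", "forward", "outbound", dst=gateway),
             Rule("gateway in", "forward", "inbound", src=gateway)]
    for net in tunnel_nets:
        rules += [Rule(f"tunnel out {net}", "forward", "outbound", dst=net),
                  Rule(f"tunnel in {net}", "forward", "inbound", src=net)]
    rules.append(Rule("Firewall Filter for VPN Client (Default)", "forward", "any", stateful=True))
    rules += [Rule("default drop inbound", "drop", "inbound"),
              Rule("default drop outbound", "drop", "outbound")]
    return rules
```

A GRE (protocol 47) reply is dropped even after a matching outbound packet, which is the "other protocols" case the note above says requires an administrator-defined filter.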
When Client/Server is the supported policy, the Firewall tab displays the name of the firewall policy, the name of the product, the user ID, session ID, and the addresses and port numbers of the firewall servers in the private network. Zone Labs Integrity is a Client/Server firewall solution in which the Integrity Server (IS) acts as the firewall server that pushes firewall policy to the Integrity Agent (IA) residing on the VPN Client PC. Zone Labs Integrity can also provide a centrally controlled, always-on personal firewall.
Firewall Policy--This field shows that Client/Server is the supported policy.
Product--Lists the name of the Client/Server solution currently in use, such as Zone Labs Integrity Client.
User ID--In the format xx://IP address of the VPN Concentrator/group name and user name.
Session ID--The session ID of the connection between all of the entities. This is used to initialize the firewall client and is helpful for troubleshooting.
Servers--The IP address and port number of each firewall server.
Copyright © 1998-2004, Cisco Systems, Inc. All rights reserved.