Firewall Tab

The Firewall tab displays information about the VPN Client's firewall configuration.

Configuring the Firewall on the Concentrator

The VPN Concentrator's network manager specifies the firewall that the VPN Client must be running, such as the Cisco Integrated Client, Zone Labs ZoneAlarm, ZoneAlarm Pro, BlackICE Defender, and so on, and configures the firewall policy under the Configuration | User Management | Base Group or Group | Client FW tab. The following firewall policy options exist:

Note     CPP affects only Internet traffic. Traffic across the tunnel is unaffected by its policy rules. If you are operating in tunnel everything mode, enabling CPP has no effect.

  • Client/Server, corresponding to "Policy from Server" (Zone Labs Integrity) on the VPN Concentrator, relates to the Zone Labs Integrity solution. The policy is defined on the Integrity Server in the private network and sent to the VPN Concentrator, which in turn sends it to the Integrity Agent on the VPN Client PC to enforce. Since Integrity is a fully functional personal firewall, it can make decisions about network traffic based on the application as well as on the data.

    Table 3-1 summarizes the policy options available for the various supported firewalls.

    Table 3-1 Firewalls and Policy Options Summary (X = policy option supported)

    Firewall                                    AYT   Pushed (CPP)   From Server
    ------------------------------------------  ---   ------------   -----------
    Cisco Integrated Firewall                         X
    Network Ice BlackICE Defender               X
    Zone Labs ZoneAlarm                         X     X
    Zone Labs ZoneAlarm Pro                     X     X
    Zone Labs ZoneAlarm or ZoneAlarm Pro        X     X
    Zone Labs Integrity                                              X
    Sygate Personal Firewall                    X
    Sygate Personal Firewall Pro                X
    Sygate Security Agent                       X
    Cisco Intrusion Prevention Security Agent   X
    Custom Firewall                             X     X              X
    Viewing Firewall Information on the VPN Client

    The Firewall tab displays the firewall policy in effect and the configured firewall product. The rest of the tab depends on these two settings, so its contents differ for each policy, as described below.

    AYT Firewall Tab

    The Firewall tab shows that AYT is running and displays the name of the firewall product that supports AYT. AYT is used with a third-party firewall such as Cisco Intrusion Prevention Security Agent or Zone Labs ZoneAlarm or ZoneAlarm Pro (see Table 3-1) to confirm that the firewall is enabled and running on the system. It does not confirm that any particular policy is enforced; only that the firewall product is present and active.

    Centralized Protection Policy (CPP) Using the Cisco Integrated Client

    CPP is a stateful firewall policy that is defined on and controlled from the VPN Concentrator. When split tunneling is in use, it protects the VPN Client PC, and through it the private network, from intrusion over the nontunneled path: the VPN Concentrator pushes a stateful firewall policy to the integrated firewall in the VPN Client, which enforces it for as long as the connection is up with split tunneling. For CPP, the Firewall tab shows you the firewall rules in effect.

    This status screen lists the following information:

    Firewall Rules

    The Firewall Rules section shows all of the firewall rules currently in effect on the VPN Client, listed in order of precedence from highest to lowest. The rules at the top of the table permit inbound and outbound traffic between the VPN Client and the secure gateway, and between the VPN Client and each private network it reaches through the tunnel; there are two rules per private network, one permitting outbound traffic and one permitting inbound traffic. These rules are built into the VPN Client software. Because they are at the top of the table, the VPN Client matches them before it examines any CPP rule, so traffic to and from the private networks always flows regardless of the CPP policy.

    CPP rules (defined on the VPN Concentrator) apply only to nontunneled traffic and appear next in the table. For information on configuring filters and rules for CPP, see VPN Client Administrator Guide, Chapter 1. The default rule "Firewall Filter for VPN Client (Default)" on the VPN Concentrator lets the VPN Client send any traffic out, but permits inbound traffic only when it is a response to that outbound traffic.

    Finally, two rules at the bottom of the table, also defined on the VPN Concentrator, specify the filter's default action, either drop or forward, for inbound and for outbound traffic. Unless changed, the default action is drop, so these rules appear as drop any inbound and drop any outbound. They act as a safety net and are used only for traffic that matches none of the preceding rules in the table.

    Note     The Cisco Integrated Client firewall is stateful: for TCP, UDP, and ICMP it automatically permits inbound responses to outbound packets. For exceptions, refer to VPN Client Administrator Guide, Chapter 1. To permit inbound traffic that is not tracked as a response to an outbound packet (another protocol, or one of the documented exceptions), a network administrator must define specific filters on the VPN Concentrator.
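    The following Python model is an added illustration of the rule table described above; it is not Cisco code and does not reproduce the Cisco Integrated Client's implementation. It builds the table in the order the text gives (built-in tunnel rules, then the CPP default filter, then the two default-action rules), evaluates packets first-match from the top, and tracks outbound flows so that only genuine replies are permitted inbound from the Internet. The rule names, addresses, networks, and packets are constructed for the example.

```python
"""Model of the rule table the Firewall tab shows under CPP (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IN, OUT = "in", "out"          # direction relative to the VPN Client PC
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str              # IN (toward the PC) or OUT (from the PC)
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0              # 0 for ICMP, which has no ports
    dport: int = 0

    def flow_key(self):
        """(proto, pc, pc_port, far, far_port) of the outbound flow this packet belongs to.

        Endpoints are swapped for inbound packets, so a genuine reply yields the
        same key as the outbound packet that solicited it.
        """
        if self.direction == OUT:
            return (self.proto, self.src, self.sport, self.dst, self.dport)
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "forward" or "drop"
    direction: str              # IN or OUT
    remote: str = ANY           # network of the far end of the packet
    stateful: bool = False      # inbound matches only if a matching outbound flow exists

    def matches(self, pkt, state):
        if self.direction != pkt.direction:
            return False
        far = pkt.dst if pkt.direction == OUT else pkt.src
        if ip_address(far) not in ip_network(self.remote):
            return False
        if self.stateful and pkt.direction == IN and pkt.flow_key() not in state:
            return False
        return True


class CppFirewall:
    """First-match evaluation over an ordered rule table, with a set of known outbound flows."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()

    def check(self, pkt):
        """Return (action, rule name) for the first rule that matches pkt."""
        for rule in self.rules:
            if rule.matches(pkt, self.state):
                if rule.action == "forward" and pkt.direction == OUT:
                    self.state.add(pkt.flow_key())   # remember the flow so its reply is allowed in
                return rule.action, rule.name
        raise AssertionError("the default rules should match every packet")


def build_table(gateway, private_nets):
    """Rule table in the order the text describes; gateway and nets are constructed inputs."""
    rules = [
        # 1. Built-in rules: secure gateway and each tunneled private network, both directions.
        Rule("Permit out to secure gateway", "forward", OUT, gateway + "/32"),
        Rule("Permit in from secure gateway", "forward", IN, gateway + "/32"),
    ]
    for net in private_nets:
        rules.append(Rule(f"Permit out to {net} (tunnel)", "forward", OUT, net))
        rules.append(Rule(f"Permit in from {net} (tunnel)", "forward", IN, net))
    rules += [
        # 2. CPP rules pushed from the Concentrator: the default filter (any out, replies in).
        Rule("CPP default filter: any out", "forward", OUT),
        Rule("CPP default filter: replies in", "forward", IN, stateful=True),
        # 3. Default-action rules, always last; the default action is drop.
        Rule("Default: drop any inbound", "drop", IN),
        Rule("Default: drop any outbound", "drop", OUT),
    ]
    return rules


def demo():
    """Run constructed packets through the table in order; returns {label: action}."""
    pc, gw, inet = "192.168.1.20", "203.0.113.1", "198.51.100.7"   # constructed addresses
    fw = CppFirewall(build_table(gw, ["10.0.0.0/8"]))
    cases = {
        "isakmp_to_gateway":     Packet(OUT, pc, gw, "udp", 500, 500),
        "tunnel_out":            Packet(OUT, pc, "10.1.2.3", "tcp", 40000, 445),
        "tunnel_in_unsolicited": Packet(IN, "10.9.9.9", pc, "tcp", 5555, 139),   # tunnel rule, not CPP
        "internet_out":          Packet(OUT, pc, inet, "tcp", 40001, 80),
        "internet_reply":        Packet(IN, inet, pc, "tcp", 80, 40001),          # matches the flow above
        "internet_unsolicited":  Packet(IN, inet, pc, "tcp", 80, 40002),          # no matching flow
        "internet_probe":        Packet(IN, "198.51.100.99", pc, "tcp", 31337, 445),
    }
    return {label: fw.check(pkt)[0] for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label:24s} {action}")
```

    Running the model shows the three behaviours the text describes: traffic to the gateway and to the 10.0.0.0/8 private network is forwarded in both directions by the built-in rules without ever consulting the CPP policy, any outbound Internet traffic is forwarded, and inbound Internet traffic is forwarded only when it matches a flow the PC opened; everything else falls through to the drop rules at the bottom.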

    You can drag the dividers between the column headings at the top of the box to widen a column; for example, to display the complete words Action and Direction rather than Act or Dir. Each time you close this status tab and open it again, the columns revert to their original width.

    To display the fields of a specific rule, click its entry in the first column; the area below the list of rules then shows the fields of the highlighted rule.

    A firewall rule includes the following fields:

    Client/Server Firewall Tab

    When Client/Server is the configured policy, the Firewall tab displays the name of the firewall policy, the name of the product, the user ID, the session ID, and the addresses and port numbers of the firewall servers in the private network. Zone Labs Integrity is a Client/Server firewall solution in which the Integrity Server (IS) acts as the firewall server that pushes firewall policy to the Integrity Agent (IA) residing on the VPN Client PC. Zone Labs Integrity can also provide a centrally controlled, always-on personal firewall.



    Copyright © 1998-2004, Cisco Systems, Inc. All rights reserved.