Cisco VPN Client - PowerPoint PPT Presentation

About This Presentation
Title:

Cisco VPN Client

Description:

Identify the Stateful Firewall feature. Define CIC (Cisco Integrated Client) ... Zone Labs Integrity Server (IS) to manage their security settings on the firewall ...

Slides: 35
Provided by: aspy

Transcript and Presenter's Notes

Title: Cisco VPN Client


1
  • Cisco VPN Client
  • Firewall Feature
  • Chapter 6

2
Lecture 5 - Objectives
  • Identify the Stateful Firewall feature
  • Define CIC (Cisco Integrated Client) and CPP
    (Central Policy Protection)
  • Describe the Are You There feature
  • Configure AYT (Are You There)
  • Configure Firewall Filter Rules
  • Recognize Default Rules
  • Customize Firewall Policy
  • Identify Configuring Rules
  • Configure Stateful Firewall
  • Configure VPN Concentrator for Firewall Usage
  • Define Firewall Settings
  • List 3 Firewall Policies
  • Monitor VPN Client Firewall Statistics
  • Enable Automatic Client Update via Cisco VPN 3000
    Concentrator Series Manager

3
Chapter 6 - Software Client Firewall Feature
  • Enforces rules and policies to protect the corporate
    network from third-party networks
  • Addresses the Internet traffic security issue created
    by using a split tunnel
  • 4 Firewall Features
      • AYT (Are You There)
      • Stateful Firewall
      • CPP (Central Policy Protection)
      • CIC (Cisco Integrated Client firewall)

4
Chapter 6 - Stateful Firewall
  • Cisco Integrated Client firewall
  • Software Client release 3.5 and up
  • Licensed from Zone Labs
  • Default policy
      • Blocks inbound traffic not related to outbound
      • DHCP and ARP are exceptions
  • When enabled, active for both tunneled and
    non-tunneled traffic
  • CPP used to centrally define rules for CIC
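The default policy on this slide is easiest to understand as a small flow table. The following is an added example, not Cisco or Zone Labs code: it records outbound flows, admits inbound packets only when they reverse a recorded flow, and lets DHCP replies and ARP through as the slide's two exceptions. The `Packet` layout, the flow-key shape and the sample traffic (documentation addresses) are constructed for the illustration.

```python
"""Toy model of the CIC stateful firewall's default policy.

Added example, not Cisco or Zone Labs code: the slide says the default policy
blocks inbound traffic not related to outbound traffic, with DHCP and ARP as
exceptions. Packet layout, flow-table shape and sample traffic are constructed.
"""
from dataclasses import dataclass

DHCP_SERVER_PORT = 67  # IANA bootps/bootpc ports, used to recognise DHCP replies
DHCP_CLIENT_PORT = 68


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" or "in", seen from the VPN client host
    proto: str      # "tcp", "udp", "icmp" or "arp"
    src: str
    sport: int      # 0 for protocols without ports
    dst: str
    dport: int


class StatefulFirewall:
    """Tracks outbound flows; admits inbound traffic only if it belongs to one."""

    def __init__(self) -> None:
        # flow key: (proto, local_ip, local_port, remote_ip, remote_port)
        self.flows: set[tuple[str, str, int, str, int]] = set()

    def process(self, pkt: Packet) -> str:
        """Return "forward" or "drop" for one packet and update flow state."""
        if pkt.direction == "out":
            # Outbound traffic is permitted and creates the flow that later
            # legitimises the matching inbound replies.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"

        # Inbound: the two exceptions named on the slide come first.
        if pkt.proto == "arp":
            return "forward"
        if pkt.proto == "udp" and pkt.sport == DHCP_SERVER_PORT and pkt.dport == DHCP_CLIENT_PORT:
            return "forward"

        # Everything else inbound must be the reverse of a recorded outbound flow.
        reverse_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "forward" if reverse_key in self.flows else "drop"


# Constructed sample traffic for a client at 192.0.2.10 (documentation range).
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "192.0.2.10", 51000, "198.51.100.20", 443),  # client opens HTTPS
    Packet("in", "tcp", "198.51.100.20", 443, "192.0.2.10", 51000),   # server reply: related
    Packet("in", "tcp", "198.51.100.99", 4444, "192.0.2.10", 445),    # unsolicited inbound probe
    Packet("in", "udp", "192.0.2.1", 67, "192.0.2.10", 68),           # DHCP offer: exception
    Packet("in", "arp", "192.0.2.1", 0, "192.0.2.10", 0),             # ARP request: exception
    Packet("in", "icmp", "198.51.100.99", 0, "192.0.2.10", 0),        # unsolicited ping
]


def run_sample(traffic: list[Packet] = SAMPLE_TRAFFIC) -> list[str]:
    """Run the sample traffic through a fresh firewall and return the verdicts."""
    fw = StatefulFirewall()
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{verdict:8} {pkt.direction:3} {pkt.proto:4} "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The verdicts come out as forward, forward, drop, forward, forward, drop: the HTTPS reply is admitted because the client initiated it, while the unsolicited probe and the unsolicited ping are dropped even though nothing on the client is listening for them.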

5
Chapter 6 Cisco Integrated Client (CIC)
  • Transparent to the user
  • Designed by Zone Labs

6
Chapter 6 Central Policy Protection
  • Policy defined on Concentrator pushed to Software
    Client
  • Firewall Filter for VPN Client (Default)
  • Software Client forwards policy to local firewall
    for enforcement
  • Applicable to CIC or Zone Labs
  • Software Client Connection Status used to verify
    firewall configuration

7
Chapter 6 - Are You There
  • Concentrator configured to require Software
    Clients to have a specific firewall
  • Software Client ensures the firewall is running
  • Drops connection to Concentrator if the firewall
    stops
  • Periodically polls the firewall to determine that
    it is active

8
Chapter 6 - Are You There Configuration
  • 4 Basic Steps
      • Select setting from the Firewall Setting row
          • Default is no firewall
          • Firewall Required permits only users with the
            designated firewall to connect
          • Firewall Optional notifies users without a
            firewall of the supported firewall
      • Identify firewall
          • Currently 4 vendors as well as custom
      • Optionally configure custom firewall
      • Select Firewall Policy

9
Chapter 6 - Configuring Firewall Filter Rules
  • Specifications that allow or deny specific types
    of traffic
  • Can be applied to either an interface or a VPN
    group
  • Figure 6-2, page 269
      • Configuration\Policy Management\Traffic
        Management\Rules

Figure 6.2 Configuration\Policy
Management\Traffic Management\Rules Screen
10
Chapter 6 Default Rules
  • Default rules are listed in Table 6-3, page 270
  • Add, modify, copy, or delete rules
  • While configuring rules, remember that the rule
    is based on the viewpoint of the VPN concentrator
  • This means that if the rule is to be used on a
    VPN Client, you must verify that the rule is set
    for the client, not the head-end concentrator

11
Chapter 6 - Customized Firewall Policy
  • Define rules to restrict traffic
  • Apply to inbound or outbound
  • Define action to drop (default) or forward
  • Select protocol or create new one using IANA
    assigned protocol number
  • Define Source and Destination addresses
  • Define ports if the protocol is TCP or UDP

12
Chapter 6 Configuring Rules
  • Name, Direction, and Action
  • Protocol and TCP connection
  • Source address and destination address
  • TCP/UDP source and destination ports
  • ICMP packet type
  • The TCP Connection and Internet Control Message
    Protocol (ICMP) Packet Type are not applicable on
    the VPN Client

13
Chapter 6 - Name, Direction, and Action
  • Maximum of 48 characters
  • Inbound and Outbound from a pull-down menu
  • Action
      • Drop
      • Drop and Log
      • Forward
      • Forward and Log
      • Apply IPSec
      • Apply IPSec and Log

14
Chapter 6 - Protocol and TCP Connection
  • Select protocol from a pull-down menu
  • Or place a protocol number in the other box
  • The TCP Connection field is ignored for client
    firewall rules

15
Chapter 6 - Source Address and Destination Address
  • The pull-down menu lists all the network lists
    that are configured on the concentrator
  • Define the range of IP addresses to which this
    list applies

16
Chapter 6 - TCP/UDP Source and Destination Ports
  • Can select a range
  • Can use the pull-down menu to select specific
    ports
  • Table 6-5, page 275

17
Chapter 6 - Stateful Firewall Configuration
  • The Software Client's Stateful Firewall feature is
    easily configured on the Cisco VPN Client
  • Choose the Options pull-down menu
  • Check the Always On option next to Stateful
    Firewall
  • Choose the Options pull-down menu again, and make
    sure that there is a check mark in front of the
    Stateful Firewall (Always On) option.

18
Chapter 6 - Stateful Firewall Configuration
19
Chapter 6 Configuring the VPN Concentrator for
Firewall Usage
  • All firewall options, other than the Stateful
    (Always On) option, are done on the VPN
    Concentrator
      • Firewall Setting
      • Firewall
      • Custom Firewall
      • Firewall Policy

Figure 6.6 The Client FW Tab
20
Chapter 6 Firewall Setting
  • No Firewall (Default)
  • Firewall Required
      • All users in the group must use this firewall
      • Firewall must be active during tunnel activation
      • If the firewall software terminates, so does
        the tunnel
  • Firewall Optional

21
Chapter 6 Firewall
  • Pull-down menu for the specific firewall
      • Cisco Integrated Client Firewall
      • Network ICE BlackICE Defender
      • Zone Labs Zone Alarm
      • Zone Labs Zone AlarmPro
      • Zone Labs Zone Alarm or Zone Labs Zone AlarmPro
      • Zone Labs Integrity Client
      • Custom Firewall
      • Plus some Sygate

22
Chapter 6 Custom Firewall
  • When options become available, provide the
    necessary codes in the
      • Vendor ID
      • Product ID fields
  • Can combine firewalls from one vendor
  • Cannot use multiple vendors

23
Chapter 6 Firewall Policy
  • Policy defined by remote firewall (AYT)
  • Policy Pushed (CPP)
  • Policy from Server

24
Chapter 6Policy defined by remote firewall (AYT)
  • Allows policies defined by the remote firewall
  • The firewall must be running
  • A poll is sent from the VPN Client to the
    firewall service on the workstation every 30
    seconds
  • If the firewall does not answer, the connection
    is dropped

25
Chapter 6 Policy defined by remote firewall (AYT)
  • VPN Client polls a firewall installed on the
    client PC every 30 seconds
  • If the firewall does not answer these polls, the
    VPN Client drops the tunnel
  • The VPN Client does not enforce a policy but
    rather ensures that a software firewall on the PC
    is running
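Slides 20 through 25 together describe an admission decision (the group's Firewall Setting and the accepted firewall, including the one-vendor rule for a Custom Firewall) followed by a liveness check (the 30-second AYT poll). The following added example, not Cisco code, models both as plain functions so the outcomes can be tabulated. The vendor and product codes, the poll results and the `connect-notify` outcome label are constructed for the illustration; real Vendor ID and Product ID values come from the firewall vendor.

```python
"""Toy model of the Firewall Setting choices and the AYT poll.

Added example, not Cisco code. It models the three Firewall Setting values
(No Firewall, Firewall Required, Firewall Optional), the Custom Firewall rule
that products may be combined only within one vendor, and the AYT behaviour
the slides describe: the VPN Client polls the local firewall every 30 seconds
and drops the tunnel when a poll goes unanswered. Vendor/product codes and
poll results are constructed, as is the "connect-notify" outcome label.
"""
from dataclasses import dataclass
from typing import Optional

AYT_POLL_INTERVAL = 30  # seconds between polls, as stated on the slides


@dataclass(frozen=True)
class FirewallId:
    vendor_id: int   # constructed codes; real Vendor/Product IDs come from the vendor
    product_id: int


def custom_firewall(entries: list[tuple[int, int]]) -> frozenset[FirewallId]:
    """Accepted set for a Custom Firewall: several products of one vendor may
    be combined, but entries from more than one vendor are rejected."""
    vendors = {vendor for vendor, _ in entries}
    if len(vendors) != 1:
        raise ValueError("custom firewall must use exactly one vendor")
    return frozenset(FirewallId(v, p) for v, p in entries)


def admission(setting: str, accepted: frozenset[FirewallId],
              detected: Optional[FirewallId]) -> str:
    """What happens when a client in the group connects.

    "connect": tunnel established; "reject": Firewall Required and no accepted
    firewall; "connect-notify": Firewall Optional and no accepted firewall, so
    the user is told which firewall is supported but still connects.
    """
    has_accepted = detected is not None and detected in accepted
    if setting == "none":
        return "connect"
    if setting == "required":
        return "connect" if has_accepted else "reject"
    if setting == "optional":
        return "connect" if has_accepted else "connect-notify"
    raise ValueError(f"unknown firewall setting {setting!r}")


def ayt_drop_time(poll_answers: list[bool], interval: int = AYT_POLL_INTERVAL) -> Optional[int]:
    """Replay AYT polls sent every `interval` seconds after tunnel setup.
    Returns the second at which the first unanswered poll drops the tunnel,
    or None when every poll was answered."""
    for n, answered in enumerate(poll_answers, start=1):
        if not answered:
            return n * interval
    return None


# Constructed group configuration: two products from one vendor are accepted.
CORP_FIREWALL = custom_firewall([(1001, 1), (1001, 2)])

if __name__ == "__main__":
    print(admission("required", CORP_FIREWALL, FirewallId(1001, 2)))   # connect
    print(admission("required", CORP_FIREWALL, None))                  # reject
    print(admission("optional", CORP_FIREWALL, FirewallId(2002, 1)))   # connect-notify
    print(ayt_drop_time([True, True, True, False]))                    # 120
```

Passing entries from two vendors to `custom_firewall` raises `ValueError`, which is the "cannot use multiple vendors" constraint from the Custom Firewall slide; a firewall that stops answering after the third poll costs the tunnel at 120 seconds, four polls into the session.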

26
Chapter 6 Policy Pushed Central Protection
Policy (CPP)
  • Allows the concentrator to push the policy defined
    there down to the client
  • The list depends on the filters you have defined
    on the concentrator
  • If the VPN Client has a firewall, these rules are
    added to the local firewall's rules
  • This means that the more restrictive of the two
    sets of rules applies
  • For example, if the VPN concentrator's rule
    allows web browsing but the client's firewall
    does not, no web browsing is allowed
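The rule fields from slides 11 through 16 and the "more restrictive of the two sets applies" merge on this slide can be exercised in one small rule engine. The following added example, not Cisco code, evaluates a packet against an ordered rule list (first match wins) and then combines the pushed policy with the local firewall's rules so that a packet is forwarded only when both permit it. Two assumptions are labelled in the code: an unmatched packet is dropped, and the "... and Log" action variants are treated like their plain counterparts. The rule sets and packets reproduce the slide's web-browsing example with constructed documentation addresses.

```python
"""Toy model of client firewall filter rules and CPP rule merging.

Added example, not Cisco code. Rule fields follow the slides: a name of at most
48 characters, inbound/outbound direction, drop or forward action, an IANA
protocol number, source and destination address, and TCP/UDP port ranges.
First matching rule wins; an unmatched packet is dropped (assumed default).
Under CPP the pushed rules are added to the local firewall's rules, so the
more restrictive verdict applies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17   # real IANA protocol numbers

Port = tuple[int, int]        # inclusive port range
ANY_PORT: Port = (0, 65535)


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" | "outbound", from the VPN Client's viewpoint
    protocol: int    # IANA protocol number
    src: str
    dst: str
    sport: int = 0   # 0 for protocols without ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "inbound" | "outbound"
    action: str                     # "drop" | "forward" ("... and Log" variants behave alike here)
    protocol: Optional[int] = None  # IANA number (the "Other" box); None matches any protocol
    src: str = "0.0.0.0/0"          # source network; the deck selects these from network lists
    dst: str = "0.0.0.0/0"
    sport: Port = ANY_PORT
    dport: Port = ANY_PORT

    def __post_init__(self) -> None:
        if len(self.name) > 48:                 # slide: maximum of 48 characters
            raise ValueError("rule name exceeds 48 characters")
        if self.direction not in ("inbound", "outbound"):
            raise ValueError("direction must be inbound or outbound")
        if self.action not in ("drop", "forward"):
            raise ValueError("action must be drop or forward")

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        # Ports are only defined for TCP and UDP; other protocols ignore them.
        if pkt.protocol in (PROTO_TCP, PROTO_UDP):
            if not self.sport[0] <= pkt.sport <= self.sport[1]:
                return False
            if not self.dport[0] <= pkt.dport <= self.dport[1]:
                return False
        return True


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match is dropped (assumed default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


def cpp_decision(pushed: list[Rule], local: list[Rule], pkt: Packet) -> str:
    """CPP merge: the pushed policy is added to the local firewall's rules, so
    a packet is forwarded only when both rule sets forward it."""
    verdicts = {evaluate(pushed, pkt), evaluate(local, pkt)}
    return "forward" if verdicts == {"forward"} else "drop"


# Constructed policies for the slide's example: the concentrator permits web
# browsing through the split tunnel, the client's own firewall does not.
PUSHED_RULES = [
    Rule("CPP allow http out", "outbound", "forward", PROTO_TCP, dport=(80, 80)),
    Rule("CPP allow https out", "outbound", "forward", PROTO_TCP, dport=(443, 443)),
]
LOCAL_RULES = [
    Rule("Local block http out", "outbound", "drop", PROTO_TCP, dport=(80, 80)),
    Rule("Local allow https out", "outbound", "forward", PROTO_TCP, dport=(443, 443)),
]

HTTP_OUT = Packet("outbound", PROTO_TCP, "192.0.2.10", "198.51.100.20", 51000, 80)
HTTPS_OUT = Packet("outbound", PROTO_TCP, "192.0.2.10", "198.51.100.20", 51001, 443)

if __name__ == "__main__":
    for pkt in (HTTP_OUT, HTTPS_OUT):
        print(f"dport {pkt.dport}: pushed={evaluate(PUSHED_RULES, pkt)} "
              f"local={evaluate(LOCAL_RULES, pkt)} "
              f"merged={cpp_decision(PUSHED_RULES, LOCAL_RULES, pkt)}")
```

For the port 80 packet the pushed policy says forward and the local firewall says drop, so the merged verdict is drop, exactly the slide's "no web browsing is allowed"; port 443 is forwarded because both sets permit it. Because the rules are written from the client's viewpoint here, a rule authored on the concentrator must be checked for direction before it is pushed, as slide 10 warns.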

27
Chapter 6 Policy Pushed Central Protection
Policy (CPP)
  • CPP allows the VPN concentrator to define rules
    for use during split-tunnel operation
  • Known as a push policy

28
Chapter 6 Policy from Server
  • Allows the users within the group to use a Zone
    Labs Integrity Server (IS) to manage their security
    settings on the firewall
  • Configure the appropriate IP address of the IS
  • Verify that the IS is reachable from the VPN
    concentrator

29
Chapter 6 Monitoring VPN Client Firewall
Statistics
  • General
  • Statistics

30
Chapter 6 Monitoring VPN Client Firewall
Statistics
  • General
  • Statistics

Figure 6.7 The Cisco Systems VPN Client
Connection Status\General
Figure 6.8 The Cisco Systems VPN Client
Connection Status\Statistics
31
Enabling Automatic Client Update Through the
Cisco VPN 3000 Concentrator Series Manager
  • Ensure that all your users' systems are running
    the same client
  • Cisco Secure VPN (CSVPN) Client software can be
    upgraded by pushing the configuration from any of
    the devices in the VPN 3000 Concentrator Series
  • Software upgrade is pending on the client

32
Enabling Automatic Client Update Through the
Cisco VPN 3000 Concentrator Series Manager
  • Groups Screen
  • Client Update

Figure 6.9 Configuration\User Management\Groups
Figure 6.10 Configuration\User Management\Groups\Client Update\Modify
33
Lecture 5 - Summary
  • Features within the Software Client and
    Concentrator provide the capability to meet
    differing VPN requirements. A good way to
    restrict what users can do is through
    configuration of the client firewall features and
    the Cisco Integrated Client.

34
Lecture 5 - Summary
  • Identify the Stateful Firewall feature
  • Define CIC (Cisco Integrated Client) and CPP
    (Central Policy Protection)
  • Describe the Are You There feature
  • Configure AYT (Are You There)
  • Configure Firewall Filter Rules
  • Recognize Default Rules
  • Customize Firewall Policy
  • Identify Configuring Rules
  • Configure Stateful Firewall
  • Configure VPN Concentrator for Firewall Usage
  • Define Firewall Settings
  • List 3 Firewall Policies
  • Monitor VPN Client Firewall Statistics
  • Enable Automatic Client Update via Cisco VPN 3000
    Concentrator Series Manager