Cisco VPN Firewall Feature for VPN Client

The VPN Client software now includes an integrated stateful firewall feature set that provides protection to the client. The feature set protects the VPN Client PC from Internet attacks both from split-tunneling implementations and IPSec tunnel connections to a VPN Concentrator. This feature is called Stateful Firewall (Always On).

Overview of Software Client Firewall Feature

The built-in Stateful Firewall (Always On) service provides even tighter security by blocking all new inbound sessions from all networks, regardless of whether a VPN connection is active. The Stateful Firewall filtering applies to both encrypted and nonencrypted traffic. Outbound traffic creates entries in a state table, which allows returning packets to be allowed through. Any sessions originating on the outside interface are blocked by default, though, because no state table entries exist.

Two exceptions exist to this no unsolicited inbound traffic rule. The first involves supporting DHCP services: DHCP client requests to a DHCP server pass out on one port, but the resulting responses return through a different port. The Stateful Firewall feature is programmed to know this and allows that specific inbound traffic. The second exception is edge services processor (ESP) traffic through ESP modules from the secure gateway. The Stateful Firewall software recognizes ESP traffic as packet filters, and not as session-based filters, and allows it through.

To enable the Stateful Firewall, click Stateful Firewall (Always on) on the Options menu, as shown in Figure 12-13. The check in front of the option indicates the Stateful Firewall (Always On) feature is enabled. This feature is disabled by default. The feature can be enabled or disabled by clicking the entry in the VPN Client Options menu.

Figure 12-13: Stateful Firewall (Always on) on the Options menu

During a VPN connection, you can view the status of the firewall features by double-clicking the lock icon in the taskbar system tray, or by right-clicking the same icon and choosing Status from the resulting menu. You can also enable or disable the feature from the same menu. The result is a three-tab window, as shown in Figure 12-14, with the firewall features on the third tab. The information displayed on the tab varies according to the configured firewall policy.

Figure 12-14: Cisco System VPN Client Connection Status information box

Defining a Client Firewall Policy

The VPN Concentrator network administrator can define and manage the firewall policy using the Configuration | User Management | Base Group or Group | Client FW tab. You can choose from three options:

  • Are You There

  • Centralized Protection Policy

  • Client/Server

The Are You There Feature

Since v3.1, the Cisco VPN Client supports the Are You There (AYT) feature. When the AYT feature is enabled, the VPN Client polls the local firewall every 30 seconds to make sure it’s still running. While the VPN Client confirms the firewall is running, it doesn’t confirm that a specific policy is enforced.

If the security policy requires that remote users have firewalls running on their PCs, the VPN Concentrator can allow these clients to connect only if they have the designated firewall installed and running. If the designated firewall isn’t running, the connection attempt fails. Once the connection is established, the VPN Client uses the AYT feature to monitor the firewall to make sure it’s running. If the firewall stops for any reason, the VPN Client immediately drops the connection to the VPN Concentrator.

The Cisco System VPN Client Connection Status information box Firewall tab shows only the firewall policy (AYT) and the name of the firewall product, as shown in Figure 12-14 earlier.

The Central Policy Protection Feature

Central Policy Protection (CPP) is a stateful firewall policy that leverages the Cisco Integrated Client feature by letting the VPN Concentrator manage the client firewall policies. The specific policy rules are defined by the administrator on the VPN Concentrator, and then pushed down to the VPN Client every time a connection is attempted. The VPN Client then enforces these policy rules for all nontunneled (split-tunnel Internet) traffic while the tunnel is active.

Because CPP works only on out-of-tunnel Internet traffic, if the client is operating in a tunnel-everything mode, enabling CPP has no effect.

The Cisco System VPN Client Connection Status information box Firewall tab shows the firewall policy, the firewall in use, and firewall rules, as shown in Figure 12-15.

Figure 12-15: Firewall tab for CPP

Firewall Rules

The Firewall Rules section of the Status box shows all the firewall rules currently implemented on the VPN Client. The rules are arranged in order of importance, with the highest importance at the top. All but the last two rules are defined by the VPN administrator to allow inbound and outbound traffic between the VPN Client and the secure gateway, as well as between the VPN Client and the private networks with which it communicates. Because the rules are implemented from the top down, the VPN Client enforces them before trying the two CPP default rules at the bottom. This approach lets the traffic flow to and from private networks.

The bottom two rules define the filter’s default actions, which are to drop both inbound and outbound traffic. These rules are implemented only if the traffic doesn’t match any of the preceding rules.

To see the full fields of a specific rule, click the first column in the top half of the Firewall Rules: window; the selected rule is displayed in the bottom half of the window.

A firewall rule includes the following fields and options:

Action

Action to be taken if the data traffic matches the rule: Drop—Discard the session. Forward—Allow the session to go through.

Direction

Direction of traffic to be affected by the rule: Inbound—Traffic coming in to the local machine. Outbound—Traffic going out from the local machine.

Source Address

Source address of the traffic this rule affects: Any—All traffic, for example, drop any inbound traffic. IP address and subnet mask—A specific host address. Local—The local machine for outbound traffic.

Destination Address

Destination address this rule affects: Any—All traffic. Local—The local machine if the direction is inbound.

Protocol

The Internet Assigned Numbers Authority (IANA) number of the protocol this rule covers (6 for TCP, 17 for UDP).

Source Port

Source port used by TCP or UDP.

Destination Port

Destination port used by TCP or UDP.

The Stateful Firewall Process

In the Cisco Integrated Client stateful firewall, the TCP, UDP, and ICMP protocols automatically allow inbound responses to outbound packets. To allow inbound responses to outbound packets for any other protocol, the network administrator must define specific filters on the VPN Concentrator; these are then passed down to the VPN Client the next time a session is established.
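The following Python model, added here as an illustration and not code from Cisco or the VPN Client, ties together the Firewall Rules section above (administrator rules evaluated top down, two CPP default drop rules at the bottom, rule fields as listed) and the stateful process just described (TCP, UDP, and ICMP replies to client-opened sessions pass automatically; other protocols need an explicit rule). The client address, the sample policy, and the packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass
TCP, UDP, ICMP = 6, 17, 1   # IANA protocol numbers, as in the rule's Protocol field
LOCAL = "10.0.0.5"          # constructed address of the VPN Client PC

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = toward the local machine, "out" = leaving it
    proto: int
    src: str
    dst: str
    sport: "int | None" = None
    dport: "int | None" = None

@dataclass(frozen=True)
class Rule:                 # the fields listed under "Firewall Rules" above
    action: str             # "forward" or "drop"
    direction: str          # "in" or "out"
    src: str                # "any", "local", or an address/prefix
    dst: str
    proto: "int | None" = None   # None matches any protocol / any port
    sport: "int | None" = None
    dport: "int | None" = None
CPP_DEFAULTS = [Rule("drop", "in", "any", "local"),    # the two default rules at the
                Rule("drop", "out", "local", "any")]   # bottom of every CPP rule list

def addr_match(spec, addr):
    if spec in ("any", "local"):
        return spec == "any" or addr == LOCAL
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def rule_matches(r, p):
    return (r.direction == p.direction and addr_match(r.src, p.src)
            and addr_match(r.dst, p.dst) and r.proto in (None, p.proto)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport))
def process(admin_rules, state, p):
    # Stateful step: TCP/UDP/ICMP replies to sessions the client opened (recorded in
    # state) pass without a rule lookup; other protocols need an explicit inbound rule.
    if (p.direction == "in" and p.proto in (TCP, UDP, ICMP)
            and (p.proto, p.dst, p.dport, p.src, p.sport) in state):
        return "forward"
    for r in list(admin_rules) + CPP_DEFAULTS:   # first match wins, top down
        if rule_matches(r, p):
            if r.action == "forward" and p.direction == "out" and p.proto in (TCP, UDP, ICMP):
                state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return r.action
    return "drop"

# Constructed policy: the client may open sessions anywhere; 192.168.10.0/24 may reach it.
ADMIN_RULES = [Rule("forward", "out", "local", "any"),
               Rule("forward", "in", "192.168.10.0/24", "local")]
```

Run `process(ADMIN_RULES, state, packet)` with a shared `state` set across packets: an unsolicited inbound TCP segment from the Internet falls through to the default drop rule, while the reply to a session the client opened is forwarded from the state table, and an inbound GRE packet is dropped even after an outbound GRE packet because only TCP, UDP, and ICMP create state.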

Client/Server Feature

The Client/Server policy supports the Zone Labs Integrity solution. Zone Labs Integrity is a Client/Server firewall solution in which the Integrity Server acts as the firewall server that pushes firewall policy to the Integrity Agent residing on the VPN Client PC. Because Integrity is a fully functional stateful personal firewall, it can intelligently decide on network traffic based on application layer information, as well as on traditional Layer 3 and 4 fields.

The Cisco System VPN Client Connection Status information box Firewall tab shows the firewall policy as Client/Server, the name of the product as ZoneLabs Integrity Agent, the user ID, session ID, and the addresses and port numbers of the firewall servers, as shown in Figure 12-16.

Figure 12-16: Client/Server Firewall tab

Client Firewall Statistics

The Statistics tab on the Cisco System VPN Client Connection Status dialog box shows statistics on the VPN Client data packets processed during the current session or since the statistics were reset. Figure 12-17 shows the Statistics tab; the data collected includes the following information.

Figure 12-17: VPN Client connection statistics

Bytes in

Total data received after the secure packets have been decrypted.

Bytes out

Total amount of encrypted data transmitted through the tunnel.

Packets decrypted

Total number of data packets received on the port.

Packets encrypted

Total number of secured data packets transmitted out the port.

Packets bypassed

Total number of packets not processed by the VPN Client because they didn’t need to be encrypted, such as local ARPs and DHCP.

Packets discarded

Total number of packets the VPN Client rejected because they weren’t from the VPN peer device.

Clicking the RESET button clears these counters, but doesn’t impact the other two tabs. Clearing the counters often makes seeing the current activity easier, particularly if some time has passed since the last reset.
