Cisco VPN Firewall Feature for VPN Client

Overview of Software Client Firewall Feature

The built-in Stateful Firewall (Always On) service provides even tighter security by blocking all new inbound sessions from all networks, regardless of whether a VPN connection is active. The Stateful Firewall filtering applies to both encrypted and nonencrypted traffic. Outbound traffic creates entries in a state table, which allows returning packets to be allowed through. Any sessions originating on the outside interface are blocked by default, though, because no state table entries exist.

Two exceptions exist to this no unsolicited inbound traffic rule. The first involves supporting DHCP services: DHCP client requests to a DHCP server pass out on one port, but the resulting responses return through a different port. The Stateful Firewall feature is programmed to know this and allows that specific inbound traffic. The second exception is edge services processor (ESP) traffic through ESP modules from the secure gateway. The Stateful Firewall software recognizes ESP traffic as packet filters, and not as session-based filters, and allows it through.

To enable the Stateful Firewall, click Stateful Firewall (Always on) on the Options menu, as shown in Figure 12-13. The check in front of the option indicates the Stateful Firewall (Always On) feature is enabled. This feature is disabled by default. The feature can be enabled or disabled by clicking the entry in the VPN Client Options menu.

Figure 12-13: Stateful Firewall (Always on) on the Options menu

During a VPN connection, you can view the status of the firewall features by double-clicking the lock icon in the taskbar system tray or right-clicking the same icon and choose Status from the resulting menu. You can also enable or disable the feature from the same menu. The result is a three-tab window, as shown in Figure 12-14, with the firewall features on the third tab. The information displayed on the tab varies according to the configured firewall policy.

Figure 12-14: Cisco System VPN Client Connection Status information box

Defining a Client Firewall Policy

The VPN Concentrator network administrator can define and manage the firewall policy using the Configuration | User Management | Base Group or Group | Client FW tab. You can choose from three options:

• Are You There

• Centralized Protection Policy

• Client/Server

The Are You There Feature

Since v3.1, the Cisco VPN Client supports the Are You There (AYT) feature. When the AYT feature is enabled, the VPN Client polls the local firewall every 30 seconds to make sure it’s still running. While the VPN Client confirms the firewall is running, it doesn’t confirm that a specific policy is enforced.

If the security policy requires that remote users have firewalls running on their PCs, the VPN Concentrator can allow these clients to connect only if they have the designated firewall installed and running. If the designated firewall isn’t running, the connection attempts fails. Once the connection is established, the VPN Client uses the AYT feature to monitor the firewall to make sure it’s running. If the firewall stops for any reason, the VPN Client immediately drops the connection to the VPN Concentrator.

The Cisco System VPN Client Connection Status information box Firewall tab shows only the firewall policy (AYT) and the name of the firewall product, as shown in Figure 12-14 earlier.

The Central Policy Protection Feature

Central Policy Protection (CPP) is a stateful firewall policy that leverages the Cisco Integrated Client feature by letting the VPN Concentrator manage the client firewall policies. The specific policy rules are defined by the administrator on the VPN Concentrator, and then pushed down to the VPN Client every time a connection is attempted. The VPN Client then enforces these policy rules for all nontunneled (split-tunnel Internet) traffic while the tunnel is active.

Because CPP works only on out-of-tunnel Internet traffic, if the client is operating in a tunnel-everything mode, enabling CPP has no effect.

The Cisco System VPN Client Connection Status information box Firewall tab shows the firewall policy, the firewall in use, and firewall rules, as shown in Figure 12-15.

Figure 12-15: Firewall tab for CPP

Client/Server Feature

The Client/Server policy supports the Zone Labs Integrity solution. Zone Labs Integrity is a Client/Server firewall solution in which the Integrity Server acts as the firewall server that pushes firewall policy to the Integrity Agent residing on the VPN Client PC. Because Integrity is a fully functional stateful personal firewall, it can intelligently decide on network traffic based on application layer information, as well as on traditional Layer 3 and 4 fields.

The Cisco System VPN Client Connection Status information box Firewall tab shows the firewall policy as Client/Server, the name of the product as ZoneLabs Integrity Agent, the user ID, session ID, and the addresses and port numbers of the firewall servers, as shown in Figure 12-16.

Figure 12-16: Client/Server Firewall tab

Client Firewall Statistics

The Statistics tab on the Cisco System VPN Client Connection Status dialog box shows statistics on the VPN Client data packets processed during the current session or since the statistics were reset. The data collected includes the following information. Figure 12-17 shows the Statistics tab information.

Figure 12-17: VPN Client connection statistics

Clicking the RESET button clears these counters, but doesn’t impact the other two tabs. Clearing the counters often makes seeing the current activity easier, particularly if some time has passed since the last reset.