Policy View


The Policy View, the Map View, and the Device View are the three main areas in the Cisco Security Manager for defining and enforcing the security configuration of a device in a Cisco Self-Defending Network. The previous example in the Device View detailed how a security policy or access control list (ACL) permitting HTTP or web traffic could be copied or shared between multiple devices. Any shared policies that are created in the Device View are also displayed in the Policy View.

Some users will want to select a device from either the Device View or Map View and configure a security policy for that device. Other users may want to start by selecting a security policy and then applying it to multiple devices. The Policy View allows the user to first select or create the security policy and then apply that policy to multiple devices.

The icon to launch the Policy View is located next to the Device View and Map View icons. Like the Device View and Map View, the Policy View can also be launched from the view drop-down tab on the main Cisco Security Manager homepage.

Figure 9-20 displays the policy types that can be configured in the Policy View. Policy types include Firewall (access rules, inspection rules, and so on), Network Address Translation (NAT), remote-access VPN, PIX/ASA/FWSM platform (bridging, routing, and so on), site-to-site VPN, router platform (802.1x, NAC, QoS, and so on), and FlexConfigs. A FlexConfig is a CLI template that enables a user to manually define CLI commands to be deployed to a device or group of devices. Predefined FlexConfig templates are also provided for common deployments that involve nonsecurity features, such as configuring voice over IP (VoIP) on IOS routers. FlexConfig also supports network and service objects and can make use of the Cisco Security Manager rule tables and VPN components.

Figure 9-20. Policy View Feature Set


Access Control List (ACL) Rules Security Policy

Let's say that a security operator wants to define a security policy to block the nasty Sasser virus on all devices in the . This operator can simply create a firewall access control list (ACL) rules policy from the Policy View to block Sasser and apply it to all interfaces of all devices with a single rule. Figure 9-21 displays how a rule to block the Sasser virus can be configured from the Policy View.

Figure 9-21. Policy Rule to Block the Sasser Virus


Policy Inheritance and Mandatory Security Policies

Security policies can be applied to all devices, a group of devices, or a single device. Security policies can also be arranged in a hierarchy. For example, say that a user wants to define a security policy to protect an SQL server in a data center in San Jose. The user may construct a common high-level security policy and then have the security policy for the San Jose SQL server inherit all the access control list (ACL) rules defined in that common high-level policy. The advantage of a policy hierarchy is that the common, coarse-grained security policy is defined once and leveraged many times, while being maintained and managed in a single, common policy. Figure 9-22 shows how to create a policy hierarchy by allowing a policy type to inherit the security policy of a parent policy type.

Figure 9-22. Policy Inheritance


A security policy created from the Policy View can be either mandatory or default. Mandatory security policies take precedence over default security policies. Mandatory security policies can also be tied to specific administrative privileges. Mandatory security policies allow multiple security operations groups and the network operations group to view and configure the same set of devices. For example, a senior security operator may define the security policy that denies IPSec VPN traffic received on an inside interface as mandatory because corporate policy requires it. Another security operator may be able to add default security policies to that device but cannot delete or modify the mandatory security policy.
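A small model of the two ideas above, policy inheritance and mandatory versus default rules, added here as an illustration; it is not Cisco Security Manager's own code. The ordering of rule tiers, the operator permission check, and the constructed rule sets for the common parent policy and the San Jose SQL child policy are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Simplified model of Policy View inheritance. Added example, not Cisco Security
# Manager code; the ordering of rule tiers below is an assumption for illustration.

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", "esp", ...
    dst_port: Optional[int]   # None matches any port (or a port-less protocol)
    mandatory: bool = False

@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    rules: List[Rule] = field(default_factory=list)

    def lineage(self):                 # [root ancestor, ..., self]
        chain, p = [], self
        while p is not None:
            chain.append(p)
            p = p.parent
        return chain[::-1]
    def effective_rules(self):
        # Assumed ordering: mandatory rules (root-most ancestor first), then default rules (self first).
        chain = self.lineage()
        mandatory = [r for p in chain for r in p.rules if r.mandatory]
        default = [r for p in reversed(chain) for r in p.rules if not r.mandatory]
        return mandatory + default
    def remove_rule(self, rule, may_edit_mandatory=False):
        # A junior operator may remove default rules here but not mandatory or inherited ones.
        if rule.mandatory and not may_edit_mandatory:
            raise PermissionError("mandatory rules cannot be removed")
        if rule not in self.rules:
            raise ValueError("inherited rules must be changed in the parent policy")
        self.rules.remove(rule)

def first_match(rules, proto, dst_port):
    # ACL semantics: first matching rule wins, implicit deny at the end.
    for r in rules:
        if r.proto == proto and r.dst_port in (None, dst_port):
            return r.action
    return "deny"

def build_example():
    # Constructed policies: a common parent and the San Jose SQL child from the text.
    common = Policy("common-high-level")
    common.rules += [Rule("deny", "udp", 500, mandatory=True),   # ISAKMP: corporate mandate
                     Rule("deny", "esp", None, mandatory=True),  # IPsec ESP: corporate mandate
                     Rule("permit", "tcp", 80)]                  # default rule: web
    sql = Policy("san-jose-sql", parent=common)
    sql.rules += [Rule("permit", "tcp", 1433),                   # local default rule: SQL Server
                  Rule("permit", "udp", 500)]                    # local attempt to undo the mandate
    return common, sql
```

Because the inherited mandatory deny is evaluated before any default rule, the child policy's local permit for UDP/500 never takes effect, and a junior operator cannot remove the mandate from the child.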



Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539