Firewall Parameters in VPN 3000 Concentrator

The configuration for the Firewall client parameters resides in the Configuration | User Management | Group or Base Group Client FW tab. As illustrated in Figure 7.2, the Firewall Setting configuration at the top of the screen determines whether an active firewall is required when connecting. By default, the firewall policy feature is not enabled. If you want to ensure firewall security, choose the Firewall Required option. Recall that this option mandates the presence of the chosen firewall when users belonging to this group are initiating a session. If you want a more lenient approach, choose the Firewall Optional option. This option sends a notification to the connecting user reporting that the firewall is not detected on the client and should be installed and activated.

Figure 7.2. Client FW Configuration tab.


After establishing the firewall settings, you must select the firewall vendor and product that users in the group are running. The concentrator supports the following vendors and products:

  • Cisco: The VPN Concentrator supports the Cisco Integrated Client (CIC) Firewall that is incorporated in the Cisco Unity Client.

  • NetworkICE: The BlackICE Defender/Agent interoperates with the Cisco VPN 3000 Concentrator to support AYT policies.

  • Zone Labs: Zone Labs' ZoneAlarm and ZoneAlarm Pro support both AYT and CPP policy.

  • Sygate: Starting with Cisco VPN Concentrator software release 4.0, the VPN Concentrator also supports AYT with the Sygate Personal Firewall and the Sygate Personal Firewall Pro. In addition, Sygate's Enterprise Security Agent also supports the Cisco AYT policy feature.

  • Custom: Designed for future use, the Cisco Concentrator lets you define a custom firewall based upon the Vendor ID and the Product ID. This feature currently is not used because all supported firewall vendors and products are in the list.

Sygate's products are recent additions to the VPN 3000 Concentrator's supported firewall products. At the time of this writing, the Sygate products are not considered a testable item and should not be studied as one. They are mentioned here for future exam revisions.


The final configuration step is to decide which firewall policy you want to enable. Certain vendors and products can support only specific policies. Table 7.1 outlines all the products and their supported firewall features.

Table 7.1. Firewall Vendor Supported Policies

Firewall Product            AYT Policy    CPP Policy    IS Policy
Cisco CIC                                 X
NetworkICE BlackICE         X
Zone Labs ZoneAlarm/Pro     X             X
Zone Labs Integrity                                     X
Sygate                      X

AYT = Are You There policy; CPP = Central Protection Policy; IS = Zone Labs Integrity Server policy. An X marks a policy the product supports.


It is imperative to remember which policy feature each vendor supports.


With the exception of the CIC client and the Zone Labs Integrity client, most vendors support the AYT feature. With this feature, the VPN Concentrator polls the client every 30 seconds to ensure that the firewall is installed and active. If the AYT messages do not detect an active firewall on the client, the tunnel is terminated. If you want to use this policy, select the Policy Defined by Remote Firewall (AYT) field.

The Zone Labs ZoneAlarm products and the Cisco CIC client can inherit rules pushed from a defined filter in the concentrator. If you want to utilize the CPP policy, select the Policy Pushed (CPP) field, followed by the filter that you want to push down to the clients. The VPN 3000 Concentrator contains a built-in firewall filter called "Firewall Filter for VPN Client." This filter states that all incoming traffic is blocked and all outgoing traffic is allowed (similar to the stateful firewall on the VPN Unity Client).

The final available policy is the Policy from Server field. This field should be selected when integrating a VPN 3000 Concentrator with an enterprise Zone Labs Integrity Server. Be sure to define this firewall server in the Configuration | System | Servers | Firewall page and change the default port setting if you have done so on the IS server.
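The enforcement rules described in this section (the Firewall Setting at session setup, the product-to-policy matrix of Table 7.1, and the 30-second AYT poll that tears down the tunnel when the firewall stops answering) can be summarized as a small decision model. The following is an added illustration written for this page, not Cisco's code or any part of the VPN 3000 software; the AYT exchange is abstracted to a list of poll results, the class, function and product-key names are the example's own, and the outcome strings are hypothetical labels.

```python
"""Model of the VPN 3000 Concentrator client-firewall enforcement described above.
Added illustration, not Cisco code. The AYT protocol is reduced to a sequence of
poll results; the 30-second interval is only used to compute elapsed time."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Setting(Enum):
    NONE = "No Firewall"            # default: firewall policy feature disabled
    OPTIONAL = "Firewall Optional"  # connect, but notify if no firewall detected
    REQUIRED = "Firewall Required"  # the chosen firewall must be present


class Policy(Enum):
    AYT = "Policy defined by remote firewall (AYT)"
    CPP = "Policy Pushed (CPP)"
    IS = "Policy from Server"


# Table 7.1: which policies each supported product can enforce.
SUPPORTED = {
    "Cisco CIC": {Policy.CPP},
    "NetworkICE BlackICE": {Policy.AYT},
    "Zone Labs ZoneAlarm/Pro": {Policy.AYT, Policy.CPP},
    "Zone Labs Integrity": {Policy.IS},
    "Sygate Personal Firewall": {Policy.AYT},
}

AYT_INTERVAL_SECONDS = 30  # poll period stated in the text


@dataclass
class GroupFirewallConfig:
    setting: Setting
    product: str
    policy: Policy

    def validate(self) -> None:
        """Reject a group whose chosen product cannot enforce the chosen policy."""
        if self.setting is Setting.NONE:
            return  # nothing is enforced, so the product/policy pair is irrelevant
        if self.product not in SUPPORTED:
            raise ValueError(f"unknown firewall product: {self.product}")
        if self.policy not in SUPPORTED[self.product]:
            raise ValueError(f"{self.product} does not support {self.policy.name}")


@dataclass
class ClientReport:
    product: Optional[str]  # firewall the client reports, None if none detected
    active: bool            # whether that firewall is running


def admission_decision(cfg: GroupFirewallConfig, client: ClientReport) -> str:
    """Outcome at session setup: 'connect', 'connect+notify' or 'reject'."""
    cfg.validate()
    if cfg.setting is Setting.NONE:
        return "connect"
    present = client.product == cfg.product and client.active
    if present:
        return "connect"
    if cfg.setting is Setting.OPTIONAL:
        return "connect+notify"  # user is told to install and activate the firewall
    return "reject"              # Firewall Required and the firewall is missing


def ayt_monitor(replies: List[bool]) -> Tuple[bool, int]:
    """Walk a sequence of AYT poll results (True = firewall answered the poll).
    Returns (tunnel_still_up, seconds elapsed when the decision was made)."""
    for i, answered in enumerate(replies, start=1):
        if not answered:
            return False, i * AYT_INTERVAL_SECONDS  # tunnel terminated here
    return True, len(replies) * AYT_INTERVAL_SECONDS


if __name__ == "__main__":
    # Constructed sample: group requires ZoneAlarm with AYT, client has it running,
    # then stops answering on the third poll.
    cfg = GroupFirewallConfig(Setting.REQUIRED, "Zone Labs ZoneAlarm/Pro", Policy.AYT)
    print(admission_decision(cfg, ClientReport("Zone Labs ZoneAlarm/Pro", True)))
    print(ayt_monitor([True, True, False, True]))
```

The admission step mirrors the three Firewall Setting choices, and the validator catches the misconfiguration the table warns about, such as pairing the CIC client with AYT. The monitor shows the consequence of the 30-second poll: one missed reply ends the session, so a firewall that is merely installed but not running fails the check just as a missing one does.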



CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185