The VPN Client software now includes an integrated stateful
firewall feature set that provides protection to the client. The feature set
protects the VPN Client PC from Internet attacks both from split-tunneling
implementations and IPSec tunnel connections to a VPN Concentrator. This feature
is called Stateful Firewall (Always On).
Overview of Software Client Firewall Feature
The built-in Stateful Firewall (Always On) service provides
even tighter security by blocking all new inbound sessions from all networks,
regardless of whether a VPN connection is active. The Stateful Firewall
filtering applies to both encrypted and nonencrypted traffic. Outbound traffic
creates entries in a state table, which allows returning packets to be allowed
through. Any sessions originating on the outside interface are blocked by
default, though, because no state table entries exist.
Two exceptions exist to this no unsolicited inbound traffic rule.
The first involves supporting DHCP services: DHCP client requests to a DHCP
server pass out on one port, but the resulting responses return through a
different port. The Stateful Firewall feature is programmed to know this and
allows that specific inbound traffic. The second exception is edge services
processor (ESP) traffic through ESP modules from the secure gateway. The
Stateful Firewall software recognizes ESP traffic as packet filters, and not as
session-based filters, and allows it through.
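As an added illustration (not Cisco's code), the following Python toy model applies the three rules described above: outbound traffic creates a state-table entry, an inbound packet passes only if it matches such an entry, and the DHCP-response and ESP-from-gateway exceptions are recognised explicitly. The gateway address, the packet fields and the sample traffic are constructed for the example; matching ESP on the gateway's source address is a modelling assumption, not a description of the real filter's internals.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "esp" (ESP carries no ports; use 0)
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives from the network

class AlwaysOnFirewall:
    """Toy model of the Always On policy: outbound traffic builds a state table,
    inbound traffic passes only as a reply, a DHCP response, or ESP from the gateway."""
    def __init__(self, secure_gateway: str):
        self.secure_gateway = secure_gateway   # hypothetical VPN Concentrator address
        self.state = set()                      # reply-direction 5-tuples

    def filter(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # Outbound traffic creates a state entry keyed on the expected reply.
            self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "allow"
        # Exception 1: DHCP. The server's response (67 -> 68) does not line up with
        # the entry the client request created, so it is recognised explicitly.
        if pkt.proto == "udp" and pkt.sport == 67 and pkt.dport == 68:
            return "allow"
        # Exception 2: ESP from the secure gateway is a packet filter, not session-based.
        if pkt.proto == "esp" and pkt.src == self.secure_gateway:
            return "allow"
        # A reply to an outbound session matches its state entry and passes.
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.state:
            return "allow"
        return "drop"   # unsolicited inbound session: no state entry exists

def demo() -> list:
    """Run constructed sample traffic through the filter; returns the verdicts."""
    fw = AlwaysOnFirewall("203.0.113.1")
    traffic = [
        Packet("tcp", "192.0.2.10", 40000, "198.51.100.5", 443, False),  # client opens HTTPS
        Packet("tcp", "198.51.100.5", 443, "192.0.2.10", 40000, True),   # server reply
        Packet("tcp", "198.51.100.9", 5555, "192.0.2.10", 445, True),    # unsolicited SMB probe
        Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, False),      # DHCP discover
        Packet("udp", "192.0.2.1", 67, "192.0.2.10", 68, True),          # DHCP offer
        Packet("esp", "203.0.113.1", 0, "192.0.2.10", 0, True),          # ESP from gateway
        Packet("esp", "203.0.113.99", 0, "192.0.2.10", 0, True),         # ESP from elsewhere
    ]
    return [fw.filter(p) for p in traffic]
```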
To enable the Stateful Firewall, click Stateful Firewall (Always
On) on the Options menu, as shown in Figure 12-13. The check in front of the option
indicates the Stateful Firewall (Always On) feature is enabled. This feature is
disabled by default. The feature can be enabled or disabled by clicking the
entry in the VPN Client Options menu.
During a VPN connection, you can view the status of the firewall
features by double-clicking the lock icon in the taskbar system tray or
right-clicking the same icon and choosing Status from the resulting menu. You can
also enable or disable the feature from the same menu. The result is a three-tab
window, as shown in Figure 12-14, with the firewall features on the
third tab. The information displayed on the tab varies according to the
configured firewall policy.
Defining a Client Firewall Policy
The VPN Concentrator network administrator can define and
manage the firewall policy using the Configuration | User Management | Base
Group or Group | Client FW tab. You can choose from three options:
The Are You There Feature
Since v3.1, the Cisco VPN Client supports the Are You There
(AYT) feature. When the AYT feature is enabled, the VPN Client polls the local
firewall every 30 seconds to make sure it’s still running. While the VPN Client
confirms the firewall is running, it doesn’t confirm that a specific policy is
enforced.
If the security policy requires that remote users have firewalls
running on their PCs, the VPN Concentrator can allow these clients to connect
only if they have the designated firewall installed and running. If the
designated firewall isn’t running, the connection attempt fails. Once the
connection is established, the VPN Client uses the AYT feature to monitor the
firewall to make sure it’s running. If the firewall stops for any reason, the
VPN Client immediately drops the connection to the VPN Concentrator.
The Cisco Systems VPN Client Connection Status information box
Firewall tab shows only the firewall policy (AYT) and the name of the firewall
product, as shown in Figure 12-14 earlier.