
Installation and Configuration for Common Criteria EAL4+ Evaluated Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module

Table Of Contents

Installation and Configuration for Common Criteria EAL4 Evaluated Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Version 3.1(3.17)

Contents

Introduction

Audience

Supported Hardware and Software Versions

Security Information

Organizational Security Policy

Security Implementation Considerations

Certified Configuration

Windows 2000 Documentation

Windows XP Documentation

Potential Insecure Configurations

Uncommitted Changes

Default Flow Policy

Physical Security

Administration Access

Servers and Proxies

Logging and Messages

Access Lists

Trusted and Untrusted Networks

Routed Mode

Transparent Mode

Inspection Policy

Public Access Servers

Using FTP and Telnet

Monitoring and Maintenance

Administrative Roles

Auditing Component Requirements

Password Complexity

AAA Server and Authentication Policy per the IT Environment

Determining the Software Version

Installation Notes

Verification of Hardware and Software Image

Configuration Notes (IOS/Supervisor)

Saving Your Configuration

Service Password Encryption

Layer 2 Security

Layer 3 Security

Disabling the HTTP Server

Disabling SNMP Management

Disabling the TFTP Server

Disabling Source Routing

Enabling Time-Stamps

Command-Specific Events

Idle Time Outs

Setting the System Clock

Configuring Authentication on the Supervisor

Configuring Secure Shell

Configuring System Log Messaging from the Supervisor to PFSS

Configuration Notes (FWSM)

FWSM Maintenance Partition

Saving Your Configuration

Using the established Command

Enabling Timestamps

Enabling Reliable Logging

Systems Logs

Server Settings

Configuring Authentication on FWSM

Configuring Console Access on FWSM to Use AAA (Optional)

Idle Time Outs

Configuring AAA for Telnet and FTP

Configuring SSH

Configuring Failover of FWSM

Inspecting ICMP

Unicast RPF

Same Security Traffic

Using the Syslog Server

Verifying the Correct Version of PFSS

Using the Syslog Server (PFSS Active Mode)

Changing the Syslog Server Parameters at the Windows 2000 System

Recovering from the Syslog Server Disk-Full Condition

Configuring System Log Message Search Functions Using the System Log Message Search

Setting Up the System Log Message Search Display

Configuring System Log Message Search Functions with the System Log Message Search (Log Searching Mode)

Searching System Log Messages Based on Syslog ID

Searching System Log Messages for Specific Commands Entered by the Administrator on the Supervisor

Searching System Log Messages Based on User ID

Searching Windows Audit Events

Searching System Log Messages Based on IP Address

Searching System Log Messages with the Advanced Option Feature

MD5 Hash Value for the Evaluated Configuration

Obtaining Documentation, Obtaining Support, and Security Guidelines


Installation and Configuration for Common Criteria EAL4 Evaluated Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Version 3.1(3.17)


April 2007

Contents

This document describes how to install and configure the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM) as certified by Common Criteria Evaluation Assurance Level 4 (EAL4).

In this guide, "FWSM" or "Firewall Services Module" applies to all models of the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, unless specifically noted otherwise.


Note Failure to follow the information provided in this document will result in the Firewall Services Module not being compliant with the evaluation, and may make it insecure.


This document includes the following sections:

Introduction

Audience

Supported Hardware and Software Versions

Security Information

Installation Notes

Configuration Notes (IOS/Supervisor)

Configuration Notes (FWSM)

Using the Syslog Server

Configuring System Log Message Search Functions Using the System Log Message Search

MD5 Hash Value for the Evaluated Configuration

Obtaining Documentation, Obtaining Support, and Security Guidelines

Introduction

This document is an addendum to the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module documentation set, which should be read before configuring the FWSM.

Cisco product documentation includes:

Release Notes

Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 3.1

Upgrade Guide

Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1

Regulatory Compliance and Safety Information Guide

Regulatory Compliance and Safety Information for the Catalyst 6500 Series and Cisco 7600 Series Switches

Command Line Configuration Guide

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, Version 3.1

Command Reference Guide

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, Version 3.1

System Log Messages Guide

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Messages, Version 3.1

For a complete list of documentation for the Catalyst 6500 series switch, go to:

http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html

For a complete list of documentation for the Cisco 7600 series routers, go to:

http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html

The FWSM documentation is available in printed-paper form, and online (in both HTML and PDF formats).

Audience

This document is written for administrators configuring the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module software. This document assumes you are familiar with networks and network terminology, that you are a trusted individual, and that you are trained to use the Internet and its associated terms and applications.

Supported Hardware and Software Versions

Only the following combinations of hardware and software listed in Table 1 are compliant with the FWSM 3.1(3.17) EAL4 evaluation. Using hardware and software not specified invalidates the secure configuration.

Table 1 Supported Hardware and Software for FWSM

Hardware
  FWSM:           Part no. WS-SVC-FWM-1-K9
  Supervisor:     Sup720 or Sup2
  Switch/Router:  7600 Series chassis (7603, 7606, 7609, 7613) with Supervisor Engine 720; or Catalyst 6500 Series chassis (6503, 6506, 6509-NEB, 6509, 6513) with Supervisor Engine 2 and Multilayer Switch Feature Card 2 (MSFC2), or with Supervisor Engine 720
  Audit server:   PC

Software
  FWSM:           Cisco FWSM Firewall image version 3.1(3.17)
  Supervisor:     Cisco IOS Software Release 12.2(18)SXF5
  Audit server:   Windows 2000 Professional Service Pack 3 with hotfix Q326886, or Windows XP Professional Service Pack 2 (including hotfixes 896423, 899587, 899588, 896422, 890859, 873333, 885250, 888302, 885835, and 907865); PIX Firewall Syslog Server (PFSS) 5.14


Security Information

In addition to the Regulatory Compliance and Safety Information document, the sections that follow provide additional security information for use with a Common Criteria Certified Firewall Services Module.

Organizational Security Policy

Security Implementation Considerations

Certified Configuration

Organizational Security Policy

Ensure that your FWSM is delivered, installed, managed, and operated in a manner that maintains an organizational security policy.

Security Implementation Considerations

The sections that follow provide implementation considerations that need to be addressed to administer the FWSM in a secure manner.


Note The certified configuration does not host public data. Do not use any components of the certified configuration to host and provide public data.


The threat of malicious attacks aimed at discovering exploitable vulnerabilities is considered moderate. A moderate attack potential for the certified configuration makes the following assumptions:

Identification

The time taken to identify the potential attack is negligible, because knowledge that the certified configuration uses the console port for local access and SSH for remote access can be considered common knowledge for an attacker of moderate attack potential.

No specialist technical experience is considered to be required to identify the vulnerability.

Public knowledge of the certified configuration operation is all that is required to identify this vulnerability.

Physical access to the certified configuration console port is required.

Only standard equipment is required.

Exploitation

Public knowledge of the certified configuration operation is all that is required to exploit this vulnerability.

Standard equipment is required to attempt a brute force or dictionary attack.

Other Factors

No physical access to the certified configuration may be obtained by untrusted persons as the certified configuration is physically secure (Assumption A.PHYSEC from the ST document).

Certified configuration administrators may not be considered attackers, and follow all administrator guidance (Assumption A.NOEVIL from the ST document).

Administrators use passwords of the level of complexity described in this document (see Password Complexity). Passwords will therefore be a combination of alphabetic and numeric characters. This password will be at least eight characters long and will be kept secret.

Certified Configuration

Use only the FWSM software Version 3.1(3.17). Only the hardware and software version combinations listed in Table 1 can be used to implement an evaluated configuration. Changing the software or hardware to a different version invalidates the evaluated status of a particular hardware platform.

The Certified Common Criteria Firewall Services Module Version 3.1(3.17) excludes the following features:

Routing Information Protocol (RIP)

Simple Network Management Protocol (SNMP)

Dynamic Host Configuration Protocol (DHCP) Server

Virtual Private Networks (VPNs) through the IOS executing on the Supervisor or FWSM

The features that are specifically excluded must be disabled while the FWSM and Supervisor are operating in the evaluated configuration.

All other hardware and software features and functions of the FWSM are included in the evaluated product configuration and thus can be used in conjunction with the Target of Evaluation (TOE) Security Functions as long as the TOE functions are configured, operated, and managed in accordance with this document.

The FWSM Target of Evaluation relies on a Windows 2000 or Windows XP computer to act as an audit server. Windows is configured in the EAL4 evaluated configuration to support this TOE. Microsoft Windows Evaluated Configuration documentation can be found by clicking the following links:

Windows 2000 Documentation

Windows 2000 Common Criteria Evaluated Configuration User's Guide:

http://www.microsoft.com/technet/security/prodtech/Windows2000/w2kccug/default.mspx

Windows 2000 Common Criteria Evaluated Configuration Administrator's Guide:

http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/default.mspx

Windows 2000 Common Criteria Security Configuration Guide:

http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/default.mspx

Windows XP Documentation

Windows XP Common Criteria Evaluated Configuration User's Guide:

http://download.microsoft.com/download/d/3/0/d304ab38-567c-4fad-a368-a3661ca1a16d/wxp_common_criteria_user_guide.zip

Windows XP Common Criteria Evaluated Configuration Administrator's Guide:

http://download.microsoft.com/download/e/8/9/e897a1ee-0273-4694-b155-ad02f7b2b4d5/wxp_common_criteria_admin_guide.zip

Windows XP Common Criteria Security Configuration Guide:

http://download.microsoft.com/download/5/3/b/53b53a3e-39d5-4d30-86f2-146aa2c7be45/wxp_common_criteria_configuration_guide.zip

The configuration of the FWSM should be reviewed on a regular basis to ensure that the configuration continues to meet the organizational security policy when considering the following:

Changes in the FWSM configuration

Changes in the organizational security policy

Changes in the threats presented from the untrusted network(s)

Changes in the administration and operations staff or the physical environment of the FWSM

Potential Insecure Configurations

This section includes the following topics:

Uncommitted Changes

Default Flow Policy

Physical Security

Administration Access

Servers and Proxies

Logging and Messages

Access Lists

Trusted and Untrusted Networks

Public Access Servers

Using FTP and Telnet

Monitoring and Maintenance

Auditing Component Requirements

Password Complexity

Determining the Software Version

Uncommitted Changes

At boot, the FWSM loads the saved startup configuration and copies it into the running configuration.

Commands you enter modify the running configuration, which is held in volatile memory. They take effect immediately, but if the FWSM reboots before you save them they are lost and the FWSM resumes operation with the last saved startup configuration. Save the running configuration to the startup configuration whenever you complete a set of changes. For more information, see Saving Your Configuration.

Default Flow Policy

By default, the FWSM applies a default flow policy that denies all data flows from the external (outside) interface to internal networks. Administrators must take note of this and apply the organization's policy during installation, before users are permitted to send traffic through the FWSM. Create access lists to permit the flows the policy allows: each permit or deny entry specifies a protocol, a source and destination IP address or network, and optionally the source and destination ports. See Organizational Security Policy for guidance on defining a suitable policy.

Physical Security

The FWSM must be located in a physically secure environment to which only a trusted administrator has access. The secure configuration of the FWSM can be compromised if an intruder gains physical access to the FWSM. Similarly, the audit server used to store and manage the FWSM system log messages must be protected physically and with suitable identification and authentication mechanisms to ensure that only trusted administrators have access.

Administration Access

There are only two methods by which the administrator can manage the FWSM:

Using the serial interface directly connected to the Supervisor

Using SSH access with single-use authentication (see AAA Server and Authentication Policy per the IT Environment)

The FWSM does not have an external console port. You must session in to the FWSM to perform configuration by first connecting to the console on the Supervisor, and then executing the session command. For this certified configuration, there are two modules that are used to provide the certified configuration security functions: the FWSM itself and the Supervisor executing IOS. Each module has its own interfaces and executing operating system.

Servers and Proxies

To ensure complete security when the FWSM is shipped, inbound access to all proxies and servers is initially disabled. After the installation, you must explicitly permit each service and enable the services necessary for your security policy. See the configuration guides for information on how to configure the FWSM. Certification requires a completely controlled environment in which specified services are allowed and all others denied.

Logging and Messages

Monitoring activity in the log files is an important aspect of your network security and should be conducted regularly. Monitoring the log files lets you take appropriate and timely action when you detect security breaches or events that are likely to lead to a security breach in the future. Use the show logging command or the syslog server to view log files messages. See Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Messages for information about sending messages, and archiving.

Access Lists

Access lists are evaluated top-down on a first-match basis: the first access control entry (ACE) that matches a packet decides its fate, and later entries are never consulted for that packet. Because new entries are appended to the end of the list, the last rule added is the last rule checked, and it is shadowed by any earlier, broader entry that matches the same traffic. Administrators must take note of this when entering the initial rules during configuration, because the order of those rules determines how the remainder of the list is parsed.

Trusted and Untrusted Networks

The FWSM can be used to isolate your network from the Internet or from another network. A trusted network is usually your internal network and an untrusted network may be the Internet or any other network. For this certified configuration, VLANs provide logical separation between various networks. The configuration of VLANs takes place on the Supervisor as the Supervisor is in control of all the network interfaces that exist on the platform. The Supervisor also can be configured to perform routing functions for the network.

The FWSM must be configured so that it acts as the only network connection between your internal network and any external networks. The FWSM will deny any information flows for which no rule is defined. Your security implementation is based on the control of traffic from one network to the other, and should support your security policy.

See "Assigning VLANs to the FWSM in Cisco IOS Software" in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for additional information about configuring VLANs.


Note For increased security and to avoid risk of exposure caused by misconfiguring ACLs in non-admin contexts, the AAA server and management hosts must be located on remote networks protected from non-admin contexts by another means besides using the admin context.


In the default configuration, traffic types observe the default policy for inside to outside traffic. Table 2 shows the traffic types and their supported modes for inside to outside traffic.

Table 2 Traffic Types and Supported Modes - Inside to Outside

Traffic Type      | Single Routed Mode | Multiple Routed Mode | Single Transparent Mode     | Multiple Transparent Mode
Spoofed traffic   | No (RPF enabled)   | No (RPF enabled)     | No (ARP inspection enabled) | No (ARP inspection enabled)
Ethernet          | Yes                | Yes                  | Yes                         | Yes
ARP               | No (router hop)    | No (router hop)      | Yes                         | Yes
CTIQBE            | Yes                | Yes                  | Yes                         | Yes
DNS               | Yes                | Yes                  | Yes                         | Yes
Echo              | Yes                | Yes                  | Yes                         | Yes
Finger            | Yes                | Yes                  | Yes                         | Yes
H.323             | Yes                | Yes                  | Yes                         | Yes
IP                | Yes                | Yes                  | Yes                         | Yes
ICMP              | Yes                | Yes                  | Yes                         | Yes
TCP               | Yes                | Yes                  | Yes                         | Yes
UDP               | Yes                | Yes                  | Yes                         | Yes
FTP               | Yes                | Yes                  | Yes                         | Yes
GTP               | Yes                | Yes                  | Yes                         | Yes
HTTP              | Yes                | Yes                  | Yes                         | Yes
ILS               | Yes                | Yes                  | Yes                         | Yes
MGCP              | Yes                | Yes                  | Yes                         | Yes
POP3              | Yes                | Yes                  | Yes                         | Yes
RSH               | Yes                | Yes                  | Yes                         | Yes
RTSP              | Yes                | Yes                  | Yes                         | Yes
Skinny            | Yes                | Yes                  | Yes                         | Yes
SIP               | Yes                | Yes                  | Yes                         | Yes
ESMTP             | Yes                | Yes                  | Yes                         | Yes
SunRPC            | Yes                | Yes                  | Yes                         | Yes
Telnet            | Yes                | Yes                  | Yes                         | Yes
TFTP              | Yes                | Yes                  | Yes                         | Yes
XDMCP             | Yes                | Yes                  | Yes                         | Yes
traceroute        | Yes                | Yes                  | Yes                         | Yes
STP               | No                 | No                   | Yes                         | Yes
All other traffic | Yes                | Yes                  | Yes                         | Yes


In the default configuration, traffic types observe the default policy for outside to inside traffic. Table 3 shows the traffic types and their supported modes for outside to inside traffic.

Table 3 Traffic Types and Supported Modes - Outside to Inside

Traffic Type      | Single Routed Mode | Multiple Routed Mode | Single Transparent Mode     | Multiple Transparent Mode
Spoofed traffic   | No (RPF enabled)   | No (RPF enabled)     | No (ARP inspection enabled) | No (ARP inspection enabled)
Ethernet          | No                 | No                   | No                          | No
ARP               | No (router hop)    | No (router hop)      | Yes                         | Yes
CTIQBE            | No                 | No                   | No                          | No
DNS               | No                 | No                   | No                          | No
Echo              | No                 | No                   | No                          | No
Finger            | No                 | No                   | No                          | No
H.323             | No                 | No                   | No                          | No
IP                | No                 | No                   | No                          | No
ICMP              | No                 | No                   | No                          | No
TCP               | No                 | No                   | No                          | No
UDP               | No                 | No                   | No                          | No
FTP               | No                 | No                   | No                          | No
GTP               | No                 | No                   | No                          | No
HTTP              | No                 | No                   | No                          | No
ILS               | No                 | No                   | No                          | No
MGCP              | No                 | No                   | No                          | No
POP3              | No                 | No                   | No                          | No
RSH               | No                 | No                   | No                          | No
RTSP              | No                 | No                   | No                          | No
Skinny            | No                 | No                   | No                          | No
SIP               | No                 | No                   | No                          | No
ESMTP             | No                 | No                   | No                          | No
SunRPC            | No                 | No                   | No                          | No
Telnet            | No                 | No                   | No                          | No
TFTP              | No                 | No                   | No                          | No
XDMCP             | No                 | No                   | No                          | No
traceroute        | No                 | No                   | No                          | No
STP               | No                 | No                   | Yes (can be denied by ACL)  | Yes (can be denied by ACL)
All other traffic | No                 | No                   | No                          | No


PFSS is the Windows system log messaging service that provides the system audit store for the firewall. PFSS must be configured to communicate with the firewall according to the mode in which the firewall is operating. The PFSS server requires its own dedicated VLAN and interface for this communication. In this configuration, the logging host command sends messages over TCP to the audit server on that VLAN interface. Figure 1 shows the network topology for a single context.

Figure 1 Network Topology for Single Context

If the firewall is operating in multiple context mode, each context shall be defined to communicate with the audit server and configuration settings established to protect the audit server from receiving any other traffic other than that which is specifically allowed per policy. Figure 2 shows the network topology for multiple contexts.


Warning Configuring IP addresses on IOS interfaces that are in the same subnets as FWSM interfaces increases the potential for routing loops and for traffic bypassing the FWSM.



Note To ensure proper protection of the audit server, the PFSS server must be placed on a trusted network and must have access-control lists applied on the FWSM and IOS to only allow TCP and UDP system log messaging data to be sent to the PFSS.


Figure 2 Network Topology for Multiple Contexts

Host / Interface | IP Address     | Description
PFSS Server      | 192.168.0.27   | Connected to a physical port on VLAN 192
AAA              | 192.168.26.2   | Connected to a physical port on VLAN 26
VLAN192          | 192.168.0.1    | VLAN interface for VLAN 192
BVI              | 192.168.50.254 | Interface for Transparent-2
VLAN50           | 192.168.50.1   | VLAN interface for the Transparent-2 BVI to communicate with
BVI              | 192.168.40.254 | Interface for Transparent-1
VLAN40           | 192.168.40.1   | VLAN interface for the Transparent-1 BVI to communicate with



Note The black dot in Figure 2 represents IOS enforcing ACLs to ensure that only approved syslog and AAA traffic can pass between the firewall contexts and the PFSS and AAA hosts, and that no other traffic is ever permitted by IOS among the firewall VLANs (VLANs 2, 40, and 50 in Figure 2).


Routed Mode

In routed mode, the audit VLAN is connected through an IOS VLAN for a minimum of three defined interfaces: external, internal, and audit. The access lists within the FWSM are responsible for protecting the audit server in routed mode.

Transparent Mode

In transparent mode, a BVI management interface provides a third interface to the context for communication with the PFSS and the RADIUS or TACACS+ server. The external and internal interfaces in this configuration are running in transparent mode and do not have an IP address assigned. The BVI is owned or managed by FWSM and has an IP address. One IP address must be configured in order for that context to send system log messages through the BVI and authentication traffic to reach the RADIUS/TACACS+ server. Access-lists on the Supervisor are used to protect the audit and authentication traffic. Strict ACEs must be applied to each BVI to only permit system log messages and RADIUS/TACACS+ traffic from the single host IP of the transparent mode context to the specific host IPs of the PFSS and AAA servers.


Note The IOS VLAN interface and the transparent mode BVI must be on a /30 subnet.


hostname(config)# interface vlan 50
hostname(config-if)# ip address 192.168.50.1 255.255.255.252
hostname(config-if)# ip access-group 101 in
hostname(config-if)# ip access-group 102 out

The addresses follow Figure 2: the Supervisor VLAN 50 interface is 192.168.50.1 and the BVI of the transparent context is 192.168.50.254. Access lists 101 and 102 hold the strict entries described above and are not listed here. Note that 192.168.50.1 and 192.168.50.254 as printed in Figure 2 do not fall within one /30; when you apply the /30 requirement, use the two usable addresses of a single /30 for the VLAN interface and the BVI.

A transparent firewall does not participate in IP routing. The only IP configuration required for the FWSM is to set the management IP address for each bridge group. This address is required because the FWSM uses this address as the source address for traffic originating on the FWSM, such as system messages or communications with AAA servers. You can also use this address for remote management access.

hostname(config)# interface vlan 50
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# bridge-group 1
hostname(config-if)# interface vlan 500
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 1
hostname(config-if)# interface bvi1
hostname(config-if)# ip address 192.168.50.254 255.255.255.252

A default route (network and mask both 0.0.0.0) must be configured on the FWSM, pointing at the Supervisor VLAN interface address, so that traffic from the current context reaches the syslog server via the VLAN on the Supervisor.

hostname(config)# route inside 0.0.0.0 0.0.0.0 192.168.50.1


Note Use only a default route in the transparent context.

Transparent contexts using a BVI interface require static ARP entries for the IOS VLAN IP/MAC, which acts as the route gateway to the PFSS and AAA servers. The same IOS MAC addresses are visible in the transparent mode context on both sides of the firewall. If a static entry is not defined, then the firewall context will periodically move the MAC address back and forth between the inside MAC address table to the outside MAC address table. This movement breaks the route to the PFSS and AAA servers, and causes the context to stop passing traffic, because the context will see the PFSS logging host as down.


hostname(config)# mac-address-table static inside 00d0.02de.040a 


Note On FWSM, when the debug mac-address-table command and debug arp command are enabled at the same time, the messages overlap.

MAC address spoofing and IP address spoofing (for local subnets or VLANs) within each transparent mode context are to be specifically denied in the evaluated configuration.


hostname(config)# arp-inspection outside enable no-flood
hostname(config)# arp-inspection inside enable no-flood


Warning Using the no-flood option without first configuring all necessary static ARP entries eventually disables all connectivity to, from, or through the transparent context: without the static entries, the ARP table and MAC address table never learn MAC addresses and remain empty.
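The two requirements above, a first-match access list (see Access Lists) and strict entries that admit only syslog and RADIUS/TACACS+ traffic from the single BVI address to the PFSS and AAA hosts, can be checked offline before the list goes onto the Supervisor. The following is an added example, not code from this guide or from Cisco: a first-match ACL evaluator loaded with the kind of entries access list 101 would contain. Host addresses follow Figure 2; the ACE contents and the service ports (TCP 1468 and UDP 514 for PFSS syslog, UDP 1812 for RADIUS, TCP 49 for TACACS+) are assumptions, since the guide names access groups 101 and 102 but does not list their entries.

```python
"""Added example, not part of the Cisco guide: a first-match ACL evaluator
used to sanity-check the Supervisor ACL that protects the PFSS and AAA
hosts behind a transparent context.  Host addresses follow Figure 2; the
ACE contents and the service ports are assumptions (the guide names the
access-groups 101/102 but does not list their entries)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                     # CIDR, e.g. "192.168.50.254/32"
    dst: str
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl, pkt: Packet):
    """First matching ACE decides; an unmatched packet hits the implicit
    deny at the end, as on IOS and FWSM.  Returns (action, index)."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


BVI = "192.168.50.254/32"   # transparent context management address (Figure 2)
PFSS = "192.168.0.27/32"    # audit server (Figure 2)
AAA = "192.168.26.2/32"     # RADIUS/TACACS+ server (Figure 2)
SYSLOG_TCP, SYSLOG_UDP, RADIUS, TACACS = 1468, 514, 1812, 49   # assumed ports

# Inbound ACL on the Supervisor VLAN interface facing the BVI: only audit
# and authentication traffic from the single BVI host, nothing else.
ACL_101_IN = [
    Ace("permit", "tcp", BVI, PFSS, SYSLOG_TCP),
    Ace("permit", "udp", BVI, PFSS, SYSLOG_UDP),
    Ace("permit", "udp", BVI, AAA, RADIUS),
    Ace("permit", "tcp", BVI, AAA, TACACS),
    Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),   # explicit final deny
]

# The ordering mistake the "Access Lists" section warns about: a broad
# deny entered first shadows every permit added after it.
ACL_MISORDERED = [ACL_101_IN[-1]] + ACL_101_IN[:-1]


def syslog_to_pfss_allowed(acl=ACL_101_IN) -> bool:
    action, _ = evaluate(acl, Packet("tcp", "192.168.50.254", "192.168.0.27", SYSLOG_TCP))
    return action == "permit"


def ssh_to_pfss_allowed(acl=ACL_101_IN) -> bool:
    action, _ = evaluate(acl, Packet("tcp", "192.168.50.254", "192.168.0.27", 22))
    return action == "permit"


def spoofed_source_allowed(acl=ACL_101_IN) -> bool:
    # another host on the protected segment trying to reach the AAA server
    action, _ = evaluate(acl, Packet("udp", "192.168.50.77", "192.168.26.2", RADIUS))
    return action == "permit"


if __name__ == "__main__":
    for name, acl in (("acl 101", ACL_101_IN), ("misordered", ACL_MISORDERED)):
        print(name, "syslog->PFSS:", syslog_to_pfss_allowed(acl),
              "ssh->PFSS:", ssh_to_pfss_allowed(acl),
              "spoofed->AAA:", spoofed_source_allowed(acl))
```

With the entries in the intended order, only the syslog and AAA flows from the BVI pass and everything else, including SSH to the PFSS host and traffic from any other source address, hits the final deny. With the deny moved to the top, the same syslog packet is dropped at index 0 and the permits behind it are dead entries, which is exactly the shadowing a first-match list produces when rules are entered in the wrong order.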


Inspection Policy

A default inspection policy must be specified for each context in the evaluated configuration. This policy is determined by the protocols that are included in this evaluation and must be enabled by default. Enter the following commands:

hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect ctiqbe
hostname(config-pmap-c)# inspect esmtp
hostname(config-pmap-c)# inspect ftp strict
hostname(config-pmap-c)# inspect gtp
hostname(config-pmap-c)# inspect h323
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# inspect icmp error
hostname(config-pmap-c)# inspect ils
hostname(config-pmap-c)# inspect mgcp
hostname(config-pmap-c)# inspect rsh
hostname(config-pmap-c)# inspect rtsp
hostname(config-pmap-c)# inspect sip
hostname(config-pmap-c)# inspect skinny
hostname(config-pmap-c)# inspect sunrpc
hostname(config-pmap-c)# inspect tftp
hostname(config-pmap-c)# inspect xdmcp
hostname(config-pmap-c)# inspect dns
hostname(config-pmap-c)# inspect smtp
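Several of the requirements in this section are easy to lose during later changes: the full inspection list under global_policy, the strict option on FTP inspection, the absence of the excluded RIP, SNMP and DHCP features, and the "default route only" rule for a transparent context. The following is an added example, not code from this guide or from Cisco: a small offline audit that reads a saved FWSM running configuration and reports every deviation from those rules. The two configurations it checks are constructed samples, and the list of command prefixes treated as an excluded feature is my reading of the guide's exclusion list, not an official check.

```python
"""Added example, not part of the Cisco guide: an offline audit of an FWSM
running configuration against the evaluated-configuration rules on this
page (required inspection policy, 'inspect ftp strict', excluded
RIP/SNMP/DHCP/VPN features, default route only in a transparent context).
The sample configurations are constructed; EXCLUDED_PREFIXES is an
assumption about how the excluded features appear in a config."""
import re

REQUIRED_INSPECTS = {
    "ctiqbe", "esmtp", "ftp strict", "gtp", "h323", "http", "icmp",
    "icmp error", "ils", "mgcp", "rsh", "rtsp", "sip", "skinny",
    "sunrpc", "tftp", "xdmcp", "dns", "smtp",
}
EXCLUDED_PREFIXES = ("snmp-server", "dhcpd enable", "rip ", "crypto map", "isakmp")


def inspects_in_global_policy(config: str) -> set:
    """Collect the 'inspect' lines under policy-map global_policy /
    class inspection_default, using the indentation the FWSM prints."""
    found, in_pmap, in_class = set(), False, False
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command: reset context
            in_pmap = line.strip() == "policy-map global_policy"
            in_class = False
            continue
        if in_pmap and line.startswith(" class "):
            in_class = line.strip() == "class inspection_default"
        elif in_pmap and in_class and line.strip().startswith("inspect "):
            found.add(line.strip()[len("inspect "):])
    return found


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means no deviation found."""
    findings = []
    present = inspects_in_global_policy(config)
    for missing in sorted(REQUIRED_INSPECTS - present):
        if missing == "ftp strict" and "ftp" in present:
            continue                             # reported more precisely below
        findings.append(f"missing 'inspect {missing}' under global_policy/inspection_default")
    if "ftp" in present and "ftp strict" not in present:
        findings.append("'inspect ftp' is configured without the required 'strict' option")
    if not re.search(r"^service-policy global_policy global$", config, re.M):
        findings.append("global_policy is not applied with 'service-policy global_policy global'")
    for line in config.splitlines():
        if line.startswith(EXCLUDED_PREFIXES):
            findings.append(f"excluded feature present: {line.strip()!r}")
    if re.search(r"^firewall transparent$", config, re.M):
        for m in re.finditer(r"^route \S+ (\S+) (\S+) \S+", config, re.M):
            if (m.group(1), m.group(2)) != ("0.0.0.0", "0.0.0.0"):
                findings.append(f"non-default route in transparent context: {m.group(0)!r}")
    return findings


# Constructed sample of a compliant transparent-mode context.
GOOD_CONFIG = """\
firewall transparent
route inside 0.0.0.0 0.0.0.0 192.168.50.1
logging host inside 192.168.0.27 tcp/1468
policy-map global_policy
 class inspection_default
  inspect ctiqbe
  inspect esmtp
  inspect ftp strict
  inspect gtp
  inspect h323
  inspect http
  inspect icmp
  inspect icmp error
  inspect ils
  inspect mgcp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns
  inspect smtp
service-policy global_policy global
"""

# Constructed drift: FTP inspection without strict, DNS inspection dropped,
# a static route added in the transparent context, and SNMP enabled.
BAD_CONFIG = (GOOD_CONFIG
              .replace("inspect ftp strict", "inspect ftp")
              .replace("  inspect dns\n", "")
              .replace("route inside 0.0.0.0 0.0.0.0", "route inside 192.168.0.0 255.255.255.0")
              + "snmp-server host inside 192.168.0.9 community public\n")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run it against the output of show running-config saved from each context; the parser relies on the one-space indentation of class lines and two-space indentation of inspect lines that the FWSM prints, so do not reflow the saved text.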

Public Access Servers

If you are planning to host public access servers, you must decide where they will be located in relation to the FWSM. Placing servers on the network outside the FWSM leaves them open to attack. Placing servers on the internal network means you must open up your FWSM to allow access.

Using FTP and Telnet

File Transfer Protocol (FTP) is used to retrieve or deposit files on a remote system. Telnet is used to access a remote server using a console like connection over the network. The Common Criteria Security Target document requires that Telnet and FTP traffic through the FWSM must be authenticated before traffic is allowed to pass through. See Configuring AAA for Telnet and FTP for more information about how to configure the FWSM correctly to authenticate Telnet and FTP.


Note Use of the local user database for authentication of Telnet and FTP traffic through the firewall is not permitted in the evaluated configuration. All authentication of FTP and Telnet traffic through the firewall must be performed by use of single-use passwords via remote AAA servers.

To enforce compliance of FTP traffic with the FTP RFC, the strict option for the FTP inspection must be enabled in the evaluated configuration.


hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect ftp strict

Monitoring and Maintenance

The FWSM software provides several ways to monitor the FWSM, from logs to messages.

Ensure you know how you will monitor the FWSM, both for performance and for possible security issues.

Plan your backups. If there should be a hardware or software problem, you may need to restore the FWSM configuration.

The configuration of the FWSM should be reviewed on a regular basis to ensure that the configuration meets the security objectives of the organization in the face of the following:

Changes in the FWSM configuration

Changes in the security objectives

Changes in the threats presented by the external network

Administrative Roles

The certified configuration defines three administrative roles for use in the evaluated configuration:

Authorized Supervisor Administrator: any administrator who knows the enable password on the Supervisor (the router). Privileged access means entering the enable password after an individual login, regardless of the privilege level assigned to the account.

Authorized Firewall Administrator: any administrator who knows the enable password on the FWSM. Privileged access means entering the enable password after an individual login, regardless of the privilege level assigned to the account.

Authorized Audit Administrator: the role assigned to a user who logs in to the audit server and reviews the information recorded by the PFSS application.



Note The administrator of the chassis must be the administrator of any other blades installed in the chassis.


Auditing Component Requirements

The FWSM relies on a Windows audit server to store its audit data. The server must run one of the Windows versions, with the service pack and hotfixes, listed in Table 1. The auditing machine provides suitable audit records to the administrator, protects the stored audit records from unauthorized deletion, and detects modifications to the audit records. It is the responsibility of the administrator to review the audit records produced by the FWSM regularly and to take any action necessary to maintain the security of the Firewall Services Module. The auditing machine and its records must be accessible only to the administrator.

Password Complexity

Passwords must be 8 to 16 characters in length. The minimum password length must be enforced by the administrator. The following list of characters may be used in passwords:

26 uppercase letters (A - Z)

26 lowercase letters (a - z)

10 numbers (0 - 9)

Special characters (!"#$%&'()*+,-./:;<@[\`{|=>?]^_}~)

To construct a password, 94 characters are available for use, except for the space character, which is prohibited.

The password guidance included in this section applies to the creation and management of user passwords. Users must ensure that when creating or changing a password, the following requirements are met. Passwords must:

Be a minimum of 8 characters and a maximum of 16 characters

Include mixed-case alphabetical characters

Include at least one numeric character

Passwords must not include:

Birthdays

Names (parents, family, spouse, pets, or favorite sports player)

Sports teams

Towns, cities, or countries
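The FWSM and the Supervisor do not enforce these rules; the guide makes the administrator responsible for them. The following is an added example, not code from this guide or from Cisco: a pre-check that applies the stated rules (8 to 16 characters, the 94 printable ASCII characters with the space prohibited, mixed case, at least one digit, and none of the personal or well-known values in the prohibited list) before a password is set. The prohibited-value list it uses is a constructed stand-in for the organization's own list.

```python
"""Added example, not part of the Cisco guide: a checker for the rules in
the "Password Complexity" section.  BLOCKLIST is a constructed stand-in
for the organisation's list of birthdays, names, teams and places."""
import string

# The 94 printable ASCII characters the guide allows; the space is excluded.
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)
assert len(ALLOWED) == 94

BLOCKLIST = ["rover", "smith", "arsenal", "london", "19840521"]  # constructed sample


def check_password(pw: str, blocklist=BLOCKLIST) -> list:
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8 to 16 characters")
    disallowed = sorted(set(pw) - ALLOWED)
    if disallowed:
        problems.append("disallowed characters: " + repr("".join(disallowed)))
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("must mix upper-case and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("must contain at least one numeric character")
    lowered = pw.lower()
    for word in blocklist:
        if word.lower() in lowered:            # case-insensitive substring match
            problems.append(f"contains prohibited value {word!r}")
    return problems


def is_compliant(pw: str, blocklist=BLOCKLIST) -> bool:
    return not check_password(pw, blocklist)


if __name__ == "__main__":
    for candidate in ("Fw5m-Adm1n", "fwsmadmin1", "Rover2024Xy", "Pass word1"):
        print(f"{candidate!r}: {check_password(candidate) or 'compliant'}")
```

Note that a password of exactly eight characters drawn from this 94-character set is the minimum the guide accepts; the checker reports every violated rule rather than stopping at the first, so an administrator sees at once how far a candidate is from compliance.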

AAA Server and Authentication Policy per the IT Environment

The AAA server specified for this certified configuration is included within the environment. The administrator must ensure that during installation, the AAA server is capable of the following:

Maintaining attributes for each user (identity, association of the human user with the administrator account, and password).

Firewall administrators shall authenticate with a single-use authentication mechanism before being allowed to access the firewall remotely.

Human users shall authenticate with a single-use authentication mechanism when using FTP or Telnet that passes through the firewall.

Reusable passwords are allowed for authorized administrators to access the firewall or router console directly using the local console.

Reusable passwords may be used for the console connection to the Supervisor, or the console connection from the Supervisor to the FWSM, or for use of the enable command on FWSM.

All authentication on the Supervisor must defer to the remote AAA server and not use the local user database.

The IT environment section from the security target document requires that the administrator follow guidance concerning what authentication types are required for each request to administer the certified configuration.

Determining the Software Version

Use the show version command to verify the software version of your FWSM unit. The certified configuration will return 3.1(3)17 as the software version.

Installation Notes

Read the appropriate installation guides before installing the FWSM.

Verification of Hardware and Software Image

To verify that the FWSM software and hardware were not tampered with during delivery, perform the following steps:


Step 1 Before unpacking the FWSM, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 2 Verify that the packaging has not obviously been opened and resealed by examining the tape that seals the package. If the package appears to have been resealed, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems barcoded label applied to the external cardboard box. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco product number, serial number, and other information regarding the contents of the box.

Step 4 Note the serial number of the FWSM on the shipping documentation. The serial number displayed on the white label affixed to the outer box will be that of the FWSM. Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with the supplier that they shipped the box with the courier company that delivered the box and that the consignment note number for the shipment matches that used on the delivery. Also verify that the serial numbers of the items shipped match the serial numbers of the items delivered. This verification should be performed by some mechanism that was not involved in the actual equipment delivery, for example, phone/FAX or other online tracking service.

Step 6 Once the FWSM is unpacked, inspect the unit. Verify that the serial number displayed on the unit itself matches the serial number on the shipping documentation and the invoice. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 7 There are three alternatives for obtaining a Common Criteria evaluated software image:

Download a Common Criteria evaluated software image file from Cisco.com onto a trusted computer system. To access this site, you must be a registered user and you must be logged in. Software images are available from Cisco.com at the following URL: http://www.cisco.com/public/sw-center/

The FWSM ships with a CD containing all current software images. The Common Criteria evaluated software image is available on this CD.

Customers can order a CD with all of the current software images from Cisco.com. There is a charge for this option.

Step 8 Download the c6svc-fwm-k9.3-1-3-17.bin file.

Step 9 Once the file is downloaded, verify that it was not tampered with by using an MD5 utility to compute an MD5 hash for the downloaded file and compare this with the MD5 hash for the image from the Certification Report published by CESG, which is available on its website. If the MD5 hashes do not match, contact Cisco TAC. The MD5 hash for this FWSM version is "9e68c34a7fcb0fb093404e5db84bc56b."

Step 10 To copy the image that was downloaded from the web to flash, enter the following commands:

a. copy tftp://1.2.3.4/c6svc-fwm-k9.3-1-3-17.bin flash:

b. reload

Step 11 Start your FWSM. Confirm that your FWSM loads the image correctly and completes internal self-checks. At the prompt, enter the show version command. Verify that the version is correct. If the FWSM image fails to load, or if the FWSM version is not correct, contact Cisco TAC.

The following is sample output from the show version command, which displays the FWSM version:

hostname# show version

FWSM Firewall Version 3.1(3)17 <system>

Compiled on Tue 31-Oct-06 19:49 by dalecki

FWSM up 9 mins 0 secs
failover cluster up 9 mins 0 secs

Hardware:  WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash LEXAR ATA FLASH @ 0xc321, 20MB

 0: Int: Not licensed    : irq 5
 1: Int: Not licensed    : irq 7
 2: Int: Not licensed    : irq 11

Licensed features for this platform:
Maximum Interfaces : 1000
Inside Hosts       : Unlimited
Failover           : Active/Active
VPN-DES            : Enabled
VPN-3DES-AES       : Enabled
Cut-through Proxy  : Enabled
Guards             : Enabled
URL Filtering      : Enabled
Security Contexts  : 250
GTP/GPRS           : Disabled
VPN Peers          : Unlimited

Serial Number: SBQ1234567
Running Activation Key: <1 2 3 4 5>
Configuration has not been modified since last system restart.

Configuration Notes (IOS/Supervisor)

This section includes the following topics:

Saving Your Configuration

Service Password Encryption

Layer 2 Security

Layer 3 Security

Disabling the HTTP Server

Disabling SNMP Management

Disabling Source Routing

Enabling Time-Stamps

Command-Specific Events

Idle Time Outs

Setting the System Clock

Configuring Authentication on the Supervisor

Configuring Secure Shell

Configuring System Log Messaging from the Supervisor to PFSS

Saving Your Configuration

IOS uses both a running configuration and a starting configuration. Configuration changes affect the running configuration. To save that configuration, the running configuration (held in memory) must be copied to the start-up configuration. This may be achieved by either using the write memory command or the copy system:running-config nvram:startup-config command. These commands should be used frequently when making changes to the configuration of the IOS router. If the IOS router reboots and resumes operation when uncommitted changes have been made, these changes will be lost, and the IOS router will revert to the last saved configuration.

Service Password Encryption

Ensure all passwords on the local router are stored encrypted by entering the following commands:

Router# configure terminal
Enter configuration commands (one per line). End with Ctrl + Z.
Router(config)# service password-encryption

Layer 2 Security

To maintain the integrity of configured VLANs, implement the following guidelines:

Enable port security, and disable the Spanning Tree Protocol (STP) for all ports that do not require STP. For more information, see http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a0080150bcd.html

When using the "portfast" feature in an STP configuration, enable BPDU guard so that the port maintains a secure state when it enters the forwarding state. For more information, see http://www.cisco.com/warp/public/473/65.html

When using STP, enable the "root guard" enhancement. For more information, see http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

To implement these features and prevent VLAN hopping, use the following commands on each port enabled in access mode:

hostname(config)# interface GigabitEthernet 1/10
hostname(config-if)# switchport
hostname(config-if)# switchport mode access
hostname(config-if)# switchport access vlan


Note The vlan parameter in the previous line should not be specified as VLAN 1.


hostname(config-if)# switchport trunk native vlan


Note The vlan parameter in the previous line should not be specified as VLAN 1.


hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport nonegotiate 
hostname(config-if)# no ip address
hostname(config-if)# no cdp enable
hostname(config-if)# no udld port
hostname(config-if)# spanning-tree portfast
hostname(config-if)# spanning-tree bpduguard enable
hostname(config-if)# vtp mode transparent
hostname(config)# no mls qos

Warning The use of VLAN 1 for in-band management traffic is prohibited in the evaluated configuration. The administrator must define a dedicated VLAN that keeps management traffic separate from user data and protocol traffic. The one exception is FWSM maintenance that requires booting to the FWSM Maintenance Partition and transferring files between the FWSM Maintenance Partition and another host. The FWSM Maintenance Partition can only communicate on VLAN 1, so VLAN 1 must be enabled on the Supervisor to support communication over VLAN 1 between the FWSM Maintenance Partition and the trusted remote host.

Prune VLAN 1 from all the trunks and from all the access ports that do not require it (including unconnected and shutdown ports).

Do not configure the management VLAN on any trunk or access port that does not require it (including unconnected and shutdown ports).


Layer 3 Security

IOS requires explicit ACLs to deny IP spoofing attempts and protect the PFSS and RADIUS/TACACS+ servers. Only one IP address can be assigned to an IOS interface in the evaluated configuration. It is not permitted for more than one interface of any type to have an IP address assigned to it, including any VLAN interface, Ethernet interface, or Loopback interface.


Warning Never assign IP addresses to a non-VLAN interface within IOS. Only VLAN interfaces can have assigned IP addresses. All traffic through the device must be inspected by at least one FWSM context, and specifying IP address on physical interfaces creates a potential routing of traffic from one physical interface to another, without forcing traffic to flow through the FWSM.


Use of more than one IP address within IOS would be necessary only when the FWSM is in multiple context mode. If more than one IP address is applied, then on every IOS interface that has an IP address assigned, apply an inbound ACL that does the following:

Explicitly permit traffic from specified source IPs to specified destination IPs.

If necessary, explicitly permit SSH traffic from a source host to the IP address of the IOS interface.

Never use the keyword any to specify a source or destination address range.

Explicitly deny all other traffic, and consider logging all other traffic with the log-input keyword on the ACE. When the Supervisor and FWSM are properly configured in the evaluated configuration, denying all other traffic through the interface should not affect the flow of network traffic, because all traffic needs to be routed through the FWSM.

Access control lists on the IOS must be configured to protect the PFSS (TCP system log message) traffic between the firewall contexts and the PFSS server. The IOS VLAN interface for the audit VLAN must have inbound and outbound ACLs applied. This ACL must also include permit statements for UDP system log messages to reach the PFSS from the Supervisor.
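The ACL rules above can be checked mechanically before a configuration is committed. The following is an added example, not part of the Cisco guide: it parses access-list entries in the form used in this section, flags any permit entry that uses the keyword any, and requires a final explicit deny with log-input. The sample configuration is constructed from the PFSS entries shown in this section plus one deliberately non-compliant ACL; the assumption that the closing deny entry is the one place any may appear is the author's, not the guide's.

```python
import re

# Matches IOS extended ACL entries as written in this guide. The optional
# "hostname(config)# " prompt is accepted so a pasted CLI session parses too.
ACL_RE = re.compile(
    r"^(?:hostname\(config\)#\s*)?access-list\s+(?P<num>\d+)\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)

def parse_acls(config: str) -> dict:
    """Group ACL entries by ACL number, preserving order of appearance."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m["num"], []).append(m.groupdict())
    return acls

def check_acl(entries: list) -> list:
    """Return the evaluated-configuration rules this ACL violates."""
    problems = []
    last = entries[-1]
    # Rule: end with an explicit deny that logs matches with log-input.
    if last["action"] != "deny" or "log-input" not in last["rest"]:
        problems.append("no explicit final 'deny ... log-input' entry")
    # Rule: permit entries name specific hosts or ranges, never the keyword any.
    # Assumption: the closing deny entry is exempt, since it covers all other traffic.
    checked = entries[:-1] if last["action"] == "deny" else entries
    for i, e in enumerate(checked, 1):
        if re.search(r"\bany\b", e["rest"]):
            problems.append(f"entry {i} uses 'any' for a source or destination")
    return problems

# Constructed sample: this section's ACL 101 (PFSS TCP syslog and Supervisor UDP
# syslog) completed with a logged deny, beside a non-compliant ACL 110.
SAMPLE = """
hostname(config)# access-list 101 permit tcp 192.168.50.254 0.0.0.0 192.168.0.26 0.0.0.0 eq 1470
hostname(config)# access-list 101 permit udp 192.168.0.254 0.0.0.0 192.168.0.26 0.0.0.0 eq 514
hostname(config)# access-list 101 deny ip any any log-input
hostname(config)# access-list 110 permit tcp any 192.168.0.26 0.0.0.0 eq 22
"""

def audit(config: str = SAMPLE) -> dict:
    """Map each ACL number in config to its list of violations."""
    return {num: check_acl(entries) for num, entries in parse_acls(config).items()}

if __name__ == "__main__":
    for num, problems in audit().items():
        print(f"ACL {num}: " + ("compliant" if not problems else "; ".join(problems)))
```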

To add an ACL to allow traffic from the firewall to the PFSS server, enter the following command:

hostname(config)# access-list 101 permit tcp 192.168.50.254 0.0.0.0 192.168.0.26 0.0.0.0 eq 1470

To add an ACL to allow the UDP system log message to be sent from the Supervisor to the PFSS server, enter the following command:

hostname(config)# access-list 101 permit udp 192.168.0.254 0.0.0.0 192.168.0.26 0.0.0.0 eq 514

To allow return traffic from the PFSS server, enter the following command:

hostname(config)# access-list 102 permit tcp 192.168.0.26 0.0.0.0 192.168.50.254 0.0.0.0 gt 1024

To add an ACL to allow traffic from the firewall context to the RADIUS/TACACS+ server, enter the following commands:

hostname(config)# access-list 103 permit udp 192.168.50.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 1645
hostname(config)# access-list 103 permit udp 192.168.50.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 1646
hostname(config)# access-list 103 permit udp 192.168.50.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 49

To add an ACL to allow traffic from the Supervisor to the RADIUS/TACACS+ server, enter the following commands:

hostname(config)# access-list 103 permit udp 192.168.0.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 1645
hostname(config)# access-list 103 permit udp 192.168.0.254 0.0.0.0 192.168.26.2 0.0.0.0 eq 1646