System information
164 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys
• Firewall Policy—You can select from three different methods for administering the firewall policy for your VPN Client systems. Those methods are as follows:
— Policy Defined by Remote Firewall (AYT)—The user of the VPN Client system has established firewall policy settings for a personalized firewall that runs on the user’s system. That firewall can be a third-party firewall that works with the Cisco VPN Client and VPN concentrator. The VPN Client uses the Are You There (AYT) enforcement mechanism to periodically poll the firewall. If the firewall doesn’t respond to the periodic “Are you there?” messages, the VPN Client drops the connection to the VPN concentrator. A system administrator can initially configure and install the firewall for these users, but each user is allowed to configure his or her own policies beyond the initial settings. This option is available for use with the Network ICE BlackICE Defender, Zone Labs ZoneAlarm, and Zone Labs ZoneAlarm Pro firewall products.
— Policy Pushed (CPP)—When a corporation’s security policy mandates that all VPN Clients use the same firewall policy, the system administrator can configure the VPN concentrator to push a centralized, standardized firewall policy to each VPN Client, which then passes the policy on to the local firewall for enforcement. The administrator creates a set of traffic management rules on the VPN concentrator, associates the rules with a filter, and designates the filter as the firewall policy from the drop-down window for this attribute. This type of firewall policy management is called push policy or Central Protection Policy (CPP). This option is available for use with the Cisco Integrated Client Firewall, Zone Labs ZoneAlarm, and Zone Labs ZoneAlarm Pro firewall products.
— Policy from Server—You can use the Zone Labs Integrity Server (IS), a stand-alone firewall server, to manage firewall policy and enforcement through the VPN Client. A centralized firewall policy is maintained on the IS. The IS then pushes this policy to each monitored VPN Client host and then monitors the use of the policy on those hosts. The Zone Labs IS also communicates with the VPN concentrator to manage connections and share session, user, and status information. This option is only available for the Zone Labs Integrity Server firewall product.
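The two mechanisms above that do the actual enforcing, AYT liveness polling and a pushed (CPP) filter, are easy to misread as configuration checkboxes rather than running logic. The following Python model, added here as a teaching example and not code from Cisco, Zone Labs, or this book, shows both: a pushed filter as an ordered, first-match rule list with a default deny, and an AYT monitor that tears the tunnel down once the local firewall has missed a number of consecutive polls. The rule fields, the missed-poll threshold, the filter name, and the sample traffic are all assumptions; the real VPN Client message formats are not reproduced.

```python
"""Illustrative model of two VPN Client firewall-policy mechanisms:
AYT liveness polling and a pushed (CPP) rule set evaluated by the local
firewall.  Added teaching example, not Cisco or Zone Labs code; message
formats, field names, thresholds and sample traffic are all assumed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One traffic-management rule as an administrator might define it on
    the concentrator (assumed field set: action, protocol, destination port)."""
    action: str                 # "permit" or "deny"
    protocol: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches any destination port

    def matches(self, protocol: str, dst_port: int) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        return self.dst_port is None or self.dst_port == dst_port


@dataclass
class PushedPolicy:
    """A filter (ordered rule list) pushed by the concentrator to the client.
    Rules are evaluated first-match; unmatched traffic gets the default action."""
    name: str
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "deny"

    def evaluate(self, protocol: str, dst_port: int) -> str:
        for rule in self.rules:
            if rule.matches(protocol, dst_port):
                return rule.action
        return self.default_action


class AytMonitor:
    """Models the Are You There enforcement loop: the client polls the local
    firewall at a fixed interval and drops the tunnel once the firewall has
    missed a configurable number of consecutive polls (threshold assumed)."""

    def __init__(self, max_missed: int = 3) -> None:
        self.max_missed = max_missed
        self.missed = 0
        self.tunnel_up = True

    def poll(self, firewall_answered: bool) -> bool:
        """Record one poll result; return True while the tunnel stays up."""
        if not self.tunnel_up:
            return False            # once dropped, a late answer does not revive it
        if firewall_answered:
            self.missed = 0
        else:
            self.missed += 1
            if self.missed >= self.max_missed:
                self.tunnel_up = False   # drop the VPN connection
        return self.tunnel_up


def run_scenarios():
    """Run both mechanisms on constructed inputs and return the outcomes."""
    policy = PushedPolicy("corp-cpp", [          # filter name assumed
        Rule("permit", "tcp", 443),
        Rule("permit", "udp", 53),
        Rule("deny", "tcp", 23),
    ])
    verdicts = {
        "https": policy.evaluate("tcp", 443),
        "dns": policy.evaluate("udp", 53),
        "telnet": policy.evaluate("tcp", 23),
        "smb": policy.evaluate("tcp", 445),      # no rule -> default deny
    }

    # Constructed AYT trace: firewall answers twice, then goes silent for
    # three polls, then answers again (too late).
    monitor = AytMonitor(max_missed=3)
    trace = [True, True, False, False, False, True]
    states = [monitor.poll(answered) for answered in trace]
    return verdicts, states


if __name__ == "__main__":
    verdicts, states = run_scenarios()
    for name, verdict in verdicts.items():
        print(f"{name:7s} -> {verdict}")
    print("tunnel state per poll:", states)
```

The default-deny fall-through is the part worth checking in a real CPP filter: a rule list that permits what the administrator thought of and silently passes everything else gives the opposite of the centralized policy the text describes. The monitor's refusal to come back up on a late answer reflects the text's behaviour (the client drops the connection) rather than any documented reconnect logic.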
Modify Groups—HW Client Tab
Cisco VPN 3002 Hardware Clients provide additional authentication capabilities for peer and user authentication. The VPN 3002 Hardware Client communicates with the VPN concentrator to establish the tunnel, and the user systems connect to the hardware client via Ethernet connections. The user systems do not require the VPN Client.
chpt_04.fm Page 164 Friday, April 4, 2003 9:19 AM