These release notes describe the features and caveats for Cisco Centri Firewall version 4.0 up to and including version 4.0.1(110).
These release notes discuss the following topics:
The Cisco Centri Firewall documentation set includes the following documents:
This release supports single-processor, Pentium and higher, Intel-based microcomputers running the Microsoft Windows NT 4.0 operating system and Service Pack 2 (English version only).
For the Japanese version of Windows NT 4.0, the Japanese version of Service Pack 3 is required.
This release requires a minimum of 32 MB of RAM.
This section defines the new software features provided by Centri Firewall version 4.0.1(110).
When you have applied a security policy to your domain, Centri Firewall makes sure that any domain user trying to access services through the firewall has permission by enforcing out-of-band user authentication. For this reason, you need to configure all clients on the domain to start up a logon script, which is a batch or executable file that runs automatically when a user logs on. This logon script, which is invisible to the user, must start the userauth program included with Centri Firewall so that the required out-of-band user authentication works properly.
We recommend that you install userauth on the domain controller and that you configure a logon script for each user who needs to meet the out-of-band authentication requirement. If your domain incorporates multiple domain controllers, then you must install the logon script on each domain controller and install userauth on the primary domain controller.
The command-line parameters for userauth are as follows:
For example, if your firewall machine is named "Centri," then the command-line parameters are as follows:
To configure userauth and a logon script for domain authentication, perform the following steps:
Step 1 On the domain controller, use Windows NT Explorer to create an executable directory (such as c:\firewall), copy userauth.exe from the bin directory of the firewall into that directory, and then share that directory as Firewall.
Step 2 Using a text editor such as Notepad, create a file named Firewall.bat in the %systemroot%\system32\repl\import\scripts directory of the domain controller.
Step 3 On the first line of the file, type REM For firewall authentication.
Step 4 On the second line of the file, type \\PDC\Firewall\userauth.exe Centri, where PDC is the name of the primary domain controller and Centri is the name of your firewall.
On the domain controller, you must then enable the logon script for each user who needs to meet the out-of-band authentication parameters. Perform the following steps:
Step 1 Click Start, point to Programs and then Administrative Tools (Common), and click User Manager.
The User Manager displays.
Step 2 In the list of users in the User Manager, double-click a username.
The User Properties box displays.
Step 3 In the User Properties box, click Profile.
The User Environment Profile box displays.
Step 4 In the Logon Script Name box, type Firewall.bat and then click OK for both the User Environment Profile box and the User Properties box.
For more information about logon scripts, refer to your Windows NT documentation.
For complete installation instructions, refer to the Cisco Centri Firewall Installation Guide. The following list identifies issues that you should be aware of before attempting to install the product:
\Explorer directory on the Cisco Centri Firewall CD-ROM.
This section describes the issues that you should understand before using the Cisco Centri Firewall, version 4.0.1(110) software.
Once Centri Firewall is installed, modifications to the local network stack addresses made using the Network applet in the Control Panel will have no effect on the system. To make modifications to these addresses and any installed IP addresses, use the Centri Firewall user interface.
Once Centri Firewall is installed, modifications to the routing rules on the firewall server made using the route command will have no effect on the system. To make modifications to the routing rules for the firewall server, use the Centri Firewall user interface.
If your Centri Firewall server stops sending traffic under high loads, the firewall server may be running low on Non-paged pool. To increase the Non-paged pool, perform the following procedure:
Step 1 To start the Registry editor, click Run on the Start menu and type regedt32. Press Enter.
Step 2 Select the following Registry entry from the HKEY_LOCAL_MACHINE key:
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\NonPagedPoolSize
Step 3 Change the value of this entry to the appropriate value from the following table, choosing the row that matches the physical memory installed in your firewall server; the Decimal and Hex columns give the same value in each radix. The maximum Non-paged pool allowed is 128 MB decimal or 8000000 hex.
| Physical Memory in Firewall Server | Decimal Radix | Hex Radix |
|---|---|---|
| 32 MB | 8388608 | 800000 |
| 64 MB | 25165824 | 1800000 |
| 96 MB | 41943040 | 2800000 |
| 128 MB | 58720256 | 3800000 |
Microsoft Internet Explorer, version 4.0, uses the HTTP 1.1 protocol. Because Centri Firewall 4.0.1 (110) does not support the HTTP 1.1 protocol, any clients behind the firewall server that use the default configuration of Microsoft Internet Explorer, version 4.0, cannot communicate with the firewall. To allow users of this browser to interoperate with Centri Firewall, perform the following procedure for each client on which the browser is installed:
Step 1 Start Microsoft Internet Explorer.
Step 2 On the View menu, click Internet Options.
The Internet Options property panel displays.
Step 3 Click the Advanced tab.
The panel displays a list of categories and options for configuring the browser.
Step 4 In the list of options, scroll to the HTTP 1.1 settings category and verify that the Use HTTP 1.1 option is not selected.
Step 5 To close the Internet Options property panel and save your changes, click OK.
Do not back up the Centri Firewall Security Knowledge Base using a remote administrative interface.
You should set up your system configuration, and then you should back up this information by clicking Backup on the File menu. Procedures for backing up and restoring the firewall system are provided in the online help system (click Help Topics on the Help menu).
The default security policies applied during the Centri Setup program do not include default inbound security policies. To enable incoming communications, such as e-mail addressed to your network users from the Internet, you must apply a security policy to the Internet node on the Networks tree.
If your firewall services heavy traffic loads, you should reduce the level of audit records maintained in the Security Knowledge Base. Under sustained heavy loads, detailed audit records can overload the Security Knowledge Base, which can cause throughput problems that lead to slower performance.
Network services and applications that require dynamic port assignments (negotiated ports) to set up a session do not work unless a kernel proxy that understands the negotiation has been provided. The generic TCP and UDP proxies do not support negotiated ports; currently, only the FTP kernel proxy does.
Default network services are not defined for NetBIOS and many frequently used network services in the Microsoft networking environment.
You should review the disk space requirement in the CentriServer node of the Networks tree. Otherwise, the firewall server may run out of disk space and shut down. The default value is 488 MB.
If you use an exposed service to communicate with an FTP server, you cannot perform FTP queries from a client that resides on the same site as the FTP server. Such clients should communicate directly with that FTP server rather than passing through the Centri Firewall server.
During system boot, the domain controller cannot be found initially. This lack of connectivity is normal; once the firewall services are started, you can connect to the domain controller normally.
Do not define routing rules for the local stack. The routing rules for the local stack are defined by the firewall. If you change or define new routing rules for the local stack, the firewall may cease to function.
If you are running the network services in proxy mode and you have services that typically involve multiple network services, such as HTTP using FTP and SSL, these additional services are controlled by security policies that enforce specific rules for those services. In other words, a security policy that handles each of these additional services must include a separate set of rules for each of them (such as FTP and SSL), or another security policy must be used to control communications using these additional network services.
If you change the name of the computer (Windows NT computer name) after you install Centri Firewall, or you remove the user account that you used to install Centri Firewall, you cannot remove the software automatically. To remove the software after you change the computer name, you must remove the files and Registry entries manually using a user account with administrative privileges. The following procedure describes this process:
Step 1 Delete the Centri root directory and all files listed in that directory.
Step 2 Delete the fw.sys file located in %SystemRoot%\system32\drivers\.
Step 3 Delete the following Registry keys found under the HKEY_LOCAL_MACHINE key:
SOFTWARE\Cisco Systems\Centri
SYSTEM\CurrentControlSet\Services\Fw
SYSTEM\CurrentControlSet\Services\FwAdapter
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Cat.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Centri v4.0
Step 4 In addition, from the Network applet in the Control Panel, click the Bindings tab to force a recalculation of the network bindings. You must reboot your computer when this recalculation is completed.
S/Key authentication is not supported by the HTTP kernel proxy.
Gopher is not supported in HTTP proxy mode.
If you add a rule to the HTTP filter list, it takes effect very quickly. However, if you remove a rule from the filter list, the time it takes to take effect varies and can be up to several hours; it depends on the size of the list and the speed of your DNS lookups.
If the HTTP authentication setting is "strict" and a user requests a page on WebServerA that makes requests to WebServerB, then the user will be required to authenticate twice, once for WebServerA and once for WebServerB.
In proxy mode, the deny message does not display.
Centri Firewall does not support passive-mode FTP.
The command set should include support for blank entries that do not display the help information, as well as several control key options that support word and line erasures and quitting.
In proxy mode, the welcome and prompt strings do not display.
Standalone IP kernel proxies do not work; if you define one, it does not take effect.
If you apply any security policies to a Windows NT domain, User account, or Group account and the firewall server cannot contact the domain controller or it is unavailable, then no communication requests are processed by the firewall server. Once communication has been re-established with the domain controller, basic communication through the firewall resumes.
If you design a security policy that does not contain a network service (e.g., if (time condition) then Accept or if (destination = X) then Accept), then the security kernel automatically assigns a "Reject" security policy because it cannot determine which kernel proxies to start. The fact that it is automatically rejected is not reflected in the Policy Builder control.
By default, no audit records are stored (including detailed statistics). You must enable the logging of audit records before you can use the reporting features. You should enable only those audit records that are required by your organization's security policy.
While the following case can appear for any service under high loads, you will see it most often with HTTP. Under high loads, warning messages are often generated stating that a session was denied. These warning messages look like attacks, but they are actually late-arriving packets for a session that has already been closed or completed. The telltale signs are a source address belonging to a valid server that was contacted on port 80 and a destination address belonging to a valid internal client that is permitted to initiate an HTTP session.
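As an added illustration of this caveat (not part of the original release notes, and not Cisco code), the following Python sketch separates denied-session warnings that match a recently closed HTTP session from those that merit investigation. The audit-record format, the internal address prefix and the 120-second grace window are constructed assumptions, since the release notes do not show the real record layout.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit records: "<ISO time> <CLOSE|DENY> <src>:<sport> -> <dst>:<dport>".
# The real Centri audit-record layout is not shown in the release notes.
SAMPLE_LINES = [
    "1998-03-02T10:15:01 CLOSE 10.1.0.25:1042 -> 192.0.2.10:80",   # client finished a web session
    "1998-03-02T10:15:03 DENY 192.0.2.10:80 -> 10.1.0.25:1042",    # straggler reply, 2 s later
    "1998-03-02T10:15:04 DENY 198.51.100.7:80 -> 10.1.0.30:1055",  # no matching closed session
    "1998-03-02T10:40:00 DENY 192.0.2.10:80 -> 10.1.0.25:1042",    # same tuple, far too late
]

INTERNAL_PREFIX = "10.1."              # constructed: address range of the protected clients
LATE_WINDOW = timedelta(seconds=120)   # constructed: how long after close a straggler is plausible


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """Same connection seen from the other side (server -> client)."""
        return Flow(self.dst, self.dport, self.src, self.sport)


def parse(line: str):
    ts, kind, s, _, d = line.split()
    src, sport = s.rsplit(":", 1)
    dst, dport = d.rsplit(":", 1)
    return datetime.fromisoformat(ts), kind, Flow(src, int(sport), dst, int(dport))


def triage(lines):
    """Label each DENY record as 'late-packet' or 'investigate'.

    A DENY is a late packet when it is a reply from a server that was contacted
    on port 80, addressed to an internal client, and the matching session was
    closed less than LATE_WINDOW ago. Everything else deserves a look.
    """
    closed = {}   # server->client flow of each closed session -> close time
    verdicts = []
    for line in lines:
        ts, kind, flow = parse(line)
        if kind == "CLOSE":
            closed[flow.reverse()] = ts
        elif kind == "DENY":
            last_close = closed.get(flow)
            http_reply_to_client = flow.sport == 80 and flow.dst.startswith(INTERNAL_PREFIX)
            if last_close is not None and http_reply_to_client and ts - last_close <= LATE_WINDOW:
                verdicts.append((line, "late-packet"))
            else:
                verdicts.append((line, "investigate"))
    return verdicts
```

Running `triage(SAMPLE_LINES)` labels only the first DENY as a late packet; the other two keep their warning status.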
All activities of non-HTTP protocols that operate over HTTP are reported as part of HTTP if running in proxy mode. If they are not in proxy mode, then individual reports are generated for each network service, such as SSL.
Summary reports behave differently from detailed reports. If you generate a summary report from one "hour" through "now" (the current time), the current hour's report is generated, even if the current hour has just begun. The same holds for the time range "1 day," which starts at 12:00 a.m.: if the current time is 9:00 a.m. and you request a summary report for "1 day," you get a summary of the data from midnight until 9:00 a.m. If you want a summary report from 9:00 a.m. yesterday until the current time, use "24 hours" instead of "1 day." Detailed reports, however, do not round off to the beginning of the time interval (hour/day/week); a detailed report for "1 day" generates the same report as one for "24 hours."
To change the port on which the Centri Examining agent listens (by default, TCP port 8080), you must delete the Centri Examiner network service and create a new Centri Examiner service that requires a different port number. Once this network service is created, you must direct the built-in browser to the new port number by editing the value that is assigned in the HTML Report box on the Options dialog box, which is accessed by clicking Options on the Tools menu. A secondary effect of this issue occurs when you are trying to use the remote administrative interface. To get the correct information, you must direct the remote administrative interface to the firewall server (by clicking Options on the Tools menu), but you do not need to change the port on which the Centri Examiner service listens unless you have changed it on the firewall server due to a conflict of services. However, you must configure Microsoft Internet Explorer on the Remote Administrative Interface computer to bypass the proxy server for local (intranet) addresses. This configuration ensures that requests to the Examining agent are processed correctly.
When you make changes in the user interface, you must click OK to commit the changes. Once the changes are committed, the view area grays out. Unless otherwise noted, you must also click Save on the File menu to save all committed changes.
Under very heavy loads, it is possible to start multiple instances of the user interface. If you start the user interface and see the hourglass for five seconds, another instance of the user interface may have been detected running on a remote computer. If that other instance cannot reset the appropriate lock because of a heavy load on the Security Knowledge Base, the second instance may be allowed to start. If you do not see the hourglass for five seconds and the user interface begins loading, another instance is not running. Be aware of this possibility, because running multiple instances of the user interface can have serious repercussions for your security policies.
If you attempt to drag and drop a security policy onto an active network node that has its property sheet displaying in the View pane, the action will fail. You must deselect or close the active window before the drop operation will work.
If you rename an entry under the Services tree, any statistical data that you are generating for that service will be lost.
S/Key accounts cannot be extended using the Centri Firewall user interface. You must regenerate a new set of passwords.
The use of Cut, Copy, and Paste is not consistent.
The Undo and Redo options on the toolbar and in the Edit menu alter modifications to the Navigation pane only. They do not operate on the activities performed within the View pane.
Printing support is limited to the Navigation pane of the user interface. Support is not provided for entries in the View pane. Also, Print Preview may not preview correctly if you zoom in and out repeatedly.
If the URL location specified in the Options box (available under the Tools menu) is invalid, then the built-in browser control will crash. This problem exists within Microsoft Internet Explorer.
Some context-sensitive help topics are unavailable or apply to multiple controls.
This release of Centri Firewall was not tested with the English version of Windows NT Service Pack 3. You should use the English version of Windows NT Service Pack 2. If you choose to install Service Pack 3 on the firewall server after you install Centri Firewall, the firewall server will not operate correctly. (This notice does not apply to the Japanese version of Service Pack 3, which is required by Centri Firewall on the Japanese version of the Windows NT 4.0 operating system.)
This release does not support Microsoft Internet Information Server (IIS) on the native network stack (local stack). This caveat is related to the implementation of IIS, not to the design of Centri Firewall.
Remote Access Services (RAS) is not supported on the firewall server.
Because Progressive Networks' RealPlayer requires UDP connections (unlike RealAudio, in which UDP is optional), Cisco Systems, Inc. does not enable RealPlayer connections as part of the default security policy provided by the Centri Firewall Setup program. If you are using the Network Address Translation (NAT) feature, you will not be able to use RealPlayer.
SMC network adapter cards are not supported by this release of Centri Firewall. This problem is a result of SMC adapter driver implementations, not Centri Firewall.
Token Ring networks are not supported by this release of Centri Firewall.
This release has been tested only on single-processor computers (Intel-based). Multi-processor computers have not been tested.
This section describes the Centri Firewall code revision history.
Centri Firewall 4.0.1(110) fixes the following issues:
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more up to date than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback on the title bar, and then select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.