Intrusion protection
Configuring firewall rules
Firewall rules provide the ability to configure IP table rules to control access to the VCS at the IP level. On
the VCS, these rules have been classified into groups and are applied in the following order:
n
Dynamic system rules: these rules ensure that all established connections/sessions are maintained. They
also include any rules that have been inserted by the automated detection feature as it blocks specific
addresses. Finally, it includes a rule to allow access from the loopback interface.
n
Non-configurable application rules: this incorporates all necessary application-specific rules, for example to
allow SNMP traffic and H.323 gatekeeper discovery.
n
User-configurable rules: this incorporates all of the manually configured firewall rules (as described in this
section) that refine — and typically restrict — what can access the VCS. There is a final rule in this group
that allows all traffic destined for the VCS LAN1 interface (and the LAN 2 interface if the
Advanced
Networking
option key is installed).
There is also a final, non-configurable rule that drops any broadcast or multicast traffic that has not already
been specifically allowed or denied by the previous rules.
By default any traffic that is destined for the specific IP address of the VCS is allowed access, but that traffic
will be dropped if the VCS is not explicitly listening for it. You have to actively configure extra rules to lock
down the system to your specifications.
Note that return traffic from outbound connections is always accepted.
User-configured rules
The user-configured rules are typically used to restrict what can access the VCS. You can:
n
Specify the source IP address subnet from which to allow or deny traffic.
n
Choose whether to drop or reject denied traffic.
n
Configure well known services such as SSH, HTTP/HTTPS or specify customized rules based on
transport protocols and port ranges.
n
Configure different rules for the LAN 1 and LAN 2 interfaces (if the
Advanced Networking
option key is
installed), although note that you cannot configure specific destination addresses such as a multicast
address.
n
Specify the priority order in which the rules are applied.
Setting up and activating firewall rules
The
Firewall rules configuration
page is used to set up and activate a new set of firewall rules.
The set of rules shown will initially be a copy of the current active rules. (On a system where no firewall rules
have previously been defined, the list will be empty.) If you have a lot of rules you can use the
Filter
options
to limit the set of rules displayed. Note that the built-in rules are not shown in this list.
You can then change the set of firewall rules by adding new rules, or by modifying or deleting any existing
rules. Any changes made at this stage to the current active rules are held in a pending state. When you have
completed making all the necessary changes you can activate the new rules, replacing the previous set.
Cisco VCS Administrator Guide (X8.1.1)
Page 34 of 507
Network and system settings
Intrusion protection