CISCO-UNIFIED-FIREWALL-MIB
Overview of Cisco Firewall MIB ============================== This MIB Module models status and performance statistics pertaining to the common features supported by Cisco firewall implementations. For each firewall feature, capability (if applicable) and statistics are defined. Supporting the configuration of firewall features is outside the scope of this MIB. Following are the major firewall features: 1) 'Stateful Packet Filtering' Creating and maintaining the state of authorized traffic flows dynamically to permit only flows authorized by the policy is a mandatory function of a firewall. This MIB instruments the activity and memory usage by this function. 2) 'Application Inspection' This refers to the function of inspecting the headers of layer 3 and layer 4 protocols and creating dynamic entries in the connection table for traffic flows spawned by an already established traffic flow. This MIB reflects the protocols that are being inspected. 3) 'URL Filtering' This refers to the function of facilitating or restricting URL access requests through the firewall by consulting either local policy or that configured on a dedicated URL filtering server. This MIB instruments the URL filtering activity, the status and activity of distinct URL filtering servers configured on the firewall and the impact of the performance of the URL filtering servers on the latency and throughput of the firewall. 4) 'Proxy Authentication' This refers to the function of authenticating and/or authorizing users on behalf of servers on the secure side of the firewall. This operation could affect the throughput of the firewall. The MIB objects pertaining to Proxy Authentication will be defined in a subsequent revision of this MIB. 5) 'Transparent Mode Operation' A firewall could operate as a bridge and yet filter traffic based on layer 3-layer 7 control and payload information. Operating in this mode makes it easy to implement a firewall without fragmenting existing subnets. Another advantage of this mode of operation is enhanced security. This MIB instruments the status, activity, and performance of the firewall in this mode. Please note that to fully manage a firewall operating in this mode, the firewall must also support the bridge MIB (BRIDGE-MIB). 6) 'Advanced Application Inspection and Control' This function is also termed 'Application Firewall' and pertains to inspecting payload and headers of application traffic to make sure the traffic flows conform to the configured security policy. Monitoring this function entails identifying the security alerts generated by this function and measuring the impact on firewall performance by this task. Application Firewall will be instrumented in a separate MIB dedicated for the function. 7) 'Failover' or 'Redundancy' Redundancy configuration is essential for business critical firewalls. Instrumenting this function entails reflecting the configuration of redundancy and identifying failover events. The MIB objects pertaining to Proxy Authentication will be defined in a subsequent revision of this MIB. The management information for each firewall feature is defined in a distinct module compliance unit. The compliance units corresponding to basic features of firewalls are defined as mandatory. Acronyms ======== Following are definitions of some terms used in this module. Please refer to the module conformance for a glossary of feature-specific terms. `Firewall' A firewall is a set of related programs, implemented on a host or a network device, that protects the resources of a private network from users from other networks. Common firewalling functions include stateful packet filtering, proxy authentication of users on behalf of applications on the secure side of the firewall, URL access control, inspection of payload of traffic streams to determine security threats. `Layer2 Firewall' or 'Transparent Firewall' A firewall device that operates as a bridge while performing firewalling function. `Connection' The record in the firewall of a traffic strean that has been authorized to flow through the firewall. `Half Open Connection' For a connection oriented protocol: a connection that has not reached the established on both the sides of the connection. For a connection-less protocol: the connection corresponding to a traffic stream where traffic flow has occurred (since the establishment of the connection entry) only on one direction. `Embryonic Connection' The connection entry corresponding to an application layer protocol in which the signaling channel has been established while the setup of the data channel is underway. `Policy' An element of firewall configuration that identifies the access rights to a resource by a traffic source. An example of a policy is an Access Control Rule. `Policy Target' An entity to which a policy is applied so that the action corresponding to the policy is taken only on traffic streams associated with the entity. An example of a policy target is an interface. `URL Filtering Server' A server which is employed by the firewall to enforce URL access policies. `Protocol Data Unit' or PDU An instance of the unit of information using which a protocol operates is called the Protocol Data Unit or the PDU of the protocol. `Deep Packet Inspection' The task of examining the contents of the payloads of one or more layer 7 application protocols with a view to enforcing the local security policies termed 'Deep Packet Inspection'. `Advanced Application Inspection and Control' An entity that performs deep packet inspection of layer 7 application protocol data units is termed an 'Application Firewall'.