Overview of Cisco Firewall MIB
==============================
This MIB Module models status and performance
statistics pertaining to the common features supported
by Cisco firewall implementations. For each firewall
feature, capability (if applicable) and statistics are
defined. Supporting the configuration of firewall
features is outside the scope of this MIB.
Following are the major firewall features:
1) 'Stateful Packet Filtering'
Creating and maintaining the state of authorized
traffic flows dynamically to permit only
flows authorized by the policy is a mandatory
function of a firewall.
This MIB instruments the activity and memory
usage by this function.
2) 'Application Inspection'
This refers to the function of inspecting the
headers of layer 3 and layer 4 protocols and
creating dynamic entries in the connection
table for traffic flows spawned by an already
established traffic flow.
This MIB reflects the protocols that are being
inspected.
3) 'URL Filtering'
This refers to the function of facilitating
or restricting URL access requests through
the firewall by consulting either local policy
or that configured on a dedicated URL filtering
server.
This MIB instruments the URL filtering activity,
the status and activity of distinct URL filtering
servers configured on the firewall and the
impact of the performance of the URL filtering
servers on the latency and throughput of the
firewall.
4) 'Proxy Authentication'
This refers to the function of authenticating
and/or authorizing users on behalf of servers
on the secure side of the firewall. This operation
could affect the throughput of the firewall.
The MIB objects pertaining to Proxy Authentication
will be defined in a subsequent revision of this
MIB.
5) 'Transparent Mode Operation'
A firewall could operate as a bridge and yet
filter traffic based on layer 3-layer 7 control
and payload information. Operating in this mode
makes it easy to implement a firewall without
fragmenting existing subnets. Another advantage
of this mode of operation is enhanced security.
This MIB instruments the status, activity,
and performance of the firewall in this mode.
Please note that to fully manage a firewall
operating in this mode, the firewall must also
support the bridge MIB (BRIDGE-MIB).
6) 'Advanced Application Inspection and Control'
This function is also termed 'Application
Firewall' and pertains to inspecting payload and
headers of application traffic to make sure the
traffic flows conform to the configured security
policy.
Monitoring this function entails identifying the
security alerts generated by this function and
measuring the impact on firewall performance by
this task. Application Firewall will be
instrumented in a separate MIB dedicated for the
function.
7) 'Failover' or 'Redundancy'
Redundancy configuration is essential for business
critical firewalls.
Instrumenting this function entails reflecting
the configuration of redundancy and identifying
failover events.
The MIB objects pertaining to this function
will be defined in a subsequent revision of this
MIB.
The management information for each firewall feature
is defined in a distinct module compliance unit. The
compliance units corresponding to basic features of
firewalls are defined as mandatory.
Acronyms
========
Following are definitions of some terms used in this
module. Please refer to the module conformance for a
glossary of feature-specific terms.
`Firewall'
A firewall is a set of related programs,
implemented on a host or a network device, that
protects the resources of a private network from
users on other networks. Common firewalling
functions include stateful packet filtering,
proxy authentication of users on behalf of
applications on the secure side of the firewall,
URL access control, and inspection of the payload
of traffic streams to detect security threats.
`Layer2 Firewall' or 'Transparent Firewall'
A firewall device that operates as a bridge
while performing firewalling function.
`Connection'
The record in the firewall of a traffic stream
that has been authorized to flow through the
firewall.
`Half Open Connection'
For a connection-oriented protocol: a connection
that has not reached the established state on both
sides of the connection.
For a connection-less protocol: the connection
corresponding to a traffic stream where traffic
flow has occurred (since the establishment of the
connection entry) in only one direction.
`Embryonic Connection'
The connection entry corresponding to an
application layer protocol in which the signaling
channel has been established while the setup of
the data channel is underway.
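The three connection states defined above (half open for connection-oriented and connection-less protocols, and embryonic) are what a monitoring system would count when watching a firewall's connection table. The following is an added example, not part of the MIB text: it classifies constructed connection-table records according to these definitions and reports the share of half-open entries, which is the figure an operator would trend to spot resource exhaustion. The record fields (`fwd_pkts`, `rev_pkts`, `established`, `data_channel_pending`) are assumptions for illustration, not MIB objects.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Connection:
    """One constructed connection-table entry (illustrative, not a MIB object)."""
    proto: str                         # "tcp" (connection-oriented) or "udp" (connection-less)
    fwd_pkts: int                      # packets seen initiator -> responder
    rev_pkts: int                      # packets seen responder -> initiator
    established: bool = False          # TCP: handshake completed on both sides
    data_channel_pending: bool = False # app-layer signaling up, data channel still being set up


def classify(conn: Connection) -> str:
    """Map a record to 'embryonic', 'half-open' or 'established' per the MIB glossary."""
    if conn.data_channel_pending:
        # Embryonic: signaling channel established, data channel setup underway
        return "embryonic"
    if conn.proto == "tcp":
        # Connection-oriented: half open until established on both sides
        return "established" if conn.established else "half-open"
    # Connection-less: half open while traffic has flowed in only one direction
    if conn.fwd_pkts > 0 and conn.rev_pkts > 0:
        return "established"
    return "half-open"


def summarize(conns):
    """Count entries per state; the half-open count is the one worth trending."""
    return Counter(classify(c) for c in conns)


def half_open_ratio(conns) -> float:
    counts = summarize(conns)
    total = sum(counts.values())
    return counts["half-open"] / total if total else 0.0


# Constructed sample table: 3 established TCP, 5 TCP stuck mid-handshake,
# 1 one-way UDP, 1 two-way UDP, 1 FTP-style entry awaiting its data channel.
SAMPLE = (
    [Connection("tcp", 10, 8, established=True)] * 3
    + [Connection("tcp", 1, 0)] * 5
    + [Connection("udp", 4, 0), Connection("udp", 4, 3)]
    + [Connection("tcp", 6, 5, established=True, data_channel_pending=True)]
)

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)), round(half_open_ratio(SAMPLE), 3))
```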
`Policy'
An element of firewall configuration that
identifies the access rights to a resource by a
traffic source. An example of a policy is an
Access Control Rule.
`Policy Target'
An entity to which a policy is applied so that
the action corresponding to the policy is taken
only on traffic streams associated with the
entity. An example of a policy target is an
interface.
`URL Filtering Server'
A server which is employed by the firewall to
enforce URL access policies.
`Protocol Data Unit' or PDU
A single instance of the unit of information by
means of which a protocol operates is called the
Protocol Data Unit, or PDU, of the protocol.
`Deep Packet Inspection'
The task of examining the contents of the payloads
of one or more layer 7 application protocols
with a view to enforcing the local security
policies is termed 'Deep Packet Inspection'.
`Advanced Application Inspection and Control'
An entity that performs deep packet inspection
of layer 7 application protocol data units is
termed an 'Application Firewall'; this function is
also known as 'Advanced Application Inspection and
Control' (see feature 6 above).