Cisco has developed a version of IOS that integrates security-specific features into the current IOS software. It is available only on some Cisco IOS devices.
NOTE The need to provide firewall functionality in existing router models led Cisco down the path of making IOS security aware. Not many folks think of Cisco as a software company, but in fact it sells more software than hardware.
The Cisco IOS Firewall feature set consists of the following:
■ Context-Based Access Control (CBAC) provides internal users with secure, per-application access control for all traffic across perimeters, such as between private enterprise networks and the Internet.
■ Java blocking protects against unidentified, malicious Java applets.
■ DoS detection and prevention defends router resources against common attacks by checking packet headers and dropping suspicious packets.
■ Audit trail details transactions, recording time stamp, source host, destination host, ports, duration, and the total number of bytes transmitted.
■ Real-time alerts log an alert when a DoS attack or another preconfigured condition is detected.
You can use the Cisco IOS Firewall feature set to configure your Cisco IOS router in any of the following roles:
■ An Internet firewall
■ A firewall between groups in your internal network
■ A firewall providing secure connections to or from branch offices
■ A firewall between your company's network and your company's partners' networks
For example, with the Cisco IOS Firewall authentication proxy, a user is authenticated over HTTP, and per-user access lists are then downloaded from a AAA server to authorize or reject that user's connections. The Cisco IOS Firewall feature set has many different applications in today's IP networks.
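The exchange just described, as an added configuration example that is not part of the original text: the router's HTTP server presents the login page, a TACACS+ server performs the authentication and returns the per-user access-list entries, and the proxy inserts those entries into the interface ACL in front of the final deny. The interface, addresses, TACACS+ key, rule name and ACL contents are all assumptions for illustration.

```cisco
! AAA: authenticate users against a TACACS+ server and let the same
! server return the per-user authorization (access-list) entries
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.10
tacacs-server key cisco123

! The proxy serves its login page from the router's HTTP server, which
! must itself authenticate through AAA rather than the enable password
ip http server
ip http authentication aaa

! Authentication proxy rule WEBAUTH (assumed name): intercept HTTP and
! cache a successful login for 30 minutes of inactivity
ip auth-proxy auth-cache-time 30
ip auth-proxy name WEBAUTH http

! Inbound ACL on the inside interface (assumed contents): unauthenticated
! users may only resolve names and reach the router's login page; the
! entries downloaded from the AAA server are added above the final deny
access-list 120 permit udp 10.1.1.0 0.0.0.255 any eq domain
access-list 120 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq www
access-list 120 deny ip any any

interface Ethernet0/0
 description inside (assumed)
 ip address 10.1.1.1 255.255.255.0
 ip access-group 120 in
 ip auth-proxy WEBAUTH
```

After a user logs in, show ip auth-proxy cache lists the authenticated host and its remaining cache time, and show ip access-lists 120 shows the dynamic entries the proxy inserted for that user; when the cache entry expires, those entries are removed and the next HTTP request is intercepted again.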
CBAC provides secure, per-application access control across the network. CBAC is designed to enhance security for TCP and UDP applications, and supports protocols such as H.323, RealAudio, and SQL-based applications, to name a few.
CBAC can filter TCP/UDP packets based on application layer, transport layer, and network layer protocol information. Traffic is inspected for sessions that originate on a given interface, including traffic flowing through the firewall. CBAC can inspect FTP, TFTP, or SMTP traffic. Early releases of CBAC did not inspect ICMP packet flows; ICMP inspection was added in later releases, so that network administrators can debug network issues with ICMP without opening a path for intruders: Cisco IOS Firewall uses stateful inspection to trust ICMP messages generated within the private network and to permit only the associated ICMP replies.
An administrator can also open and close holes in the firewall manually (the equivalent of configuring conduits on a PIX Firewall, for example) to test the security of a network.
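To tie the bullets above to real configuration, here is an added CBAC example; it is not from the original text. It inspects outbound sessions from the inside interface (FTP and SMTP at the application layer, HTTP with Java blocking, generic TCP and UDP for everything else), blocks Java applets except from one trusted site, sets the half-open session thresholds used for DoS detection, and turns on the audit trail and real-time alerts. The interface names, addresses, ACL numbers and the inspection rule name OUTBOUND are assumptions.

```cisco
! Java blocking: standard ACL 51 lists the "friendly" sites whose applets
! are allowed through; applets from any other source are dropped
! (192.0.2.10 is an assumed trusted web server)
access-list 51 permit 192.0.2.10
access-list 51 deny any

! Inbound ACL on the outside interface: deny everything by default.
! CBAC adds temporary entries to this ACL for the return traffic of
! sessions it has inspected, so nothing else needs to be opened statically.
! The ICMP lines let replies to inside troubleshooting come back.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny ip any any

! Audit trail (time stamp, hosts, ports, duration, byte counts per session)
! and real-time alerts; alerts are on by default, stated explicitly here
ip inspect audit-trail
no ip inspect alert-off

! DoS detection: when half-open sessions exceed the high-water mark,
! CBAC deletes them until the count drops below the low-water mark;
! a single host with more than 50 half-open TCP sessions is throttled
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect tcp synwait-time 20

! Inspection rule OUTBOUND (assumed name)
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND http java-list 51
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp

interface Ethernet0/0
 description inside (assumed)
 ip address 10.1.1.1 255.255.255.0
 ip inspect OUTBOUND in

interface Serial0/0
 description outside (assumed)
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
```

Order matters: the protocol-specific entries (ftp, smtp, http) are listed before the generic tcp entry so that a session matches the application-layer inspection rather than the generic one. show ip inspect sessions lists the sessions currently being tracked, show ip inspect config prints the rule and thresholds, and show ip access-lists 101 shows the temporary entries CBAC has inserted for return traffic; those entries disappear when the session ends or idles out.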
The following list provides samples of protocols supported by CBAC:
■ Java Blocking
The other major benefits of the Cisco IOS Firewall feature set include the following:
■ An integrated solution: existing investments in Cisco IOS routers do not require a separate PIX Firewall.
■ No new hardware is required (just a software upgrade).
■ Full IP routing capabilities are retained.
■ Cisco customers are already familiar with the IOS command structure.
Routers running the Cisco IOS Firewall feature set should still maintain the same security policies described in Chapter 7, "Network Security Policies, Vulnerabilities, and Protection," such as password encryption and disabling nonessential services such as HTTP or DHCP.