Cisco IOS Firewall Security Feature

Cisco Systems has developed a version of IOS with security-specific features integrated into the current IOS software, marketed as the Cisco IOS Firewall feature set. It is available only on some Cisco IOS platforms.

NOTE The need to provide firewall functionality in existing router models led Cisco down a path of making IOS security aware. Not many folks think of Cisco as a software company, but, in fact, it sells more software than hardware.

The Cisco IOS Firewall feature set consists of the following:

• Context-based Access Control (CBAC) provides internal users with secure, per-application access control for all traffic across perimeters, such as between a private enterprise network and the Internet.

• Java blocking protects against unidentified, malicious Java applets.

• Denial-of-service detection and prevention defends router resources against common attacks by checking packet headers and dropping suspicious packets.

• Audit trail details transactions, recording the time stamp, source host, destination host, ports, session duration, and total number of bytes transmitted.

• Real-time alerts log alerts in the event of denial-of-service attacks or other preconfigured conditions.

You can use the Cisco IOS Firewall feature set to configure your Cisco IOS router as follows:

• An Internet firewall or part of an Internet firewall

• A firewall between groups in your internal network

• A firewall providing secure connections to or from branch offices

• A firewall between your company's network and your company's partners' networks

For example, with the Cisco IOS Firewall authentication proxy, a user is authenticated over HTTP and per-user access lists are then downloaded from the AAA server to permit or deny that user's connections. The IOS Firewall feature set has many different applications in today's IP networks.
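The authentication proxy flow described above, as an added configuration example (not taken from the original text): the router intercepts the user's first HTTP request, authenticates the user through TACACS+, and installs the per-user access list entries returned by the AAA server ahead of the interface ACL. The server address, key, interface names, addresses, and rule names are assumed values for illustration; the interface ACL shown is the minimal form and should be checked against the release notes for your IOS version.

```ios
! AAA: authenticate the HTTP login and authorize the auth-proxy ACL download
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.10.1.20
tacacs-server key EXAMPLE-SHARED-SECRET   ! assumed value
!
! The proxy uses the router's HTTP server for the login page; tie it to AAA
ip http server
ip http authentication aaa
!
! Auth-proxy rule: intercept HTTP, cache a successful login for 60 minutes
ip auth-proxy auth-cache-time 60
ip auth-proxy name HQ_USERS http
!
! Inside interface: traffic is denied by ACL 116 until the user logs in;
! entries downloaded from the AAA server are inserted ahead of the deny
interface Ethernet0
 description INSIDE (assumed)
 ip address 10.10.1.1 255.255.255.0
 ip access-group 116 in
 ip auth-proxy HQ_USERS
!
access-list 116 permit tcp 10.10.1.0 0.0.0.255 host 10.10.1.20 eq tacacs
access-list 116 deny ip any any
!
! On the TACACS+ server, the user profile carries the ACL to download, e.g.
!   service = auth-proxy { priv-lvl = 15
!     proxyacl#1 = "permit tcp any any eq 80"
!     proxyacl#2 = "permit tcp any any eq 443" }
```

After a user logs in, `show ip auth-proxy cache` lists the authenticated host and `show ip access-lists 116` shows the dynamically inserted per-user entries; they are removed again when the cache timer expires.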

CBAC provides secure, per-application access control across the network. CBAC is designed to enhance security for TCP and UDP applications, and supports protocols such as H.323, RealAudio, and SQL-based applications, to name a few.

CBAC can filter TCP and UDP packets based on application-layer, transport-layer, and network-layer protocol information. It inspects sessions that originate on a given interface and tracks the traffic flowing through the firewall. CBAC can inspect FTP, TFTP, or SMTP traffic, but it does not inspect ICMP packet flows.

CBAC dynamically opens and closes temporary openings in the firewall's access lists as sessions are established and torn down. The following list provides samples of protocols and features supported by CBAC:

• TCP and UDP sessions

• FTP, TFTP, and SMTP

• H.323, RealAudio, and SQL-based applications

• Java blocking
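A CBAC configuration that ties together the inspection, Java blocking, denial-of-service thresholds, audit trail, and alerting features discussed above, as an added example (not configuration from the original text). Interface names, addresses, the syslog host, rule names, and the threshold values are assumed for illustration; the principle shown is that the outside interface denies everything inbound except what CBAC opens for sessions started from the inside, plus ICMP return traffic, which must be permitted explicitly because CBAC does not inspect ICMP.

```ios
! Inspection rule applied to sessions initiated from the inside
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
ip inspect name FW_INSPECT ftp
ip inspect name FW_INSPECT tftp
ip inspect name FW_INSPECT smtp
ip inspect name FW_INSPECT h323
ip inspect name FW_INSPECT realaudio
ip inspect name FW_INSPECT sqlnet
! HTTP inspection with Java blocking: applets only from sites in ACL 51
ip inspect name FW_INSPECT http java-list 51
access-list 51 permit 10.20.0.0 0.0.255.255      ! assumed trusted Java sources
!
! Audit trail (per-session log records) and real-time alerts via syslog
ip inspect audit-trail
logging on
logging 10.10.1.50                                ! assumed syslog host
!
! Session timers and DoS (half-open session) thresholds - assumed values
ip inspect tcp synwait-time 30
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Outside inbound ACL: CBAC inserts temporary entries ahead of these;
! ICMP is not inspected, so the replies we need are permitted by hand
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny ip any any log
!
interface Ethernet0
 description INSIDE (assumed)
 ip address 10.10.1.1 255.255.255.0
 ip inspect FW_INSPECT in
!
interface Serial0
 description OUTSIDE (assumed)
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
```

To verify the behaviour, start a connection from an inside host and run `show ip inspect sessions`; the session appears while it is open and the matching temporary opening disappears from `show ip access-lists 101` once the idle timer expires. `show ip inspect config` confirms the thresholds, and the audit-trail and alert messages arrive on the syslog host.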

The other major benefits of the Cisco IOS Firewall feature set include the following:

• An integrated solution: no separate PIX Firewall is needed, protecting investments already made in Cisco IOS routers.

• No new hardware is required (just a software upgrade).

• Allows for full IP routing capabilities.

• Cisco customers are already familiar with the IOS command structure.

Cisco IOS Firewall-enabled routers should always maintain the same security policies described in Chapter 8, "Network Security Policies, Vulnerabilities, and Protection," such as password encryption and disabling nonessential services, such as Hypertext Transfer Protocol (HTTP) or Dynamic Host Configuration Protocol (DHCP).
