Standard and extended access lists

Standard and extended access lists are used for static filtering of traffic passing through the firewall.

Dynamic access lists

Dynamic access lists are used to temporarily open ports to allow specific traffic through the firewall. These ports are closed as soon as the session is completed.

Reflexive access lists

Reflexive access lists only allow access as long as the connection state remains active. Reflexive access lists cannot be used in conjunction with CBAC.
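The configuration below is an added example of a reflexive access list on an outside interface; it is not taken from this page or from Cisco documentation, and the interface name, list names and timeouts are assumed values.

```cisco
! Added example: reflexive ACLs on the outside interface.
! Interface name, list names and timeout values are assumed.
!
! Outbound ACL: each permitted TCP/UDP session creates a temporary
! reflexive entry that is removed when the session closes or idles out.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any
!
! Inbound ACL: only return traffic that matches a tracked session
! is permitted; everything else is denied and logged.
ip access-list extended INBOUND
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny ip any any log
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

While a session is active, `show access-lists` displays the temporary entries under the reflexive list names; they disappear when the connection state ends, which is the behaviour the entry above describes.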

System auditing

The Cisco IOS Firewall maintains an audit log of all changes made to the router.

TCP intercept

TCP intercept is used to prevent a SYN flood attack. It cannot be used in conjunction with CBAC.
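The configuration below is an added example of TCP intercept protecting a block of web servers; it is not from this page or from Cisco documentation. Addresses, the ACL number and the thresholds are assumed, and, as the entry notes, CBAC is not enabled on the same router.

```cisco
! Added example: TCP intercept for a DMZ web server range.
! Addresses, ACL number and thresholds are assumed values.
!
! Only connections matching this ACL are intercepted.
access-list 110 permit tcp any 192.0.2.0 0.0.0.255 eq 80
ip tcp intercept list 110
!
! Intercept mode: the router completes the three-way handshake with the
! client first and opens the server connection only after it succeeds,
! so half-open connections never reach the servers.
ip tcp intercept mode intercept
!
! Enter aggressive mode when half-open connections exceed "high" and
! leave it when they fall below "low" (absolute count and per-minute rate).
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! In aggressive mode, drop the oldest half-open connection first.
ip tcp intercept drop-mode oldest
```

`show tcp intercept statistics` and `show tcp intercept connections` show the current half-open count and whether the router is in aggressive mode, which is the first thing to check when a SYN flood is suspected.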

Java blocking

The Cisco IOS Firewall can detect and block malicious Java code.

Context-Based Access Control

CBAC inspects traffic up to the application layer and can affect the traffic based on the configured policy.

Cisco IOS Firewall IPS

Cisco IOS Firewall IPS compares traffic to predefined attack signatures to detect and react to malicious traffic. The firewall IPS can react in any of the following manners:

• Reset the connection

DoS mitigation

The Cisco IOS Firewall can detect and react to potential DoS attacks.

Authentication proxy

Authentication proxy is used to proxy authentication requests to a AAA server. This allows for per-user or per-group policies.
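The configuration below is an added example of authentication proxy for outbound HTTP backed by a TACACS+ server; it is not from this page or from Cisco documentation. The server address, shared secret placeholder, rule name and interface are assumed. It also illustrates the per-user and per-group policies mentioned under user authentication and authorization later on this page, since the proxy downloads each user's access entries from the AAA server after login.

```cisco
! Added example: authentication proxy with TACACS+.
! Server address, key placeholder, rule name and interface are assumed.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.0.2.50
tacacs-server key <shared-secret-placeholder>
!
! The router's HTTP server presents the login page, so it must be on
! and must authenticate through AAA.
ip http server
ip http authentication aaa
!
! Proxy rule: intercept HTTP, authenticate the user, then apply the
! per-user ACL entries returned by the AAA server; idle entries expire
! after 60 minutes.
ip auth-proxy name WEB-AUTH http inactivity-time 60
!
interface FastEthernet0/0
 ip auth-proxy WEB-AUTH
```

`show ip auth-proxy cache` lists the authenticated hosts and their remaining timers, which is useful for confirming that an entry was created for a user and that it expires as configured.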

Port-to-application mapping (PAM)

Port-to-application mapping enables administrators to configure applications to pass through the firewall using nonstandard ports.
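The configuration below is an added example combining CBAC inspection, PAM and Java blocking, the three features described in the preceding entries; it is not from this page or from Cisco documentation. Addresses, list numbers, the interface and the inspection rule name are assumed.

```cisco
! Added example: CBAC with PAM and Java blocking.
! Addresses, list numbers, interface and rule name are assumed values.
!
! PAM: one host serves HTTP on TCP 8080, so CBAC inspects that port as
! HTTP for that host only (host-specific mapping via ACL 10).
access-list 10 permit host 192.0.2.10
ip port-map http port 8080 list 10
!
! ACL 20 lists the only sites whose Java applets are allowed through;
! applets fetched from any other address are dropped by HTTP inspection.
access-list 20 permit 203.0.113.0 0.0.0.255
!
! Inspection rule: generic TCP/UDP state tracking plus application-aware
! HTTP inspection with Java filtering, alerts and an audit trail.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT http java-list 20 alert on audit-trail on
!
! Inbound ACL on the outside interface denies everything by default;
! CBAC adds temporary entries for sessions it inspected on the way out.
access-list 101 deny ip any any log
!
interface Serial0/0
 ip inspect FW-INSPECT out
 ip access-group 101 in
```

`show ip inspect sessions` lists the sessions CBAC is currently tracking, and `show ip port-map http` confirms the nonstandard port mapping was accepted.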

Security server support

The Cisco IOS Firewall supports the following AAA servers:

• Kerberos

Network Address Translation (NAT)

The Cisco IOS Firewall can translate source and destination addresses. This allows for the use of RFC 1918 addresses on internal and DMZ segments, greatly reducing the attacker's ability to route attacks across public networks.
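The configuration below is an added example of NAT overload for an internal RFC 1918 segment; it is not from this page or from Cisco documentation. Interface names, the internal prefix and the ACL number are assumed.

```cisco
! Added example: NAT overload (PAT) for an inside RFC 1918 segment.
! Interface names, addresses and ACL number are assumed values.
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip nat outside
!
! Only the internal segment is translated; its private addresses are
! never exposed on the outside interface.
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0 overload
```

`show ip nat translations` shows the active mappings; traffic destined for 10.1.1.0/24 from the outside has no translation entry and is not routable to the inside hosts, which is the protective effect the entry above describes.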

IPsec network security

The Cisco IOS Firewall supports IPsec standards and can be used to configure VPNs.

Neighbor router authentication

Neighbor router authentication is used to ensure that the Cisco IOS Firewall receives updated routing information from only authenticated sources.
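The configuration below is an added example of OSPF MD5 neighbor authentication; it is not from this page or from Cisco documentation. The process ID, area, interface and key are assumed, and the key itself is a placeholder.

```cisco
! Added example: OSPF MD5 neighbor authentication.
! Process ID, area, interface and key are assumed; key is a placeholder.
interface FastEthernet0/1
 ip ospf message-digest-key 1 md5 <key-placeholder>
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 ! Every router in area 0 must send MD5-authenticated packets;
 ! routing updates from unauthenticated sources are ignored.
 area 0 authentication message-digest
```

`show ip ospf interface FastEthernet0/1` reports "Message digest authentication enabled" with the active key ID, and `show ip ospf neighbor` should still list the peer once it carries the same key; a peer that drops out of the neighbor table after the change is the usual sign of a key mismatch.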

Event logging

The Cisco IOS Firewall can be configured to log all traffic that passes through it. The firewall logs can prove helpful for troubleshooting and network forensics.
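The configuration below is an added example of sending timestamped firewall events to a central syslog server; it is not from this page or from Cisco documentation. The server address and buffer size are assumed.

```cisco
! Added example: central event logging for forensics.
! Syslog server address and buffer size are assumed values.
!
! Millisecond timestamps with time zone make events from several
! devices comparable during an investigation.
service timestamps log datetime msec localtime show-timezone
!
! Keep a local copy in RAM and forward to the syslog server.
logging buffered 64000 informational
logging host 192.0.2.60
logging trap informational
!
! Cap log messages per second so a flood of ACL matches cannot
! starve the CPU.
logging rate-limit 10
!
! One audit record per CBAC session open/close (source, destination,
! ports and byte counts).
ip inspect audit-trail
```

`show logging` confirms the trap level and the host, and lists the buffered messages; ACL entries written with the `log` keyword and CBAC audit-trail records both appear there and on the syslog server.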

User authentication and authorization

Authentication and authorization allow for the configuration of per-user and per-group policies.

Real-time alerts

The Cisco IOS Firewall can generate alerts in real time, which greatly increases the ability to react to an attempted attack.
