Figure 121 Cisco IOS Firewall Functions


The Cisco IOS Firewall and Advanced Security feature set integrate the following technologies:

• VPN services The Cisco IOS Firewall supports dynamic multipoint virtual private networks (VPN). This allows PPP and point-to-multipoint (p2mp) VPNs to be dynamically configured, supporting hub-and-spoke or full-mesh architectures with stateful IPsec failover to provide redundancy. Scalability has been increased to minimize bandwidth overhead, reduce jitter, and provide the highest quality of service (QoS) for voice and video traffic, as well as data. A low-latency queue (LLQ) for IPsec traffic has been integrated to provide QoS for encrypted voice and video. IPsec Network Address Translation (NAT) transparency has been added so that encrypted traffic can traverse NAT/PAT (Port Address Translation) devices, easing the integration of VPN connectivity across diverse network and addressing infrastructures. The Cisco IOS Firewall VPN supports Advanced Encryption Standard (AES) encryption with up to 256-bit keys.

• Intrusion protection The Cisco IOS Intrusion Prevention System (IPS) supports several signatures to offer improved protection against attacks. Chapter 13 discusses the Cisco IOS IPS in detail.

• Firewall services The core of the Cisco IOS Firewall is the advanced firewall engine. This engine tracks the state and context of network connections to secure traffic flow. It enhances security for TCP and UDP applications that use well-known ports, such as e-mail (SMTP) and Telnet traffic, by examining source and destination addresses. The Cisco IOS Firewall services include the following:

- Authentication proxy LAN-based, dynamic, per-user authentication and authorization via TACACS+ and RADIUS authentication servers for both inbound and outbound users. Chapter 16, "Authentication Proxy and the Cisco IOS Firewall," discusses authentication proxy in greater detail.

- Audit trail Details transactions. Records time stamp, source host, destination host, ports, duration, and total number of bytes transmitted for detailed reporting. Can be configured on a per-application, per-feature basis.

- Basic and advanced traffic filtering Standard and extended IP access control lists (ACL). Lock-and-key dynamic ACLs grant temporary access through firewalls upon user identification.

- Context-Based Access Control (CBAC) Provides internal users with secure, per-application access. Chapter 15, "Context-Based Access Control," discusses CBAC in greater detail.

- DoS detection and prevention Defends and protects router resources against common attacks. This is a function of the Cisco IOS IPS.

- Dynamic port mapping Allows CBAC-supported applications to run on nonstandard ports.

- Event logging Enables administrators to track potential security breaches or other nonstandard activities in real time by logging system error message output to a console terminal or syslog server.

- Firewall management A wizard-based network configuration tool that offers step-by-step guidance through network design, addressing, and Cisco Firewall feature set implementation.

- URL filtering support The Cisco IOS Firewall supports the N2H2 and Websense protocols to provide web access control and auditing.

- Java applet blocking Protects against unidentified, malicious Java applets.

- Network Address Translation (NAT) Hides the internal network from the outside for enhanced security.

- Peer router authentication Ensures that routers receive reliable routing information from trusted sources.

- Policy-based multi-interface support Provides the ability to control user access by IP address and interface as determined by the security policy.

- Redundancy/failover Automatically routes traffic to a backup router if a failure occurs.

- Firewall transparency Cisco IOS Software Release 12.3(7) introduced the transparent Cisco IOS Firewall. A transparent Cisco IOS Firewall can be implemented on an existing network without having to reconfigure statically defined devices because it utilizes a combination of CBAC and ACLs configured on the bridged interface. The firewall is considered to be transparent because it is intercepting packets at Layer 2 and is not restricted to traditional Layer 3 firewall limitations. You can configure both the Layer 2 and Layer 3 firewall on the same device.

• Quality of service The Cisco IOS Firewall Advanced Security feature set is an add-in to Cisco IOS Software and provides support for QoS.

• Multiprotocol support The Cisco IOS Firewall Advanced Security feature set is an add-in to Cisco IOS Software and provides support for multiple protocols.

• Multicast support The Cisco IOS Firewall Advanced Security feature set is an add-in to Cisco IOS Software and provides support for multicast.

• Advanced routing support The Cisco IOS Firewall Advanced Security feature set is an add-in to Cisco IOS Software and provides support for advanced routing protocols.

• VoIP support The Cisco IOS Firewall Advanced Security feature set is an add-in to Cisco IOS Software and provides support for Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP). An enhancement to VoIP functionality includes support for Voice and Video over VPNs (V3PNs). Combining the multipoint VPN technology with low-latency queuing (LLQ) for IPsec provides the support. LLQ is a QoS method for providing class-based weighted fair queuing of traffic.
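The audit-trail and event-logging items above describe what the firewall records per session (hosts, ports, bytes) but not how a defender consumes it. The following added example, which is not from the book or from Cisco, parses syslog output sent to a collector and summarizes it; the sample lines are constructed and modelled on the `%FW-6-SESS_AUDIT_TRAIL` message format, which is an assumption about the exact field layout.

```python
import re
from collections import defaultdict

# Constructed sample syslog export (not real device output). The field layout of
# the %FW-6-SESS_AUDIT_TRAIL message is assumed here; adjust AUDIT_RE for your release.
SAMPLE_LOG = """\
Mar  1 10:01:03.125: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.20:49152) sent 512 bytes -- responder (192.0.2.10:80) sent 4096 bytes
Mar  1 10:01:09.440: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.20:49160) sent 300 bytes -- responder (192.0.2.10:80) sent 1200 bytes
Mar  1 10:02:15.010: %FW-6-SESS_AUDIT_TRAIL: Stop udp session: initiator (10.1.1.30:53001) sent 64 bytes -- responder (198.51.100.5:53) sent 128 bytes
Mar  1 10:03:22.700: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.40:50010) sent 90000000 bytes -- responder (203.0.113.7:443) sent 2000 bytes
Mar  1 10:03:25.000: %SYS-5-CONFIG_I: Configured from console by admin
"""

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\w+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<sbytes>\d+) bytes -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<dbytes>\d+) bytes"
)


def parse_audit_trail(text):
    """Return one dict per closed session; unrelated syslog lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an audit-trail record (e.g. %SYS-5-CONFIG_I)
        rec = m.groupdict()
        for key in ("sport", "dport", "sbytes", "dbytes"):
            rec[key] = int(rec[key])
        sessions.append(rec)
    return sessions


def bytes_per_host(sessions):
    """Total bytes each internal initiator sent outbound across all its sessions."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s["src"]] += s["sbytes"]
    return dict(totals)


def flag_large_uploads(sessions, threshold):
    """Sessions whose initiator sent more than `threshold` bytes (exfiltration review)."""
    return [s for s in sessions if s["sbytes"] > threshold]
```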
