Cisco IOS Firewall Feature Set

Product Overview

The Cisco IOS Firewall feature set is a security-specific option for Cisco IOS software. It integrates robust firewall functionality and intrusion detection for every perimeter of the network and enriches existing Cisco IOS security capabilities. It adds greater depth and flexibility to existing Cisco IOS security solutions such as authentication, encryption, and failover by including state-of-the-art security features such as stateful, application-based filtering, dynamic per-user authentication and authorization, defense against network attacks, Java blocking, and real-time alerts. When combined with Cisco IOS IPSec software and other Cisco IOS software-based technologies like L2TP tunneling and Quality of Service (QoS), the Cisco IOS Firewall provides a complete, integrated virtual private network (VPN) solution.

Router-Based Firewall Functionality

Available on a wide range of Cisco IOS-based routers, the Cisco IOS Firewall offers sophisticated security and policy enforcement for connections within an organization (intranet) and between partner networks (extranets), as well as for securing Internet connectivity for remote and branch offices. The Cisco IOS Firewall is the best choice for integrating multiprotocol routing with security policy enforcement and enabling managers to configure a Cisco router as a firewall. The Cisco IOS Firewall scales to allow customers to choose a router platform based on bandwidth, LAN and WAN density, and multiservice requirements, while benefiting from advanced security. A general guideline for choosing the right Cisco router for varied security environments:

| Environment | Recommended routers |
|---|---|
| Small/home offices | Cisco 800, uBR904, 1600, 1720 series routers |
| Branch and extranet environments | Cisco 2500, 2600, 3600 series routers |
| VPN and WAN aggregation points or other high-throughput environments | Cisco 7100 and 7200 series routers |

Key Features and Benefits

The Cisco IOS Firewall feature set interoperates seamlessly with Cisco IOS software, providing great value for the many benefits it delivers. The most outstanding benefits include:

- Flexibility: installed on a Cisco router, this all-in-one scalable solution performs multiprotocol routing, perimeter security, intrusion detection, VPN functionality, and per-user authentication and authorization.
- Investment protection: integrating firewall functionality into a multiprotocol router leverages an existing router investment without the cost and learning curve associated with a new platform.
- VPN support: deploying the Cisco IOS Firewall with Cisco IOS encryption and QoS VPN features enables extremely secure, low-cost transmissions over public networks and ensures mission-critical application traffic receives high-priority delivery.
- Scalable deployment: available for a wide variety of router platforms, the Cisco IOS Firewall scales to meet any network's bandwidth and performance requirements.
- Easier management: with Cisco ConfigMaker software, a network administrator can configure Cisco IOS security features (including the Cisco IOS Firewall, Network Address Translation, and Cisco IPSec) from a central console over the network.

The recent addition of the Cisco IOS Firewall feature set on the Cisco 1720, 2600, 3600, 7100, and 7200 series routers has brought some important new benefits, including multiservice integration (data/voice/video/dial), advanced security for dialup connections, and integrated routing and security at the Internet gateway for large enterprises and service provider customer premise equipment (CPE) on the Cisco 7200 series.

Context-based Access Control (CBAC)

The Cisco IOS Firewall CBAC engine provides secure, per-application access control across network perimeters.
CBAC enhances security for TCP and User Datagram Protocol (UDP) applications that use well-known ports (such as File Transfer Protocol (FTP) and e-mail traffic) by scrutinizing source and destination addresses. CBAC allows network administrators to implement firewall intelligence as part of an integrated, single-box solution. For example, sessions with an extranet partner involving Internet applications, multimedia applications, or Oracle databases would no longer necessitate opening a network doorway accessible via weaknesses in the partner's network. CBAC lets tightly secured networks run today's basic application traffic plus advanced applications such as multimedia and video conferencing securely through a router. CBAC is a per-application control mechanism for IP traffic including standard TCP and UDP Internet applications, multimedia applications (including H.323 and other video applications), and Oracle databases. Before CBAC, administrators could permit advanced application traffic only by writing permanent ACLs that essentially left firewall doors open, so most administrators opted to deny all such application traffic. Now with CBAC, they can securely permit multimedia and other application traffic by opening the firewall as needed and closing it at all other times. For example, if CBAC is configured to allow Microsoft NetMeeting, when an internal user initiates a connection, the firewall permits return traffic. However, if an external NetMeeting source initiates a connection with an internal user, CBAC denies entry and drops the packets.
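A constructed CBAC configuration, added here as an illustration and not taken from the datasheet, showing the behaviour described above: outbound sessions, including H.323 (NetMeeting), are inspected so that only their return traffic passes the inbound deny ACL on the outside interface, while an externally initiated call is dropped and logged. Interface names, addresses and the ACL number are assumptions.

```cisco
! Added example, not from the datasheet. Interface names, addresses and
! the ACL number are assumptions; the protocol keywords are CBAC's own.
!
! Inspection rule: CBAC tracks sessions for these protocols and opens
! temporary inbound entries only for their return traffic.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT ftp
ip inspect name FW_OUT smtp
! H.323 (NetMeeting): inside-initiated calls get their return traffic
! admitted; the per-application audit trail (12.0(5)T syntax) records
! each session so that call activity is visible in the logs.
ip inspect name FW_OUT h323 audit-trail on
!
! Outside interface: deny everything inbound by default. CBAC inserts
! temporary permit entries ahead of this ACL for inspected sessions, so
! an externally initiated NetMeeting call matches only this line and is
! dropped and logged.
access-list 101 deny ip any any log
!
interface Ethernet0/0
 description inside LAN (assumed)
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW_OUT in
!
interface Serial0/0
 description outside / Internet (assumed)
 ip address 192.0.2.2 255.255.255.252
 ip access-group 101 in
!
! Verification from privileged EXEC:
!   show ip inspect sessions     - sessions CBAC is currently tracking
!   show ip access-lists 101     - temporary permits CBAC has added
```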
New IOS Firewall Features in Cisco IOS 12.0(5)T

- Intrusion detection: intrusion detection capability in the critical packet path provides dynamic monitoring, interception, and reporting of network attacks and misuse.
- Authentication proxy: LAN-based, dynamic, per-user authentication and authorization via TACACS+ and RADIUS authentication servers enables setting individual security policies.
- Dynamic port mapping: allows CBAC-supported applications to run on non-standard ports.
- Configurable audit trail and alerts: Cisco IOS Firewall alerts and audit trails are now configurable on a per-application basis. Java blocking is also configurable on a modular basis.
- Improved attack detection and defense for e-mail servers: new intrusion detection specifically for SMTP-oriented attacks.

Specifications

The Cisco IOS Firewall feature set has been available in Cisco IOS as of release 11.2(11)P. The table below shows the platforms on which the Cisco IOS Firewall feature set has been released.
| Cisco IOS Software Release | Hardware Platforms Supported |
|---|---|
| IOS 11.2(11)P and above | 1600, 2500 |
| IOS 11.3(3)T and above | 1600, 2500 |
| IOS 12.0 | 1600, 2500 |
| IOS 12.0(1)T and above | 1600, 2500, 2600, 3600 |
| IOS 12.0(1)XA | 1720 only |
| IOS 12.0(2)T and above | 1600, 1720, 2500, 2600, 3600 |
| IOS 12.0(3)T and above | 1600, 1720, 2500, 2600, 3600, 7200 |
| IOS 12.0(4)T and above | 800, uBR904, 1600, 1720, 2500, 2600, 3600, 7200 |
| IOS 12.0(4)XA | 7100 |
| IOS 12.0(5)T and above | 800, 1600, 1720, 2500, 2600, 3600, 7100, 7200 |
Cisco IOS Firewall Feature Set Packaging

The Cisco IOS packaging structure divides feature sets into three solution suites:

- Basic functionality for the following areas: IP, Desktop, Enterprise
- Key value-add "Plus" feature sets with one or more features (varies by platform)
- Solution-specific feature sets such as encryption (56-bit, 3DES, etc.) and the ISDN feature set
Product packaging varies per platform. Memory requirements for running the Cisco IOS Firewall feature set depend on router platform and Cisco IOS image.
| Image | Description |
|---|---|
| IP Images | |
| IP/FW | IP routing and Cisco IOS Firewall feature set |
| IP/FW Plus IPSec 56 | IP protocol, Cisco IOS Firewall feature set, Plus features (value-added features; varies by platform), and IPSec with 56-bit DES encryption capabilities |
| IP/FW Plus IPSec 3DES | IP protocol, Cisco IOS Firewall feature set, Plus features (value-added features; varies by platform), and IPSec with 168-bit 3DES encryption capabilities |
| Desktop Images | |
| IP/IPX/FW Plus | IP and IPX protocols, Cisco IOS Firewall feature set, Plus features (varies by platform), and 56-bit IPSec capabilities |
| IP/IPX/AT/DEC Firewall Plus | IP, IPX, AT, and DEC protocols, Cisco IOS Firewall feature set, and Plus features (varies by platform) |
| IP/IPX/AT/IBM/FW Plus IPSec 56 | IP, IPX, AT, and IBM protocols, Cisco IOS Firewall feature set, Plus features (varies by platform), and IPSec with DES 56-bit encryption capabilities |
| Enterprise Images | |
| Enterprise Firewall Plus IPSec 56 | Enterprise package, Cisco IOS Firewall feature set, Plus features (varies by platform), and IPSec with DES 56-bit encryption capabilities |
| Enterprise Firewall Plus IPSec 3DES | Enterprise package, Cisco IOS Firewall feature set, Plus features (varies by platform), and IPSec with 3DES 168-bit encryption capabilities |
The Cisco IOS Firewall feature set is a security-specific, value-added option for Cisco IOS software. It has been enhanced to include additional features in Cisco IOS release 12.0(5)T. The following charts indicate which features are available in which release and for the different supported platforms.
| Cisco IOS release | Initial features (Phase I) | Enhanced features (Phase I+) | Full features (Phase II) |
|---|---|---|---|
| 11.2(11)P and above, 11.3(3)T and above, 12.0, 12.0(1)T - 12.0(4)T, 12.0(4)XE | | NA | NA |
| 12.0(5)T and above | NA | | |
| Cisco IOS software release | Cisco IOS Firewall feature support | Hardware Platforms Supported |
|---|---|---|
| 12.0(5)T | Full (Phase II) | Cisco 2600, 3600, 7200 |
| 12.0(5)XE | Full (Phase II) | Cisco 7100 |
| 12.0(6)T | Full (Phase II) | Cisco 1720, 2600, 3600, 7100, 7200 |
| 12.0(5)T | Enhanced (Phase I+) | Cisco 800, uBR900, 1600, 2500 |
For information on ordering the Cisco IOS Firewall, access Cisco Connection On-Line at: