Table of Contents
Cisco IOS Firewall Feature Set
Feature Summary
Platforms
Prerequisites
Supported MIBs and RFCs
Configuration Tasks
Configuration Example
Command Reference
Cisco IOS Firewall Feature Set
The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document introduces support for the Cisco IOS Firewall feature set on the Cisco 1720 router, which is new in Cisco IOS Release 12.0(1)XA.
The Cisco IOS Firewall feature set extends the security technology currently available in Cisco IOS software to provide firewall specific capabilities:
- Context-based Access Control (CBAC)
- Java blocking
- Denial-of-service detection and prevention
- Real-time alerts and audit trails
The Cisco IOS Firewall feature set adds advanced filtering capabilities to existing security functionality in Cisco routers. Some existing Cisco IOS security features include packet filtering via access control lists (ACLs), Network Address Translation (NAT), network-layer encryption, and TACACS+ authentication.
For complete information on the firewall feature set, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
Feature Summary
The information in this section is repeated from the Security Configuration Guide and summarizes the security services provided by the Cisco IOS Firewall feature set:
- CBAC provides internal users secure, per-application-based access control for all traffic across perimeters such as between private enterprise networks and the Internet.
- Java blocking protects against unidentified, malicious Java applets.
- Denial-of-service detection and prevention defends and protects router resources against common attacks, checking packet headers and dropping suspicious packets.
- Audit trail details transactions, recording time stamp, source host, destination host, ports, duration, and total number of bytes transmitted.
- Real-time alerts log alerts in case of denial-of-service attacks or other pre-configured conditions.
You can use the Cisco IOS Firewall feature set to configure your Cisco IOS router as:
- An Internet firewall or part of an Internet firewall
- A firewall between groups in your internal network
- A firewall providing secure connections to or from branch offices
- A firewall between your company's network and your company's partners' networks
For a complete description of the Cisco IOS Firewall features, refer to the Security Configuration Guide.
CBAC supports three switching modes: flow switching, fast switching, and process switching. When CBAC and NAT are configured on the same firewall, the following restrictions apply:
- You can configure both NAT and CBAC at the router only with fast switching and process switching.
- If you enable CBAC and flow switching at the router, you cannot enable NAT.
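The following is an added example, not taken from this release note or from the Security Configuration Guide, showing how the features summarized above (CBAC inspection, Java blocking, denial-of-service thresholds and the audit trail) fit together on a Cisco 1720 with one inside Ethernet interface and one serial Internet interface. Interface names, addresses, access-list numbers, threshold values and the inspection-rule name FWRULE are assumptions. One caveat a practitioner should know: CBAC in this release inspects TCP and UDP but not ICMP, so the few ICMP replies needed for diagnostics have to be permitted statically in the inbound access list rather than relying on CBAC to open them.

```cisco
! Added example (not from the original release note). Interface names,
! addresses, ACL numbers and the rule name FWRULE are assumptions.
! Ethernet0 = inside (protected) network, Serial0 = Internet side.
!
! --- Denial-of-service thresholds ------------------------------------
! CBAC starts deleting half-open sessions when the total number of
! half-open sessions, or the one-minute rate of new ones, exceeds the
! "high" value and stops once it falls below "low". Values are illustrative.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Drop a TCP session that has not completed its handshake within 30 s.
ip inspect tcp synwait-time 30
! Per-host limit: above 50 half-open connections to one destination,
! delete the oldest half-open session instead of blocking the host
! (block-time 0).
ip inspect tcp max-incomplete host 50 block-time 0
!
! --- Audit trail and alerts ------------------------------------------
! Real-time alerts are on by default; the audit trail (time stamp,
! source, destination, ports, duration, bytes) is enabled explicitly.
ip inspect audit-trail
!
! --- Java blocking ---------------------------------------------------
! Standard ACL of "friendly" sites. Applets fetched over HTTP from hosts
! permitted here are allowed; applets from any other source are blocked.
access-list 51 permit 192.0.2.0 0.0.0.255
!
! --- Inspection rule -------------------------------------------------
! Sessions leaving the inside network are tracked so that only the
! matching return traffic is let back in through Serial0.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
ip inspect name FWRULE http java-list 51
!
! --- Inbound access list on the Internet interface -------------------
! Deny everything by default; CBAC inserts temporary entries ahead of
! this list for return traffic of inspected sessions. ICMP is not
! inspected in this release, so the needed replies are permitted here.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   ip any any log
!
interface Ethernet0
 description inside network
 ip address 10.1.1.1 255.255.255.0
 ip inspect FWRULE in
!
interface Serial0
 description Internet
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
```

The inspection rule is applied inbound on the inside interface (where traffic enters the router from the protected network) and the restrictive access list inbound on the outside interface; CBAC opens the reverse path only for sessions it has seen initiated from inside. With this layout, if NAT is also required, fast or process switching must be used rather than flow switching, as the restrictions above state.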
Platforms
Cisco IOS Release 12.0(1)XA supports only the Cisco 1720 router.
Prerequisites
For a complete description of the Cisco IOS Firewall feature set, including configuration instructions, read "Traffic Filtering and Firewalls" in the Security Configuration Guide.
Supported MIBs and RFCs
None.
Configuration Tasks
The tasks required to configure the Cisco IOS Firewall feature set are described in the Security Configuration Guide.
In addition to instructions for configuring specific IOS Firewall features, the Security Configuration Guide references a number of other security configuration guidelines:
- When setting the password for privileged (enable) access to the firewall, use the enable secret command rather than the enable password command. enable secret stores an MD5 hash of the password (a type 5 string); enable password stores it with the reversible type 7 encoding, which is trivially decoded by anyone who can read the configuration.
- Put a password on the console port. In authentication, authorization, and accounting (AAA) environments, use the same authentication method for the console as for everything else. In a non-AAA environment, at a minimum configure the login command and a password on line con 0.
- Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a BREAK sent to the console port while the router boots can drop it into ROM monitor and start the password-recovery procedure, which gives total control of the firewall even with access control configured.
- Apply access lists and password protection to all virtual terminal ports. Use access lists to limit who can Telnet into your router.
- Don't enable any local service (such as SNMP or NTP) that you don't use. Cisco Discovery Protocol (CDP) and Network Time Protocol (NTP) are on by default, and you should turn these off if you don't need them.
- To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP.
- If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.
- Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.
- For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring access lists to deny packets for the services at specific interfaces.
- Protect against spoofing: protect the networks on both sides of the firewall from being spoofed from the other side. You could protect against spoofing by configuring input access lists at all interfaces to pass only traffic from expected source addresses, and to deny all other traffic.
- You should also disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can also help prevent spoofing.
- Prevent the firewall from being used as a relay by configuring access lists on any asynchronous Telnet ports.
- Normally, you should disable directed broadcasts on all applicable interfaces on your firewall and on all your other routers. For IP, use the no ip directed-broadcast interface command (this is the default from Cisco IOS Release 12.0 onward, but check configurations carried over from earlier releases). Rarely, some IP networks do require directed broadcasts; if this is the case, leave them enabled only on the interfaces that need them.
- Directed broadcasts can be misused to multiply the power of denial-of-service attacks: a single packet addressed to a subnet's broadcast address is delivered to every host on that subnet, and each host that replies amplifies the attack against the spoofed source. Furthermore, some hosts have other intrinsic security risks when handling broadcasts.
- Configure the no ip proxy-arp interface command so the router does not answer ARP requests on behalf of hosts on other subnets, which can reveal internal addresses. (This is important if you do not already have NAT configured to hide internal addresses.)
- Keep the firewall in a secured (locked) room.
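Taken together, the guidelines above amount to a baseline router configuration. The following is an added example, not the original document's or Cisco's own, of that baseline on a router whose inside network is 10.1.1.0/24 on Ethernet0 and whose Internet link is Serial0. All addresses, interface names, access-list numbers and the placeholder passwords are assumptions; the service password-encryption line is a common companion to the password guidance rather than something the text above calls for.

```cisco
! Added example; addresses, interface names, ACL numbers and passwords
! are assumptions. Replace the placeholder passwords before use.
!
! --- Passwords -------------------------------------------------------
! enable secret stores an MD5 hash (type 5). Do not also configure
! enable password, whose type 7 encoding is reversible.
enable secret MyStr0ngEnableSecret
! Obscure line passwords in "show running-config". This is type 7 as
! well (reversible), so it only defends against casual viewing.
service password-encryption
!
! --- Console and terminal lines -------------------------------------
line con 0
 login
 password MyConsolePassword
 exec-timeout 5 0
! Auxiliary (asynchronous) port: no interactive access at all, so it
! cannot be used as a Telnet relay.
line aux 0
 no exec
 transport input none
! Telnet only from the inside network, with a password.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 login
 password MyVtyPassword
 access-class 10 in
 exec-timeout 5 0
!
! --- Unused local services off ---------------------------------------
no cdp run
no snmp-server
no ip source-route
!
! --- NTP: one inside time source, and only that peer -----------------
ntp server 10.1.1.10
access-list 20 permit host 10.1.1.10
ntp access-group peer 20
!
! --- Anti-spoofing ingress filters -----------------------------------
! Outside: drop packets that claim an inside, loopback or unspecified
! source address before anything else is evaluated.
access-list 120 deny   ip 10.1.1.0 0.0.0.255 any log
access-list 120 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 120 deny   ip host 0.0.0.0 any log
access-list 120 permit ip any any
! Inside: only the inside network may appear as a source address.
access-list 121 permit ip 10.1.1.0 0.0.0.255 any
access-list 121 deny   ip any any log
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 121 in
 no ip directed-broadcast
 no ip proxy-arp
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 120 in
 no ip directed-broadcast
 no ip proxy-arp
 ! Refuse NTP entirely on the Internet-facing interface.
 ntp disable
```

The outside ingress list here only addresses spoofing; in a deployed firewall it would be merged with the CBAC inbound access list on the same interface, since an interface takes a single inbound ip access-group. A quick check after applying this is show ip interface, which reports the inbound access list, proxy ARP and directed-broadcast state per interface, and show running-config, which should show the enable password as a type 5 string and no plaintext line passwords.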
Configuration Example
Complete instructions and guidelines for configuring the Cisco IOS Firewall feature set are described in the Security Configuration Guide.
Command Reference
None. Cisco IOS Firewall feature set command descriptions are included in the Cisco IOS Release 12.0 Security Command Reference.
Copyright © 1989-1998 Cisco Systems Inc.