The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document introduces support for the Cisco IOS Firewall feature set on the Cisco 1720 router, which is new in Cisco IOS Release 12.0(1) XA.
The Cisco IOS Firewall feature set extends the security technology currently available in Cisco IOS software to provide firewall specific capabilities:
Context-based Access Control (CBAC)
Denial-of-service detection and prevention
Real-time alerts and audit trails
The Cisco IOS Firewall feature set adds advanced filtering capabilities to existing security functionality in Cisco routers. Some existing Cisco IOS security features include packet filtering via access control lists (ACLs), Network Address Translation (NAT), network-layer encryption, and TACACS+ authentication.
For complete information on the firewall feature set, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
The tasks required to configure the Cisco IOS Firewall feature set are described in the Security Configuration Guide.
In addition to instructions for configuring specific IOS Firewall features, the Security Configuration Guide references a number of other security configuration guidelines:
When setting passwords for privileged access to the firewall, use the enable secret command rather than the enable password command, which does not have as strong an encryption algorithm.
Put a password on the console port. In authentication, authorization, and accounting (AAA) environments, use the same authentication for the console as for elsewhere. In a non-AAA environment, at a minimum configure the login and password commands.
Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a BREAK on the console port might give total control of the firewall, even with access control configured.
Apply access lists and password protection to all virtual terminal ports. Use access lists to limit who can Telnet into your router.
Don't enable any local service (such as SNMP or NTP) that you don't use. Cisco Discovery Protocol (CDP) and Network Time Protocol (NTP) are on by default, and you should turn these off if you don't need them.
To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP.
If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.
Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.
For local services that are enabled, protect against misuse: configure the services to communicate only with specific peers, and configure access lists to deny packets for those services at specific interfaces.
Protect against spoofing: protect the networks on both sides of the firewall from being spoofed from the other side. You could protect against spoofing by configuring input access lists at all interfaces to pass only traffic from expected source addresses, and to deny all other traffic.
You should also disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can also help prevent spoofing.
Prevent the firewall from being used as a relay by configuring access lists on any asynchronous Telnet ports.
Normally, you should disable directed broadcasts for all applicable interfaces on your firewall and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts.
Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts.
Configure the no ip proxy-arp command to prevent internal addresses from being revealed. (This is especially important if you do not already have NAT configured to prevent internal addresses from being revealed.)
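The guidelines above translated into a Cisco IOS configuration fragment, as an added example that is not part of the Cisco document. The interface names, the 10.1.1.0/24 inside network, the 192.0.2.10 NTP peer and the access-list numbers are assumptions, and the angle-bracket placeholders stand for real secrets.

```cisco
! Added hardening example, not from the Cisco document. Interface names,
! the 10.1.1.0/24 inside network, the 192.0.2.10 NTP peer and the ACL
! numbers are assumptions; replace the <...> placeholders with real secrets.
!
! Privileged access: enable secret, not the weaker enable password
enable secret <privileged-secret>
!
! Console port (non-AAA environment): require login with a password
line con 0
 login
 password <console-password>
!
! Virtual terminal ports: password plus an access list limiting who may Telnet in
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 4
 login
 password <vty-password>
 access-class 10 in
!
! Unused services off: CDP globally, IP source routing globally
no cdp run
no ip source-route
!
! NTP: keep it, but listen only to the one expected peer
access-list 20 permit host 192.0.2.10
ntp access-group peer 20
ntp server 192.0.2.10
!
! Anti-spoofing input filters: each interface admits only expected sources.
! 101 (inside): only inside addresses may enter. 102 (outside): anything
! claiming an inside source address is spoofed and is dropped and logged.
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 102 deny   ip 10.1.1.0 0.0.0.255 any log
access-list 102 permit ip any any
!
! Inside interface: inside-sources-only filter, no directed broadcasts, no proxy ARP
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
 no ip directed-broadcast
 no ip proxy-arp
!
! Outside interface: same protections, plus NTP disabled (this interface does not use NTP)
interface Serial0
 ip access-group 102 in
 no ip directed-broadcast
 no ip proxy-arp
 ntp disable
```

After applying it, show running-config confirms the enable secret is stored hashed while the line passwords are not, which is why the document favours enable secret for privileged access.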