
Table of Contents

Cisco IOS Firewall Feature Set

Feature Summary

Platforms

Prerequisites

Supported MIBs and RFCs

Configuration Tasks

Configuration Example

Command Reference

Cisco IOS Firewall Feature Set

Feature Summary

The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document introduces support for the Cisco IOS Firewall feature set on the Cisco 1720 router, which is new in Cisco IOS Release 12.0(1) XA.

The Cisco IOS Firewall feature set extends the security technology currently available in Cisco IOS software to provide firewall-specific capabilities:

The Cisco IOS Firewall feature set adds advanced filtering capabilities to existing security functionality in Cisco routers. Some existing Cisco IOS security features include packet filtering via access control lists (ACLs), Network Address Translation (NAT), network-layer encryption, and TACACS+ authentication.

For complete information on the firewall feature set, refer to the Cisco IOS Release 12.0 Security Configuration Guide.

Benefits

The information in this section is repeated from the Security Configuration Guide and summarizes the Cisco IOS Firewall feature set security services benefits:

You can use the Cisco IOS Firewall feature set to configure your Cisco IOS router as:

For a complete description of the Cisco IOS Firewall features, refer to the Security Configuration Guide.

Restrictions

The CBAC feature supports these switching modes: flow switching, fast switching, and process switching. The following restrictions apply when configuring both CBAC and NAT in the same firewall:

Platforms

Cisco IOS Release 12.0(1) XA supports only the Cisco 1720 router.

Prerequisites

For a complete description of the Cisco IOS Firewall feature set, including configuration instructions, read "Traffic Filtering and Firewalls" in the Security Configuration Guide.

Supported MIBs and RFCs

None.

Configuration Tasks

The tasks required to configure the Cisco IOS Firewall feature set are described in the Security Configuration Guide.

In addition to instructions for configuring specific IOS Firewall features, the Security Configuration Guide references a number of other security configuration guidelines:

To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP.
If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.
Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.
Protect enabled local services against misuse by configuring them to communicate only with specific peers, and by configuring access lists that deny packets for those services at specific interfaces.
You should also disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can also help prevent spoofing.
Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts.
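The guidelines above name four concrete settings an operator should verify on the firewall router: CDP off (no cdp run), IP source routing off (no ip source-route), NTP confined to the interfaces and peers that need it (ntp disable, ntp access-group peer), and directed broadcasts disabled on each interface (no ip directed-broadcast). The script below is an added example, not Cisco code and not part of this release note: it parses a saved running-config and reports which of those guidelines are not met. The two sample configurations, the hostname, addresses and interface names are constructed for the example. Because IOS defaults differ between releases, the audit requires each protective command to be present explicitly rather than trusting a default.

```python
"""Audit a saved Cisco IOS running-config against the hardening guidelines.

Added example (not Cisco's code). Checks: explicit 'no cdp run' and
'no ip source-route' globally; 'no ip directed-broadcast' on every interface;
and, when any NTP command is configured, a global 'ntp access-group peer'
restriction plus 'ntp disable' on every interface not listed as an NTP user.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

Config = Tuple[List[str], Dict[str, List[str]]]


def parse_config(text: str) -> Config:
    """Split config text into global commands and per-interface command lists.

    IOS indents the sub-commands of an 'interface' block by one space; a line
    that starts in column 0 ends the block. Blank lines and '!' separators
    carry no configuration and are skipped.
    """
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            match = re.match(r"interface\s+(\S+)$", line)
            if match:
                current = match.group(1)
                interfaces[current] = []
            else:
                global_lines.append(line)
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_lines, interfaces


def audit_ios_config(text: str, ntp_interfaces: FrozenSet[str] = frozenset()) -> List[str]:
    """Return one finding per guideline the config violates (empty list = compliant).

    ntp_interfaces names the interfaces that legitimately talk to the time
    source; every other interface must carry 'ntp disable' once NTP is in use.
    """
    global_lines, interfaces = parse_config(text)
    findings: List[str] = []
    if "no cdp run" not in global_lines:
        findings.append("global: CDP is not disabled (add 'no cdp run')")
    if "no ip source-route" not in global_lines:
        findings.append("global: IP source routing is not disabled (add 'no ip source-route')")
    ntp_in_use = any(line.startswith("ntp ") for line in global_lines)
    ntp_restricted = any(line.startswith("ntp access-group peer ") for line in global_lines)
    if ntp_in_use and not ntp_restricted:
        findings.append("global: NTP accepts any peer (add 'ntp access-group peer <acl>')")
    for name, lines in interfaces.items():
        if "no ip directed-broadcast" not in lines:
            findings.append(f"{name}: directed broadcasts not explicitly disabled")
        if ntp_in_use and name not in ntp_interfaces and "ntp disable" not in lines:
            findings.append(f"{name}: NTP is listening here (add 'ntp disable')")
    return findings


# Constructed sample: NTP configured, everything else left at risky defaults.
WEAK_CONFIG = """\
!
hostname fw1720
!
ntp server 10.0.0.5
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
!
end
"""

# Constructed sample: the same router after applying the guidelines above.
# FastEthernet0 is the interface that reaches the NTP server, so it keeps NTP.
HARDENED_CONFIG = """\
!
hostname fw1720
no ip source-route
no cdp run
!
ntp server 10.0.0.5
ntp access-group peer 10
access-list 10 permit host 10.0.0.5
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 no ip directed-broadcast
 ntp disable
!
end
"""

if __name__ == "__main__":
    for label, cfg, allowed in (("weak", WEAK_CONFIG, frozenset()),
                                ("hardened", HARDENED_CONFIG, frozenset({"FastEthernet0"}))):
        result = audit_ios_config(cfg, allowed)
        print(f"{label}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Run against a copy of show running-config, the weak sample yields seven findings (three global, two per interface) and the hardened sample yields none once FastEthernet0 is declared as the interface that uses NTP. The checker only inspects the four settings this document calls out; the "any enabled service" guideline still has to be reviewed by hand.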

Configuration Example

Complete instructions and guidelines for configuring the Cisco IOS Firewall feature set are described in the Security Configuration Guide.

Command Reference

None. Cisco IOS Firewall feature set command descriptions are included in the Cisco IOS Release 12.0 Security Reference Guide.

Copyright 1989-1998 © Cisco Systems Inc.