This chapter describes how you can configure your Cisco networking device to function as a firewall, using Cisco IOS security features.
This chapter has these sections:
Firewalls are networking devices that control access to your organization's network assets. Firewalls are positioned at the entrance points into your network. If your network has multiple entrance points, you must position a firewall at each point to provide effective network access control.
Firewalls are often placed in between the internal network and an external network such as the Internet. With a firewall between your network and the Internet, all traffic coming from the Internet must pass through the firewall before entering your network.
Firewalls can also be used to control access to a specific part of your network. For example, you can position firewalls at all the entry points into a research and development network to prevent unauthorized access to proprietary information.
The most basic function of a firewall is to monitor and filter traffic. Firewalls can be simple or elaborate, depending on your network requirements. Simple firewalls are usually easier to configure and manage. However, you might require the flexibility of a more elaborate firewall.
Cisco IOS software provides an extensive set of security features, allowing you to configure a simple or elaborate firewall, according to your particular requirements. You can configure a Cisco device as a firewall if the device is positioned appropriately at a network entry point. Security features that provide firewall functionality are listed in the section "Create a Customized Firewall."
In addition to the security features available in standard Cisco IOS feature sets, there is a Cisco IOS Firewall feature set that gives your router additional firewall capabilities.
The Cisco IOS Firewall feature set combines existing Cisco IOS firewall technology and the new context-based access control (CBAC) feature. When you configure the Cisco IOS Firewall feature set on your Cisco router, you turn your router into an effective, robust firewall.
The Cisco IOS Firewall feature set is designed to prevent unauthorized, external individuals from gaining access to your internal network, and to block attacks on your network, while at the same time allowing authorized users to access network resources.
You can use the Cisco IOS Firewall feature set to configure your Cisco IOS router as:
The Cisco IOS Firewall feature set provides the following benefits:
To create a firewall customized to fit your organization's security policy, you should determine which Cisco IOS security features are appropriate, and configure those features. At a minimum, you must configure basic traffic filtering to provide a basic firewall. You can configure your Cisco networking device to function as a firewall by using the following Cisco IOS security features:
As well as configuring these features, you should follow the guidelines listed in the section "Other Guidelines for Configuring Your Firewall." This section outlines important security practices to protect your firewall and network. Table 17 describes Cisco IOS security features.
"Access Control Lists: Overview and Guidelines"
Standard and static extended access lists provide basic traffic filtering capabilities. You configure criteria that describe which packets should be forwarded, and which packets should be dropped at an interface, based on each packet's network layer information. For example, you can block all UDP packets from a specific source IP address or address range. Some extended access lists can also examine transport layer information to determine whether to block or forward packets.
To configure a basic firewall, you should at a minimum configure basic traffic filtering. You should configure basic access lists for all network protocols that will be routed through your firewall, such as IP, IPX, AppleTalk, and so forth.
"Configuring Lock-and-Key Security (Dynamic Access Lists)"
Lock-and-Key provides traffic filtering with the ability to allow temporary access through the firewall for certain individuals. These individuals must first be authenticated (by a username/password mechanism) before the firewall allows their traffic through the firewall. Afterwards, the firewall closes the temporary opening. This provides tighter control over traffic at the firewall than with standard or static extended access lists.
"Configuring IP Session Filtering
Reflexive access lists filter IP traffic so that TCP or UDP "session" traffic is only permitted through the firewall if the session originated from within the internal network.
You would only configure Reflexive Access Lists when not using Context-Based Access Control.
"Configuring TCP Intercept
TCP Intercept protects TCP servers within your network from TCP SYN-flooding attacks, a type of denial-of-service attack.
You would only configure TCP Intercept when not using Context-Based Access Control.
"Configuring Context-Based Access Control"
Context-Based Access Control (CBAC) examines not only network layer and transport layer information, but also examines the application-layer protocol information (such as FTP information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and dynamically creates and deletes temporary openings in the firewall.
CBAC is only available in the Cisco IOS Firewall Feature Set.
"Configuring TACACS+," "Configuring TACACS and Extended TACACS," "Configuring RADIUS," and "Configuring Kerberos"
The Cisco IOS Firewall feature set can be configured as a client of the following supported security servers:
You can use any of these security servers to store a database of user profiles. To gain access into your firewall or to gain access through the firewall into another network, users must enter authentication information (such as a username and password), which is matched against the information on the security server. When users pass authentication, they are granted access according to their specified privileges.
"Configuring IP Addressing" chapter in the Network Protocols Configuration Guide, Part 1
You can use Network Address Translation (NAT) to hide internal IP network addresses from the world outside the firewall.
NAT was designed to provide IP address conservation and for internal IP networks that have unregistered (not globally unique) IP addresses: NAT translates these unregistered IP addresses into legal addresses at the firewall. NAT can also be configured to advertise only one address for the entire internal network to the outside world. This provides security by effectively hiding the entire internal network from the world.
NAT gives you limited spoof protection because internal addresses are hidden. Additionally, NAT removes all your internal services from the external name space.
NAT does not work with the application-layer protocols RPC, VDOLive, or SQL*Net "Redirected." (NAT does work with SQL*Net "Bequeathed.") Do not configure NAT with networks that will carry traffic for these incompatible protocols.
"Configuring Cisco Encryption Technology"
Cisco Encryption Technology (CET) selectively encrypts IP packets that are transmitted across unprotected networks such as the Internet. You specify which traffic is considered sensitive and should be encrypted. This encryption prevents sensitive IP packets from being intercepted and read or tampered with.
"Configuring IPSec Network Security"
IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices ("peers") such as Cisco routers.
IPSec services are similar to those provided by Cisco Encryption Technology, a proprietary security solution introduced in Cisco IOS Software Release 11.2. (The IPSec standard was not yet available at Release 11.2.) However, IPSec provides a more robust security solution, and is standards-based.
"Neighbor Router Authentication: Overview and Guidelines"
Neighbor router authentication requires the firewall to authenticate all neighbor routers before accepting any route updates from that neighbor. This ensures that the firewall receives legitimate route updates from a trusted source.
"Troubleshooting the Router" chapter in the "System Management" part of the Configuration Fundamentals Configuration Guide
Event logging automatically logs output from system error messages and other events to the console terminal. You can also redirect these messages to other destinations such as virtual terminals, internal buffers, or syslog servers. You can also specify the severity of the event to be logged, and you can configure the logged output to be timestamped. The logged output can be used to assist real-time debugging and management, and to track potential security breaches or other nonstandard activities throughout a network.
"Configuring Authentication" and
Authentication and authorization help protect your network from access by unauthorized users.
As with all networking devices, you should always protect access into the firewall by configuring passwords as described in the chapter "Configuring Passwords and Privileges." You should also consider configuring user authentication, authorization, and accounting as described in the chapters in the "Authentication, Authorization, and Accounting (AAA)" part of this document.
You should also consider the following recommendations: