Cisco IOS Firewall Overview

This chapter describes how you can configure your Cisco networking device to function as a firewall, using Cisco IOS Firewall security features.

About Firewalls

Firewalls are networking devices that control access to your organization's network assets. Firewalls are positioned at the entrance points into your network. If your network has multiple entrance points, you must position a firewall at each point to provide effective network access control.

Firewalls are often placed in between the internal network and an external network such as the Internet. With a firewall between your network and the Internet, all traffic coming from the Internet must pass through the firewall before entering your network.

Firewalls can also be used to control access to a specific part of your network. For example, you can position firewalls at all the entry points into a research and development network to prevent unauthorized access to proprietary information.

The most basic function of a firewall is to monitor and filter traffic. Firewalls can be simple or elaborate, depending on your network requirements. Simple firewalls are usually easier to configure and manage. However, you might require the flexibility of a more elaborate firewall.

The Cisco IOS Firewall Solution

Cisco IOS software provides an extensive set of security features, allowing you to configure a simple or elaborate firewall, according to your particular requirements. You can configure a Cisco device as a firewall if the device is positioned appropriately at a network entry point. Security features that provide firewall functionality are listed in the " Creating a Customized Firewall" section.

In addition to the security features available in standard Cisco IOS feature sets, Cisco IOS Firewall gives your router additional firewall capabilities.

The Cisco IOS Firewall Feature Set

The Cisco IOS Firewall feature set combines existing Cisco IOS firewall technology and the Context-based Access Control (CBAC) feature. When you configure the Cisco IOS Firewall on your Cisco router, you turn your router into an effective, robust firewall.

The Cisco IOS Firewall features are designed to prevent unauthorized external individuals from gaining access to your internal network and to block attacks on your network, while at the same time allowing authorized users to access network resources.

You can use the Cisco IOS Firewall features to configure your Cisco IOS router as one of the following:

•

A firewall between your company's network and your company's partners' networks

Creating a Customized Firewall

To create a firewall customized to fit your organization's security policy, you should determine which Cisco IOS Firewall features are appropriate, and configure those features. At a minimum, you must configure basic traffic filtering to provide a basic firewall. You can configure your Cisco networking device to function as a firewall by using the following Cisco IOS Firewall features:

In addition to configuring these features, you should follow the guidelines listed in the " Other Guidelines for Configuring Your Firewall" section. This section outlines important security practices to protect your firewall and network. Table 17 describes Cisco IOS security features.

Table 17 Cisco IOS Features for a Robust Firewall
Feature	Chapter	Comments
Standard Access Lists and Static Extended Access Lists	"Access Control Lists: Overview and Guidelines"	Standard and static extended access lists provide basic traffic filtering capabilities. You configure criteria that describe which packets should be forwarded, and which packets should be dropped at an interface, based on each packet's network layer information. For example, you can block all UDP packets from a specific source IP address or address range. Some extended access lists can also examine transport layer information to determine whether to block or forward packets. To configure a basic firewall, you should at a minimum configure basic traffic filtering. You should configure basic access lists for all network protocols that will be routed through your firewall, such as IP, IPX, AppleTalk, and so forth.
Lock-and-Key (Dynamic Access Lists)	"Configuring Lock-and-Key Security (Dynamic Access Lists)"	Lock-and-Key provides traffic filtering with the ability to allow temporary access through the firewall for certain individuals. These individuals must first be authenticated (by a username/password mechanism) before the firewall allows their traffic through the firewall. Afterwards, the firewall closes the temporary opening. This provides tighter control over traffic at the firewall than with standard or static extended access lists.
Reflexive Access Lists	"Configuring IP Session Filtering (Reflexive Access Lists)"	Reflexive access lists filter IP traffic so that TCP or UDP "session" traffic is only permitted through the firewall if the session originated from within the internal network. You would only configure Reflexive Access Lists when not using Context-based Access Control.
TCP Intercept	"Configuring TCP Intercept (Preventing Denial-of-Service Attacks)"	TCP Intercept protects TCP servers within your network from TCP SYN-flooding attacks, a type of denial-of-service attack. You would only configure TCP Intercept when not using Context-based Access Control.
Context-based Access Control	"Configuring Context-Based Access Control"	Context-based Access Control (CBAC) examines not only network layer and transport layer information, but also examines the application-layer protocol information (such as FTP information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and dynamically creates and deletes temporary openings in the firewall. CBAC also generates real-time alerts and audit trails. Enhanced audit trail features use SYSLOG to track all network transactions. Real-time alerts send SYSLOG error messages to central management consoles upon detecting suspicious activity. Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis. CBAC is only available in the Cisco IOS Firewall feature set.
Cisco IOS Firewall Intrusion Detection System	"Configuring Cisco IOS Firewall Intrusion Detection System"	The Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to: •Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface) •Drop the packet •Reset the TCP connection
Authentication Proxy	"Configuring Authentication Proxy"	The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access was associated with a user's IP address, or a single security policy had to be applied to an entire user group or sub network. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to general policy applied across multiple users.
Port to Application Mapping	"Configuring Port to Application Mapping"	Port to Application Mapping (PAM) is a feature of Cisco IOS Firewall. PAM allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application. The information in the PAM table enables CBAC supported services to run on nonstandard ports.
Security Server Support	"Configuring TACACS+," "Configuring RADIUS," and "Configuring Kerberos"	The Cisco IOS Firewall feature set can be configured as a client of the following supported security servers: •TACACS+ (including CiscoSecure) •RADIUS •Kerberos You can use any of these security servers to store a database of user profiles. To gain access into your firewall or to gain access through the firewall into another network, users must enter authentication information (such as a username and password), which is matched against the information on the security server. When users pass authentication, they are granted access according to their specified privileges.
Network Address Translation	"Configuring IP Addressing" chapter in the Cisco IOS IP Configuration Guide	You can use Network Address Translation (NAT) to hide internal IP network addresses from the world outside the firewall. NAT was designed to provide IP address conservation and for internal IP networks that have unregistered (not globally unique) IP addresses: NAT translates these unregistered IP addresses into legal addresses at the firewall. NAT can also be configured to advertise only one address for the entire internal network to the outside world. This provides security by effectively hiding the entire internal network from the world. NAT gives you limited spoof protection because internal addresses are hidden. Additionally, NAT removes all your internal services from the external name space. NAT does not work with the application-layer protocols RPC, VDOLive, or SQLNet "Redirected." (NAT does work with SQLNet "Bequeathed.") Do not configure NAT with networks that will carry traffic for these incompatible protocols.
IPSec Network Security	"Configuring IPSec Network Security"	IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices ("peers") such as Cisco routers.
Neighbor Router Authentication	"Neighbor Router Authentication: Overview and Guidelines"	Neighbor router authentication requires the firewall to authenticate all neighbor routers before accepting any route updates from that neighbor. This ensures that the firewall receives legitimate route updates from a trusted source.
Event Logging	"Troubleshooting the Router" chapter in the "System Management" part of the Cisco IOS Configuration Fundamentals Configuration Guide	Event logging automatically logs output from system error messages and other events to the console terminal. You can also redirect these messages to other destinations such as virtual terminals, internal buffers, or syslog servers. You can also specify the severity of the event to be logged, and you can configure the logged output to be timestamped. The logged output can be used to assist real-time debugging and management, and to track potential security breaches or other nonstandard activities throughout a network.
User Authentication and Authorization	"Configuring Authentication" and "Configuring Authorization"	Authentication and authorization help protect your network from access by unauthorized users.

Other Guidelines for Configuring Your Firewall

As with all networking devices, you should always protect access into the firewall by configuring passwords as described in the chapter "Configuring Passwords and Privileges." You should also consider configuring user authentication, authorization, and accounting as described in the chapters in the "Authentication, Authorization, and Accounting (AAA)" part of this guide.

•

When setting passwords for privileged access to the firewall, use the enable secret command rather than the enable password command, which does not have as strong an encryption algorithm.

•

Put a password on the console port. In authentication, authorization, and accounting (AAA) environments, use the same authentication for the console as for elsewhere. In a non-AAA environment, at a minimum configure the login and password password commands.

•

Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a break on the console port might give total control of the firewall, even with access control configured.

•

Apply access lists and password protection to all virtual terminal ports. Use access lists to limit who can Telnet into your router.

•

Do not enable any local service (such as SNMP or NTP) that you do not use. Cisco Discovery Protocol (CDP) and Network Time Protocol (NTP) are on by default, and you should turn these off if you do not need them.

To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP.

If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.

Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.

For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring access lists to deny packets for the services at specific interfaces.

•

Protect against spoofing: protect the networks on both sides of the firewall from being spoofed from the other side. You could protect against spoofing by configuring input access lists at all interfaces to pass only traffic from expected source addresses, and to deny all other traffic.

You should also disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can also help prevent spoofing.

You should also disable minor services. For IP, enter the no service tcp-small-servers and no service udp-small-servers global configuration commands.

•

Prevent the firewall from being used as a relay by configuring access lists on any asynchronous Telnet ports.

•

Normally, you should disable directed broadcasts for all applicable protocols on your firewall and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts.

Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts.

•

Configure the no ip proxy-arp command to prevent internal addresses from being revealed. (This is important to do if you do not already have NAT configured to prevent internal addresses from being revealed.)

Table Of Contents