Seminar Report ’03 Cisco IOS Firewall
Dept. of IT MESCE, Kuttippuram -1-
INTRODUCTION
The Cisco IOS Firewall provides robust, integrated
firewall and intrusion detection functionality for every perimeter
of the network. Available for a wide range of Cisco IOS
software-based routers, the Cisco IOS Firewall offers
sophisticated security and policy enforcement for connections
within an organization (intranet) and between partner networks
(extranets), as well as for securing Internet connectivity for
remote and branch offices.
A security-specific, value-add option for Cisco IOS
Software, the Cisco IOS Firewall enhances existing Cisco IOS
security capabilities, such as authentication, encryption, and
failover, with state-of-the-art security features, such as stateful,
application-based filtering (context-based access control),
defense against network attacks, per user authentication and
authorization, and real-time alerts.
The Cisco IOS Firewall is configurable via Cisco
ConfigMaker software, an easy-to-use Microsoft Windows 95,
98, NT 4.0 based software tool.
CHAPTER ONE
FIREWALL BASICS
Definition of Firewall
A firewall is a network security device that ensures that
all communications attempting to cross it meet an organization's
security policy. Firewalls track and control communications,
deciding whether to allow, reject or encrypt them.
Firewalls are placed where a corporate local network
connects to the Internet, and also between networks inside an
organization. In other words, they stand between the trusted
network and the untrusted network.
Design and Implementation issues
Basic Design Decisions in a FireWall
The first and most important decision reflects the policy of
how your company or organization wants to operate the system.
Is the firewall in place to explicitly deny all services except those
critical to the mission of connecting to the net, or is the firewall
in place to provide a metered and audited method of
'queuing' access in a non-threatening manner? The second is
what level of monitoring, redundancy and control do you want?
Having established the acceptable risk level you can form a
checklist of what should be monitored, permitted and denied.
The third issue is financial.
Implementation methods
Two basic methods to implement a firewall are
1. As a Screening Router:
A screening router is a special computer or an electronic
device that screens (filters out) specific packets based on
criteria that the administrator defines. Almost all current
screening routers operate in the following manner.
a. Packet filter criteria must be stored for the ports of the
packet filter device. The packet filter criteria are called
packet filter rules.
b. When a packet arrives at a port, the packet header is
parsed. Most packet filters examine the fields in only the
IP, TCP and UDP headers.
c. The packet filter rules are stored in a specific order. Each
rule is applied to the packet in the order in which the
rules are stored, and the first rule that matches decides.
d. If the rule blocks the transmission or reception of the packet,
the packet is not allowed.
e. If the rule allows the transmission or reception of the packet,
the packet is allowed.
f. If a packet does not satisfy any rule it is blocked (the
implicit default deny).
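As an added worked example, not part of the original report and not Cisco's own software, the following Python program carries out steps a to f for a small subset of Cisco IOS extended access-list syntax (numeric ports, 'eq', 'established' and 'log' only). The access list and the packets are constructed for illustration and use documentation address ranges. It also shows why a stateless screening router is weaker than the stateful inspection described later in this report: two of the rules admit traffic merely because of a source port or a TCP flag.

```python
"""Ordered first-match packet filtering with an implicit deny, as a screening router
does it. Added example: the rule syntax is a small subset of Cisco IOS extended
access-list syntax ('eq', 'established', 'log'); the list and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]   # (address, mask): a matches when (a & mask) == (address & mask)

@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False        # TCP ACK or RST bit set: all that 'established' tests

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    log: bool = False

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0xFFFFFFFF), i + 2
    # IOS wildcard bits mark the bits that need NOT match, i.e. an inverted mask
    return (_ip(tokens[i]), 0xFFFFFFFF ^ _ip(tokens[i + 1])), i + 2

def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_acl(text: str) -> List[Rule]:
    """Step a: store the rules, in the order they are written."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue                     # blank line or statement this subset does not handle
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        flags = set(tokens[i:])
        rules.append(Rule(action, proto, src, dst, sport, dport,
                          "established" in flags, "log" in flags))
    return rules

def _matches(rule: Rule, pkt: Packet) -> bool:
    """Step b: only IP/TCP/UDP header fields are compared; nothing above layer 4."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    for (addr, mask), value in ((rule.src, _ip(pkt.src)), (rule.dst, _ip(pkt.dst))):
        if (value & mask) != (addr & mask):
            return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return not rule.established or pkt.ack

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Steps c to f: the first matching rule decides; no match is an implicit deny."""
    for number, rule in enumerate(rules, start=1):
        if _matches(rule, pkt):
            return rule.action, number
    return "deny", None

# Constructed inbound access list for an Internet-facing interface. Rules 2 and 3 are
# typical stateless mistakes: anything sourced from UDP/53 is admitted, and any TCP
# segment with ACK set passes as "established" whether or not a connection exists.
INBOUND_ACL = """
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit udp any eq 53 any
access-list 101 permit tcp any 10.0.0.0 0.0.0.255 established
access-list 101 deny ip any any log
"""

if __name__ == "__main__":
    rules = parse_acl(INBOUND_ACL)
    for pkt in (Packet("udp", "198.51.100.7", "10.0.0.5", 53, 445),
                Packet("tcp", "198.51.100.7", "10.0.0.5", 51000, 445, ack=True)):
        print(pkt.proto, f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}", evaluate(rules, pkt))
```

Both packets printed by the main block are an attacker's probes of an internal host on port 445, and both are permitted: the first because it is sourced from port 53, the second because its ACK bit is set. Only the explicit last rule turns the implicit deny of step f into a logged event; without it, unmatched packets are still dropped, but silently.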
2. As a Proxy Server:
A Proxy Server is an application that mediates traffic
between a protected network and the Internet. Proxies are often
used instead of router-based traffic controls, to prevent traffic
from passing directly between networks. Proxy servers are
application specific. In order to support a new protocol via a
proxy, a proxy must be developed for it. Here there is no direct
connection between the local network and the untrusted
network. The Proxy Server transfers an isolated copy of each
approved packet from one network to the other network. No
information about the local network is available to untrusted
networks.
Realization of FireWall
1. Buying an off-the-shelf firewall product:
A commercial firewall product is bought and configured
to meet an organization's security policy. Some products are
available free; others may cost up to $100,000.
2. Building a custom firewall:
Organizations that have programming talent and
financial resources often prefer to use a 'roll your own'
approach. This involves building a custom firewall solution to
protect the organization's network. If implemented properly this
can be the most effective approach, but it also places the whole
burden of design, testing and maintenance on the organization.
CHAPTER TWO
CISCO IOS FIREWALL
As network security becomes increasingly critical to
securing business transactions, businesses must integrate
security into the network design and infrastructure itself.
Security policy enforcement is most effective when it is an
inherent component of the network.
The Cisco IOS Firewall is a security-specific option for
Cisco IOS Software. It integrates robust firewall functionality
and intrusion detection for every network perimeter. It adds
greater depth and flexibility to existing Cisco IOS security
solutions (i.e., authentication, encryption, and failover), by
delivering state-of-the-art security features: stateful, application-
based filtering; dynamic per-user authentication and
authorization; URL Filtering and others. When combined with
Cisco IOS IPSec and Cisco IOS Technologies such as L2TP
tunneling and Quality of Service (QoS), Cisco IOS Firewall
provides a complete, integrated virtual private network (VPN)
solution.
Router-Based Firewall Functionality
Cisco IOS Firewall is available on a wide range of Cisco
IOS Software releases. It offers sophisticated security and
policy enforcement for connections within an organization
(intranet) and between partner networks (extranets), as well as
for securing Internet connectivity for remote and
branch offices. The Cisco IOS Firewall is the best choice for
integrating multiprotocol routing with security policy enforcement
and enabling managers to configure a Cisco router as a firewall.
It scales to allow customers to choose a router platform based
on bandwidth, LAN/WAN density, and multiservice
requirements; simultaneously, it benefits from advanced
security.
Key Benefits
The Cisco IOS Firewall interoperates seamlessly with
Cisco IOS Software, providing outstanding value and benefits:
Flexibility—Installed on a Cisco router, Cisco IOS Firewall is
an all-in-one, scalable solution that performs multiprotocol
routing, perimeter security, intrusion detection, VPN
functionality, and per-user authentication and authorization.
Investment protection—Integrating firewall functionality into
a multiprotocol router leverages an existing router
investment, without the cost and learning curve associated
with a new platform.
VPN support—Deploying Cisco IOS Firewall with Cisco IOS
encryption and QoS VPN features enables secure, low-cost
transmissions over public networks. It ensures that mission-
critical application traffic receives high-priority delivery.
Scalable deployment— Cisco IOS Firewall is available for a
wide variety of router platforms. It scales to meet the
bandwidth and performance requirements of any network.
Easier provisioning—Combining the Cisco IE2100 and the
Cisco IOS XML application enables a network administrator
to drop ship any Cisco router with little or no pre-
configuration to a given destination. The router pulls the
most current Cisco IOS Software release router
configuration and its security policy configuration for the
Firewall when it is connected to the Internet.
Cisco IOS Firewall is supported on the majority of Cisco
router platforms, which brings benefits such as
multiservice integration (data/voice/video/dial) and advanced
security for dialup connections. On the Cisco 7100, 7200 and
7400 Series Routers, additional benefits include integrated
routing and security at the Internet gateway for large enterprises
and service provider customer premise equipment (CPE).
Cisco IOS Firewall Highlights
Stateful IOS Firewall inspection engine—provides internal
users with secure, per-application-based access control for
all traffic across perimeters, such as perimeters between
private enterprise networks and the Internet. Also known as
Context-Based Access Control (CBAC).
Intrusion Detection—Inline deep packet inspection service
that provides real-time monitoring, interception, and
response to network misuse with a broad set of the most
common attack and information-gathering intrusion
detection signatures. Now supports 102 signatures!
Firewall Voice Traversal—Provided by application-level
intelligence of the protocol as to the call flow and
associated channels that are opened. Voice protocols that
are currently supported are H.323v2 and SIP (Q1CY03).
ICMP Inspection—Allow responses to ICMP packets (i.e.,
ping and traceroute) originating from inside the Firewall,
while still denying other ICMP traffic. Available in Q1 of
2003.
Authentication Proxy—Enables dynamic, per-user
authentication and authorization for LAN-based, HTTP and
dial-in communications; authenticates users against
industry-standard TACACS+ and RADIUS servers, which lets
network administrators set individual, per-user security
policies. SSL-protected user IDs and passwords for HTTP
(HTTPS) give greater confidentiality; HTTPS support will
be available in Q1 of 2003.
Destination URL Policy Management—Several mechanisms
that support local caching of previous requests,
predetermined static URL permission and denial tables, as
well as use of external server databases provided by
Websense Inc. and N2H2 Inc. This is better known as URL
Filtering. This will be available on all platforms after Q1 of
2003.
Per User Firewalls—Enables Service Providers to provide a
managed Firewall solution in the broadband market by
downloading unique Firewall, ACLs, and other settings on a
per user basis, using the AAA server profile storage after
authentication.
Cisco IOS Router and Firewall Provisioning—Zero (0) touch
provisioning of the router, versioning and security policies
such as Firewall rules.
Denial of Service Detection and Prevention—Defends and
protects router resources against common attacks, checks
packet headers, and drops suspicious packets.
Dynamic Port Mapping—Allows Firewall-supported
applications on nonstandard ports.
Java Applet Blocking—Defends against unidentified,
malicious Java applets.
VPNs, IPSec Encryption, and QoS Support—
o Operates with Cisco IOS Software encryption, tunneling,
and QoS features to secure VPNs
o Provide scalable encrypted tunnels on the router while
integrating strong perimeter security, advanced bandwidth
management, intrusion detection, and service-level
validation
o Standards based for interoperability
Real-Time Alerts—Log alerts for denial-of-service attacks or
other pre-configured conditions. This is now configurable on
a per-application, per-feature basis.
Audit Trail—Details transactions, and records time stamp,
source host, destination host, ports, duration and total
number of bytes transmitted for detailed reporting. This is
now configurable on a per-application, per-feature basis.
Integration with Cisco IOS Software—Interoperates with
Cisco IOS Software features, integrating security policy
enforcement into the network.
Basic and Advanced Traffic Filtering—
o Standard and extended access control lists (ACLs)—apply
access controls to specific network segments and define
which traffic passes through a network segment.
o Lock and Key—dynamic ACLs grant temporary access
through firewalls upon user identification
(username/password).
Policy-Based Multi-Interface Support—Provides ability to
control user access by IP address and interface, as
determined by the security policy.
Network Address Translation (NAT)—Hides internal network
from the outside for enhanced security.
Time-Based Access Lists—Defines security policy based on
the time of day and day of week.
Peer Router Authentication—Ensures that routers receive
reliable routing information from trusted sources.
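The following Python model, added here as a worked example and not Cisco's implementation, shows what "stateful" means in the CBAC highlight above and how the denial-of-service protection listed with it works: a session is recorded when an inside host opens a connection, only replies to recorded sessions are admitted from outside, and half-open TCP sessions (SYN sent, handshake never answered) are counted and culled once they pass a high-water mark, in the spirit of the 'ip inspect max-incomplete high' and 'low' thresholds. The session key, the timeouts and the traffic are constructed, the model assumes a low-water mark of at least one, and the culling policy is simplified to deleting the oldest half-open sessions until the low-water mark is reached.

```python
"""Stateful inspection in the style of CBAC, with the half-open session limits it uses
against SYN floods. Added simplified model, not Cisco code: keys, timeouts and traffic
are constructed; culling is modelled loosely on 'ip inspect max-incomplete high/low'."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    length: int = 0

Key = Tuple[str, str, int, str, int]          # proto, initiator ip, port, responder ip, port

@dataclass
class Session:
    opened: float
    last_seen: float
    established: bool                         # TCP: SYN/ACK seen; UDP: always True
    bytes_initiator: int = 0
    bytes_responder: int = 0

class StatefulFirewall:
    """Records inside-initiated sessions and admits only their replies, the way CBAC's
    dynamic entries punch temporary holes in a deny-all inbound access list."""

    def __init__(self, idle_timeout: float = 3600.0, synwait: float = 30.0,
                 max_incomplete_high: int = 500, max_incomplete_low: int = 400):
        self.idle_timeout, self.synwait = idle_timeout, synwait
        self.high, self.low = max_incomplete_high, max_incomplete_low   # assumes low >= 1
        self.sessions: Dict[Key, Session] = {}
        self.aggressive = False
        self.events: List[str] = []

    def outbound(self, pkt: Packet, now: float) -> str:
        # Packet leaving the protected network (the interface carrying 'ip inspect ... out')
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        sess = self.sessions.get(key)
        if sess is None:
            if pkt.proto == "tcp" and not pkt.syn:
                return "deny"                          # no session and not a connection attempt
            sess = self.sessions[key] = Session(now, now, established=(pkt.proto != "tcp"))
            self._enforce_half_open_limit()
        sess.last_seen = now
        sess.bytes_initiator += pkt.length
        return "permit"

    def inbound(self, pkt: Packet, now: float) -> str:
        """Packet arriving from outside: permitted only as the reply of a recorded session."""
        key: Key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed direction
        sess = self.sessions.get(key)
        if sess is None:
            self.events.append(f"deny {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "deny"
        if pkt.proto == "tcp" and pkt.syn and pkt.ack:
            sess.established = True                    # handshake answered: no longer half-open
        sess.last_seen = now
        sess.bytes_responder += pkt.length
        return "permit"

    def half_open(self) -> int:
        return sum(1 for s in self.sessions.values() if not s.established)

    def _enforce_half_open_limit(self) -> None:
        count = self.half_open()
        if count >= self.high and not self.aggressive:  # like CBAC entering "aggressive mode"
            self.aggressive = True
            self.events.append(f"ALERT_ON half-open {count}/{self.high}")
        if self.aggressive:
            oldest_first = sorted((k for k, s in self.sessions.items() if not s.established),
                                  key=lambda k: self.sessions[k].opened)
            while self.half_open() > self.low and oldest_first:
                self.sessions.pop(oldest_first.pop(0))
            self.aggressive = self.half_open() > self.low   # calm down below the low mark

    def expire(self, now: float) -> int:
        # Age out idle sessions and half-open ones older than synwait; returns how many
        dead = [k for k, s in self.sessions.items() if now - s.last_seen > self.idle_timeout
                or (not s.established and now - s.opened > self.synwait)]
        for k in dead:
            self.sessions.pop(k)
        return len(dead)

def demo() -> dict:
    """A legitimate connection, an unsolicited probe, a SYN flood and the cleanup."""
    fw = StatefulFirewall(max_incomplete_high=3, max_incomplete_low=1)
    r = {}
    r["syn_out"] = fw.outbound(Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, syn=True, length=60), 0.0)
    r["synack_in"] = fw.inbound(Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000, syn=True, ack=True), 0.1)
    # Unsolicited segment with ACK set: a stateless 'established' ACL entry would pass it
    r["probe_in"] = fw.inbound(Packet("tcp", "198.51.100.7", 53, "10.0.0.5", 445, ack=True), 0.2)
    for n in range(3):                                  # SYNs nobody answers: half-open pile-up
        fw.outbound(Packet("tcp", "10.0.0.9", 50000 + n, "203.0.113.9", 80 + n, syn=True), 1.0 + n / 10)
    r["half_open_after_flood"] = fw.half_open()
    r["alert_seen"] = any(e.startswith("ALERT_ON") for e in fw.events)
    r["expired"] = fw.expire(100.0)                     # stale half-open session aged out
    r["data_in_after_cleanup"] = fw.inbound(
        Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000, ack=True, length=1400), 100.5)
    return r
```

Calling demo() shows the contrast with a stateless filter: the probe that an 'established' entry would admit is denied because no session exists for it, the flood trips the alert and is cut back to the low-water mark, and the genuine connection survives both the culling and the later cleanup.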
CHAPTER THREE
CISCO IOS FIREWALL FEATURE SET
New Firewall Features and Benefits
Context-based access control (CBAC): provides internal users secure,
per-application-based access control for all traffic across perimeters,
e.g. between private enterprise networks and the Internet.
Java blocking: protects against unidentified, malicious Java applets.
Denial of Service detection/prevention: defends and protects router
resources against common attacks; checks packet headers and drops
suspicious packets.
Audit trail: details transactions; records time stamp, source host,
destination host, ports, duration and total number of bytes transmitted.
Real-time alerts: logs alerts in case of denial-of-service attacks or
other pre-configured conditions.
ConfigMaker support: a Win95/WinNT wizard-based network configuration
tool that offers step-by-step guidance through network design,
addressing and Firewall feature set implementation.
Previously released Cisco IOS firewall features are:
Basic and Advanced Traffic Filtering
o Standard and Extended Access Control Lists (ACLs): apply
controls over access to specific network segments, and
defines which traffic passes through a network segment
o Lock and Key—Dynamic ACLs: grant temporary access
through firewalls upon user identification
(username/password)
Policy-based Multi-interface Support: provides ability to
control user access by IP address and interface as
determined by the security policy
Network Address Translation (NAT): enhances network
privacy by hiding internal addresses from public view; also
reduces cost of Internet access by enabling conservation of
registered IP addresses
Peer Router Authentication: ensures that routers receive
reliable routing information from trusted sources
Event Logging: allows administrators to track potential
security breaches or other nonstandard activities on a real-
time basis by logging output from system error messages to
a console terminal or syslog server, setting severity levels,
and recording other parameters
Virtual Private Networks (VPNs): provide secure data
transfer over public lines (such as the Internet); reduce
implementation and management costs for remote branch
offices and extranets; enhance quality of service and
reliability; standards-based for interoperability, using any of
the following protocols:
o Generic Routing Encapsulation (GRE) Tunneling
o Layer 2 Forwarding (L2F)
o Layer 2 Tunneling Protocol (L2TP): when it becomes
available
o Quality of Service (QoS) controls: prioritize applications and
allocate network resources to ensure delivery of mission-
critical application traffic
Cisco encryption technology: a network-layer encryption
capability that prevents eavesdropping or tampering with
data across the network during transmission
CHAPTER FOUR
APPLICATION OVERVIEWS
1. Corporate Internet Perimeter
Corporations deploy Cisco IOS Firewall-enabled routers
at the perimeter of their networks. The firewall is configured to
protect against unauthorized access from the untrusted Internet
to the corporation's private network, and to prevent
unauthorized access from the internal private network to
untrusted sites. As part of their business, many corporations
need to administer their own Web, file transfer, mail, and DNS
services, and to make those services available over the
Internet. Because of the dangers of running servers inside
private networks, a Demilitarized Zone (DMZ) network is
deployed as part of the corporate network infrastructure to
provide a safe, relatively neutral "drop area" for communication
between inside and outside systems. A firewall policy is created
to deny connections from the untrusted Internet to the private
network. Internet users can connect to servers on the DMZ
network to access public corporate information and all other
services that the corporation wishes to offer to outside users.
Outgoing connections from the DMZ network into the private
network and the Internet are also prohibited by the firewall
policy. This restriction prevents attackers from penetrating the
DMZ server and using it as a tool to cause damage to internal
services and to attack other public sites.
Authentication, Authorization, and Accounting
With the Cisco IOS Firewall authentication proxy feature,
connections can be made based on the security policies
configured for each user. A per-user policy is downloaded
dynamically to the router from an authentication, authorization,
and accounting (AAA) server when the user attempts to make a
connection to the Internet, DMZ network, or the internal
network. Access will be granted only when the user has the
appropriate access privilege based on his or her individual
security profile. Besides using the authentication proxy, the
administrator of the corporate network can use the accounting
capability of the AAA server for security, billing, resource
allocation, and management of any users who use the
authentication proxy service. See Figure 1 for an illustration of a
corporate Internet perimeter deployment scenario.
Figure 1 Corporate Internet Perimeter Deployment Scenario
Destination URL Policy Management
Corporations can also manage resources and avoid
productivity drains with Destination URL Policy Management, a
key feature of the Cisco IOS Firewall. With Destination URL
Policy Management, system administrators of the corporate
network decide the allowable URL categories, users that have
access to content, as well as when that content can be
accessed. The Cisco IOS Firewall-enabled router maintains a
local list of URL policies to be managed, granting or denying
permission to URL connection requests. For additional policies
not available on the router, it forwards HTTP requests for a URL
destination to the external policy management server in order to
get permission. Currently, Cisco supports two URL Policy
Management server implementations, WebSense Inc. and
N2H2 Inc.
Event Monitoring and Logging
When suspicious activity is detected on the corporate
network, real-time alerts send syslog error messages to the
central management console, allowing administrators to track
and respond to potential security breaches or other undesirable
events in real time.
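As an added example of the tracking this paragraph describes, and of the Audit Trail and Real-Time Alerts highlights earlier in the report (this is not code from the original report or from Cisco), the Python program below parses audit-trail and alert messages of the kind a Cisco IOS Firewall sends to syslog into session records, pairs the start and stop of each session to obtain its duration, totals bytes per inside host and flags sessions to services the policy does not expect. The log lines are constructed in the style of the %FW-6-SESS_AUDIT_TRAIL and %FW-4-ALERT_ON/ALERT_OFF messages, not captured from a router; the hostname, the addresses and the list of expected ports are assumptions.

```python
"""Parsing Cisco IOS Firewall audit-trail and alert syslog messages into session
records. Added example: the log below is constructed in the style of the
%FW-6-SESS_AUDIT_TRAIL and %FW-4-ALERT_ON/ALERT_OFF messages, not a real capture;
hostname 'gw', all addresses and the expected-port list are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Mar 10 10:01:02 gw 1234: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.0.0.5:40000) -- responder (192.0.2.10:80)
Mar 10 10:01:09 gw 1235: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.0.0.5:40000) sent 1120 bytes -- responder (192.0.2.10:80) sent 48231 bytes
Mar 10 10:02:15 gw 1236: %FW-4-ALERT_ON: getting aggressive, count (501/500) current 1-min rate: 120
Mar 10 10:02:40 gw 1237: %FW-4-ALERT_OFF: calming down, count (399/400) current 1-min rate: 10
Mar 10 10:03:00 gw 1238: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.0.0.7:40112) sent 9 bytes -- responder (203.0.113.9:22) sent 2048 bytes
"""

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
_INITIATOR = r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)"
START_RE = re.compile(_TS + r".*%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\w+) session: "
                      + _INITIATOR + r" -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)")
STOP_RE = re.compile(_TS + r".*%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\w+) session: "
                     + _INITIATOR + r" sent (?P<ibytes>\d+) bytes -- "
                     r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<rbytes>\d+) bytes")
ALERT_RE = re.compile(_TS + r".*%FW-4-(?P<state>ALERT_ON|ALERT_OFF): .*count \((?P<count>\d+)/(?P<limit>\d+)\)")

def _timestamp(text: str) -> datetime:
    # Syslog timestamps carry no year; strptime's default year is fine for durations
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")

@dataclass
class SessionRecord:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    stopped: datetime
    started: Optional[datetime]          # None when no Start line was seen for the session
    initiator_bytes: int
    responder_bytes: int

    @property
    def duration_s(self) -> Optional[float]:
        return None if self.started is None else (self.stopped - self.started).total_seconds()

    @property
    def total_bytes(self) -> int:
        return self.initiator_bytes + self.responder_bytes

def parse_audit_trail(text: str) -> Tuple[List[SessionRecord], List[dict]]:
    """Pair Start/Stop lines into session records and collect DoS alert transitions."""
    starts: Dict[Tuple[str, str, int, str, int], datetime] = {}
    sessions: List[SessionRecord] = []
    alerts: List[dict] = []
    for line in text.splitlines():
        if m := START_RE.search(line):
            key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            starts[key] = _timestamp(m["ts"])
        elif m := STOP_RE.search(line):
            key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            sessions.append(SessionRecord(*key, stopped=_timestamp(m["ts"]), started=starts.pop(key, None),
                                          initiator_bytes=int(m["ibytes"]), responder_bytes=int(m["rbytes"])))
        elif m := ALERT_RE.search(line):
            alerts.append({"time": _timestamp(m["ts"]), "state": m["state"],
                           "count": int(m["count"]), "limit": int(m["limit"])})
    return sessions, alerts

def bytes_by_initiator(sessions: List[SessionRecord]) -> Dict[str, int]:
    """Total bytes per inside host: the figure a usage report or billing record needs."""
    totals: Dict[str, int] = defaultdict(int)
    for s in sessions:
        totals[s.src] += s.total_bytes
    return dict(totals)

def unexpected_responder_ports(sessions: List[SessionRecord],
                               expected=frozenset({25, 53, 80, 443})) -> List[SessionRecord]:
    """Sessions to services the policy does not expect (assumed list of expected ports)."""
    return [s for s in sessions if s.dport not in expected]

if __name__ == "__main__":
    sessions, alerts = parse_audit_trail(SAMPLE_LOG)
    for s in sessions:
        print(f"{s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport} {s.duration_s} s {s.total_bytes} bytes")
    print(bytes_by_initiator(sessions), [a["state"] for a in alerts])
```

The second session has a stop line but no start line, so its duration is reported as unknown rather than guessed; the parser keeps such records because the byte counts and endpoints are still useful, and the outbound SSH session to 203.0.113.9 is exactly the kind of entry an administrator would want surfaced from a night's worth of audit trail.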
2. Corporate Intranet
A corporation typically has many departments that are
each responsible for different pieces of mission-critical
information. Employees working for various organizations within
a corporation do not have equal access privileges to all
corporate information and services. The corporate intranet
deployment scenario offers protection of mission-critical servers
such as human resource (HR), enterprise resource planning
(ERP), customer relationship management (CRM), and
accounting systems against security breaches from within the
organization. It also effectively manages internal resources to
help increase productivity.
The firewall policy for the corporate intranet is designed
to restrict traffic and access to information between various
departments within the corporation. Employees are subject to
authentication and authorization before they are granted access
to servers and services on the corporate network. Destination
URL Policy Management also controls access to internal Web
site and Web applications. In addition, suspicious activities are
monitored by administrators with real-time alerts and log
messages. See Figure 2 for an illustration.
Figure 2 Corporate Intranet Scenario
3. Regional/Branch Office Perimeter
Regional or branch offices can also deploy a Cisco IOS
Firewall-enabled router at the perimeter of their network. Data
and voice traffic between the regional or branch office and the
corporate headquarters is transported via the virtual private
network (VPN) connection. A separate, direct connection to the
Internet from the regional or branch location is also available for
access to public servers and information available on the Web.
With this firewall deployment scenario, the firewall policy
created for the corporate internet perimeter deployment
scenario works in conjunction with the firewall policy at the
regional or branch office perimeter. No connections are
permitted from the untrusted Internet to the regional or branch
office network; instead, Internet users connect to servers on the
corporate DMZ network to access public corporate information.
The DMZ network provides all the services that the corporation
wishes to offer to outside users.
To better manage individual access from the regional
office location to the Internet and internal resources, AAA and
URL Policy Management servers are deployed at the regional
location. Access to services and resources will be granted to
employees only when they have the appropriate access
privilege based on their individual security profiles. A syslog
server is also made available for the regional office
administrator to track and respond to potential attacks and
nonstandard activities. For smaller branch office locations
without system administration resources, centralized firewall
policy management can be provided remotely by the resources
on the main corporate network.
Figure 3 Regional/Branch Office Perimeter
4. Telecommuter/Home Office
Corporate telecommuters and home office workers
similarly maintain a LAN network in the home with several
computers connected to it (Figure 4). Both worker types
subscribe to an ISP service that provides connectivity to the
Internet. The home office worker, typically an independent
contractor or an individual who runs a business out of a home,
is always connected to an ISP. The home office worker relies on
the ISP for services such as Web hosting, domain service, e-
mail, and DNS. In a slightly different scenario, the telecommuter
network is an extension of the corporate network. A
telecommuter's access to work resources and shared
information is subject to the corporate firewall security profile
created for the individual. Similar to the branch office
deployment scenario, a telecommuter is connected to the
corporate network via a VPN tunnel for data and voice
communication. The telecommuter can also directly access the
Internet via an ISP. Business resources for the telecommuter
such as e-mail, confidential information, server access, and
more, reside on the corporate network.
Because business resources reside on a network
external to home, the telecommuter and home office worker
need not accept any incoming connections from the Internet to
the home office LAN. The Cisco IOS Firewall enabled router at
the perimeter of a telecommuter/home office permits only
outgoing connections. The computers on the home LAN can
connect to the Internet via the ISP network, but the firewall
policy does not allow outside initiated sessions to the private
LAN. The work-at-home individual can view Web pages, send
e-mail, pick up incoming e-mail from a corporate network or
ISP, retrieve software via FTP, connect remotely using Telnet,
and join in multimedia conferences, all without exposing any
services on his or her own LAN network.
Authentication proxy service and URL Policy
management with the Cisco IOS Firewall are not necessary for
a telecommuter or home office. Once again, the telecommuter,
when on the corporate network, is subject to the firewall policy
created for the individual. A syslog server can be deployed if the
work-at-home individual is willing to act as the system
administrator and be notified immediately when there is a
potential intrusion of the private network.
Figure 4 Telecommuter/Home Office Scenario
5. Corporate Extranet
As corporations establish tighter relationships with their
business partners, the need to share resources among
companies increases. Sometimes, access to the partner's
internal networks is necessary to improve productivity and
efficiency. A Cisco IOS Firewall deployed at the perimeter of the
corporate network and partner network can help to restrict
confidential information access to the few privileged individuals.
With authentication proxy, a user entering the corporate
network and the partner network from the expected source
network is authenticated before access is granted. A security
policy for the individual is dynamically downloaded from the
AAA server, allowing the user only the services permitted by the
security profile. Syslog servers are maintained at both ends of
the network to track alarming activities. (See Figure 5.)
Figure 5 Corporate extranet
CHAPTER FIVE
CISCO FIREWALL FAMILY
The Cisco PIX Firewall and Cisco IOS Firewall
The Cisco PIX Firewall is the world’s leading dedicated
firewall appliance. It has received the highest level of security
certification granted to any firewall product. The Cisco PIX
Firewall is a turnkey appliance with unmatched performance
and unparalleled features. Integration of third-party content
solutions, such as NetPartner’s WebSENSE URL management
software, further enhances the industry-leading capabilities of
the Cisco PIX Firewall. For IP-based network security, the Cisco
PIX Firewall is the clear choice for those requiring dedicated
firewall appliances. When combined with IP Security (IPsec),
Cisco PIX Firewall provides an integrated virtual private network
(VPN) solution. The Cisco IOS Firewall integrates robust firewall
and intrusion detection technology into the Cisco IOS Software.
The Cisco IOS Firewall enhances existing Cisco IOS Software
by including stateful, application-based filtering, dynamic per-
user authentication and authorization, and real-time alerts.
When combined with Cisco IOS IPsec software, the Cisco IOS
Firewall provides an integrated VPN solution.
Available with a wide range of Cisco routers, the Cisco
IOS Firewall is the best choice for integrating multiprotocol
routing with security policy enforcement.
The figure below shows an application that employs both
types of firewall.
Leading-Edge Capabilities of Cisco PIX Firewalls and Cisco
IOS Firewalls
Both the Cisco PIX Firewall Series and the Cisco IOS
Firewall incorporate leading-edge firewall technology. Table 1
outlines advanced features common to both firewalls.
Although both firewalls provide excellent security
solutions, each excels in different environments and at sites
with distinct requirements. Table 2 describes when to choose
the Cisco PIX Firewall and Table 3 describes when to choose
the Cisco IOS Firewall. In many instances, the best security
solution is a combination of both.
SUMMARY
The Cisco IOS Firewall offers integrated network security
through Cisco IOS software. A robust security policy entails
more than perimeter control or firewall setup and
management—security policy enforcement must be an inherent
component of the network. Cisco IOS Software, with many
advanced security features such as a firewall, firewall-IDS,
IPSec/VPN, and quality of service (QoS) is an ideal vehicle for
implementing a global security policy. Building an end-to-end
Cisco solution allows managers to enforce security policies
throughout the network as it grows.
ACKNOWLEDGMENT
I express my sincere gratitude to Prof. M. N. Agnisarman
Namboothiri (Head of Department, Information Technology) and
Mr. Zaheer P. C. and Ms. Deepa (staff in charge) for their kind
cooperation for the seminar presentation.
I am also grateful to all other faculty members of the
Information Technology Department and my colleagues for their
guidance and encouragement.
ABSTRACT
The Cisco IOS (Internetwork Operating System) Firewall is a
commercial firewall product that comes as a security-specific
option with the Cisco IOS Software. Unlike other firewalls, it does
not need a dedicated appliance: it is installed on the router itself.
Since many Internet routers already run Cisco IOS Software and use
its security features (such as authentication and encryption), adding
the Cisco IOS Firewall to that set yields better results.
It integrates robust firewall functionality and intrusion
detection for every network perimeter and enriches existing Cisco
IOS security capabilities. It adds greater depth and flexibility to
existing Cisco IOS security solutions—such as authentication,
encryption, and failover—by delivering state-of-the-art security
features such as stateful, application-based filtering; dynamic per-
user authentication and authorization; defense against network
attacks; Java blocking; and real-time alerts.
CONTENTS
I. Introduction
II. Firewall Basics
Definition of Firewall
Design and Implementation Issues
Realization of Firewall
III. Cisco IOS Firewall
Router-based Firewall Functionality
Key Benefits
Highlights
IV. Feature Set
New Firewall Features
Previously Released Features
V. Application Overviews
Corporate Internet Perimeter
Corporate Intranet
Regional/Branch Office Perimeter
Telecommuter/Home Office
Corporate Extranet
VI. Cisco Firewall Family
Cisco PIX Firewall
Comparisons between PIX and IOS
VII. Summary