Introduction to Cisco IOS Firewall

Introduction to Cisco IOS Firewall

The Cisco IOS Firewall is a feature set option for Cisco IOS software, that is available for a wide range of Cisco routers and switches. It provides advanced firewall capabilities, as well as other security technologies such as intrusion detection and authentication.

The Cisco IOS Firewall is only one part of the growing Cisco Secure product family. It joins and integrates with other Cisco Secure products, such as Cisco Secure Access Control Server (ACS), Cisco Secure PIX Firewall devices, Cisco Secure Intrusion Detection System (IDS), Cisco Secure Scanner, and Cisco Secure Policy Manager (CSPM), plus a variety of consulting and training services options. As key components of Cisco AVVID strategy, Cisco Secure network security solutions improve the network’s capability to support mission-critical Internet applications.

Cisco IOS software firewall feature set provides an extensive array of security tools, enabling the administrator to configure a firewall providing the appropriate level of functionality to meet security policy requirements. Whether as a stand-alone unit or working in tandem with a dedicated firewall device, the IOS firewall features provide flexible and reliable options to extend the security protection throughout the network.

Router-Based Firewall Functionality

Cisco IOS Firewall is available on the Cisco 800, uBR900, 1400, 1600, 1700, 2500, 2600, 3600, 7100, 7200, and 7500, as well as RSM series routers. By supporting such a wide variety of router platforms, the firewall features will scale to meet any network’s bandwidth, performance, and security requirements. The firewall features are also available on the Catalyst 5000 switch.

No absolute rules exist for choosing the right Cisco router for implementing the firewall and security features. While an organization’s size and security requirements must be factored in, the following general guidelines can be used as a starting point.

  • Small office/home offices (SOHO): Cisco 800, uBR900 series, 1600, and 1720 series

  • Branch and extranet implementations: Cisco 2500, 2600, and 3600 series

  • Central office or high-volume locations: Cisco 7100, 7200, 7500, and RSM series

Integration with Cisco IOS Software

The Cisco IOS Firewall feature set is an optional security solution integrated into the network through selecting the correct Cisco IOS software. The integration of the firewall features into the IOS means the organization security policy can be implemented and enforced throughout the network. Whether securing the links between departments or partner networks, or between the organization and the Internet, the IOS implementation allows for an end-to-end security solution that can grow and change with the organization.

The Cisco IOS Firewall is also completely interoperable with, and often enhances, other features, such as AAA, NAT, Cisco encryption technology (CET), and system logging, as well as standard and extended access control list features, such as Time-Based and Lock n Key.

VPN, IPSec Encryption, and QoS Support

When combined with Cisco IPSec technology, the Cisco IOS Firewall features provide integrated and enhanced virtual private network (VPN) functionality. VPNs are rapidly evolving as the standard for providing secure data communications over public networks like the Internet.

The firewall features work with the IOS encryption, tunneling, and quality of service (QoS) features to ensure timely and reliable delivery of data and provide robust perimeter security, while providing advanced bandwidth management, intrusion detection, and service-level validation. The Firewall Authentication Proxy feature can provide user authentication and authorization for Cisco VPN client software.

Several chapters are dedicated to IPSec and to VPN implementation and features, but it’s important to recognize that both the firewall and the IPSec features are separate IOS options that might be selected to match the objectives of the security policy. Figure 6-1 shows a sample of the Cisco IOS Upgrade Planner from the Cisco web site. Notice that the firewall features, identified as FW, and the IPSec features, IPSEC 56, are available in various combinations on different platforms. You can have either, both, or neither. Often memory and flash requirements will increase for each, as might the cost.

Click To expand
Figure 6-1: Cisco CCO IOS Upgrade Planner showing feature sets

Does the IOS Image Support Firewall and IPSec Features?

How do you tell if the IOS on a router supports the firewall or the IPSec features? Cisco and vendors who use Cisco IOS on their devices follow a naming convention for software images. The device IOS convention identifies the platform, the features of the image, and the area of memory used by the image at runtime. For the image c2600-jos56i-mz.120-4 .T.bin, the name is the portion up to the first period and everything else is version/release information. The three components of the name are separated by dashes. In the example,

  • The platform is a Cisco 2600 series router.

  • The o feature code indicates firewall features. The 56i indicates 56-bit IPSec encryption. The s indicates a group of features, such as NAT, ISL IBM, MMP, VPDN/L2F, VOIP, and ATM. The j indicates enterprise features.

  • The m indicates that the software runs from RAM, and the z indicates the image is zipped.

For more information on naming convention and version numbers, go to Naming is in Section 2.2. No CCO account is required to view this document.

Feature Summary

The Cisco IOS Firewall feature set adds the following security features to a broad selection of Cisco routers:

  • Intrusion detection

  • Authentication proxy

  • Context-Based Access Control (CBAC)

  • Dynamic port mapping

  • Java blocking

  • Denial of service (DoS) detection and prevention

  • Simple Mail Transfer Protocol (SMTP) attack detection and prevention

  • IP fragmentation attack prevention

  • Configurable real-time alerts and audit trail

  • Failover capabilities

  • Microsoft NetShow application support

The 800, UBR904, 1600, and 2500 series of routers support all the previous firewall features, except authentication proxy and intrusion detection. There’s no firewall feature set support for the 4000 series routers, but there is VPN support.

Part III: Virtual Private Networks (VPNs)