Cisco IOS Firewall Features

The Cisco IOS Firewall feature set is a Cisco IOS add-on that provides enhanced security functions for a Cisco IOS router. It goes beyond a standard stateful firewall, which sets it apart from small- or home-office firewall appliances: it adds features to the Cisco IOS that let the router perform the functions of an enterprise firewall such as the Cisco PIX. Here are some of the features included in the Cisco IOS Firewall feature set:

  • CBAC (Context-Based Access Control): Provides stateful filtering at the application layer, including support for non-standard protocols and multimedia applications. For supported protocols it can examine the payload of a connection for embedded addressing information and apply the NAT or PAT translations that information requires. It can also open the additional stateful connections that multichannel applications such as FTP and H.323 negotiate on their control channel.

  • Port mapping: Lets you tell CBAC which application runs on a non-standard port so that its application inspection is applied correctly, for example mapping HTTP to port 8080 when your web server listens on that port. Without the mapping, such a connection is inspected only as generic TCP.

  • Filtering of Java applets: Filters Java applets embedded in HTTP responses, so you can permit applets only from sites you trust and block all others (this is discussed in Chapter 10, "Filtering Web and Application Traffic").

  • DoS protection: Detects and mitigates Denial of Service (DoS) attacks by tracking half-open (embryonic) connections and, when configurable thresholds are exceeded, dropping the oldest ones or temporarily blocking new connections to a targeted host (this is discussed in Chapter 17, "DoS Protection").

  • Authentication proxy: Authenticates and authorizes a user before permitting that user's traffic to enter or leave the network, by intercepting the connection and prompting for a username and password (this is discussed in Chapter 14).

  • Intrusion-detection system: Detects, and can block, 100 of the most common kinds of attacks in real time (this is discussed in Chapter 16).

  • Logging and auditing: Logs TCP and UDP transactions and can generate real-time alerts of attacks, including packet and segment header information (this is discussed in Chapter 18, "Logging Events").

  • ACL compatibility: Works alongside the other ACL types in Cisco IOS, such as standard, extended, lock-and-key, and time-based ACLs.

Of all these features, this chapter focuses only on CBAC.
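To make the relationship between these features concrete, the following configuration is an added example (not taken from this chapter) showing how port mapping, CBAC inspection, the Java filter, the DoS thresholds, and the audit trail fit together on one router. The interface names (FastEthernet0/0 inside, FastEthernet0/1 outside), the addresses, the rule and ACL names (FW_OUT, OUTSIDE_IN, access list 51), the threshold values, and the assumption that the 8080 web server is reached by inside users are all illustrative choices, not requirements of the feature set.

```text
! Added example: minimal CBAC deployment on a two-interface router.
! Inside users initiate sessions to the outside; nothing initiated from the
! outside is allowed in. All names, addresses and thresholds are assumptions.
!
! 1. Port mapping. The web server the inside users reach listens on TCP 8080,
!    so tell CBAC to treat that port as HTTP. Port mapping is global (not
!    per interface or direction); without it, 8080 is inspected as generic TCP.
ip port-map http port 8080
!
! 2. Java filtering. Standard ACL 51 lists the sites whose applets are
!    permitted; applets from any other site are dropped by the http inspector.
access-list 51 permit 203.0.113.0 0.0.0.255
!
! 3. The inspection rule. Application-aware entries (ftp, h323, http) open
!    the secondary data/media channels those protocols negotiate on their
!    control channel; the generic tcp and udp entries handle everything else
!    as plain stateful sessions.
ip inspect name FW_OUT ftp
ip inspect name FW_OUT h323
ip inspect name FW_OUT http java-list 51
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
!
! 4. DoS protection. When the number of half-open sessions (or the rate of new
!    sessions per minute) crosses the high mark, CBAC deletes the oldest
!    half-open sessions until the low mark is reached. The per-host rule blocks
!    new connections to any single host for 2 minutes once that host has 50
!    half-open sessions.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 2
!
! 5. Logging. Record each inspected session's open and close, with byte
!    counts, to syslog.
ip inspect audit-trail
!
! 6. Inbound ACL on the outside interface. It denies everything. When CBAC
!    inspects a session leaving through the outside interface, it inserts a
!    temporary entry ahead of this ACL for that session's return traffic, so
!    only replies to inside-initiated sessions get in.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description outside
 ip address 192.0.2.2 255.255.255.252
 ip access-group OUTSIDE_IN in
 ip inspect FW_OUT out
```

Two points worth checking once this is in place: `show ip inspect sessions` should list the half-open and established sessions CBAC is tracking, and `show ip access-lists OUTSIDE_IN` should show the temporary permit entries CBAC has inserted above the static `deny ip any any log` while an inside-initiated session is open. If an outbound application such as FTP works but its data channel does not, the usual cause is that its protocol-specific inspector was left out of the rule and the session is being tracked as generic TCP.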

Supported router platforms of the Cisco IOS Firewall feature set include the SOHO70, SOHO90, 800, uBR900, 1600, 1700, 2500, 2600, 3200, 3600, 3700, 7100, 7200, 7300, 7400, 7500, and 7600 series of routers. Supported switch platforms include the Catalyst 4000, 5000, 6000, and 8850 series of switches. The feature set ships as a separately licensed IOS image, so before deploying it, confirm with Cisco's Feature Navigator that the image and IOS release you intend to run on a given platform actually include the features you need.