
Chapter 5. Cisco IOS Firewall

Security is no longer a straightforward product or technology enabler, but a core system in a network design. Cisco IOS Software provides an array of security solutions, including the flagship IOS Firewall feature set, which adds integrated firewall and intrusion detection technology to Cisco IOS Software. The Cisco IOS Firewall feature is a stateful-inspection software component of Cisco IOS Software.

The Cisco IOS Firewall feature set provides a single point of protection at the network perimeter, making security policy enforcement an inherent component of the network.

Cisco IOS Firewall consists of several major subsystems: an advanced firewall engine for stateful-packet inspection (SPI), Context-Based Access Control (CBAC), Zone-Based Policy Firewall (ZFW), Intrusion Prevention Systems (IPS), Authentication Proxy, Port-to-Application Mapping (PAM), Multi-VRF firewall, Transparent firewall, and several others.

This chapter focuses mainly on SPI and the Classic Firewall (CBAC), illustrating the fundamental concepts and functions of stateful inspection and giving a step-by-step process for configuring the Cisco IOS Firewall in the classic CBAC format.

The chapter also highlights some of the Advanced IOS Firewall features introduced in the newer IOS Software versions.

The chapter also covers the new Zone-Based Policy Firewall (ZFW) model, providing an overview of the new zone-based concept and a configuration example that uses the new Cisco Policy Language (CPL) commands.

Router-Based Firewall Solution

The Cisco IOS Firewall feature set provides network security with integrated, inline security solutions. The IOS Firewall feature set is a suite of security services provisioning a single point of protection at the network perimeter. In addition, the IOS Firewall feature is widely available on a range of IOS software-based devices, thereby offering sophisticated security and policy enforcement for network connections.

The Cisco IOS Firewall feature is a stateful-inspection firewall engine with application-level intelligence. It provides dynamic control to permit or deny traffic flows, thereby providing enhanced security. In its simplest form, the principal function of a firewall is to monitor and filter traffic. Cisco routers can be configured with the IOS Firewall feature in one of the following deployment scenarios:

Cisco IOS Software provides an extensive set of security features to design customized firewall solutions to fit an organization's security policy. A Cisco networking device running Cisco IOS Software can be configured to function as a firewall by using several solutions available in the IOS Firewall feature set.
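The following configuration is an added example (not taken from this chapter or from Cisco documentation) of the classic CBAC deployment described above: a two-interface router where the inside LAN is trusted and the outside interface faces the Internet. The interface names, addresses, rule name CBAC-FW, and ACL name OUTSIDE-IN are assumptions chosen for illustration. Inspection is applied inbound on the inside interface; CBAC then creates temporary entries in the outside interface's inbound ACL so that only return traffic for sessions initiated from the inside is permitted, while unsolicited inbound traffic is dropped and logged.

```cisco
! Added example, constructed for illustration (not the book's own configuration).
! Inspection rule: track TCP, UDP and ICMP sessions initiated from the inside.
ip inspect name CBAC-FW tcp
ip inspect name CBAC-FW udp
ip inspect name CBAC-FW icmp
! Optional: log session creation/teardown for audit and incident response.
ip inspect audit-trail
!
! Static inbound policy on the outside interface: deny everything by default.
! CBAC inserts dynamic permit entries ahead of these lines for return traffic.
ip access-list extended OUTSIDE-IN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface FastEthernet0/0
 description INSIDE (trusted LAN) - assumed interface name
 ip address 192.168.1.1 255.255.255.0
 ip inspect CBAC-FW in
!
interface FastEthernet0/1
 description OUTSIDE (Internet) - assumed interface name
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
```

To confirm the engine is doing what the text describes, generate an outbound connection from a host on the inside and use `show ip inspect sessions` to see the dynamically created session entry, and `show ip inspect config` to review the active inspection rules. Once the session times out or closes, the entry disappears and the static `deny ip any any log` line in OUTSIDE-IN again blocks that traffic.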

The Cisco IOS Firewall consists of several major subsystems:

Several other security solutions are available in Cisco IOS. These include Lock-and-Key, Reflexive Access Lists, TCP Intercept, IPsec, and AAA support. This chapter focuses primarily on the CBAC and ZFW solutions available in the IOS Firewall feature set.
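As a companion to the CBAC model, the following is an added example (not taken from this chapter) of the same inside-to-outside policy expressed in the Zone-Based Policy Firewall model using Cisco Policy Language, as introduced earlier. The zone, class-map, policy-map and zone-pair names and the interface names are assumptions chosen for illustration. In ZFW, interfaces are assigned to security zones and policy is attached to a zone pair; traffic between zones with no zone-pair policy is dropped by default, and the `class-default` action below makes that drop explicit and logged.

```cisco
! Added example, constructed for illustration (not the book's own configuration).
! Define the security zones; interfaces in different zones cannot talk
! unless a zone-pair policy permits or inspects the traffic.
zone security INSIDE
zone security OUTSIDE
!
! Classify the traffic the inside is allowed to initiate toward the outside.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Stateful inspection for matched traffic; everything else is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Apply the policy in the inside-to-outside direction only.
! Return traffic is permitted by the session state; no OUTSIDE->INSIDE pair exists.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface FastEthernet0/0
 description INSIDE (trusted LAN) - assumed interface name
 zone-member security INSIDE
!
interface FastEthernet0/1
 description OUTSIDE (Internet) - assumed interface name
 zone-member security OUTSIDE
```

The verification step is analogous to the CBAC case: `show policy-map type inspect zone-pair IN-OUT sessions` lists the sessions the inspect action has created, and `show zone-pair security` confirms which policy is bound to which zone pair. Note that the router's own traffic belongs to the built-in `self` zone and is not covered by the IN-OUT pair; management traffic to the router needs its own policy if it must be restricted.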
