Cisco IOS Firewall

The Cisco IOS Firewall is a stateful packet filter that is built in to Cisco IOS
security images. Some of its features include the ability to dynamically alter
router access control lists (ACL) to permit return traffic for sessions originated
on the inside, the ability to track TCP sequence numbers and permit
only expected TCP traffic, and the ability to mitigate some types of TCP-based
(half-open session flooding) and IP fragmentation-based denial-of-service (DoS) attacks.
TCP Handling in the Cisco IOS Firewall
When a router running the Cisco IOS Firewall detects an outbound TCP
packet, it records in its state table the source and destination IP addresses, the
source and destination TCP port numbers, the TCP flags, and the sequence and
acknowledgment numbers associated with the session. Only inbound packets whose
headers match the expected parameters for a legitimate response to that session
(correct addresses and ports, plausible flags, and sequence/acknowledgment
numbers inside the expected window) are permitted; everything else is dropped.
UDP Handling in the Cisco IOS Firewall
Because UDP packets do not carry the same kind of state information as
TCP packets (that is, there are no flags or sequence/acknowledgment numbers),
the firewall approximates a UDP "session": return packets are permitted if their
source/destination IP addresses and port numbers mirror an outbound packet that
was seen recently, within a configurable idle timeout (ip inspect udp idle-time,
30 seconds by default). If a UDP return packet arrives after that window has
expired, or with headers that do not match a tracked flow, it is dropped.
Alerts and Audit Trails
The Cisco IOS Firewall can trigger, based on configurable parameters,
syslog alerts and log audit information about firewall sessions to a syslog
server.
Cisco IOS Authentication Proxy
The Cisco IOS Firewall can authenticate HTTP, HTTPS, Telnet, and FTP
sessions against local username/password databases or against TACACS+ or
RADIUS security servers. Therefore, an administrator can define specific
access policies for each user rather than generic policies for entire subnets or
interfaces.
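The following is an added configuration example (not from the original page) that shows how the authentication proxy described above is enabled for HTTP against a TACACS+ server. The server address, the shared secret, the rule name WEBAUTH and the interface name are assumptions; the per-user access policy itself lives in the user's profile on the AAA server, not in the router configuration.

```cisco
! Assumed: TACACS+ server at 10.1.1.40, inside interface FastEthernet0/0
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.40 key TACACS_SHARED_SECRET
!
! The proxy intercepts the user's HTTP request with the router's own HTTP
! server, so that server must be enabled and must authenticate through AAA
ip http server
ip http authentication aaa
!
! Cached credentials expire after 60 minutes of inactivity; a user must
! log in again afterwards and the dynamic entries for that user are removed
ip auth-proxy auth-cache-time 60
ip auth-proxy name WEBAUTH http
!
interface FastEthernet0/0
 description INSIDE - users who must authenticate before leaving the LAN
 ip auth-proxy WEBAUTH
!
! Verification:
! show ip auth-proxy configuration  - rule names, protocol, cache timer
! show ip auth-proxy cache          - authenticated hosts and remaining lifetime
```

With this in place, an unauthenticated host's first HTTP request is answered with a login page; after a successful TACACS+ login the router installs that user's permit entries in front of the interface ACL, so the static ACL should still deny the traffic that only authenticated users are allowed to send.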
Configuring Cisco IOS Firewalls
To configure the Cisco IOS Firewall, follow these five steps:
Step 1. Define external and internal interfaces.
Step 2. Configure access lists on the interfaces.
Step 3. Define inspection rules.
Step 4. Apply inspection rules to interfaces.
Step 5. Test and verify the configuration.
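The five steps above, carried through as one complete configuration. This is an added example, not configuration from the original page: the interface names, the inside network 10.1.1.0/24, the outside address 203.0.113.2/30, the syslog server 10.1.1.50 and the inspection rule name FW are all assumptions. It also covers the alert and audit-trail settings discussed earlier.

```cisco
! --- Step 1: define the interfaces (names and addresses are assumed) ---
interface FastEthernet0/0
 description INSIDE - corporate LAN
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description OUTSIDE - ISP uplink
 ip address 203.0.113.2 255.255.255.252
!
! --- Step 2: extended ACL to be applied inbound on the outside interface ---
! The firewall requires an EXTENDED access list here: it inserts temporary
! permit entries ahead of these static lines for sessions it saw leave the LAN.
access-list 101 remark anti-spoofing: our own prefix and loopback must never arrive from outside
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 remark ICMP error messages needed for path MTU discovery and diagnostics
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 remark everything else from the outside is dropped unless inspection opened it
access-list 101 deny   ip any any log
!
! --- Step 3: define the inspection rules ---
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http
! Alerts and audit trail: one syslog record per session start/stop
ip inspect audit-trail
logging host 10.1.1.50
logging trap informational
! Timers: give up on a half-open TCP session after 30 s, forget idle UDP flows after 30 s
ip inspect tcp synwait-time 30
ip inspect udp idle-time 30
! TCP DoS protection: start deleting half-open sessions above 500, stop at 400
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! --- Step 4: apply the ACL inbound and the inspection rule outbound on the outside interface ---
interface FastEthernet0/1
 ip access-group 101 in
 ip inspect FW out
!
! --- Step 5: test and verify ---
! show ip inspect config           - rule set and timers as IOS parsed them
! show ip inspect sessions detail  - live sessions and the dynamic ACL entries created for them
! show ip access-lists 101         - hit counts; the final "deny ip any any log" should be climbing
! debug ip inspect tcp             - per-packet state tracking (lab use only)
```

Testing should include both directions: a TCP or UDP session started from 10.1.1.0/24 must appear in show ip inspect sessions and its replies must get through, while an unsolicited connection attempt from outside must be logged against the final deny entry. The `log` keyword on the deny lines is useful while verifying but generates one syslog message per dropped packet, so on a busy link it should be rate-limited or removed once the configuration is confirmed.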
Defining External and Internal Interfaces
The external interface is the one connected to the “outside” network,
whereas the internal interface is the one connected to the inside, protected
network. For example, the external interface might be connected to an
Internet service provider (ISP), whereas the internal interface might be
connected to your corporate LAN. Traffic arriving on the external interface
is considered less trusted than traffic arriving on the internal interface. The
most common type of firewall configuration is to allow outside traffic to
pass the external interface only if it is a response to a legitimate session that
was originated from the inside.