Cisco IOS Threat Defenses-DMZ Design Review

Cisco IOS Threat Defenses
The router-hardening techniques discussed in Chapter 5, “Cisco Device
Hardening,” help to protect the router against many types of infrastructure
attacks. The Cisco IOS Firewall feature set enables you to integrate a stateful
firewall and an intrusion prevention system (IPS) to protect end stations
located behind the router.
DMZ Design Review
A demilitarized zone (DMZ) is an intermediate network between an organization’s
“inside” network and the “outside” world. Most organizations use a
DMZ to host their Internet-accessible devices, such as web servers or mail
servers. Some type of security system (for example, stateful firewall, filtering
router, application layer gateway) filters packets traveling between the
outside world and the systems in the DMZ, and between the DMZ and the
inside network. Depending on the design, there can be one filtering device
that performs both functions or two separate devices.
Traffic initiated from the outside world should be filtered so that all traffic to
nonessential services is dropped. If possible, the systems in the DMZ should
not be allowed to initiate conversations with systems on the inside; all
communications between the inside and the DMZ should be initiated from
the inside. This reduces the probability of a trust exploitation attack in the
event that an attacker compromises a DMZ system.
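As an added example (not from the book), a classic Cisco IOS Firewall (CBAC) configuration that implements the policy just described on a single three-interface router: outside traffic reaches only the DMZ's essential services, DMZ hosts cannot open sessions toward the inside, and inside-initiated sessions get their return path from stateful inspection rather than from static ACL holes. Interface names, the DMZ host addresses in 192.0.2.0/24 and the inside range 10.0.0.0/8 are constructed for illustration.

```cisco
! Added example, not from the book. Addresses and interface names are constructed.
! Assumed topology: Gi0/0 = outside, Gi0/1 = DMZ (192.0.2.0/24), Gi0/2 = inside (10.0.0.0/8)
!
! Stateful inspection: CBAC tracks sessions that enter an inspected interface and
! opens temporary return-path entries in the inbound ACLs on the other interfaces.
ip inspect name FW tcp
ip inspect name FW udp
!
! Outside -> DMZ: only the exposed services, on the specific DMZ hosts; everything else dropped
ip access-list extended OUTSIDE-IN
 remark web server 192.0.2.10 and mail server 192.0.2.25 are the only reachable DMZ hosts
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.25 eq 25
 remark nothing from outside may reach the inside network directly
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any any log
!
! DMZ -> anywhere: DMZ hosts must never initiate sessions toward the inside.
! Replies to inside- or outside-initiated sessions are admitted by inspection state, not by this ACL.
ip access-list extended DMZ-IN
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark the mail server may relay outbound mail to the Internet
 permit tcp host 192.0.2.25 any eq 25
 deny   ip any any log
!
! Inside -> DMZ/outside: inside hosts may start conversations; inspection opens the return path
ip access-list extended INSIDE-IN
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description outside
 ip access-group OUTSIDE-IN in
 ip inspect FW in
!
interface GigabitEthernet0/1
 description DMZ
 ip access-group DMZ-IN in
!
interface GigabitEthernet0/2
 description inside
 ip access-group INSIDE-IN in
 ip inspect FW in
```

Inspection is applied on the outside and inside interfaces, not on the DMZ interface, so a DMZ host that is compromised can answer existing sessions but cannot get a new session into the inside network past the DMZ-IN deny; the logged denies on that ACL are the signal to watch for that attempt.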