Router-Based Firewall Solution
The Cisco IOS Firewall feature set provides network security with integrated, inline security solutions. The IOS Firewall feature set is a suite of security services offering a single point of protection at the network perimeter. In addition, the IOS Firewall feature is widely available on a range of IOS software-based devices, thereby offering sophisticated security and policy enforcement for network connections.
The Cisco IOS Firewall feature is a stateful-inspection firewall engine with application-level intelligence. It provides dynamic control to permit or deny traffic flows, thereby providing enhanced security. In its simplest form, the primary function of a firewall is to monitor and filter traffic. Cisco routers can be configured with the IOS Firewall feature in one of the following deployment scenarios:
A firewall router facing the Internet.
A firewall router that protects the internal network from an external network. An external network can be any network outside the organization (for example, a customer or a partner network).
A firewall router between groups of networks within the internal network.
A firewall router that provides secure access to or from remote or branch offices.
Cisco IOS Software provides an extensive set of security features for designing customized firewall solutions that fit an organization's security policy. A Cisco networking device running Cisco IOS Software can be configured to function as a firewall by using several of the solutions available in the IOS Firewall feature set.
The Cisco IOS Firewall consists of several major subsystems:
Cisco IOS Firewall stateful packet inspection (SPI): SPI provides true firewall capabilities to protect networks against unauthorized traffic and to control legitimate business-critical data.
Context-Based Access Control (CBAC): CBAC (now known as Classic Firewall) is a stateful-inspection firewall engine that provides dynamic traffic filtering functionality.
Intrusion Prevention System (IOS IPS) (formerly known as IOS IDS): Cisco IOS IPS offers integrated IPS functionality as part of the Cisco IOS Software. From IOS Version 12.3T, Cisco IOS IPS replaces the previous IOS IDS functionality by implementing a large subset of classic sensor functionality as part of the IOS-based device. IOS IPS is an inline intrusion detection sensor that scans packets and sessions flowing through the router to identify any of the Cisco IOS IPS signatures that protect the network from internal and external threats.
Authentication proxy: The authentication proxy feature (also known as Proxy Authentication) allows security policy enforcement on a per-user basis. Previously, user access and policy enforcement were tied to a user's IP address or to a single global policy applied to an entire user group. With the authentication proxy feature, users can be authenticated and authorized against a per-user policy, with access control customized to the individual level.
Port-to-Application Mapping (PAM): PAM allows you to customize the TCP or User Datagram Protocol (UDP) port numbers that network services or applications use, so that they can run on nonstandard ports (for example, an HTTP service using TCP port 8080 instead of the default port 80). CBAC inspection uses this information to examine application-layer protocols on nonstandard ports.
Network Address Translation (NAT): NAT hides internal IP addresses from networks that are external to the firewall. NAT was designed to provide IP address conservation and to serve internal IP networks that use the unregistered private address space defined in RFC 1918. NAT translates these private IP addresses into legal registered addresses as packets traverse the NAT device. This provides basic, low-level security by effectively hiding the internal network from the outside world.
Zone-Based Policy Firewall (ZFW): ZFW is a newer, advanced security mechanism available in the Cisco IOS Software-based firewall feature set. ZFW offers a completely revamped configuration syntax that provides network security through intuitive policies and enhanced granularity for controlling unauthorized network access.
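The following Cisco IOS configuration is an added example, not taken from the original chapter, showing how three of the subsystems just listed work together: CBAC inspects outbound sessions and opens temporary return holes in an otherwise deny-all inbound access list, PAM tells CBAC that HTTP also runs on TCP port 8080 (the port from the text), and NAT overloads the inside network onto the outside interface address. Interface names, the 192.168.1.0/24 inside network and the 203.0.113.0/30 outside address are constructed for the example and are not from the page.

```cisco
! --- PAM: map the HTTP application to the nonstandard port 8080 (example port from the text)
! CBAC can then apply HTTP application-layer inspection to sessions on that port.
ip port-map http port 8080
!
! --- CBAC inspection rule: which protocols get stateful (and application-layer) inspection
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
ip inspect name FW_INSPECT http
ip inspect name FW_INSPECT icmp
!
! --- Inbound ACL on the outside interface.
! Nothing is statically permitted; CBAC inserts temporary entries ahead of
! this deny for the return traffic of sessions it has inspected, so only
! replies to inside-initiated sessions get through.
ip access-list extended OUTSIDE_IN
 remark Deny all unsolicited inbound traffic; CBAC opens return paths dynamically
 deny ip any any log
!
! --- NAT: which inside addresses are translated (constructed example network)
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/1
 description Inside LAN (constructed example addressing)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description Outside, Internet-facing (constructed example addressing)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE_IN in
 ip inspect FW_INSPECT out
```

The inspect rule is applied in the outbound direction on the outside interface and the deny-all ACL inbound on the same interface, which is the classic CBAC pairing: inspection watches sessions leaving toward the Internet and permits only their return traffic past the ACL. The state table that results can be viewed with `show ip inspect sessions`, and the log entries generated by the `deny ip any any log` line are what a defender watches for unsolicited inbound connection attempts.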
Several other security solutions are available on Cisco IOS. These include Lock-and-Key, reflexive access lists, TCP Intercept, IPsec, and AAA support. This chapter focuses primarily on the CBAC and ZFW solutions available in the IOS Firewall feature set.
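Because the chapter goes on to cover ZFW as well as CBAC, here is an added example (not from the original text) of the same inside-to-Internet policy expressed in the zone-based syntax. Instead of attaching an inspect rule and an ACL to interfaces, ZFW assigns interfaces to security zones, defines what traffic a class matches, states what to do with it in a policy, and binds the policy to a unidirectional zone pair. Zone, class-map, policy-map and interface names are constructed for the example.

```cisco
! --- Security zones: every firewall interface belongs to exactly one zone
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted Internet
!
! --- Class map: the traffic the policy applies to (match-any = OR of the entries)
class-map type inspect match-any IN_TO_OUT_TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! --- Policy map: the action for matched traffic.
! "inspect" creates stateful sessions so replies are allowed back automatically;
! everything not matched falls into class-default and is dropped and logged.
policy-map type inspect IN_TO_OUT_POLICY
 class type inspect IN_TO_OUT_TRAFFIC
  inspect
 class class-default
  drop log
!
! --- Zone pair: direction matters. INSIDE -> OUTSIDE gets the policy.
! No OUTSIDE -> INSIDE zone pair is defined, so traffic initiated from the
! Internet toward the LAN is dropped by default (only inspected return
! traffic is permitted).
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN_TO_OUT_POLICY
!
interface GigabitEthernet0/1
 description Inside LAN (constructed example)
 zone-member security INSIDE
!
interface GigabitEthernet0/0
 description Outside, Internet-facing (constructed example)
 zone-member security OUTSIDE
```

Two defaults are worth keeping in mind when reading a ZFW configuration: traffic between two zones with no zone pair is dropped, and traffic between interfaces in the same zone is permitted without inspection. Active sessions created by the `inspect` action can be listed with `show policy-map type inspect zone-pair sessions`, which is the ZFW counterpart of `show ip inspect sessions` under CBAC.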