The Cisco IOS (Internet Operating System) Firewall is a commercial
firewall product that comes as a security-specific option with the
Cisco IOS Software. Unlike other firewalls, it needs no dedicated
appliance: it can be installed on the router itself. Since most of the
routers on the Web already run Cisco IOS software for security
purposes (such as authentication and encryption), adding the Cisco IOS
Firewall to that set yields better results.
It integrates robust firewall functionality and intrusion detection
for every network perimeter and enriches existing Cisco IOS security
capabilities. It adds greater depth and flexibility to existing Cisco
IOS security solutions (such as authentication, encryption, and
failover) by delivering state-of-the-art security features such as
stateful, application-based filtering; dynamic per-user authentication
and authorization; defense against network attacks; Java blocking; and
real-time alerts.
The Cisco IOS Firewall provides robust, integrated firewall
and intrusion detection functionality for every perimeter of the
network. Available for a wide range of Cisco IOS software-based
routers, the Cisco IOS Firewall offers sophisticated security and
policy enforcement for connections within an organization (intranet)
and between partner networks (extranets), as well as for securing
Internet connectivity for remote and branch offices.
A security-specific, value-add option for Cisco IOS Software,
the Cisco IOS Firewall enhances existing Cisco IOS security
capabilities, such as authentication, encryption, and failover, with
state-of-the-art security features, such as stateful, application-based
filtering (context-based access control), defense against network
attacks, per user authentication and authorization, and real-time
The Cisco IOS Firewall is configurable via Cisco ConfigMaker
software, an easy-to-use Microsoft Windows 95, 98, NT 4.0 based
Definition Of FireWall
A firewall is a network security device that ensures that all
communications attempting to cross it meet an organization's security
policy. Firewalls track and control communications, deciding whether
to allow, reject or encrypt them.
Firewalls are used to connect a corporation's local network to the
Internet and also within networks. In other words, they stand between
the trusted network and the untrusted network.
Design and Implementation issues
Basic Design Decisions in a FireWall
The first and most important decision reflects the policy of how your
company or organization wants to operate the system. Is the firewall
in place to explicitly deny all services except those critical to the
mission of connecting to the net, or is it in place to provide a
metered and audited method of 'queuing' access in a non-threatening
manner? The second is: what level of monitoring, redundancy and
control do you want? Having established the acceptable risk level, you
can form a checklist of what should be monitored, permitted and
denied. The third issue is financial.
Two basic methods to implement a firewall are
1. As a Screening Router:
A screening router is a special computer or an electronic device that
screens (filters out) specific packets based on criteria that are
defined by the administrator. Almost all current screening routers
operate in the following manner.
a. Packet Filter criteria must be stored for the ports of the
packet filter device. The packet filter criteria are called packet
b. When the packets arrive at the port, the packet header is
parsed. Most packet filters examine the fields in only the IP, TCP and
c. The packet filter rules are stored in a specific order. Each
rule is applied to the packet in the order in which the packet filter
d. If the rule blocks the transmission or reception of a packet
the packet is not allowed.
e. If the rule allows the transmission or reception of a packet
the packet is allowed.
f. If a packet does not satisfy any rule it is blocked.
2. As a Proxy Server:
A Proxy Server is an application that mediates traffic between
a protected network and the Internet. Proxies are often used instead of
router-based traffic controls, to prevent traffic from passing directly
between networks. Proxy servers are application specific. In order to
support a new protocol via a proxy, a proxy must be developed for it.
Here there is no direct connection between the local network and the
untrusted network. The Proxy Server transfers an isolated copy of each
approved packet from one network to the other network. No information
about the local network is available to untrusted networks.
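As an added illustration of the screening-router steps (a) to (f) above, not code from the seminar text or from Cisco, the following Python models a first-match packet filter with an implicit final deny. The rule syntax, the addresses and the packets are constructed for the example (they are not Cisco IOS access-list syntax), and the last call in demo() shows that the same rules in a different order give a different verdict, which is why step (c) insists on stored order.

```python
"""Added example: a first-match screening-router packet filter.

Rules are stored in order, each is tried in that order, the first matching
rule decides, and a packet matching no rule is blocked (step f). Rule
syntax, addresses and packets are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = None  # wildcard: the field is not examined


@dataclass(frozen=True)
class Packet:
    """The header fields a typical packet filter examines (IP and TCP/UDP)."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IP address
    dst: str              # destination IP address
    dport: Optional[int]  # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: Optional[str] = ANY
    src: Optional[str] = ANY    # CIDR prefix, or ANY
    dst: Optional[str] = ANY    # CIDR prefix, or ANY
    dport: Optional[int] = ANY

    def matches(self, p: Packet) -> bool:
        """True when every field the rule specifies matches the packet."""
        if self.proto is not ANY and self.proto != p.proto:
            return False
        if self.src is not ANY and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not ANY and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not ANY and self.dport != p.dport:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Apply rules in stored order; return (action, index of deciding rule).

    Index -1 means no rule matched, which step f turns into a deny.
    """
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1


# Constructed policy for a router between the Internet, one DMZ web server
# and an inside network. Order matters: rule 1 is a catch-all deny for the
# DMZ host, so the web permit must be stored before it.
INSIDE = "10.1.0.0/16"
DMZ_WEB = "192.0.2.10/32"
POLICY = [
    Rule("permit", proto="tcp", dst=DMZ_WEB, dport=80),   # public web server
    Rule("deny", dst=DMZ_WEB),                            # nothing else to it
    Rule("permit", proto="tcp", src=INSIDE, dport=80),    # inside users to web
    Rule("permit", proto="tcp", src=INSIDE, dport=443),
]  # everything else falls through to the implicit deny


def demo() -> List[Tuple[str, int]]:
    """Run constructed packets through POLICY, then through POLICY reversed."""
    web_from_internet = Packet("tcp", "198.51.100.7", "192.0.2.10", 80)
    telnet_from_internet = Packet("tcp", "198.51.100.7", "192.0.2.10", 23)
    https_from_inside = Packet("tcp", "10.1.2.3", "203.0.113.5", 443)
    dns_to_inside = Packet("udp", "198.51.100.7", "10.1.2.3", 53)
    return [
        filter_packet(POLICY, web_from_internet),         # permitted by rule 0
        filter_packet(POLICY, telnet_from_internet),      # denied by rule 1
        filter_packet(POLICY, https_from_inside),         # permitted by rule 3
        filter_packet(POLICY, dns_to_inside),             # no match: implicit deny
        filter_packet(POLICY[::-1], web_from_internet),   # same rules, wrong order
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The reversed-policy call is the point of step (c): with the catch-all deny for the DMZ host ahead of the web permit, legitimate web traffic is dropped even though both rules are present.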
Realization of FireWall
1. Buying an off-the-shelf firewall product:
A commercial firewall product is bought and configured to meet an
organization's security policy. Some products are available free of
charge; others may cost up to $100000.
2. Building a custom firewall:
Organizations that have programming talent and financial resources
often prefer a 'roll your own' approach. This involves building a
custom firewall solution to protect the organization's network. If
implemented properly this is the most effective approach.
CISCO IOS FIREWALL
As network security becomes increasingly critical to securing
business transactions, businesses must integrate security into the
network design and infrastructure itself. Security policy enforcement
is most effective when it is an inherent component of the network.
The Cisco IOS Firewall is a security-specific option for Cisco
IOS Software. It integrates robust firewall functionality and intrusion
detection for every network perimeter. It adds greater depth and
flexibility to existing Cisco IOS security solutions (i.e.,
authentication, encryption, and failover), by delivering state-of-the-
art security features: stateful, application-based filtering; dynamic
per-user authentication and authorization; URL Filtering and others.
When combined with Cisco IOS IPSec and Cisco IOS Technologies such as
L2TP tunneling and Quality of Service (QoS), Cisco IOS Firewall
provides a complete, integrated virtual private network (VPN) solution.
Router-Based Firewall Functionality
Cisco IOS Firewall is available on a wide range of Cisco IOS
Software releases. It offers sophisticated security and policy
enforcement for connections within an organization (intranet) and
between partner networks (extranets), as well as for securing Internet
connectivity for remote and branch offices. The Cisco IOS Firewall is
the best choice for integrating multiprotocol routing with security
policy enforcement and enabling managers to configure a Cisco router as
a firewall. It scales to allow customers to choose a router platform
based on bandwidth, LAN/WAN density, and multiservice requirements;
simultaneously, it benefits from advanced security.
The Cisco IOS Firewall interoperates seamlessly with Cisco IOS
Software, providing outstanding value and benefits:
• Flexibility: Installed on a Cisco router, Cisco IOS Firewall is an
all-in-one, scalable solution that performs multiprotocol routing,
perimeter security, intrusion detection, VPN functionality, and
per-user authentication and authorization.
• Investment protection: Integrating firewall functionality into a
multiprotocol router leverages an existing router investment, without
the cost and learning curve associated with a new platform.
• VPN support: Deploying Cisco IOS Firewall with Cisco IOS encryption
and QoS VPN features enables secure, low-cost transmissions over
public networks. It ensures that mission-critical application traffic
receives high-priority delivery.
• Scalable deployment: Cisco IOS Firewall is available for a wide
variety of router platforms. It scales to meet the bandwidth and
performance requirements of any network.
• Easier provisioning: Combining the Cisco IE2100 and the Cisco IOS
XML application enables a network administrator to drop-ship any Cisco
router with little or no pre-configuration to a given destination. The
router pulls the most current Cisco IOS Software release router
configuration and its security policy configuration for the Firewall
when it is connected to the Internet.
Cisco IOS Firewall is supported on a majority of Cisco router
platforms, thus delivering important benefits that include multiservice
integration (data/voice/video/dial) and advanced security for dialup
connections. On the Cisco 7100, 7200 and 7400 Series Routers,
additional benefits include integrated routing and security at the
Internet gateway for large enterprises and service provider customer
premise equipment (CPE).
Cisco IOS Firewall Highlights
• Stateful IOS Firewall inspection engine: provides internal users
with secure, per-application-based access control for all traffic
across perimeters, such as perimeters between private enterprise
networks and the Internet. Also known as Context-Based Access Control
• Intrusion Detection: inline deep packet inspection service that
provides real-time monitoring, interception, and response to network
misuse with a broad set of the most common attack and
information-gathering intrusion detection signatures. Now supports 102
signatures!
• Firewall Voice Traversal: provided by application-level intelligence
of the protocol as to the call flow and associated channels that are
opened. Voice protocols that are currently supported are H.323v2 and
SIP (Q1CY03).
• ICMP Inspection: allows responses to ICMP packets (i.e., ping and
traceroute) originating from inside the Firewall, while still denying
other ICMP traffic. Available in Q1 of 2003.
• Authentication Proxy: enables dynamic, per-user authentication and
authorization for LAN-based, HTTP and dial-in communications;
authenticates users against industry-standard. Support of SSL-secured
user IDs and passwords for HTTP (HTTPS) provides greater
confidentiality. TACACS+ and RADIUS authentication protocols enable
network administrators to set individual, per-user security policies.
HTTPS (SSL-secured HTTP) will be supported in Q1 of 2003.
• Destination URL Policy Management: several mechanisms that support
local caching of previous requests, predetermined static URL
permission and denial tables, as well as use of external server
databases provided by Websense Inc. and N2H2 Inc. This is better known
as URL Filtering. This will be available on all platforms after Q1 of
• Per User Firewalls: enables Service Providers to provide a managed
Firewall solution in the broadband market by downloading unique
Firewall, ACLs, and other settings on a per-user basis, using the AAA
server profile storage after authentication.
• Cisco IOS Router and Firewall Provisioning: zero (0) touch
provisioning of the router, versioning and security policies such as
• Denial of Service Detection and Prevention: defends and protects
router resources against common attacks, checks packet headers, and
drops suspicious packets.
• Dynamic Port Mapping: allows Firewall-supported applications on
• Java Applet Blocking: defends against unidentified, malicious
• VPNs, IPSec Encryption, and QoS Support:
  o Operates with Cisco IOS Software encryption, tunneling, and QoS
features to secure VPNs
  o Provides scalable encrypted tunnels on the router while
integrating strong perimeter security, advanced bandwidth management,
intrusion detection, and service-level validation
  o Standards-based for interoperability
• Real-Time Alerts: logs alerts for denial-of-service attacks or other
pre-configured conditions. This is now configurable on a
per-application, per-feature basis.
• Audit Trail: details transactions, and records time stamp, source
host, destination host, ports, duration and total number of bytes
transmitted for detailed reporting. This is now configurable on a
per-application, per-feature basis.
• Integration with Cisco IOS Software: interoperates with Cisco IOS
Software features, integrating security policy enforcement into the
• Basic and Advanced Traffic Filtering:
  o Standard and extended access control lists (ACLs): apply access
controls to specific network segments and define which traffic passes
through a network segment.
  o Lock and Key: dynamic ACLs grant temporary access through
firewalls upon user identification (username/password).
• Policy-Based Multi-Interface Support: provides ability to control
user access by IP address and interface, as determined by the
• Network Address Translation (NAT): hides the internal network from
the outside for enhanced security.
• Time-Based Access Lists: defines security policy based on the time
of day and day of week.
• Peer Router Authentication: ensures that routers receive reliable
routing information from trusted sources.
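The stateful inspection engine, ICMP inspection and audit trail bullets above describe behaviour rather than mechanism. The following Python is an added example, not code from the seminar text or from Cisco's implementation, that models those three behaviours together: sessions opened from the inside are recorded, only matching return traffic (including an ICMP echo reply to an inside ping) is admitted from outside, unsolicited inbound packets are dropped, and every session that closes or idles out yields a record with time stamp, hosts, ports, duration and byte count. The packet layout, the "in"/"out" direction names, the idle timeout and the record format are constructed for the example; ending a TCP session on the first FIN, and modelling only echo request/reply for ICMP, are deliberate simplifications.

```python
"""Added example: a minimal stateful inspection engine with an audit trail.

Packet layout, direction names, idle timeout and record format are
constructed. Simplifications: a TCP session ends on the first FIN, and
only ICMP echo request/reply is modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP message types


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # ports unused for icmp
    dport: int = 0
    icmp_type: int = -1
    fin: bool = False    # TCP FIN flag
    length: int = 0      # bytes on the wire
    time: float = 0.0    # seconds on a constructed clock


@dataclass
class Session:
    opened: float
    last: float
    nbytes: int = 0


@dataclass(frozen=True)
class AuditRecord:   # time stamp, hosts, ports, duration, bytes
    timestamp: float
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    duration: float
    nbytes: int


class StatefulFirewall:
    IDLE_TIMEOUT = 30.0  # constructed value

    def __init__(self) -> None:
        self.sessions: Dict[tuple, Session] = {}
        self.audit: List[AuditRecord] = []

    @staticmethod
    def _key(p: Packet, reverse: bool = False) -> tuple:
        """Session key seen from the inside host; reverse=True maps an inbound
        packet onto the key of the outbound packet that opened the session."""
        a, b = (p.dst, p.src) if reverse else (p.src, p.dst)
        if p.proto == "icmp":
            return ("icmp", a, 0, b, 0)
        pa, pb = (p.dport, p.sport) if reverse else (p.sport, p.dport)
        return (p.proto, a, pa, b, pb)

    def _close(self, key: tuple, when: float) -> None:
        """Remove the session and write its audit-trail record."""
        s = self.sessions.pop(key)
        proto, src, sport, dst, dport = key
        self.audit.append(AuditRecord(s.opened, proto, src, dst, sport, dport,
                                      when - s.opened, s.nbytes))

    def _expire(self, now: float) -> None:
        for key, s in list(self.sessions.items()):
            if now - s.last > self.IDLE_TIMEOUT:
                self._close(key, s.last)   # idle session: audit and drop

    def process(self, p: Packet, direction: str) -> str:
        """Return "permit" or "deny" for a packet travelling "out" or "in"."""
        self._expire(p.time)
        if direction == "out":
            if p.proto == "icmp" and p.icmp_type != ECHO_REQUEST:
                return "deny"  # only an echo request opens an ICMP session
            key = self._key(p)
            s = self.sessions.setdefault(key, Session(p.time, p.time))
        else:
            key = self._key(p, reverse=True)
            s = self.sessions.get(key)
            if s is None:
                return "deny"  # not a reply to any session opened from inside
            if p.proto == "icmp" and p.icmp_type != ECHO_REPLY:
                return "deny"  # an inbound echo request is not a reply
        s.last = p.time
        s.nbytes += p.length
        if p.fin:
            self._close(key, p.time)
        return "permit"


def demo() -> Tuple[List[str], List[AuditRecord]]:
    """Constructed traffic: a web session from inside, a ping, and unsolicited
    inbound packets. Returns the verdicts and the audit trail."""
    fw = StatefulFirewall()
    inside, server, host = "10.1.2.3", "203.0.113.5", "203.0.113.9"
    traffic = [
        (Packet("tcp", server, inside, 4444, 22, length=60, time=0.0), "in"),    # unsolicited
        (Packet("tcp", inside, server, 40000, 80, length=60, time=1.0), "out"),   # opens session
        (Packet("tcp", server, inside, 80, 40000, length=1500, time=1.2), "in"),  # reply
        (Packet("tcp", server, inside, 81, 40000, length=60, time=1.3), "in"),    # wrong port
        (Packet("tcp", inside, server, 40000, 80, fin=True, length=40, time=3.0), "out"),
        (Packet("tcp", server, inside, 80, 40000, length=60, time=3.5), "in"),    # after close
        (Packet("icmp", inside, host, icmp_type=ECHO_REQUEST, length=64, time=5.0), "out"),
        (Packet("icmp", host, inside, icmp_type=ECHO_REPLY, length=64, time=5.1), "in"),
        (Packet("icmp", host, inside, icmp_type=ECHO_REQUEST, length=64, time=5.2), "in"),
        (Packet("icmp", host, inside, icmp_type=ECHO_REPLY, length=64, time=40.0), "in"),
    ]
    return [fw.process(p, d) for p, d in traffic], fw.audit
```

The two audit records demo() produces carry exactly the fields the Audit Trail bullet lists; the web session is closed by the FIN at 3.0 s, while the ping session is closed by the idle timeout, so a stale echo reply arriving much later is refused like any other unsolicited inbound packet.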
CISCO IOS FIREWALL FEATURE SET
New Firewall Features and Benefits
• Context-based access control (CBAC): provides internal users secure,
per-application-based access control for all traffic across
perimeters, e.g. between private enterprise networks and the Internet
• Java blocking: protects against unidentified, malicious Java applets
• Denial of Service detection/prevention: defends and protects router
resources against common attacks; checks packet headers and drops
suspicious packets
• Audit trail: details transactions; records time stamp, source host,
destination host, ports, duration and total number of bytes transmitted
• Real-time alerts: logs alerts in case of denial-of-service attacks or
other pre-configured conditions
• ConfigMaker support: a Win95/WinNT wizard-based network
configuration tool that offers step-by-step guidance through network
design, addressing and Firewall feature set implementation
Previously released Cisco IOS firewall features are:
• Basic and Advanced Traffic Filtering
  o Standard and Extended Access Control Lists (ACLs): apply controls
over access to specific network segments, and define which traffic
passes through a network segment
  o Lock and Key (Dynamic ACLs): grant temporary access through
firewalls upon user identification (username/password)
• Policy-based Multi-interface Support: provides ability to control
user access by IP address and interface as determined by the
• Network Address Translation (NAT): enhances network privacy by
hiding internal addresses from public view; also reduces cost of
Internet access by enabling conservation of registered IP addresses
• Peer Router Authentication: ensures that routers receive reliable
routing information from trusted sources
• Event Logging: allows administrators to track potential security
breaches or other nonstandard activities on a real-time basis by
logging output from system error messages to a console terminal or
syslog server, setting severity levels, and recording other parameters
• Virtual Private Networks (VPNs): provide secure data transfer over
public lines (such as the Internet); reduce implementation and
management costs for remote branch offices and extranets; enhance
quality of service and reliability; standards-based for
interoperability, using any of the following protocols:
  o Generic Routing Encapsulation (GRE) Tunneling
  o Layer 2 Forwarding (L2F)
  o Layer 2 Tunneling Protocol (L2TP): when it becomes available
  o Quality of Service (QoS) controls: prioritize applications and
allocate network resources to ensure delivery of mission-critical
• Cisco encryption technology: a network-layer encryption capability
that prevents eavesdropping or tampering with data across the network
during transmission
1. Corporate Internet Perimeter
Corporations deploy Cisco IOS Firewall-enabled routers at the
perimeter of their networks. The firewall is configured to protect
against unauthorized access from the untrusted Internet to the
corporation's private network, and to prevent unauthorized access from
the internal private network to untrusted sites. As part of their
business, many corporations need to administer their own Web, file
transfer, mail, and DNS services, and to make those services available
over the Internet. Because of the dangers of running servers inside
private networks, a Demilitarized Zone (DMZ) network is deployed as
part of the corporate network infrastructure to provide a safe,
relatively neutral "drop area" for communication between inside and
outside systems. A firewall policy is created to deny connections from
the untrusted Internet to the private network. Internet users can
connect to servers on the DMZ network to access public corporate
information and all other services that the corporation wishes to offer
to outside users. Outgoing connections from the DMZ network into the
private network and the Internet are also prohibited by the firewall
policy. This restriction prevents attackers from penetrating the DMZ
server and using it as a tool to cause damage to internal services and
to attack other public sites.
Authentication, Authorization, and Accounting
With the Cisco IOS Firewall authentication proxy feature,
connections can be made based on the security policies configured for
each user. A per-user policy is downloaded dynamically to the router
from an authentication, authorization, and accounting (AAA) server when
the user attempts to make a connection to the Internet, DMZ network, or
the internal network. Access will be granted only when the user has the
appropriate access privilege based on his or her individual security
profile. Besides using the authentication proxy, the administrator of
the corporate network can use the accounting capability of the AAA
server for security, billing, resource allocation, and management of
any users who use the authentication proxy service. See Figure 1 for an
illustration of a corporate Internet perimeter deployment scenario.
Figure 1 Corporate Internet Perimeter Deployment Scenario
Destination URL Policy Management
Corporations can also manage resources and avoid productivity
drains with Destination URL Policy Management, a key feature of the
Cisco IOS Firewall. With Destination URL Policy Management, system
administrators of the corporate network decide the allowable URL
categories, users that have access to content, as well as when that
content can be accessed. The Cisco IOS Firewall-enabled router
maintains a local list of URL policies to be managed, granting or
denying permission to URL connection requests. For additional policies
not available on the router, it forwards HTTP requests for a URL
destination to the external policy management server in order to get
permission. Currently, Cisco supports two URL Policy Management server
implementations, WebSense Inc. and N2H2 Inc.
Event Monitoring and Logging
When suspicious activity is detected on the corporate network,
real-time alerts send syslog error messages to the central management
console, allowing administrators to track and respond to potential
security breaches or other undesirable events in real time.
2. Corporate Intranet
A corporation typically has many departments that are each
responsible for different pieces of mission-critical information.
Employees working for various organizations within a corporation do not
have equal access privileges to all corporate information and services.
The corporate intranet deployment scenario offers protection of
mission-critical servers such as human resource (HR), enterprise
resource planning (ERP), customer relationship management (CRM), and
accounting systems against security breaches from within the
organization. It also effectively manages internal resources to help
The firewall policy for the corporate intranet is designed to
restrict traffic and access to information between various departments
within the corporation. Employees are subject to authentication and
authorization before they are granted access to servers and services on
the corporate network. Destination URL Policy Management also controls
access to internal Web site and Web applications. In addition,
suspicious activities are monitored by administrators with real-time
alerts and log messages. See Figure 2 for an illustration.
Figure 2 Corporate Intranet Scenario
3. Regional/Branch Office Perimeter
Regional or branch offices can also deploy a Cisco IOS
Firewall-enabled router at the perimeter of their network. Data and
voice traffic between the regional or branch office and the corporate
headquarters is transported via the virtual private network (VPN)
connection. A separate, direct connection to the Internet from the
regional or branch location is also available for access to public
servers and information available on the Web. With this firewall
deployment scenario, the firewall policy created for the corporate
Internet perimeter deployment scenario works in conjunction with the
firewall policy at the regional or branch office perimeter. No
connections are permitted from the untrusted Internet to the regional
or branch office network; instead, Internet users connect to servers on
the corporate DMZ network to access public corporate information. The
DMZ network provides all the services that the corporation wishes to
offer to outside users.
To better manage individual access from the regional office
location to the Internet and internal resources, AAA and URL Policy
Management servers are deployed at the regional location. Access to
services and resources will be granted to employees only when they have
the appropriate access privilege based on their individual security
profiles. A syslog server is also made available for the regional
office administrator to track and respond to potential attacks and
nonstandard activities. For smaller branch office locations without
system administration resources, centralized firewall policy management
can be provided remotely by the resources on the main corporate
Figure 3 Regional/Branch Office Perimeter
4. Telecommuter/Home Office
Corporate telecommuters and home office workers similarly
maintain a LAN network in the home with several computers connected to
it (Figure 4). Both worker types subscribe to an ISP service that
provides connectivity to the Internet. The home office worker,
typically an independent contractor or an individual who runs a
business out of a home, is always connected to an ISP. The home office
worker relies on the ISP for services such as Web hosting, domain
service, e-mail, and DNS. In a slightly different scenario, the
telecommuter network is an extension of the corporate network. A
telecommuter's access to work resources and shared information is
subject to the corporate firewall security profile created for the
individual. Similar to the branch office deployment scenario, a
telecommuter is connected to the corporate network via a VPN tunnel for
data and voice communication. The telecommuter can also directly access
the Internet via an ISP. Business resources for the telecommuter such
as e-mail, confidential information, server access, and more, reside on
the corporate network.
Because business resources reside on a network external to
home, the telecommuter and home office worker need not accept any
incoming connections from the Internet to the home office LAN. The
Cisco IOS Firewall enabled router at the perimeter of a
telecommuter/home office permits only outgoing connections. The
computers on the home LAN can connect to the Internet via the ISP
network, but the firewall policy does not allow outside initiated
sessions to the private LAN. The work-at-home individual can view Web
pages, send e-mail, pick up incoming e-mail from a corporate network or
ISP, retrieve software via FTP, connect remotely using Telnet, and join
in multimedia conferences, all without exposing any services on his or
her own LAN network.
Authentication proxy service and URL Policy management with the
Cisco IOS Firewall are not necessary for a telecommuter or home office.
Once again, the telecommuter, when on the corporate network, is subject
to the firewall policy created for the individual. A syslog server can
be deployed if the work-at-home individual is willing to act as the
system administrator and be notified immediately when there is a
potential intrusion of the private network.
Figure 4 Telecommuter/Home Office Scenario
5. Corporate Extranet
As corporations establish tighter relationships with their
business partners, the need to share resources among companies
increases. Sometimes, access to the partner's internal networks is
necessary to improve productivity and efficiency. A Cisco IOS Firewall
deployed at the perimeter of the corporate network and partner network
can help to restrict confidential information access to the few
With authentication proxy, a user entering the corporate
network and the partner network from the expected source network is
authenticated before access is granted. A security policy for the
individual is dynamically downloaded from the AAA server, allowing the
user only the services permitted by the security profile. Syslog
servers are maintained at both ends of the network to track alarming
activities. (See Figure 5.)
Figure 5 Corporate extranet
CISCO FIREWALL FAMILY
The Cisco PIX Firewall and Cisco IOS Firewall
The Cisco PIX Firewall is the world's leading dedicated firewall
appliance. It has received the highest level of security certification
granted to any firewall product. The Cisco PIX Firewall is a turnkey
appliance with unmatched performance and unparalleled features.
Integration of third-party content solutions, such as NetPartner's
WebSENSE URL management software, further enhances the
industry-leading capabilities of the Cisco PIX Firewall. For IP-based
network security, the Cisco PIX Firewall is the clear choice for those
requiring dedicated firewall appliances. When combined with IP Security
(IPsec), Cisco PIX Firewall provides an integrated virtual private
network (VPN) solution.
The Cisco IOS Firewall integrates robust firewall and intrusion
detection technology into the Cisco IOS Software. The Cisco IOS
Firewall enhances existing Cisco IOS Software by including stateful,
application-based filtering, dynamic per-user authentication and
authorization, and real-time alerts. When combined with Cisco IOS
IPsec software, the Cisco IOS Firewall provides an integrated VPN
solution.
Available with a wide range of Cisco routers, the Cisco IOS
Firewall is the best choice for integrating multiprotocol routing with
security policy enforcement.
The figure below shows an application that employs both types
Leading-Edge Capabilities of Cisco PIX Firewalls and Cisco IOS
Both the Cisco PIX Firewall Series and the Cisco IOS Firewall
incorporate leading-edge firewall technology. Table 1 outlines advanced
features common to both firewalls.
Although both firewalls provide excellent security solutions,
each excels in different environments and at sites with distinct
requirements. Table 2 describes when to choose the Cisco PIX Firewall
and Table 3 describes when to choose the Cisco IOS Firewall. In many
instances, the best security solution is a combination of both.
Summary
The Cisco IOS Firewall offers integrated network security through
Cisco IOS software. A robust security policy entails more than
perimeter control or firewall setup and management: security policy
enforcement must be an inherent component of the network. Cisco IOS
Software, with many advanced security features such as a firewall,
firewall-IDS, IPSec/VPN, and quality of service (QoS), is an ideal
vehicle for implementing a global security policy. Building an
end-to-end Cisco solution allows managers to enforce security policies
throughout the network as it grows.
References
a. Internet Firewalls and Network Security
by Karanjit Siyan, Chris Hare
b. Building Internet Firewalls
by D. Brent Chapman and Elizabeth D
I express my sincere gratitude to Prof. M.N. Agnisarman Namboothiri
(Head of Department, Information Technology) and Mr. Zaheer P.C.,
Ms. Deepa (Staff in charge) for their kind cooperation for the seminar
presentation.
I am also grateful to all other faculty members of the Information
Technology Department and my colleagues for their guidance and
encouragement.
II. FireWall Basics
• Definition of FireWall
• Design and Implementation issues
• Realization of FireWall
III. Cisco IOS FireWall
• Router based FireWall Functionality
• Key Benefits
IV. Feature set
• New FireWall Features
• Previously released features
V. Application Overviews
• Corporate Internet Perimeter
• Corporate Intranet
• Regional/Branch office Perimeter
• Telecommuter/Home Office
• Corporate Extranet
VI. Cisco FireWall Family
• Cisco PIX FireWall
• Comparisons between PIX and IOS
VII. Summary
VIII. References