A. A firewall is usually a networking device that protects networks by blocking unwanted traffic and by monitoring and controlling the traffic that is wanted. It functions as a filter as traffic moves from one network to another: it blocks or allows specific protocols and data types, and it inspects the permitted traffic for compliance with the networking protocol and with the business's information systems usage policy. This helps ensure that network traffic does only what it is intended to do.
Firewall policies are usually statically defined by network administrative staff to minimize impact on an organization's business objectives, and they must be adjusted periodically so the firewall continues to afford the appropriate level of protection. Policies can be based on user ID and password authentication, source address, destination address, protocol type, specific application activity, traffic connection rates, and other criteria.
Q. How does the router- and switch-based Cisco IOS® Firewall differ from the appliance-based Cisco® PIX® and Cisco ASA security appliances?
A. The Cisco IOS Firewall differs very little from Cisco PIX and ASA security appliances in terms of functional capability. The two product lines are somewhat similar in their configuration interfaces, both on the command-line interface (CLI) and graphical user interface (GUI). The major differentiators between Cisco IOS Firewall and Cisco PIX/ASA security appliances are additional non-firewall features versus performance, given a comparison between similarly priced platforms. The Cisco PIX and ASA products offer substantially higher performance for a given cost, reflecting the common appliance advantage, while Cisco IOS Firewall offers a broader feature set, reflecting the common routing-platform advantage.
Q. Why should I select a Cisco IOS Firewall over a Cisco PIX or ASA firewall, or vice versa?
A. Which would you prefer to have more of for a given cost: features or performance? In addition to the firewall itself, Cisco IOS Firewall offers the routing-platform advantages of broad quality of service (QoS), dynamic routing, virtual private networks (VPNs), and WAN flexibility. The appliance-based Cisco PIX and ASA firewalls offer higher levels of performance for a given price, but usually offer a less expansive breadth of features.
Q. What are the key benefits of Cisco IOS Firewall?
A. Cisco IOS Firewall complements the rest of the Cisco IOS Software feature set, providing outstanding value and benefits:
• Flexibility-Cisco IOS Firewall interoperates with other router-based capabilities, such as multiprotocol routing, perimeter security, intrusion detection, VPN, and per-user authentication and authorization.
• Investment protection-Integrating firewall capabilities into a multiprotocol router uses an existing router investment, without the cost and learning curve associated with a new platform.
• VPN support-Deploying Cisco IOS Firewall with Cisco IOS encryption and QoS VPN features enables secure, low-cost transmissions over public networks. It helps ensure that mission-critical application traffic receives high-priority delivery.
• Scalable deployment-Cisco IOS Firewall is available for all Cisco IOS Software router platforms. It scales to meet the bandwidth and performance requirements of most networks.
• Easier management-Cisco Router and Security Device Manager (SDM), the router-based GUI, offers an intuitive, simple-to-use configuration interface to manage individual routers. The CiscoWorks VPN/Security Management Solution (VMS) offers network-based management. Third-party partners such as Solsoft provide vendor-neutral or application-specific management systems.
• Easier provisioning-Combining the Cisco IE2100 and the Cisco IOS XML application enables a network administrator to drop ship any Cisco router with little pre-configuration to a given destination. The router pulls the most current Cisco IOS Software release router configuration and its security policy configuration for the firewall when it is connected to the Internet or a private network.
Q. What are the key benefits of a Cisco IOS Software-based integrated firewall?
A. Cisco IOS Firewall is available on a wide range of Cisco IOS Software releases. It offers sophisticated security and policy enforcement for connections within an organization (intranet) and between partner networks (extranets), as well as for securing Internet connectivity for remote/branch offices and smaller central-site offices.
Cisco IOS Firewall offers the best choice for integrating multiprotocol routing with security policy enforcement. It scales to allow customers to choose a router platform based on bandwidth, LAN/WAN density, and multiservice requirements. Higher-end router-based Cisco IOS firewalls can divide a router into virtual routing and forwarding (VRF) instances, so an organization can provide routing, Network Address Translation (NAT), VPN, firewall, and other networking services to multiple overlapping IP address spaces in one device.
Refer to these guidelines while choosing the right Cisco router for varied security environments:
• Small/home offices: Cisco 800, UBR900, and 1800 series routers
• Branch and extranet environments: Cisco 2800 and 3800 series routers
• VPN and WAN aggregation points or other high-throughput environments: Cisco 7200, 7400, and 7500 series routers; Cisco Catalyst® 6000 Series switches
CISCO IOS SOFTWARE FIREWALL FEATURES
Q. What are the primary features of Cisco IOS Firewall?
A. Cisco IOS Firewall provides advanced filtering capabilities to control network traffic. In addition to new features that will be described later, the supported features include:
• Stateful firewall packet inspection
• Application inspection and policy control
• Authentication Proxy
• Web URL filtering
• Java blocking
• Configurable, real-time alerts and audit trails
• Greater flexibility to balance network security against application accessibility
• Protocol conformance checks to help ensure legitimate use of frequently exploited service ports
Table 1 lists the newest features available in Cisco IOS Firewall (after Q1CY2003). Each of the feature descriptions includes a hyperlink to the feature documentation.
Table 1. Cisco IOS Software Firewall Features Added Since 12.3T
Feature | Release | Description
 | | Provides inspection for specific protocols and services. This removes the requirement for an ACL to restrict application usage to only permitted services.
 | | Integrated policies to block or rate-limit peer-to-peer application traffic, using dynamically updatable application definitions for newer P2P applications. KaZaA, Gnutella, BitTorrent, and eDonkey are currently supported.
Ingress Rate Policing | 12.4(9)T | The firewall rate-limits traffic in addition to permitting or denying it, giving control over the network bandwidth consumed by applications.
Zone-Based Policy Firewall | 12.4(6)T | Clarifies firewall policy configuration by distilling ACLs and inspection policies for multiple interfaces into zone-to-zone policies. Changes the default policy to "deny", reduces reliance on ACLs to define access, and increases policy granularity.
Unified Firewall MIB | 12.4(6)T | Offers standards-based SNMP monitoring and statistics collection for all Cisco firewall platforms: IOS Firewall, PIX, ASA, and Firewall Service Module.
Stateful Failover | 12.4(6)T | Introduces active/standby failover for most TCP traffic. Supported on the 3700, 3800, and 7200.
PLATFORM AND HARDWARE SUPPORT
Q. Which platforms support the Cisco IOS Firewall?
A. Cisco IOS Firewall is supported on the Cisco 800, 900, 1700, 1800, 2600, 2800, 3600, 3700, 3800, and 7200 series. This breadth of support enables Cisco IOS Firewall to deliver important benefits, including multiservice integration (data, voice, video, and dial) and advanced security for dialup connections.
Q. Do all of the router platforms support the same Cisco IOS Firewall functions?
A. No. Some capabilities are only available in specific product families.
Cisco 800, 900, 1700, 1800, 2600, 3600, 3700, 3800, and 7200 series routers support the Cisco IOS Firewall features that have been available since 1998:
• Stateful packet inspection
• Java blocking
• Denial of service (DoS) detection and prevention
• Real-time alerts
• Audit trail
• Authentication Proxy (for dynamic, user-based authentication and authorization)
• Intrusion detection (described in other documents)
• Dynamic port mapping
• Simple Mail Transfer Protocol (SMTP) attack detection and prevention
• Configurable alerts and audit trail
• IP fragmentation attack prevention
• Microsoft-NetShow application support
Newer features may not be supported on legacy router platforms (some 800-series routers, 900, 1700, 2600, 3600) where development for the platform has closed. The new features are available only on ISRs (85x/87x, 1800, 2800, 3800), the 3700, and the 7200. These features include:
• Transparent firewall
• Application inspection services
• Per-VRF firewall for multi-VRF customer edge and Multiprotocol Label Switching (MPLS) provider edge routers (not available on 85x/87x).
• Zone-Based Policy Firewall
• Unified Firewall MIB
• ACL Bypass and Performance Enhancements
Q. How is the appropriate router platform selected?
A. There are many considerations involved with selecting a router platform, including performance and processing power. The platforms supporting the Cisco IOS Firewall vary greatly. Performance and processing power will vary depending on which Cisco IOS Software features are enabled on each platform.
Q. Are all of the Cisco IOS Firewall functions available in all Cisco IOS Software Release trains?
A. No. Most Cisco IOS Firewall capabilities are available only in the Mainline and Technology (T) trains; the S train does not include many important performance and capability enhancements. The Cisco Catalyst 6000 and 7600 switches do not offer most of the Firewall Feature Set; substantially better firewall capability and performance are obtained with the Firewall Service Module.
Q. Can I use Cisco IOS Firewall on the Supervisor blade on my Catalyst 6000 or 7600 switch, instead of purchasing a Firewall Service Module?
A. Cisco recommends that you use Cisco IOS Firewall capability only to inspect traffic to and from the Supervisor blade itself. The Cisco IOS Firewall features in the Supervisor engine's image do not offer sufficient performance or capability to control production traffic traveling through the switch.
For additional information, visit the Performance Characteristics per Platform at: http://www.cisco.com
THE CISCO IOS FIREWALL ENGINE
Basic Information
Q. What is the Cisco IOS Firewall engine and what does it do?
A. Cisco IOS Firewall is a per-application control mechanism for IP traffic, including standard TCP and UDP Internet applications, multimedia applications, and Oracle database protocols. It tracks the state and context of network connections to secure traffic flow. Users may define one or more ACLs to define security policy.
Working in tandem with packet-filtering capabilities of Cisco IOS Software, Cisco IOS Firewall inspects allowed traffic and enables returning traffic or data channels to flow through by generating temporary ACL entries. Without this feature, packet contents would not be inspected and users would have to define ACLs that potentially open the router to a wide range of addresses or ports, or deny service altogether.
Q. Why is an integrated firewall necessary?
A. Cisco IOS Firewall is the next level of security support for networks that require per-application monitoring. It permits return traffic within each session; as a result, firewall integrity is maintained while users have greater access to advanced application traffic. This includes standard TCP and UDP Internet applications such as e-mail, FTP, and Telnet; multimedia applications, including H.323 applications, CU-SeeMe, VDOLive, and StreamWorks; and Oracle databases.
Q. How much memory does Cisco IOS Firewall use?
A. Memory and performance impact are estimated at less than 600 bytes per connection. For each connection, Cisco IOS Firewall tracks and allocates memory for the state table and dynamic ACLs. When only one ACL group is configured in a given direction, the memory consumption of the engine is less than 600 bytes per connection (across all platforms).
Note: An application session could consist of multiple TCP/UDP connections; for instance, a NetMeeting session consists of up to seven TCP/UDP connections.
Q. Does Cisco IOS Firewall work with fast switching?
A. Yes. Cisco IOS Firewall works in all switching paths that the platform supports: Cisco Express Forwarding (CEF), flow, fast, and process switching.
Q. If Cisco Express Forwarding is disabled on a device, and inspection rules are subsequently assigned to the outbound traffic, will the inspection rules function? Is it similar to ACL filtering, which disables the filtering on outbound traffic when Cisco Express Forwarding is enabled?
A. Cisco IOS Firewall functions similarly in the fast and Cisco Express Forwarding paths. Under certain circumstances it handles a packet in the lower-performance fast or process path as necessary; typically this happens when packets arrive in particle buffers (on particle-based platforms), or when a more advanced inspection is required that is not yet supported in the CEF path. The switching path does not affect Cisco IOS Firewall capabilities; it functions the same way in all of them.
One change in Cisco IOS Firewall is that HTTP inspection (for Java applets) is now particle-aware, so HTTP connections are inspected in the Cisco Express Forwarding path itself even when packets arrive in particle buffers. This change is not included in Cisco IOS Software Release 12.2(12)T.
Q. Does Cisco IOS Firewall work with Channelized T1 by applying distinct policies to different channel groups?
A. Yes. The same is true when distinct policies are applied to different Frame Relay sub-interfaces.
Q. Is Cisco IOS Firewall interoperable with NAT and other key Cisco IOS Software features?
A. Yes. Cisco IOS Firewall is interoperable with both static IP NAT and NAT Overloading.
Q. Does Cisco IOS Firewall support Oracle's application proxy, SQLNet?
A. Yes. SQLNet is a multichannel protocol between the client and the server, and the inspection follows its redirect behavior:
1. The client connects to the TNS Listener on TCP port 1521.
2. The firewall watches for the REDIRECT message from the listener and extracts from it the host IP address of the server, the protocol (TCP or UDP), and the port the server will use.
3. The firewall then opens a pinhole from the client (and its port range) to the extracted host IP address, port, and protocol.
This requires a more detailed understanding of application activity than generic TCP inspection: the secondary channel is opened to the host IP address carried in the REDIRECT rather than to the original destination IP address, because the destination (the TNS Listener) and the Oracle server can be on different machines.
Q. Does Cisco IOS Firewall support VLANs?
A. Yes. This is a critical component of the Transparent Firewall, which was introduced in Cisco IOS Software Release 12.3(7)T. Transparent Firewall extends the Cisco IOS Firewall to apply inspection capabilities on bridged traffic, which is switched at Layer 2 from one network segment to another. Prior to Transparent Firewall, a router needed to route (switch at Layer 3) traffic to apply Cisco IOS Firewall Inspection.
Q. Is there a maximum number of interfaces Cisco IOS Firewall can support simultaneously?
A. There is no limit on how many interfaces Cisco IOS Firewall can support.
Q. Does Cisco IOS Firewall work on any type of router interface?
A. Cisco IOS Firewall can be applied on any type of router interface, including LAN and WAN interfaces and subinterfaces, and GRE and IPSec Virtual Tunnel Interfaces.
CISCO IOS ZONE-BASED POLICY FIREWALL
Q. How does Cisco IOS Zone-Based Policy Firewall benefit businesses?
A. Simplified firewall policy configuration means network administrators can more easily understand and configure the effect of firewall policies on network traffic, which simplifies firewall troubleshooting and makes firewall policies more accurate. Modular, granular firewall policies improve security by tightly controlling network service access and enforcement.
Q. Does Cisco IOS Zone-Based Policy firewall change the way I configure my Cisco IOS Firewall?
A. Yes. Zone-Based Firewall introduces substantial changes to Command-Line Interface firewall configuration. Graphical User Interface-based configuration tools such as Cisco Security Device Manager (SDM) and network-based configuration tools such as Cisco Security Manager (CSM) will support the new configuration model later in 2006.
Q. What functional changes does Cisco IOS Zone-Based Policy Firewall offer as compared to the legacy IOS Firewall?
A. The new Cisco IOS Zone-Based Policy Firewall offers a number of benefits:
• The firewall offers a more "appliance-like" behavior, with a default deny-all policy. Network services are allowed through the firewall with modular policy definitions.
• Firewall policy definition and audit are much simpler
• Firewall policies can be configured to offer more granular control of network service access. Network service lists can be associated with a list of hosts and subnets to offer firewall policy configuration similar to PIX object groups.
Zone-Based Firewall is not dependent on Access-Control Lists to define access policies.
Q. How does Cisco IOS Zone-Based Policy Firewall simplify firewall policy configuration and audit?
A. Firewall policies are much clearer, as traffic encounters only one policy as it traverses from one zone to another. In the past, several inspection policies and access-control lists had to be correlated together to determine the policy that affected traffic flowing from one router interface to another.
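The following added example (not configuration from the original page) shows the zone-to-zone model described above: two zones, one policy for the INSIDE-to-OUTSIDE direction, a service list tied to a subnet list for granularity, and no policy at all in the other direction, so outside-initiated traffic is denied by default. Interface names, addresses and all class, policy, ACL and zone names are constructed for illustration.

```cisco
! Added example, not from the original page. Interface names, addresses and
! object names are constructed for illustration.

! 1. Zones, and the interfaces that belong to them
zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0
 description inside LAN
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
interface FastEthernet0/1
 description outside / ISP
 ip address 192.0.2.2 255.255.255.0
 zone-member security OUTSIDE

! 2. Granular policy: a service list associated with a host/subnet list
ip access-list extended ACL-USER-SUBNETS
 permit ip 10.1.1.0 0.0.0.255 any
class-map type inspect match-any CM-USER-SERVICES
 match protocol http
 match protocol https
 match protocol dns
 match protocol ftp
 match protocol icmp
! match-all: the source must be in the user subnet AND the protocol must be listed
class-map type inspect match-all CM-USERS-TO-OUTSIDE
 match access-group name ACL-USER-SUBNETS
 match class-map CM-USER-SERVICES

! 3. One policy per direction. "inspect" creates the session entry that lets
!    return traffic back in; "class-default drop" is the default action anyway,
!    but writing it out (with log) makes the deny-all behaviour visible.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-USERS-TO-OUTSIDE
  inspect
 class class-default
  drop log

! 4. Bind the policy to the zone pair. There is deliberately no zone pair from
!    OUTSIDE to INSIDE: outside-initiated traffic is dropped, and only return
!    traffic belonging to an inspected session is allowed back.
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
```

Traffic to and from the router itself belongs to the implicit "self" zone, which is permitted by default; to restrict management or control-plane access, add a zone pair with self as source or destination and give it its own policy, remembering to pass the routing-protocol, VPN and management traffic the router needs. Verify the result with show zone-pair security and show policy-map type inspect zone-pair sessions.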
Q. What platforms will support Cisco IOS Zone-Based Policy Firewall?
A. All Cisco IOS router product lines supporting 12.4T releases will introduce support for Zone-Based Policy Firewall:
• 851
• 871
• 1800
• 2800
• 3700
• 3800
• 7200
CISCO IOS FIREWALL HTTP INSPECTION
Q. What is HTTP inspection in Cisco IOS firewall?
A. Cisco IOS Software 12.4(9)T supports flexible application-layer inspection to examine network traffic to detect and take action against malicious or unwanted HTTP traffic. This release offers the following enhancements in this area:
1. User-definable and extensible policies-Policies may be defined on HTTP protocol objects such as methods, URLs, and header names and values, and on limits such as maximum URL length, maximum header length, maximum number of headers, maximum header-line length, non-ASCII headers, or duplicate header fields. This helps limit buffer overflows, HTTP request smuggling, HTTP header vulnerabilities, binary or non-ASCII character injection, and exploits such as SQL injection, cross-site scripting, and worm attacks.
2. Flexible CPL-based configuration-Configuration and application use the Class-based Policy Language (CPL), which allows user-defined patterns in policy definitions. This enables a flexible, powerful, and granular approach to preventing HTTP attacks and the exploitation of HTTP vulnerabilities.
This support comes in addition to the existing HTTP Application Inspection that allows for extensive RFC (2616 and 2068) conformance checking to prevent malicious HTTP traffic.
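The following added example (not configuration from the original page) shows the CPL-based HTTP inspection just described. It assumes the zones INSIDE and OUTSIDE already exist; the class, policy and parameter-map names and the regex patterns are constructed. Sessions are reset and logged when a request violates RFC conformance, tunnels another application over the HTTP port, uses the CONNECT method, carries an oversized URI or too many or too-long headers, or matches a request-URI pattern typical of directory-traversal, SQL-injection or script-injection probes.

```cisco
! Added example, not from the original page. Names and patterns are
! constructed; the zones INSIDE and OUTSIDE are assumed to exist already.

! Request-URI patterns to refuse (regex parameter-map)
parameter-map type regex PMAP-URI-BLOCK
 pattern \.\./
 pattern [Uu][Nn][Ii][Oo][Nn].*[Ss][Ee][Ll][Ee][Cc][Tt]
 pattern <[Ss][Cc][Rr][Ii][Pp][Tt]

! Layer 7 class: any one of these conditions marks the request as unwanted
class-map type inspect http match-any CM-HTTP-BAD
 match req-resp protocol-violation
 match request port-misuse any
 match request method connect
 match request uri length gt 1024
 match request header count gt 32
 match request header length gt 4096
 match request uri regex PMAP-URI-BLOCK

! Layer 7 policy: reset and log the class above, allow everything else
policy-map type inspect http PM-HTTP-INSPECT
 class type inspect http CM-HTTP-BAD
  reset
  log
 class class-default
  allow

! Layer 4 class and policy: stateful HTTP inspection, with the stream handed
! to the Layer 7 policy for the checks above
class-map type inspect match-all CM-HTTP
 match protocol http
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-HTTP
  inspect
  service-policy http PM-HTTP-INSPECT
 class class-default
  drop log
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
```

The Layer 7 checks only run on traffic the firewall classifies as HTTP, which is TCP port 80 by default; if web traffic also uses other ports, map them first (for example ip port-map http port tcp 8080). The limits above are starting points: measure the largest legitimate URI and header sizes your applications generate before lowering them, because the action here is a reset, not a log-only alert.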
CISCO IOS FIREWALL IP TELEPHONY INSPECTION
Q. Does Cisco IOS Firewall inspect traffic for IP telephony call negotiation?
A. Yes. Cisco IOS Firewall inspects IP telephony connections that are negotiated with Session Initiation Protocol (SIP) and Skinny signaling protocols.
Q. What is SIP?
A. SIP is an application-level voice over IP (VoIP) protocol that can establish, modify, and terminate multimedia calls. It is described in RFC 2543 (since superseded by RFC 3261).
Q. What is inspection of SIP traffic?
A. SIP signaling uses port 5060 (user-configurable) to set up the media channels for a call. The signaling channel's destination port defaults to 5060 with a random source port, and the media streams are allocated dynamically according to the negotiation on the signaling channel. SIP signaling sessions can be carried over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) (unicast or multicast). Currently, Cisco and Broadsoft proxy servers do not support the TCP mode, so the Cisco implementation supports only UDP. Every SIP transaction sent over UDP is carried in a new UDP packet with a random source port, which makes this traffic difficult to pass through a firewall statically: the number of responses to a given SIP request is not predetermined.
There are currently two underlying media protocols: Real-Time Transport Protocol (RTP) or a combination of RTP and Real-Time Transport Control Protocol (RTCP) streams.
• RTP: A set of conventions that provide end-to-end network transport functions for transmitting real-time data over UDP, such as audio, video, or simulation data over multicast and unicast networks.
• RTCP: The control protocol designed to work in conjunction with RTP. It is standardized in RFCs 1889 and 1890 (since superseded by RFCs 3550 and 3551). In an RTP session, participants periodically send RTCP packets to convey feedback on the quality of data delivery and membership information.
SIP signaling requests can traverse directly between gateways or through a series of proxies to the destination gateway or phone. The responses to the signaling requests can take the same path as the request or be sent directly to the destination gateways. These require the firewall to intelligently understand SIP messages and subsequently open the appropriate pinholes.
Skinny (SCCP)
Q. What is Skinny?
A. Skinny Client Control Protocol (SCCP) is a Cisco-proprietary voice signaling protocol that offers call control for voice terminals supporting the H.323 media protocols. It is used by Cisco IP phones for VoIP call signaling; SCCP support in Cisco IOS Firewall dynamically opens "pinholes" for media sessions and handles NAT-embedded IP addresses. SCCP supports IP telephony and can coexist in an H.323 environment.
H.323
Q. What is H.323?
A. H.323 is the International Telecommunication Union (ITU) standard describing a transport protocol for streaming audio, video, and data communication. The protocol defines data formatting and session negotiation between sources and destinations for the data streams, as well as the communication behavior of intermediary devices that assist with the data communication. The current version of H.323 is version 4.
IM APPLICATION INSPECTION
Q. Which Instant Messaging Applications does Cisco IOS Firewall Application Inspection support?
A. Cisco IOS Firewall Application Inspection supports MSN Messenger, AOL Instant Messenger, and Yahoo! Messenger.
Q. Instant Messaging Traffic is notoriously difficult to detect and block. How does Cisco IOS Firewall Application Inspection identify and control IM traffic?
A. Cisco IOS Firewall Application Inspection uses a patented technology to resolve a user-defined list of Instant Messaging Server hostnames to their respective addresses, and subsequently controls the traffic to and from those server names.
Q. Are Cisco IOS Firewall Application Inspection's only options for IM traffic control to block or allow traffic?
A. No, Cisco IOS Firewall Application Inspection offers capability to limit IM traffic to text-chat only, blocking other service-specific capabilities such as file transfer, and voice and video chat.
P2P APPLICATION INSPECTION
Q. Which Peer-to-Peer protocols does Cisco IOS Firewall Application Inspection support?
A. Cisco IOS Firewall Application Inspection supports Gnutella, eDonkey, BitTorrent, and KaZaA.
Q. How does Cisco IOS Firewall Application Inspection identify and control peer-to-peer traffic?
A. Cisco IOS firewall leverages the capabilities of Cisco Network-Based Application Recognition (NBAR) to identify traffic, based on application behavior and traffic characteristics.
Q. Are Cisco IOS Firewall Application Inspection's only options for P2P traffic control to block or allow traffic?
A. No, Cisco IOS Firewall Application Inspection offers capabilities to limit P2P traffic to certain service-specific capabilities. Please consult product documentation to understand the per-service capability limitations.
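The following added example (not configuration from the original page) covers both the IM and the P2P questions above: MSN Messenger is identified by resolving a server-name list and limited to text chat, while the four P2P protocols are identified by NBAR and dropped. It assumes the zones INSIDE and OUTSIDE already exist and that the router can reach a DNS server; the object names, the DNS server address and the IM server hostnames are assumptions for illustration (use the names your IM provider documents).

```cisco
! Added example, not from the original page. Names are constructed; the zones
! INSIDE and OUTSIDE are assumed to exist. The IM server hostnames are
! assumptions: use the names your IM provider documents.

! The router resolves the IM server names itself, so DNS must work
ip domain lookup
ip name-server 10.1.1.53

! IM server list; the firewall resolves it to addresses and tracks those
parameter-map type protocol-info PMAP-MSN-SERVERS
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com

! Layer 7 IM policy: text chat is allowed, every other MSN service (file
! transfer, voice, video) is reset and logged
class-map type inspect msnmsgr match-any CM-MSN-TEXT
 match service text-chat
class-map type inspect msnmsgr match-any CM-MSN-OTHER
 match service any
policy-map type inspect im PM-IM-TEXT-ONLY
 class type inspect msnmsgr CM-MSN-TEXT
  allow
  log
 class type inspect msnmsgr CM-MSN-OTHER
  reset
  log

! Layer 4 classes. P2P is identified by NBAR; "signature" also matches the
! protocols' heuristic signatures when clients move to non-default ports.
class-map type inspect match-any CM-IM
 match protocol msnmsgr PMAP-MSN-SERVERS
class-map type inspect match-any CM-P2P
 match protocol bittorrent signature
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature

! Class order matters: P2P is dropped before any inspect class could allow it.
! Classes for the other permitted traffic (web, DNS, ...) would go before
! class-default in a real policy.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-P2P
  drop log
 class type inspect CM-IM
  inspect
  service-policy im PM-IM-TEXT-ONLY
 class class-default
  drop log
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
```

Because the IM classification depends on resolving the server names, a DNS failure on the router turns into an IM policy failure; check the resolved list with show parameter-map type protocol-info and confirm drops with show policy-map type inspect zone-pair.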
ICMP INSPECTION
Q. What is Internet Control Message Protocol (ICMP)?
A. ICMP is a standard protocol used to report errors and information about a network. It can report errors on any IP datagram, other than on the ICMP message itself, to avoid infinite repetitions.
ICMP can also actively debug a network environment. For example, the "ping" application is used to discover network connectivity to/from a particular host. "ping" uses an ICMP echo/echo reply message to establish connectivity.
Q. Why inspect ICMP traffic?
A. Without ICMP inspection, Cisco IOS Firewall could not provide adequate protection against network reconnaissance and ICMP-based attacks while still permitting legitimate ICMP traffic. The value of ICMP to the network drove the need to allow responses to ICMP packets (such as ping and traceroute) that originated inside the Cisco IOS Firewall, while still denying other ICMP traffic.
ICMP is invaluable to a network administrator debugging network issues: administrators use it to find broken links and to trace packet paths, while intruders use it to learn the topology of a private network. Network intruders also exploit weaknesses in certain ICMP implementations to damage a site.
One way to restrict intrusions into a private network is to block all ICMP messages from entering, but this is not a desirable approach because it also breaks the legitimate uses above.
Q. How can Cisco IOS Firewall protect networks from malicious ICMP traffic?
A. Cisco IOS Firewall employs ACLs to block ICMP messages from the untrusted portion of the network. It uses stateful inspection to "trust" the ICMP messages generated within the private network, and to permit the associated ICMP replies. The firewall uses the existing architecture and user interface to inspect request/reply-type ICMP messages, and to allow ICMP traffic to flow. To complement the firewall inspection, access control lists (ACLs) can still allow unsolicited error messages.
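The following added example (not configuration from the original page) shows the combination just described in the legacy inspection model: an inbound ACL on the outside interface that blocks unsolicited ICMP, ICMP inspection so that replies to inside-originated ping and traceroute come back by state, and explicit ACL entries for the unsolicited error messages (destination unreachable, including fragmentation-needed, and time exceeded) that TCP/UDP sessions depend on. Interface names, the rule name and the address ranges are constructed; the inside range is shown as a publicly routed block so that NAT can be left out.

```cisco
! Added example, not from the original page. Interface names, rule name and
! addresses are constructed; 203.0.113.0/24 is the inside LAN (no NAT shown).

! Inbound ACL on the outside interface: everything unsolicited is blocked,
! except the ICMP errors that existing TCP/UDP sessions rely on (path MTU
! discovery needs "unreachable" code 4, traceroute needs "time-exceeded").
! They are restricted to the inside range so they cannot be used as a
! general probe of the firewall.
ip access-list extended OUTSIDE-IN
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 deny icmp any any log
 deny ip any any log

! Inspection rule: echo, timestamp and traceroute requests leaving the inside
! create sessions, so only their replies are admitted, by state rather than
! by a "permit icmp any any echo-reply" hole in the ACL
ip inspect name FW icmp
ip inspect name FW tcp
ip inspect name FW udp

interface Serial0/0
 description outside
 ip address 192.0.2.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

With this in place an inside host's ping and traceroute work, an outside ping of an inside host is dropped and logged, and show ip inspect sessions lists the ICMP sessions while they are open.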
HOW CISCO IOS FIREWALL WORKS
Q. Does Cisco IOS Firewall support ATM interfaces?
A. Yes. The type of encapsulation employed on the ATM connection dictates where Cisco IOS Firewall features are employed.
Generally, the rule is to apply the inspection policy to the sub-interface if the configuration employs a sub-interface.
Q. Does Cisco IOS Firewall support Point-to-Point Tunneling Protocol (PPTP)?
A. Yes, provided the following traffic is permitted through the firewall:
1. Allow for TCP port 1723 from the PPTP client to the PPTP server
2. Allow for IP protocol 47 (generic routing encapsulation [GRE]) from the PPTP client to the PPTP server
Q. Does Cisco IOS Firewall support Internet Printing Protocol (IPP)?
A. IPP uses a single TCP connection, by default to port 631, and carries its requests in HTTP, so to the firewall it looks like any other single-channel TCP session.
Cisco IOS Firewall supports this with generic TCP inspection, for example (the rule name is a placeholder):
ip inspect name <inspection-name> tcp
Because IPP over SSL is still a single TCP connection, the same inspection rule covers it.
Q. Can Cisco IOS Firewall and TCP Intercept be enabled at the same time?
A. No. They should not be enabled at the same time because TCP Intercept bypasses the firewall inspection process. TCP Intercept is not available in images that contain Cisco IOS Firewall.
Q. How does Cisco IOS Firewall work?
A. Cisco IOS Firewall incorporates several mechanisms to enforce controls.
• Packet inspection:
– Monitors the control channels of connections
– Checks protocol compliance for some services
– Detects and prevents application-level attacks
• Packets that pass inspection are forwarded, and Cisco IOS Firewall creates a session table entry to track connection activity. Return traffic is only permitted through if a session table entry exists for that connection's traffic, which indicates the packet belongs to a valid session.
• When a TCP connection, UDP session, or ICMP traffic completes or times out, the session table entry is deleted.
• Cisco IOS Firewall selectively allows access back to the protected network based on the contents of the inspection session table. Early versions of Cisco IOS Firewall created and deleted dynamic ACL entries at each router interface, according to information in the session table. Cisco IOS Firewall's architecture was significantly changed in Cisco IOS Software Release 12.3.
Q. Can non-IP protocols be routed while using Cisco IOS Firewall?
A. Yes. Other protocols (Internetwork Packet Exchange [IPX] and AppleTalk, for example) can function alongside Cisco IOS Firewall, but the firewall will not inspect associated traffic.
Q. Does Cisco IOS Firewall work in environments with asymmetric routing?
A. No. Packets are not guaranteed to return through the same router. Cisco IOS Firewall tracks the state of TCP/UDP sessions, and a packet must depart and return from the same router for accurate maintenance of state information.
Q. What is the relationship between Cisco IOS Firewall inspection and ACLs?
A. Static ACLs in a router define the security authorization policy. Cisco IOS Firewall inspects traffic allowed by the static ACLs and uses ACL Bypass to let the return traffic of inspected sessions pass "around" the ACLs. Where services use subordinate channels for media or data connections, the firewall opens additional holes based on the state of the connection and on payload inspection.
Q. Which part of the packet does Cisco IOS Firewall inspect?
A. The inspected portion of the traffic varies with different services. Cisco IOS Firewall inspects the entire packet of supported applications, including IP, TCP/UDP headers, and payload.
Q. Do standard/extended ACLs have priority over Cisco IOS Firewall? If so, when does Cisco IOS Firewall have priority?
A. Cisco IOS Firewall inspects packets after the input and output ACL checks as traffic moves from trusted to untrusted interfaces. When traffic arrives from the untrusted network, the inspection checks the session table for an existing session that matches the traffic. If a match is found, the traffic is allowed back to the trusted network without being processed by the ACLs.
Q. Does Cisco IOS Firewall support Extended SMTP (ESMTP)?
A. Yes. Cisco IOS Firewall added ESMTP in Cisco IOS Software Release 12.3(7)T to complement the existing SMTP Inspection support, which had been available since Cisco IOS Software Release 12.1(5)T.
Q. What happens in Cisco IOS Firewall when an illegal command is detected in a Simple Mail Transfer Protocol (SMTP) transmission?
A. When an inspection rule is configured for SMTP or ESMTP inspection and activated on an interface, Cisco IOS Firewall inspects all commands sent on the SMTP/ESMTP connection to ensure they comply with the SMTP or ESMTP protocol specification. When Cisco IOS Firewall detects an illegal command on an SMTP/ESMTP connection, it drops the connection immediately.
Q. Why can't TCP inspection be used for FTP?
A. FTP uses multiple channels to accomplish data transfer between client and server hosts; therefore, this type of application access requires application-level inspection.
Many multimedia applications have similar characteristics: an initiator (client) uses a "well-known" port to reach a responder (server), and the two negotiate different ports on which to transmit the media (data, video, or audio) in a channel that the firewall monitors. When the firewall extracts the port negotiation commands, it opens a "pinhole" that allows the media connection to pass. The additional ACL Bypass opening is removed immediately when the connection is terminated.
Q. Can Cisco IOS Firewall inspect applications on ports other than those set as default ports?
A. Yes. Granular Protocol Inspection (Cisco IOS Software Release 12.3(14)T) introduced interoperability between Port-Application Mapping and IOS Firewall. This includes support for a much larger list of protocols than was originally offered in Cisco IOS Firewall Stateful Inspection, and offers support for user-specified port numbers on application traffic.
Q. Does Cisco IOS Firewall continue to inspect the data content of the packets or does it only inspect the IP/TCP header fields, once the TCP session handshake has been completed? What per-packet inspection occurs during the data stream connection?
A. This depends on what inspection is enabled. Consider the following three scenarios:
• Only TCP inspection is enabled: Cisco IOS Firewall inspects the initial handshake. It then continues to monitor the sequence (SEQ) and acknowledgment (ACK) numbers of the packets, until the end of the connection. This ensures that the SEQ and ACK numbers fall in the proper range.
• Layer 7 protocol inspection (SMTP, HTTP, or FTP, for example) is enabled: Cisco IOS Firewall actually looks at the packet data, in addition to the header, to check for some attack signatures.
• Layer 7 protocol is a multichannel protocol (FTP or H.323, for example): Cisco IOS Firewall also inspects the packet data, in addition to the header, to look for negotiated ports for the secondary channel, so that it can open holes in ACLs to allow the negotiated secondary channels to pass.
CONFIGURING THE FIREWALL
Q. Is Cisco IOS Firewall configured on a per-router or per-interface basis?
A. Cisco IOS Firewall is configured on a per-interface basis if the legacy Stateful Inspection configuration model is used. If the newer Zone-Based Policy configuration model is used, interfaces are assigned to zones, then inspection policies are applied to traffic moving between zones.
Cisco IOS Firewall policies can be configured differently for each interface within the same router, or the firewall can be deployed on some (but not all) interfaces.
Q. How is existing traffic affected by configuration of Cisco IOS Firewall and ACLs?
A. Adding or reconfiguring Cisco IOS Firewall and ACLs to firewall interfaces can be done while the router is in service, but this setup may block sessions established prior to reconfiguration. Cisco recommends configuring Cisco IOS Firewall during off-peak hours to minimize interruption of critical business applications.
Q. When do I use unidirectional versus bidirectional Cisco IOS Firewall applications?
A. Cisco IOS Firewall is configured on a per-interface basis. It may be configured to control traffic originating from either side of a firewall (bidirectional); however, most customers will apply it to traffic originating from one side only (unidirectional).
• Unidirectional: Configure Cisco IOS Firewall as a unidirectional control when client sessions are initiated from the internal network and must cross the firewall to access a host.
– Example: A branch office may need to access corporate servers across a WAN link or the Internet. Cisco IOS Firewall opens links on an as-needed (dynamic) basis, and monitors return traffic.
• Bidirectional: Cisco IOS Firewall is appropriate as a bidirectional solution when both sides of a firewall require protection.
– Example: When traffic moves between partner company networks and is restricted for certain applications in one direction, and for different applications in the other direction.
Q. What are the steps in configuring Cisco IOS Firewall?
A.
1. Configure the access list to open desired ports for applications authorized to cross the firewall, and deny everything else.
2. Apply these ACLs properly on the interfaces to provide secure access.
3. Configure the inspection rule(s) that specify inspection for each type of authorized application.
4. Apply inspection rules on interfaces in the direction of traffic initiation.
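The four steps above as a legacy Stateful Inspection configuration, added here as an example and not taken from the FAQ; interface names, addresses and the list of permitted applications are assumptions:

```cisco
! Added example, not from the original FAQ. Assumed topology:
! FastEthernet0/0 is the trusted (inside) interface, FastEthernet0/1
! is the untrusted (outside) interface; addresses are documentation ranges.
!
! Step 1: ACL for the untrusted side. Only the services that must be
! reachable from outside are permitted; return traffic for inside-initiated
! sessions is admitted by the inspection session table, not by this ACL.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq smtp
 deny ip any any log
!
! Step 1: ACL for the trusted side, listing the authorized applications.
ip access-list extended INSIDE-OUT
 permit tcp 192.0.2.0 0.0.0.255 any eq www
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 permit tcp 192.0.2.0 0.0.0.255 any eq ftp
 permit tcp 192.0.2.0 0.0.0.255 any eq smtp
 permit udp 192.0.2.0 0.0.0.255 any eq domain
 deny ip any any log
!
! Step 3: one inspection rule naming each authorized application type.
! Application-level entries (http, ftp, esmtp) come before the generic
! tcp/udp entries, which cover the remaining permitted traffic.
ip inspect name FW-RULE http
ip inspect name FW-RULE ftp
ip inspect name FW-RULE esmtp
ip inspect name FW-RULE tcp
ip inspect name FW-RULE udp
!
! Steps 2 and 4: apply the ACLs to both interfaces and the inspection
! rule inbound on the inside interface, the direction of session initiation.
interface FastEthernet0/0
 description INSIDE (trusted)
 ip address 192.0.2.1 255.255.255.0
 ip access-group INSIDE-OUT in
 ip inspect FW-RULE in
!
interface FastEthernet0/1
 description OUTSIDE (untrusted)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
```

After an inside host opens a session, `show ip inspect sessions` lists the entry that lets the return traffic bypass OUTSIDE-IN, and `show ip inspect config` confirms the rule and its per-protocol timeouts.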
Q. How is load balancing with inspection configured?
A. On firewall interfaces that participate in load balancing, identical access groups and inspection rule(s) must be applied for the Cisco IOS Firewall and ACL mechanisms to operate properly and to block unwanted traffic.
Packets associated with the same session may flow through Cisco IOS Firewall at different interfaces. Identical ACLs and inspection rules on these interfaces help ensure that state information stays consistent, and that the Cisco IOS Firewall-generated ACL entries are active on all load-balancing interfaces.
Q. How is Network File System (NFS) inspection configured?
A. To run NFS across Cisco IOS Firewall, remote procedure call (RPC) inspection must be activated for the four program numbers that are associated with the related daemons: NFS, mount, nlockmgr, and status.
Here are the appropriate commands:
nfs: ip inspect name nfs-rule rpc program-number 100003 wait-time 5
mount: ip inspect name nfs-rule rpc program-number 100005 wait-time 0
nlockmgr: ip inspect name nfs-rule rpc program-number 100021 wait-time 0
status: ip inspect name nfs-rule rpc program-number 100024 wait-time 0
Q. What is wait time, and how is it used?
A. Wait time is the number of minutes that Cisco IOS Firewall leaves sessions between hosts after the session is established.