Networks are exposed to an increasingly hostile environment when connected to the public Internet and private WAN. This can introduce security breaches, malware outbreaks, and unwanted application traffic, which can result in lost revenues, productivity, and damage to corporate reputation.
Today there is increased pressure to comply with industry regulations as well as state and federal regulations, created to enhance privacy, national security, and in many cases corporate accountability. Examples of these regulations include the Payment Card Industries (PCI) Data Security Standard, which affects all vendors who receive, store, or transmit cardholder data. In the United States, other examples include the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry, the Gramm Leach Bliley Act (GLBA) in the financial services industry, and the Sarbanes-Oxley Act in the accounting field. The European Union's privacy legislation, called the Directive on Data Protection, requires that transfers of personal data to non-EU countries take place with only those organizations that provide acceptable levels of privacy protection. Fines, penalties, and lawsuits are just some of what a company might undergo if a security breach occurs and the company is out of compliance.
Cisco IOS® Firewall offers the threat defense required for today's changing threat environment. With more dangerous targeted attacks and the growth of the mobile workforce, the perception of network borders and where the office starts and stops has changed significantly to anywhere there is connectivity.
Deployed extensively at branch locations and home offices, Cisco IOS Firewall provides broad security coverage with deployment flexibility and the cost benefits that are fundamental to an integrated security approach (Figure 1).
It is the simple-to-use, certified, cost-effective firewall solution.
Figure 1. Typical Cisco IOS Firewall Deployment
Cisco IOS Firewall runs on the Cisco® integrated services router at the branch office and head office, protecting branch office resources and segmenting the network with security zone policies.
Cisco IOS Firewall Features and Benefits
The Cisco IOS Firewall is Common Criteria EAL4 certified and provides the following benefits:
• Application protection: Block unwanted applications such as instant messaging traffic, peer-to-peer file-sharing traffic, and HTTP-tunneling applications to reduce bandwidth usage and increase employee productivity.
• Network border enforcement: Recommended at all network entry points, secure the "front line," and prevent illegal access to sensitive resources.
• Unmatched return on investment: Perform routing, perimeter security, intrusion detection, VPN functionality, and per-user authentication and authorization on your router while addressing regulatory compliance.
• Easy provisioning and management: Enable rapid deployment of Cisco Technical Assistance Center (TAC)-approved firewall policies, monitor firewall activity, and dynamically configure mitigation policies with Cisco Configuration Professional, the Unified Firewall MIB, and Cisco Security Manager.
Table 1 describes Cisco IOS Firewall features.
Table 1. Feature and Benefits
Network zone segmentation
PCI Requirement 3: Protect stored cardholder data
Precise zone segmentation capabilities facilitate deploying security for internal, external and DMZ subgroups on the network to prevent unauthorized access.
Management options and flexibility
Enable management access from Cisco Configuration Professional, Cisco Security Manager, Unified Firewall MIB, and audit trail and logging.
Application traffic rate and session control
Policy-map policing applies rate limits to firewall policies to control network bandwidth usage. Session policing limits connection rates to network hosts and helps protect against denial-of-service (DoS) attacks.
Stateful Failover provides for active and standby failover between two routers for most TCP-based services. Firewall session state is maintained such that active sessions continue even during a router or circuit failure.
Virtual (VRF-aware) firewall
VRF-aware firewall functions offer virtual firewalls for isolated route space and overlapping addresses.
Authentication proxy PCI
Requirement 10: Track and monitor all access to network resources and cardholder data
Network administrators can authenticate and authorize each user's access to network resources with Cisco IOS Firewall Authentication Proxy using HTTP, Telnet, FTP, and HTTPS interfaces.
A transparent firewall facilitates insertion of a stateful Layer 2 firewall within an existing network, without readdressing statically defined devices. It provides the same Layer 3-7 filtering as "routed" mode, but offers the simplicity of bump-in-the-wire deployment.
Policy-map policing and session control
Policy-map policing applies rate limits to firewall policies to control network bandwidth usage. Session policing limits connection rates to network hosts and helps protect against DoS attacks.
Instant messenger blocking
Instant messenger blocking offers per-service control to block or allow MSN Messenger, Yahoo! Messenger, Windows Messenger and AOL Instant Messenger. It allows service restriction to text-chat only, blocking voice and video chat, and file transfer.
Peer-to-peer control individually blocks access to BitTorrent, Gnutella, KaZaA, and eDonkey file-sharing networks. Service-specific improvements were introduced in Cisco IOS Software Release 12.4(9)T to limit certain activities supported by certain peer-to-peer networks.
Protocol conformance checking
This feature enforces protocol conformance for HTTP, Simple Mail Transfer Protocol (SMTP), Extended SMTP (ESMTP), Internet Mail Access Protocol (IMAP), and Post Office Protocol 3 (POP3). It facilitates detection and prevention of unwanted traffic on desired application service ports. HTTP inspection offers Java applet filtering to block malicious content in HTTP traffic. Cisco IOS Software Release 12.4(9)T introduced capabilities to configure regular expression matching for policy enforcement, as well as a granular application inspection and control of various HTTP objects, such as HTTP methods, URLs and URIs, and header names; and values such as maximum URI length, maximum header length, maximum number of headers, maximum header-line length, non-ASCII headers, or duplicate header fields. This feature allows you to limit buffer overflows, HTTP header vulnerabilities, binary or non-ASCII character injections, and exploits such as Structured Query Language (SQL) injection, cross-site scripting, and worm attacks.
Integrates with Cisco IOS Software Intrusion Prevention System (IPS)
PCI Requirement 6: Develop and maintain secure systems and applications
Prevent application level attacks from flooding the network.
Integrates with Cisco IOS Software Content Filtering
Controls and blocks access to malicious and inappropriate websites.
* Current support for the Cisco 1841 Integrated Services Router, Cisco 2800 and 3800 Series Integrated Services Routers, Cisco 3700 Series Multiservice Access Routers, Cisco 7200 Series Routers, and the Cisco 7301 Router.
* Only on Classic IOS Firewall, not Zone Based Policy Firewall.
Beyond Data Threats: Securing Unified Communications
Voice and video are also targets of security attacks. Concerns such as toll fraud remain the same in the unified communications environment as in traditional telephone networks. Today's organizations also face increased regulatory requirements for conversation privacy, message confidentiality, and user and device authentication. Therefore, unified communications strategies must address the security aspects of Sarbanes-Oxley, GLB, HIPAA, PCI Data Security Standard, European Basel II, and other mandates affecting global organizations directly within the unified communications architecture. Integrating security within the underlying infrastructure also thwarts DoS attacks, worms, and other malicious activity that are usually aimed at the data network, but, when successful, have ramifications for the voice network, too.
Taking a comprehensive, systemic approach, incorporating all unified communications layers, means looking at applications, endpoints, call control, and the network infrastructure. Especially at branch offices, securing unified communications is easy to address because Cisco integrated services routers can incorporate voice as well as security functions, all in the same device. Table 2 describes specific support for securing unified communications.
Table 2. Features for Securing Unified Communications
SIP ALG inspection provides the ability to prevent unauthorized calls, call hijacking, and other SIP exploits and related DoS attacks. This protection helps ensure protocol conformance and application security, giving more granular control over what policies and security checks to apply to SIP traffic and what messages or users to filter out.
Voice protocol and media streams inspection support
Cisco IOS Firewall configured with Cisco Communications Manager Express offers granular local inspection support for all voice protocols such as skinny local inspection (Skinny Client Control Protocol [SCCP]), which requires Cisco IOS Software Release 12.4(20)T and higher. Cisco IOS Firewall also supports inspection for media streams such as MS NetMeeting, RealMedia , and MS Netshow.
H.323v3 and v4 support
Cisco IOS Firewall supports H.323v3 and v4 such as Annex E, Annex G, and Annex D; it also supports fax and call transfer.
Instant messaging voice control support
Cisco IOS Firewall supports permit, deny, and alert policies and logging operations within instant messaging, including general text chat, SIP Live Communication Server support, and other services such as file transfers and attachments, white boarding, application sharing, games, video and audio conferencing, URLs, advertisements, tickers, and pop-ups.
Trusted firewall control
Trusted firewall control builds intelligence into the firewall so that it can open a pinhole (a port that is opened through a firewall to allow a particular application access to the protected network) dynamically when it receives a Simple Traversal of User Datagram (STUN) Protocol request for a media flow. This request is authenticated/authorized by the firewall to make sure that it opens pinholes only for genuine calls.
Cisco IOS Firewall Management
Cisco Configuration Professional
Cisco Configuration Professional is a GUI device management tool for Cisco integrated services routers and Cisco 7200 Series and 7301 Routers running Cisco IOS Software. It offers smart wizards and advanced configuration support for LAN and WAN interfaces, Network Address Translation (NAT), and stateful and application firewall policy. The firewall wizard allows a single-step deployment of high, medium, or low firewall policy settings. Cisco Configuration Professional also offers a one-click router lockdown and an innovative security auditing capability to check and recommend changes to router configuration based on Cisco TAC recommendations. Figures 2 and 3 provide examples of the UI.
Figure 2. Defining Firewall Policies with Cisco Configuration Professional GUI
Cisco Security Manager
Cisco Security Manager is an enterprise-class management application that is Cisco device-independent designed to configure firewall, VPN, and IPS security services on Cisco network and security devices. It's a unified interface for managing firewall rules across different Cisco devices supporting the Cisco Firewall family of products, with its flexible rule specification methods for improved productivity and organization of rules; powerful toolset to identify configuration errors and optimize firewall rules.
Figure 3. Defining Firewall Policies with Cisco Security Manager GUI
Table 3. Firewall Services Support
User group firewall support
Intra-zone firewall support
Stateful inspection engine
Secure network posture by default
Packet tracer for debugging*
Packet capture capabilities for packet sniffing*
Independent inspection parameters on a per-flow basis
Please note the configuration examples and documentation demonstrates how IOS Firewall can secure and protect your network. The list of supported applications and protocols are intended to provide a general idea of the information that is needed to use and support IOS Firewall. For specific Cisco ISR platform performance and scalability concerns please contact a Cisco representative.