Businesses face an increasingly hostile environment when data networks are connected to the public Internet, and network borders are opened to business partners through VPNs. Furthermore, the growing "inside" threats from malware such as worms, Trojan horses, unwanted application traffic, and other malicious agents that can infiltrate a network can cause costly security disruptions, downtime, and unwanted bandwidth consumption.
Cisco IOS® Firewall offers a threat defense foundation to deploy secure access policies at all network interfaces: Internet perimeter, remote-site connectivity, business-partner access, and telecommuter connections.
• Application inspection and control builds on the existing stateful inspection infrastructure to offer comprehensive protection for industry-standard services, as well as a framework to configure custom protocol support to meet business requirements.
• Improvements to the Cisco IOS Software Zone-Based Policy Firewall provide innovative control capabilities for Instant Messaging and peer-to-peer applications, granular application-level control for HTTP traffic, as well as firewall policy bandwidth shaping and session limits.
• Performance enhancements bring Cisco IOS Firewall connection capacities and throughput capabilities in line with business requirements to integrate network threat defense capabilities with other router features such as Network Address Translation (NAT), VPN, quality of service (QoS), and dynamic routing.
Key Benefits
The Cisco IOS Firewall interoperates with other Cisco IOS Software components, providing outstanding value and benefits:
• Application protection: Cisco IOS Firewall Application Inspection and Control minimizes threats on desirable network services such as web traffic and mail protocols by enforcing protocol conformance and blocking unwanted application activity. Network bandwidth and employee time waste is limited by Cisco IOS Firewall blocking unwanted applications such as Instant Messaging traffic, peer-to-peer file-sharing traffic, and HTTP tunneling applications.
• Integrated security: Common Criteria Evaluation Assurance Level 4 (EAL4)-certified firewall capability provides basic network protection through stateful inspection, blocking undesired network activity and allowing business-critical application traffic. Traffic controls block malicious efforts against vulnerable hosts such as fragmentation and replay attacks, and denial-of-service (DoS) protection detects and mitigates the unusual activity that characterizes traffic generated by worm-infected and zombie hosts.
• Network border enforcement: Cisco IOS Firewall secures the front line of network connectivity when deployed at network access points. Left unguarded, connections to the public Internet, VPN, and WAN access for remote sites, business-partner portals, and telecommuter VPN termination offer access points to sensitive resources. Cisco IOS Firewall offers a platform for application of secure network access policies to reduce the threat profile of connectivity points.
• Investment protection: Integrating firewall functions into a multiprotocol router takes full advantage of an existing router investment, without the cost and learning curve associated with a new platform. Cisco IOS Firewall on Cisco IOS Software routers is an all-in-one, scalable solution that performs multiprotocol routing, perimeter security, intrusion detection, VPN functions, and per-user authentication and authorization.
• Easy provisioning and management: Easy-to-use Cisco Router and Security Device Manager (SDM) facilitates rapid deployment of Cisco Technical Assistance Center (TAC)-approved default firewall policies (Figure 1) and real-time monitoring of firewall logs (Figure 2). The Unified Firewall MIB provides a Simple Network Management Protocol (SNMP) interface for monitoring firewall activity, and Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) dynamically configures mitigation policies to counter network security threats.
Figure 1. Defining Firewall Policies with Cisco SDM Intuitive GUI
Figure 2. Monitoring Cisco IOS Firewall Events with Cisco SDM
Cisco IOS Firewall Features
Table 1 lists the features and capabilities of Cisco IOS Firewall.
Table 1. Cisco IOS Firewall Features and Capabilities
Capability: Advanced application inspection and control
• Instant Messenger blocking: Instant Messenger blocking offers per-service control to block or allow MSN Messenger, Yahoo! Messenger, and AOL Instant Messenger. It allows service restriction to text chat only, blocking voice and video chat and file transfer.
• Peer-to-peer control: Peer-to-peer control individually blocks access to the BitTorrent, Gnutella, KaZaA, and eDonkey file-sharing networks. Service-specific improvements were introduced in Cisco IOS Software 12.4(9)T to limit particular activities on specific peer-to-peer networks.
• Protocol conformance checking: This feature enforces protocol conformance for HTTP, Simple Mail Transfer Protocol (SMTP), Extended SMTP (ESMTP), Internet Mail Access Protocol (IMAP), and Post Office Protocol 3 (POP3). It facilitates detection and prevention of unwanted traffic on desired application service ports. HTTP inspection offers Java Applet filtering to block malicious content in HTTP traffic. Cisco IOS Software Version 12.4(9)T introduced capabilities to configure Regular Expression matching for policy enforcement, as well as granular application inspection and control of various HTTP objects, such as HTTP methods, URLs and URIs, and header names; and of values such as maximum URI length, maximum header length, maximum number of headers, maximum header-line length, non-ASCII headers, or duplicate header fields. This feature allows you to mitigate buffer overflows, HTTP header vulnerabilities, binary or non-ASCII character injections, exploits such as Structured Query Language (SQL) injection and cross-site scripting, and worm attacks.
Capability: Stateful inspection
• Zone-based policy firewall: Improved firewall policy configuration provides a clear interface for configuring firewall policies aligned with businesses' information security policies. Modular, granular firewall policies improve security by tightly controlling network service access and enforcement. The new configuration model changes router firewall behavior to an appliance-like default "deny-all" policy, removing dependence on access control lists. This firewall supports transparent ("bump-in-the-wire") operation and multiple Virtual Route Forwarding (VRF)-aware virtual firewalls per device.
• Transparent firewall: A transparent firewall facilitates insertion of a stateful Layer 2 firewall within an existing network, without readdressing statically defined devices. It provides the same Layer 3-7 filtering as "routed" mode, but offers the simplicity of bump-in-the-wire deployment.
• Firewall for secure unified communications: Cisco IOS Firewall transparently supports voice traffic, including application-level conformance of media protocol call flow and the associated open channels. It supports voice protocols such as H.323v2, v3, and v4, Skinny Client Control Protocol (SCCP), and Session Initiation Protocol (SIP) and assures protection of unified communications components such as Cisco Unified Communications Manager, Cisco Unified Border Element, and their endpoints.
• Virtual (VRF-aware) firewall: VRF-aware firewall functions offer virtual firewalls for isolated route space and overlapping addresses.
• Destination URL policy management: This feature offers URL filtering support for Websense and N2H2 services, as well as a local black or white list in the router configuration.
• Authentication proxy: Network administrators can authenticate and authorize each user's access to network resources with Cisco IOS Firewall Authentication Proxy using HTTP, Telnet, FTP, and HTTPS interfaces.
Capability: Management, provisioning, alerts, and logging
• Cisco SDM: This web-based device-management tool improves network and security manager productivity, simplifies router security deployment, and monitors device status.
• Cisco Security MARS: Cisco Security MARS collects statistics and correlates event activity, using audit-trail and event-logging activity carried in syslog and SNMP.
• Audit trail and logging: This logging records time stamp, source host, destination host, ports, duration, and total number of bytes transmitted for detailed reporting. Security events are logged according to severity level, providing details for forensics or debugging.
• Unified Firewall MIB: This MIB simplifies monitoring using any SNMP-based management system. It shares object definitions with other Cisco firewall products, so a uniform monitoring policy can be applied on all Cisco firewall devices.
Capability: Application traffic rate and session control
• Policy-map policing: Policy-map policing applies rate limits to firewall policies to control network bandwidth usage. Session policing limits connection rates to network hosts and helps protect against DoS attacks.
Capability: High availability
• Stateful Failover: Stateful Failover provides for active and standby failover between two routers for most TCP-based services. Firewall session state is maintained such that active sessions continue even during a router or circuit failure*.
* Current support for the Cisco 1841 Integrated Services Router, Cisco 2800 and 3800 Series Integrated Services Routers, Cisco 3700 Series Multiservice Access Routers, Cisco 7200 Series Routers, and the Cisco 7301 Router.
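An added example configuration, not taken from this data sheet, that ties together the Table 1 capabilities: zone-based policy with a default deny, the 12.4(9)T HTTP application inspection checks (protocol conformance, URI and header limits, IM/P2P tunneling over port 80, Java applet filtering), per-class session limits and policy-map policing, and IM/peer-to-peer blocking. Interface names, zone and class names, and all thresholds are assumptions chosen for illustration.

```cisco
! Added example; interface, zone, and class names and thresholds are assumptions.
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
! Layer 7 HTTP checks: conformance, URI/header limits, tunneled IM/P2P, Java applets.
class-map type inspect http match-any HTTP-VIOLATIONS
 match req-resp protocol-violation
 match request port-misuse any
 match request uri length gt 1024
 match req-resp header length gt 4096
 match req-resp header count gt 32
 match response body java-applet
policy-map type inspect http HTTP-DEEP
 class type inspect http HTTP-VIOLATIONS
  reset
  log
! Layer 4 classes: web, mail, and unwanted IM / peer-to-peer applications.
class-map type inspect match-all WEB
 match protocol http
class-map type inspect match-any MAIL
 match protocol smtp
 match protocol pop3
 match protocol imap
class-map type inspect match-any IM-P2P
 match protocol msnmsgr
 match protocol ymsgr
 match protocol aol
 match protocol bittorrent
 match protocol gnutella
 match protocol edonkey
! Session cap for web, rate limit for mail; anything unmatched is dropped and logged.
parameter-map type inspect WEB-PARAMS
 sessions maximum 2000
policy-map type inspect IN-TO-OUT
 class type inspect WEB
  inspect WEB-PARAMS
  service-policy http HTTP-DEEP
 class type inspect MAIL
  inspect
  police rate 2000000 burst 250000
 class type inspect IM-P2P
  drop log
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
```

Traffic between the zones is denied until a zone-pair policy permits it, so the class-default drop makes the "deny-all" posture explicit, and the reset/log actions in the HTTP policy surface conformance violations in syslog for the monitoring tools described above.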
Support for Secure Unified Communications
As in data networks, a layered approach to security is recommended for unified communications. Taking a comprehensive, systemic approach - incorporating all unified communications layers - means looking at applications, endpoints, call control, and the network infrastructure. Unified communications security at branch offices is easily deployed because integrated services routers can incorporate unified communications functions as well as security functions, all in the same device.
Table 2 lists the Cisco IOS Firewall features designed to protect unified communications.
Table 2. Cisco IOS Firewall Voice Security Features
Feature* and description:
• SIP Application Layer Gateway (ALG) Inspection: SIP ALG Inspection provides the ability to prevent unauthorized calls, call hijacking, and other SIP protocol exploits and related DoS attacks. This protection helps ensure protocol conformance and application security, giving more granular control over which policies and security checks to apply to SIP traffic and which messages or users to filter out.
• Skinny local traffic support: Cisco IOS Firewall configured with Cisco Communications Manager Express offers granular SCCP local traffic support by acting as an endpoint for the SCCP control channel.
• H.323v3 and v4 support: Cisco IOS Firewall supports H.323v3 and v4 features such as Annex E, Annex G, and Annex D; it also supports fax and call transfer.
• IM voice control support: Cisco IOS Firewall supports permit, deny, and alert policies and logging operations within IM, including general text chat and other services such as file transfers and attachments, whiteboarding, application sharing, games, video and audio conferencing, URLs, advertisements, tickers, and pop-ups.
* Features available in Cisco IOS Software 12.4(20)T and later releases.
Platform Support
Cisco IOS Firewall is available in the Advanced Security, Advanced Enterprise, and Advanced IP Services software images for all currently supported access router platforms, Cisco 7200 Series Routers, the Cisco 7301, and Cisco aggregation services routers. The default security router bundle includes the appropriate software image, along with enough memory and storage to support firewall features and other threat defense capabilities. Table 3 lists feature availability information for Cisco IOS Firewall.
Cisco Unified Communications Services allows you to accelerate cost savings and productivity gains associated with deploying a secure, resilient Cisco Unified Communications solution. Delivered by Cisco and our certified partners, our portfolio of services is based on proven methodologies for unifying voice, video, data, and mobile applications on fixed and mobile networks. Our unique lifecycle approach to services enhances your technology experience to accelerate true business advantage.