
Cisco IOS Software Release 12.1 for Catalyst 5000/RSM, No.1053

Product Bulletin, No. 1053

Cisco Secure Integrated Software (formerly known as Cisco IOS Firewall) for Catalyst 5000/RSM

Introduction

Cisco IOS® Release 12.1 for the Catalyst® 5000 Route Switch Module (RSM) brings firewall security features into the campus-switching environment. As security moves from the network edge into the interior of the network, Cisco Secure Integrated Software (formerly known as the Cisco IOS Firewall Feature Set) on the Route Switch Module helps implement a campus-wide enterprise security policy. The old notion of attackers outside and trusted users inside has been replaced with the notion of security everywhere. Security on the global Internet and on internal corporate intranets has in fact become a significant concern for enterprises wishing to extend connectivity beyond closed private networks.

While there is an increasing need to give customers, vendors, and ever more mobile employees access to a broader range of corporate information over public networks, confidential data and company resources across the whole network must be protected. In addition, the potential of online transactions and e-commerce will be realized only when a secure network infrastructure is in place and can be relied upon. As larger volumes of information are exchanged and as financial transactions begin to be conducted over these networks, a great deal needs to be secured. The loss of assets such as confidential company data is an obvious area of concern that calls for protection with technologies like the RSM-based firewall.

For networks of computers or computing devices, security can be defined more specifically by three basic concepts: privacy (or confidentiality), authentication, and data integrity. These basic concepts transcend all the technologies, applications, and implementations related to network security and manifest themselves as corporate security policy. Security is an area of extreme importance to corporate users. Given the wide range of requirements, technologies, and implementations, as well as the ever-changing nature of the security landscape on the Internet, enterprise network managers must implement a flexible but encompassing security infrastructure.

Cisco Secure Integrated Software not only helps in designing a comprehensive security policy to protect valuable internal resources but can also respond to threats in real time. Using trunking, virtual LANs (VLANs) can extend from the wiring closets to the data center, where the RSM module can be located to provide highly secure multiprotocol connectivity. Most of the port adapters supported on the Cisco 7500 and Cisco 7200 are supported for Cisco Secure Integrated Software on the RSM.

The key firewall security features for Route Switch Module include:

  • Context-based Access Control (CBAC)

  • Intrusion Detection (59 signatures)

  • Authentication Proxy: dynamic per-user authentication and authorization supporting both TACACS+ and RADIUS.

  • Java Blocking

  • Real-time alerts and audit trail

  • Dynamic port mapping (PAM)

  • Configurable alerts and audit trail

  • Simple Mail Transfer Protocol (SMTP) attack detection and prevention

  • MS Netshow support

  • IPSec encryption

  • Tunneling Protocols

Key Benefits

Proven IOS Software

The major benefits of including the firewall feature set on the RSM are the flexibility and robustness of the existing IOS feature sets, along with investment protection for the hardware. Cisco IOS Firewall as a software solution is ideal for its robust security features, low footprint requirement, and cost effectiveness.

Intranet Security with Policy Enforcement

Provides the security infrastructure for enforcing an enterprise-wide security policy for connections within an organization as well as between the organization and the rest of the corporate network. Cisco IOS software supports Terminal Access Controller Access Control System (TACACS+), Remote Access Dial-In User Service (RADIUS), IP Security (IPSec), Message Digest 5 (MD5), Secure Hash Algorithm (SHA), the Rivest, Shamir, Adleman algorithm (RSA), Data Encryption Standard (DES), Digital Signature Standard (DSS), Cisco Encryption Technology, and Kerberos.

Active Defense Against Distributed Denial of Service Attacks

The integrated Intrusion Detection System provides real-time protection, interception, monitoring, and reporting of the most common denial-of-service attacks. The Cisco IOS software-based intrusion-detection capabilities are an ideal complement to a full Cisco Secure IDS, as they provide additional visibility into the network on Cisco IOS software-based devices and communicate with the CSIDS Director security management system.

End to End Security

Cisco Secure Integrated Software helps bring intelligent network services to both enterprises and service providers from an end-to-end perspective. Security features such as IPSec, stateful firewalling, intrusion detection, Network Address Translation, SSH, and application-based user authentication and authorization secure the network while delivering services such as QoS and policy networking.

Functional Description

Context-Based Access Control (CBAC)

CBAC is a per-application control mechanism for IP traffic, including standard Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) Internet applications, multimedia applications (including H.323 and other video applications), and Oracle databases. CBAC inspects TCP and UDP packets and tracks their "state," or connection status. The Cisco IOS Firewall CBAC engine provides secure, per-application access control across network perimeters. CBAC enhances security for TCP and UDP applications that use well-known ports by scrutinizing source and destination addresses. CBAC allows network administrators to implement firewall intelligence as part of an integrated, single-box solution.

Figure 1: Catalyst 5000 with RSM and Integrated IOS Firewall

CBAC adds inspection intelligence to access control list (ACL) capabilities by reading the entire packet for application status information. Using this information, CBAC creates a temporary, session-specific ACL entry, permitting return traffic into the trusted network. This temporary ACL effectively opens a door in the firewall. When a session times out or ends, the ACL entry is deleted and the door closes to additional traffic. Standard and extended ACLs cannot create temporary ACL entries, so, until now, administrators have been forced to weigh security risks against information access requirements. Advanced applications that select from multiple channels for return traffic have been difficult to secure using standard or extended ACLs.
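The temporary, session-specific ACL entries described above can be modelled in a small simulation. The following Python is an added example written for this bulletin; it is not Cisco code and not the actual CBAC implementation. It assumes a static policy of permit-all outbound on the inside interface and deny-all inbound on the outside interface, inspects TCP and UDP only, and simplifies session teardown to an idle timeout, a TCP RST, or a FIN from both sides (real CBAC also handles FIN-wait timing and the application channels of protocols such as H.323). The addresses, ports, timeouts, and packet trace are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Session key: (proto, inside_ip, inside_port, outside_ip, outside_port)
SessionKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                        # "out": trusted -> untrusted, "in": untrusted -> trusted
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN"}, {"FIN"}, {"RST"}


@dataclass
class Session:
    last_seen: float
    fin_seen: set = field(default_factory=set)   # directions that have sent a FIN


class CbacInspector:
    """Constructed model of CBAC-style stateful inspection (not Cisco's code).

    Static policy assumed: inside interface permits all outbound traffic,
    outside interface's static ACL denies all inbound traffic. The only thing
    that admits an inbound packet is a temporary session entry created by
    inspecting an outbound packet of an inspected protocol.
    """

    def __init__(self, tcp_idle: float = 3600.0, udp_idle: float = 30.0,
                 inspect: Tuple[str, ...] = ("tcp", "udp")) -> None:
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}   # constructed idle timeouts
        self.inspect = set(inspect)
        self.sessions: Dict[SessionKey, Session] = {}

    @staticmethod
    def _key(pkt: Packet) -> SessionKey:
        # Normalise both directions of one flow to a single key, inside endpoint first.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def expire(self, now: float) -> None:
        # Idle timeout: the temporary entry is deleted and the "door" closes.
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > self.idle[k[0]]]
        for k in stale:
            del self.sessions[k]

    def _track_close(self, key: SessionKey, sess: Session, pkt: Packet) -> None:
        if pkt.proto != "tcp":
            return
        if "RST" in pkt.flags:                  # abortive close: drop the entry at once
            self.sessions.pop(key, None)
            return
        if "FIN" in pkt.flags:
            sess.fin_seen.add(pkt.direction)
            if sess.fin_seen == {"in", "out"}:  # both sides have closed
                self.sessions.pop(key, None)

    def process(self, pkt: Packet, now: float) -> str:
        """Return the firewall decision ("permit" or "deny") for one packet."""
        self.expire(now)
        key = self._key(pkt)
        sess = self.sessions.get(key)
        if pkt.direction == "out":
            # Outbound is permitted by the inside ACL; inspected protocols get an entry.
            if pkt.proto in self.inspect:
                if sess is None:
                    sess = self.sessions[key] = Session(last_seen=now)
                sess.last_seen = now
                self._track_close(key, sess, pkt)
            return "permit"
        # Inbound: the static ACL denies; only a live session entry opens the door.
        if sess is None:
            return "deny"
        sess.last_seen = now
        self._track_close(key, sess, pkt)
        return "permit"

    def active_sessions(self) -> int:
        return len(self.sessions)


def run_demo() -> Tuple[List[str], int]:
    """Constructed trace: an outbound HTTP session, a DNS query, and unsolicited
    inbound packets that a static ACL alone could only block or permit permanently."""
    fw = CbacInspector()
    inside, web, dns, other = "10.1.1.5", "198.51.100.7", "198.51.100.53", "203.0.113.9"
    trace = [
        (0.0, Packet("tcp", inside, 40000, web, 80, "out", frozenset({"SYN"}))),       # client opens HTTP
        (0.1, Packet("tcp", web, 80, inside, 40000, "in", frozenset({"SYN", "ACK"}))),  # matching reply
        (0.2, Packet("tcp", web, 80, inside, 40001, "in")),                             # wrong client port
        (0.3, Packet("tcp", other, 4444, inside, 40000, "in")),                         # wrong source host
        (1.0, Packet("udp", inside, 5000, dns, 53, "out")),                             # DNS query
        (2.0, Packet("udp", dns, 53, inside, 5000, "in")),                              # DNS answer
        (40.0, Packet("udp", dns, 53, inside, 5000, "in")),                             # late answer, idle > 30 s
        (50.0, Packet("tcp", web, 80, inside, 40000, "in", frozenset({"RST"}))),       # server aborts
        (51.0, Packet("tcp", web, 80, inside, 40000, "in")),                            # after the close
    ]
    decisions = [fw.process(pkt, t) for t, pkt in trace]
    return decisions, fw.active_sessions()


if __name__ == "__main__":
    print(run_demo())
```

The trace shows the two properties the text describes: inbound packets are admitted only when they match an existing outbound session on all five tuple fields, and the entry disappears on timeout or connection teardown, so the same reply packet is denied once the door has closed.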

Intrusion Detection System (IDS)

The Cisco Secure Integrated Software's IDS identifies 59 of the most common attacks using signatures to detect patterns of misuse in network traffic. The intrusion-detection signatures included in the new release of the Cisco Secure Integrated Software were chosen from a broad cross section of intrusion-detection signatures. The signatures represent suspicious packets and the most common network attacks and information-gathering scans.

Authentication Proxy

Network administrators can create specific security policies for each user with Cisco Secure Integrated Software per-user authentication and authorization. Previously, user identity and the associated authorized access were determined by a user's fixed IP address, or a single security policy had to be applied to an entire user group or subnet. Now, per-user policy can be downloaded dynamically to the router from a TACACS+ or RADIUS authentication server.

Ordering Information

Cisco IOS Release 12.1 for the Catalyst 5000 RSM is available immediately.

For More Information

To find out more about Cisco IOS security and the Cisco IOS Firewall feature set, please visit the Cisco Web site at:

http://www.cisco.com/warp/public/cc/cisco/mkt/security/

http://www.cisco.com/warp/public/cc/cisco/mkt/security/iosfw/prodlit/

For the list of the supported port adapters, please refer to:

http://www.cisco.com/warp/public/cc/cisco/mkt/switch/cat/c5000/prodlit/694_pp.htm

White paper on Cisco Secure Integrated Software:

http://www.cisco.com/warp/public/cc/cisco/mkt/security/iosfw/tech/firew_wp.htm

Distributed Denial of Service News Flash:

http://www.cisco.com/warp/public/707/newsflash.html

Enterprise Network Security:

http://www.cisco.com/warp/public/779/largeent/issues/security/

Marketing Contacts

Andy Gallagher

408 526-7845

agallagh@cisco.com

Randy Hall

703 484-5557

rhall@cisco.com

John Lopez

408 853-6756

johlopez@cisco.com

Jocelyne Okrent

408 527-2041

jokrent@cisco.com

Ajay Gupta

408 525-3788

ajgupta@cisco.com