provided for other protocols, the support is usually similar to the support for UDP. When a protocol flow is initially permitted, all packets matching the flow are permitted until an idle timer expires.

Stateful Packet Filter Handling of Dynamic Applications

Dynamic applications, such as FTP, SQLnet, and many of the protocols used for voice and video signaling and media transfer, open a channel on a well-known port and then negotiate additional channels through the initial session. Stateful firewalls support these dynamic applications through application inspection features. The stateful packet filter snoops the initial session and parses the application data to learn about the additional negotiated channels. The stateful packet filter then usually enforces the policy that if the initial session was permitted, any additional channels of that application should be permitted as well.
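The following added example (constructed for this page, not Cisco code) models the behaviour just described: policy permits the initial outbound session, state permits the return traffic until an idle timer expires, and FTP application inspection parses the PORT command in the control channel to open a pinhole for the negotiated data channel. The addresses, ports and timestamps are constructed sample values.

```python
import re
# Constructed model (not Cisco code) of a stateful packet filter with FTP
# inspection: policy permits the initial outbound session, state permits the
# return traffic, and a snooped PORT command opens the negotiated data channel.
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class StatefulFilter:
    def __init__(self, policy, idle_timeout=60):
        self.policy = set(policy)   # (proto, dst_port) permitted from inside
        self.idle_timeout = idle_timeout
        self.flows = {}             # (proto, src, sport, dst, dport) -> last seen
        self.pinholes = {}          # (proto, dst, dport) -> expiry time

    def _inspect_ftp(self, now, client, payload):
        m = PORT_RE.search(payload)  # PORT h1,h2,h3,h4,p1,p2 as in RFC 959
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            ip = f"{h1}.{h2}.{h3}.{h4}"
            if ip == client:  # only open a channel back to the client itself
                self.pinholes[("tcp", ip, p1 * 256 + p2)] = now + self.idle_timeout

    def process(self, now, direction, proto, src, sport, dst, dport, payload=""):
        # drop flows whose idle timer ran out and pinholes past their lifetime
        self.flows = {k: t for k, t in self.flows.items() if now - t < self.idle_timeout}
        self.pinholes = {k: t for k, t in self.pinholes.items() if t > now}
        key, rev = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        if key in self.flows or rev in self.flows:
            self.flows[key if key in self.flows else rev] = now  # refresh idle timer
        elif direction == "out" and (proto, dport) in self.policy:
            self.flows[key] = now                                 # new permitted session
        elif direction == "in" and (proto, dst, dport) in self.pinholes:
            del self.pinholes[(proto, dst, dport)]                # negotiated data channel
            self.flows[key] = now
        else:
            return "deny"
        if direction == "out" and proto == "tcp" and dport == 21:
            self._inspect_ftp(now, src, payload)                  # snoop the control channel
        return "permit"

def demo():
    fw = StatefulFilter(policy={("tcp", 21), ("udp", 53)}, idle_timeout=60)
    c, s = "10.0.0.5", "203.0.113.7"   # constructed client and FTP server addresses
    return [
        fw.process(0, "out", "tcp", c, 40000, s, 21),                   # policy: permit
        fw.process(1, "in", "tcp", s, 21, c, 40000),                    # return traffic: permit
        fw.process(2, "in", "tcp", s, 20, c, 40001),                    # not negotiated yet: deny
        fw.process(3, "out", "tcp", c, 40000, s, 21, "PORT 10,0,0,5,156,65\r\n"),  # opens 40001
        fw.process(4, "in", "tcp", s, 20, c, 40001),                    # negotiated channel: permit
        fw.process(70, "in", "tcp", s, 21, c, 40000),                   # idle timer expired: deny
    ]
```

The third packet is denied because the data channel has not yet been negotiated; it is permitted only after the PORT command has been parsed from the permitted control session.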
Content 6.1 Introducing the Cisco IOS Firewall

6.1.5 Introducing the Cisco IOS Firewall Feature Set

The Cisco IOS Firewall Feature Set is a security-specific option for Cisco IOS software that is available in select security Cisco IOS images. The Cisco IOS Firewall Feature Set integrates robust firewall functionality, authentication proxy, and intrusion prevention for every network perimeter and enriches existing Cisco IOS security capabilities. The feature set adds more flexibility to existing Cisco IOS security solutions, such as authentication, encryption, and failover, by delivering application-based filtering, dynamic per-user authentication and authorization, defense against network attacks, Java blocking, and real-time alerts. When combined with Cisco IOS IPsec software and other Cisco IOS software-based technologies, such as Layer 2 Tunneling Protocol (L2TP) and quality of service (QoS), the Cisco IOS Firewall provides a complete, integrated virtual private network (VPN) solution.

To create a firewall customized to the security policy of your organization, you must determine which Cisco IOS Firewall features are appropriate and then configure those features. Figure lists some of the IOS Firewall features to consider. The next few subtopics discuss the three main features.

Cisco IOS Firewall
The Cisco IOS Firewall is the stateful packet filtering engine of a Cisco IOS router. Cisco IOS Firewall allows you to implement firewall intelligence as part of an integrated, single-box solution. Figure summarizes how the Cisco IOS Firewall works. For example, sessions with an extranet partner that involve Internet applications, multimedia applications, or Oracle databases no longer need to open a network doorway that is accessible via weaknesses in the network of a partner. The stateful engine enables tightly secured networks to run the basic application traffic as well as advanced applications, such as multimedia and videoconferencing, securely through a router.

Cisco IOS Firewall intelligently filters TCP and UDP packets based on application layer protocol session information. The firewall inspects traffic for sessions that originate on any interface of the router and manages state information for TCP and UDP sessions. This state information is used to create temporary openings in the ACLs to allow return traffic and additional data connections for permissible sessions. Inspecting packets at the application layer and maintaining TCP and UDP session information helps prevent certain types of network attacks, such as SYN flooding. Cisco IOS Firewall inspects packet sequence numbers in TCP connections to see if the numbers are within expected ranges and drops any suspicious packets. Additionally, Cisco IOS Firewall can detect unusually high rates of new connections and issue alert messages. The firewall inspection can help protect against certain denial of service (DoS) attacks that involve fragmented IP packets.

Cisco IOS Firewall Authentication Proxy
You can create specific security policies for each user with Cisco IOS Firewall’s dynamic, per-user authentication and authorization. Figure lists the key features of the Cisco IOS Authentication Proxy. Traditionally, user identity and the related authorized access were associated with a user IP address, or a single security policy was applied to an entire user group or subnet. Now, users can be identified and authorized on the basis of a per-user policy, and administrators can create access privileges that are tailored on an individual basis as opposed to a general policy applied across multiple users.

With the authentication proxy feature, users can start an HTTP, HTTPS, FTP, or Telnet session that traverses the router, and the router will intercept that session and prompt the user for authentication, as shown in Figure. User-specific access profiles are then automatically retrieved from a Cisco Secure Access Control Server (ACS) or other RADIUS or TACACS+ authentication server and applied to the router interface. The user profiles are active only while there is active traffic from the authenticated users. The authentication proxy is compatible with other Cisco IOS security features, such as NAT, IPsec, and VPN client software.

Cisco IOS Firewall IPS
An IPS provides a level of protection beyond the firewall by protecting the network from internal and external attacks and threats. Cisco IOS Firewall IPS technology enhances perimeter firewall protection on midrange and high-end router platforms by taking appropriate actions on packets and flows that violate the security policy or represent malicious network activity. Figure summarizes how the Cisco IOS IPS feature works.

Note: Cisco IOS IPS technology combines IDS and IPS features into one software solution.

Cisco IOS Firewall IPS capabilities are ideal for providing additional visibility at intranet, extranet, and branch-office Internet perimeters. You can now benefit from more robust protection against attacks on the network and automatically respond to threats from internal or external hosts. Cisco IOS Firewall IPS is especially suited for locations where a router is deployed and additional security between network segments is required. Cisco IOS Firewall IPS can protect intranet and extranet connections where additional security is mandated and branch-office sites that connect to the corporate office or Internet.

The Cisco IOS Firewall IPS identifies more than 700 prepackaged common attacks using signatures to detect patterns of misuse in network traffic. In addition to the predefined signature database, administrators can define their own custom signatures. The intrusion prevention signatures of the Cisco IOS Firewall IPS were chosen from a broad cross-section of intrusion prevention signatures. The signatures represent severe breaches of security and the most common network attacks and information-gathering scans. You can configure the Cisco IOS Firewall IPS to take one or more of the actions listed in the Signature Actions table when Cisco IOS Firewall IPS detects a match against a signature.

Web Links

Cisco Secure Access Control Server (ACS)
http://cisco.com/en/US/products/sw/secursw/ps2086/index.html
6.1.6 Cisco IOS Firewall Functions

First, we will review some basic ACL concepts. An ACL provides packet filtering. An ACL has an implied “deny all” at the end of the list, and if no ACL is configured, all connections are permitted. Without Cisco IOS Firewall, traffic filtering is limited to ACL implementations that examine packets at the network layer or, at most, the transport layer. Figure describes the characteristics of Cisco IOS ACLs.

The static nature of classic ACLs has severe security implications for applications that dynamically negotiate additional communication channels. Such dynamic channels must be statically permitted through the ACLs. Attackers can misuse the holes that appear in the ACLs for the dynamic applications in order to inject malicious traffic into the protected network. These shortcomings are addressed by the