Introduction to the Cisco IOS Firewall Feature Set


The IOS Firewall is a straightforward product. It is simply a set of firewall services that you can enable on an IOS router. Cisco's idea was to take the functionality of the PIX Firewall and make it available on an IOS router. This is the essence of the IOS Firewall: PIX Firewall functionality without the need for a PIX Firewall.

The IOS Firewall consists of three separate functional components: CBAC, intrusion detection, and authentication proxy. We briefly introduce intrusion detection and authentication proxy in this chapter, but fully discuss these features in chapters 6 and 7, respectively.

CBAC

As stated earlier, CBAC (Context-Based Access Control) is an integral part of the Cisco IOS Firewall feature set and provides unidirectional as well as bidirectional filtering. CBAC provides traffic filtering using the following parameters:

  • Source IP address

  • Source port number

  • Destination IP address

  • Destination port number

On the flip side, CBAC does not work with applications that negotiate ports dynamically. However, CBAC does inspect specific applications that use multiple ports, such as FTP and H.323. For applications that CBAC cannot inspect, the ports they need must be opened permanently to allow the traffic to flow, and that permanent opening is a security vulnerability.
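As an added illustration (not code from the book or from Cisco), the following Python model shows the mechanism behind these statements: outbound sessions are recorded by the four parameters listed above, return traffic is admitted only when it matches a recorded session, and an application-aware FTP inspector parses the client's PORT command so the server's dynamically negotiated data connection can be admitted without a permanent hole. The addresses, ports and PORT command are constructed sample values.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection, keyed on the four CBAC parameters."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Inspector:
    """Toy CBAC: records outbound sessions, admits only matching return traffic."""
    inspect_ftp: bool = True
    allowed: set = field(default_factory=set)

    def outbound(self, flow: Flow, payload: str = "") -> None:
        self.allowed.add(flow.reverse())  # temporary opening for the reply
        # Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" and the
        # server connects back from port 20 to h1.h2.h3.h4:(p1*256+p2).
        # Application-aware inspection parses this and opens just that flow.
        if self.inspect_ftp and flow.dst_port == 21:
            m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                self.allowed.add(Flow(flow.dst_ip, 20, host, port))

    def inbound(self, flow: Flow) -> bool:
        return flow in self.allowed


def demo(inspect_ftp: bool) -> dict:
    """Client 10.1.1.5 opens an FTP control session to 203.0.113.7 (constructed)."""
    fw = Inspector(inspect_ftp=inspect_ftp)
    client, server = "10.1.1.5", "203.0.113.7"
    ctl = Flow(client, 40000, server, 21)
    fw.outbound(ctl, "PORT 10,1,1,5,156,65")  # 156*256+65 = data port 40001
    return {
        "control_reply": fw.inbound(ctl.reverse()),                 # always allowed
        "ftp_data": fw.inbound(Flow(server, 20, client, 40001)),    # needs inspection
        "unsolicited": fw.inbound(Flow(server, 20, client, 40002)),  # always blocked
    }
```

With `inspect_ftp=False` the data connection is dropped, and the only way to make it work would be a permanent access-list entry permitting the server's port 20 to any client port, which is exactly the permanently opened port the text warns about.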

Intrusion Detection

The IOS intrusion detection system (IDS) performs similar, if not identical, functions to the Cisco IDS appliance and the Cisco IDS module. The basic concept of a Cisco IDS device is that it analyzes packets that pass through an interface. The IDS compares the packets against a set of predefined signatures that Cisco builds.

Authentication Proxy

Authentication proxy is a service that, in the most basic terms, authenticates users. After authentication, authentication proxy determines what resources a user is authorized to access. The key to understanding authentication proxy is that the IOS router communicates with a Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) server to retrieve user information. It is on the TACACS+ or RADIUS server that you configure the users, along with their associated privileges, that are used by the authentication proxy.



CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Author: Raman Sud
