Network Bulls
www.networkbulls.com
Cisco has a very cool product called the Adaptive Security Appliance, or ASA. But there’s a catch or two: it’s a pretty pricey little beauty whose cost scales with the modules you choose (for example, intrusion prevention). Plus, the ASA is actually beyond the objectives of this book. I just personally think it is the best product on the market.

Cisco IOS software runs on upwards of 80 percent of the Internet backbone routers out there; it’s probably the most critical part of network infrastructure. So let’s just keep it real and use Cisco IOS’s software-based security, known as the Cisco IOS Firewall feature set, for our end-to-end Internet, intranet, and remote-access network security solutions. Let’s take a look.
Cisco’s IOS Firewall
Here’s where you’re going to find out how to mitigate some of the more common security threats on the list I gave you earlier in this chapter by using these Cisco IOS Firewall features:

Stateful IOS Firewall inspection engine
This is your perimeter protection feature: it gives your internal users secure access control on a per-application basis by tracking the state of each session and opening temporary return-traffic entries in the interface ACL only for connections that were initiated from the inside. People often call it Context-based Access Control (CBAC).

Intrusion detection
A deep packet inspection tool that lets you monitor, intercept, and respond to abuse in real time by matching traffic against 102 of the most common attack and intrusion detection signatures.

Firewall voice traversal
An application-level feature based on the firewall’s understanding of call flow and of the media channels a call negotiates, so the dynamically chosen ports are opened only for that call and only while it lasts. It supports both the H.323v2 and Session Initiation Protocol (SIP) voice protocols.

ICMP inspection
Permits the ICMP replies (echo reply, time exceeded, destination unreachable) that answer pings and traceroutes originated inside your firewall, while denying unsolicited ICMP arriving from the outside.

Authentication proxy
A feature that makes users authenticate before they can reach the network’s resources through HTTP, HTTPS, FTP, or Telnet. It retrieves each user’s personal network access profile from a RADIUS or TACACS+ server and applies it for you automatically.
Destination URL policy management
A buffet of features that’s commonly referred to as URL filtering.

Per-user firewalls
Personalized, user-specific, downloadable firewalls obtained through service providers. You can also get personalized ACLs and other settings via AAA server profile storage.

Cisco IOS router and firewall provisioning
Allows for no-touch router provisioning, version updates, and security policies.

Denial of service (DoS) detection and prevention
A feature that checks packet headers and drops packets it finds suspicious. In practice CBAC counts half-open (embryonic) TCP sessions and the rate of new connection attempts; once a configured high-water threshold is crossed it starts dropping or resetting the oldest half-open sessions, and stops once the count falls below the low-water threshold.

Dynamic port mapping
A sort of adapter, called Port-to-Application Mapping (PAM), that lets the firewall recognize and inspect supported applications running on nonstandard ports.

Java applet blocking
Protects you from strange, unrecognized Java applets by stripping applets out of HTTP responses from any site not permitted by an access list you specify.

Basic and Advanced Traffic Filtering
You can use standard, extended, and even dynamic ACLs (Lock-and-Key traffic filtering) with Cisco’s IOS Firewall. You get to apply access controls to any network segment you want, and you can specify the exact kind of traffic you allow to pass through each segment.

Policy-based, multi-interface support
Allows you to control user access by IP address and interface according to your security policy.

Network Address Translation (NAT)
Conceals the internal network’s addressing from the outside, which adds a measure of security. Keep in mind that NAT by itself is not a firewall: it hides addresses but does not decide what traffic is allowed, so it is paired with ACLs and stateful inspection.

Time-based access lists
Apply security policies based upon the exact time of day and the particular day of the week.

Peer router authentication
Guarantees that routers are getting dependable routing information from genuine, trusted sources. (For this to work, you need a routing protocol that supports authentication, like RIPv2, EIGRP, or OSPF.)
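As an added example (not code from the original page or a Cisco reference configuration), here is a single branch-router configuration that ties most of the features above together: a CBAC inspection rule with ICMP, SIP/H.323 and Java applet blocking, the half-open session thresholds behind DoS detection, Port-to-Application Mapping for HTTP on port 8080, a time-based ACL, NAT overload, and OSPF MD5 peer authentication. Interface names, addresses (RFC 5737 documentation ranges), ACL numbers, the rule name PERIM and the keys are all assumptions; authentication proxy, URL filtering, per-user firewalls and lock-and-key are not shown.

```cisco
! Added example, not from the original page. Every name, address and key
! below is an assumption for illustration.
! Assumed topology: FastEthernet0/0 = inside  (10.1.0.0/16)
!                   Serial0/0       = outside, OSPF peer at 203.0.113.2
!
! --- Stateful inspection engine (CBAC): one rule name, one line per protocol ---
ip inspect name PERIM tcp
ip inspect name PERIM udp
ip inspect name PERIM ftp
! ICMP inspection: echo-reply / unreachable / time-exceeded are let back in
! only for pings and traceroutes that left from the inside
ip inspect name PERIM icmp
! Firewall voice traversal: follow the call signalling and open the media
! ports the call negotiates, for that call only
ip inspect name PERIM sip
ip inspect name PERIM h323
! Java applet blocking: applets pass only from hosts permitted by ACL 51
ip inspect name PERIM http java-list 51
! Assumed trusted partner web servers that are allowed to serve applets
access-list 51 permit 198.51.100.0 0.0.0.255
!
! --- DoS detection and prevention: half-open session thresholds ---
! Above the high mark CBAC starts deleting the oldest half-open sessions,
! and stops once the count drops under the low mark
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host cap on half-open TCP sessions (block-time 0 = no host blackholing)
ip inspect tcp max-incomplete host 50 block-time 0
!
! --- Dynamic port mapping (PAM): inspect HTTP that runs on port 8080 ---
ip port-map http port 8080
!
! --- Time-based ACL ---
time-range WORKHOURS
 periodic weekdays 8:00 to 18:00
!
! Inside-facing ACL: what internal hosts may initiate
ip access-list extended INSIDE-OUT
 permit tcp 10.1.0.0 0.0.255.255 any eq www time-range WORKHOURS
 permit tcp 10.1.0.0 0.0.255.255 any eq 443 time-range WORKHOURS
 permit tcp 10.1.0.0 0.0.255.255 any eq 8080 time-range WORKHOURS
 permit tcp 10.1.0.0 0.0.255.255 any eq ftp
 permit udp 10.1.0.0 0.0.255.255 host 203.0.113.53 eq domain
 permit udp 10.1.0.0 0.0.255.255 any eq 5060
 permit icmp 10.1.0.0 0.0.255.255 any echo
 deny   ip any any log
!
! Outside-facing ACL: nothing comes in unless CBAC opened it.
! CBAC inserts temporary permit entries ahead of these lines for return traffic.
! Routing-protocol traffic is NOT opened by CBAC, so the OSPF peer is permitted
! explicitly; the first line drops packets spoofing our own address space.
ip access-list extended OUTSIDE-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 permit ospf host 203.0.113.2 any
 deny   ip any any log
!
! --- Peer router authentication: OSPF MD5 on the WAN link ---
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 203.0.113.0 0.0.0.3 area 0
 area 0 authentication message-digest
!
interface FastEthernet0/0
 description INSIDE
 ip address 10.1.1.1 255.255.0.0
 ip access-group INSIDE-OUT in
 ip inspect PERIM in
 ip nat inside
!
interface Serial0/0
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip ospf message-digest-key 1 md5 R0ut3Key
 ip nat outside
!
! --- NAT: hide the inside address space behind the outside interface ---
access-list 10 permit 10.1.0.0 0.0.255.255
ip nat inside source list 10 interface Serial0/0 overload
```

Two things to check after applying a configuration like this: `show ip inspect sessions` should list a session for every connection an inside host opens, and `show ip access-lists OUTSIDE-IN` should show the hit counters on the final `deny ip any any log` climbing while unsolicited probes from outside are dropped. The `ip inspect` syntax is the classic CBAC command set; the `icmp` and `sip` inspection keywords need a release from roughly IOS 12.2(15)T onward, and from 12.4(6)T Cisco introduced the zone-based policy firewall as the successor to CBAC, although `ip inspect` remains supported.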
Now that you’ve been briefed on security threats, relevant features of the Cisco IOS Firewall, and how to use that software to your advantage, let’s dive deep into the world of access lists and learn how to use ACLs to mitigate security threats. They really are powerful tools, so pay attention!
Exam Objectives

Remember the basic services that the Cisco IOS Firewall provides. The Cisco IOS Firewall provides, at a minimum, a stateful IOS firewall inspection engine, intrusion detection, firewall voice traversal, ICMP inspection, and authentication proxy, among many other services.