Cisco IOS Security
The first session I attended was about Deploying IOS Security. The session covered using Cisco IOS as a firewall to protect branch offices. We discussed classic firewalling and zone-based firewalling. I normally use classic firewalling, but I guess I have to try zone-based firewalling in the future. The advantage of zone-based firewalling is that you can add more than one interface to a zone and create policies between the zones instead of per interface. This is useful when configuring a branch router where the users need Internet access, or when configuring a wired and wireless setup with bridging.
A configuration example of zone-based firewalling is shown below:
class-map type inspect match-all web-dmz
 match protocol http
 match access-group 199
!
access-list 199 permit tcp any host 192.168.10.3
!
policy-map type inspect firewall-policy
 class type inspect web-dmz
  inspect
!
zone security private
zone security public
zone security dmz
!
zone-pair security zone-policy source public destination dmz
 service-policy type inspect firewall-policy
!
interface fastethernet 0
 description public interface
 zone-member security public
!
interface fastethernet 1
 description dmz interface
 zone-member security dmz
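The example above only covers the public-to-DMZ direction. For the branch-office case mentioned earlier, where users on the inside need Internet access, the zone-pair goes from the private zone to the public zone, with stateful inspection creating the return openings. The following configuration is an added example (not from the original post or the session material); the zone, class-map and policy-map names and the FastEthernet interface numbers are assumptions. The explicit `class class-default` with `drop log` makes the implicit deny visible in the logs, and because no public-to-private zone-pair is defined, unsolicited traffic from the Internet towards the private zone is dropped by default. Note that traffic to and from the router itself (the built-in `self` zone) is not restricted unless a zone-pair involving `self` is configured, so management access to the router still needs its own policy.

```cisco
! Traffic the inside users are allowed to start towards the Internet
class-map type inspect match-any private-to-public-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Inspect the allowed traffic, log and drop everything else
policy-map type inspect private-to-public-policy
 class type inspect private-to-public-class
  inspect
 class class-default
  drop log
!
zone security private
zone security public
!
! One zone-pair per direction; no public->private pair means
! unsolicited Internet traffic towards the LAN is dropped
zone-pair security private-public source private destination public
 service-policy type inspect private-to-public-policy
!
interface FastEthernet0
 description public interface (Internet)
 zone-member security public
!
interface FastEthernet1
 description private interface (branch LAN)
 zone-member security private
```

After applying this, `show policy-map type inspect zone-pair private-public sessions` shows the inspected sessions and `show zone-pair security` confirms which policy is attached to which zone-pair. Traffic between a zone member and an interface that is not in any zone is dropped, so every routed interface on the branch router should be placed in a zone on purpose.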
Cisco IOS can also act as an IPS (Intrusion Prevention System). When configuring IPS, Cisco SDM comes in handy. Other tools for configuring routers are Cisco Configuration Professional and Cisco Security Manager.
The session was very useful and I am sure that I will try some configuration examples in the near future, which I, of course, will post on the blog.
René Jorissen