Connecting the world…

Firewalling

Cisco IOS Security

The first session I attended was about Deploying IOS Security: using Cisco IOS as a firewall to protect branch offices. We discussed both classic firewalling and zone-based firewalling. I normally use classic firewalling, but I guess I will have to try zone-based firewalling in the future. The advantage of zone-based firewalling is that you can place more than one interface in a zone and define the policies between zones instead of per interface. This is useful when configuring a branch router where the users need Internet access, or when configuring a wired and wireless setup with bridging.

A configuration example of zone-based firewalling is shown below:

! Class map: match-all means the flow must be HTTP AND match ACL 199
class-map type inspect match-all web-dmz
 match protocol http
 match access-group 199
!
! Only TCP traffic to the DMZ web server 192.168.10.3 is in scope
access-list 199 permit tcp any host 192.168.10.3
!
! Policy: inspect matching flows statefully; the implicit class-default drops everything else
policy-map type inspect firewall-policy
 class type inspect web-dmz
  inspect
!
! Zones (private is defined, but no interface is placed in it in this example)
zone security private
zone security public
zone security dmz
!
! Apply the policy to traffic initiated from public towards dmz
zone-pair security zone-policy source public destination dmz
 service-policy type inspect firewall-policy
!
interface fastethernet 0
 description public interface
 zone-member security public
!
interface fastethernet 1
 description dmz interface
 zone-member security dmz
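
As an added illustration, not part of the original post, here is a small Python model of how the zone-based firewall decides the fate of a new flow under the configuration above (zone membership, zone-pair lookup, match-all class map with ACL, implicit class-default drop). The Flow fields, the "app" identified by inspection and the sample addresses are assumptions, and the stateful handling of return traffic is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the configuration above (zones, zone-pair, class-map, ACL).
ZONE_OF_INTERFACE = {"fastethernet0": "public", "fastethernet1": "dmz"}
# access-list 199 permit tcp any host 192.168.10.3 (implicit deny at the end)
ACLS = {199: [("permit", "tcp", ip_network("0.0.0.0/0"), ip_network("192.168.10.3/32"))]}
# class-map type inspect match-all web-dmz: every criterion must match
CLASS_MAPS = {"web-dmz": {"protocol": "http", "access-group": 199}}
# policy-map type inspect firewall-policy; the implicit class-default drops
POLICY_MAPS = {"firewall-policy": [("web-dmz", "inspect")]}
# zone-pair security zone-policy source public destination dmz
ZONE_PAIRS = {("public", "dmz"): "firewall-policy"}

@dataclass
class Flow:
    in_if: str   # ingress interface
    out_if: str  # egress interface chosen by routing
    proto: str   # "tcp", "udp" or "icmp"
    app: str     # application identified by inspection, e.g. "http" (assumed)
    src: str
    dst: str

def acl_permits(acl_number, flow):
    # First matching entry wins; no match means the implicit deny.
    for action, proto, src_net, dst_net in ACLS[acl_number]:
        if proto in ("ip", flow.proto) and ip_address(flow.src) in src_net \
                and ip_address(flow.dst) in dst_net:
            return action == "permit"
    return False

def class_matches(name, flow):
    crit = CLASS_MAPS[name]
    return crit["protocol"] == flow.app and acl_permits(crit["access-group"], flow)

def zbf_action(flow):
    # Returns 'inspect', 'pass' or 'drop' for the first packet of a new flow.
    src_zone = ZONE_OF_INTERFACE.get(flow.in_if)
    dst_zone = ZONE_OF_INTERFACE.get(flow.out_if)
    if src_zone is None or dst_zone is None:
        return "drop"      # zone member <-> non-member interface is dropped
    if src_zone == dst_zone:
        return "pass"      # traffic between interfaces of one zone is allowed by default
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        return "drop"      # no zone-pair for this direction (e.g. dmz -> public)
    for class_name, action in POLICY_MAPS[policy]:
        if class_matches(class_name, flow):
            return action  # 'inspect' also admits the return traffic statefully
    return "drop"          # implicit class-default of an inspect policy drops
```

Note that a flow from the DMZ towards the public zone is dropped simply because no zone-pair exists for that direction, which is the point of defining policies per zone pair.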

Cisco IOS can also be used as an IPS (Intrusion Prevention System). When configuring IPS, Cisco SDM comes in handy; other tools for configuring routers are Cisco Configuration Professional and Cisco Security Manager.

The session was very useful and I am sure that I will try some configuration examples in the near future, which I, of course, will post on the blog.