The first session I attended was about Deploying IOS Security. The session was about using Cisco IOS as a firewall to protect branch offices. We discussed the classic (CBAC) firewall and the zone-based firewall. I normally use the classic firewall, but I guess I have to try the zone-based firewall in the future. The advantage of the zone-based firewall is that you can put more than one interface into a zone and create policies between the zones instead of per interface. This is useful when configuring a branch router where the users need Internet access, or when configuring a wired and wireless setup with bridging.
A configuration example of zone-based firewalling is shown below:
class-map type inspect match-all web-dmz
 match protocol http
 match access-group 199
access-list 199 permit tcp any host 192.168.10.3
policy-map type inspect firewall-policy
 class type inspect web-dmz
  inspect
zone security private
zone security public
zone security dmz
zone-pair security zone-policy source public destination dmz
 service-policy type inspect firewall-policy
interface fastethernet 0
 description public interface
 zone-member security public
interface fastethernet 1
 description dmz interface
 zone-member security dmz
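As an added check (my own example, not from the session or from Cisco), here is a small Python lint that reads a zone-based firewall configuration like the one above and reports zones without a member interface, zone-pairs without a usable service-policy, references to undefined zones or class-maps, and classes that carry no inspect/pass/drop action. The SAMPLE string inside it is constructed from the example above with the action deliberately left out, which is exactly the kind of slip the lint is meant to catch.

```python
ACTIONS = {"inspect", "pass", "drop"}      # actions a class may carry inside an inspect policy-map
TOP_LEVEL = {"zone", "class-map", "policy-map", "zone-pair", "interface", "access-list"}

def lint_zbf(config):
    """Return findings for a flattened or indented ZBF config; [] means it is consistent (added example)."""
    zones, cmaps, pmaps, pairs, members, ctx = {"self"}, set(), {}, {}, [], {}
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] in TOP_LEVEL:                  # a new top-level command closes the old context
            ctx = {}
        if w[:2] == ["zone", "security"]:
            zones.add(w[2])
        elif w[:3] == ["class-map", "type", "inspect"]:
            cmaps.add(w[-1])
        elif w[:3] == ["policy-map", "type", "inspect"]:
            ctx["pm"] = pmaps.setdefault(w[3], {})
        elif "pm" in ctx and w[0] == "class":  # 'class type inspect NAME' or 'class class-default'
            ctx["cls"] = w[-1]
            ctx["pm"][w[-1]] = None            # no action seen yet
        elif "cls" in ctx and w[0] in ACTIONS:
            ctx["pm"][ctx["cls"]] = w[0]
        elif w[:2] == ["zone-pair", "security"]:
            ctx["zp"] = pairs.setdefault(w[2], {"src": w[4], "dst": w[6], "policy": None})
        elif "zp" in ctx and w[:3] == ["service-policy", "type", "inspect"]:
            ctx["zp"]["policy"] = w[3]
        elif w[0] == "interface":
            ctx["if"] = " ".join(w[1:])
        elif "if" in ctx and w[:2] == ["zone-member", "security"]:
            members.append((ctx["if"], w[2]))
    out = [f"{i}: undefined zone '{z}'" for i, z in members if z not in zones]
    for name, p in pairs.items():
        out += [f"zone-pair {name}: undefined zone '{p[s]}'" for s in ("src", "dst") if p[s] not in zones]
        if p["policy"] not in pmaps:
            out.append(f"zone-pair {name}: missing or undefined service-policy")
    for name, classes in pmaps.items():
        out += [f"policy-map {name}: undefined class-map '{c}'" for c in classes if c != "class-default" and c not in cmaps]
        out += [f"policy-map {name}: class '{c}' has no inspect/pass/drop action" for c, a in classes.items() if a is None]
    out += [f"zone '{z}' has no member interface" for z in sorted(zones - {"self"}) if z not in {m[1] for m in members}]
    return out

# Constructed sample modelled on the example above; the web-dmz class has no action on purpose.
SAMPLE = "\n".join([
    "class-map type inspect match-all web-dmz", " match protocol http",
    "policy-map type inspect firewall-policy", " class type inspect web-dmz",
    "zone security private", "zone security public", "zone security dmz",
    "zone-pair security zone-policy source public destination dmz", " service-policy type inspect firewall-policy",
    "interface fastethernet 0", " zone-member security public", "interface fastethernet 1", " zone-member security dmz"])
```

Calling lint_zbf(SAMPLE) reports the class without an action and the private zone that has no member interface; adding " inspect" under the class leaves only the latter.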
Cisco IOS can also be used as an IPS (Intrusion Prevention System). When configuring IPS, Cisco SDM comes in handy. Other tools for configuring routers are Cisco Configuration Professional and Cisco Security Manager.
The session was very useful and I am sure that I will try some configuration examples in the near future, which I, of course, will post on the blog.