Router Security Configuration Guide UNCLASSIFIED 184 UNCLASSIFIED Version 1.0g

5.3. Using a Cisco Router as a Firewall

This section describes how to use a Cisco router as a modest firewall, if it is running a version of IOS that has firewall capabilities. To reach even a moderate level of effectiveness as a firewall, the router configuration must include good access lists; Section 4.3 describes access lists in detail. (Note: in mid-2000, Cisco renamed the IOS Firewall to “Cisco Secure Integrated Software.” Much of the documentation still uses the old name, and that is what we will use below. Current product catalogs and web pages use the new name.)

5.3.1. Basic Concepts

A network firewall is a network device that connects a protected internal network to some other untrusted, possibly hostile network. As long as all traffic between the trusted and the untrusted network passes through the firewall, it can effectively enforce a number of network security capabilities. Stateful inspection firewalls do this by inspecting each packet for compliance with the specified security policy.

Because routers connect networks together, many router vendors, including Cisco, provide a rudimentary firewall capability in their routers. The Content-Based Access Control (CBAC) facility of the Cisco IOS Firewall feature set allows a router to act as a rudimentary stateful inspection firewall. Configured together with good access lists, CBAC can provide modest firewall protection for a network without extra hardware.

Another important feature for firewalls is hiding network addresses and structure. Cisco IOS provides full support for Network Address Translation (NAT). Using NAT, a router can hide the structure of the trusted network by transparently translating all IP addresses and coalescing distinct IP addresses into a single one. This guide does not describe NAT; consult the Cisco IOS documentation for information about IOS NAT features.

5.3.2. Configuring Cisco IOS Content Based Access Control

The Cisco IOS Firewall feature set is designed to prevent unauthorized, external individuals from gaining access to your internal network, and to block attacks on your network, while at the same time allowing authorized users on the trusted network (the ‘inside’) access to services on the untrusted network (the ‘outside’). Potential applications for using a Cisco router as a firewall include: a quick-and-dirty Internet firewall, a firewall between two different communities of interest, and a firewall between a main network and a compartmented enclave.

The figure below shows the basic structure for a CBAC-based firewall setup. The security policy for this setup is to permit users to take advantage of certain network services on the untrusted network, but to offer no such services in the other direction.
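The policy just described, written out as an IOS configuration; this is an added illustration, not the guide's own configuration. The interface names, the inside network 192.168.10.0/24 and the outside link 198.51.100.0/30 are assumptions, and the inspection rule name fw-rule is made up.

```cisco
! Added example; interface names, addresses and the rule name are assumptions.
! CBAC inspection rule: track sessions that inside hosts open to the outside,
! so that only their return traffic is let back in through ACL 101.
ip inspect name fw-rule tcp
ip inspect name fw-rule udp
ip inspect name fw-rule ftp
! Log session creation/deletion so the firewall's activity can be reviewed.
ip inspect audit-trail
!
! Inbound ACL for the outside interface: nothing may be initiated from the
! outside, and packets claiming an inside source address are spoofed.
! CBAC inserts temporary entries ahead of these lines for inspected sessions.
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any log
access-list 101 deny   ip any any log
!
! Inbound ACL for the inside interface: only inside hosts may send out;
! anything else arriving on the inside is suspicious and gets logged.
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   ip any any log
!
interface Ethernet0
 description Inside (trusted) network
 ip address 192.168.10.1 255.255.255.0
 ip access-group 102 in
!
interface Serial0
 description Outside (untrusted) network
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
 ! Inspect traffic leaving toward the outside; the resulting state opens
 ! matching return flows in ACL 101 and closes them when the session ends.
 ip inspect fw-rule out
```

After applying this, `show ip inspect sessions` lists the tracked sessions and `show access-lists` shows the temporary entries CBAC has added, which is the quickest way to confirm that the inspection rule is actually bound to the interface.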