Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
5.3. Using a Cisco Router as a Firewall
This section describes how to use a Cisco router as a modest firewall, if it is running
a version of IOS that has firewall capabilities. To reach even a moderate level of
effectiveness as a firewall, the router configuration must include good access lists;
Section 4.3 describes access lists in detail. (Note: in mid-2000, Cisco renamed the
IOS Firewall to Cisco Secure Integrated Software. Much of the documentation
still uses the old name, and that is what we will use below. Current product catalogs
and web pages use the new name.)
5.3.1. Basic Concepts
A network firewall is a network device that connects a protected internal network to
some other untrusted, possibly hostile network. As long as all traffic between the
trusted and the untrusted network passes through the firewall, it can effectively enforce
a number of network security capabilities. Stateful inspection firewalls do this by
inspecting each packet for compliance with the specified security policy.
Because routers connect networks together, many router vendors, including Cisco,
provide a rudimentary firewall capability in their routers. The Content-Based Access
Control (CBAC) facility of the Cisco IOS Firewall feature set allows a router to act as a
rudimentary stateful inspection firewall. Configured together with good access lists,
CBAC can provide modest firewall protection for a network without extra hardware.
Another important feature for firewalls is hiding network addresses and structure.
Cisco IOS provides full support for Network Address Translation (NAT). Using
NAT, a router can hide the structure of the trusted network by transparently
translating all IP addresses and coalescing distinct IP addresses into a single one.
This guide does not describe NAT; consult the Cisco IOS documentation for
information about IOS NAT features.
5.3.2. Configuring Cisco IOS Content-Based Access Control
The Cisco IOS Firewall feature set is designed to prevent unauthorized, external
individuals from gaining access to your internal network, and to block attacks on
your network, while at the same time allowing authorized users on the trusted
network (the inside) access to services on the untrusted network (the outside).
Potential applications for using a Cisco router as a firewall include: a quick-and-dirty
Internet firewall, a firewall between two different communities of interest, and a
firewall between a main network and a compartmented enclave.
The figure below shows the basic structure for a CBAC-based firewall setup. The
security policy for this setup is to permit users to take advantage of certain network
services on the untrusted network, but to offer no such services in the other direction.
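As an added example (not configuration from the guide itself), the following IOS fragment implements that policy with CBAC and two access lists: inside hosts may open a few named services toward the outside, CBAC admits only the return traffic of those sessions, and nothing else may enter. The interface names, addresses, access-list numbers and inspection rule name are assumptions chosen for illustration.

```cisco
! Added example, not from the guide. Assumptions: Ethernet0 is the trusted
! inside interface (10.1.1.0/24, constructed), Serial0 is the untrusted
! outside interface (192.0.2.0/30, TEST-NET, constructed).
!
! Inspection rule: record outbound TCP/UDP sessions so that only their
! return traffic is let back in; short timeouts limit how long an idle or
! half-open session occupies the state table. FTP gets application-aware
! inspection so its data connections are opened only on demand.
ip inspect name FWRULE tcp timeout 3600
ip inspect name FWRULE udp timeout 30
ip inspect name FWRULE ftp
ip inspect audit-trail
!
! Inbound list on the outside interface: no services are offered inward.
! CBAC inserts temporary permit entries ahead of these lines for return
! traffic of inspected sessions; only a few ICMP replies are allowed statically
! (ICMP is not tracked by this inspection rule).
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 unreachable
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 packet-too-big
access-list 101 deny ip any any log
!
! Outbound list on the inside interface: inside hosts may only start the
! sessions the policy allows (web, mail, FTP, DNS, ping). The final deny
! with logging records anything outside the policy for review.
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 25
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 21
access-list 102 permit udp 10.1.1.0 0.0.0.255 any eq 53
access-list 102 permit icmp 10.1.1.0 0.0.0.255 any echo
access-list 102 deny ip any any log
!
interface Ethernet0
 description Trusted inside network
 ip address 10.1.1.1 255.255.255.0
 ip access-group 102 in
!
interface Serial0
 description Untrusted outside network
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 ip inspect FWRULE out
```

Inspection is applied outbound on the outside interface, so sessions leaving through Serial0 create the temporary openings in access list 101; `show ip inspect sessions` lists the sessions currently being tracked.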