Router Security Configuration Guide UNCLASSIFIED 186 UNCLASSIFIED Version 1.0g

protocols and services, such as ICMP, OSPF, or IPSec, must be separately permitted by the interface access lists if you need them.

Steps in Setting Up a Cisco Router Firewall

To set up a simple firewall using CBAC, follow these steps:

1. Check that the router supports CBAC; if it does not, then install an IOS version that does (see Section 4.5.5). Example: IOS 12.0(9) with Firewall Feature Set.

2. Determine the list of services that users or hosts on the trusted network need from the untrusted network. Call this list the desired services list. Example: FTP, Web (HTTP), SMTP, POP3, RealAudio (RTSP).

3. Set up an outbound access list on the outside interface, prohibiting all traffic that should not leave the trusted network but allowing traffic on the desired services list (see Section 4.3).

4. Set up an inbound access list on the outside interface, permitting traffic that the router must process, but prohibiting other TCP and UDP traffic, including the desired services list. This is the access list that CBAC will be modifying on the fly.

5. Create a CBAC inspection ruleset supporting the desired services list.

6. Set the CBAC global timeouts. These timeout values determine the duration of the window of accessibility opened back through the firewall in response to a request from the trusted network; values that are too long can leave the trusted network vulnerable.

7. Apply the CBAC inspection ruleset to an interface, usually the outside interface.

8. Test the configuration from a host on the trusted network by running services, and test it from the untrusted network by running a network scanner (see Section 6).

Step 1. Testing for CBAC Support on the Router

Examine the router IOS installation to ensure it has the firewall feature set. There is no simple, direct way to check whether a router has CBAC capability. The easiest way to check is to execute a CBAC-related command; if the command fails, then CBAC is not supported. The two examples below show a router without CBAC, Central, and a router with CBAC, South.

    Central# show ip inspect all
                      ^
    % Invalid input detected at '^' marker.
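Steps 3 through 7 above, worked as one added example; this is not configuration from the guide itself. It assumes a trusted network of 192.0.2.0/24 behind Ethernet0/0, the untrusted network on Serial0/0, access lists 101 and 102, an inspection rule named fw-out, and timeout values chosen for illustration.

```cisco
! Added example (not from the guide). Assumed: trusted network
! 192.0.2.0/24 on Ethernet0/0, untrusted side on Serial0/0,
! inspection rule "fw-out". Adjust addresses and interfaces to fit.
!
! Step 3: outbound ACL on the outside interface. Only the desired
! services list (FTP, HTTP, SMTP, POP3, RTSP) may leave the trusted
! network; the final deny logs anything else for review.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq smtp
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq pop3
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq 554
access-list 101 deny   ip any any log
!
! Step 4: inbound ACL on the outside interface. Permit only what the
! router must process (assumed here: ICMP replies and error messages
! needed by hosts) and deny all other TCP and UDP, including the
! desired services. CBAC inserts temporary permit entries ahead of
! these denies for each session it has inspected outbound.
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 unreachable
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
access-list 102 deny   tcp any any log
access-list 102 deny   udp any any log
access-list 102 deny   ip any any log
!
! Step 5: inspection ruleset matching the desired services list.
! FTP and RTSP need protocol-aware inspection for their data channels;
! HTTP, SMTP and POP3 are covered by the generic tcp entry.
ip inspect name fw-out ftp
ip inspect name fw-out rtsp
ip inspect name fw-out http
ip inspect name fw-out smtp
ip inspect name fw-out tcp
!
! Step 6: global timeouts, kept short so the return path opened by
! CBAC closes promptly once a session ends (values are assumed).
ip inspect tcp synwait-time 15
ip inspect tcp finwait-time 2
ip inspect tcp idle-time 1800
ip inspect udp idle-time 20
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
!
! Step 7: apply both ACLs and the inspection rule on the outside interface.
interface Serial0/0
 description Untrusted (outside) interface
 ip access-group 102 in
 ip access-group 101 out
 ip inspect fw-out out
```

After applying it, show ip inspect sessions lists the sessions CBAC is tracking, and show access-lists 102 shows the temporary entries it has added; both should be empty once trusted-side sessions have closed and the timeouts have expired.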