Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
protocols and services, such as ICMP, OSPF, or IPSec, must be separately permitted
by the interface access lists if you need them.
Steps in Setting Up a Cisco Router Firewall
To set up a simple firewall using CBAC, follow these steps:
1. Check that the router supports CBAC; if it does not, install an IOS
version that does (see Section 4.5.5).
Example: IOS 12.0(9) with Firewall Feature Set
2. Determine the list of services that users or hosts on the trusted network
need from the untrusted network. Call this list the desired services list.
Example: FTP, Web (HTTP), SMTP, POP3, RealAudio (RTSP)
3. Set up an outbound access list on the outside interface, prohibiting all
traffic that should not leave the trusted network but allowing traffic on
the desired services list (see Section 4.3).
4. Set up an inbound access list on the outside interface, permitting traffic
that the router must process, but prohibiting other TCP and UDP traffic
including the desired services list. This is the access list that CBAC will
be modifying on the fly.
5. Create a CBAC inspection ruleset supporting the desired services list.
6. Set the CBAC global timeouts. These timeout values determine how long
the window of accessibility opened back through the firewall in
response to a request from the trusted network stays open; values that
are too long leave the trusted network exposed for longer than necessary.
7. Apply the CBAC inspection ruleset to an interface, usually the outside
interface.
8. Test the configuration from a host on the trusted network by running
services, and test it from the untrusted network by running a network
scanner (see Section 6).
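The following configuration carries steps 3 through 7 through as one piece. It is an added example, not a configuration taken from this guide; the trusted network 192.0.2.0/24 on Ethernet0, the outside interface Serial0, access list numbers 101 and 102, and the inspection rule name FW are all assumed, and the DNS entry assumes an outside resolver.

```cisco
! Added example, not the guide's own configuration. Trusted network
! 192.0.2.0/24 on Ethernet0, outside interface Serial0, list numbers
! 101/102 and the inspection rule name FW are all assumed.
!
! Step 3: outbound list on the outside interface. Only the desired
! services list (FTP, HTTP, SMTP, POP3, RTSP) may leave the trusted
! network; everything else is denied and logged. DNS to an outside
! resolver is an assumption; drop that line if an internal resolver is used.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq smtp
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq pop3
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq 554
access-list 101 permit udp 192.0.2.0 0.0.0.255 any eq domain
access-list 101 permit icmp 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
! Step 4: inbound list on the outside interface. CBAC inserts its
! temporary entries ahead of these lines, so statically permit only what
! the router itself must process and deny all other TCP and UDP,
! including the desired services. Packets arriving from outside with a
! trusted source address are spoofed and are dropped first.
access-list 102 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 deny   tcp any any log
access-list 102 deny   udp any any log
access-list 102 deny   ip any any log
!
! Step 5: inspection ruleset for the desired services list. The
! application-aware keywords follow the FTP data channel and the RTSP
! media streams; generic tcp/udp inspection covers POP3 and DNS replies.
! Which keywords exist depends on the IOS release: check with
! "ip inspect name FW ?".
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW smtp
ip inspect name FW rtsp
ip inspect name FW tcp
ip inspect name FW udp
!
! Step 6: global timeouts, tightened below the IOS defaults (synwait 30,
! finwait 5, tcp idle 3600, udp idle 30, dns 5 seconds) so that openings
! punched through list 102 close promptly. The max-incomplete thresholds
! make CBAC start clearing half-open TCP sessions during a SYN flood.
ip inspect tcp synwait-time 15
ip inspect tcp finwait-time 3
ip inspect tcp idle-time 1800
ip inspect udp idle-time 20
ip inspect dns-timeout 3
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect audit-trail
!
! Step 7: bind both lists and the inspection rule to the outside interface.
interface Serial0
 description Link to the untrusted network
 ip access-group 101 out
 ip access-group 102 in
 ip inspect FW out
```

Two points to check when testing (step 8): `show ip inspect config` confirms the ruleset and timeouts took effect, and `show ip access-lists 102` run while a trusted host has a session open shows the temporary entries CBAC added at the top of the inbound list, which should disappear once the idle timers expire. Note also that the outbound list 101 is evaluated before inspection, so passive-mode FTP, where the client opens the data connection to a high port on the server, needs an additional permit in list 101; the ftp inspection keyword only opens the return direction.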
Step 1. Testing for CBAC Support on the Router
Examine the router IOS installation to ensure it has the firewall feature set. There is
no simple, direct way to check whether a router has CBAC capability. The easiest
way to check is to execute a CBAC-related command; if the command fails, then
CBAC is not supported. The two examples below show a router without CBAC,
Central, and a router with CBAC, South.
Central# show ip inspect all
^
% Invalid input detected at ^ marker.