The presentation was published 10 years ago by user Zinaida Strekopytova
Slide 1: Adaptive Threat Defense: Examining Cisco IOS Firewall
© 2006 Cisco Systems, Inc. All rights reserved. SNRS v2.0

Slide 2: Firewalls
[Diagram labels: Router with Firewall, Corporate Resources, DMZ, Corporate Headquarters, Branch Office, Research and Development, Partner]

Slide 3: IOS Firewall
Deploy:
  – As an Internet Firewall
  – Between groups on internal network
  – As a VPN end point from branches
  – Between partner network and corporate
Features:
  – Cisco IOS Software Stateful Packet Inspection
  – Protection Against Attack
  – Alerts and Audit Trails
  – Authentication Proxy
  – Support for NAT and Port-to-Application Mapping (PAM)

Slide 4: Cisco IOS Firewall Feature Set
Classic firewall
Authentication proxy
Cisco IOS IPS
ACLs
  – Standard and extended
  – Lock-and-key (Dynamic ACLs)
  – Reflexive
TCP Intercept
PAM
NAT
Security server support
  – RADIUS, TACACS+, Kerberos
User authentication and authorization

Slide 5: Cisco IOS Classic Firewall
Packets entering the firewall are inspected by Cisco IOS classic firewall if they are not specifically denied by an ACL.
Cisco IOS classic firewall permits or denies specified TCP and UDP traffic through a firewall.
A state table is maintained with session information.
ACLs are dynamically created or deleted.
Cisco IOS classic firewall protects against DoS attacks.
[Diagram labels: TCP, UDP, Internet]

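Added example (not part of the original slides and not Cisco code): a simplified Python model of the behaviour slide 5 describes, where an inspected outbound TCP or UDP packet creates a state-table entry that acts as a temporary permit for the return flow and is deleted on teardown or idle timeout. The names Packet and ClassicFirewall, the 30-second timeout and the addresses are assumptions made for the demonstration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=("",))  # flags: TCP letters

class ClassicFirewall:
    def __init__(self, idle_timeout=30.0):   # timeout is an assumed demo value
        self.idle_timeout = idle_timeout
        self.sessions = {}                   # state table: return-flow key -> last seen

    def _expire(self, now):
        for key in [k for k, seen in self.sessions.items() if now - seen > self.idle_timeout]:
            del self.sessions[key]           # idle session: its dynamic entry is deleted

    def outbound(self, p, now):
        """Inspect an inside-to-outside packet; True if a return entry exists afterwards."""
        self._expire(now)
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # mirror image of this flow
        if p.proto not in ("tcp", "udp") or set(p.flags) & {"F", "R"}:
            self.sessions.pop(key, None)     # not inspected, or teardown (no FIN wait here)
            return False
        self.sessions[key] = now             # create or refresh the dynamic permit entry
        return True

    def inbound(self, p, now):
        """Permit an outside-to-inside packet only if it matches a live dynamic entry."""
        self._expire(now)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.sessions:
            return False                     # no entry: the static ACL denies it
        if set(p.flags) & {"F", "R"}:
            del self.sessions[key]           # session closed: entry removed
        else:
            self.sessions[key] = now
        return True

def demo():
    fw, c, s = ClassicFirewall(), "10.0.0.5", "203.0.113.10"   # constructed addresses
    fw.outbound(Packet("tcp", c, 40000, s, 80, "S"), now=0)
    out = [fw.inbound(Packet("tcp", s, 80, c, 40000, "SA"), now=1),              # reply
           fw.inbound(Packet("tcp", s, 80, c, 40001, "SA"), now=1),              # wrong port
           fw.inbound(Packet("tcp", "198.51.100.7", 80, c, 40000, "S"), now=2),  # unsolicited
           fw.inbound(Packet("tcp", s, 80, c, 40000, "R"), now=3),               # reset
           fw.inbound(Packet("tcp", s, 80, c, 40000, "A"), now=4)]               # after reset
    fw.outbound(Packet("udp", c, 5353, s, 53), now=10)
    out.append(fw.inbound(Packet("udp", s, 53, c, 5353), now=50))   # idle 40 s > timeout
    return out

if __name__ == "__main__":
    print(demo())
```

Only the reply to the inside host's own connection and the reset that closes it are permitted; the wrong-port, unsolicited, post-teardown and timed-out packets are all dropped.
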
Slide 6: Cisco IOS Firewall Authentication Proxy
HTTP, HTTPS, FTP, and Telnet authentication
Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols

Slide 7: Cisco IOS IPS
[Diagram labels: TCP, UDP, Internet]
Acts as an in-line Cisco IOS intrusion prevention sensor
When a packet or packets match a signature, it can perform any of the following configurable actions:
  – Alarm: Send an alarm to a security device manager or syslog server
  – Drop: Drop the packet
  – Reset: Send TCP resets to terminate the session
Identifies 1500-plus common attacks

Slide 8: Summary
Firewalls are networking devices that control access to network assets of your organization.
The Cisco IOS Firewall feature set combines existing Cisco IOS Firewall technology and Cisco IOS Classic Firewall.
The Cisco IOS Firewall is a security-specific option for Cisco IOS Software.
Cisco IOS classic firewall intelligently filters TCP and UDP packets based on application-layer protocol session information.
The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis.
The Cisco IOS IPS acts as an in-line intrusion detection sensor.