*The Cisco IOS Firewall feature set is a security-specific option for Cisco IOS software.*

| Feature | Description |
| --- | --- |
| Context-Based Access Control (CBAC) | Provides internal users secure, per-application-based access control for all traffic across perimeters, such as perimeters between private enterprise networks and the Internet |
| Intrusion Detection | Provides real-time monitoring, interception, and response to network misuse with a broad set of the most common attack and information gathering intrusion detection signatures |
| Authentication Proxy | Dynamic, per user authentication and authorization for LAN based and dial-in communications; authenticates users against industry standard TACACS+ and RADIUS authentication protocols; network administrators can set individual, per user security policies |
| Denial of Service Detection and Prevention | Defends and protects router resources against common attacks; checks packet headers, dropping suspicious packets |
| Dynamic Port Mapping | Allows network administrators to run CBAC supported applications on nonstandard ports |
| Java Applet Blocking | Protects against unidentified, malicious Java applets |
| VPNs, IPSec Encryption, and QoS Support | Operates with Cisco IOS software encryption, tunneling, and QoS features to secure VPNs. Provides scalable encrypted tunnels on the router while integrating strong perimeter security, advanced bandwidth management, intrusion detection, and service level validation. Standards based for interoperability |
| Real Time Alerts | Log alerts for denial-of-service attacks or other preconfigured conditions; now configurable on a per application, per feature basis |
| Audit Trail | Details transactions; records time stamp, source host, destination host, ports, duration and total number of bytes transmitted for detailed reporting; now configurable on a per application, per feature basis |
| Event Logging | Allows administrators to track potential security breaches or other nonstandard activities in real time by logging system error message output to a console terminal or syslog server, setting severity levels, and recording other parameters |
| Firewall Management | Wizard based network configuration tool offers step-by-step guidance through network design, addressing, and Cisco IOS Firewall security policy configuration; available on Cisco 1600, 1720, 2500, 2600, and 3600 routers; also supports NAT and IPSec configurations |
| Integration with Cisco IOS Software | Interoperates with Cisco IOS features, integrating security policy enforcement into the network |
| Basic and Advanced Traffic Filtering | Standard and extended access control lists (ACLs) apply access controls to specific network segments and define which traffic passes through a network segment. Lock and Key dynamic ACLs grant temporary access through firewalls upon user identification (username / password) |
| Policy-Based Multi-Interface Support | Provides ability to control user access by IP address and interface as determined by the security policy |
| Redundancy/Failover | Automatically routes traffic to a backup router if a failure occurs |
| Network Address Translation | Hides internal network from the outside for enhanced security |
| Time Based Access Lists | Defines security policy by time of day and day of week |
| Peer Router Authentication | Ensures that routers receive reliable routing information from trusted sources |
| Improved attack detection and defense for e-mail servers | New intrusion detection is designed specifically for SMTP-oriented attacks |

IOS Release and Supported Hardware
==================================

Cisco IOS software release 11.2(11)P and above supports 1600, 2500 platforms
IOS 11.3(3)T and above supports 1600, 2500
IOS 12.0 supports 1600, 2500
IOS 12.0(1)T and above supports 1600, 2500, 2600, 3600
IOS 12.0(1)XA supports 1720 only
IOS 12.0(2)T and above supports 1600, 1720, 2500, 2600, 3600
IOS 12.0(3)T and above supports 1600, 1720, 2500, 2600, 3600, 7200
IOS 12.0(4)T and above supports 800, uBR904, 1600, 1720, 2500, 2600, 3600, 7200
IOS 12.0(4)XA supports 7100
IOS 12.0(5)T and above supports 800, 1600, 1720, 2500, 2600, 3600, 7100, 7200

Description
===========

The Cisco IOS Firewall feature set combines robust firewall functionality and intrusion detection for the network, and enriches existing Cisco IOS security capabilities. It complements existing Cisco IOS security solutions such as authentication, encryption, and failover by adding security features such as stateful, application based filtering, dynamic per user authentication and authorization, defense against network attacks, Java blocking, and real-time alerts.

Cisco IOS Firewall provides a complete, integrated virtual private network (VPN) solution when integrated with Cisco IOS IPSec software and other IOS software based technologies. The Cisco IOS Firewall scales to allow customers to choose a router platform based on bandwidth, LAN and WAN density, and multiservice requirements, while benefiting from advanced security.