Today, network security has become a top priority for every organization connected to the Internet, and firewalls have come to serve as the main security mechanism. While vendors have been pushing toward dedicated “firewall appliances”—and I don’t argue that these are excellent solutions—such appliances can also be very costly for small to medium-size businesses. For example, a Cisco PIX Firewall can cost thousands of dollars.
However, there is an inexpensive and effective firewall solution that you may have overlooked. Most companies that connect to the Internet use a standard router to do so. If you use a Cisco router, you should know that the Cisco IOS has a built-in feature set for creating a firewall and intrusion detection system. Using this solution, you don’t need a separate firewall box—it can all be done inside your current Cisco router. I like to call this a "poor man’s firewall.”
An excellent source for the proper recommendations and precautions for Cisco routers is the National Security Agency's executive summary for Cisco router security. This is the best single list of recommendations I have found for implementing strong security on Cisco routers.
Getting the proper IOS
The first step is to get the proper IOS for your Cisco router. If you are interested in only the most basic form of a firewall (allowing only the required IP addresses/ports and blocking the others), it’s likely that your existing Cisco router can do this by configuring extended IP access control lists. However, if you want many of the same features available in today’s more powerful firewalls, you need the firewall/intrusion detection system (FW/IDS) feature set.
You can get the IOS with the FW/IDS feature set by using the Cisco IOS Upgrade Planner. You must be a registered user on the Cisco site to access this. Using the IOS Upgrade Planner, you can select the model of router you have, the IOS version you would like (preferably one of the most recent), and the software features you're looking for. Make sure that you choose one with the FW/IDS feature set. (You may need to pay a small licensing fee to use this feature set.) Then, download the IOS, update your router to the new version, and reboot.
Next, you’ll need to properly configure the firewall and IDS features. As I mentioned earlier, the most basic firewall is configured with extended IP access control lists. This will also be the place we start when configuring a more advanced firewall.
Because many companies use network address translation (NAT) and private internal TCP/IP addresses, we'll build that part of the access list first. One common NAT scenario is for a router to have a serial connection to the Internet and an Ethernet connection to the local network. In this case, NAT enables the use of private TCP/IP addresses on the internal network, which provides additional privacy and security for internal systems and keeps you from having to change your internal addresses if you change your Internet Service Provider (ISP).
The configuration on your Cisco router might look something like this:
description Internet connection – external
ip address 184.108.40.206 255.255.255.0 !real Internet network
no ip proxy-arp
ip nat outside
description Local Network Ethernet Connection - internal
ip address 10.253.2.2 255.255.0.0 !local private network
no ip proxy-arp
ip nat inside
ip nat inside source static 10.253.1.1 220.127.116.11 ! Web server
ip nat inside source static 10.253.1.2 18.104.22.168 ! Email server
ip route 0.0.0.0 0.0.0.0 22.214.171.124
Note that the IP address of the local Web server is now 10.253.1.1, and the IP address of the local mail server is now 10.253.1.2. Before implementing the firewall, these two systems were sitting unprotected on the Internet with their two public Internet addresses, 126.96.36.199 (Web server) and 188.8.131.52 (mail server). Now, these two servers have internal IPs. Their external IPs, which stay the same, are terminated at the firewall; they're then translated to the internal IPs.
Also, all of the other internal and external addresses are translated, and anything that isn’t on the local 10.x.x.x network is sent out the serial interface with a default route. That takes care of NAT and internal addressing.
Configuring access lists
Now, for some network security, let's configure the access lists. If you wanted to allow only the HTTP protocol for the Web server and SMTP protocol for the mail server, the list would look like this:
access-list 100 remark Begin — IP .1 10.253.1.1 Web Server
access-list 100 permit tcp any eq www host 184.108.40.206
access-list 100 remark End —————————————————
access-list 100 remark Begin — IP .2 10.253.1.2 Email Server
access-list 100 permit tcp any eq smtp host 220.127.116.11 gt 1023
access-list 100 permit tcp any host 18.104.22.168 eq smtp
access-list 100 remark End —————————————————
You would then apply it to the serial (Internet) interface with the following commands:
ip access-group 100 in
Since this is going to be an important point of network security, you would want a log of the types of data being denied by your firewall. Although there is an implicit deny at the end of every access list, those denies aren’t logged. I would suggest running a syslog server on your network and telling the router to log, on the syslog server, all packets that are denied by your firewall. In this example, if the Web server were also your syslog server, you would add the following commands:
access-list 100 deny ip any any log
Working with NBAR
So far, we really haven’t tapped into the FW/IDS feature set. Now we'll configure Network-Based Application Recognition (NBAR), which is one of the firewall features. Basically, NBAR recognizes “applications,” such as HTTP, MIME, PCAnywhere, Microsoft SQL server, and many others, and takes action on them—most likely to discard the traffic.
For a simple example, let's use Cisco’s article on blocking the Code Red worm with NBAR. First, create a class-map that defines the traffic, in this case, applications and names of files that you want to block:
class-map match-any http-hacks
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
Next, use a policy map to mark packets with these characteristics:
set ip dscp 1
Then, apply the policy map to the serial (Internet) interface:
service-policy input mark-inbound-http-hacks
NBAR is useful for blocking all types of worms that are slithering around the Internet or even just known trouble-making executables that are distributed through e-mail or via downloading from a Web page. NBAR is just one of the many features in the firewall feature set; the others can be found in this Cisco configuration guide.
Using IDS features and other options
The other important aspect of network security is an intrusion detection system, or IDS. The Cisco IDS will recognize “signatures,” or what I call "attack patterns." One example is spamming a mail server. The IDS can recognize this is occurring and take whatever actions you specify (drop packets, notify you, etc.).
I could write an entire article on configuring Cisco’s IDS. Since IDS is an optional part of your firewall, I’ll save that configuration for another time and instead suggest you read Configuring Cisco IOS Firewall Intrusion Detection System before you begin such configuration.
A couple of other useful features in the firewall set are Context-Based Access Control (CBAC) and TCP Intercept. CBAC recognizes “content” in packets and creates a dynamic access list for that content.
An example is FTP traffic. If you wanted to allow users to FTP out of your network, you could use CBAC rather than have those ports open all the time in your access list. Normally, you would have the return FTP traffic denied back into your network. But CBAC will recognize that the FTP outbound traffic was initiated from your network and dynamically open up a port so that the traffic can return. This makes your network more secure because when that type of traffic is not occurring, there is no “hole” (open port) in your network that a hacker might be able to exploit.
TCP Intercept can prevent denial of service (DoS) attacks on your network. TCP Intercept will verify that a packet’s source is real before forwarding it on to its destination (your server). If the incoming packet’s source does not exist, the router drops it before it ever reaches your server and can chew up valuable processing time. This can stop DoS attacks in their tracks.
You can see what a variety of rich capabilities the Cisco IOS FW/IDS feature set offers. This all-in-one router and firewall has been a money-saving solution for my company, and perhaps it can be for yours as well. Although this article just scratched the surface of what you can do with the Cisco IOS firewall, it should get you off to a good start. The links below will also help you build and customize an IOS firewall to meet your needs.
Useful Cisco IOS firewall links
- Cisco IOS Upgrade Planner
- Cisco IOS Software
- Cisco IOS Security Configuration Guide, Release 12.2, Traffic Filtering and Firewalls Section
- Cisco IOS Firewall Overview
- Configuring Cisco IOS Firewall Intrusion Detection System
- Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
- Configuring Context-Based Access Control
- Access Control Lists: Overview and Guidelines
- Cisco IOS Security Command Reference, Release 12.2, Traffic Filtering and Firewalls Section
- TCP Intercept Commands
- Context-Based Access Control Commands
- Cisco IOS Firewall Intrusion Detection System Commands
- Cisco - Security Technical Tips
- Cisco - Configuring Network Based Application Recognition (NBAR)
- Cisco - Using Network-Based Application Recognition and Access Control Lists for Blocking the Code Red Worm
- National Security Agency (NSA): Cisco Router Security Configuration Guide
- National Security Agency (NSA): Cisco Router Security Configuration Guide EXECUTIVE SUMMARY
- TechRepublic: “Cisco's hidden gem: The IOS firewall”
- TechRepublic: “Get secure with Cisco extended IP access control lists”
- CertCities: The NBAR Defense