Build Your Skills: Create a poor man's firewall with the Cisco IOS

Uncovers a little-known secret regarding a built-in feature set for creating a firewall and intrusion-detection system within the Cisco IOS router

Today, network security has become a top priority for every organization connected to the Internet, and firewalls have come to serve as the main security mechanism. While vendors have been pushing toward dedicated “firewall appliances”—and I don’t argue that these are excellent solutions—such appliances can also be very costly for small to medium-size businesses. For example, a Cisco PIX Firewall can cost thousands of dollars.

However, there is an inexpensive and effective firewall solution that you may have overlooked. Most companies that connect to the Internet use a standard router to do so. If you use a Cisco router, you should know that the Cisco IOS has a built-in feature set for creating a firewall and intrusion detection system. Using this solution, you don’t need a separate firewall box—it can all be done inside your current Cisco router. I like to call this a “poor man’s firewall.”

Security resource
An excellent source for the proper recommendations and precautions for Cisco routers is the National Security Agency's executive summary for Cisco router security. This is the best single list of recommendations I have found for implementing strong security on Cisco routers.

Getting the proper IOS
The first step is to get the proper IOS for your Cisco router. If you are interested in only the most basic form of a firewall (allowing only the required IP addresses/ports and blocking the others), it’s likely that your existing Cisco router can do this by configuring extended IP access control lists. However, if you want many of the same features available in today’s more powerful firewalls, you need the firewall/intrusion detection system (FW/IDS) feature set.

You can get the IOS with the FW/IDS feature set by using the Cisco IOS Upgrade Planner. You must be a registered user on the Cisco site to access this. Using the IOS Upgrade Planner, you can select the model of router you have, the IOS version you would like (preferably one of the most recent), and the software features you're looking for. Make sure that you choose one with the FW/IDS feature set. (You may need to pay a small licensing fee to use this feature set.) Then, download the IOS, update your router to the new version, and reboot.

Configuring NAT
Next, you’ll need to properly configure the firewall and IDS features. As I mentioned earlier, the most basic firewall is configured with extended IP access control lists. This will also be the place we start when configuring a more advanced firewall.

Because many companies use network address translation (NAT) and private internal TCP/IP addresses, we'll build that part of the access list first. One common NAT scenario is for a router to have a serial connection to the Internet and an Ethernet connection to the local network. In this case, NAT enables the use of private TCP/IP addresses on the internal network, which provides additional privacy and security for internal systems and keeps you from having to change your internal addresses if you change your Internet Service Provider (ISP).

The configuration on your Cisco router might look something like this:
interface Serial1/0
description Internet connection – external
ip address !real Internet network
no ip proxy-arp
ip nat outside
interface Ethernet1/1
description Local Network Ethernet Connection - internal
ip address !local private network
no ip proxy-arp
ip nat inside
ip nat inside source static ! Web server
ip nat inside source static ! Email server
ip route

Note that the IP address of the local Web server is now, and the IP address of the local mail server is now. Before implementing the firewall, these two systems were sitting unprotected on the Internet with their two public Internet addresses, (Web server) and (mail server). Now, these two servers have internal IPs. Their external IPs, which stay the same, are terminated at the firewall; they're then translated to the internal IPs.

Also, all of the other internal and external addresses are translated, and anything that isn’t on the local 10.x.x.x network is sent out the serial interface with a default route. That takes care of NAT and internal addressing.

Configuring access lists
Now, for some network security, let's configure the access lists. If you wanted to allow only the HTTP protocol for the Web server and SMTP protocol for the mail server, the list would look like this:
access-list 100 remark Begin — IP .1 Web Server
access-list 100 permit tcp any host eq www
access-list 100 remark End —————————————————
access-list 100 remark Begin — IP .2 Email Server
access-list 100 permit tcp any eq smtp host gt 1023
access-list 100 permit tcp any host eq smtp
access-list 100 remark End —————————————————

You would then apply it to the serial (Internet) interface with the following commands:
interface Serial1/0
ip access-group 100 in

Since this is going to be an important point of network security, you would want a log of the types of data being denied by your firewall. Although there is an implicit deny at the end of every access list, those denies aren’t logged. I would suggest running a syslog server on your network and telling the router to log, on the syslog server, all packets that are denied by your firewall. In this example, if the Web server were also your syslog server, you would add the following commands:
access-list 100 deny ip any any log
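Putting the NAT, access-list and logging steps together, here is a complete version of the configuration as an added example. It is not the article's own configuration, and every address in it is constructed from the RFC 5737 documentation ranges: 198.51.100.0/30 for the ISP link, 203.0.113.0/29 as the public block the ISP routes to you, and 10.0.0.0/24 inside. It goes one step beyond the text in two places: it adds the overload (PAT) statement that translates the other internal hosts, which the article describes but does not show, and it adds the "established" keyword to the mail-reply rule so that a bare SYN arriving from source port 25 is not let in.

```cisco
! Added example, not the article's configuration. All addresses are
! constructed documentation addresses (RFC 5737), chosen for illustration.
!
interface Serial1/0
 description Internet connection - external
 ip address 198.51.100.2 255.255.255.252
 no ip proxy-arp
 ip nat outside
 ip access-group 100 in
!
interface Ethernet1/1
 description Local Network Ethernet Connection - internal
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
! Static one-to-one translations for the two published servers
ip nat inside source static 10.0.0.11 203.0.113.1
ip nat inside source static 10.0.0.12 203.0.113.2
!
! Everyone else on the LAN shares the serial interface address (PAT);
! access-list 1 selects which inside sources are translated.
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface Serial1/0 overload
!
! Anything not on the 10.0.0.0/24 LAN goes out the serial link
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Inbound filter on the Internet side. An HTTP request arrives from a
! random high source port TO port 80, so the rule matches the destination port.
access-list 100 remark Begin - 203.0.113.1 Web server
access-list 100 permit tcp any host 203.0.113.1 eq www
access-list 100 remark End
access-list 100 remark Begin - 203.0.113.2 Mail server
! Mail delivered to us
access-list 100 permit tcp any host 203.0.113.2 eq smtp
! Replies to mail we send: remote port 25 back to our ephemeral ports.
! 'established' requires ACK or RST to be set, so a new connection that
! merely uses source port 25 does not match and falls through to the deny.
access-list 100 permit tcp any eq smtp host 203.0.113.2 gt 1023 established
access-list 100 remark End
! Explicit, logged deny in place of the silent implicit deny
access-list 100 deny ip any any log
!
! Ship the log messages to a syslog server on the LAN (here the Web server)
logging 10.0.0.11
logging trap informational
logging source-interface Ethernet1/1
```

Inbound packets on Serial1/0 are checked against list 100 before NAT rewrites the destination, so the rules name the public addresses, not the 10.x ones. Return traffic for internal users' own outbound sessions (Web browsing from the LAN, for instance) is still caught by the final deny; that gap is what CBAC, described later in the article, is for. The "log" keyword on that last entry is what produces the syslog entries on 10.0.0.11, so it is worth checking that the server is actually receiving them before relying on the log.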

Working with NBAR
So far, we really haven’t tapped into the FW/IDS feature set. Now we'll configure Network-Based Application Recognition (NBAR), which is one of the firewall features. Basically, NBAR recognizes “applications,” such as HTTP, MIME, PCAnywhere, Microsoft SQL server, and many others, and takes action on them—most likely to discard the traffic.

For a simple example, let's use Cisco’s article on blocking the Code Red worm with NBAR. First, create a class-map that defines the traffic, in this case, applications and names of files that you want to block:
class-map match-any http-hacks
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"

Next, use a policy map to mark packets with these characteristics:
policy-map mark-inbound-http-hacks
class http-hacks
set ip dscp 1

Then, apply the policy map to the serial (Internet) interface:
interface Serial1/0
service-policy input mark-inbound-http-hacks

NBAR is useful for blocking all types of worms that are slithering around the Internet or even just known trouble-making executables that are distributed through e-mail or via downloading from a Web page. NBAR is just one of the many features in the firewall feature set; the others can be found in this Cisco configuration guide.

Using IDS features and other options
The other important aspect of network security is an intrusion detection system, or IDS. The Cisco IDS will recognize “signatures,” or what I call "attack patterns." One example is spamming a mail server. The IDS can recognize this is occurring and take whatever actions you specify (drop packets, notify you, etc.).

I could write an entire article on configuring Cisco’s IDS. Since IDS is an optional part of your firewall, I’ll save that configuration for another time and instead suggest you read Configuring Cisco IOS Firewall Intrusion Detection System before you begin such configuration.

A couple of other useful features in the firewall set are Context-Based Access Control (CBAC) and TCP Intercept. CBAC recognizes “content” in packets and creates a dynamic access list for that content.

An example is FTP traffic. If you wanted to allow users to FTP out of your network, you could use CBAC rather than have those ports open all the time in your access list. Normally, you would have the return FTP traffic denied back into your network. But CBAC will recognize that the FTP outbound traffic was initiated from your network and dynamically open up a port so that the traffic can return. This makes your network more secure because when that type of traffic is not occurring, there is no “hole” (open port) in your network that a hacker might be able to exploit.

TCP Intercept can prevent denial of service (DoS) attacks on your network. TCP Intercept will verify that a packet’s source is real before forwarding it on to its destination (your server). If the incoming packet’s source does not exist, the router drops it before it ever reaches your server and chews up valuable processing time. This can stop DoS attacks in their tracks.
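An added example of both features, not the article's own configuration, using the same constructed addressing as before (203.0.113.1 and .2 for the published servers). CBAC is enabled as a named inspection rule applied outbound on the Internet interface, so that replies to sessions started from the LAN are let back in through list 100 for as long as the session lasts; TCP Intercept is told, through a separate access list that is never applied to an interface, which servers it should answer SYNs for.

```cisco
! Added example, not the article's configuration.
!
! ---- CBAC -------------------------------------------------------------
! Log session open/close events to syslog, and give up on a half-open
! outbound TCP session after 15 seconds.
ip inspect audit-trail
ip inspect tcp synwait-time 15
!
! What to keep state for. 'ftp' understands the separate data connection,
! 'tcp' and 'udp' cover everything else started from the LAN.
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
interface Serial1/0
 ip access-group 100 in
 ip inspect OUTBOUND out
!
! ---- TCP Intercept ----------------------------------------------------
! List 110 only names the connections to protect; it is not applied to
! an interface. Addresses are as seen on the Serial1/0 side, before NAT.
access-list 110 permit tcp any host 203.0.113.1 eq www
access-list 110 permit tcp any host 203.0.113.2 eq smtp
ip tcp intercept list 110
! 'intercept' mode: the router completes the three-way handshake with the
! client itself and only then opens the connection to the real server, so a
! SYN from an unreachable source never occupies a slot on the server.
ip tcp intercept mode intercept
! Once half-open connections pile up, start dropping the oldest ones
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept drop-mode oldest
```

With CBAC in place the temporary openings never appear in the saved configuration; "show ip inspect sessions" lists the sessions currently being tracked, and "show ip access-lists 100" shows the dynamic entries CBAC has inserted ahead of the static ones. "show tcp intercept statistics" is the place to look when you suspect a SYN flood is in progress.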

You can see the variety of rich capabilities the Cisco IOS FW/IDS feature set offers. This all-in-one router and firewall has been a money-saving solution for my company, and perhaps it can be for yours as well. Although this article just scratched the surface of what you can do with the Cisco IOS firewall, it should get you off to a good start. The links below will also help you build and customize an IOS firewall to meet your needs.

Useful Cisco IOS firewall links

