Security

Secure your router with Cisco's SDM Firewall Policy Wizard

By , June 21, 2007, 1:38 PM

  • Figure A

    Last year, I introduced you to Cisco's Security Device Manager (SDM), a free Web-based utility to help manage your routers that comes preinstalled on new Cisco routers ("Learn the benefits of Cisco's Security Device Manager (SDM)"). Since then, Cisco has made a number of improvements to SDM.

    One enhancement that you should know about is the Firewall Policy Wizard. You can use this wizard to create a firewall and edit access control lists (ACLs). Here's a closer look at how the Firewall Policy Wizard works.

    Any router between a LAN and the Internet needs to have a firewall enabled to protect the network from malicious attacks. On a Linksys (or another less expensive or feature-rich) router, that "firewall" could be as simple as a single radial button. For example, Figure A shows how to enable the firewall on my Linksys home router.

    This is pretty simple, but it doesn't offer any customization. And if you think about it, it probably doesn't make you feel too secure either.

  • Figure B

    A Cisco IOS router offers a great deal of configuration options when you enable the firewall. However, while this may offer a better sense of security, it can also be pretty overwhelming, thanks to the complexity of the configuration.

    But the SDM Firewall Policy Wizard can help make things easier. For example, let's configure a basic firewall using this wizard. For this demonstration, I'm using a Cisco 871W router with SDM version 2.4. I also have installed Cisco IOS Advanced Security version 12.4(11)T1.

    Using the Cisco SDM Firewall And ACL Task section, you can create new firewalls and ACLs as well as edit existing ones. SDM offers wizards to create either a Basic Firewall or Advanced Firewall. What's the difference? The Basic Firewall won't configure a DMZ for you, but the Advanced Firewall will.

    Because I wasn't interested in creating a DMZ, I chose the Basic Firewall option. Figure B shows a screenshot of the first screen I saw.

    This screen explains how the Basic Firewall Configuration Wizard applies its template policy to the inside and outside interfaces. The wizard will give you the opportunity to decide which interface is which. The new policy will inspect TCP, UDP, and other protocols that travel from the inside to the outside zone. It will block IM, P2P, MSN, Yahoo, and AOL IM traffic. It will also deny any unsolicited traffic coming into the outside interface.

  • Figure C

    Click Next, which will take you to the Basic Firewall Interface Configuration screen, as shown in Figure C. This is where you can select which interface will be the inside and which will be the outside.

  • Figure D

    After you've made your selections, click Next. This takes you to the Basic Firewall Security Configuration screen, as shown in Figure D. Choose the level of security for the firewall: High, Medium, or Low.

    I chose Medium Security and clicked the Preview Commands button to review the commands this setting would apply. Listing A displays this output.

    When you see the output, you'll be glad you didn't have to manually type all those commands.

  • Figure E

    Once you're satisfied with your security setting, click Next. This takes you to the Basic Firewall Domain Name Server Configuration screen, as shown in Figure E. Specify the primary DNS server, and click Next.

  • Figure F

    The Firewall Configuration Summary screen sums up our choices, as shown in Figure F. If you're happy with your choices, click Finish.

  • Figure G

    The wizard then applied 273 commands to the router, as shown in Figure G.

  • Figure H

    After the wizard applies the configuration, you can click the Edit Firewall Policy tab in SDM to review the changes, as shown in Figure H.

    One caveat: The Firewall Policy Wizard doesn't apply ACLs. Instead, it uses a new type of firewall configuration called Zone Policy Firewalls (ZPF). For more information about ZPFs, see Cisco's Configuring Zone Policy Firewalls documentation.

    David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

    Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

Prev Next

Figure A

Last year, I introduced you to Cisco's Security Device Manager (SDM), a free Web-based utility to help manage your routers that comes preinstalled on new Cisco routers ("Learn the benefits of Cisco's Security Device Manager (SDM)"). Since then, Cisco has made a number of improvements to SDM.

One enhancement that you should know about is the Firewall Policy Wizard. You can use this wizard to create a firewall and edit access control lists (ACLs). Here's a closer look at how the Firewall Policy Wizard works.

Any router between a LAN and the Internet needs to have a firewall enabled to protect the network from malicious attacks. On a Linksys (or another less expensive or feature-rich) router, that "firewall" could be as simple as a single radial button. For example, Figure A shows how to enable the firewall on my Linksys home router.

This is pretty simple, but it doesn't offer any customization. And if you think about it, it probably doesn't make you feel too secure either.

7 comments
  Livefyre
Newest | Oldest
srjm
srjm

HI, I am trying to set up SDM on a 2801. When I get to Fig D medium and High are grayed out. How do I activate them?

estevaoberri
estevaoberri

How Can I disable firewall for msn and p2p?? I have a Cisco 877 with SDM 2.4

nmalik1664
nmalik1664

Can you download this program, and where would you download it from?

jkawyn
jkawyn

What dns server do i put in if im useing my router at home on roadrunner.

ddavis
ddavis

You would use your ISP's DNS Servers. Your PC or router will get this from DHCP, automatically, from the ISP (or at least you should). If your router does not, you can hook up your PC only, get the IP of the DNS server via DHCP, then connect the router and plug the IP in. I hope that helps! Thanks, David Davis Personal Website: www.HappyRouter.com

bstiff929
bstiff929

I see you did the walk-through on SDM 2.4, which defaults to Zone Firewall in the wizard (provided there's not already an 'ip inspect' firewall configured). Previous SDM versions included a firewall wizard, but they configured the classic FW. (SDM 2.4 was the first version to support the Zone-Based Policy Firewall). Many of the firewall configuration options must be found on the "additional tasks" section at the bottom of the left column. However, it beats configuring the Zone FW through the CLI...

Conversation powered by LiveFyre
Add your Comment