One enhancement that you should know about is the Firewall Policy Wizard. You can use this wizard to create a firewall and edit access control lists (ACLs). Here's a closer look at how the Firewall Policy Wizard works.
Any router between a LAN and the Internet needs to have a firewall enabled to protect the network from malicious attacks. On a Linksys (or another less expensive or feature-rich) router, that "firewall" could be as simple as a single radial button. For example, Figure A shows how to enable the firewall on my Linksys home router.
This is pretty simple, but it doesn't offer any customization. And if you think about it, it probably doesn't make you feel too secure either.
A Cisco IOS router offers a great deal of configuration options when you enable the firewall. However, while this may offer a better sense of security, it can also be pretty overwhelming, thanks to the complexity of the configuration.
But the SDM Firewall Policy Wizard can help make things easier. For example, let's configure a basic firewall using this wizard. For this demonstration, I'm using a Cisco 871W router with SDM version 2.4. I also have installed Cisco IOS Advanced Security version 12.4(11)T1.
Using the Cisco SDM Firewall And ACL Task section, you can create new firewalls and ACLs as well as edit existing ones. SDM offers wizards to create either a Basic Firewall or Advanced Firewall. What's the difference? The Basic Firewall won't configure a DMZ for you, but the Advanced Firewall will.
Because I wasn't interested in creating a DMZ, I chose the Basic Firewall option. Figure B shows a screenshot of the first screen I saw.
This screen explains how the Basic Firewall Configuration Wizard applies its template policy to the inside and outside interfaces. The wizard will give you the opportunity to decide which interface is which. The new policy will inspect TCP, UDP, and other protocols that travel from the inside to the outside zone. It will block IM, P2P, MSN, Yahoo, and AOL IM traffic. It will also deny any unsolicited traffic coming into the outside interface.
Click Next, which will take you to the Basic Firewall Interface Configuration screen, as shown in Figure C. This is where you can select which interface will be the inside and which will be the outside.
After you've made your selections, click Next. This takes you to the Basic Firewall Security Configuration screen, as shown in Figure D. Choose the level of security for the firewall: High, Medium, or Low.
I chose Medium Security and clicked the Preview Commands button to review the commands this setting would apply. Listing A displays this output.
When you see the output, you'll be glad you didn't have to manually type all those commands.
Once you're satisfied with your security setting, click Next. This takes you to the Basic Firewall Domain Name Server Configuration screen, as shown in Figure E. Specify the primary DNS server, and click Next.
The Firewall Configuration Summary screen sums up our choices, as shown in Figure F. If you're happy with your choices, click Finish.
The wizard then applied 273 commands to the router, as shown in Figure G.
After the wizard applies the configuration, you can click the Edit Firewall Policy tab in SDM to review the changes, as shown in Figure H.
One caveat: The Firewall Policy Wizard doesn't apply ACLs. Instead, it uses a new type of firewall configuration called Zone Policy Firewalls (ZPF). For more information about ZPFs, see Cisco's Configuring Zone Policy Firewalls documentation.
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.