• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1222

Cisco Advanced Security K9 IOS as packet inspection firewall

Hi, I have a 2811 router running the latest K9 IOS. The router terminates a 3 Mbit MLPPP circuit and acts as a router / NAT device serving a single internal subnet with around 100 users. It also acts as a VPN endpoint with a PIX 506 at a remote location. What are the security functions of this advanced IOS that I can use? How can I activate packet inspection etc. and use this device as a stateful firewall that detects anomalies within traffic and warns me etc.?
Asked by eggster34
1 Solution
 
packetguy commented:
The 2811 doesn't have enough horsepower to do deep packet inspection for 100 users if they're average web browsers and all online simultaneously. It doesn't have enough RAM to maintain a very big connection table (about 5000 entries I think), and you'll find it becomes a bottleneck when its connection table fills. It's not a bandwidth issue, it's purely connection count. A random port scan from a single outside or inside compromised host can end up knocking you offline.

The Cisco router IOS was never designed for modern intrusion detection and prevention methods, so everything firewall-related is a giant kludge. The PIX as well is an obsolete device that belongs back in the 1900s. You're really much better off getting a modern firewall, such as a Cisco ASA or SonicWall NSA 240, rather than trying to make this old stuff go. Unless your time is worth nothing.

 -mel
 
eggster34 (Author) commented:
Thanks for the info, but if I were to make this old device go, what would be the commands / options to activate this function in the device, even though it may cause it to crash?
 
packetguy commented:
It takes about 100 lines of IOS code to properly configure a router's firewall features, and those are highly dependent on your environment. You can find Cisco config guides at cisco.com. It's extremely complex.
 
eggster34 (Author) commented:
Well if you could give me some URLs , I would be happy to award you the points, otherwise the help you have given me so far does not deserve any credit since you did not provide me any real answers :(
 
packetguy commented:
OK, I searched around, but much of the documentation on Cisco's site consists of dead links. I was able to find the following from various sources, which should get you started.

Here's an online book you can read for free with a trial OReilly Safari Books Online subscription:
Cisco Firewall Technologies; Section 2 has a description of Cisco IOS Firewall
http://my.safaribooksonline.com/9781587053290

Here's a video entitled "Secure Your Router with ACLs" to help you learn Access Control Lists, the core of the IOS Firewall:
http://happyrouter.com/happyrouter/free-video-harden-your-cisco-router-with-ios-acls

Cisco IOS Firewall Overview
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scffirwl.htm

Cisco IOS Firewall Q&A
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_qas09186a008010a40e.html

Cisco IOS Firewall Design Guide (lots of sample configs in here that you might mutate)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

Granular Protocol Inspection guide
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtgpinsp.html

Troubleshooting Cisco IOS Firewall Configurations
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094112.shtml
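Since the thread stops at links, here is a worked configuration as an added example; it is not from the original posts or from Cisco's documentation. It shows the classic IOS Firewall (CBAC) setup those links describe: an inbound ACL on the outside interface that admits only the IPsec traffic to the PIX and the tunnel's decrypted traffic, an `ip inspect` rule that opens return holes only for sessions initiated from the inside, half-open thresholds that address the session-table exhaustion packetguy warns about, and syslog alerts so the router actually warns you. Interface names (Multilink1, FastEthernet0/0), all addresses and the syslog host are assumptions; the existing NAT and crypto map configuration is assumed to be in place and is omitted (the tunnel traffic must already be excluded from NAT).

```cisco
! Added example, not from the original thread. Assumed topology:
!   Multilink1       = outside (the 3 Mbit MLPPP circuit), 203.0.113.2/30
!   FastEthernet0/0  = inside LAN, 192.168.10.0/24
!   203.0.113.200    = remote PIX 506 VPN peer
!   192.168.20.0/24  = LAN behind the PIX
!   192.168.10.50    = internal syslog host
!
! --- global CBAC settings: half-open limits protect the session table ---
ip inspect audit-trail
no ip inspect alert-off
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
! start dropping half-open sessions at 400, stop at 300
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 400
ip inspect one-minute low 300
! a single host with 50 half-open sessions is treated as a scan/flood
ip inspect tcp max-incomplete host 50 block-time 0
!
! --- inspection rule: which inside-initiated sessions get a return hole ---
ip inspect name FW-OUT tcp alert on audit-trail on
ip inspect name FW-OUT udp alert on
ip inspect name FW-OUT icmp
ip inspect name FW-OUT ftp
ip inspect name FW-OUT http
ip inspect name FW-OUT smtp
!
! --- inbound ACL on the outside: only what CBAC cannot learn by itself ---
ip access-list extended OUTSIDE-IN
 remark IPsec to the remote PIX 506 (ISAKMP, NAT-T, ESP)
 permit udp host 203.0.113.200 host 203.0.113.2 eq isakmp
 permit udp host 203.0.113.200 host 203.0.113.2 eq non500-isakmp
 permit esp host 203.0.113.200 host 203.0.113.2
 remark decrypted tunnel traffic; older IOS re-evaluates it against this ACL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark obvious spoofing: private space arriving from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip any any log
!
interface Multilink1
 description outside - 3 Mbit MLPPP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
!
interface FastEthernet0/0
 description inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! --- ship the alerts and audit trail to a syslog host ---
logging buffered 65536 informational
logging trap informational
logging host 192.168.10.50
```

With this in place, `show ip inspect sessions` lists the live state table, `show ip inspect statistics` shows the half-open counters the thresholds act on, and the `%FW-4-ALERT_ON` / `%FW-6-SESS_AUDIT_TRAIL` messages appear in the log when a threshold trips or a session opens and closes. The `deny ip any any log` at the end is what turns a port scan into log lines rather than silent drops; rate-limit logging (`logging rate-limit`) if the syslog volume becomes its own problem on a 2811.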
