Cisco Advanced Security K9 IOS as packet inspection firewall

Posted on 2008-10-27
Last Modified: 2012-06-21
Hi, I have a 2811 router running the latest K9 IOS. The router terminates a 3 Mbit MLPPP circuit and acts as a router / NAT device serving a single internal subnet with around 100 users. It also acts as a VPN endpoint with a PIX 506 at a remote location. What are the security functions of this advanced IOS that I can use? How can I activate packet inspection etc. and use this device as a stateful firewall that detects anomalies within traffic and warns me etc.?
Question by:eggster34
Expert Comment

by:packetguy
ID: 22819733
The 2811 doesn't have enough horsepower to do deep packet inspection for 100 users if they're average web browsers and all online simultaneously. It doesn't have enough RAM to maintain a very big connection table (about 5000 entries I think), and you'll find it becomes a bottleneck when its connection table fills. It's not a bandwidth issue, it's purely connection count. A random port scan from a single outside or inside compromised host can end up knocking you offline.

The Cisco router IOS was never designed for modern intrusion detection and prevention methods, so everything firewall-related is a giant kluge. The PIX as well is an obsolete device that belongs back in the 1900s. You're really much better off getting a modern firewall, such as a Cisco ASA or Sonicwall NSA-240, rather than trying to make this old stuff go. Unless your time is worth nothing.

 -mel

Author Comment

by:eggster34
ID: 23145627
Thanks for the info, but if I were to make this old device go, what would be the commands / options to activate this function in the device, even though it may cause it to crash?
Expert Comment

by:packetguy
ID: 23146324
It takes about 100 lines of IOS code to properly configure a router's firewall features, and those are highly dependent on your environment. You can find Cisco config guides at cisco.com. It's extremely complex.

Author Comment

by:eggster34
ID: 23206713
Well, if you could give me some URLs, I would be happy to award you the points; otherwise the help you have given me so far does not deserve any credit, since you did not provide me any real answers :(
Accepted Solution

by:packetguy (earned 500 total points)
ID: 23207452
OK, I searched around, but much of the documentation on Cisco's site consists of dead links. I was able to find the following from various sources, which should get you started.

Here's an online book you can read for free with a trial O'Reilly Safari Books Online subscription:
Cisco Firewall Technologies; Section 2 has a description of Cisco IOS Firewall
http://my.safaribooksonline.com/9781587053290

Here's a video entitled "Secure Your Router with ACLs" to help you learn Access Control Lists, the core of the IOS Firewall:
http://happyrouter.com/happyrouter/free-video-harden-your-cisco-router-with-ios-acls

Cisco IOS Firewall Overview
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scffirwl.htm

Cisco IOS Firewall Q&A
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_qas09186a008010a40e.html

Cisco IOS Firewall Design Guide (lots of sample configs in here that you might mutate)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

Granular Protocol Inspection guide
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtgpinsp.html

Troubleshooting Cisco IOS Firewall Configurations
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094112.shtml
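As an added illustration (not from the poster or from the Cisco documents linked above), here is a minimal Cisco IOS Firewall (CBAC) configuration of the kind those guides describe, laid out for the setup in the question: inspection applied inbound on the LAN interface, a restrictive ACL inbound on the Multilink WAN interface that still admits the IPsec peer and its decrypted traffic, audit-trail logging so session events reach a syslog host, and half-open session thresholds that trip before a scan fills the session table packetguy warns about. Interface names, subnets and peer addresses (RFC 5737 test ranges) are assumptions, and the available `ip inspect` keywords vary by IOS release.

```cisco
! Added example config, not the poster's: CBAC stateful inspection on a
! 2811 with an MLPPP uplink and an IPsec tunnel to a remote PIX.
! Interface names and all addresses are assumed (RFC 5737 test ranges).
!
! Where CBAC alerts (on by default) and audit-trail records are sent
logging buffered 65536 informational
logging host 10.1.1.50
!
! Inspection rule: tcp/udp/icmp generic, ftp for the data channel
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
ip inspect audit-trail
!
! Half-open session thresholds: a scan or SYN flood trips these before
! it fills the router's session table
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 400
ip inspect one-minute low 300
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
!
! LAN side (assumed 10.1.1.0/24): inspect outbound sessions
interface FastEthernet0/1
 ip nat inside
 ip inspect FW in
!
! WAN side (assumed 198.51.100.2): only the IPsec peer, decrypted
! tunnel traffic and CBAC's dynamically opened return flows get in
interface Multilink1
 ip nat outside
 ip access-group OUTSIDE_IN in
!
ip access-list extended OUTSIDE_IN
 remark IKE and ESP from the remote PIX 506 (assumed 203.0.113.2)
 permit udp host 203.0.113.2 host 198.51.100.2 eq isakmp
 permit esp host 203.0.113.2 host 198.51.100.2
 remark decrypted tunnel traffic is re-checked against this ACL
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 remark CBAC inserts temporary permits for inspected sessions
 deny ip any any log
```

`show ip inspect sessions` and `show ip inspect statistics` show the live session table and how often the half-open thresholds have been hit, which is the first thing to check if the router starts dropping connections under load.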