Using a router for security

Posted on 2011-03-16
Medium Priority
Last Modified: 2012-05-11
I would like to know if I can use a router to do the functions of an ASA, IDS, and also VPN.
If so, which router series and IOS are able to do the similar functions?

Question by:jskfan

Assisted Solution

zazagor earned 800 total points
ID: 35156132

Here is a link to "How to choose IOS":
I would suggest Cisco 1721.
The Cisco 1721 router is part of the end-to-end Cisco VPN solution. VPNs create secure connections via the Internet to connect geographically dispersed offices, business partners, and remote users while providing security, traffic prioritization, management, and reliability equal to that of private networks.

By supporting industry standards, IPSec, Layer 2 Tunneling Protocol (L2TP), and DES and 3DES, the Cisco 1721 router delivers robust VPN solutions to ensure data privacy, integrity, and authenticity.

The optional VPN hardware encryption module for the Cisco 1721 router further optimizes VPN encryption performance. By offloading encryption tasks to the VPN module, the router processor is freed to handle other operations. The VPN module accelerates the rate at which encryption occurs, speeding the process of transmitting secure data, a critical factor when using 3DES encryption.

The Cisco 1721 router offers integrated security features, including stateful inspection firewall functionality and IDS as an optional Cisco IOS Software feature. By deploying Cisco IOS Software firewall functionality, customers do not need to purchase or manage multiple devices, thus simplifying network management and reducing capital costs. Additionally, remote management applications, such as Cisco Security Device Manager (SDM), make it easier than ever to deploy and monitor Cisco IOS Firewall and VPN on your Cisco 1721 router.

Cisco IOS Software firewall security features include access control lists (ACLs), user Authentication, Authorization, and Accounting (such as Password Authentication Protocol/Challenge Handshake Authentication Protocol [PAP/CHAP], TACACS+, and Remote Access Dial-In User Service [RADIUS]). These security features provide the optimal level of firewall protection to customers.

The Cisco 1700 Series routers support the Cisco Easy VPN Remote feature that allows the routers to act as remote VPN clients. As such, these devices can receive predefined security policies from the headquarters' VPN head-end, thus minimizing configuration of VPN parameters at the remote locations. This solution makes deploying VPN simpler for remote offices with little IT support or for large deployments where it is impractical to individually configure multiple remote devices. While customers wishing to deploy and manage site-to-site VPN would benefit from Cisco Easy VPN Remote because of its simplification of VPN deployment and management, managed VPN service providers and enterprises who must deploy and manage numerous remote sites and branch offices with Cisco IOS routers for VPN will realize the greatest benefit.

The Cisco 1700 Series routers also support the Cisco Easy VPN Server feature that allows a Cisco 1700 router to act as a VPN head-end device. In site-to-site VPN environments, the Cisco 1700 router can terminate VPN tunnels initiated by the remote office routers using the Cisco Easy VPN Remote. Security policies can be pushed down to the remote office routers from the Cisco 1700 router. In addition to terminating site-to-site VPNs, a Cisco 1700 router running the Unified VPN Access Server can terminate remote access VPNs initiated by mobile and remote workers running Cisco VPN client software on PCs. This flexibility makes it possible for mobile and remote workers, such as sales people on the road, to access company intranet where critical data and applications exist.


Expert Comment

ID: 35158331
Any non-SOHO router with the security bundle should support firewall, VPN, and limited IDS functionality.

Configuration tasks are significantly different from the ASA, however.

Author Comment

ID: 35159929
<<Configuration tasks are significantly different from the ASA, however.>>

what do you mean by that?

do you mean the commands you type are different, but they achieve the same objectives ?
The router can be configured for security using SDM, but I am not sure what you will miss if you use a router, for instance, as a firewall or IDS using SDM, instead of going with an ASA?


Accepted Solution

asavener earned 1200 total points
ID: 35159967
Yes, you can achieve the same objectives, but the configuration method is very different.

There are a few other ways in which they differ. SMTP mail guard on the ASA will filter out a lot of text in order to prevent fingerprinting, but the Cisco IOS does not, for example.
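To make the "same objectives, very different configuration method" point from the two expert comments above concrete, here is an added example (not posted by either expert and not tied to the Cisco 1721 specifically): the same inside-to-outside policy written first as a Cisco IOS zone-based policy firewall and then as the equivalent ASA interface ACL plus Modular Policy Framework. Interface names, zone names, ACL names and the permitted protocol set are assumptions chosen for the example. The ASA half also shows where the ESMTP inspection (the feature the accepted answer calls SMTP mail guard) is enabled; the IOS half has no equivalent line, which is the difference the answer describes.

```cisco
! ===== Cisco IOS (security feature set, 12.4(6)T or later for zone-based firewall) =====
! Assumed: FastEthernet0 faces the LAN, FastEthernet1 faces the Internet.
zone security inside
zone security outside
!
! Traffic the LAN may initiate outbound; the stateful inspection engine
! allows the return traffic automatically.
class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Apply the policy to the inside->outside direction only; with no
! outside->inside zone-pair, unsolicited inbound traffic is dropped.
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect INSIDE-OUTSIDE-POLICY
!
interface FastEthernet0
 zone-member security inside
interface FastEthernet1
 zone-member security outside
! (Older IOS releases use the CBAC "ip inspect name ..." syntax instead of zones.)

! ===== Cisco ASA: the same intent, expressed as interface ACL + MPF =====
! Assumed: Ethernet0/0 is outside (security-level 0), Ethernet0/1 is inside (100).
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
!
! On the ASA the outbound allow list is an ACL bound to the inside interface;
! the explicit deny with "log" records what the policy blocks.
access-list INSIDE_IN extended permit tcp any any eq www
access-list INSIDE_IN extended permit tcp any any eq https
access-list INSIDE_IN extended permit udp any any eq domain
access-list INSIDE_IN extended permit tcp any any eq smtp
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Application-layer SMTP inspection lives in the global service policy.
! This is the ESMTP inspection the accepted answer refers to as SMTP mail guard.
policy-map global_policy
 class inspection_default
  inspect esmtp
service-policy global_policy global
```

The two halves admit the same four protocols outbound and drop everything else, so a reviewer auditing either box should reach the same conclusion about what can leave the LAN. What differs is the model: IOS expresses policy as zone pairs with inspect class-maps, while the ASA expresses it as per-interface ACLs with stateful inspection implied by the security levels, and layers protocol inspection on top through the global service policy. When comparing the two platforms, check the logging lines (`drop log` on IOS, `deny ip any any log` on the ASA) as well as the allow rules, since that is where a blocked connection attempt becomes visible to the operator.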

Author Closing Comment

ID: 35171367
