About the Author


Joe Harris, CCIE No. 6200 (R&S, Security & SP), is a Systems Engineer with Cisco Systems® specializing in security. In addition to authoring Cisco Network Security Little Black Book, Joe has been a technical reviewer for several Cisco Press publications and has written articles, white papers, and presentations on various security technologies. He also assists various certification partners by beta testing their newest CCIE certification workbooks, and has been recognized by Cisco as a two-time SE Wall of Fame award winner.


IOS Zone Based Firewall Configuration

Need a firewall but have no money in the budget for a new device? Do you have a Cisco router? The IOS IP Security feature set available for Cisco routers is an enhanced component of Cisco IOS that gives routers many of the features available on the PIX/ASA firewalls, extending to routers functionality similar to that provided by a separate firewall device. When a Cisco router is configured with the Cisco IOS IP Security feature set, it is transformed into an effective, robust security device. The IOS IP Security feature set includes security services such as access controls, strong authentication, encryption, flexible packet matching, and IPsec and SSL VPNs, while retaining all of the fundamental routing features of IOS. It is a value-added option for Cisco IOS software that enforces security policies while maintaining vital traffic flow requirements within the enterprise.

The IOS IP Security feature set is currently available for all router platforms from the 800 series up to and including the 7200 series. Some of its key features are listed here:

  • Zone Based Firewalling provides stateful, per-session filtering of IP traffic with application awareness for many protocols.

  • Transparent IOS Firewall allows you to quickly deploy a firewall with virtually no infrastructure reconfiguration.

  • Java blocking protects against malicious Java applets, allowing only applets from identified and trusted sources.

  • Denial-of-service (DoS) detection and prevention protects resources against common attacks.

  • Real-time alerts notify administrators during DoS attacks and certain other conditions.

  • Audit trail mechanisms track sessions by time, source and destination address, ports, and total number of bytes transmitted.

  • IOS intrusion prevention provides real-time monitoring, interception, and response to network misuse, using a set of common attack and probing intrusion detection signatures.

  • Transparent IOS IPS allows you to quickly deploy an IPS sensor with virtually no infrastructure reconfiguration.

  • Multiservice integration, security for dialup and cellular (CDMA and 3G) connections, and integrated routing and security at the Internet gateway.

This only scratches the surface but as you can see, the IOS IP Security feature set has an extensive set of features that are designed to help secure an enterprise's network with robust, flexible functionality.

So in this post I want to examine how you can use the Cisco Router and Security Device Manager (SDM) to enable one of the IOS IP Security feature set's key features, Zone Based Firewalling. There are actually two forms of firewalling a router can provide: Context Based Access Control (CBAC, aka the legacy IOS firewall) and the Zone Based Firewall (ZBF). We will not cover the legacy IOS firewall in this post; for detailed coverage of that topic please see Chapter 4 of my book, Cisco Network Security Little Black Book, or visit the IOS Firewall home page on CCO. Before we get started you will need to ensure that you have the SDM installed on your router, on your PC, or on both. In my case I have the SDM installed locally on my PC, so I simply double-click it to connect to the router. Once it opens, enter the IP address of your router in the box and click 'Launch'. After you are connected and the SDM loads, click 'Configure -> Firewall and ACL'. At this point you should see the following screen:

 

You are now presented with two firewall options you can configure, a basic firewall and an advanced firewall. So what's the difference? Basically, the advanced firewall option gives you the ability to configure a DMZ if one is needed; if you do not need a DMZ, simply pick the basic firewall. In our case we are going to pick the basic firewall and click the 'Launch the selected task' button. Once we click that button the 'Basic Firewall Configuration Wizard' window appears:

This wizard presents a simple, intuitive step-by-step interface that allows you to enable ZBF on your router. Click 'Next' to begin the actual configuration. The wizard now asks you to select the interface you would like to define as the outside (untrusted) interface and the interface that is the inside (trusted) interface. If you have more than two interfaces listed you can select them as needed.

You also have the ability to select whether or not you want to allow secure SDM access to the router from the outside (untrusted) interface. If you do not select this option you will not be able to use SDM through that interface after the firewall wizard completes. SDM even warns you about this:

Notice that I have FastEthernet0/0 defined as the outside interface in the figure above, and SDM tells me that I will no longer be able to launch SDM from that interface once this wizard completes. I select 'OK' in my case and the wizard moves me to the main ZBF configuration screen, where it lets me select the level of security I require by simply sliding a bar up and down. I can choose between three levels of security: High, Medium and Low.

 

Notice that for each level of security, the SDM gives a description of that level and also lets me preview the associated commands. So let's look at each level in more detail. First let's examine the High security level. According to its description, at the High level ZBF provides the following:

  • The router identifies inbound and outbound Instant Messaging and Peer-to-Peer traffic and drops it.
  • The router checks inbound and outbound HTTP traffic and e-mail traffic for protocol compliance, and drops noncompliant traffic.
  • Returns traffic for other TCP and UDP applications if the session was initiated inside the firewall.
  • Choose this option if you want to prevent use of these applications on the network.
We can even preview the commands associated with the High security level.

 

Because of the length of the configuration, I have provided these commands in a separate file that you can view by clicking this link: High Security Config. These are the actual commands the SDM would push to the router if you were to choose the High security level. Now let's examine the Medium security level. According to its description, the Medium security level provides:

  • The router identifies inbound and outbound Instant Messaging and Peer-to-Peer traffic, and checks inbound and outbound HTTP traffic and e-mail traffic for protocol compliance.
  • Returns TCP and UDP traffic on sessions initiated inside the firewall.
  • Choose this option if you want to track use of these applications on the network.
We can also preview the commands associated with the medium security level:

Because of the length of the configuration, I have provided these commands in a separate file that you can view by clicking this link: Medium Security Config. These are the actual commands the SDM would push to the router if you were to choose the Medium security level. Now let's examine the Low security level. According to its description, the Low security level provides:

  • The router does not identify application-specific traffic. Returns TCP and UDP traffic on sessions initiated inside the firewall.
  • Choose this option if you do not need to track use of these applications on the network.
We can also preview the commands associated with the Low security level:

Because of the length of the configuration, I have provided these commands in a separate file that you can view by clicking this link: Low Security Config. These are the actual commands the SDM would push to the router if you were to choose the Low security level. After selecting the security level that best meets our needs, we click 'Next'. We are now presented with the following screen, where the wizard requires us to define at least one DNS server for the proper operation of ZBF:
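The three security levels are presets built from the same ZBF building blocks: zones, class-maps that identify traffic, a policy-map that applies inspect/drop/pass actions, and a zone-pair that binds the policy to a direction. The following is an added example, hand-written for this page and not the SDM-generated configuration linked above, that models the High level in plain IOS CLI: stateful inspection of TCP, UDP and ICMP from inside to outside, dropping of IM and P2P traffic identified by application signature, and HTTP protocol-compliance checks. The zone, class-map, policy-map and zone-pair names (in-zone, out-zone, IN-TO-OUT and so on) are my own, and FastEthernet0/1 as the inside interface is an assumption; only FastEthernet0/0 as the outside interface comes from the post.

```ios
! Added example, not SDM output: a hand-built ZBF policy modelling the
! wizard's "High" level. Names are assumptions; Fa0/0 outside is from the post.
!
! 1. Zones. Once an interface is in a zone it can only talk to interfaces
!    in other zones through a zone-pair with a policy; an interface that is
!    in no zone cannot talk to a zoned interface at all.
zone security in-zone
zone security out-zone
!
! 2. Generic Layer-4 traffic that is statefully inspected, so replies to
!    sessions opened from the inside are allowed back in (all three levels).
class-map type inspect match-any INSP-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 3. IM and P2P identified by application signature (High and Medium).
class-map type inspect match-any IM-P2P
 match protocol msnmsgr msn-servers
 match protocol ymsgr yahoo-servers
 match protocol aol aol-servers
 match protocol bittorrent signature
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
!
! 4. HTTP protocol compliance: a Layer-7 class and policy that reset
!    sessions violating the HTTP spec or tunnelling IM/P2P over port 80.
class-map type inspect match-any HTTP-TRAFFIC
 match protocol http
class-map type inspect http match-any HTTP-VIOLATION
 match req-resp protocol-violation
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
policy-map type inspect http HTTP-COMPLIANCE
 class type inspect http HTTP-VIOLATION
  reset
  log
!
! 5. Inside-to-outside policy. Classes are evaluated top down, so the
!    IM/P2P class must precede the generic tcp/udp class or the signature
!    match never gets a chance to fire.
policy-map type inspect IN-TO-OUT
 class type inspect IM-P2P
  drop log
 class type inspect HTTP-TRAFFIC
  inspect
  service-policy http HTTP-COMPLIANCE
 class type inspect INSP-TRAFFIC
  inspect
 class class-default
  drop log
!
! 6. Bind the policy to the direction and put the interfaces into zones.
!    No zone-pair exists for out-zone -> in-zone, so unsolicited inbound
!    traffic is dropped by default.
zone-pair security IN-OUT source in-zone destination out-zone
 service-policy type inspect IN-TO-OUT
!
interface FastEthernet0/1
 zone-member security in-zone
interface FastEthernet0/0
 zone-member security out-zone
```

For the Medium level, the IM-P2P class would be inspected (with the audit trail turned on through a parameter-map) rather than dropped, which is what "track use of these applications" amounts to; for the Low level, the IM-P2P and HTTP classes disappear and only the generic inspect class remains. Note that putting the outside interface into a zone also affects traffic to the router itself, which is exactly the routing-protocol problem the wizard flags further down.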

After defining my DNS servers I simply click 'Next' and the router presents me with the configuration summary screen as seen below:

After scrolling through the right-hand window everything appears to be in order, so I click the 'Finish' button. What happens next is that the SDM compares the generated ZBF configuration against the router's existing configuration and flags an issue for me. In my case it notes that I have OSPF running on this router, and that if I were to implement the configuration as it currently stands I would cut off my routing:

The SDM gives me the option to maintain routing functionality by configuring ZBF to pass the routing protocol, simply via the click of a radio button :-) ... Since I'm running OSPF, the SDM selects that option for me automatically. The actual configuration commands it will use for this are listed below:

    ! ACL that identifies OSPF (IP protocol 89) regardless of address
    ip access-list extended SDM_OSPF
     remark SDM_ACL Category=1
     permit ospf any any
     exit
    !
    ! SDM wraps the ACL match in three nested class-maps: the innermost
    ! matches the ACL, the outer two simply reference the inner one.
    class-map type inspect match-any SDM_OSPF
     match access-group name SDM_OSPF
     exit
    class-map type inspect match-any SDM_OSPF_TRAFFIC
     match class-map SDM_OSPF
     exit
    class-map type inspect match-all SDM_OSPF_PT
     match class-map SDM_OSPF_TRAFFIC
    !
    ! "pass" forwards OSPF without stateful inspection, which is the right
    ! action for a protocol that has no session state to track.
    policy-map type inspect sdm-permit
     class type inspect SDM_OSPF_PT
      no drop
      pass
      exit

WOW!!! All of that from that simple radio button ;-) Now I simply click 'OK' and I am taken to the Deliver Configuration to the Router screen. Here you can preview the complete configuration of the firewall as well as save the running configuration to the startup configuration. You also have the ability to deliver the commands to the router right from the SDM or save the configuration to a file on your machine:
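The sdm-permit policy above only takes effect once it is bound to a zone-pair whose destination is the router's own built-in self zone, and that binding is what makes the OSPF exception necessary in the first place. As an added example, not SDM output and not from the post, here is that binding together with the checks I would run after delivering the configuration; the zone names and the zone-pair name are assumptions, while sdm-permit is the policy-map name from the snippet above.

```ios
! Added example (not from the post or from SDM): binding a policy to the
! router's self zone and verifying the result. Zone names and the
! zone-pair name are assumptions; sdm-permit is the policy-map from above.
!
! Traffic to and from the router itself (the built-in "self" zone) is
! permitted by default. As soon as a policy is attached to a zone-pair
! that includes self, everything the policy does not pass or inspect is
! dropped. That is what would have silenced the OSPF hellos arriving on
! the outside interface, and why the wizard adds an explicit pass.
zone-pair security OUT-TO-SELF source out-zone destination self
 service-policy type inspect sdm-permit
!
! "pass" is stateless and one-directional: inbound OSPF is forwarded
! without creating a session. The router's own outbound OSPF is still
! covered by the default permit because no self -> out-zone pair carries
! a policy; if you later add one, it needs its own pass for OSPF as well.
!
! Exec-mode checks once the configuration is delivered (not config lines):
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair OUT-TO-SELF
!   show ip ospf neighbor
! The per-class counters from the third command should show OSPF packets
! hitting SDM_OSPF_PT; anything counted under class-default is what the
! policy is dropping, and the OSPF neighbor should stay in FULL state.
```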

Because the configuration is quite long, I have included the complete configuration that you would see in the preview screen in a separate file that you can view here: Complete ZBF Config. That pretty much concludes the configuration of the basic IOS ZBF; in our next post we will examine how we can use the SDM to fine-tune many of the parameters of the ZBF.

There are 2 responses so far.

  1. I can't find the follow-on post mentioned at the end of this post. Did it ever get written?

  2. Hi Rich, no, my CCIE SP took over and I just forgot to write the follow-up article. I will start writing the follow-up in the next day or so and hope to get it posted soon. Thanks for reminding me ;-)
