Which Firewall Features Should I Use?

Discussion in 'Cisco' started by mike, Jun 19, 2006.

  1. mike

    mike Guest

    I have an application server that I need to make available to the Internet.
    For simplicity's sake, let's say it's a web server.

    I understand how to use a basic access list to allow only tcp port 80 to
    this server from the Internet. That's all I want. I want to make the http
    server available to anyone, but nothing else should be allowed in.

    However, I thought it might be a good idea to use some sort of beefed-up
    level of security, so I bought the firewall feature set IOS for my router.

    Now that I'm reading up on it, it appears that CBAC is the main security
    feature of the firewall feature set, but everything about CBAC seems to be
    geared towards traffic going from inside out, not outside in.

    Is setting up CBAC inspection useful in my situation? Are there any other
    features besides a basic access list that I should consider using on this router?

    Thank you
     
    mike, Jun 19, 2006
    #1

  2. mike

    Guest

    mike wrote:
    > I have an application server that I need to make available to the Internet.
    > For simplicity's sake, let's say it's a web server.
    >
    > I understand how to use a basic access list to allow only tcp port 80 to
    > this server from the Internet. That's all I want. I want to make the http
    > server available to anyone, but nothing else should be allowed in.
    >
    > However, I thought it might be a good idea to use some sort of beefed-up
    > level of security, so I bought the firewall feature set IOS for my router.
    >
    > Now that I'm reading up on it, it appears that CBAC is the main security
    > feature of the firewall feature set, but everything about CBAC seems to be
    > geared towards traffic going from inside out, not outside in.

    It works either way I believe.

    > Is setting up CBAC inspection useful in my situation? Are there any other
    > features besides a basic access list that I should consider using on this router?


    If you use basic ACLs you will need to allow

    Inbound
    permit tcp any host webserver eq 80

    Outbound
    permit tcp host webserver eq 80 any [established]

    You could consider reflexive access lists,
    which cause the router to create the opposite
    (mirror image) ACLs automatically.
    Reflexive as in reflecting.

    Inspect is a stateful inspection firewall.

    In this case you would use:

    Inbound
    permit tcp any host webserver eq 80

    Then use Inbound inspect to inspect the
    inbound tcp traffic.
    I do not recall the syntax exactly.

    ip inspect name Any.Old.Name tcp
    interface Internet.Side.One
     ip inspect Any.Old.Name in

    This will automatically allow the appropriate
    outbound traffic but /only/ when recent inbound
    traffic has been detected.


    Be /aware/.
    ip inspect name Any.Old.Name http

    does /not/ do what I might expect.
    It blocks all Java code downloads, which breaks a
    lot of web pages.

    There are also the IPS intrusion protection commands.
     
    , Jun 21, 2006
    #2
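Putting the reply's CBAC suggestion together as a complete IOS configuration for the inbound-only web server case. This is an added example, not the poster's own config; the ACL names, the interface name and the 203.0.113.0/24 addresses are assumed placeholders.

```cisco
! Added example (not the poster's config): CBAC protecting one inbound-only
! web server. ACL names, the interface and the 203.0.113.0/24 addresses are assumed.
!
! Static policy on the Internet side: only HTTP to the server may come in.
ip access-list extended FROM-INTERNET
 permit tcp any host 203.0.113.10 eq 80
 deny   ip any any log
!
! Nothing is statically permitted out toward the Internet; CBAC inserts the
! temporary entries for the replies of sessions it inspected coming in.
ip access-list extended TO-INTERNET
 deny   ip any any log
!
! Inspection rule: track generic TCP state. Plain "tcp" is used rather than
! "http" because of the Java-blocking behaviour the reply warns about.
ip inspect name WEB-IN tcp
!
! Log session creation and teardown so the dynamic openings are auditable.
ip inspect audit-trail
!
interface FastEthernet0/0
 description Internet side (assumed interface name)
 ip address 203.0.113.1 255.255.255.0
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
 ip inspect WEB-IN in
!
! With this outbound ACL, inside hosts get no Internet access of their own.
! If they need it, inspect that traffic too ("ip inspect WEB-IN out" on this
! interface with matching permits) rather than loosening TO-INTERNET.
```

The explicit "deny ip any any log" on both ACLs gives a log line for anything that is neither the permitted HTTP traffic nor a CBAC-opened reply, which is the check to look at when a session unexpectedly fails.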