Cisco IOS Threat Defense Features. Lesson 1 - Introducing the Cisco IOS Firewall. Objectives. Explain the purpose of the Demilitarized Zone (DMZ). Describe various DMZ topologies and design options . Describe firewall operations and implementation technologies.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Exposed public services are served on dedicated hostsinside the buffer network.
The DMZ may host an application gateway for outbound connectivity.
Three Separate DMZs
Each service can be hosted in a separate DMZ.
Damage is limited and attackerscontained if a service is compromised.
Primary VLANsPrivate VLAN
Secondary VLAN Ports
Host 2 (HTTP)
Host 3 (Admin)Promiscuous Port
Application layer gateway (ALG)
Stateful packet filtering
Router(config)# access-list 100 permit tcp any 220.127.116.11 0.0.0.255 establishedRouter(config)# access-list 100 deny ip any any logRouter(config)# interface Serial0/0Router(config-if)# ip access-group 100 inRouter(config-if)# end
Standard and extended ACLs
Cisco IOS Firewall
Cisco IOS Firewall IPS
Port-to-Application Mapping (PAM)
IPsec network security
User authentication and authorization
Alarm: Send an alarm to SDM or syslog server.
Drop: Drop the packet.
Reset: Send TCP resets to terminate the session.
Block: Block an attacker IP address or session for a specified time.
Source and destinationIP addresses
Source and destinationports
Ports opened permanentlyto allow traffic, creating a security vulnerability.
The ACLs do not work with applications that negotiate ports dynamically.
Regardless of the application layer protocol, Cisco IOS Firewall will inspect:
All TCP sessions
All UDP connections
Enhanced stateful inspection of application layer protocolsCisco IOS Firewall Supported Protocols
Outgoing requests to the Internet, and responses from the Internet are allowed.