Today many small companies cannot afford dedicated security devices such as a hardware firewall, so gaps in their network security appear at random. The real question is how to raise network security in a small company without that spend. In this article I introduce the problem and show how you can improve your company's security with nothing more than a few enhancements on the router you already have.
In this article I cover the following topics:
1. Context Based Access Control (CBAC)
2. IOS URL Filtering
3. Zone Based Firewall (ZFW)
I hope that after reading this article you will be able to build your company network more intelligently.
Context Based Access Control
CBAC provides true stateful inspection on an IOS router. It performs protocol-specific inspection of traffic flows passing through the router and dynamically opens holes for the returning traffic. The expected direction of traffic is from the protected network (inside the company) to the unprotected network (the outside). When a packet leaves from inside to outside, its session is recorded in the CBAC state table; when the return packet arrives, CBAC looks the session up in that table and permits or denies the packet according to the entry it finds. Think of it as an echo and its echo-reply: the reply is only admitted because the matching echo was seen first.
To do this, CBAC works together with an access control list (ACL). An extended ACL applied inbound on the outside interface blocks unsolicited traffic, and CBAC inserts temporary entries ahead of it for the return traffic of sessions it has already seen. For generic TCP and UDP connections CBAC does not understand the application protocol; it only tracks the session and checks basic packet sanity so that it can open a hole for the returning traffic. For protocols such as FTP, which negotiate a second data channel, application-aware inspection is needed so that the data connection is permitted as well.
Here is the configuration for inspecting FTP application traffic (note that a named extended ACL is entered in its own sub-mode; the original one-line form is not accepted by IOS):
R2(config)#ip inspect name INSPECT ftp
R2(config)#ip access-list extended INBOUND
R2(config-ext-nacl)#permit udp any any eq rip
R2(config-ext-nacl)#exit
R2(config)#interface f0/1
R2(config-if)#ip access-group INBOUND in
R2(config-if)#ip inspect INSPECT out
The ACL ends with an implicit deny, so the only unsolicited traffic accepted from the outside is RIP. FTP return traffic, including the separately negotiated data channel, gets in only through the entries CBAC creates when an inside host opens the control connection. The inspection rule is applied outbound on the outside interface, which is the direction in which inside users initiate their sessions.
CBAC has many more uses; this is only an introduction.
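The FTP rule above covers one application protocol. The following configuration is an added example (it is not from the original article) that shows the generic TCP/UDP inspection described earlier, together with an audit trail and the show commands used to verify that CBAC is tracking sessions. Interface roles follow the article (f0/0 inside, f0/1 outside); the idle-timeout values are assumptions chosen for illustration.

```cisco
! Added example, not part of the original article.
! Generic inspection: CBAC tracks the session state but does not parse the
! application protocol. That is enough to open a return hole for ordinary
! client/server traffic. Timeouts (seconds of idle time) are assumed values.
ip inspect name INSPECT tcp audit-trail on timeout 3600
ip inspect name INSPECT udp audit-trail on timeout 30
!
! Application-aware inspection for protocols that negotiate extra channels
ip inspect name INSPECT ftp
ip inspect name INSPECT icmp
!
! Global audit trail: log each session that CBAC opens and closes
ip inspect audit-trail
!
! Inbound ACL on the outside interface. Only routing updates are accepted
! unsolicited; every other packet is dropped (and logged) unless a CBAC entry
! created by an inside host matches it first.
ip access-list extended INBOUND
 permit udp any any eq rip
 deny ip any any log
!
interface FastEthernet0/0
 description INSIDE
!
interface FastEthernet0/1
 description OUTSIDE
 ip access-group INBOUND in
 ip inspect INSPECT out
!
! Verification: confirm the rule, where it is applied, and the live state table
show ip inspect config
show ip inspect interfaces
show ip inspect sessions detail
```

After an inside host opens a connection to the outside, `show ip inspect sessions detail` lists the session with its source and destination addresses and ports; when the session ends, or stays idle longer than the configured timeout, the entry (and the hole it opened) disappears. The `deny ip any any log` line is optional but makes it obvious in the logs what the outside is trying to reach.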
IOS URL Filtering
Configure HTTP URL filtering to achieve the following goals:
1. Filter Java applets out of HTTP responses.
2. Filter URLs using a Websense server.
3. Permit the domain www.hackarde.com to be accessed at any time.
URL filtering is built on a CBAC inspect rule, so it needs the CBAC configuration plus an external URL filtering server. In the configuration below, Java applets are blocked from every site: the java-list ACL is checked against the applet's source address, and access-list 1 denies any source. The domain hackarde.com is excluded from the Websense lookup and is always permitted.
R2(config)#access-list 1 deny any
R2(config)#ip urlfilter server vendor websense 10.0.0.50
Activate the filtering:
R2(config)#ip inspect name INSPECT http java-list 1 urlfilter
R2(config)#ip urlfilter exclusive-domain permit hackarde.com
R2(config)#ip urlfilter allow-mode on
Be aware of what allow-mode does: with `allow-mode on`, the router lets all HTTP requests through unfiltered whenever the Websense server is unreachable (fail-open). If you would rather block web access than lose filtering, use `ip urlfilter allow-mode off` (fail-closed).
Apply it on the outside interface f0/1 of router R2, in the same direction as the FTP inspection above (outbound, where the users' HTTP requests leave the router; applied inbound on f0/1 the rule would only inspect sessions initiated from the outside):
R2(config)#interface f0/1
R2(config-if)#ip inspect INSPECT out
Zone Based Firewall (ZFW)
Before ZFW, the IOS firewall offered stateful inspection through the CBAC feature described above. The limitation of CBAC is that all traffic passing through an interface is subject to the same inspection policy. With ZFW, inspection is applied on a zone-based model: each interface of the IOS router is assigned to a zone, such as INSIDE (private zone), OUTSIDE (public zone) and DMZ, and the policy is written per pair of zones, so the rules for INSIDE-to-OUTSIDE traffic can differ from the rules for OUTSIDE-to-DMZ traffic even if both cross the same interface.
In the topology shown in the figure above, router R2 works as the IOS firewall: its interface Fa0/0 is in the PRIVATE zone, interface Fa0/1 is in the PUBLIC zone and interface Fa1/0 is in the DMZ zone.
The following steps are required to configure ZFW on the IOS firewall (R2):
1. Define the zones.
2. Define the zone pairs (a source zone and a destination zone; policy is directional).
3. Define class maps to identify the traffic.
4. Define a policy map that applies an action (inspect, pass or drop) to the traffic in each class map.
5. Apply the policy map to the zone pair with a service-policy.
6. Assign the firewall interfaces to their zones.
Keep the default behaviour in mind: traffic between two different zones is dropped unless a zone-pair policy permits it, traffic between interfaces in the same zone passes freely, and an interface that belongs to no zone cannot exchange traffic with any zoned interface. Traffic to and from the router itself belongs to the built-in self zone and is allowed by default.
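The six steps above, carried through as one complete configuration for R2. This is an added example and not the original article's configuration; the addressing (a PRIVATE network of 192.168.1.0/24 behind Fa0/0 and a web server at 10.1.1.10 in the DMZ behind Fa1/0) and the policy names are assumptions chosen for illustration.

```cisco
! Added example, not part of the original article. Addresses and names are assumed.
!
! Step 1: define the zones
zone security PRIVATE
zone security PUBLIC
zone security DMZ
!
! Step 3: class maps to identify traffic
! match-any: a packet matches if it is any one of the listed protocols
class-map type inspect match-any PRIVATE-TO-PUBLIC-PROTOCOLS
 match protocol http
 match protocol https
 match protocol dns
 match protocol ftp
 match protocol icmp
!
! Only HTTP to the DMZ web server is allowed in from the public zone
ip access-list extended DMZ-WEB
 permit tcp any host 10.1.1.10 eq www
!
! match-all: the packet must match the ACL and be HTTP
class-map type inspect match-all PUBLIC-TO-DMZ-WEB
 match access-group name DMZ-WEB
 match protocol http
!
! Step 4: policy maps applying an action to each class.
! "inspect" creates stateful sessions so return traffic is allowed back;
! class-default drops (and logs) everything the classes did not match.
policy-map type inspect PRIVATE-TO-PUBLIC-POLICY
 class type inspect PRIVATE-TO-PUBLIC-PROTOCOLS
  inspect
 class class-default
  drop log
!
policy-map type inspect PUBLIC-TO-DMZ-POLICY
 class type inspect PUBLIC-TO-DMZ-WEB
  inspect
 class class-default
  drop log
!
! Steps 2 and 5: directional zone pairs, each with its policy attached
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
 service-policy type inspect PRIVATE-TO-PUBLIC-POLICY
!
zone-pair security PUB-DMZ source PUBLIC destination DMZ
 service-policy type inspect PUBLIC-TO-DMZ-POLICY
!
! Step 6: assign interfaces to zones. Do this last: as soon as an interface
! joins a zone, its traffic to other zones is dropped until a zone-pair
! policy permits it.
interface FastEthernet0/0
 description PRIVATE
 zone-member security PRIVATE
!
interface FastEthernet1/0
 description DMZ
 zone-member security DMZ
!
interface FastEthernet0/1
 description PUBLIC
 zone-member security PUBLIC
!
! Verification
show zone security
show zone-pair security
show policy-map type inspect zone-pair sessions
```

Two things follow from the defaults. There is no zone pair with PUBLIC as source and PRIVATE as destination, so nothing initiated from the internet can reach the private network; replies to inspected sessions still come back because `inspect` tracks them statefully. There is also no PRIVATE-to-DMZ pair, so internal users cannot reach the DMZ server until you add one; the firewall never assumes a permissive default between two zones.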
I hope this article is helpful for you.