OK, since Chris responded, I have to respond. The firewall feature set
that is currently available for Cisco IOS has the ability to do the
following:
The Cisco IOS Firewall CBAC engine provides secure, per-application access
control across network perimeters. CBAC enhances security for TCP and user
datagram protocol (UDP) applications that use well-known ports (such as
file transfer protocol (FTP) and e-mail traffic) by scrutinizing source
and destination addresses. CBAC allows network administrators to implement
firewall intelligence as part of an integrated, single-box solution.
CBAC is a per-application control mechanism for IP traffic including
standard TCP and UDP Internet applications, multimedia applications
(including H.323 and other video applications), and Oracle databases.
Intrusion detection - intrusion detection capability in the critical packet
path provides dynamic monitoring, interception, and reporting of network
attacks and misuse.
Authentication proxy - LAN-based, dynamic, per-user authentication and
authorization via TACACS+ and RADIUS authentication servers enables
setting individual security policies.
Dynamic port mapping - allows CBAC-supported applications to run on
non-standard ports.
Configurable audit trail and alerts - Cisco IOS Firewall alerts and audit
trails are now configurable on a per-application basis. Java blocking is
also configurable on a modular basis.
The Cisco IOS Firewall feature set has been available in Cisco IOS as of
release 11.2(11)P.
Chris Brenton <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/02/00 06:29 PM
Please respond to cbrenton
To: Steve Kalman <[EMAIL PROTECTED]>
cc: "Eric S. Hines" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Cisco ACL v/s Firewall
Steve Kalman wrote:
>
> Others will give detailed lists, but let me start off with the obvious.
> ACL's can act on any field in the headers from Transport down. They do not
> and cannot act on the contents of the packets.
Agreed, but show me one firewall on the market that implements layer 7
for more than maybe 5-6 protocols? White papers and product
implementations are two different things. Most of what you see on the
market today are plug gateways or stateful filters. With this in mind,
from a straight filtering ability, you don't get much more out of a high
end firewall. What you _do_ get is things like authentication, fail
over, etc. These are features that are not included in any router
product I'm aware of.
> Also, with the exception of
> monitoring syn/ack bits, they are not stateful. With a few exceptions based
> on sequential packets to the same socket, every packet is treated as a new
> case.
This info is a wee bit out of date (well over a year).
Cisco ACL's can be stateful and have had that ability since IOS 11.3
(current is 12.0.9+). Outbound packets are recorded to a state table.
Inbound packets are evaluated against this table and are not allowed
through unless there is a match. You can choose to do only static
filtering, but the ability to do stateful is there as well.
> Firewalls change this behavior. They can notice when DoS or even DDoS
> attacks are taking place.
Again, not quite. Keep an eye on Bugtraq. An upcoming post will show at
least one example of when this is not always the case.
Also, can you give an example of one DoS or DDoS that a firewall can
detect and log but a Cisco router can not?
> They can examine the contents of packets looking
> for phrases such as the virus out last year with a woman's name,
Again, depends on the firewall and the implementation. IMO you're better
off doing this on a dedicated relay which can check content, virus scan,
etc. Some firewalls have this ability as an add on but many do not. Even
if they do, you've now severely limited your product options and
possibly your functionality.
HTH,
Chris
--
**************************************
[EMAIL PROTECTED]
* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
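As an added illustration (not part of either message in this thread), this is what the stateful setup Chris describes looks like in IOS Firewall syntax: a static ACL denies inbound traffic on the outside interface, and CBAC inspection of outbound traffic opens temporary return entries in the state table. The interface name, inspection-rule name, ACL numbers and the Java host address are assumptions, not values from the thread.

```cisco
! Weak, static alternative: "established" only checks the ACK/RST bits,
! so any packet with those bits set passes; there is no state table.
! access-list 101 permit tcp any any established
!
! CBAC inspection rule (name assumed): record outbound TCP/UDP sessions,
! with application-aware handling for FTP (data channel) and HTTP
! (Java applets allowed only from hosts listed in standard ACL 51).
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
ip inspect name FWRULE http java-list 51
!
! Hosts whose Java applets are permitted (assumed address)
access-list 51 permit 192.0.2.10
!
! Audit trail and alerts set globally here; both can also be set per
! application with "ip inspect name FWRULE <proto> audit-trail on".
ip inspect audit-trail
no ip inspect alert-off
!
! Static inbound ACL on the outside interface: drop and log everything
! that CBAC has not dynamically opened as a return entry.
access-list 101 deny ip any any log
!
interface Serial0
 description outside link (assumed interface)
 ip access-group 101 in
 ip inspect FWRULE out
```

Sessions CBAC has opened can be reviewed with "show ip inspect sessions", and the logged denials on ACL 101 are the traffic that had no matching state entry.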