The IOS Firewall is a stateful firewall that inspects TCP and UDP packets at the application layer of the OSI model. It watches the outgoing requests (usually to the Internet) and opens reciprocal, inbound ports for the return traffic. As a stateful firewall, the IOS Firewall maintains the state of each of the TCP connections; it allows return traffic back if it allowed it out and if it matches the state information stored for that TCP packet.
The IOS Firewall recognizes many different types of common TCP and UDP traffic, including SMTP, TFTP, FTP, and others. This is important because, as you know, many of these types of traffic aren’t easy to write access control lists (ACLs) for. Those ACLs are open all the time unless you use the established keyword in your ACL. For example, FTP uses both ports 20 and 21 for data and control, and the IOS Firewall knows this.
The IOS Firewall offers these features:
- Traffic filtering:This isn’t only at the port level but also at the application level.
- Traffic inspection:Considered a core firewall feature, this keeps the state of the TCP connection and prevents unauthorized access.
- Alerts and audit trails:This offers real-time alerts and syslog audit trails.
- Intrusion prevention:It includes an intrusion detection system that covers 59 of the most common attack signatures — a very cool feature.
Why do I need an IOS Firewall if I have Cisco IOS ACLs?
Over the years, I’ve written a lot of articles about Cisco IOS ACLs. Every Cisco administrator out there needs to master ACLs because so many functions of the Cisco IOS use them.
In fact, to configure the IOS Firewall, you still need to understand how to use ACLs.
Configure the IOS Firewall
To begin, first make sure you have the proper IOS. If you have an IOS that includes the IOS Firewall, enter the ip inspect ? command at the Global Configuration Mode prompt, which will return a list of options, as shown in Figure A.
If the router returns the following, it means you don’t have the IOS Firewall:
% Unrecognized Command
Let’s configure the basic IOS Firewall traffic inspection and filtering. Please note that you should configure this first on a test system with test traffic — an improperly configured firewall can halt all network communications.
Follow these steps:
- Choose an interface.To protect your network from the Internet, choose the external WAN public interface.
- Configure and apply an ACL.(Here’s one reason why knowing how to work with ACLs is so important.) This ACL should blockeverything you want to permit with the IOS Firewall. Here’s the simplest example possible:
Router(config)# access-list 100 deny tcp any any Router(config)# access-list 100 deny udp any any Router(config)# access-list 100 deny ip any any
Next, apply this to the external interface in the inbound direction, as shown below:
Router(config)# interface FastEthernet4 Router(config-if)# ip access-group 100 in
- Create your firewall inspection rule.Now you need to define what protocols to inspect and monitor the statefulness of with your firewall.
Let’s say you want to monitor, inspect, and filter not only TCP and UDP but also Citrix ICA, Real Audio, and FTP. You would use these inspection rules:
Router(config)# ip inspect name myfirewall tcp Router(config)# ip inspect name myfirewall udp Router(config)# ip inspect name myfirewall ica Router(config)# ip inspect name myfirewall icabrowser Router(config)# ip inspect name myfirewall realaudio Router(config)# ip inspect name myfirewall ftp
Note: Some protocols use multiple port numbers, or the port numbers use a large range, which makes it more difficult when creating an ACL. However, because IOS Firewall works at the application layer, it can recognize these protocols much easier.
- Apply the inspection rule.Next you need to apply the inspection rule to your interface in the outdirection. This monitors the traffic that’s going out and dynamically creates inbound openings in your ACL, which would otherwise deny the traffic. Here’s an example:
Router(config-if)# ip inspect myfirewall out
At this point, your firewall should be active and working.
- Configure logging and auditing. Now you can configure logging and auditing of your firewall traffic. Assuming you’ve already configured logging, you could do something like this:
Router(config)# ip inspect audit-trail
- View the status of your firewall.Here are some of the commands you can use to verify the operation of the IOS Firewall:
- show ip access-lists(This should show you the dynamic ACL entries when the firewall is opening inbound ports for the return of outbound traffic.)
- show ip inspect name
- show ip inspect config
- show ip inspect interfaces
- show ip inspect all
Of course, the best way to really test your firewall is to perform a port scan from the outside (or Internet, in this case).
For more information on configuring the Cisco IOS Firewall, check out Cisco’s official documentation: Configuring Cisco IOS Firewall (IOS 12.4).
The IOS Firewall is a very powerful feature that may already be available on your router. While this may not be a solution for Internet protection at very large enterprises, the IOS firewall is an excellent firewall for small and midsize businesses. To make IOS Firewall configuration even easier, you can also configure it with a GUI using Cisco’s SDM Firewall Policy Wizard.