There are four types of firewall: firewall functions integrated into a router, firewall functions integrated into a proxy server, dedicated software firewalls, and dedicated combined hardware/software firewalls. Cisco's firewall solutions cover the first and fourth of these: routers with integrated firewall features, and the dedicated hardware/software firewall.
I. Firewall technology integrated in the router
1. ACL technology, standard in the router's IOS
ACLs (Access Control Lists, or simply access lists) are the foundation of the IOS Firewall Feature Set described below. They are also part of the standard configuration of IOS (Internetwork Operating System), the operating system that gives all Cisco routers a unified interface. This means that the ACL function is available as soon as the router is purchased; nothing extra needs to be bought.
2. IOS Firewall Feature Set
The IOS Firewall Feature Set is a further step up in security control built on ACLs. It is an add-on package specifically for firewall functionality, obtained through an IOS upgrade, and can be loaded onto multiple Cisco router platforms.
Currently the firewall package is available for the Cisco 1600, 1700, 2500, 2600 and 3600 router platforms, all in the low-end series. It meets the needs of many small and medium-sized users who prefer an "all-in-one" (integrated) solution and want to simplify management. Integrated firewall functionality is deliberately not implemented on high-end devices, so as not to interfere with the core job of the backbone routers of large networks: data forwarding. In such networks a dedicated firewall device should be used.
Cisco IOS firewall features:
• Context-Based Access Control (CBAC) provides application-layer security filtering for advanced applications and supports the latest protocols
• Java blocking prevents the download of applets from untrusted sources
• Denial-of-service detection and prevention, added on top of the existing functionality, increases protection
• After suspicious behaviour is detected, alerts and system-log error messages can be sent to the central management console in real time
• TCP/UDP transaction records track user access by source/destination address and port
• Configuration and management features work closely with existing management applications
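The following IOS configuration is an added example, not from the original article, showing how the features listed above fit together on a low-end router: a CBAC inspection rule with Java applet filtering, denial-of-service thresholds, audit-trail logging to a central console, and an ACL on the outside interface. It assumes Serial0 faces the Internet, Ethernet0 faces the LAN, 10.1.1.5 is the management console and 192.0.2.0/24 is a trusted applet source; all addresses are constructed placeholders.

```cisco
! Added example configuration, not from the original article.
! Assumes: Serial0 = Internet side, Ethernet0 = LAN, 10.1.1.5 = syslog
! console, 192.0.2.0/24 = trusted applet source (constructed addresses).
!
! Send CBAC alerts and audit-trail records to the central console
logging 10.1.1.5
logging trap informational
ip inspect audit-trail
!
! Denial-of-service thresholds for half-open (embryonic) TCP sessions
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Standard ACL 51 lists the sites whose Java applets may be downloaded;
! applets from any other site are blocked by the http inspection rule
access-list 51 permit 192.0.2.0 0.0.0.255
!
! CBAC inspection rule: track outbound sessions and open only the
! matching return path in the inbound ACL while the session lives
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http java-list 51
!
! Extended ACL 101 is the static inbound filter on the outside interface;
! anything not dynamically permitted by CBAC is denied and logged
access-list 101 deny icmp any any log
access-list 101 deny ip any any log
!
interface Ethernet0
 description inside LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0
 description outside / Internet
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip inspect FW out
```

Outbound sessions from the LAN are inspected as they leave Serial0, and CBAC inserts temporary entries ahead of access-list 101 so only their replies get back in.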
Order information
Cisco 1600 series Cisco IOS firewall features:
  IP/Firewall            cd16-bw/ew/ch-11.3=
  IP/Firewall            cd16-by/ey/ch-11.3=
  IP/IPX/Firewall Plus   cd16-c/bhp-11.3=
Cisco 2500 series Cisco IOS firewall features:
  IP/Firewall                     cd25ch-11.2=
  IP/IPX/AT/DEC/Firewall Plus     cd25-bhp-11.2=
II. The dedicated firewall: PIX
PIX (Private Internet eXchange) belongs to the fourth of the four firewall classes: a combined hardware/software firewall designed to meet demanding security requirements and provide rigorous, robust protection at a better price/performance ratio. In addition to the common features of this fourth class, it includes the functionality of the IOS Firewall Feature Set.
PIX has long been Cisco's flagship product in the field of network security, and its hardware and software architecture has developed considerably. The PIX is now offered in the 515 and 520 models (the 520 series has greater capacity than the 515 series). It has grown from supporting only two 10M Ethernet interfaces to 10/100M Ethernet, Token Ring and FDDI, for multimedia and multi-port (up to 4) applications. Its dedicated operating system, starting with v5.0, supports the IPSec standard tunnelling technology, enabling PIX to build standards-based VPN connections together with many other devices.
Cisco's PIX firewall can support more than 16,000 simultaneous TCP sessions and tens of thousands of users without impacting user performance. Under rated load the PIX firewall runs at 45Mbps, i.e. T3 speed, which is 10 times faster than a Unix-based firewall.
Main features:
• Protection based on the Adaptive Security Algorithm (ASA) provides a level of security that no other firewall can match
• The patented Cut-Through Proxy feature delivers high performance unmatched by traditional proxy servers
• Simple installation and easy maintenance, reducing acquisition cost
• Supports 64 simultaneous connections, expandable to 16,000 as the enterprise grows
• Transparently supports all common TCP/IP Internet services, such as the World Wide Web (WWW), File Transfer Protocol (FTP), Telnet, Archie, Gopher and Rlogin
• Supports multimedia data types, including Progressive Networks' RealAudio, Xing Technology's StreamWorks, White Pine's CU-SeeMe, VocalTec's Internet Phone, VDOnet's VDOLive, Microsoft's NetShow and Uxtreme's Web Theater 2
• Supports H.323-compliant videoconferencing applications, including Intel's Internet Video Phone and Microsoft NetMeeting
• No downtime is required for installation
• No need to upgrade any host or router
• Internal hosts with unregistered addresses can fully access the external Internet
• Interoperates with Cisco IOS-based routers
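As an added example (not from the original article or from Cisco), the PIX configuration below shows the two features above that most affect a deployment: ASA security levels on the inside and outside interfaces, and address translation so that inside hosts with unregistered addresses reach the Internet. It assumes PIX 5.x syntax, an inside network 10.0.0.0/24, a registered outside block 203.0.113.0/24 and a syslog host at 10.0.0.5 (all constructed placeholders); the lines beginning with ! are explanatory comments and are not part of the PIX command set.

```cisco
! Added example PIX 5.x configuration, not from the original article.
! Assumes: inside 10.0.0.0/24 (unregistered), outside 203.0.113.0/24
! (registered), syslog host 10.0.0.5 (all constructed addresses).
!
! ASA security levels: sessions from a higher-security interface to a
! lower one are allowed and their return traffic is tracked; the reverse
! direction is denied unless explicitly configured
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
!
! Translate unregistered inside hosts to a registered pool on the way
! out, so hosts never assigned public addresses still reach the Internet
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.100 netmask 255.255.255.0
!
! Default route toward the Internet provider
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Log connection build-up and teardown to the inside syslog host
logging on
logging trap informational
logging host inside 10.0.0.5
```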
Order information
  64-way PIX                         pix-64-a-ch    with 2 10/100BaseT NICs
  1024-way PIX                       pix1k-a-ch     with 2 10/100BaseT NICs
  16K-way (unlimited) PIX            pixur-a-ch     with 2 10/100BaseT NICs
  64-way 200MHz PIX                  pix64-b-ch     with 2 10/100BaseT NICs
  1024-way 200MHz PIX                pix1k-b-ch     with 2 10/100BaseT NICs
  16K-way 200MHz PIX                 pixur-b-ch     with 2 10/100BaseT NICs
  10/100Mbps Ethernet interface, RJ45    pix-1fe=
  4/16Mbps Token Ring interface          pix-1tr=
  PIX software version upgrade           swpix-ver=
Comparison of the two firewall technologies

                 IOS Firewall Feature Set                     PIX Firewall
Network size     Small and medium-sized networks, for         Large networks, supporting applications
                 applications with fewer than 250 nodes       with more than 500 users