New Member

FW options for Cisco IOS

Hi!

Our company is planning to deploy a corporate network with a Cisco 3660 and a PIX 515 in the center. What can we lose if we order Cisco IOS for the 3660 without FW options? I hear "standard" IP IOS already has some facilities for filtering? What additional features (over IP-only IOS) do the FW IOS options provide?

  • Other Security Subjects
5 REPLIES
New Member

Re: FW options for Cisco IOS

FW IOS is completely different from the standard IP IOS security features. With a stateful FW you can set up your router to accept traffic from the Internet only if the session has been initiated from the inside network. The router keeps track of a session and only valid traffic will be passed on. The router not only looks at the layer 3/4 information, but it will also use layer 7 information if required (FTP, H.323, RealAudio, etc.). I haven't even mentioned the (limited) Intrusion Detection System included in the software.

To be short, the Cisco IOS FW goes far beyond the traditional ACL and is strongly recommended as a minimum level of network security (PIX would be better).
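The difference described in the reply above, as an added example that is not part of the original post and is not Cisco's implementation: a small Python model that compares a stateless ACL-style check (in the spirit of the ACL `established` match on the ACK/RST bits) with a session table that admits inbound packets only for flows an inside host opened. All addresses, ports and names are constructed for the illustration, and layer 7 inspection is not modelled.

```python
# Added illustration; every name, address and port here is constructed.
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

def static_acl_permits(pkt: Packet) -> bool:
    """Stateless check: inbound TCP passes if ACK or RST is set.
    The filter has no memory of earlier packets."""
    return bool(pkt.flags & {"ACK", "RST"})

class StatefulInspector:
    """Minimal session table: inbound traffic passes only if it is the
    reverse direction of a flow that an inside host opened first."""
    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt: Packet) -> bool:
        if pkt.flags == {"SYN"}:  # inside host opens a new session
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False          # no matching session: drop
        if "RST" in pkt.flags:    # session torn down: forget it
            self.sessions.discard(key)
        return True

INSIDE, SERVER, OTHER = "10.1.1.10", "192.0.2.80", "198.51.100.7"
SYN = Packet(INSIDE, 40000, SERVER, 80, frozenset({"SYN"}))
SYN_ACK = Packet(SERVER, 80, INSIDE, 40000, frozenset({"SYN", "ACK"}))
UNSOLICITED = Packet(OTHER, 80, INSIDE, 40001, frozenset({"ACK"}))

def compare() -> dict:
    """Run the same inbound packets through both filters."""
    fw = StatefulInspector()
    fw.outbound(SYN)
    return {
        "reply_acl": static_acl_permits(SYN_ACK),
        "reply_stateful": fw.inbound(SYN_ACK),
        "unsolicited_acl": static_acl_permits(UNSOLICITED),
        "unsolicited_stateful": fw.inbound(UNSOLICITED),
    }

if __name__ == "__main__":
    print(compare())
```

The legitimate reply passes both filters, while the inbound packet with no matching session passes the stateless check and is dropped by the session table.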

New Member

Re: FW options for Cisco IOS

Thanks. But if we also take a PIX, is IP-only IOS enough to protect the Cisco routers themselves?

New Member

Re: FW options for Cisco IOS

The PIX will protect anything behind it. So if your router is outside, the PIX can’t protect it. Basic IP is fine even in this application though. For greater security on the outside router, don’t allow telnet access to the serial interface and number your DMZ (between the PIX and the router) with 10-dot addresses (RFC 1918). Of course you’ll have to put static routes in the router pointing back at the PIX for the NAT’d networks.

New Member

Re: FW options for Cisco IOS

I plan to purchase a PIX 515 unrestricted and place the DMZ on the third Ethernet line in the PIX.

New Member

Re: FW options for Cisco IOS

I wouldn't worry about security with the PIX behind the 3660. I would just build an access list to keep people out of the router: block Telnet and maybe ICMP.
