The Cisco IOS Firewall Feature Set

Implementing network-wide security can be daunting, depending upon the size and the business of the company. The cost in ease of use and in resources to implement a network security policy must be weighed against the costs and possibility of network security breaches. Fortunately, the Cisco IOS Firewall Feature Set is designed for organizations that cannot use a traditional firewall due to financial constraints or implementation complexity. Anu Tewari tells how this feature set can help companies guard against security breaches.

Limitations of CBAC

Before implementing CBAC, it is important to weigh the limitations of CBAC against the business and engineering requirements of the organization. Administrators should also understand the features that CBAC does not support:

  • Protocol support—CBAC inspects only TCP and UDP packets. No other protocol is inspected.

  • ICMP support—CBAC discards all forms of ICMP packets.

  • Redundancy—CBAC doesn't provide stateful redundancy. If a router fails or traffic is routed around it, all the CBAC session information is lost.

  • Asymmetry—Return traffic that does not take the same path as the outbound traffic is dropped by the CBAC inspection rule. These asymmetric traffic patterns are not supported by the IOS firewall.

  • FTP—CBAC allows FTP data channels only with a destination port in the range 1,024 to 65,535. Also, CBAC does not permit third-party FTP connections.

  • SMTP—EXPN and VRFY commands on SMTP connections are permitted by CBAC, even though some administrators consider them dangerous.

  • IPSec support—IPSec packets are not inspected by CBAC because CBAC inspects only TCP and UDP packets. IPSec can still be used on a router running CBAC by applying the CBAC inspection rule to an interface other than the one used for encrypting or decrypting IPSec traffic.

CBAC doesn't support Websense, reflexive access lists, or TCP Intercept.
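The following is an added example, not configuration from the article, showing how two of the limitations above shape a minimal CBAC deployment: because only TCP and UDP sessions get dynamic return entries, ICMP replies to internal hosts must be permitted statically in the outside filter, and the inspection rule is kept on the inside interface rather than on an interface carrying IPSec. Interface names and the 192.0.2.0/24 and 198.51.100.0/30 addresses are assumed for illustration.

```cisco
! Inspection rule: TCP and UDP are tracked statefully; the ftp keyword
! lets CBAC open the FTP data channel within the 1,024-65,535 range.
ip inspect name INSIDE_OUT tcp
ip inspect name INSIDE_OUT udp
ip inspect name INSIDE_OUT ftp
!
! Inbound filter on the outside interface. CBAC inserts temporary
! permit entries for returning TCP/UDP sessions ahead of this list,
! so the static list only needs what CBAC will never open: return
! ICMP for internal hosts, which CBAC does not track and would
! otherwise discard.
ip access-list extended OUTSIDE_IN
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 deny   ip any any log
!
interface GigabitEthernet0/0
 description inside (assumed 192.0.2.0/24)
 ip address 192.0.2.1 255.255.255.0
 ! Inspect sessions as they arrive from the inside. Keep this rule off
 ! any interface used for IPSec, since IPSec traffic is not inspected.
 ip inspect INSIDE_OUT in
!
interface GigabitEthernet0/1
 description outside (assumed 198.51.100.0/30)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE_IN in
```

`show ip inspect sessions` lists the dynamic TCP/UDP entries CBAC has created; no entry will ever appear for ICMP, which is why the static permits above are required.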

