CCNA Security - Defending the perimeter

This section of the chapter excerpt from "CCNA Security Official Exam Certification Guide" introduces how to set up and administrate your router to defend your network perimeter.


Solution provider takeaway: The CCNA Security Official Exam Certification Guide is a Cisco exam study guide that focuses specifically on the objectives of the CCNA Security IINS exam. This chapter of the book introduces router and perimeter security.


In addition to Cisco firewall, virtual private network (VPN), and intrusion prevention system (IPS) appliances that can sit at the perimeter of a network, Cisco IOS routers offer perimeter-based security. For example, the Cisco Integrated Services Routers (ISR) can be equipped to provide high-performance security features, including firewall, VPN termination, and IPS features, in addition to other services such as voice and quality-of-service (QoS) services. This chapter introduces various ISR models.

Because perimeter routers can be attractive targets for attack, they should be configured to secure administrative access. Therefore this chapter also discusses specific approaches to "harden" administrative access to ISRs.

Configuring advanced ISR router features can be a complex process. Fortunately, many modern Cisco routers can be configured using the graphical Cisco Security Device Manager (SDM) interface. SDM contains multiple wizard-like configuration utilities, which are introduced in this chapter.

ISR Overview and Providing Secure Administrative Access

This section begins by introducing the security features offered in the Cisco line of ISR routers. Additional hardware options for these routers are also discussed. Then, with a foundational understanding of the underlying hardware, you will learn a series of best practices for securing administrative access to a router. For example, a router can be configured to give different privilege levels to different administrative logins.
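The privilege-level approach previewed here can be shown as an IOS configuration fragment. This is an added example, not configuration from the book: the hostname, domain name, account names and the set of commands granted to level 5 are assumptions, and every secret is a placeholder to be replaced.

```cisco
! Added example (not from the book). Hostname, domain, usernames and the
! level-5 command set are assumed; replace every <...> placeholder.
hostname PerimeterRtr
ip domain-name example.com
!
! Level-15 (privileged EXEC) secret, stored as a one-way hash
enable secret <level15-secret>
!
! Separate administrative logins with different privilege levels
username netadmin privilege 15 secret <admin-secret>
username operator privilege 5 secret <operator-secret>
!
! Custom level 5: operators may view the configuration and interface
! state but cannot enter configuration mode
privilege exec level 5 show running-config
privilege exec level 5 show ip interface brief
enable secret level 5 <level5-secret>
!
! Remote administration over SSH only; Telnet is refused on the VTY lines
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
 exec-timeout 5 0
!
! Console access also uses the local user database and idles out
line con 0
 login local
 exec-timeout 5 0
!
! Slow down password guessing and record failed attempts
security passwords min-length 10
login block-for 120 attempts 3 within 60
login on-failure log
!
! Obscure any remaining plaintext passwords in the running configuration
service password-encryption
```

After logging in as the operator account, show privilege confirms level 5, and show ip ssh confirms that SSH version 2 is enabled. Note that service password-encryption only applies reversible Type 7 obfuscation; the secret forms above, which store hashes, are the ones to rely on for the enable and username credentials.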

IOS Security Features

Although they are not a replacement for dedicated security appliances in large enterprise networks, modern Cisco routers, such as the ISR series, offer multiple integrated security features. Table 3-2 provides examples of these features, which vary by IOS feature set.

Feature | Description
--- | ---
Stateful firewall | The Cisco IOS firewall feature allows an IOS router to perform stateful inspection of traffic (using Context-Based Access Control [CBAC]), in addition to basic traffic filtering using access control lists (ACL).
Intrusion Prevention System | The IOS Intrusion Prevention System (IPS) feature can detect malicious network traffic inline and stop it before it reaches its destination.
VPN Routing and Forwarding-aware (VRF-aware) firewall | A VRF-aware firewall maintains a separate routing and forwarding table for each VPN, which helps eliminate issues that arise from more than one VPN using the same address space.
Virtual private networks | Cisco IOS routers can participate in virtual private networks (VPN). For example, a router at a headquarters location and at a branch office location could interconnect via an IPsec-protected VPN. This approach would allow traffic to pass securely between those sites, even if the VPN crossed an "untrusted" network, such as the Internet.

Cisco Integrated Services Routers

Cisco offers a series of routers called Integrated Services Routers (ISR). As their name suggests, these routers integrate various services (such as voice and security services) into the router architecture. Although Cisco offers a wide range of router platforms, ISR models are easy to identify, because the last three digits of their model begin with the number 8. As shown in Figure 3-1, the ISR family of routers includes the 800 series, 1800 series, 2800 series, and 3800 series.

Cisco 800 Series

The Cisco 800 series of ISRs is designed for teleworkers and small-office environments. These routers can connect to the Internet via a cable modem or DSL modem connection and offer secure connections over the Internet. Table 3-3 contrasts some of the features available in the Cisco 850 and 870 series of ISRs.

Feature | Cisco 850 Series | Cisco 870 Series
--- | --- | ---
WAN technology support | ADSL Annex A (Cisco 857) | ADSL Annex B (Cisco 876), ADSL Annex A (Cisco 877), G.SHDSL (Cisco 878)
Built-in routed/WAN Ethernet | One 10/100 WAN (Cisco 851) | One 10/100 WAN (Cisco 871)
Integrated cryptographic hardware | Yes | Yes
Maximum flash memory | 20 MB | 52 MB
Maximum SRAM | 64 MB | 256 MB
Support for Cisco Security Device Manager (SDM) | Yes | Yes
Maximum number of VPN tunnels | 10 | 20
Stateful firewall support | Yes | Yes
Intrusion Prevention System (IPS) support | No | Yes

Cisco 1800 Series

The Cisco 1800 series of ISRs is designed for small businesses and smaller enterprise branch offices. These routers are designed for connectivity via cable modem/DSL, Metro Ethernet, and wireless technologies. Table 3-4 contrasts some of the features available in the Cisco 1800 and 1841 series of ISRs.

Feature | Cisco 1800 Series (Fixed Interface) | Cisco 1841 Series (Modular)
--- | --- | ---
WAN technology support | ADSL Annex A (Cisco 1801), ADSL Annex B (Cisco 1802), G.SHDSL (Cisco 1803) | ADSL and optional G.SHDSL WICs
Built-in routed/WAN Ethernet | One 10/100 (Cisco 1801-1803); Two 10/100 (Cisco 1811, 1812) | Two 10/100
Integrated cryptographic hardware | Yes | Yes
Maximum flash memory | 128 MB | 128 MB
Maximum SRAM | 384 MB | 384 MB
Support for Cisco Security Device Manager (SDM) | Yes | Yes
Maximum number of VPN tunnels | 50 | 800
Stateful firewall support | Yes | Yes
Intrusion Prevention System (IPS) support | Yes | Yes

Cisco 2800 Series

The Cisco 2800 series of ISRs is designed for small-to-medium businesses and enterprise branch offices. These routers can securely provide voice, data, and video services. Table 3-5 contrasts some of the features available in the Cisco 2801, 2811, 2821, and 2851 series of ISRs.

Feature | Cisco 2801 Series | Cisco 2811 Series | Cisco 2821 Series | Cisco 2851 Series
--- | --- | --- | --- | ---
WAN technology support | ADSL and optional G.SHDSL WICs | ADSL and optional G.SHDSL WICs | ADSL and optional G.SHDSL WICs | ADSL and optional G.SHDSL WICs
Built-in routed/WAN Ethernet | Two 10/100 | Two 10/100 | Two 10/100/1000 | Two 10/100/1000
Integrated cryptographic hardware | Yes | Yes | Yes | Yes
Maximum flash memory | 128 MB | 256 MB | 256 MB | 256 MB
Maximum SRAM | 384 MB | 769 MB | 1024 MB | 1024 MB
Support for Cisco Security Device Manager (SDM) | Yes | Yes | Yes | Yes
Maximum number of VPN tunnels | 1500 | 1500 | 1500 | 1500
Stateful firewall support | Yes | Yes | Yes | Yes
Intrusion Prevention System (IPS) support | Yes | Yes | Yes | Yes

Cisco 3800 Series

The Cisco 3800 series of ISRs is designed for medium to large businesses and enterprise branch offices. These routers offer multiple security, IP telephony, video, network analysis, and web application features. Table 3-6 contrasts some of the features available in the Cisco 3825 and 3845 series of ISRs.

Feature | Cisco 3825 Series | Cisco 3845 Series
--- | --- | ---
WAN technology support | ADSL and optional G.SHDSL WICs | ADSL and optional G.SHDSL WICs
Built-in routed/WAN Ethernet | Two 10/100/1000 | Two 10/100/1000
Integrated cryptographic hardware | Yes | Yes
Maximum flash memory | 256 MB | 256 MB
Maximum SRAM | 1024 MB | 1024 MB
Support for Cisco Security Device Manager (SDM) | Yes | Yes
Maximum number of VPN tunnels | 2000 | 2500
Stateful firewall support | Yes | Yes
Intrusion Prevention System (IPS) support | Yes | Yes

ISR Enhanced Features

Although traditional Cisco routers (that is, non-ISRs) offer features similar to those highlighted in the preceding tables, ISRs are unique in that they contain integrated hardware components (that vary by platform) to enhance performance. For example, most ISR models include the following enhancements:

  • Integrated VPN acceleration: By using dedicated hardware for VPN encryption, ISRs reduce the overhead placed on a router's processor, thereby increasing VPN performance and scalability. Specifically, the built-in VPN acceleration hardware supports 3DES and Advanced Encryption Standard (AES).
  • Dedicated voice hardware: IP telephony applications often use digital signal processors (DSP) to mix multiple voice streams in a conference. They also encrypt voice packets and convert between high-bandwidth and low-bandwidth codecs (that is, a coder/decoder, such as G.711 and G.729, which specify how voice samples are digitally represented in a voice packet). Voice traffic uses Real-time Transport Protocol (RTP), a Layer 4 protocol, to transport voice in a network. For increased security, Secure RTP (SRTP) can be used, which provides AES encryption for voice. However, because of the processor overhead required for SRTP's encryption, dedicated DSP hardware is required. Fortunately, ISRs can use packet voice DSP modules (PVDM) to take over the processing of such tasks.

The Cisco 2800 series of ISRs can use PVDM2 modules with onboard voice interface cards (VIC). Additionally, PVDM2 modules can be inserted into Cisco High-Density Analog (HDA) network modules and the Cisco Digital Extension Module for Voice and Fax, which can be inserted into the Cisco 2821, 2851, 3825, and 3845 ISR models.

  • Advanced Integration Modules: Cisco offers a variety of Advanced Integration Modules (AIM), which can offload processor-intensive tasks from a router's processor. For example, AIMs can be used for VPN processing, including a variety of standards for encryption, authentication, and data integrity. The following are some AIM models:
    • AIM-VPN/BPII-PLUS: Used in Cisco 1800 series ISRs, which can support a single AIM
    • AIM-VPN/EPII-PLUS: Used in Cisco 2800 series ISRs and the Cisco 3825 ISR, all of which can accommodate two AIMs
    • AIM-VPN/HPII-PLUS: Used in the Cisco 3845 ISR, which supports two AIMs
  • USB port: All Cisco ISRs, with the exception of the Cisco 850 ISR, include one or two Universal Serial Bus (USB) ports. These ports can be used with a USB flash drive to store IOS images or configuration files. Also, from a security perspective, a USB eToken containing a signed digital certificate can be inserted for VPN use.

WAN connectivity network modules such as the WIC-2T, WIC-1B, and VWIC-1MFT offer flexibility in how various ISRs connect to the WAN. Here are some examples of other network modules supported on various ISR models:

  • Cisco HWIC-AP: An IEEE 802.11 wireless module supporting a variety of wireless standards.
  • Cisco IDS Network Module: Includes a hard drive containing multiple signatures of well-known attacks. Can be used to detect and subsequently prevent malicious traffic.
  • Cisco Content Engine: Includes either a 40-GB or 80-GB hard drive for caching web content. This makes it available for quick retrieval by local clients, as opposed to the client having to retrieve all the information from the web.
  • Cisco Network Analysis Module (NAM): Provides a detailed analysis of traffic flow.

About the book

CCNA Security Official Exam Certification Guide is an exam prep book that focuses on the objectives for the CCNA Security IINS exam. Purchase the book from Prentice Hall.

Copyright 2008, Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.


This was first published in October 2008
