Cisco IOS Firewall Deployment Scenarios

Cisco IOS Firewall Common Deployment Scenarios

http://www.cisco.com/go/iosfirewall


© 2007 Cisco Systems, Inc. All rights reserved.

1

Cisco IOS Firewall Feature Overview

Stateful firewall: Full Layer 3 through 7 deep packet inspection
Flexible embedded application layer gateway (ALG): Dynamic protocol and application engines for seamless granular control
Application inspection and control (AIC): Visibility into both control and data channels to help ensure protocol and application conformance
Virtual firewall: Separation between virtual contexts, addressing overlapping IP addresses
Transparent (Layer 2) firewall: Deploy in existing network without changing the statically defined IP addresses
Intuitive GUI management: Easy policy setup and refinement with CCP and CSM
Resiliency: High availability for users and applications with stateful firewall failover
Interfaces: Most WAN and LAN interfaces

Selected List of Recognized Protocols
• HTTP, HTTPS, and JAVA
• E-mail: POP, SMTP, ESMTP, IMAP
• P2P and IM (AIM, MSN, and Yahoo!)
• FTP, TFTP, and Telnet
• Voice: H.323, SIP, and SCCP
• Citrix: ICA and CitrixImaClient
• IPSec VPN: GDOI and ISAKMP
• Database: Oracle, SQL, and MYSQL
• Multimedia: Apple and RealAudio
• Microsoft: MSSQL and NetBIOS
• Tunneling: L2TP and PPTP


© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential


Cisco IOS Firewall Common Deployment Scenarios

• Internal firewall: branch or small office. Example: retail outlet. IOS Firewall segments the network for compliance requirements in transparent or routed environments, wireless to wired segments.
• Internet connected location: branch or small office. Example: retail store with Wi-Fi hotspot. IOS Firewall separates VPN traffic to corporate headquarters from Internet traffic.
• Virtual firewall: location with co-located partners. Example: retail location with co-located photo kiosk or pharmacy. IOS Firewall supports partners' overlapping IP addresses and secures the shared WAN connection between business partners.
• Transparent firewall: large to medium sized branch office. Example: branch office with many existing network nodes. IOS Firewall provides network protection without disrupting the existing network scheme.
• Securing Unified Communications: branch location with unified communications. Example: any branch office with Voice over IP. IOS Firewall enables trusted media control and helps to prevent impersonation attacks.


Cisco IOS Firewall Deployment Scenario 1: Retail Outlet

[Diagram: PoS, mobile devices and the local LAN sit behind the store router (Cisco® Integrated Services Router); a private WAN connects the store to the head office]

• PCI compliance requires firewalling of Point-of-Sale systems, wired and wireless network segments
• Cisco IOS Firewall creates separate security zones for Point-of-Sale (server/electronic cash register), LAN and wireless LAN network segments
• Cisco has its retail design guide certified through a third party (CyberTrust)


Cisco IOS Firewall Deployment Scenario 2: Retail Outlet with Internet Hotspot

[Diagram: POS and payment devices, the local LAN and Wi-Fi users sit behind the store router (Cisco® Integrated Services Router); an IPSec tunnel over the Internet connects the store to the head office]

• Internet hotspot (Wi-Fi) services open the network to additional risk
• Cisco IOS Firewall creates separate security zones for Point of Sale (server/electronic cash register), LAN and wireless LAN
• Firewall policies segregate and protect the corporate VLANs from the Internet Wi-Fi VLANs
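An added example (not from the slides) of how the separate security zones described in scenarios 1 and 2 look as a Cisco IOS zone-based policy firewall configuration; the zone, class-map, policy-map and interface names and the permitted protocols are assumptions:

```cisco
! Security zones, one per segment named on the slides. Traffic between
! zones is denied unless a zone-pair below permits it (assumed names).
zone security POS
zone security LAN
zone security WLAN
zone security OUTSIDE
! Assumed: store LAN hosts reach PoS servers over HTTPS and SSH only.
class-map type inspect match-any CM-LAN-TO-POS
 match protocol https
 match protocol ssh
!
! Assumed: hotspot guests get web browsing and DNS only.
class-map type inspect match-any CM-WLAN-TO-INET
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect PM-LAN-TO-POS
 class type inspect CM-LAN-TO-POS
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-WLAN-TO-INET
 class type inspect CM-WLAN-TO-INET
  inspect
 class class-default
  drop log
!
! Only these two zone-pairs exist. There is deliberately no WLAN->POS or
! WLAN->LAN pair, so guest traffic toward PoS and LAN hits the default deny.
zone-pair security ZP-LAN-POS source LAN destination POS
 service-policy type inspect PM-LAN-TO-POS
zone-pair security ZP-WLAN-INET source WLAN destination OUTSIDE
 service-policy type inspect PM-WLAN-TO-INET
!
! Assumed interface layout for the store router.
interface GigabitEthernet0/0
 description Point-of-Sale segment
 zone-member security POS
interface GigabitEthernet0/1
 description Store LAN
 zone-member security LAN
interface GigabitEthernet0/2
 description Guest Wi-Fi hotspot
 zone-member security WLAN
interface GigabitEthernet0/3
 description Internet uplink (carries the IPSec tunnel to head office)
 zone-member security OUTSIDE
```

Traffic from the PoS segment to the head office through the IPSec tunnel needs its own zone-pair, which is not shown; `show policy-map type inspect zone-pair` confirms which sessions each pair is inspecting and dropping.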


Cisco IOS Firewall Deployment Scenario 3: Virtual Firewall (VRF-aware Firewall)

[Diagram: the retail store router (Cisco® Integrated Services Router) holds VRF A, VRF B and VRF C serving the photo kiosk, Point-of-Sales and pharmacy segments; IPSec tunnels over the Internet connect to the retail store head office and to the partner photo shop head office]

• Cisco IOS Firewall separates network segments and supports overlapping address space in environments where partners share the same physical location
• Each virtual firewall helps secure a partner's Internet access and isolates risk factors such as a photo kiosk with media card slots
• PCI compliance requires retail stores to firewall wired and wireless network segments as well as Point-of-Sales (PoS) segments


Cisco IOS Firewall Deployment Scenario 4: Transparent Firewall

[Diagram: servers and clients sit behind the branch router (Cisco® Integrated Services Router); an IP WAN connects the branch to the head office]

• The Transparent Cisco IOS Firewall feature allows users to "drop" a Cisco IOS Firewall in front of their existing network without changing the statically defined IP addresses of their network-connected devices
• The tedious and costly overhead that is required to renumber devices on the trusted network is eliminated


Cisco IOS Firewall Deployment Scenario 5: Unified Communications Trusted Firewall

[Diagram: a shared secret is configured in the TRPs and FWs; CUCM; on each side of the IP WAN an endpoint sits behind an access switch with a Trust Relay Point (TRP) and a Cisco IOS Firewall; the STUN/ICE message carries a crypto token, and the FW opens a pinhole after verifying the crypto token]

• Cisco IOS Firewall enables trusted media control and helps to prevent impersonation attacks
• Trusted Firewall authenticates/authorizes calls to ensure pinholes are only opened for legitimate calls
• Trusted Firewall is voice protocol version independent and it secures:
  – encrypted signaling paths
  – asymmetric signaling and media paths


Cisco IOS Firewall Summary

Cisco IOS Firewall:
• Helps meet PCI requirements by segmenting and protecting Point of Sale systems
• Segregates and defends corporate networks from Wi-Fi hotspots connected to the Internet
• Supports overlapping address space in environments where partners share the same physical location
• Provides network protection without disrupting the existing network scheme
• Secures Unified Communications
