Cisco IOS Firewall Common Deployment Scenarios cisco com/go/iosfirewall
advertisement
Cisco IOS Firewall Common Deployment Scenarios http://www cisco com/go/iosfirewall http://www.cisco.com/go/iosfirewall Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. 1 Cisco IOS Firewall Feature Overview Stateful firewall: Full Layer 3 through 7 deep packet inspection Flexible embedded application layer gateway (ALG) Dynamic (ALG): D i protocol t l and d application li ti engines i for seamless granular control Application inspection and control (AIC): Visibility into both control and data channels to help ensure protocol and application conformance Virtual firewall: Separation between virtual contexts, addressing overlapping IP addresses Selected List of Recognized Protocols HTTP, HTTPS, and JAVA E-mail: POP, SMTP, ESMTP, IMAP P2P and IM ((AIM,, MSN,, and Yahoo!) FTP, TFTP, and Telnet Transparent (Layer 2) firewall: Deploy in existing network without changing the statically defined IP addresses Voice: H.323, SIP, and SCCP Intuitive GUI management: Easy policy setup and refinement with CCP and CSM Citrix: ICA and CitrixImaClient Resiliency: R ili Hi h availability High il bilit ffor users and d applications with stateful firewall failover IPSec VPN: GDOI and ISAKMP Interfaces: Most WAN and LAN interfaces Database: Oracle, SQL, and MYSQL Multimedia: Apple pp and RealAudio Microsoft: MSSQL and NetBIOS Tunneling: L2TP and PPTP Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 Cisco IOS Firewall Common Deployments Scenarios Internal firewall: branch or small office Example: Retail outlet IOS Firewall Fi ll segments t the th network t k for f compliance li requirements i t in i transparent t t or routed t d environments, wireless to wired segments Internet connected location: branch or small office Example: p Retail store with wi-fi hotspot p IOS Firewall separates VPN traffic to corporate headquarters and Internet traffic Virtual firewall: location with co-located partners Example: p retail location with co-located p photo kiosk or p pharmacy y IOS Firewall supports partners’ overlapping IP addresses and secures the shared WAN connection between business partners Transparent p firewall: large g to medium sized branch office Example: branch office with many existing network nodes IOS Firewall provides network protection without disrupting the existing network scheme Securing Unified Communications: branch location with unified communications i ti Example: any branch office with Voice over IP IOS Firewall enables trusted media control and helps to prevent impersonation attacks Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3 Cisco IOS Firewall Deployment Scenario 1 Retail Outlet PoS Store Router Private WAN Local LAN Head Office Cisco® Integrated Services Router Mobile devices PCI compliance requires firewalling of Point-of-Sale systems, wired and wireless network segments Cisco IOS Firewall creates separate security zones for Point-of-Sale (Server/Electronic Cash register), LAN and wireless LAN network segments Cisco has its retail design guide certified through a third party (CyberTrust) Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4 Cisco IOS Firewall Deployment Scenario 2 Retail Outlet with Internet Hotspot p POS Store Router IPSec Tunnel Local LAN Internet Wi-Fi Users Payment Head Office Cisco® Integrated Services Router Devices Internet Hotspot (Wi-Fi) services opens the network to additional risk Cisco IOS Firewall creates separate security zones for Point of Sale (Server/Electronic Cash register), LAN and wireless LAN Firewall policies segregate and protect the corporate vlans and the Internet Wi-Fi vlans Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 5 Cisco IOS Firewall Deployment Scenario 3 Virtual Firewall (VRF-aware (VRF aware Firewall) VRF A Photo kiosk Store Router IPSec Tunnel VRF B Internet Point-of-Sales VRF C Pharmacy Retail Store Head Office Cisco® Integrated Services Router Partner – Photo Shop Head Office Cisco IOS Firewall separates network segments and supports overlapping address space in environments where partners share the same physical location Each virtual firewall helps secure a partner’s Internet access and isolates risk factors such as a photo kiosk with media card slots PCI compliance requires retail stores to firewall wired and wireless network segments as well as Point-of-Sales (PoS) segments Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6 Cisco IOS Firewall Deployment p y Scenario 4 Transparent Firewall Servers Branch Router IP WAN Clients Cisco® Integrated Services Router Head Office The Transparent Cisco IOS Firewall feature allows users to "drop" a Cisco IOS Firewall in front of their existing network without changing the statically defined IP addresses of their networkconnected devices Th The tedious t di and d costly tl overhead h d that th t iis required i d tto renumber b devices on the trusted network is eliminated Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 7 Cisco IOS Firewall Deployment Scenario 5 Unified Communications Trusted Firewall Shared secret configured in TRPs and FWs CUCM STUN/ICE message with crypto token FW opens pinhole after verifying crypto token IP WAN Endpoint Cisco IOS Firewall Access with Trust Relay Point (TRP) Switch Cisco IOS Firewall Access with TRP Switch Endpoint Cisco IOS Firewall enables trusted media control and helps to prevent impersonation attacks Trusted T t d Firewall Fi ll authenticates/authorizes th ti t / th i calls ll tto ensure pinholes i h l are only opened for legitimate calls Trusted Firewall is voice protocol version independent and it secures – encrypted signaling paths – asymmetric signaling and media paths Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 8 Cisco IOS Firewall Summary Cisco IOS Firewall Helps meet PCI requirements by segmenting and protecting Point of Sale systems S Segregates and defends f corporate networks from f Wi-Fi hotspots connected to the Internet Supports overlapping address space in environments where partners share the same physical location Provides network protection without disrupting the existing network scheme Secures Unified Communications Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10
