Firewalls are a very important component of any network security framework, and it is no surprise that Cisco offers firewall solutions in different shapes and forms:

  • Cisco IOS Firewalls
  • Cisco PIX 500 Series of Firewalls
  • Cisco ASA 5500 series Adaptive Security Appliances
  • Cisco Firewall Services Module

The following sections describe these platforms in more detail.

Cisco IOS Firewalls

A Cisco IOS firewall is a specialized feature of Cisco IOS Software that runs on Cisco routers. It is a firewall product that is meant for small and medium-sized businesses as well as enterprise branch offices.

The earlier Cisco IOS firewall feature was called Context-Based Access Control (CBAC), which applied policies through inspect statements and access control lists (ACLs) configured between interfaces. The Zone-Based Policy Firewall (ZBPFW) is the newer Cisco implementation of a router-based firewall that runs in Cisco IOS Software. It was introduced in Cisco IOS Release 12.4(6)T and takes advantage of many new features that make configuring and implementing a firewall easier than before. The following are some of the important features of a Cisco IOS Firewall:

  • Zone-based policy framework for easy-to-understand policy management
  • Controlling traffic for Web, email, and other applications
  • Instant messenger and peer-to-peer application filtering
  • Controlling traffic for Voice over IP (VoIP) protocols
  • Wireless integration
  • Support for local URL whitelists and blacklists

A firewall is basically used to enforce an access policy between different security domains. With the ZBPFW feature, these security domains are called security zones. With the earlier Context-Based Access Control (CBAC) feature, the security domains were simply router interfaces. So, one of the main differences between a firewall using CBAC and one using ZBPFW is the use of security zones: interfaces are assigned to zones, and policy is applied to traffic between a pair of zones rather than to each interface. Traffic between interfaces in the same zone is allowed by default, while traffic between different zones is dropped unless a policy explicitly permits or inspects it. These zones separate the specific security areas within a network. A typical example would be a firewall that divides its universe into three main security zones:

  • Internal: Internal or private enterprise network
  • DMZ: Where publicly accessible servers are located
  • External: Includes all outside destinations

Figure 8-2 describes the three primary security zones.

Figure 8-2 Basic Zones in a Zone-Based Firewall 
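The following configuration is an added example, not taken from the original text, showing how the three zones of Figure 8-2 are built with ZBPFW: the zones themselves, the class maps and inspect policies that state what is permitted, the unidirectional zone pairs, and the interface membership. The zone, class-map, policy-map and interface names and the IP addresses (taken from the RFC 5737 documentation ranges) are assumptions for illustration. It also shows the deny-by-default posture in practice: anything not matched by an inspect class falls into class-default and is dropped and logged.

```cisco
! --- Security zones (names are assumed for this example) ---
zone security INSIDE
 description Internal or private enterprise network
zone security DMZ
 description Publicly accessible servers
zone security OUTSIDE
 description All outside destinations

! --- Traffic classes: what each zone pair is allowed to carry ---
! Internal users may browse the Internet and resolve names
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! Only HTTP/HTTPS to the single DMZ web server (example address)
ip access-list extended ACL-TO-DMZ-WEB
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
class-map type inspect match-all CM-TO-DMZ-WEB
 match access-group name ACL-TO-DMZ-WEB
 match protocol tcp

! --- Policies: "inspect" opens a stateful session so return traffic is
! allowed back; everything else hits class-default and is dropped and logged
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log

policy-map type inspect PM-TO-DMZ-WEB
 class type inspect CM-TO-DMZ-WEB
  inspect
 class class-default
  drop log

! --- Zone pairs are unidirectional. A direction with no zone pair
! (for example DMZ -> OUTSIDE here) is dropped entirely.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-TO-DMZ-WEB
zone-pair security INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-TO-DMZ-WEB

! --- Interface membership (interface names and addresses are assumed) ---
interface GigabitEthernet0/0
 description Internal LAN
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description DMZ segment
 ip address 192.0.2.1 255.255.255.0
 zone-member security DMZ
interface GigabitEthernet0/2
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
```

Two points worth checking after applying such a configuration: `show zone-pair security` confirms which directions have a policy attached, and `show policy-map type inspect zone-pair sessions` shows the stateful sessions that inspection has opened. Note that the DMZ server cannot initiate sessions toward OUTSIDE or INSIDE in this example, because no zone pair exists for those directions; add one only if the server legitimately needs it. Traffic to and from the router itself belongs to the built-in self zone and is not affected by these pairs unless a zone pair involving self is configured.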


Cisco PIX 500 Series Security Appliances

The Cisco PIX 500 series family of security appliances is an older product line that consists of five models: the PIX 501, 506E, 515E, 525, and 535. These models are designed to meet a range of requirements and network sizes. The Cisco PIX 500 series security appliance provides robust policy enforcement for users and applications, secure connectivity, and multivector attack protection. These appliances provide the following integrated security and networking services:

  • Firewall services with advanced application awareness
  • Voice over IP (VoIP) and multimedia security
  • Site-to-site and remote-access IPsec VPN connectivity
  • Intelligent networking services and flexible management model

In January 2008, Cisco announced the end-of-life of the PIX products. However, there is a large installed base, and Cisco will continue to support the product until July 2013.

Cisco ASA 5500 Series Security Appliances

Cisco ASA 5500 series Adaptive Security Appliances integrate firewall, Cisco Unified Communications (voice and video) security, Secure Sockets Layer (SSL) and IPsec VPN, Intrusion Prevention System (IPS), and content security services in a flexible, modular product family. The ASA 5500 series appliances provide intelligent threat defense and secure communications services that stop attacks before they affect business continuity.

The Cisco ASA 5500 series appliances are available in five models, the Cisco ASA 5505, 5510, 5520, 5540, and 5550, to provide a scalable security solution that meets a range of requirements and network sizes.

Cisco Firewall Services Module

The Cisco Firewall Services Module (FWSM) is an integrated firewall module for high-end Cisco Catalyst 6500 switches and Cisco 7600 series routers used by large enterprises and service providers. You can install up to four FWSMs in a single switch chassis. Cisco FWSM is based on Cisco PIX firewall technology, and offers unmatched security, reliability, and performance. 

Firewall Best Practices

Best practice documents are a useful resource because they bring together the combined effort and experience of practitioners. Here is a generic list of best practices for your firewall security policy, which you can use as a starting point:

  • Firewalls are a core security device, but you should not rely on a firewall alone for security.
  • Firewalls should be placed at key security boundaries.
  • Your firewall policy should deny all traffic by default; only the services that are needed should be explicitly permitted.
  • All physical access to the firewall device should be tightly controlled.
  • Firewall logs should be monitored regularly, according to a schedule, to make sure anomalies are detected.
  • Proper change management procedures should be followed for firewall configuration changes, to ensure that all changes are documented and that no unauthorized changes are made to the firewall configuration.
  • A firewall is primarily a perimeter device that protects against attacks originating from the outside. It cannot protect against attacks originating from the inside.

Cisco Security Appliances & Applications

In addition to the various firewalls covered in the preceding sections, Cisco also produces other security appliances and applications to meet specific enterprise security needs:

  • Cisco IronPort Security Appliance
  • Cisco NAC Security Appliance
  • Cisco Security Agent

Cisco IronPort Security Appliances

Cisco IronPort security appliances protect enterprises against internet threats, with a focus on email and web security, which happen to be two of the main sources of endpoint threats.

The three major IronPort security appliances are:

  • IronPort C-series: Email security appliances
  • IronPort S-series: Web security appliances
  • IronPort M-series: Security management appliances

Cisco NAC Security Appliances

The purpose of Cisco Network Access Control (NAC) is to allow only authorized and compliant systems to access the network and to enforce network security policy. In this way, Cisco NAC helps maintain network stability. NAC provides four key features:

  • Authentication and authorization
  • Evaluation of an incoming device against network policies
  • Isolating or quarantining non-compliant systems
  • Remediation of non-compliant systems

The Cisco NAC appliance condenses the four key NAC functions just described into a single appliance and provides a turnkey solution to control network access. This solution is a natural fit for medium-scale networks that require a self-contained, ready-to-use solution. The Cisco NAC appliance is especially well suited to organizations that need simplified and integrated tracking of operating system and antivirus patches and vulnerability updates. The Cisco NAC appliance does not require a Cisco network to operate.

The goal of the Cisco NAC appliance is to admit to the network only those hosts that are authenticated and have had their security posture examined and approved. The net result of such a thorough examination before allowing connectivity is a large reduction in total cost of ownership (TCO), because only known, secure machines are allowed to connect. Therefore, laptops that have been on the road for weeks and may have been infected or were unable to receive current security updates cannot connect to the network and unleash a Denial of Service (DoS) attack.

Cisco NAC Appliance extends NAC to all network access methods, including access through LANs, remote-access gateways, and wireless access points. The Cisco NAC Appliance also supports posture assessment for guest users.

Cisco NAC Appliance provides the following benefits:

  • It recognizes users, their devices, and their roles in the network. This occurs at the point of authentication, before malicious code can cause damage.
  • It evaluates whether machines are compliant with security policies. Security policies can include specific antivirus or antispyware software, operating system updates, or patches. The Cisco NAC Appliance supports policies that vary by user type, device type, or operating system.
  • It enforces security policies by blocking and isolating non-compliant machines. A network administrator is advised of the non-compliance and proceeds to repair the host.

Non-compliant machines are redirected into a quarantine area, where remediation occurs at the discretion of the administrator.

Cisco Security Agent

Cisco Security Agent is a host intrusion prevention system (HIPS) product. It is software that is installed on server, desktop, or point-of-service computing systems and provides endpoint security through its threat protection capabilities. A single Cisco Security Agent management console can support up to 100,000 agents, so it is a highly scalable solution.

The Cisco Security Agent architecture consists of two components:

  • Management Center for Cisco Security Agents: The Management Center enables you to divide network hosts into groups by function and security requirements, and then configure security policies for those groups. It can maintain a log of security violations and send alerts by email.
  • Cisco Security Agent: The agent component is installed on the host system, where it continuously monitors local system activity and analyzes the operations of that system. The agent takes proactive action to block attempted malicious activity and polls the Management Center at configurable intervals for policy updates. The Management Center host itself should, of course, also run the agent.

When an application needs access to system resources, it makes an operating system call to the kernel. Cisco Security Agent intercepts these operating system calls and compares them with the cached security policy. If the request does not violate the policy, it is passed to the kernel for execution.

However, if the request does violate the security policy, Cisco Security Agent blocks the request and takes the following actions:

  • An appropriate error message is passed back to the application.
  • An alert is generated and sent to the Management Center for Cisco Security Agent. 

Cisco Security Agent also correlates this particular operating system call with the other calls made by that application or process, and uses these correlated events to detect malicious activity.