Cisco IOS Security Features
Although the primary purpose of an IOS router is to be a router, there are a number of built-in security features that can be leveraged such that the router takes its proper place in the Cisco Self-Defending Network. In this section, we look at typical deployment scenarios for an IOS router and examine some of the features of Cisco Integrated Services Routers (ISRs) at a high level.
Where Do You Deploy an IOS Router?
Before we get into the features of Cisco’s product portfolio, we should probably cover the question of where a router is deployed as part of the implementation of a comprehensive security policy. We discussed the “blurring of the perimeter” in Chapter 2, “Building a Secure Network Using Security Controls,” but it is typically at the perimeter, or edge, of a network where we deploy routers. They are often the first bastion of defense against attack because many enterprises, both large and small, use routers as their first connection to an Internet Service Provider’s IP cloud. The router might be a customer-managed solution, in which case the customer has at least partial control of the configuration and management of the router, or the equipment could be wholly owned, configured, and managed by the ISP. Of course, the size of the network, the customer, the assets they are trying to protect, and so on, will determine both the type and depth of defense implemented. A small office/home office (SOHO) user or a teleworker probably doesn’t need the multiple layers of defense and different zones of security that a large e-commerce site requires. Common sense dictates that all of these considerations will bear on both the scope of the solution and the capabilities of the router that will be required.
Refer to Figure 3.1 for three common examples of where a router might be deployed. Keep in mind that the firewall in Figure 3.1 is assumed to be a stateful firewall. The reason it is deployed instead of another router is that the firewall will be able to keep track of the state of connections that are built across it (both ingress and egress) and thereby afford an extra level of protection to the network. The firewall could very well be an IOS router firewall. IOS firewalls and types of firewalls in general are examined in Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy.”
The following is a detailed explanation of the three deployment scenarios in Figure 3.1:
- Scenario 1—Single Perimeter. The router establishes the trusted network boundary at the Internet and protects a single LAN. This is a small business (but with growth aspirations!), and they need a solution that will grow with them.
- Scenario 2—Two Perimeters. Business is improving and the company has more need for protection of its assets, including intellectual property. The security policy grows with the business and dictates that a firewall is purchased to establish a second perimeter behind the router, thus providing an extra level of protection for the single LAN.
- Scenario 3—Screened Subnet. The company’s business needs dictate that an e-commerce site be implemented. Recalling that business needs are a big driver for security policies, the company uses industry best practices to make the change. A DMZ is established on the firewall where the organization’s e-commerce servers are deployed. The security policy dictates that another router be deployed inside the firewall to maintain two perimeters between the Internet and the LAN.
Cisco ISR Family and Features
According to Cisco, what makes an Integrated Services Router integrated are the following features:
- Integrated Security. 3DES and AES encryption; NAC.
- Unified Network Services. PVDM modules; media authentication and encryption with SRST.
- Mobility. 3G wireless WAN; wireless LAN services.
- Application Intelligence. Performance routing; Cisco WAAS.
- USB Port. USB eToken; USB flash support.
Figure 3.2 illustrates the Cisco ISR product spectrum. The Cisco ISR routers range from SOHO devices with the 800 series ISR, all the way up to a large branch office where the 3800 series ISR would be an appropriate solution. One of the main advantages of Cisco’s router solution is that they all share common configuration interfaces in the form of the Cisco command-line interface (CLI) for character-based terminal configuration and the Cisco Security Device Manager (SDM) as a web-based GUI. The user interface’s look and feel is close to identical from one device to another.
EXAM ALERT
A good way to remember the model number nomenclature is to realize that all these models have the number 800 in their series designation: 800, 1800, 2800, and 3800. Also, the larger the number, the more capable the ISR.
NOTE
For more information on the Integrated Services Routers, browse to this link:
http://www.cisco.com/en/US/prod/routers/networking_solutions_products_genericcontent0900aecd806cab99.html.
Cisco also introduced a new series of high-performance routers, the 1000-series Aggregation Services Routers (ASRs), in Q2 of 2008. Here’s a link to those devices: