Configuring Security Features
Cisco 3900 Series, 2900 Series, and 1900 Series Integrated Services Routers Software Configuration Guide
OL-21850-01
Zone-Based Policy Firewall
The Cisco IOS Zone-Based Policy Firewall can be used to deploy security policies by assigning
interfaces to different zones and configuring a policy to inspect the traffic moving between these zones.
The policy specifies a set of actions to be applied on the defined traffic class.
For additional information about configuring zone-based policy firewall, see the “Zone-Based Policy
Firewall” section of Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
at:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html.
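The following configuration is an added example of the zone, class, policy and zone-pair structure described above; it is not taken from this guide or from the referenced Cisco document, and the interface names, zone names and class/policy names are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide: a minimal zone-based policy
! firewall that lets the inside LAN reach the Internet for web, DNS and
! ping, inspects the return traffic statefully, and drops anything else.
! Interface, zone, class-map and policy-map names are assumptions.
!
! 1. Define the two security zones.
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted Internet
!
! 2. Classify the traffic the policy will act on.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! 3. Bind actions to the classes. "inspect" creates a stateful session,
!    so reply traffic is allowed back without a second zone-pair.
!    Anything not matched falls into class-default and is dropped and logged.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! 4. Apply the policy to the directional zone pair. No OUTSIDE-to-INSIDE
!    zone-pair is defined, so unsolicited traffic from the Internet toward
!    the LAN is denied by the default deny between zones.
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! 5. Place interfaces in the zones. An interface that belongs to no zone
!    cannot exchange traffic with an interface that is in a zone.
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE
!
! Verify active sessions and per-class match counters with:
! show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE sessions
```

Traffic to and from the router itself is handled by the built-in self zone, which is permitted by default and needs its own zone-pair only if you want to restrict management traffic.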
Configuring Cisco IOS IPS
Cisco IOS Intrusion Prevention System (IPS) technology enhances perimeter firewall protection by
taking appropriate action on packets and flows that violate the security policy or represent malicious
network activity.
Cisco IOS IPS identifies attacks using “signatures” to detect patterns of misuse in network traffic.
Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow
through the router, scanning each to match currently active (loaded) attack signatures. When Cisco IOS
IPS detects suspicious activity, it responds before network security can be compromised: it logs the
event and, depending on the action(s) configured for the detected signature(s), does one or more
of the following:
• Sends an alarm in syslog format or logs an alarm in Secure Device Event Exchange (SDEE) format
• Drops suspicious packets
• Resets the connection
• Denies traffic from the source IP address of the attacker for a specified amount of time
• Denies traffic on the connection for which the signature was seen for a specified amount of time
For additional information about configuring Cisco IOS IPS, see the “Cisco IOS IPS 5.x Signature
Format Support and Usability Enhancements” section of Cisco IOS Security Configuration Guide:
Securing the Data Plane, Release 12.4T at:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html.
Content Filtering
Cisco 3900 series, 2900 series, and 1900 series ISRs provide category-based URL filtering. The user
provisions URL filtering on the ISR by selecting categories of websites to be permitted or blocked. An
external server, maintained by a third party, is used to check for URLs in each category. Permit and deny
policies are maintained on the ISR. The service is subscription based, and the URLs in each category are
maintained by the third-party vendor.
For additional information about configuring URL filtering, see “Subscription-based Cisco IOS Content
Filtering” at: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_url_filtering.html.