ISR Overview and Providing Secure Administrative Access 81
Foundation Topics
ISR Overview and Providing Secure Administrative Access
This section begins by introducing the security features offered in the Cisco line of ISR routers. Additional hardware options for these routers are also discussed. Then, with a foundational understanding of the underlying hardware, you will learn a series of best practices for securing administrative access to a router. For example, a router can be configured to give different privilege levels to different administrative logins.
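As an added illustration of the privilege-level idea just mentioned (this configuration is not from the book), the following Cisco IOS snippet creates a restricted level 5 for an operator account that may view the running configuration and edit interface descriptions, while a separate account keeps full level 15 access. The account names, interface choices and the placeholder secrets are assumptions.

```cisco
! Added example: a restricted level-5 "operator" role beside full level-15 access.
! Commands not moved to level 5 remain at their default level (15) and stay
! unavailable to the operator.
!
! Move selected EXEC and configuration commands down from level 15 to level 5
privilege exec level 5 show running-config
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 description
!
! One enable secret per level (placeholders, not real secrets)
enable secret level 5 LEVEL5-SECRET-PLACEHOLDER
enable secret LEVEL15-SECRET-PLACEHOLDER
!
! Local accounts land directly at their assigned privilege level
username netops privilege 5 secret NETOPS-SECRET-PLACEHOLDER
username admin privilege 15 secret ADMIN-SECRET-PLACEHOLDER
!
! Virtual terminal lines: authenticate against the local database, SSH only
line vty 0 4
 login local
 transport input ssh
!
! Verification from a session: "show privilege" reports the current level
```

One caveat worth knowing when testing this: a user at level 5 who runs show running-config sees only the portion of the configuration that level 5 is permitted to view, not the full file, so the operator account cannot read the level-15 secrets or other commands that were not moved down.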
IOS Security Features
Although they are not a replacement for dedicated security appliances in large enterprise networks, modern Cisco routers, such as the ISR series, offer multiple integrated security features. Table 3-2 provides examples of these features, which vary by IOS feature set.
Cisco Integrated Services Routers
Cisco offers a series of routers called Integrated Services Routers (ISR). As their name suggests, these routers integrate various services (such as voice and security services) into
Table 3-2 IOS Security Features

Stateful firewall: The Cisco IOS firewall feature allows an IOS router to perform stateful inspection of traffic (using Context-Based Access Control [CBAC]), in addition to basic traffic filtering using access control lists (ACL).

Intrusion Prevention System: The IOS Intrusion Prevention System (IPS) feature can detect malicious network traffic inline and stop it before it reaches its destination.

VPN Routing and Forwarding-aware (VRF-aware) firewall: A VRF-aware firewall maintains a separate routing and forwarding table for each VPN, which helps eliminate issues that arise from more than one VPN using the same address space.

Virtual private networks: Cisco IOS routers can participate in virtual private networks (VPN). For example, a router at a headquarters location and at a branch office location could interconnect via an IPsec-protected VPN. This approach would allow traffic to pass securely between those sites, even if the VPN crossed an “untrusted” network, such as the Internet.
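To make the first row of Table 3-2 concrete, here is an added Cisco IOS configuration (not from the book) that combines CBAC stateful inspection with a basic ACL: the ACL on the untrusted interface denies all inbound traffic by default, and the inspection rule opens temporary entries only for return traffic of sessions that inside hosts initiated. The interface names, the inspection rule name and the ACL name are assumptions.

```cisco
! Added example: CBAC stateful inspection plus a basic inbound ACL.
!
! Inspection rule that tracks outbound TCP, UDP and ICMP sessions
ip inspect name INSIDE_TO_OUTSIDE tcp
ip inspect name INSIDE_TO_OUTSIDE udp
ip inspect name INSIDE_TO_OUTSIDE icmp
!
! Basic traffic filter on the outside interface: nothing unsolicited gets in.
! CBAC dynamically adds entries ahead of this ACL for the replies to
! inspected, inside-initiated sessions, so only those replies pass.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside (untrusted network)
 ip access-group OUTSIDE_IN in
 ip inspect INSIDE_TO_OUTSIDE out
!
interface GigabitEthernet0/1
 description Inside (trusted LAN)
!
! Verification: "show ip inspect sessions" lists the sessions being tracked,
! and the logged denies on OUTSIDE_IN show what was blocked at the edge.
```

The direction matters: the inspection rule is applied outbound on the outside interface so that sessions leaving toward the untrusted network are tracked, while the ACL is applied inbound on the same interface so that anything not matching a tracked session is dropped before it reaches the inside.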