Which Firewall Features Should I Use?

I have an application server that I need to make available to the Internet. For simplicity's sake, let's say it's a web server.

I understand how to use a basic access list to allow only tcp port 80 to this server from the Internet. That's all I want. I want to make the http server available to anyone, but nothing else should be allowed in.

However, I thought it might be a good idea to use some sort of beefed-up level of security, so I bought the firewall feature set IOS for my router.

Now that I'm reading up on it, it appears that CBAC is the main security feature of the firewall feature set, but everything about CBAC seems to be geared towards traffic going from inside out, not outside in.

Is setting up CBAC inspection useful in my situation? Are there any other features besides a basic access list should I consider using on this router?

Thank you


It works either way, I believe.

If you use basic ACLs you will need to allow

Inbound permit tcp any host webserver eq 80

Outbound permit tcp host webserver eq 80 any [established]

You could consider reflexive access lists, which cause the router to create the opposite (mirror-image) ACLs automatically. Reflexive as in reflecting.

Inspect is a stateful inspection firewall.

In this case you would use:

Inbound permit tcp any host webserver eq 80

Then use Inbound inspect to inspect the inbound tcp traffic. I do not recall the syntax exactly.

ip inspect name Any.Old.Name tcp
interface Internet.Side.One
 ip inspect Any.Old.Name in

This will automatically allow the appropriate outbound traffic but /only/ when recent inbound traffic has been detected.

Be /aware/: ip inspect name Any.Old.Name http

does /not/ do what I might expect. It blocks all java code downloads which breaks a lot of web pages.

There are also the IPS intrusion protection commands.
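As an added example, not taken from the original post, here is the arrangement the reply describes written out as an IOS configuration: a static inbound ACL that admits only TCP/80 to the web server, a deny-all outbound ACL on the same interface that CBAC punches temporary holes in per inspected session, and the generic tcp inspection rule rather than the http one. The addresses and interface names are assumptions.

```cisco
! Constructed example; the web server address 192.0.2.10, the Internet-facing
! interface FastEthernet0/0 and the inside interface FastEthernet0/1 are assumed.
!
! 1. Static ACL on the Internet side: only TCP/80 to the web server enters.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log
!
! 2. Outbound ACL on the same interface is deny-all. CBAC inserts temporary
!    permit entries here for each inspected inbound session, so a reply packet
!    that matches no live session is dropped. A static
!    "permit tcp host 192.0.2.10 eq 80 any established" would let it through.
ip access-list extended OUTSIDE-OUT
 deny   ip any any log
!
! 3. Generic TCP inspection rule. The reply above warns that the "http"
!    protocol keyword adds Java-applet filtering; plain "tcp" does not.
!    Idle sessions are torn down after 3600 seconds.
ip inspect name WEB-INSPECT tcp timeout 3600
!
! 4. Apply: ACLs in both directions, inspection on the inbound direction
!    of the Internet-facing interface only.
interface FastEthernet0/0
 description Internet side
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
 ip inspect WEB-INSPECT in
!
interface FastEthernet0/1
 description Inside; web server 192.0.2.10 lives here
 ip address 192.0.2.1 255.255.255.0
```

With a client connected, "show ip inspect sessions" lists the dynamically opened session and "show ip access-lists OUTSIDE-OUT" shows the temporary entry CBAC added; once the session times out, both disappear and the deny-all applies again. Inside hosts that need their own Internet access are not covered by this fragment and would need a second inspection rule in the outbound direction.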


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.