Secured Branch Router Configuration Example - Cisco 2800 Series Manual

Secured Branch Router Configuration Example

Contents
•
•
•
•
•
•
Introduction
This document provides a sample configuration for securing a branch router by implementing the
following features:
•
•
•
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
Introduction, page 1
Before You Begin, page 2
Configure, page 3
Verify, page 6
Troubleshoot, page 10
Related Information, page 11
Context-Based Access Control (CBAC)—CBAC creates temporary openings in access lists at
firewall interfaces. These openings are created when specified traffic exits your internal network
through the firewall. The openings allow returning traffic (that would normally be blocked) and
additional data channels to enter your internal network back through the firewall. The traffic is
allowed back through the firewall only if the traffic is part of the same session as the original traffic
that triggered CBAC when exiting through the firewall.
Cisco IOS Intrusion Prevention System (IPS)—The Cisco IOS IPS feature restructures the
existing Cisco IOS Intrusion Detection System (IDS), allowing customers to choose to load the
default, built-in signatures or to load a Signature Definition File (SDF) called attack-drop.sdf onto
the router. The attack-drop.sdf file contains 118 high-fidelity Intrusion Prevention System (IPS)
signatures, providing customers with the latest available detection of security threats.
Cisco IOS Firewall Authentication Proxy—Authentication proxy provides dynamic, per-user
authentication and authorization, authenticating users against industry standard TACACS+ and
RADIUS authentication protocols. Per-user authentication and authorization of connections provide
more robust protection against network attacks.