An overview of Cisco IOS security features as related to packet filtering.
The Cisco IOS has many powerful security features that enable network engineers to protect their internal network. The Cisco IOS is capable of intrusion detection, deep packet inspection, and stateful firewall features. Setting up IPS allows the admin to push intrusion detection to the network edge. The Cisco IPS feature set can scan for spyware, viruses, worms, Trojans, and network intrusions by receiving updated signature files from Cisco. If a packet or series of packets matches a particular signature, the router can send an alert, drop the packet, or reset the connection of the offending user. In this way the network engineer can better protect the network by acting on suspicious packets before they can pose a risk to the network infrastructure. Another advantage of pushing IPS duties to the network edge is that offending packets are dropped before they consume finite network resources. In large networks as much as 10 percent of network resources could be consumed by packets that will ultimately be dropped for security reasons deeper in the network.
A lot of engineers prefer to use dedicated systems for network security such as PIX and ASA devices. However, the Cisco recommended methodology is to filter packets as close to the egress point as possible, thus saving network resources and enhancing security. In times past it was considered better to apply security features on dedicated devices deeper in the network while putting as little strain on the edge routers as possible. This methodology used to be a necessity, as routers typically had much less horsepower and a significant share of CPU cycles and memory was consumed just routing and switching packets. Add to that the widespread use of Port Address Translation (PAT), which requires a large amount of CPU cycles and memory to maintain the port translation state table, and the situation was dire. It was not uncommon to see a branch office router such as a 2500 or 2600 series overloaded by P2P programs, which open up thousands of ports for connections. In these situations a single user could easily destabilize the network and cause the router to drop packets under the load. Cisco, realizing the changing world of networking and the relative cheapness of CPU power, released the XM series routers as a stopgap measure until the new Integrated Services Router platforms such as the 2800 and 3800 series were available. These new routers are more powerful than ever and allow IPS, stateful firewall features, and deep packet inspection to be performed at the network edge, thus enhancing security and availability of network resources.
Besides the IPS features, Cisco routers can also perform CBAC, or Context-Based Access Control. With CBAC the router can inspect TCP, UDP, and ICMP packets for fragments and irregularities. The IOS can also inspect several layer 7 protocols, and with the latest 12.4 IOS and current generation of routers this list has expanded to many layer 7 protocols. When using CBAC the router monitors the outgoing packets on an interface and dynamically creates holes in the inbound access list to allow only packets that match up with the outgoing request. This means that CBAC enables the IOS to perform true stateful firewalling. In the 12.4 IOS, CBAC uses deep packet inspection to determine the true protocol of the packet and better protect the network from intrusion. With deep packet inspection the router will recognize an FTP packet and scan it for known issues even if the packet arrives on a port other than the standard FTP control port. The IOS also uses access lists to secure interfaces and drop unwanted traffic at the network edge, which prevents network resources from being wasted.
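The following IOS configuration is an added example, not a configuration from the original article, showing the CBAC arrangement described above on a branch router with one inside and one outside interface: an inspection rule watches sessions leaving the outside interface, and an inbound access list on that same interface denies everything unsolicited, so only return traffic for tracked sessions gets through the temporary entries CBAC inserts. The interface names, addresses, the rule name BRANCH_FW and the ACL name OUTSIDE_IN are assumptions chosen for the example.

```cisco
! Added example configuration; interface names, addresses and rule/ACL
! names are assumptions, not values from the original article.
!
! Inspection rule: track outbound TCP, UDP and ICMP sessions and inspect
! FTP at layer 7 so its data channel is opened dynamically.
! Idle UDP "sessions" are aged out after 30 seconds.
ip inspect name BRANCH_FW tcp
ip inspect name BRANCH_FW udp timeout 30
ip inspect name BRANCH_FW icmp
ip inspect name BRANCH_FW ftp
!
! Log session creation and teardown so firewall activity can be audited.
ip inspect audit-trail
!
! Inbound ACL on the outside interface. Nothing unsolicited is permitted;
! CBAC adds temporary permit entries ahead of these lines for the return
! traffic of sessions it is tracking, and removes them when the session ends.
! The first entry drops packets arriving from the Internet that claim an
! inside source address (assumed inside range 10.0.0.0/8).
ip access-list extended OUTSIDE_IN
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip any any log
!
interface FastEthernet0/0
 description Inside LAN (assumed)
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description Outside / ISP (assumed)
 ip address 192.0.2.2 255.255.255.252
 ip access-group OUTSIDE_IN in
 ip inspect BRANCH_FW out
```

To confirm the behaviour, open a connection from the inside and run `show ip inspect sessions` to see the tracked session, and `show ip access-lists OUTSIDE_IN` to see the dynamic permit entry that CBAC has placed above the static deny lines; once the session times out or closes, both disappear. Applying the inspection rule outbound on the outside interface and the deny-all ACL inbound on the same interface keeps the two halves of the mechanism next to each other in the configuration, which makes later review easier.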
I hope this brief overview of the Cisco IOS security methodology as it relates to packet filtering was informative. I will follow up later with a more technical article on how to configure CBAC stateful firewalling and IPS signatures on the Cisco router.