Cisco Systems MC-607 manual Triple Data Encryption Standard, Firewall, MC-624


Configuring Subscriber-End Broadband Access Router Features

Subscriber-End Broadband Access Router Security Features

Triple Data Encryption Standard

DES is a standard cryptographic algorithm developed by the United States National Bureau of Standards. The Triple DES (3DES) Cisco IOS software release images increase the security from the standard 56-bit IPSec encryption to 168-bit encryption, which is used for highly sensitive and confidential information such as financial transactions and medical records.

Firewall

Cisco uBR900 series cable access routers act as buffers between any connected public and private networks. In firewall mode, Cisco cable access routers use access lists and other methods to ensure the security of the private network.

Cisco IOS firewall-specific security features include the following:

Context-based Access Control (CBAC). This intelligently filters TCP and UDP packets based on the application-layer protocol. Java applets can be blocked completely, or allowed only from known and trusted sources.

Detection and prevention of the most common denial of service (DoS) attacks such as ICMP and UDP echo packet flooding, SYN packet flooding, half-open or other unusual TCP connections, and deliberate misfragmentation of IP packets.

Support for a broad range of commonly used protocols, including H.323 and NetMeeting, FTP, HTTP, MS Netshow, RPC, SMTP, SQL*Net, and TFTP.

Authentication Proxy for authentication and authorization of web clients on a per-user basis.

Dynamic Port Mapping. Maps the default port numbers for well-known applications to other port numbers. This can be done on a host-by-host basis or for an entire subnet, providing a large degree of control over which users can access different applications.

Intrusion Detection System (IDS) that recognizes the signatures of 59 common attack profiles. When an intrusion is detected, IDS can send an alarm to a syslog server or to a NetRanger Director, drop the packet, or reset the TCP connection.

User-configurable audit rules.

Configurable real-time alerts and audit trail logs.

For additional information, see the Cisco IOS Firewall Feature Set description in the Cisco Product Catalog, or refer to the sections on traffic filtering and firewalls in the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference available on CCO and the Documentation CD-ROM.
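A sketch of how several of the features listed above are typically switched on in Cisco IOS, added here as an illustration and not taken from this manual. The rule names FW and AUDIT, the ACL numbers, the 192.0.2.x addresses, the port numbers and the threshold values are assumptions, and the interface name assumes a uBR900 series router whose cable side faces the public network.

```cisco
! Added example, not from the manual. Names, ACL numbers, addresses,
! ports and thresholds are assumptions chosen for illustration.
!
! Standard ACL listing the only hosts trusted to serve Java applets
access-list 10 permit 192.0.2.10
! Standard ACL selecting the one host that gets a custom port mapping
access-list 20 permit 192.0.2.20
!
! CBAC: inspect sessions by application-layer protocol
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW smtp
ip inspect name FW h323
! Java applets are allowed only from hosts matched by ACL 10
ip inspect name FW http java-list 10
!
! DoS protection: bound the number and rate of half-open sessions
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Audit trail of inspected sessions, sent to a syslog server
ip inspect audit-trail
logging 192.0.2.50
!
! Dynamic port mapping: HTTP on 8080 for everyone, on 8000 for one host
ip port-map http port 8080
ip port-map http port 8000 list 20
!
! IDS: alarm on informational signatures; alarm, drop and reset on attacks
ip audit notify log
ip audit name AUDIT info action alarm
ip audit name AUDIT attack action alarm drop reset
!
! Inbound ACL on the public side. CBAC opens temporary return-path
! entries in it; it must also permit whatever provisioning and
! management traffic the operator requires.
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any log
!
interface cable-modem0
 ip access-group 101 in
 ip inspect FW out
 ip audit AUDIT in
```

Command availability depends on the feature set loaded on the router; the Cisco IOS Security Command Reference gives the exact syntax for a given release.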

NetRanger Support—Cisco IOS Intrusion Detection

NetRanger is an Intrusion Detection System (IDS) composed of the following three parts:

A management console (director), used to view the alarms and to manage the sensors.

A sensor that monitors traffic. This traffic is matched against a list of known signatures to detect misuse of the network, which usually takes the form of scanning for vulnerabilities or attacking systems. When a signature is matched, the sensor can track certain actions. In the case of the appliance sensor, it can reset sessions (via TCP/rst) or enable “shuns” of further traffic. In the case of the IOS-IDS, it can drop traffic. In all cases, the sensor can send alarms to the director.

Communications through automated report generation of standardized and customizable reports and QoS/CoS monitoring capabilities.

Cisco IOS Multiservice Applications Configuration Guide

MC-624
