Cisco Systems MC-607 manual Triple Data Encryption Standard, Firewall, MC-624

Configuring Subscriber-End Broadband Access Router Features

Subscriber-End Broadband Access Router Security Features

Triple Data Encryption Standard

DES is a standard cryptographic algorithm developed by the United States National Bureau of Standards. The Triple DES (3DES) Cisco IOS software release images increase the security from the standard 56-bit IPSec encryption to 168-bit encryption, which is used for highly sensitive and confidential information such as financial transactions and medical records.

Firewall

Cisco uBR900 series cable access routers act as buffers between any connected public and private networks. In firewall mode, Cisco cable access routers use access lists and other methods to ensure the security of the private network.

Cisco IOS firewall-specific security features include the following:

•Context-based Access Control (CBAC). This intelligently filters TCP and UDP packets based on the application-layer protocol. Java applets can be blocked completely, or allowed only from known and trusted sources.

•Detection and prevention of the most common denial of service (DoS) attacks such as ICMP and UDP echo packet flooding, SYN packet flooding, half-open or other unusual TCP connections, and deliberate misfragmentation of IP packets.

•Support for a broad range of commonly used protocols, including H.323 and NetMeeting, FTP, HTTP, MS Netshow, RPC, SMTP, SQL*Net, and TFTP.

•Authentication Proxy for authentication and authorization of web clients on a per-user basis.

•Dynamic Port Mapping. Maps the default port numbers for well-known applications to other port numbers. This can be done on a host-by-host basis or for an entire subnet, providing a large degree of control over which users can access different applications.

•Intrusion Detection System (IDS) that recognizes the signatures of 59 common attack profiles. When an intrusion is detected, IDS can either send an alarm to a syslog server or to a NetRanger Director, drop the packet, or reset the TCP connection.

•User-configurable audit rules.

•Configurable real-time alerts and audit trail logs.

For additional information, see the Cisco IOS Firewall Feature Set description in the Cisco Product Catalog, or refer to the sections on traffic filtering and firewalls in the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference available on CCO and the Documentation CD-ROM.

NetRanger Support—Cisco IOS Intrusion Detection

NetRanger is an Intrusion Detection System (IDS) composed of the following three parts:

•A management console (director), used to view the alarms and to manage the sensors.

•A sensor that monitors traffic. This traffic is matched against a list of known signatures to detect misuse of the network. This is usually in the form of scanning for vulnerabilities or for attacking systems. When a signature is matched, the sensor can track certain actions. In the case of the appliance sensor, it can reset (via TCP/rst) sessions, or enable “shuns” of further traffic. In the case of the IOS-IDS, it can drop traffic. In all cases, the sensor can send alarms to the director.

•Communications through automated report generation of standardized and customizable reports and QoS/CoS monitoring capabilities.

Cisco IOS Multiservice Applications Configuration Guide

MC-624