Can a 2600 router be used as a firewall when ACLs are applied

e24ohm Member Posts: 151
Folks:
Can I use my 2600 as a simple firewall if I configure a number of ACLs? I need a firewall; however, I do not have enough resources right now to purchase one, so for a time I want to know if this is possible, and if anyone can offer any ideas.

I have looked into FreeBSD and IPChains/IPtables; however, I am not that strong with Linux.

thanks.
E
Utini!

Comments

  • networker050184 Mod Posts: 11,962
    Sure, the ACLs can provide some protection as a low-level firewall. You might be able to get some of the CBAC features on them also, depending on IOS. The 2600 routers are extremely limited in throughput though. I'd definitely do some further research on your model.
    An expert is a man who has made all the mistakes which can be made.
  • DevilWAH Member Posts: 2,997
    As mentioned, ACLs are a very low-level / basic form of firewall. However, they are very limited in their usage and adaptability.

    Your other option is to use an old PC/laptop running Linux (or indeed Windows) and use that as your firewall.

    Look for the advanced security IOS images for Cisco routers; they generally have more of the "firewall" features. If you can get CBAC features you have a reasonable start to a firewall. However, the newer Cisco routers can run an IOS-based firewall that works on zones (groups of interfaces) and offers many of the firewall features you will find in a full-blown stand-alone firewall like the ASA models.


    If you want a simple firewall for PC internet access, you can put a single ACL on the outbound interface that is a "reflexive ACL", which allows PCs to go out to the internet and come back in. But it is becoming limited, as it relies on static port assignment, which can cause issues with some applications that assign dynamic ports. It is also not very secure, possibly OK for some home firewall, but I would not use it for a business or critical situation.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
  • MrAgent Member Posts: 1,310
    You could also try going with ISA for Windows. It's not super complicated to set up.
  • e24ohm Member Posts: 151
    thanks gang for all the suggestions and help....cheers mates!!!
    Utini!
  • docrice Member Posts: 1,706
    Standard / extended ACLs in IOS are static packet filters, while reflexive provides stateful filtering. It isn't stateful inspection, however, and I believe it takes more processing overhead than std / ext ACLs. If your expected throughput is low you can go with this. Just be sure to include no ip unreachables and no ip source-route (among others) in your config. You can use the auto secure command to lock down the router as well.

    As others have mentioned, if your 2600 hardware is capable (flash and memory wise) to support the advanced security IOS with CBAC, etc., then that's a better choice.

    If you're not comfortable with Linux / BSD in setting up Netfilter (iptables) or pf, you can always use a Linux-based firewall distro to turn an Intel box into an "appliance": SmoothWall, pfSense, m0n0wall, etc. Those will provide you a nice GUI to manage via web browser.

    I'm not a big fan of ISA, personally, although I haven't played with Forefront TMG yet. The idea of firewall software bolted on top of a bloated OS isn't my idea of security. With Linux, at least you're talking about an OS which can be really slimmed down and Netfilter is built into the kernel. Somehow, I doubt you could install ISA on top of Server Core. I run ISA 2006 at work as a web proxy for some groups, and while it somewhat reminds me of configuring Check Point, it still feels a little slow and the logging isn't up to par with my expectations. ISA should be pretty good at understanding all the proprietary Microsoft protocols, however, so if you intend to deal with MS-RPC stuff (such as between member servers within a domain), then it certainly is a viable option.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
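Added example (not from any poster in this thread) showing the two approaches the replies above describe on an IOS router: the reflexive ACL DevilWAH mentions, then the CBAC inspection rule docrice prefers, plus the hardening commands docrice lists. The interface name FastEthernet0/0, the ACL and inspect-rule names and the timeouts are assumed.

```cisco
! --- Constructed example: stateful-ish filtering on an IOS router ---
! Interface FastEthernet0/0 is assumed to face the Internet.
!
! Option 1: reflexive ACL. Outbound sessions create temporary
! reverse entries; INBOUND only admits packets matching those entries.
! Caveat from the thread: protocols that open a second, dynamically
! numbered channel (e.g. active FTP data) will not be matched.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any reflect ICMP-SESSIONS timeout 30
!
ip access-list extended INBOUND
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 evaluate ICMP-SESSIONS
 deny ip any any log          ! log what the reverse entries did not admit
!
interface FastEthernet0/0
 description Internet-facing (assumed)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
 no ip unreachables           ! from docrice's list
 no ip redirects
 no ip proxy-arp
!
no ip source-route            ! from docrice's list
!
! Option 2 (needs an advanced security image with CBAC): replace the
! reflect/evaluate pairs with an inspection rule. CBAC understands
! application channels such as FTP, which fixes the caveat above.
! ip inspect name FW-INSPECT tcp
! ip inspect name FW-INSPECT udp
! ip inspect name FW-INSPECT ftp
! interface FastEthernet0/0
!  ip inspect FW-INSPECT out
!  ip access-group INBOUND in   ! INBOUND then contains only the deny
```

After applying either option, `show ip access-lists` (reflexive entries appear under the named lists while sessions are open) or `show ip inspect sessions` lets you confirm that return traffic is being admitted by state rather than by a permanent permit.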