Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Do you have a firewall on every Internet-connected site in your organization? Tell the truth now, do you really? All right, I’m sure some of you can honestly answer yes, but I’m also sure a lot of you can’t. Firewalls are expensive—expensive to buy, expensive to install, and expensive to maintain. People who configure them are expensive too!

And while it may be true that entities such as huge financial institutions and other large corporations with deep pockets are willing to pony up the kind of cash that it takes to have a firewall guarding every Internet connection in their enterprise, public school districts, non-technical businesses, small offices, and other organizations often don’t or can’t.

In this chapter I’m going to introduce you to the Cisco IOS Firewall. You’ll learn how it is configured so that you can work with the Cisco IOS Firewall both at home and in your business, and save some cash too. This chapter also explores Context-Based Access Control (CBAC) and explains the ways it can work for you within your internetwork. I’m going to show you how CBAC differs from, and protects your network better than, running static ACLs alone.

Understanding the Cisco IOS Firewall

The Cisco IOS Firewall is a software firewall that runs on the IOS on your Cisco router—a feature you buy that augments the standard IOS and utilizes your existing hardware. You must, of course, have sufficient flash and RAM at your disposal for the IOS Firewall image. Some of you may be thinking that you can just use access control lists (ACLs) on your router and mimic a lot of the functionality of a firewall, and you’re right, you can—but only to a degree. The Cisco IOS Firewall consists of three main components:

Authentication Proxy

Intrusion Detection System (IDS)

Context-Based Access Control (CBAC)

Although I’m going to cover each one of these components with you, this chapter’s main focus will be on CBAC. Both the Authentication Proxy and Intrusion Detection System are topics you’ll study thoroughly in Chapter 6, “Cisco IOS Firewall Authentication and Intrusion Detection,” but for now, I’ll give you an overview of each of these powerful tools and then move right into CBAC.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.
