BGP between ScreenOS and IOS

October 26, 2011

There are times when static routing on firewalls is simply not scalable. As long as the routing stays inside a trusted network, I see no reason to avoid dynamic routing. Juniper devices (Junos and ScreenOS) can even use virtual routers to split the routing into several separate routing domains. In the example below, we will only show how to build a BGP peering between a ScreenOS cluster and two Cisco routers.


Zone-based IOS firewall

February 21, 2011

Starting with IOS 12.4(6)T, Cisco introduced the Zone-Based Policy Firewall in all IOS images with an advanced feature set. This configuration model lets the router administrator define security zones, assign interfaces to zones, and apply security policies between zones, much as one would on a Juniper firewall or a Cisco ASA.

With CBAC, stateful inspection was applied at the interface level. With zone-based firewalls, inspection is applied to zone pairs (a source zone and a destination zone).

Here is an over-simplified example

IPv6 Firewall with Linux

September 17, 2009

More and more server hosters have configured IPv6 on their networks, and most of their Linux-based servers come with a basic IPv6 configuration. Even if IPv6 is not used, it is there and wide open, as the netfilter/iptables default policy is ACCEPT.