Firewall

CampusNet’s firewall service is a managed service generally utilising a Cisco router installed in the school’s network.

This router could replace the school’s existing router or be added into the network, depending on the type of Internet connection at the school. The router is configured with the Cisco IOS firewall, details of which are as follows.



Cisco IOS firewall - Executive summary

Cisco IOS® Firewall is a stateful security software component of Cisco IOS Software. The benefits of integration into Cisco IOS routers include: leveraging a router's inherent capabilities, multi-topology interfaces, industry standard routing protocols, and multiple Layer 3 services. Cisco IOS Firewall works with other technologies, including Network Address Translation (NAT) and IPsec VPN to become one vital component of an end-to-end network security infrastructure.

Cisco IOS Firewall includes the Advanced Firewall Engine for stateful inspection of packets. This provides a per-application control mechanism for IP traffic, including standard TCP and UDP applications, voice and multimedia applications, as well as Oracle database protocols.



Benefits

  • Integrated Capabilities - Cisco IOS Firewall provides integrated, in-line security services. These enhance current Cisco IOS Software capabilities: Secure IP routing, multi-topology interfaces, industry standard routing protocols, NAT, and voice and video services.
  • Full Featured Firewall - Advanced Firewall Engine provides tight, stateful security and control for each protocol, and configurable protection from Denial of Service (DoS) attacks.
  • Scalable - Available on a wide variety of Cisco IOS platforms, Cisco IOS Firewall scales to meet any network's bandwidth and performance requirements.
  • Security in the Infrastructure - Enables sophisticated security and policy enforcement for connections within an organization (intranet), between an organization and its partner networks, as well as between the organization and the Internet.
  • Leverage investment in Cisco - IT managers can provide strong integrated security for their organizations without having to re-invest in the network infrastructure.





Technical highlights

Cisco IOS Firewall consists of two subsystems: an advanced firewall engine for stateful inspection, and Port-to-Application Mapping (PAM).

Cisco advanced firewall engine

The advanced firewall engine is the heart of Cisco IOS Firewall, providing a per-application control mechanism across network perimeters. It enhances security for TCP and UDP applications that use well-known ports, such as File Transfer Protocol (FTP) and e-mail traffic, by scrutinizing source and destination addresses and ports. The engine tracks the state and context of each network connection, so that only return traffic belonging to a session it has seen initiated is admitted. When Simple Mail Transfer Protocol (SMTP) inspection is enabled, the engine also examines the data payload of SMTP packets for invalid commands, thereby filtering out protocol abuses.

Resistance against TCP SYN denial of service attacks

The Cisco advanced firewall engine provides DoS detection and prevention against common attack modes, such as SYN (synchronize/start) flooding, port scans, and packet injection. When the router detects an unusually high number or rate of new (half-open) connections, it issues an alert message and then begins dropping half-open TCP connections from its state table to prevent system resource depletion. When Cisco IOS Firewall detects a possible attack, it tracks user access by source or destination address and port pairs. It also details the transaction, creating an audit trail.

Alerts and audit trails

Cisco routers also generate real-time alerts and audit trails based on inputs from the Firewall Engine. Enhanced audit trail features use syslog to track all network transactions for advanced, session-based reporting: recording time stamps, source host, destination host, ports used, and the total number of transmitted bytes.

Real-time alerts send syslog error messages to central management consoles upon detecting suspicious activity. Using the Firewall Engine inspection rules, alerts and audit trail information can be configured on a per-application protocol basis. These configurable real-time alerts, audit trail, and logging events allow administrators to track potential security breaches and other nonstandard activities in real time.

Synergy with NAT and Port-to-Application Mapping (PAM)

The combination of Cisco IOS Firewall and NAT enables the firewall to perform stateful inspection while still hiding the internal IP addresses from the outside world. Flexible, per-application Port-to-Application Mapping (PAM) allows firewall-supported applications to be run on non-standard ports and still receive application-level inspection. This feature allows network administrators to customize access control for specific applications and services to meet the distinct needs of their networks.
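The following configuration is an added example showing how the pieces described above (stateful inspection, the SYN-flood thresholds, alerts and audit trail, NAT, and PAM) fit together on an IOS router of the kind this page describes. It is not the configuration CampusNet or Watchdog deploys. The interface names, the 192.168.1.0/24 school LAN, the 192.168.1.25 mail server, the 192.168.1.20 syslog host and the inspection rule name SCHOOL-FW are assumptions; the threshold values are illustrative and should be tuned to the school's actual traffic.

```cisco
! Added example CBAC configuration (not CampusNet's/Watchdog's own).
! Assumed: Ethernet0 = school LAN 192.168.1.0/24, Dialer1 = Internet,
! 192.168.1.25 = school mail server, 192.168.1.20 = syslog console.
!
! --- Logging: where the real-time alerts and the audit trail are sent ---
service timestamps log datetime msec localtime
logging buffered 16384 informational
logging trap informational
logging host 192.168.1.20
!
! --- Global inspection settings ---
! Audit trail: one syslog line per session with hosts, ports and bytes.
ip inspect audit-trail
! Alerts are on by default; "ip inspect alert-off" would silence them.
! Seconds a half-open TCP session may exist before it is dropped:
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
! SYN-flood defence: above "high" the router starts deleting half-open
! sessions (and raises %FW-4-ALERT_ON); it stops once the count falls
! back to "low" (%FW-4-ALERT_OFF). Absolute count and per-minute rate:
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 400
ip inspect one-minute low 300
! Per-destination-host limit on half-open sessions; block-time 0 means
! drop the oldest half-open session rather than blocking the host.
ip inspect tcp max-incomplete host 50 block-time 0
!
! --- Port-to-Application Mapping ---
! Without this, a web server on 8080 gets only generic TCP inspection,
! not HTTP application inspection.
ip port-map http port 8080
!
! --- Inspection rule set: one entry per application protocol ---
ip inspect name SCHOOL-FW http alert on audit-trail on
ip inspect name SCHOOL-FW smtp alert on audit-trail on
ip inspect name SCHOOL-FW ftp
ip inspect name SCHOOL-FW tcp
ip inspect name SCHOOL-FW udp
!
! --- Inbound ACL on the Internet side: the default deny that CBAC ---
! --- opens temporary holes in for sessions it has seen go out      ---
ip access-list extended OUTSIDE-IN
 remark Inbound mail to the school's own server (static NAT below)
 permit tcp any any eq smtp
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface Ethernet0
 description School LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 description Internet
 ip address negotiated
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect SCHOOL-FW out
!
! --- NAT: LAN hidden behind the Dialer address; mail server published ---
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.25 25 interface Dialer1 25
!
! --- Verification commands ---
! show ip inspect config      (rules, timeouts, thresholds)
! show ip inspect sessions    (current state table)
! show ip port-map            (PAM table, including the 8080 entry)
! show logging                (%FW-6-SESS_AUDIT_TRAIL and %FW-4-ALERT_* lines)
```

The important structural point is the pairing on Dialer1: the inbound access list denies everything the school does not explicitly publish, and `ip inspect SCHOOL-FW out` on the same interface is what lets replies to LAN-initiated sessions back in. Placing the inspection rule on the LAN interface inbound instead is also valid, but inspecting on the outside interface means the audit trail records the post-NAT addresses that the outside world actually sees. Note that the inbound SMTP permit bypasses stateful admission but not inspection: once the session is established, the `smtp` inspection entry still drops illegal SMTP commands on it.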





Is your current firewall suitable?

The MoE is keen for all schools to have a firewall but your current firewall may already be suitable.

A suitable firewall would be a unit that is designed to work with the type of network that you have at the school.

Some routers include basic firewall functions that may be suitable for a home installation but fall short of the requirements of a school that has its own mail server and remote server access, for example. Suitable firewalls for schools include but are not limited to the following:
  • Microsoft ISA Server
  • A Linux server configured correctly
  • Novell Border Manager
  • Cisco Routers such as 837, 831, and SOHO 90 series
  • Allied Telesyn routers such as AR240, AR320
  • Firewall appliances from companies such as Watchguard, Sonicwall, and Netscreen

Please note that a firewall must be configured correctly to be of real benefit to your school. Also note that a firewall that is suitable for a school with no servers of its own and e-mail accounts at its ISP may no longer be suitable if the school decides to set up its own servers and allow remote access to them, because each published service is a hole in the inbound policy that must then be deliberately managed.

CampusNet generally uses Cisco 837 and 831 routers as the firewall provided to schools at no charge under the MoE contract. These units run the CBAC (Context-Based Access Control) stateful firewall described above, which tracks sessions initiated from inside the school and only admits inbound packets that belong to one of those sessions or to a service the school has explicitly published. These units will be suitable for almost any installation required by a school and are owned and remotely managed by Watchdog.

If you are not sure whether your firewall is suitable, or if you require any further information, please phone Watchdog on 0508 WATCHDOG (0508 928 243) or email Watchdog.