Cisco Expert – New IOS Firewall, IOS IPS and CCP

Posted by Ricardo Martins on July 17, 2008

I had some gold partner training at Cisco a couple of weeks ago, and I thought I could share some announcements and some slides given to me in the training.

I actually went for the security training, though my work has more to do with networking. The training was mostly based on the ASA 5580-40 for Data Centers. By the way, the ASA 5505 for small offices does not support IPS now, but in the near future it will support IOS IPS and Wireless. The ASA 5510, 5520 and 5540 use an IPS Module. The ASA 5550, 5580-20 and 5580-40 do not support IPS because it would simply slow down the ASA. I was told at Cisco that it could eventually support IPS in the future. Anyway, the bit I want to share is the new IOS Firewall, IOS IPS and CCP.

So far, CBAC has been the IOS Firewall around the block, but 12.4(6)T has introduced the “Cisco IOS Firewall”, which uses a concept of zones. To be honest, I haven’t tried the new IOS firewall so I can’t say much about it. I liked CBAC, though.

The new IOS 12.4(20)T also introduces a different approach for access-lists that can be used in conjunction with object-groups. It looks like a very cool feature.

The new IPS introduces some new features. To be honest, I haven’t really played around much with IOS IPS; however, it used to be that to upgrade the signatures we had to download .sdf files from Cisco, but in 12.4T everything could be done using the SDM GUI, downloading some XML files, no more .sdf.

CCP (Cisco Configuration Professional) is the next generation of the SDM wizard; it basically does everything that SDM 2.5 does, plus it introduces configuration wizards for voice, wireless and so on. The drawback, in my opinion, is that it is only supported on the newest Cisco routers: 800, 1800, 2800, 3800…

Below you can find some slides I was given at Cisco. I'm not quite sure if I am allowed to share them, but I was not told otherwise, so…

