Cisco IOS Software Release 12.2(4)YH
Release Notes for the SOHO 70 Series Routers and the Cisco 800 Series Routers for Cisco IOS Release 12.2(4)YH
New and Changed Information
or subnet. Now, users can be identified and authorized on the basis of their per-user policy, and access
privileges tailored on an individual basis are possible, as opposed to general policy applied across
multiple users.
With the authentication proxy feature, users can log into the network or access the Internet via HTTP,
and their specific access profiles are automatically retrieved and applied from a CiscoSecure ACS or
another RADIUS or TACACS+ authentication server. The user profiles are active only while there is active
traffic from the authenticated users.
The authentication proxy is compatible with other Cisco IOS security features such as Network Address
Translation (NAT), Context-based Access Control (CBAC), IP Security (IPSec) encryption, and VPN
client software.
For instructions on configuring authentication proxy, refer to the Cisco IOS Security Configuration
Guide, Release 12.2. You can view this document at the following URL:
Port to Application Mapping
Port to Application Mapping (PAM) is a feature of the Cisco IOS Firewall feature set. PAM allows you
to customize TCP or UDP port numbers for network services or applications. PAM uses this information
to support network environments that run services using ports that are different from the registered or
well-known ports associated with an application.
Using the port information, PAM establishes a table of default port-to-application mapping information
at the firewall. The information in the PAM table enables Context-based Access Control (CBAC)
supported services to run on nonstandard ports. Previously, CBAC was limited to inspecting traffic using
only the well-known or registered ports associated with an application. Now, PAM allows network
administrators to customize network access control for specific applications and services.
PAM also supports host- or subnet-specific port mapping, which allows you to apply a port mapping to a
single host or subnet by referencing a standard access control list (ACL) in the mapping.
For instructions on configuring PAM, refer to the Cisco IOS Security Configuration Guide, Release 12.2.
You can view PAM configuration instructions at the following URL:
CBAC Audit Trails and Alerts
Context-based access control (CBAC) is a security feature that enables the router to filter TCP and UDP
packets based on application-layer protocol session information and generate real-time alerts and audit
trails. Without CBAC, filtering can only be performed based on network layer and transport layer
information. Enhanced audit trail features use SYSLOG to track all network transactions, recording time
stamps, source host, destination host, ports used, and the total number of transmitted bytes, for advanced,
session-based reporting. Real-time alerts send SYSLOG error messages to central management consoles
upon detecting suspicious activity. Using CBAC inspection rules, you can configure alerts and audit trail
information on a per-application protocol basis. For example, if you want to generate audit trail
information for HTTP traffic, you can specify that in the CBAC rule covering HTTP inspection.
For instructions on configuring CBAC audit trails and alerts, refer to the Cisco IOS Security
Configuration Guide, Release 12.2. You can view CBAC configuration instructions at the following
URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/
scfcbac.htm
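The configuration below is an added example that ties the three features described above (authentication proxy, PAM, and CBAC audit trails and alerts) together on one router; it is not taken from these release notes or from the referenced configuration guide. The IP addresses, interface names, the HQ_USERS and FW_INSPECT names, the TACACS+ shared key, and the choice of port 8080 for the internal web servers are assumptions made for illustration.

```text
! Added example configuration (not from the release notes). Addresses, names,
! the shared key and port 8080 are assumptions for illustration.
!
service timestamps log datetime msec
!
! --- AAA and the authentication proxy: per-user policy from TACACS+ ---
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.5
tacacs-server key ExampleSharedKey
!
! The proxy intercepts HTTP, so the router's HTTP server must be enabled and
! must authenticate through AAA. Limit who may reach the HTTP server itself.
ip http server
ip http authentication aaa
ip http access-class 15
access-list 15 permit 192.168.1.0 0.0.0.255
!
! Idle time (minutes) before a user's dynamic ACL entries are removed; the
! profile stays active only while the authenticated user keeps sending traffic.
ip auth-proxy auth-cache-time 30
ip auth-proxy name HQ_USERS http
!
! --- PAM: internal web servers listen on 8080 instead of 80 ---
! Scope the mapping to the server subnet with a standard ACL so CBAC does not
! treat every other host's port-8080 traffic as HTTP.
access-list 10 permit 10.2.0.0 0.0.255.255
ip port-map http port 8080 list 10
!
! --- CBAC inspection with per-protocol alerts and audit trail ---
! Global default: audit trail on for every inspected session. The per-rule
! keywords below override it per protocol (order: alert, then audit-trail).
ip inspect audit-trail
ip inspect name FW_INSPECT http alert on audit-trail on
ip inspect name FW_INSPECT smtp alert on audit-trail off
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
!
! Send the %FW syslog messages (alerts and audit trail) to a central collector.
logging 10.1.1.100
logging trap informational
!
! Untrusted users arrive on Ethernet0; inspected traffic leaves on Ethernet1.
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip auth-proxy HQ_USERS
!
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW_INSPECT out
!
! Inbound ACL on the user side: allow only the HTTP that triggers the proxy;
! everything else is denied until the user's per-user entries are added.
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any log
```

The `list 10` qualifier on the PAM entry is the check worth keeping: without it, any host on the network would have its port-8080 sessions inspected as HTTP by CBAC, which is rarely what is intended. Likewise, turning `ip http server` on for the authentication proxy exposes the router's own HTTP interface, so pair it with `ip http access-class` and confirm that `logging trap informational` is set, since the `%FW-6` audit trail messages are emitted at the informational level and would otherwise never reach the collector.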