Cisco Secure Firewall Services Module (FWSM)

Best practices for securing networks with FWSM Understand the differences between PIX/ASA firewall and FWSM deployments Review practical design and configuration advice for FWSM deployments Maximize FWSM security features and reduce deployment time Learn from coverage of the latest features and common installation best practices The Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco 6500 switch and 7600 router chassis. It monitors traffic flows using application inspection engines to provide a strong level of network security. The FWSM defines the security parameter and enables the enforcement of security policies through authentication, access-control lists, and protocol inspection. This is a key component to anyone deploying network security. Many customers have been deploying the firewall services module without specific knowledge on how it functions. They have taken their experience with the PIX firewall and applied it to the FWSM, but there are significant differences between the two products. Cisco Secure Firewall Services Module (FWSM) is designed to help  understand how the FWSM functions and the differences between it and the PIX. It also helps you through the design, configuration, implementation, and administration of the FWSM by providing practical examples using best security practices.

Table of Contents:
Introduction Part I Introduction Chapter 1 Types of Firewalls Understanding Packet-Filtering Firewalls 5     Advantages 5     Caveats 6 Understanding Application/Proxy Firewalls 7     Advantages 8     Caveats 8 Understanding Reverse-Proxy Firewalls     Advantages     Caveats Utilizing Packet Inspection Reusing IP Addresses     NAT     PAT Summary Chapter 2 Overview of the Firewall Services Module Specifications Installation Performance Virtualization Comparing the FWSM to Other Security Devices     IOS FW     PIX     ASA Hardware Architecture Software Architecture Summary Chapter 3 Examining Modes of Operation Working with Transparent Mode     Advantages     Disadvantages     Traffic Flow     Multiple Bridge Groups Working with Routed Mode     Advantages     Disadvantages     Traffic Flow Summary References Chapter 4 Understanding Security Levels Traffic Flow Between Interfaces Network Address Translation/Port Address Translation     Static NAT         Number of Simultaneous TCP Connections         Number of Embryonic Connections     DNS     Norandomseq     TCP     UDP     Static PAT     Dynamic NAT     Dynamic PAT     NAT Control     NAT Bypass         NAT 0 or Identity NAT         Static Identity NAT Summary References Chapter 5 Understanding Contexts Benefits of Multiple Contexts     Separating Security Policies     Leveraging the Hardware Investment Disadvantages of Multiple Contexts Adding and Removing Contexts     Adding a Context     Removing a Context         Storing Configuration Files     Changing Between Contexts Understanding Resource Management     Memory Partitions Summary Part II Initial Configuration Chapter 6 Configuring and Securing the 6500/7600 Chassis Understanding the Interaction Between the Host-Chassis and the FWSM Assigning Interfaces Securing the 6500/7600 (Host-Chassis)     Controlling Physical Access     Being Mindful of Environmental Considerations     Controlling Management Access     Disabling Unnecessary Services     Controlling Access Using Port-Based Security     Controlling Spanning Tree     Leveraging Access Control Lists     Securing Layer 3     Leveraging Control Plane Policing     Protecting a Network Using Quality of Service     Employing Additional Security Features Summary References Chapter 7 Configuring the FWSM Configuring FWSM in the Switch Exploring Routed Mode Exploring Transparent Mode Using Multiple Context Mode for FWSM     Context Configurations     System Context Configurations     Admin Context Configurations     Packet Classifier in FWSM Context Mode     Understanding Resource Management in Contexts Configuration Steps for Firewall Services Module     Type 1: Configuring Single Context Routed Mode     Type 2: Configuring Single Context Transparent Mode     Type 3: Configuring Multiple Context Mixed Mode Summary Chapter 8 Access Control Lists Introducing Types of Access Lists     Understanding Access Control Entry     Understanding Access List Commit Understanding Object Groups Monitoring Access List Resources Configuring Object Groups and Access Lists     Working with Protocol Type     Working with Network Type     Working with Service Type     Working with Nesting Type     Working with EtherType Summary Chapter 9 Configuring Routing Protocols Supporting Routing Methods     Static Routes     Default Routes     Open Shortest Path First         SPF Algorithm         OSPF Network Types         Concept of Areas         OSPF Link State Advertisement         Types of Stub Area in OSPF     OSPF in FWSM     OSPF Configuration in FWSM         Interface-Based Configuration for OSPF Parameters         Summarization         Stub Configuration         NSSA Configuration         Default Route Information         Timers     OSPF Design Example 1     OSPF Design Example 2     Routing Information Protocol     RIP in FWSM         Configuration Example of RIP on FWSM     Border Gateway Protocol     BGP in FWSM     BGP Topology with FWSM Summary Chapter 10 AAA Overview Understanding AAA Components     Authentication in FWSM     Authorization in FWSM     Accounting in FWSM Comparing Security Protocols Understanding Two-Step Authentication Understanding Fallback Support     Configuring Fallback Authentication     Configuring Local Authorization Understanding Cut-Through Proxy in FWSM     Configuring Custom Login Prompts     Using MAC Addresses to Exempt Traffic from Authentication and Authorization Summary Chapter 11 Modular Policy Using Modular Policy in FWSM Understanding Classification of Traffic     Understanding Application Engines Defining Policy Maps     Configuring Global Policy Configuring Service Policy Understanding Default Policy Map Sample Configuration of Modular Policy in FWSM Summary Part III Advanced Configuration Chapter 12 Understanding Failover in FWSM Creating Redundancy in the FWSM     Understanding Active/Standby Mode     Understanding Active/Active Mode Understanding Failover Link and State Link Requirements for Failover Synchronizing the Primary and Secondary Firewalls Monitoring Interfaces Configuring Poll Intervals Design Principle for Monitoring Interfaces Configuring Single Context FWSM Failover Configuring Multiple Context FWSM Failover Summary Chapter 13 Understanding Application Protocol Inspection Inspecting Hypertext Transfer Protocol Inspecting File Transfer Protocol Working with Supported Applications Configuring ARP     Inspecting ARP     Configuring Parameters for ARP         Configuring MAC Entries         Adding Static Entries Summary References Chapter 14 Filtering Working with URLs and FTP Configuring ActiveX and Java Summary References Chapter 15 Managing and Monitoring the FWSM Using Telnet Using Secure Shell Using Adaptive Security Device Manager     Configuring the FWSM Using ASDM     Managing the FWSM from the Client Securing Access     Configuring the FWSM for VPN Termination     Configuring the VPN Client Working with Simple Network Management Protocol Examining Syslog Working with Cisco Security Manager Monitoring Analysis and Response System Summary References Chapter 16 Multicast Protocol Independent Multicast Understanding Rendezvous Point PIM Interface Modes IGMP Protocol Multicast Stub Configuration Multicast Traffic Across Firewalls     FWSM 1.x and 2.x Code Releases     FWSM 3.x Code Release Configuration Methods     Method 1: Configuration Example for Multicast Through Firewall in Single Context Routed Mode     Method 2: Configuration Example for Multicast Through Firewall via GRE     Method 3: Configuration Example for Multicast Through Transparent Firewall in Multiple Context Mode Summary Chapter 17 Asymmetric Routing Asymmetric Routing Without a Firewall Asymmetric Traffic Flow in a Firewall Environment Avoiding Asymmetric Routing Through Firewalls     Option 1: Symmetric Routing Through Firewalls     Option 2: Firewall Redundancy and Routing Redundancy Symmetry Supporting Asymmetric Routing in FWSM     Asymmetric Routing Support in Active/Standby Mode     Asymmetric Routing Support in Active/Active Mode Configuring ASR in FWSM Summary Chapter 18 Firewall Load Balancing Reasons for Load Balancing Firewalls Design Requirements for Firewall Load Balancing Firewall Load-Balancing Solutions     Firewall Load Balancing with Policy-Based Routing     Firewall Load Balancing with Content Switch Module         Configuring the CSM         Snapshot Configuration for CSM Supporting Firewall Load Balancing     Firewall Load Balancing Using the Application Control Engine         ACE Design for Firewall Load Balancing Firewall Load Balancing Configuration Example     OUT2IN Policy Configuration     Firewall Configuration     IN2OUT Policy Configuration Summary Chapter 19 IP Version 6 Understanding IPv6 Packet Header Examining IPv6 Address Types     Neighbor Discovery Protocol IPv6 in FWSM     Configuring Multiple Features of IPv6 in FWSM         Interface Configuration         Router Advertisement         Duplicate Address Detection         Timer for Duplicate Address Detection         Configuring Access Lists         Configuring Static Routes         Configuring IPv6 Timers in FWSM     Configuring IPv6 in FWSM         Configuring PFC (Layer 3 Device) on the Outside Security Domain         Configuring FWSM         Configuring a Layer 3 Device on the Inside Security Domain         Verify the Functionality of FWSM         Working with the showCommand for IPv6 in FWSM Summary Chapter 20 Preventing Network Attacks Protecting Networks Shunning Attackers Spoofing Understanding Connection Limits and Timeouts     Configuring Connection Limits     Configuring Timeouts Summary References Chapter 21 Troubleshooting the FWSM Understanding Troubleshooting Logic Assessing Issues Logically Connectivity Test of a Flow at the FWSM     Troubleshooting Flow Issues FAQs for Troubleshooting     How Do You Verify Whether the Traffic Is Forwarded to a Particular Interface in the FWSM?     How Do I Verify ACL Resource Limits?     How Do I Verify the Connectivity and Packet Flow Through the Firewall?     What Is Network Analysis Module?     What Are Some Useful Management and Monitoring Tools?     How Do I Recover Passwords? Summary Part IV Design Guidelines and Configuration Examples Chapter 22 Designing a Network Infrastructure Determining Design Considerations     Documenting the Process Determining Deployment Options     Determining Placement     Working with FWSM and the Enterprise Perimeter     FWSM in the Datacenter         Throughput         Flexibility         Availability     Supporting Virtualized Networks Summary Reference Chapter 23 Design Scenarios Layer 3 VPN (VRF) Terminations at FWSM     Configuring the PFC     Configuring the FWSM Failover Configuration in Mixed Mode Interdomain Communication of Different Security Zones Through a Single FWSM     Configuring the PFC     FWSM Configuration Dynamic Learning of Routes with FWSM     Single Box Solution with OSPF Data Center Environment with the FWSM     Method 1: Layer 3 VPN Segregation with Layer 3 FWSM (Multiple Context Mode)     Method 2: Layer 3 VPN Segregation with Layer 2 FWSM (Multiple Context Mode) PVLAN and FWSM     PVLAN Configuration in FWSM     Design Scenario 1 for PVLAN in FWSM     Design Scenario 2 for PVLAN in FWSM     Configuring PVLAN Summary Part V FWSM 4.x Chapter 24 FWSM 4.x Performance and Scalability Improvements Increasing Performance by Leveraging the Supervisor Using the PISA for Enhanced Traffic Detection Improving Memory     Partitioning Memory     Reallocating Rules     Optimizing ACL Summary Chapter 25 Understanding FWSM 4.x Routing and Feature Enhancements Configuring EIGRP Configuring Route Health Injection Understanding Application Support     Configuring Regular Expressions     Understanding Application Inspection Improvements Additional Support for Simple Network Management Protocol Management Information Base Miscellaneous Security Features     Dynamic Host Configuration Protocol Option 82     Smartfilter HTTPS Support Summary References     1587053535   TOC   8/12/2008

About the Author :
Ray Blair is a consulting systems architect and has been with Cisco Systems for more than eight years, working primarily on security and large network designs. He has 20 years of experience with designing, implementing, and maintaining networks that have included nearly all networking technologies. His first four years in the high-technology industry started with designing industrial computer systems for process monitoring. Mr. Blair maintains three Cisco Certified Internetwork Expert (CCIE) certifications in Routing and Switching, Security, and Service Provider. He also is a Certified Novell Engineer (CNE) and a Certified Information Systems Security Professional (CISSP).   Arvind Durai is an advanced services technical leader for Cisco Systems. His primary responsibility has been in supporting major Cisco customers in the Enterprise sector, some of which includes Financial, Manufacturing, E-commerce, State Government, and Health Care sectors. One of his focuses has been on security, and he has authored several white papers and design guides in various technologies. Mr. Durai maintains two Cisco Certified Internetwork Expert (CCIE) certifications in Routing and Switching and Security. Mr. Durai holds a Bachelor of Science degree in Electronics and Communication, a Master’s degree in Electrical Engineering (MS), and Master’s degree in Business Administration (MBA).