Cisco Secure Firewall Services Module (FWSM)
Best practices for securing networks with FWSM
Ray Blair, CCIE® No. 7050
Arvind Durai, CCIE No. 7016
The Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. The FWSM defines the security perimeter and enforces security policies through authentication, access control lists, and protocol inspection. The FWSM is a key component for anyone deploying network security.
Cisco Secure Firewall Services Module (FWSM) covers all aspects of the FWSM. The book provides a detailed look at how the FWSM processes information, as well as installation advice, configuration details, recommendations for network integration, and reviews of operation and management. This book provides you with a single source that comprehensively answers how and why the FWSM functions as it does. This information enables you to successfully deploy the FWSM and gain the greatest functional benefit from your deployment. Practical examples throughout show you how other customers have successfully deployed the FWSM.
By reading this book, you will learn how the FWSM functions, the differences between the FWSM and the ASA Security Appliance, how to implement and maintain the FWSM, the latest features of the FWSM, and how to configure common installations.
Ray Blair, CCIE® No. 7050, is a consulting systems architect who has been with Cisco for more than 8 years, working primarily on security and large network designs. He has 20 years of experience in designing, implementing, and maintaining networks that have included nearly all networking technologies. Mr. Blair maintains three CCIE certifications in Routing and Switching, Security, and Service Provider. He is also a CNE and a CISSP.
Arvind Durai, CCIE No. 7016, is an advanced services technical leader for Cisco. His primary responsibility has been in supporting major Cisco customers in the enterprise sector. One of his focuses has been on security, and he has authored several white papers and design guides in various technologies. Mr. Durai maintains two CCIE certifications, in Routing and Switching and Security.
This security book is part of the Cisco Press® Networking Technology series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Networking: Security
Covers: Firewall security
Network Security Inside and Out: An Interview with Arvind Durai and Ray Blair
Understanding Cisco Secure Firewall Services Module 4.x Routing and Feature Enhancements
Introduction
Part I Introduction
Chapter 1 Types of Firewalls
Understanding Packet-Filtering Firewalls
Advantages
Caveats
Understanding Application/Proxy Firewalls
Advantages
Caveats
Understanding Reverse-Proxy Firewalls
Advantages
Caveats
Utilizing Packet Inspection
Reusing IP Addresses
NAT
PAT
Summary
Chapter 2 Overview of the Firewall Services Module
Specifications
Installation
Performance
Virtualization
Comparing the FWSM to Other Security Devices
IOS FW
PIX
ASA
Hardware Architecture
Software Architecture
Summary
Chapter 3 Examining Modes of Operation
Working with Transparent Mode
Advantages
Disadvantages
Traffic Flow
Multiple Bridge Groups
Working with Routed Mode
Advantages
Disadvantages
Traffic Flow
Summary
References
Chapter 4 Understanding Security Levels
Traffic Flow Between Interfaces
Network Address Translation/Port Address Translation
Static NAT
Number of Simultaneous TCP Connections
Number of Embryonic Connections
DNS
Norandomseq
TCP
UDP
Static PAT
Dynamic NAT
Dynamic PAT
NAT Control
NAT Bypass
NAT 0 or Identity NAT
Static Identity NAT
Summary
References
Chapter 5 Understanding Contexts
Benefits of Multiple Contexts
Separating Security Policies
Leveraging the Hardware Investment
Disadvantages of Multiple Contexts
Adding and Removing Contexts
Adding a Context
Removing a Context
Storing Configuration Files
Changing Between Contexts
Understanding Resource Management
Memory Partitions
Summary
Part II Initial Configuration
Chapter 6 Configuring and Securing the 6500/7600 Chassis
Understanding the Interaction Between the Host-Chassis and the FWSM
Assigning Interfaces
Securing the 6500/7600 (Host-Chassis)
Controlling Physical Access
Being Mindful of Environmental Considerations
Controlling Management Access
Disabling Unnecessary Services
Controlling Access Using Port-Based Security
Controlling Spanning Tree
Leveraging Access Control Lists
Securing Layer 3
Leveraging Control Plane Policing
Protecting a Network Using Quality of Service
Employing Additional Security Features
Summary
References
Chapter 7 Configuring the FWSM
Configuring FWSM in the Switch
Exploring Routed Mode
Exploring Transparent Mode
Using Multiple Context Mode for FWSM
Context Configurations
System Context Configurations
Admin Context Configurations
Packet Classifier in FWSM Context Mode
Understanding Resource Management in Contexts
Configuration Steps for Firewall Services Module
Type 1: Configuring Single Context Routed Mode
Type 2: Configuring Single Context Transparent Mode
Type 3: Configuring Multiple Context Mixed Mode
Summary
Chapter 8 Access Control Lists
Introducing Types of Access Lists
Understanding Access Control Entry
Understanding Access List Commit
Understanding Object Groups
Monitoring Access List Resources
Configuring Object Groups and Access Lists
Working with Protocol Type
Working with Network Type
Working with Service Type
Working with Nesting Type
Working with EtherType
Summary
Chapter 9 Configuring Routing Protocols
Supporting Routing Methods
Static Routes
Default Routes
Open Shortest Path First
SPF Algorithm
OSPF Network Types
Concept of Areas
OSPF Link State Advertisement
Types of Stub Area in OSPF
OSPF in FWSM
OSPF Configuration in FWSM
Interface-Based Configuration for OSPF Parameters
Summarization
Stub Configuration
NSSA Configuration
Default Route Information
Timers
OSPF Design Example 1
OSPF Design Example 2
Routing Information Protocol
RIP in FWSM
Configuration Example of RIP on FWSM
Border Gateway Protocol
BGP in FWSM
BGP Topology with FWSM
Summary
Chapter 10 AAA Overview
Understanding AAA Components
Authentication in FWSM
Authorization in FWSM
Accounting in FWSM
Comparing Security Protocols
Understanding Two-Step Authentication
Understanding Fallback Support
Configuring Fallback Authentication
Configuring Local Authorization
Understanding Cut-Through Proxy in FWSM
Configuring Custom Login Prompts
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Summary
Chapter 11 Modular Policy
Using Modular Policy in FWSM
Understanding Classification of Traffic
Understanding Application Engines
Defining Policy Maps
Configuring Global Policy
Configuring Service Policy
Understanding Default Policy Map
Sample Configuration of Modular Policy in FWSM
Summary
Part III Advanced Configuration
Chapter 12 Understanding Failover in FWSM
Creating Redundancy in the FWSM
Understanding Active/Standby Mode
Understanding Active/Active Mode
Understanding Failover Link and State Link
Requirements for Failover
Synchronizing the Primary and Secondary Firewalls
Monitoring Interfaces
Configuring Poll Intervals
Design Principle for Monitoring Interfaces
Configuring Single Context FWSM Failover
Configuring Multiple Context FWSM Failover
Summary
Chapter 13 Understanding Application Protocol Inspection
Inspecting Hypertext Transfer Protocol
Inspecting File Transfer Protocol
Working with Supported Applications
Configuring ARP
Inspecting ARP
Configuring Parameters for ARP
Configuring MAC Entries
Adding Static Entries
Summary
References
Chapter 14 Filtering
Working with URLs and FTP
Configuring ActiveX and Java
Summary
References
Chapter 15 Managing and Monitoring the FWSM
Using Telnet
Using Secure Shell
Using Adaptive Security Device Manager
Configuring the FWSM Using ASDM
Managing the FWSM from the Client
Securing Access
Configuring the FWSM for VPN Termination
Configuring the VPN Client
Working with Simple Network Management Protocol
Examining Syslog
Working with Cisco Security Manager
Monitoring Analysis and Response System
Summary
References
Chapter 16 Multicast
Protocol Independent Multicast
Understanding Rendezvous Point
PIM Interface Modes
IGMP Protocol
Multicast Stub Configuration
Multicast Traffic Across Firewalls
FWSM 1.x and 2.x Code Releases
FWSM 3.x Code Release
Configuration Methods
Method 1: Configuration Example for Multicast Through Firewall in Single Context Routed Mode
Method 2: Configuration Example for Multicast Through Firewall via GRE
Method 3: Configuration Example for Multicast Through Transparent Firewall in Multiple Context Mode
Summary
Chapter 17 Asymmetric Routing
Asymmetric Routing Without a Firewall
Asymmetric Traffic Flow in a Firewall Environment
Avoiding Asymmetric Routing Through Firewalls
Option 1: Symmetric Routing Through Firewalls
Option 2: Firewall Redundancy and Routing Redundancy Symmetry
Supporting Asymmetric Routing in FWSM
Asymmetric Routing Support in Active/Standby Mode
Asymmetric Routing Support in Active/Active Mode
Configuring ASR in FWSM
Summary
Chapter 18 Firewall Load Balancing
Reasons for Load Balancing Firewalls
Design Requirements for Firewall Load Balancing
Firewall Load-Balancing Solutions
Firewall Load Balancing with Policy-Based Routing
Firewall Load Balancing with Content Switch Module
Configuring the CSM
Snapshot Configuration for CSM Supporting Firewall Load Balancing
Firewall Load Balancing Using the Application Control Engine
ACE Design for Firewall Load Balancing
Firewall Load Balancing Configuration Example
OUT2IN Policy Configuration
Firewall Configuration
IN2OUT Policy Configuration
Summary
Chapter 19 IP Version 6
Understanding IPv6 Packet Header
Examining IPv6 Address Types
Neighbor Discovery Protocol
IPv6 in FWSM
Configuring Multiple Features of IPv6 in FWSM
Interface Configuration
Router Advertisement
Duplicate Address Detection
Timer for Duplicate Address Detection
Configuring Access Lists
Configuring Static Routes
Configuring IPv6 Timers in FWSM
Configuring IPv6 in FWSM
Configuring PFC (Layer 3 Device) on the Outside Security Domain
Configuring FWSM
Configuring a Layer 3 Device on the Inside Security Domain
Verify the Functionality of FWSM
Working with the show Command for IPv6 in FWSM
Summary
Chapter 20 Preventing Network Attacks
Protecting Networks
Shunning Attackers
Spoofing
Understanding Connection Limits and Timeouts
Configuring Connection Limits
Configuring Timeouts
Summary
References
Chapter 21 Troubleshooting the FWSM
Understanding Troubleshooting Logic
Assessing Issues Logically
Connectivity Test of a Flow at the FWSM
Troubleshooting Flow Issues
FAQs for Troubleshooting
How Do You Verify Whether the Traffic Is Forwarded to a Particular Interface in the FWSM?
How Do I Verify ACL Resource Limits?
How Do I Verify the Connectivity and Packet Flow Through the Firewall?
What Is Network Analysis Module?
What Are Some Useful Management and Monitoring Tools?
How Do I Recover Passwords?
Summary
Part IV Design Guidelines and Configuration Examples
Chapter 22 Designing a Network Infrastructure
Determining Design Considerations
Documenting the Process
Determining Deployment Options
Determining Placement
Working with FWSM and the Enterprise Perimeter
FWSM in the Datacenter
Throughput
Flexibility
Availability
Supporting Virtualized Networks
Summary
Reference
Chapter 23 Design Scenarios
Layer 3 VPN (VRF) Terminations at FWSM
Configuring the PFC
Configuring the FWSM
Failover Configuration in Mixed Mode
Interdomain Communication of Different Security Zones Through a Single FWSM
Configuring the PFC
FWSM Configuration
Dynamic Learning of Routes with FWSM
Single Box Solution with OSPF
Data Center Environment with the FWSM
Method 1: Layer 3 VPN Segregation with Layer 3 FWSM (Multiple Context Mode)
Method 2: Layer 3 VPN Segregation with Layer 2 FWSM (Multiple Context Mode)
PVLAN and FWSM
PVLAN Configuration in FWSM
Design Scenario 1 for PVLAN in FWSM
Design Scenario 2 for PVLAN in FWSM
Configuring PVLAN
Summary
Part V FWSM 4.x
Chapter 24 FWSM 4.x Performance and Scalability Improvements
Increasing Performance by Leveraging the Supervisor
Using the PISA for Enhanced Traffic Detection
Improving Memory
Partitioning Memory
Reallocating Rules
Optimizing ACL
Summary
Chapter 25 Understanding FWSM 4.x Routing and Feature Enhancements
Configuring EIGRP
Configuring Route Health Injection
Understanding Application Support
Configuring Regular Expressions
Understanding Application Inspection Improvements
Additional Support for Simple Network Management Protocol Management Information Base
Miscellaneous Security Features
Dynamic Host Configuration Protocol Option 82
Smartfilter HTTPS Support
Summary
References
ISBN 1587053535, table of contents dated 8/12/2008