ACE Design for Firewall Load Balancing

The dual ACE solution will be able to provide 10 Gbps of throughput for firewall load balancing, and the multiple FWSMs have to match this throughput. Figure 18-4 shows a high-level design of firewall load balancing using ACE.
[Figure 18-4 labels: Single Context Dual ACE Solution; Single ACE Multiple Context Solution; Trunk EtherChannel (FWSM/CSM); State and Failover VLANs, VLAN 11 and VLAN 12]
In this case, VLAN 13 is the client side...

Adding a Context

Now that the admin context has been created and a way exists to administer the FWSM directly, additional contexts can be added. Each new context has its own policies controlling the flow of traffic and can be managed individually. New contexts are added with the following commands:
    FWSM(config-ctx)# allocate-interface vlan name_of_interface
    FWSM(config-ctx)# allocate-interface vlan name_of_interface
    FWSM(config-ctx)# config-url location_of_file...

Adding and Removing Contexts

The first step in adding contexts is to configure the FWSM for multiple-context mode using the following command. The FWSM answers with:
    WARNING: This command will change the behavior of the device
    WARNING: This command will initiate a Reboot
    Proceed with change mode? [confirm]
If you have a configuration worth saving, be sure to create a backup before confirming. The number of security contexts is based on the license key. To verify the number of supported contexts on the FWSM, use the following command. Look for the line that indicates the...
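The whole procedure from the two sections above, as an added example that is not the book's own configuration: converting the FWSM to multiple-context mode, checking the licensed context count, adding a context with its own interfaces and configuration file, and removing it again. The context name custA, the VLAN numbers, the mapped interface names out1/in1, the addresses and the file names on disk: are assumptions for illustration.

```cisco
! Added example (not from the book). Context name, VLANs, mapped names,
! addresses and file names are assumptions.
!
! 1. Convert to multiple-context mode (system execution space). The FWSM
!    reboots and turns the old running configuration into the admin context.
FWSM# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
!
! 2. After the reload, check how many contexts the license permits
FWSM# show version | include Contexts
!
! 3. Add a context with its own VLANs and its own configuration file.
!    Mapped names (out1, in1) hide the real VLAN numbers from the context.
FWSM# configure terminal
FWSM(config)# context custA
FWSM(config-ctx)# description Customer A, routed mode, own policy
FWSM(config-ctx)# allocate-interface vlan20 out1
FWSM(config-ctx)# allocate-interface vlan21 in1
FWSM(config-ctx)# config-url disk:/custA.cfg
FWSM(config-ctx)# exit
FWSM(config)# exit
FWSM# write memory
!
! 4. Configure the new context from inside it; it starts empty
FWSM# changeto context custA
FWSM/custA# configure terminal
FWSM/custA(config)# interface out1
FWSM/custA(config-if)# nameif outside
FWSM/custA(config-if)# security-level 0
FWSM/custA(config-if)# ip address 192.0.2.2 255.255.255.0
FWSM/custA(config-if)# exit
FWSM/custA(config)# interface in1
FWSM/custA(config-if)# nameif inside
FWSM/custA(config-if)# security-level 100
FWSM/custA(config-if)# ip address 10.20.0.1 255.255.255.0
FWSM/custA(config-if)# exit
FWSM/custA(config)# exit
FWSM/custA# write memory
FWSM/custA# changeto system
!
! 5. Removing the context drops all of its connections and its policy;
!    the file on disk: is not deleted and can be reused later
FWSM# configure terminal
FWSM(config)# no context custA
```

Each context is saved separately (write memory inside the context writes custA.cfg; write memory in the system space writes the system configuration), so a backup taken before step 1 must be repeated per context afterwards.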

Additional Support for Simple Network Management Protocol Management Information Base

Simple Network Management Protocol (SNMP) is used to get specific information from a device or to send it information for the purpose of configuration changes. Because the FWSM is a security device, it does not accept SNMP writes (set operations); you can only read information such as interface statistics, packet counts, and so on. There have been two additions to the Management Information Base (MIB): ACL entries and hit counters, located under CISCO-IP-PROTOCOL-FILTER-MIB, and Address Resolution...

Assessing Issues Logically

It is important for the troubleshooter to understand the issue and to picture the logical design of which the FWSM is a part. Follow these steps to identify and understand the problem:
Step 1 Define the problem. It is very important to get the definition from both the technical side and the user impact.
(b) Identify one stream with source and destination.
(c) Verify whether all the packets are flowing through the FWSM, whether any one particular flow is impacted, or whether a few applications are impacted.
(d)...

Asymmetric Routing Support in Active Standby Mode

For the network topology shown in Figure 17-5, the outside interfaces of security context A and security context B are both placed in ASR group 1 (they belong to the same ASR group). The packet arrives at the outside interface of context B. Because the two outside interfaces are in the same ASR group, the packet is redirected from context B's outside interface to context A's outside interface, where the session state exists. The packet then flows through context A to reach...

Asymmetric Routing Without a Firewall

Figure 17-1 shows asymmetric routing without firewalls in the path from a source to a destination. The source is in the 10.1.1.0 subnet, with source IP address 10.1.1.100. The destination for the packet flow is 11.1.1.100. Flow 1 depicts the flow from the source to the destination. The host 11.1.1.100 receives the communication and transmits back to the source 10.1.1.100 (in the 10.1.1.0 subnet). On the return path, R1 routes the packet to R3. Note that the packet should have been forwarded to R2...

Asymmetric Traffic Flow in a Firewall Environment

In Figure 17-2, two FWSMs (the firewalls) are added, one in each Catalyst 6500 chassis. The asymmetric traffic flow is from the 10.1.1.0 subnet to host 11.1.1.100 (Figure 17-2, FWSM and Asymmetric Routing). Based on the policy, the packet leaves the security domain. When the packet reaches FWSM 2, FWSM 2 checks its state information for the communication between the two security domains. FWSM 2...

Being Mindful of Environmental Considerations

Although not directly related to security, proper heating, cooling, air cleanliness, and conditioned power play a significant role in the availability of the equipment. If the equipment is not working because of the environment, then there is no need to worry about good security. For more information on some of the environmental considerations for the FWSM and the appropriate documentation for the host-chassis, see Chapter 2. Be certain that the equipment operates well within the listed...

Comparing Security Protocols

The two prominent security protocols used in the industry are RADIUS and TACACS+. RADIUS is defined in RFC 2865. TACACS+ was for many years documented only in a Cisco Internet-Draft (RFC 1492 describes the original TACACS, not TACACS+) and was later published as RFC 8907. RADIUS uses User Datagram Protocol (UDP), whereas TACACS+ uses Transmission Control Protocol (TCP). TCP offers a reliable connection; RADIUS provides only application-level retransmission on top of UDP and lacks the built-in reliability that TACACS+ inherits from TCP. Also note that RADIUS encrypts only passwords in the...

Configuring ARP

Address Resolution Protocol (ARP) is the mechanism for finding a device's hardware (MAC) address from its IP address. When devices are on the same subnet (excluding proxy ARP) and need to communicate using IP, each must know the other's MAC address; with this information they can communicate. From a security perspective, malicious attackers can abuse ARP by sending unsolicited or gratuitous ARP replies to devices within the same...
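Two ways the FWSM protects its own ARP table against the unsolicited replies described above, as an added example rather than the book's configuration. Interface names, IP addresses and MAC addresses are assumptions; static arp entries work in either mode, while arp-inspection applies only to transparent mode.

```cisco
! Added example (not from the book). Addresses, MACs and interface names
! are assumptions.
!
! Routed mode: pin the MAC of each next hop so a gratuitous ARP from an
! attacker on the same VLAN cannot replace it. Without the "alias"
! keyword the FWSM does not answer ARP requests for these addresses on
! anyone's behalf.
FWSM(config)# arp outside 10.1.1.1 0012.3456.789a
FWSM(config)# arp inside 10.1.2.1 0012.3456.789b
! Shorten how long a dynamically learned entry survives (default 14400 s)
FWSM(config)# arp timeout 3600
!
! Transparent mode: static entries plus ARP inspection. Every ARP packet
! is compared with the static table and a mismatching IP/MAC/interface
! triple is dropped. With no-flood, ARP packets for addresses that have
! no static entry are dropped instead of being flooded to the other side,
! so the static table must cover every host that is allowed to ARP.
FWSM(config)# arp inside 10.1.1.10 00d0.b7a1.0001
FWSM(config)# arp outside 10.1.1.1 0012.3456.789a
FWSM(config)# arp-inspection inside enable no-flood
FWSM(config)# arp-inspection outside enable no-flood
!
! Verification
FWSM# show arp
FWSM# show arp-inspection
```

The flood (default) option is the safer place to start on a production segment: it still blocks spoofed replies for addresses that have static entries, without cutting off hosts that were simply forgotten in the table.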

Configuring Connection Limits

The number of connections allowed to a particular host or service can be controlled either through static NAT or through the modular policy framework. As described in Chapter 11, Modular Policy, the modular policy framework is a method used to classify traffic and perform actions on that specific traffic. In this section, the modular policy framework will be used to control connection limits. Static NAT has the capability to control the maximum number of...
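Both mechanisms named above, applied to one web server, as an added example that is not from the book. The server addresses 192.168.1.7 (mapped) and 172.17.1.7 (real) are the ones used in the shun example on this page; the limits and names are assumptions.

```cisco
! Added example (not from the book). Limits and names are assumptions.
!
! Option 1: limits attached to the static translation of the server.
! The first number is the maximum TCP connections, the second the maximum
! embryonic (half-open) connections; 0 means unlimited.
FWSM(config)# static (inside,outside) 192.168.1.7 172.17.1.7 netmask 255.255.255.255 tcp 1000 200
!
! Option 2: the same limits through the modular policy framework, which
! can key on any classification, not only on a translated host.
FWSM(config)# access-list WEB-IN extended permit tcp any host 192.168.1.7 eq www
FWSM(config)# class-map WEB
FWSM(config-cmap)# match access-list WEB-IN
FWSM(config-cmap)# exit
FWSM(config)# policy-map OUTSIDE-LIMITS
FWSM(config-pmap)# class WEB
! 1000 concurrent connections, 200 half-open. Once the embryonic limit is
! reached, further SYNs are proxied by the FWSM and only completed
! handshakes are passed on to the server (SYN-flood protection).
FWSM(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 200
FWSM(config-pmap-c)# exit
FWSM(config-pmap)# exit
! Limits apply where the traffic enters: bind the policy to outside
FWSM(config)# service-policy OUTSIDE-LIMITS interface outside
!
! Verification: current and peak counts per class, and the live table
FWSM# show service-policy interface outside
FWSM# show conn
```

Pick one mechanism per server: if both the static and the policy map carry limits, the lower value wins, which is hard to reason about during an incident.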

Configuring EIGRP

EIGRP has been a long-awaited feature for the Firewall Services Module (FWSM). With EIGRP support, the FWSM can be integrated into an existing EIGRP network, minimizing the need to redistribute routing information into other routing protocols. This reduces the complexity of managing multiple routing processes and simplifies the network design, especially within the datacenter. Redistribution of routes between routing protocols can be difficult because each routing protocol exercises different...
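A minimal EIGRP integration of the kind the paragraph describes, as an added example that is not from the book. The FWSM runs EIGRP in single-context routed mode; the AS number 100, the networks, the VLAN numbers and the key are assumptions.

```cisco
! Added example (not from the book). AS number, networks, interface and
! key are assumptions.
FWSM(config)# router eigrp 100
! Advertise the directly connected outside and inside networks
FWSM(config-router)# network 10.1.1.0 255.255.255.0
FWSM(config-router)# network 10.1.2.0 255.255.255.0
! No routers live behind the inside interface: send no hellos there and
! accept no adjacencies from that side
FWSM(config-router)# passive-interface inside
FWSM(config-router)# no auto-summary
FWSM(config-router)# exit
!
! Authenticate the outside adjacency so that a rogue host on the outside
! VLAN cannot form a neighbor relationship and inject routes
FWSM(config)# interface vlan10
FWSM(config-if)# authentication mode eigrp 100 md5
FWSM(config-if)# authentication key eigrp 100 S3cr3tK3y key-id 1
FWSM(config-if)# exit
!
! Verification: neighbors must show up only on the outside interface
FWSM# show eigrp neighbors
FWSM# show eigrp topology
```

Because the inside networks are carried natively by EIGRP, no redistribution into another protocol is needed; the static routes that remain (for example toward NAT pools) are the only candidates for redistribute static.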

Configuring FWSM

The FWSM has both IPv4 and IPv6 configured on the inside and outside security interfaces. Example 19-1 shows the FWSM configuration.
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    ! configure the interface with IPv6 address and suppress RA message
    interface Vlan10
     nameif outside
     security-level 0
     ip address 10.1.1.2 255.255.255.0
     ipv6 address 3ffe:500:10:1::2/64
     ipv6 nd suppress-ra
    ! configure the interface with IPv6 address and suppress RA message
    interface Vlan11
     nameif inside
     security-level 100...

Configuring IPv6 in FWSM

In Figure 19-2, the FWSM is configured for IPv4 and IPv6. The FWSM is configured in single context routed mode. The outside interface is VLAN 10 and the inside interface is VLAN 11. In the policy feature card (PFC), IPv4 and IPv6 static routes are defined for networks at the inside security zone of the FWSM, pointing to VLAN 10 at the outside interface address of the FWSM. The static route for IPv4 will point to the IPv4 address and the static route for IPv6 will point to the IPv6 address. From...

Configuring IPv6 Timers in FWSM

Table 19-2 describes the various timers that can be configured for IPv6 on the FWSM.
Table 19-2 The Features and Syntax for IPv6 Support in FWSM
Neighbor solicitation message interval: Configures the time interval between IPv6 neighbor solicitation messages. The value argument ranges from 1000 to 3,600,000 milliseconds; the default is 1000 milliseconds. This command is used when an interface is configured to...

Configuring PVLAN

The FWSM needs 3.x code or later, and the switch needs 12.2(18)SXF or later. Figure 23-10 shows the configuration of the FWSM with PVLANs.
[Figure 23-10 Configuration of FWSM with PVLANs: Isolated VLAN 12, Community VLAN 13]
VLAN 10 is the outside interface of the FWSM. VLAN 11 is the inside VLAN for the FWSM. It is also the...

Configuring Route Health Injection

The FWSM has limited support for dynamic routing protocols in multiple-context mode. Route Health Injection (RHI) can propagate routing information from individual routed-mode contexts, including static routes, connected networks, and Network Address Translation (NAT) pools, into the routing engine on the host-chassis. Because RHI is so tightly integrated with the routing engine, the minimum image needed on the Supervisor 720 and/or Supervisor 32 is...

Configuring Service Policy

After configuring the classification of the traffic and the action on the classified traffic, the policy map is activated with the service-policy command. It can be applied globally, which makes it applicable to all interfaces, or to a single interface. For traffic that matches both, the interface policy takes precedence over the global policy map. Applying the service-policy command with the policy map is a single-step process. When the service policy is applied globally, the actions will be applicable to all the...

Configuring the FWSM

This chapter takes you through the steps needed to configure the Firewall Services Module (FWSM). It also covers the different FWSM mode configurations: routed, transparent, single context, and multiple context. The FWSM is an inline module in the switch chassis. To configure the FWSM, switch configuration is a necessity because it binds the switch VLANs to the FWSM. The configuration of the FWSM covers the details of firewall rules, policy, redundancy, and so on. The configuration of the...

Configuring the PFC

Follow these steps to configure Layer 3 segregation with multiple security domains on a single PFC. This configuration represents the PFC in Figure 23-2.
Step 1 Defining a VRF for each security domain:
      route-target export 1:110
      route-target import 1:110
     ip vrf out
      rd 1:1
      route-target export 1:101
      route-target import 1:101
Step 2 VLAN configuration on the switch:
     6504-E-1# show run interface vlan 10
     Building configuration...
     Current configuration : 82 bytes
     interface Vlan10
      ip vrf forwarding out
      ip address...

Configuring Timeouts

Two mechanisms control connection limits and timeouts: global configuration parameters and the modular policy framework. The modular policy framework, discussed in the previous section, provides a very granular approach to how connection limits and timeouts are controlled. The other option is to use global timeout parameters. These are specific to a particular protocol and are configured with the timeout command in configuration mode. The following idle-time parameters are configured using the timeout...
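The two mechanisms side by side, as an added example that is not the book's own configuration: global idle timeouts for everything, and a modular-policy override for one class of traffic (which also shows the interface-level service policy discussed under Configuring Service Policy). The values, the database server address and the network are assumptions; the FWSM defaults are quoted in the comments.

```cisco
! Added example (not from the book). Values and addresses are assumptions.
!
! Global idle timeouts (defaults: xlate 3:00:00, conn 1:00:00,
! half-closed 0:10:00, udp 0:02:00, icmp 0:00:02). Shorter values free
! connection and translation state sooner after a burst of abandoned
! sessions.
FWSM(config)# timeout xlate 1:00:00
FWSM(config)# timeout conn 0:30:00 half-closed 0:05:00 udp 0:01:00 icmp 0:00:02
FWSM(config)# timeout uauth 0:05:00 absolute
!
! Per-traffic override with the modular policy framework: long-lived
! database sessions from the application tier get a 2-hour idle timeout
! and a reset to both ends on expiry; everything else keeps the global
! values.
FWSM(config)# access-list DB-SESSIONS extended permit tcp 10.1.2.0 255.255.255.0 host 10.1.1.50 eq 1521
FWSM(config)# class-map DB
FWSM(config-cmap)# match access-list DB-SESSIONS
FWSM(config-cmap)# exit
FWSM(config)# policy-map INSIDE-TIMEOUTS
FWSM(config-pmap)# class DB
FWSM(config-pmap-c)# set connection timeout tcp 2:00:00 reset
! Half-open connections in this class must complete within 30 seconds
FWSM(config-pmap-c)# set connection timeout embryonic 0:00:30
FWSM(config-pmap-c)# exit
FWSM(config-pmap)# exit
! Applied to the interface the sessions enter on; an interface policy
! wins over a global one for the traffic it matches
FWSM(config)# service-policy INSIDE-TIMEOUTS interface inside
!
! Verification: class counters, and the remaining idle time of each flow
FWSM# show service-policy interface inside
FWSM# show conn detail
```

Keep the global conn timeout short and lengthen it only for classes that demonstrably need it; a generous global value lets a scanner or a slow-loris style client hold state on the firewall for an hour per connection.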

Connectivity Test of a Flow at the FWSM

Follow the next steps to troubleshoot basic connectivity to the FWSM (ICMP to an FWSM interface must be permitted with the icmp command for these pings to answer):
Step 1 Make sure the ping is successful from the inside next hop of the FWSM to the inside interface, and do the same from the other security zones.
Step 2 Make sure that from the FWSM you are able to ping all the next-hop addresses of the physical interfaces on the FWSM and of the static routes.
Step 3 Based on the security policy, ping from the next hop of the inside interface to the next hop of the outside interface in...

Controlling Management Access

Methods for accessing the FWSM include Telnet, Secure Shell (SSH), direct console access, access from the host-chassis, and Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). Telnet carries credentials in cleartext, so SSH should be preferred wherever possible. If someone with malicious intent were to gain access to the FWSM using any of these methods, they could potentially gain unfiltered access to resources within your network. Access methods need to be highly controlled. This becomes even more significant when numerous individuals are accessing the same...

Controlling Physical Access

Anyone with physical access to the equipment can quickly perform a Denial of Service (DoS) attack by turning off the power, moving cables, removing line cards, and so on. It is critical to restrict physical access to individuals who can be trusted to behave appropriately. Equipment can be protected inside locked cabinets and in equipment rooms with access controlled by badge readers or keys, and physical cabling can be secured within conduit. Other mechanisms that may deter inappropriate...

Creating Redundancy in the FWSM

The two redundancy modes of the FWSM are as follows. The sections that follow cover the two modes in detail. The firewall has an active unit and a non-active unit; the active unit is called the primary firewall and the non-active unit the secondary firewall (strictly, primary and secondary are the roles assigned with the failover lan unit command, and after a failover the secondary unit is the active one). These two FWSM modules are symmetric to each other. All the traffic passes through the active module and none through the standby module. The two symmetric modules can be in the same chassis or in a redundant...

Default Routes

A default route is the gateway of last resort, used when no more specific route exists in the routing table. It is configured with a network address and mask of 0.0.0.0 0.0.0.0 (which the CLI also accepts as 0 0) and a valid Layer 3 next-hop address. You can define a maximum of three default routes in the same security domain; if multiple default routes exist, the traffic is distributed across the specified gateways (equal-cost routes on the same interface). To configure a default route, enter the following command:
    hostname(config)# route if_name 0.0.0.0 0.0.0.0...

Design Principle for Monitoring Interfaces

To enable a complete failover solution, you need the monitor-interface command on all the interfaces in all contexts. The monitor-interface command in multiple-context mode needs to follow the network symmetry: monitoring every interface can itself cause failover problems if the FWSM failover design is not symmetric to the network. In certain deployments of multiple-context mode, the interfaces across all the contexts in the primary and secondary FWSMs situated in two separate...
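The failover pair and the per-context monitoring the two sections above describe, as an added example that is not from the book. Failover VLANs 100/101, the addresses, and the context custA with its mapped interfaces out1/in1 are assumptions.

```cisco
! Added example (not from the book). VLANs, addresses and the context
! name are assumptions. Failover itself is configured in the system
! execution space; interface monitoring is configured in each context.
!
! System execution space of the primary FWSM (the secondary unit uses
! "failover lan unit secondary" and otherwise identical lines)
FWSM(config)# failover lan unit primary
FWSM(config)# failover lan interface fover vlan 100
FWSM(config)# failover link fstate vlan 101
FWSM(config)# failover interface ip fover 192.168.100.1 255.255.255.0 standby 192.168.100.2
FWSM(config)# failover interface ip fstate 192.168.101.1 255.255.255.0 standby 192.168.101.2
FWSM(config)# failover
!
! Inside context custA: every monitored interface needs a standby
! address, and its VLAN must be trunked to both chassis. A monitored
! interface that the standby unit cannot reach fails the interface test
! and can trigger an unwanted failover: either do not monitor it, or fix
! the trunking first.
FWSM/custA(config)# interface out1
FWSM/custA(config-if)# ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
FWSM/custA(config-if)# exit
FWSM/custA(config)# interface in1
FWSM/custA(config-if)# ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
FWSM/custA(config-if)# exit
FWSM/custA(config)# monitor-interface outside
FWSM/custA(config)# monitor-interface inside
!
! Verification: unit state and link health, then per-interface test state
FWSM# show failover
FWSM/custA# show monitor-interface
```

The failover and state VLANs carry configuration and connection state in the clear between the two units, so they must never be trunked anywhere but between the two chassis.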

Design Scenario 1 for PVLAN in FWSM

In this scenario, as shown in Figure 23-8, the FWSM is in single context routed mode. The inside interface of the FWSM is in VLAN 11. VLAN 11 is primary for the PVLAN (promiscuous mode). VLAN 12 and VLAN 13 are isolated VLANs. The hosts in VLAN 12 and VLAN 13 do not communicate with each other. This results in isolation of the traffic between the two hosts. VLAN 12 and VLAN 13 communicate with the host in VLAN 10 or the outside security domain through VLAN 11. The FWSM will need to have VLAN 11...

Design Scenario 2 for PVLAN in FWSM

In this scenario, as shown in Figure 23-9, the FWSM is in single context routed mode. VLAN 11 is the primary VLAN. VLAN 12 is an isolated VLAN and communicates only with the primary VLAN 11. VLAN 13 is defined as a PVLAN community and has two hosts. These two hosts, HOST B and HOST C, can communicate with each other through the switch.
[Figure 23-9 labels: Isolated VLAN 12, Community VLAN 13]
The following points represent the communication in...

Designing a Network Infrastructure

Designing a network infrastructure is one of those topics that is subject to opinion. Previous experience, comfort level with different technologies, and feature likes and dislikes will all play a part in the outcome of a design. Although many solutions may exist, the ultimate goal is a reliable, manageable, cost-effective infrastructure that meets or exceeds the requirements of the project. A very important aspect of designing, not only with the Firewall Services Module (FWSM) but with all...

Determining Deployment Options

After collecting and compiling the information from Step 1, Step 2 is to determine the deployment options. Should the FWSM be in single-context mode? If a single organization maintains control over the FWSM and logical separation of multiple firewalls is not required, the answer could be yes. Another benefit of single-context mode is a greater rule limit. Refer to Chapter 2, Overview of the Firewall Services Module, for details. Native multicast and routing protocols are also supported in...

Determining Placement

Step 3 is where or how to logically place the FWSM. Given the flexibility in the configuration of the host-chassis and the FWSM, you can choose from many deployment options. Single-context routed mode (inside/outside): This option allows the FWSM to participate in the routing process and has the capability to support multiple interfaces. From a security perspective, every additional process running on the firewall (here, the routing process) adds attack surface. Moving the routing process to the Multilayer Switch Feature Card...

Documenting the Process

Documenting the process is one of the most important aspects of creating a network design because it provides a record of the requirements, the scope of the project, and so on. This document should be written very clearly to avoid ambiguity, and it provides the foundation for the entire plan. The project documentation should contain information such as the following: What is the end goal? A general mission/project statement needs to define what you are attempting to accomplish. This could be...

Dynamic Host Configuration Protocol Option

Option 82 provides location information from the Dynamic Host Configuration Protocol (DHCP) relay agent (in this case, the FWSM) to the DHCP server. This information can be used to differentiate DHCP clients and consequently offer distinctive services on a per-client basis. You can use two commands to enable DHCP relay. The first command specifies the DHCP server IP address and the interface on which it is located. Optionally, the dhcprelay server ip_address command can be configured under the outgoing...

Dynamic PAT

Dynamic Port Address Translation (PAT) is the process of NAT (changing the source address, destination address, or source and destination addresses of an IP packet) combined with changing the source port number, destination port number, or both the source and destination port numbers. PAT translates real inside addresses to a single outside address. This allows many users on the inside to access resources on the outside using only a single IP address, consequently reducing the number of...


Employing Additional Security Features

AutoSecure is a good tool to set a baseline for securing the host-chassis. It will disable nonessential system services and enable some limited security best practices. NOTE: Be sure to review the configuration changes that AutoSecure makes and augment it with the other practices outlined in this chapter (and remember that service password-encryption uses the reversible type 7 encoding, so it hides passwords from casual viewing only). The Cisco AutoSecure White Paper can be found at the following location: www.cisco.com Service password encryption will encrypt most...

Examining IPv6 Address Types

IPv6 addressing architecture is defined in RFC 3513 (since obsoleted by RFC 4291). The three types of IPv6 addresses in the RFC are the following:
Unicast: Communication is between a single source and a single receiver.
Multicast: Communication is between a single source and multiple receivers.
Anycast: Communication is between a single source and a group of receivers, where the traffic is forwarded to the receiver in the group nearest to the source.
The predefined scopes contained in one single IPv6 address are as...

Exploring Routed Mode

In routed mode, the FWSM acts like a Layer 3 device, and all the interfaces in the FWSM need to have an Internet Protocol (IP) address. The interfaces can be in any security zone inside, outside, or demilitarized zone (DMZ). The firewall configuration is in routed mode and needs IP addresses and IP routing enabled on the interfaces. The routed mode can be in single context or multiple context mode. Figure 7-1 illustrates the high-level details of each mode. Figure 7-1 High-Level Topology View...

Exploring Transparent Mode

The firewall is not seen as a Layer 3 hop. The FWSM has a Layer 2 adjacency with the next-hop devices, and the firewall can be referred to as a bump in the wire. The transparent firewall also passes IP and non-IP traffic. To place the firewall between two Layer 3 devices, no IP readdressing is required. It is also easy to establish routing protocol adjacencies through a transparent firewall. Likewise, protocols such as Hot Standby Router Protocol (HSRP) or Virtual Router...

Firewall Configuration

This section covers the basic firewall configuration, which allows packets to pass through the FWSM. No special configuration is needed in the FWSM for a load-balancing solution.
Step 1 MSFC configuration for the FWSM. This covers the configuration of the VLANs present in the FWSM:
    firewall multiple-vlan-interfaces
    firewall module 3 vlan-group 3
    firewall module 4 vlan-group 3
    firewall vlan-group 3 10,11
Make sure VLAN 10 and VLAN 11 are configured in the switch database. VLAN 11 does not...

Firewall Load Balancing

Firewall load balancing is commonly seen in data centers or Internet architecture of e-commerce networks, where there is a high volume of traffic traversing the firewall infrastructure. With firewall load balancing, multiple firewalls can be referenced by a single IP address defined in a load balancer. The load balancer can distribute the traffic load among firewalls, or multiple virtual IP addresses (VIP) in a load balancer can reference firewalls for different traffic profiles, to give...

Firewall Load Balancing Configuration Example

Figure 18-7 gives an example of load balancing through policy-based routing. The traffic sourced from 172.16.1.1 client to 10.2.100.1 server will pass through FWSM1, using OUT2IN policy. The return path from 10.2.100.1 server will be load balanced from IN2OUT policy and will pass through FWSM1 back to 172.16.1.1 client. This defines a complete session flow. Figure 18-7 High-Level Explanation of Firewall Load Balancing Using PBR Figure 18-7 High-Level Explanation of Firewall Load Balancing Using...

FWSM 4.x Performance and Scalability Improvements

The release of the 4.x code train offers some major improvements in performance and scalability. Trusted Flow Acceleration allows flows to bypass the Firewall Services Module (FWSM), achieving line-rate performance. The combination of the FWSM along with the Programmable Intelligent Services Accelerator (PISA) adds a new level of traffic inspection. The change in memory provisioning for both partitions and rule allocation has greatly improved how resources can be divided. Access list...

How Do I Recover Passwords

Password recovery is a common need on any device. On the FWSM, the maintenance partition passwords can be reset to their default values with the following command:
    FWSM# clear mp-passwd
Lockout situations can happen because of AAA settings. To reset the passwords and portions of the AAA configuration to the default values, use the following steps in the maintenance partition:
Step 1 Check the current application boot partition using this command:
    Router# show...

How Do You Verify Whether the Traffic Is Forwarded to a Particular Interface in the FWSM

To verify whether the traffic is forwarded to a particular interface in the FWSM, use the show access-list command, as shown in Example 21-1. Example 21-1 show access-list Output Verifies Traffic Forwarding Information Notice the hit count for the access list. If the packet hit count is not increasing, verify the access list entry or use the capture command to note whether the packet is seen in the FWSM. The capture command is very useful for troubleshooting connectivity related issues. Using...

IN2OUT Policy Configuration

IN2OUT policy is configured on the Layer 3 device in Figure 18-7. VLAN 11 is the Layer 3 VLAN for the inside interfaces on both the FWSMs. The FWSMs are two separate units and are not in failover mode. The load-balancing technology will decide on the firewall to which the packet has to be forwarded. It is therefore very important to synchronize the inbound and outbound load-balancing policies to maintain the state of a flow through the firewall. Step 1 Policy routing IN2OUT configuration....
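The IN2OUT policy-based routing described in this section and in Firewall Load Balancing Configuration Example, as an added example that is not from the book. It is Catalyst IOS configuration on the Layer 3 switch, not FWSM configuration. The client 172.16.1.1 and server 10.2.100.1 come from Figure 18-7; the inside-interface addresses of the two FWSMs (10.11.0.2 and 10.11.0.3), the VLAN 11 SVI address and the second client range 172.16.2.0/24 are assumptions.

```cisco
! Added example (not from the book), on the Catalyst MSFC/PFC. FWSM
! inside addresses, the SVI address and the second client range are
! assumptions.
!
! Return traffic from the servers to a client must reach the same FWSM
! that carried the client's request; the other FWSM has no state for the
! session and drops it. So each client range is pinned to one firewall
! here, and the OUT2IN policy must pin the same ranges the same way.
ip access-list extended IN2OUT-TO-FWSM1
 permit ip 10.2.100.0 0.0.0.255 host 172.16.1.1
ip access-list extended IN2OUT-TO-FWSM2
 permit ip 10.2.100.0 0.0.0.255 172.16.2.0 0.0.0.255
!
route-map IN2OUT permit 10
 match ip address IN2OUT-TO-FWSM1
 set ip next-hop 10.11.0.2
route-map IN2OUT permit 20
 match ip address IN2OUT-TO-FWSM2
 set ip next-hop 10.11.0.3
! Traffic matching neither clause falls through to normal routing
!
! VLAN 11 is the Layer 3 VLAN facing the inside interfaces of both FWSMs;
! the policy applies to packets entering the MSFC on this interface
interface Vlan11
 ip address 10.11.0.1 255.255.255.0
 ip policy route-map IN2OUT
!
! Verification: per-clause match counters
! Switch# show route-map IN2OUT
```

If either FWSM goes down, the static next hop in its clause keeps sending that client range into a black hole; the ACE or CSM based designs elsewhere in this chapter exist largely to add health checking to this decision.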

Info

(Decision from the flowchart: Is this packet part of an existing session? Yes.) Packet-inspection firewalls are generally much faster than application firewalls because they are not required to host client applications. Most packet-inspection firewalls today also offer very good application or deep-packet inspection. This process allows the firewall to dig into the data portion of the packet and match on protocol compliance, scan for viruses, and so on, while still operating very quickly. A feature that is common among all...

Inspecting File Transfer Protocol

File Transfer Protocol (FTP) is a communication mechanism used to transfer data from one device to another using a command and control connection for the communication-specific commands and a data connection for the exchange of bulk information. FTP operates in active and passive modes. Using active mode, the client establishes a TCP connection to the host on port 21 (command and control), and the host connects to the client on a negotiated destination TCP port (data) sourcing from TCP port 20....

Inspecting Hypertext Transfer Protocol

Hypertext Transfer Protocol (HTTP) is a communication protocol used for the exchange of information (typically web pages) on the Internet or an intranet. The HTTP inspection engine can provide application inspection and control for the following:
Content protection and attack prevention: Enforces HTTP-specific parameters, such as URL, header, and cookie length, and so on.
Worm mitigation: Filters on HTTP encoding mechanisms, content type, non-ASCII characters, and so on.
Application access...
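Both inspection engines from the two sections above bound to one policy, as an added example that is not the book's configuration. The map and class names, the sizes and the interface are assumptions; the commands are the FWSM 3.x ftp-map and http-map syntax.

```cisco
! Added example (not from the book). Names, sizes and the interface are
! assumptions.
!
! FTP: strict mode follows the PORT/PASV negotiation on the control
! channel and opens only the data connection that was negotiated. The
! map additionally refuses uploads and SITE commands from the outside.
FWSM(config)# ftp-map FTP-STRICT
FWSM(config-ftp-map)# request-command deny put stou appe
FWSM(config-ftp-map)# request-command deny site
FWSM(config-ftp-map)# exit
!
! HTTP: enforce RFC-conformant requests and sane sizes, reset and log
! anything else, and stop other protocols from riding over port 80.
FWSM(config)# http-map HTTP-STRICT
FWSM(config-http-map)# strict-http action reset log
FWSM(config-http-map)# max-uri-length 1024 action reset log
FWSM(config-http-map)# max-header-length request 2048 action reset log
FWSM(config-http-map)# content-type-verification match-req-rsp action reset log
FWSM(config-http-map)# port-misuse im action reset log
FWSM(config-http-map)# port-misuse p2p action reset log
FWSM(config-http-map)# port-misuse tunneling action reset log
FWSM(config-http-map)# exit
!
! Bind each map to its port and apply the policy on the outside interface
FWSM(config)# class-map FTP-TRAFFIC
FWSM(config-cmap)# match port tcp eq ftp
FWSM(config-cmap)# exit
FWSM(config)# class-map HTTP-TRAFFIC
FWSM(config-cmap)# match port tcp eq www
FWSM(config-cmap)# exit
FWSM(config)# policy-map OUTSIDE-INSPECT
FWSM(config-pmap)# class FTP-TRAFFIC
FWSM(config-pmap-c)# inspect ftp strict FTP-STRICT
FWSM(config-pmap-c)# exit
FWSM(config-pmap)# class HTTP-TRAFFIC
FWSM(config-pmap-c)# inspect http HTTP-STRICT
FWSM(config-pmap-c)# exit
FWSM(config-pmap)# exit
FWSM(config)# service-policy OUTSIDE-INSPECT interface outside
!
! Verification: per-class packet and drop counters
FWSM# show service-policy interface outside
```

Strict FTP inspection rejects clients that pipeline commands or embed extra commands in a PORT exchange, and the HTTP limits will reset legitimate applications with very long URIs; roll both out with the log keyword and read the resulting messages before relying on the reset action.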

Interdomain Communication of Different Security Zones Through a Single FWSM

Interdomain communication between various security zones has become very common, especially when firewalls are integrated in the data center environment. Figure 23-4 illustrates a scenario in an enterprise network. The FWSM is configured for multiple context routed mode and VRF termination at the Layer 3 next hop to achieve zoning and routing segregations using the same device. In this scenario, consolidation is done when there is a requirement of a common security domain with multiple security...

Interface Configuration

You can configure IPv6 on an interface in multiple ways. Autoconfig address: By issuing this command, autoconfiguration is enabled on the interface for the IPv6 address; it receives the IPv6 address from RA messages. A link-local address based on the extended unique identifier (EUI) interface ID is automatically generated by issuing the following command:
    FWSMB(config-if)# ipv6 address autoconfig
After issuing this command, enter the show ipv6 interface command to verify that the interface configured...
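The address forms from this section and the neighbor-discovery timers from Configuring IPv6 Timers in FWSM on one interface, as an added example that is not from the book. The outside address is the one in Example 19-1; the inside prefix 3ffe:500:11:1::/64, the inside IPv4 address, the outside IPv6 next hop and the timer values are assumptions.

```cisco
! Added example (not from the book). Inside prefix, inside IPv4 address,
! outside next hop and timer values are assumptions.
FWSM(config)# interface vlan11
FWSM(config-if)# nameif inside
FWSM(config-if)# security-level 100
FWSM(config-if)# ip address 10.1.2.2 255.255.255.0
! Explicit global address; the link-local address is generated from the
! MAC automatically
FWSM(config-if)# ipv6 address 3ffe:500:11:1::2/64
! Alternative forms for the same interface:
!   ipv6 address 3ffe:500:11:1::/64 eui-64   (interface ID from the MAC)
!   ipv6 address fe80::2 link-local           (fixed link-local address)
!   ipv6 address autoconfig                   (learn from RAs; only for an
!                                              interface acting as a host)
! Neighbor discovery timers (Table 19-2): NS retransmit every 1000 ms,
! neighbors considered reachable for 30 s, two DAD probes before an
! address is used
FWSM(config-if)# ipv6 nd ns-interval 1000
FWSM(config-if)# ipv6 nd reachable-time 30000
FWSM(config-if)# ipv6 nd dad attempts 2
! A firewall should not advertise itself as a default router: no RAs
FWSM(config-if)# ipv6 nd suppress-ra
FWSM(config-if)# exit
! Static IPv6 default route toward the outside next hop
FWSM(config)# ipv6 route outside ::/0 3ffe:500:10:1::1
!
! Verification: addresses, ND settings and the IPv6 routing table
FWSM# show ipv6 interface inside
FWSM# show ipv6 route
```

With RAs suppressed on both interfaces, hosts on the inside need their default router from another source (static configuration or a dedicated router); a rogue RA on the segment is exactly what the firewall cannot stop once it has stopped sending its own.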

Introducing Types of Access Lists

This section covers the three major types of access lists. Each type of access list plays an important role in enabling the functionality of specific features in the FWSM. The three main types of access lists are as follows. Standard access list: Standard access lists are used in commands to identify destination IP addresses only. This is normally used in Open Shortest Path First (OSPF) route redistribution in the FWSM.
    hostname(config)# access-list access_list_name standard {deny | permit} {any | ...

IP Version

IP version 6 (IPv6) has come to prominence because of the extensive use of the Internet. The current protocol, IPv4, is predominantly deployed and extensively used throughout the world. When IPv4 was designed, Internet usage and growth to this extent were not predicted. The main feature of IPv6 driving adoption today is the larger address space: addresses in IPv6 are 128 bits long compared to 32 bits in IPv4. The 32 bits in IPv4 allow 2^32 (4,294,967,296) unique IP addresses. In IPv6, the...

J

In this example, it has been determined that an attack is coming from a device on the outside with IP address 192.168.1.23 to a web server on the services interface. From the admin context, the following command would be issued to deny traffic from 192.168.1.23 (any port) to the translated destination address 192.168.1.7 (real address 172.17.1.7) on port 80 (www), associated with the virtual local-area network (VLAN) 5 interface:
    FWSM/admin# shun 192.168.1.23 192.168.1.7 0 80 vlan 5
A shun is not part of the saved configuration; it stays in effect until it is removed with no shun or the module reloads. Notice also that...

Managing and Monitoring the FWSM

You can choose from several options when managing or monitoring the Firewall Services Module (FWSM). Having a good understanding of the capabilities of each solution and how to use them to your best interest will make your job much easier. Although alternatives to the command-line interface (CLI) exist, and it certainly may be more difficult to use, it is highly recommended to have a good understanding of how to manage, monitor, and troubleshoot the FWSM using the CLI. Because the CLI is the...

Method 1 Layer 3 VPN Segregation with Layer 3 FWSM Multiple Context Mode

The design has three logical blocks These logical blocks are explained as follows Penultimate Hop Router This router removes the MPLS labels, in case MPLS Layer 3 VPNs are used for traffic segregation. This router maps VRF based on VLANs and communicates with the perimeter router. The traffic of each VRF will flow through the VLANs in the individual trunk. Mapping the untagged traffic to each VLAN will be sufficient to achieve the segregation between the penultimate hop router and perimeter...

Method 2 Layer 3 VPN Segregation with Layer 2 FWSM Multiple Context Mode

In Figure 23-7, routers RA and RB represent an MPLS domain for the enterprise WAN/campus, and RC represents another MPLS domain for the inside security domain. This design aims to achieve this dynamic communication using the FWSM in transparent mode. RA and RB are in the MPLS domain (LDP neighbors). OSPF is used on RA, RB, and the PFC for next-hop reachability. The VRFs custB and custA are transported through multiprotocol BGP (VPNv4) from RA to the PFC. At the PFC, each VRF is terminated and is...

Monitoring Access List Resources

When logging is enabled on an access control entry (ACE), a 106100 message is generated every time the ACE is hit (in this discussion the ACE is a deny entry). The FWSM tracks a maximum of 640,000 logging flows for ACEs. To avoid central processing unit (CPU) spikes from concurrent flows, the FWSM places a limit on deny flows; it does not limit permit flows. Deny flows can be exploited by a Denial of Service (DoS) attack, because every new denied source/destination pair creates a flow entry. Restricting the number of deny flows prevents unlimited consumption of...
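The three access-list types from Introducing Types of Access Lists, with logging and the deny-flow limits from this section, as an added example that is not from the book. The names, networks, levels and limits are assumptions; the web server address 192.168.1.7 is the one used elsewhere on this page.

```cisco
! Added example (not from the book). Names, networks and limits are
! assumptions.
!
! Standard ACL: matches destination prefixes only, so its use is route
! control (here: which static routes OSPF may redistribute)
FWSM(config)# access-list INSIDE-NETS standard permit 10.1.2.0 255.255.255.0
FWSM(config)# route-map STATIC-TO-OSPF permit 10
FWSM(config-route-map)# match ip address INSIDE-NETS
FWSM(config-route-map)# exit
FWSM(config)# router ospf 1
FWSM(config-router)# redistribute static route-map STATIC-TO-OSPF
FWSM(config-router)# exit
!
! Extended ACL: the traffic policy. The explicit deny is logged at
! level 4 with one 106100 message per flow every 300 s, not per packet.
FWSM(config)# access-list OUTSIDE-IN extended permit tcp any host 192.168.1.7 eq www
FWSM(config)# access-list OUTSIDE-IN extended deny ip any any log 4 interval 300
FWSM(config)# access-group OUTSIDE-IN in interface outside
!
! EtherType ACL (transparent mode only): let spanning-tree BPDUs through
! the bridge, drop every other non-IP EtherType
FWSM(config)# access-list NON-IP ethertype permit bpdu
FWSM(config)# access-list NON-IP ethertype deny any
FWSM(config)# access-group NON-IP in interface outside
!
! Each logged deny creates a flow entry. Cap how many may exist at once
! and how often the "limit reached" alert (106101) may repeat, so that a
! flood from spoofed sources cannot exhaust memory or the CPU.
FWSM(config)# access-list deny-flow-max 4096
FWSM(config)# access-list alert-interval 300
!
! Verification: hit counts per entry
FWSM# show access-list OUTSIDE-IN
```

A hit count that stops increasing while 106101 messages appear means the deny-flow cap is in force: denied packets are still dropped, but no longer individually logged, which is the intended trade-off under attack.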

Monitoring Analysis and Response System

The Monitoring Analysis and Response System (MARS) is an appliance-based threat-mitigation solution that provides the primary functions of rapid threat identification and mitigation, data correlation, and topology awareness. MARS has the capability to rapidly identify events through a receive process (push) and/or it can gather information (pull) from firewalls, such as the FWSM, IDS devices, switches, routers, and so on. The collection of Netflow and traffic analysis information also...

Multicast Stub Configuration

A multicast stub configuration does not participate in the PIM neighbor relationship; the device just passes the IGMP messages. In a Layer 3 network world, this type of stub configuration is common in routers connecting to satellite links. In this case, the IGMP messages pass through the satellite unidirectional link using an IGMP helper address configuration or an IGMP unidirectional link configuration in the IOS. The FWSM can also be configured in stub mode. In stub configuration, the FWSM will...

NAT Bypass

There may be situations where NAT is desirable for some hosts or applications and not for others, especially if NAT control has been enabled. There are three mechanisms to bypass the NAT function: NAT 0 or identity NAT, static identity NAT, and NAT exemptions. NAT 0 allows an individual real IP address or a range of real IP addresses to be translated to a lower-level interface without translating the IP address. Sound strange? This provides the capability to pass the NAT-control requirement but not...

NAT Control

The FWSM configured with an inbound access list will allow traffic to flow from a higher-level to a lower-level interface. To force the FWSM to NAT traffic flows between these interfaces and provide additional security, the NAT control feature can be used. It requires real IP addresses to use a NAT function when traversing the FWSM from a higher-level interface to a lower-level interface. Traffic between same-level interfaces is permitted without NAT, assuming the same-security-traffic permit...

Open Shortest Path First

This section gives a basic snapshot of the Open Shortest Path First (OSPF) Protocol and of configuring the OSPF Protocol on the FWSM. OSPF is a link-state routing protocol developed by the Internet Engineering Task Force (IETF). OSPF can operate within a hierarchy. An autonomous system (AS) is the largest entity within the hierarchy; it is a collection of networks under a common administration that share a common routing strategy. OSPF is an IGP routing protocol and uses the Dijkstra...

Optimizing ACL

Because memory space is a limited resource, and ACLs are the main contributor to the depletion of resources, the ACL optimization feature is a very welcome addition. As entries to access lists are added, removed, or modified, keeping track of all the changes and manually organizing them would be a management nightmare. Fortunately, the ACL optimization feature will review the existing ACLs and minimize the configuration, consequently saving memory resources. The configuration in Example 24-3...

Option 1 Symmetric Routing Through Firewalls

Make sure the routing flows through the desired symmetric architecture as shown in Figure 17-3 (Figure 17-3: Symmetric Routing Through Firewalls Without Redundancy). Based on the policy, the packet leaves the security domain. When the packet traverses back, the state is maintained in the FWSM, and the packet uses the same path to traverse back to a more secured security domain. In this example, the packet traverses through the Cat6k-1 and the...

Option 2 Firewall Redundancy and Routing Redundancy Symmetry

Figure 17-4 shows the failover capability of the firewall and the routing decision to follow the failover state of the firewall. This design has redundancy for the FWSM and Layer 3 portion of the network in each security domain. This is achieved by using the Layer 3 devices to point to the virtual IP address (VIP) of the active interface for a particular security domain. The FWSM points to the VIP address of the Hot Standby Router Protocol (HSRP) for the respective VLANs. In this case, the FWSM...

OSPF Design Example

As shown in Figure 9-4, in this example, the same OSPF process routes between the DMZ and the inside security domains. A separate OSPF process is used to route packets to the outside security domain. This example provides redistribution between the OSPF processes. The FWSM is in a single context routed mode. Note that only two OSPF processes can be configured in a single context routed mode. The configuration does not have MD5 enabled. It is a good practice to enable MD5 authentication. Example...

OUT2IN Policy Configuration

The OUT2IN policy configuration references the outside security domain. The incoming VLAN for packets has the PBR configured as shown. Step 1: Policy routing OUT2IN configuration.
route-map LB permit 10
 match ip address 1
 set ip next-hop 10.1.1.2
(This will be a virtual IP address of the FWSM, if redundancy is built.)
route-map LB permit 20
 match ip address 2
 set ip next-hop 10.1.1.3
This will be a virtual IP address of the FWSM, if...

Packet Classifier in FWSM Context Mode

One of the modes in which FWSM can be deployed is the shared outside interface mode. The outside interface is shared between multiple contexts. This translates to one interface for all the contexts in the outside security zone. The packet destined to the outside interface must traverse to a specific context, which has the state information built into it. The traffic is not allowed to traverse the FWSM context if no state information exists. This is for the packets flowing from the lower...

PIM Interface Modes

The PIM interface mode defines the functionality of the interface in the PIM protocol. There are three interface configuration modes for PIM. PIM Dense mode: The interface functions per the PIM Dense mode specification. Refer to the PIM Dense mode section in this chapter for functionality details. PIM Sparse mode: The interface functions per the PIM Sparse mode specification. You will need to configure the RP for multicast delivery. Refer to the PIM Sparse mode section in this chapter for functionality details. PIM...

Preventing Network Attacks

Whether the motivation for a network attack is monetary gain, revenge, or simply a challenge, it can potentially result in the same outcome if you are not prepared: Denial of Service (DoS). Having a security infrastructure that is well thought out will certainly minimize the impact of an attack. The FWSM plays a critical role in an overall network security solution, but other devices also should be incorporated within the infrastructure; these include network intrusion prevention systems...

Protecting Networks

Take an in-depth look at the resources you are trying to protect, and consider, from the attackers' perspective, how they may try to circumvent the security devices you currently have in place. To get a better idea of how to protect your network, consider these questions: What do I need to protect, and where are those resources located? Would attacks predominantly be from the outside, inside, or both? Besides a firewall, what other devices can I take advantage of? If I were going to attack this...

Protocol Independent Multicast

The multicast tree allows the multicast communication to be established between the source and the receiver. The multicast tree is built using protocol independent multicast (PIM). The communication to build the tree is not dependent on any protocol. It uses the routing protocol in the network to build the tree. Through this multicast tree, one-to-many or many-to-many communication is established. The following are the four modes of PIM. PIM Dense mode: The multicast source sends the traffic to...

PVLAN Configuration in FWSM

The PVLAN concept was introduced in FWSM from 3.x code version onward. It is important for the switch code to be above 12.2.18SXFx version to integrate the PVLAN concept with the FWSM. Here x defines the version number. The primary VLAN of the PVLAN should be configured in the FWSM. No other special VLAN configuration is needed for PVLANs at the FWSM. Using PVLANs achieves Layer 2 segregation. This can be used in smaller DMZ designs where the servers in the DMZ within a single subnet need...

References

RFC 742: NAME/FINGER Protocol
RFC 864: Character Generator Protocol
RFC 951: Bootstrap Protocol
RFC 1027: Using ARP to Implement Transparent Subnet Gateways
RFC 1157: Simple Network Management Protocol (SNMP)
RFC 1812: Requirements for IP Version 4 (IPv4)
RFC 3411: Simple Network Management Protocol (SNMP) Version 3
RFC 3418: Simple Network Management Protocol (SNMP) Version 2
RFC 2131: Dynamic Host Configuration Protocol (DHCP)

RIP in FWSM

The FWSM does not have a full implementation of RIP. It does not send RIP updates to the directly connected interfaces. The FWSM uses RIP in two modes. Passive RIP: The FWSM listens to the RIP updates from the neighbor but does not send RIP updates. This helps the FWSM to learn about networks that are not directly connected to it in a particular security domain. Default Route Updates: The FWSM sends a default route to the Layer 3 neighbors, which identifies the FWSM as the default route for the Layer 3...

Sample Configuration of Modular Policy in FWSM

The configuration in Example 11-1 adds a new user-defined classification and action to the existing global policy. This user-defined classification is represented in class maps TEST1 and TEST2. In class map TEST2, the TCP port range from 1 to 65535 is matched. The class map TEST1 matches the UDP port equivalent for SNMP. These two class maps are applied to the global policy and separate actions are specified for each of the classes. The global service policy inspects traffic at all interfaces....

Securing Access

To use Telnet or other management tools in a secure manner from a location outside the FWSM, an encrypted tunnel can be established from a client running the Cisco Virtual Private Network (VPN) client software to the VPN termination device, such as an Adaptive Security Appliance (ASA), Private Internet Exchange (PIX), Internetwork Operating System (IOS) router, or VPN concentrator. The connection provides encryption and authentication using Internet Protocol Security (IPsec). The FWSM...

Securing the 6500/7600 Host Chassis

The following section is intended to give you an overview of the features that need to be deployed to ensure a secure infrastructure. It is beyond the scope of this book to provide an in-depth understanding of each feature. You should refer to the appropriate switch/router documentation for specific details. The National Security Agency (NSA) has a guide to securing routers that would be a good place to start (http://www.nsa.gov/snac/routers/cisco_scg-1.1b.pdf). You can secure the host-chassis in...

Shunning Attackers

After you have determined the source of the attack and that it is truly the attacker and not an attacker spoofing a legitimate source, the shun command is a handy option that will block any current or future connections based on the source IP address or the source IP address and port to the destination IP address and port number. Use caution when implementing the shun command, because you may cause a DoS to valid traffic. In multiple-context mode, the shun command can be configured in the admin...

Summary

This chapter covers the basics of IPv6 and the FWSM support for IPv6. The main change brought by IPv6 is a much larger address space that allows greater flexibility in assigning addresses. The FWSM has dual stacks, which means IPv4 and IPv6 configurations can coexist. In FWSM, the IPv6 features and forwarding are software based. After reading this chapter, you will know how to configure IPv6 in FWSM.

Supporting Asymmetric Routing in FWSM

The FWSM supports asymmetric traffic flow from the 3.x code version and later. The previous section covers the problems caused by routing while introducing firewalls in asymmetric routing and gives a solution with and without redundancy to avoid these problems in the network. The solution aligns the firewalls with the Layer 3 network to avoid asymmetric routing issues. Asymmetric routing problems can occur when traffic flows between multiple security domains and these security domains are...

Supporting Virtualized Networks

Many organizations have realized the benefits of traffic separation or network virtualization through the use of multiprotocol label switching (MPLS), multiple virtual routing and forwarding (multi-VRF), multitopology routing (MTR), virtual private LAN services (VPLS), and so on. These technologies leverage a single physical infrastructure while providing a logical mechanism for traffic separation. Rather than installing a unique physical firewall per virtual network, you can configure the FWSM...

Traffic Flow

Access lists (EtherType and extended) and authentication, authorization, and accounting (AAA) control what traffic is initially allowed to flow through the FWSM. Network Address Translation (NAT) translates IP addresses, and application layer protocol inspection inspects the traffic. Consider the topology shown in Figure 3-4 (Figure 3-4: Transparent Mode Example 1). Example 3-1 shows the (nondefault) simple configuration for the FWSM. Example 3-1: ACL Example from Inside to Outside Using Transparent...

Troubleshooting Flow Issues

It is good practice to ensure that the connectivity check is done before troubleshooting the flow issues, so that you have a general baseline to work from. Figure 21-1 shows a logical flowchart of how to troubleshoot the FWSM (Figure 21-1: Logical Flowchart to Troubleshoot the FWSM). Figure 21-2 shows an example of a sniffer capture that can be analyzed for flow or TCP timeout issues (Figure 21-2: Sniffer Capture for a Packet Flow). Figure 21-2 Sniffer Capture...

Type 1 Configuring Single Context Routed Mode

This section covers the configuration of a single context routed mode. There are three main steps for configuring a single context routed mode in the FWSM. These are sequential steps that must be followed in the same order. Step 1: Configuring the PFC. This step covers the configuration of the switch in relation to the FWSM configuration. The following command is used to enable multiple SVIs in relation to the FWSM. This command is needed only if VLAN 9 and VLAN 10 have SVI interfaces in the PFC. If...

Types of Firewalls

By definition, a firewall is a single device used to enforce security policies within a network or between networks by controlling traffic flows. The Firewall Services Module (FWSM) is a very capable device that can be used to enforce those security policies. The FWSM was developed as a module or blade that resides in either a Catalyst 6500 series chassis or a 7600 series router chassis. The tight integration with a chassis offers increased flexibility, especially with network virtualization...

Understanding Access Control Entry

Access control entries (ACEs) are defined in hardware for access list entries. An access list can be made up of one or more ACEs defined in the hardware. For each access list defined, each ACE is appended directly unless a line number is specified. The order of the ACEs is very important. When a packet arrives, the FWSM checks the packet against each ACE in order to determine whether the packet can pass through. If deny all is configured at the beginning of the order, all the packets will be denied...

Understanding Application Protocol Inspection

Application protocol inspection provides three primary functions. It validates control traffic flows and/or verifies RFC compliance. It monitors sessions for embedded IP addressing in the data portion of the packet. It examines session information for secondary channels. Validation of control traffic flows may occur with protocols such as Extended Simple Mail Transfer Protocol (ESMTP), where you want to allow only specific commands, such as DATA, HELO, QUIT, and so on. An example of RFC...

Understanding Classification of Traffic

The traffic can be classified into multiple classes (as configured). On these classes, you can perform specific actions. A class map identifies the traffic that needs a selective action. In the FWSM, by default 255 class maps are allowed in single or multiple context mode. Creating class maps is a two-step process. Step 1: FWSM(config)# class-map class_map_name. Step 2: This step defines the traffic that is classified in a class map. This can be done using any of the following methods. Access list: An...

Understanding Connection Limits and Timeouts

The FWSM maintains information about all connections attempting to be established and all established sessions. When a client tries to make a TCP or UDP connection to a server through the FWSM, the FWSM tracks the state of the session. TCP session establishment requires that the client send an initial packet to the server with the Synchronize Sequence Number (SYN) flag set in the IP header and an Initial Sequence Number (ISN). The server responds with the SYN and acknowledgment (ACK) flags set...

Understanding Contexts

A context on a Firewall Services Module (FWSM) is analogous to a virtual machine in VMware or to a switch that supports multiple VLANs. Although you are using the same physical hardware, you can logically separate the firewall functionality into unique instances. This is also known as virtualization. Each context has a unique set of interfaces, rules, and/or policies applied. Mixed mode contexts are also allowed, which enables the support of transparent and routed mode contexts simultaneously....

Understanding Default Policy

The default policy map classifies and inspects the traffic for the following applications. The default policy enabled in the FWSM is called the global policy, and it is applied to all the interfaces unless you have a user-configured policy map configured and applied to an interface. Using the show running-config command, the global policy can be seen as a default configuration:
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect...

Understanding Fallback Support

Configuration practice dictates having fallback support for all AAA configurations on FWSM. The fallback support helps when the external server is not reachable. In this case, the user will not be able to access the FWSM or AAA functionality for other service types. With the fallback method, the last resort for the user to get access to the FWSM is at the local database of the FWSM. For external server redundancy, you can have more than one external server. More servers can be configured in the...

Understanding IPv6 Packet Header

An IPv6 address has 8 octets of 16 bits each, separated by colons (:). In IPv4, 4 octets are separated by periods (.). IPv6 specifications are defined in RFC 2460. Figure 19-1 illustrates the header of an IPv6 packet. Table 19-1: IPv6 Header Field Description. 4-bit Internet Protocol version number (6). 8-bit traffic class field; this is similar to the IPv4 TOS bits. A 24-bit field is used to identify the flow of IPv6 packets. The flow in IPv4 is identified by...

Understanding Object Groups

Object groups allow the administrator to build access lists based on a grouping that identifies the common use of a policy. With object grouping, you can classify elements of an access list in a group and can have multiple elements referenced in separate groups. These groups can be referenced in the access list for defining the security policy. The grouping can be done based on the following criteria. The object group can be used with an extended access list statement. The resource limit of ACE...

Understanding the Interaction Between the Host Chassis and the FWSM

With the integration of the FWSM in a host chassis, it becomes imperative to secure the host device. This is because the delineation of interfaces on the FWSM is associated with the virtual local-area network (VLAN) interfaces of the switch. The separation is logical, not physical. If a misconfiguration occurs on the switch, traffic from a less secure interface (outside) may have uninhibited access to a more secure interface (inside). For this reason, you must consider the switch configuration...

Using Modular Policy in FWSM

Modular policy is used in the FWSM similarly to IOS quality of service (QoS). The configuration of modular policy is a three-step process (see Figure 11-1). Step 2: Define actions for the classified traffic. Figure 11-1: Description of Modular Policy; Direction in Which the Service Policy Is Applied to the Interface. In the FWSM, you can use the same concept of modular policy for inspection of protocols and TCP connection timeouts. TCP...