
AAA Overview

In access control, the administrator controls the user's access into the node, controls what the user can access in the node, and monitors the actions the user takes in the node. Authentication, authorization, and accounting (AAA) is a framework through which you can achieve this control over access to the node. It is important to understand each component of AAA and its uses. This type of access to the network security nodes and to the resources in the node gives a profile to the user. Each...

Access Control Lists

Access control lists (ACLs) filter traffic for a particular function. The function can be to deny or permit the traffic, to classify the traffic for network address translation (NAT), or to assign the traffic to a particular queue based on quality of service (QoS). ACLs are used in Cisco IOS and firewalls to filter traffic. On a Firewall Services Module (FWSM), the security rules that permit or deny networks or users are defined by an ACL. The FWSM does not allow any traffic unless it is specified (this is...

ACE Design for Firewall Load Balancing

The dual ACE solution will be able to provide 10 Gbps throughput for firewall load balancing, and the multiple FWSMs have to match this throughput. Figure 18-4 shows a high-level design of firewall load balancing using ACE. [Figure 18-4 panels: Single Context Dual ACE Solution; Single ACE Multiple Context Solution; trunk EtherChannel (FWSM/CSM); state and failover VLANs, VLAN 11 and VLAN 12] In this case, VLAN 13 is the client side...

Adding a Context

Now that the admin-context has been created and a way exists to administer the FWSM directly, additional contexts can be added. Each new context will now have the benefit of unique policies associated with it to control the flow of traffic, besides being able to be managed individually. New contexts are added with the following commands:
    FWSM(config-ctx)# allocate-interface vlan name_of_interface
    FWSM(config-ctx)# allocate-interface vlan name_of_interface
    FWSM(config-ctx)# config-url location_of_file...

Adding and Removing Contexts

The first step in adding contexts is to configure the FWSM for multiple-context mode using the following command. The FWSM responds with:
    WARNING: This command will change the behavior of the device
    WARNING: This command will initiate a Reboot
    Proceed with change mode? [confirm]
If you have a configuration worth saving, be sure to create a backup. The number of security contexts is based on the license key. To verify the number of supported contexts on the FWSM, use the following command. Look for the line that indicates the...

Additional Support for Simple Network Management Protocol Management Information Base

Simple Network Management Protocol (SNMP) is used to get specific information from a device or to send it information for the purposes of configuration changes. Because the FWSM is a security device, you cannot send it information, but you can gather information for keeping track of interface statistics, packet counts, and so on. There have been two additions to the Management Information Base (MIB): ACL entries and hit counters, located under CISCO-IP-PROTOCOL-FILTER-MIB, and Address Resolution...

Advantages

The two primary advantages of using routed mode are the capability to support multiple interfaces and the capability to route between those interfaces. As shown previously in Figure 3-8, multiple interfaces provide the capability to connect multiple networks at Layer 3 and apply security policies that permit or deny particular traffic flows. With the FWSM configured as a device supporting dynamic routing, routing updates can be exchanged dynamically between devices on multiple subnets. In the...

Assessing Issues Logically

It is important for the troubleshooter to understand the issue and picture the logical design of which the FWSM is a part. Follow these steps to identify and understand the problem:
Step 1 Define the problem. It is very important to get the definition from the technical side and the user impact.
  (b) Identify one stream with source and destination.
  (c) Verify whether all the packets are flowing through the FWSM, whether any one particular flow is impacted, or whether a few applications are impacted.
  (d)...

Asymmetric Routing

This chapter provides an overview of asymmetric routing prevalent in the enterprise network. You will learn how the placement of a firewall in a network breaks an asymmetric flow. This chapter also includes designs for symmetric routing with firewalls and covers the FWSM feature that supports asymmetric routing. In asymmetric routing, the packet traverses from a source to a destination in one path and takes a different path when it returns to the source. Asymmetric routing is not a problem by...

Asymmetric Routing Support in Active Standby Mode

For the network topology shown in Figure 17-5, the configuration for the outside interface of security context A and security context B will have ASR group 1 (it will belong in the same ASR group) enabled. The packet arrives at the outside interface of context B. Because the ASR group is the same for the two outside interfaces of contexts A and B, the packet will get redirected to context A's outside interface from context B's outside interface. The packet then flows through context A to reach...

Asymmetric Routing Without a Firewall

Figure 17-1 shows asymmetric routing without firewalls in the path from a source to a destination. The source is in the 10.1.1.0 subnet, with source IP address 10.1.1.100. The destination for the packet flow is 11.1.1.100. Flow 1 depicts the flow from the source to the destination. The host 11.1.1.100 receives the communication and transmits it back to the source 10.1.1.100 (in the 10.1.1.0 subnet). In the return path, R1 routes the packet to R3. Note that the packet should have been forwarded to R2...

Asymmetric Traffic Flow in a Firewall Environment

In Figure 17-2, two FWSMs (firewalls) are added, one in each Catalyst 6500 chassis. The asymmetric traffic flow is from the 10.1.1.0 subnet to host 11.1.1.100. Figure 17-2 FWSM and Asymmetric Routing. Based on the policy, the packet leaves the security domain. When the packet reaches FWSM 2, FWSM 2 checks the state information for communication between the two security domains. FWSM 2...

Being Mindful of Environmental Considerations

Although not directly related to security, proper heating, cooling, air cleanliness, and conditioned power play a significant role in the availability of the equipment. If the equipment is not working because of the environment, then there is no need to worry about good security. For more information on some of the environmental considerations for the FWSM and the appropriate documentation for the host-chassis, see Chapter 2. Be certain that the equipment operates well within the listed...

Changing Between Contexts

Changing between contexts is a very simple process. The changeto command has two options: changing to the system execution space, using the following command, or changing to a user-defined context, including the admin-context, with the following command (the context name is case sensitive). To change between contexts, you must have initially connected to the admin context or the system execution space from the switch. If command authorization has been configured on the target context and adequate...

Comparing Security Protocols

The two prominent security protocols used in the industry are RADIUS and TACACS+. RADIUS is defined in RFC 2865 and TACACS+ is defined in RFC 1492. RADIUS uses User Datagram Protocol (UDP), whereas TACACS+ uses Transmission Control Protocol (TCP). As you may know, TCP offers a reliable connection, which is not offered in RADIUS. RADIUS offers some level of reliability but lacks the built-in reliability available in TCP as used by TACACS+. Also note that RADIUS encrypts only passwords in the...

Configuring Access Lists

The syntax for the access list is similar to IPv4:
    FWSM(config)# ipv6 access-list id line num permit | deny protocol source src_port destination dst_port
For ICMP traffic, the access list needs to have ICMP specified. The details of the fields used in IPv6 are as follows:
id: The name of the access list. This is similar to the IPv4 access list. This field is referenced in the IP access group command.
line num: When adding an entry to an access list, this field specifies the order in which the entry...

Configuring ActiveX and Java

ActiveX controls and Java applets are similar in functionality, but the ActiveX control has additional capabilities because it can run with the same privileges as the user running the application. With either of these technologies, a potential risk for malicious use always exists. Because the FWSM has the capability of removing ActiveX objects and/or Java applets contained within HTTP traffic, you have options. Filtering ActiveX replaces the object and applet tags with comments. The filter...

Configuring ARP

Address Resolution Protocol (ARP) is a mechanism to find a device's hardware (MAC) address from the IP address of the device. When these devices are on the same subnet (excluding proxy-ARP) and need to communicate using IP, each of them must know the other's MAC address. With this information, the devices have the capability to communicate. From a security perspective, malicious attackers can exploit ARP by sending an unsolicited ARP or gratuitous ARP to devices within the same...

Configuring Connection Limits

The number of connections allowed to a particular host or service can be controlled by using either static NAT or the modular policy framework configuration. As described in Chapter 11, Modular Policy, the modular policy framework is a method used to classify traffic and perform actions based on that specific traffic. In this section, the modular policy framework will be used to control connection limits. Static NAT has the capability to control the maximum number of...

Configuring EIGRP

EIGRP has been a long-awaited feature for the Firewall Services Module (FWSM). With EIGRP support, the FWSM can be integrated into an existing EIGRP network, minimizing the need to redistribute routing information into other routing protocols. This reduces the complexity of managing multiple routing processes and simplifies the network design, especially within the datacenter. Redistribution of routes between routing protocols can be difficult because each routing protocol exercises different...

Configuring FWSM

The FWSM has both IPv4 and IPv6 configured on the inside and outside security interfaces. Example 19-1 shows the FWSM configuration.
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    ! configure the interface with IPv6 address and suppress RA message
    interface Vlan10
     nameif outside
     security-level 0
     ip address 10.1.1.2 255.255.255.0
     ipv6 address 3ffe:500:10:1::2/64
     ipv6 nd suppress-ra
    ! configure the interface with IPv6 address and suppress RA message
    interface Vlan11
     nameif inside
     security-level 100...

Configuring IPv6 in FWSM

In Figure 19-2, the FWSM is configured for IPv4 and IPv6. The FWSM is configured in single context routed mode. The outside interface is VLAN 10 and the inside interface is VLAN 11. In the policy feature card (PFC), IPv4 and IPv6 static routes are defined for networks at the inside security zone of the FWSM, pointing to VLAN 10 at the outside interface address of the FWSM. The static route for IPv4 will point to the IPv4 address and the static route for IPv6 will point to the IPv6 address. From...

Configuring IPv6 Timers in FWSM

Table 19-2 describes the various timers that can be configured for IPv6 while configuring the FWSM.
Table 19-2 The Features and Syntax for IPv6 Support in FWSM
Neighbor solicitation message interval: This configures the time interval between IPv6 neighbor solicitation messages. The value argument ranges from 1000 to 3,600,000 milliseconds. The default value is 1000 milliseconds. This command is used when an interface is configured to...

Configuring PFC Layer 3 Device on the Outside Security Domain

Follow these steps to configure the PFC:
Step 2 Configure the interface that connects to the outside interface of the FWSM.
    ip address 10.1.1.1 255.255.255.0
    ipv6 address 3FFE:500:10:1::1/64
Step 3 Configure a static route for IPv6.
    ipv6 route 3FFE:400::/32 3ffe:500:10:1::2
Note that the inside IPv6 prefix is 3FFE:400::/32 and the FWSM outside interface address is 3FFE:500:10:1::2.

Configuring Poll Intervals

The FWSM monitors unit and interface health for failover through hellos. The hello timer can be tuned, both for the unit and for the interface. Decreasing the timer makes failure detection faster. The poll interval can be configured using the FWSM CLI with the following command. To change the interface polling time, issue the following command in global configuration mode. The default poll interval for failover is 15 seconds and is used for both unit and interface health...

Configuring PVLAN

The FWSM should have a 3.x code version or the preceding code, and the switch should have the 12.2.18 SXFx version or the preceding code. Figure 23-10 shows the configuration of the FWSM with PVLANs. [Figure 23-10 Configuration of FWSM with PVLANs: Isolated VLAN 12, Community VLAN 13] VLAN 10 is the outside interface of the FWSM. VLAN 11 is the inside VLAN for the FWSM. It is also the...

Configuring Route Health Injection

The FWSM has limited support for dynamic routing protocols when using multiple-context mode. Route Health Injection (RHI) has the capability of propagating routing information from individual contexts in routed mode, including static routes, connected networks, and Network Address Translation (NAT) pools, into the routing engine on the host-chassis. Because RHI has such a tight integration with the routing engine, the minimum image needed on the Supervisor 720 and/or Supervisor 32 is...

Configuring Routing Protocols

This chapter gives a snapshot of routing protocol concepts and their support on the Firewall Services Module (FWSM). It also covers configuration of each routing protocol on the FWSM with design examples. Packet flow to and from the firewall depends on the routing of the packets from one security domain to the other. It is important to have symmetry in routing between the firewall and the Layer 3 device in each security domain. This helps in aligning and placing the firewalls at various...

Configuring Service Policy

After configuring classification of the traffic and the action on the classified traffic, the policy map is activated through the service-policy command. This command can be applied globally, which applies to all interfaces, or to a single interface. A per-interface service policy takes precedence over the global policy map. Applying the service-policy command with the policy map is a single-step process. When the service policy is applied globally, the actions will be applicable to all the...

Configuring the FWSM

This chapter takes you through the steps needed to configure the Firewall Services Module (FWSM). This chapter also covers the different FWSM mode configurations routed, transparent, single context, and multiple contexts. The FWSM is an inline module in the switch chassis. To configure the FWSM, switch configuration is a necessity because it relates the switch to the FWSM. The configuration of FWSM covers the details of firewall rules, policy, redundancy, and so on. The configuration of the...

Configuring the PFC

Follow these steps to configure Layer 3 segregation with multiple security domains on a single PFC. This configuration represents the PFC in Figure 23-2.
Step 1 Define a VRF for each security domain.
     route-target export 1:110
     route-target import 1:110
    ip vrf out
     rd 1:1
     route-target export 1:101
     route-target import 1:101
Step 2 VLAN configuration on the switch.
    6504-E-1# show run interface vlan 10
    Building configuration...
    Current configuration : 82 bytes
    interface Vlan10
     ip vrf forwarding out
     ip address...

Configuring Timeouts

Two mechanisms control connection limits and timeouts: global configuration parameters and the modular policy framework. The modular policy framework, discussed in the previous section, provides a very granular approach to how connection limits and timeouts are controlled. The other option is to use global timeout parameters. These are specific to a particular protocol and can be configured using the timeout command in configuration mode. The following idle time parameters are configured using the timeout...

Connectivity Test of a Flow at the FWSM

Follow these steps to troubleshoot basic connectivity to the FWSM:
Step 1 Make sure the ping is successful from the inside next hop of the FWSM to the inside interface, and do the same from the other security zones.
Step 2 Make sure that from the FWSM you are able to ping all the next hop addresses of the physical interfaces on the FWSM and of the static routes.
Step 3 Based on the security policy, ping from the next hop of the inside interface to the next hop of the outside interface in...

Context Configurations

A context has the configuration of the security policy for a specific security domain in the firewall. Administrators can configure all options as a standalone device. A context will have interfaces (VLANs), and each interface is in a security zone based on the rule set. A context is like a physical firewall with separate interfaces and separate security policy in a virtual environment. In the FWSM, in multiple context mode, you can have multiple contexts with different firewall...

Controlling Access Using Port Based Security

Vendors, partners, consultants, employees, and so on bringing in unauthorized devices might need access to resources on your network or want to use your network as a transit to the Internet. These individuals may not always be inclined to ask permission before making a connection to your network. If they have an opportunity to connect, there is a potential to spread malicious software (malware), either intentionally or unintentionally, and/or an opportunity for other harmful activities....

Controlling Management Access

Methods for accessing the FWSM include Telnet, Secure Shell (SSH), direct console access, access from the host-chassis, and Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). If someone with malicious intent were to gain access to the FWSM using any of these methods, they could potentially gain unfiltered access to resources within your network. Access methods need to be highly controlled. This becomes even more significant when numerous individuals are accessing the same...

Controlling Physical Access

Anyone with physical access to the equipment has the ability to quickly perform a Denial of Service (DoS) attack by turning off the power, moving cables, removing line cards, and so on. It is critical to deny access to individuals who cannot be trusted to behave appropriately. Equipment can be protected inside locked cabinets and equipment rooms with access controlled by badge readers or keys, and by securing physical cabling within conduit. Other mechanisms that may deter inappropriate...

Controlling Spanning Tree

Spanning tree is a Layer 2 protocol used to prevent loops within the network. Several flavors of spanning tree exhibit different characteristics and require special attention. The use of spanning tree as a method for high availability is a controversial issue, but years of experience troubleshooting spanning-tree problems and the difficulties associated with it have shown that it is best to avoid using spanning tree as a mechanism for failover, especially given the complexities of running Per...

Creating Redundancy in the FWSM

The two types of redundancy modes in the FWSM are as follows. The sections that follow cover the two modes in detail. The firewall has an active unit and a nonactive unit. The active unit is called the primary firewall and the nonactive unit is called the secondary firewall. These two FWSM modules are symmetric to each other. All the traffic passes through the primary module and does not pass through the secondary module. The two symmetric modules can be in the same chassis or in a redundant...

Data Center Environment with the FWSM

The concepts covered in the previous sections change the perspective of the design principles for designing a data center. This brings the concept of virtualization through Layer 3 VPNs and the FWSM used together as a design solution. In an enterprise customer environment, the current trend is consolidation of network infrastructure primarily to have reductions in the total cost of operation. Consolidation of the wide-area network (WAN) infrastructure is accomplished using Layer 3 VPNs. This...

Default Routes

A default route is a gateway of last resort, used when no other more specific route exists in the routing table. It is configured with 0.0.0.0/0 representing the network address and a valid Layer 3 next hop address. You can define a maximum of three default routes in the same security domain. If multiple default routes exist, the traffic is distributed based on the specified gateways. To configure a default route, enter the following command:
    hostname(config)# route if_name 0.0.0.0 0.0.0.0...

Defining Policy Maps

To take action on the classified traffic, a policy map is used with a service policy statement. Multiple class maps are defined in a policy map. In a policy map, you can have actions for each class map. In this way, through policy map, multiple actions can be defined for the traffic flow. The packet can match only one feature type, and the subsequent action by FWSM will be performed in a class map. A packet can match one feature type of TCP connection or other feature type of application...

Design Principle for Monitoring Interfaces

To enable a complete failover solution, you need a monitor command on all the interfaces, in all contexts. The monitor command in FWSM in multiple context mode needs to follow the network symmetry. There are also scenarios where monitoring of all interfaces may cause failover issues, if the FWSM failover concept is not symmetric to the network. In certain deployments of multiple context mode, the interfaces across all the contexts in the primary and secondary FWSMs situated in two separate...

Design Requirements for Firewall Load Balancing

Some of the design criteria to be considered for firewall load balancing are as follows:
Business need for a firewall load-balancing solution: Based on the reasons shown in the previous section, you need to define and determine the need for a firewall load-balancing solution and then design or deploy it.
Application requirements: It is important to understand the application requirements to select a load-balancing solution. The two key types of application requirements are server location and...

Design Scenario 1 for PVLAN in FWSM

In this scenario, as shown in Figure 23-8, the FWSM is in single context routed mode. The inside interface of the FWSM is in VLAN 11. VLAN 11 is primary for the PVLAN (promiscuous mode). VLAN 12 and VLAN 13 are isolated VLANs. The hosts in VLAN 12 and VLAN 13 do not communicate with each other. This results in isolation of the traffic between the two hosts. VLAN 12 and VLAN 13 communicate with the host in VLAN 10 or the outside security domain through VLAN 11. The FWSM will need to have VLAN 11...

Design Scenario 2 for PVLAN in FWSM

In this scenario, as shown in Figure 23-9, the FWSM is in single context routed mode. VLAN 11 is the primary VLAN. VLAN 12 is an isolated VLAN and communicates only with the primary VLAN 11. VLAN 13 is defined as a PVLAN community and has two hosts. These two hosts, HOST B and HOST C, can communicate with each other through the switch. [Figure 23-9 panels: Isolated VLAN 12, Community VLAN 13] The following points represent the communication in...

Design Scenarios

This chapter covers advanced design concepts using multiple features of the FWSM and other networking technologies. These design scenarios help increase the availability and redundancy of the FWSM aligned with the network environment. NOTE: The features of network virtualization with Layer 3 VPN technology are not covered in this chapter. The reader should know the concept of Layer 3 VPNs and routing protocols prior to reading this chapter. Network virtualization is an efficient utilization of...

Designing a Network Infrastructure

Designing a network infrastructure is one of those topics that is subject to opinion. Previous experience, comfort level with different technologies, and feature likes and dislikes will all play a part in the outcome of a design. Although many solutions may exist, the ultimate goal is a reliable, manageable, cost-effective infrastructure that meets or exceeds the requirements of the project. A very important aspect of designing, not only with the Firewall Services Module (FWSM) but with all...

Determining Deployment Options

After collecting and compiling the information from Step 1, Step 2 is to determine the deployment options. Should the FWSM be in single-context mode? If a single organization maintains control over the FWSM and logical separation of multiple firewalls is not required, the answer could be yes. Another benefit of single-context mode is a greater rule limit. Refer to Chapter 2, Overview of the Firewall Services Module, for details. Native multicast and routing protocols are also supported in...

Determining Design Considerations

In the process of a network design, the first step is to determine exactly what you are attempting to accomplish and document that information. Yes, this should go without mentioning, but most people miss the documentation part. Why is the documentation so important? It sets expectations for all parties involved and minimizes any negative impact in your direction. This gives you documentation to refer to when scope creep becomes an issue, and it provides you with ammunition against the "You said...

Determining Placement

Step 3 is where or how to logically place the FWSM. Given the flexibility in the configuration of the host-chassis and the FWSM, you can choose from many deployment options. Single-context routed-mode (inside/outside): This option allows the FWSM to participate in the routing process and has the capability to support multiple interfaces. From a security perspective, having another process running creates additional vulnerabilities. Moving the routing process to the multilayer switch feature card...

Disabling Unnecessary Services

The following services may not be needed. Before you make any changes to a live network, be sure you know what the results will be. Cisco Discovery Protocol (CDP) is a Layer 2 protocol that is used to provide information about other CDP devices that are directly attached. It is a tremendous tool for troubleshooting but should be disabled on interfaces that have only host devices attached. Finger is used to gather information about users logged into a host and is rarely used on an IOS-based...

Disadvantages

The primary disadvantages of using routed mode are the following: Limited routing protocol choices exist when using multiple-context mode and single-routed mode. The configuration can become very complex. Multicast support is limited. If you plan to use multiple contexts, you can choose between static routes and BGP stub. Significant limitations to BGP stub exist (see Chapter 9, Configuring Routing Protocols, for details), and static routes do not have the capability to propagate routing changes...

Disadvantages of Multiple Contexts

With the previous section touting what an incredible device the FWSM is, you are probably ready to install several of them right now. If you can believe it, there are some limitations. These are throughput, being limited to 1 gigabit/sec per flow, and the reduction in allocation of resources, because they are now shared. Fortunately, these issues will be addressed, at least to some degree, in Chapter 24, FWSM 4.x Performance and Scalability Improvements, and Chapter 25, Understanding FWSM 4.x...

Documenting the Process

Documenting the process is one of the most important aspects of creating a network design because it provides a record of the requirements, the scope of the project, and so on. This document should be very clearly written to avoid ambiguity and will provide a foundation for the entire plan. The project documentation should contain information such as the following. What is the end goal? A general mission project statement needs to define what you are attempting to accomplish. This could be...

Dynamic Host Configuration Protocol Option

Option 82 provides location information from the Dynamic Host Configuration Protocol (DHCP) relay agent (in this case, the FWSM) to the DHCP server. This information can be used to differentiate DHCP clients, consequently offering distinctive services on a client basis. You can use two commands to enable DHCP relay. The first command specifies the DHCP server IP address and the interface where it is located. Optionally, the dhcprelay server ip_address command can be configured under the outgoing...

Dynamic NAT

With dynamic NAT, a pool of IP addresses is created using the global command. The FWSM then allocates these addresses to devices allowed to use the address pool. The benefit of using a pool is that real IP addresses will be translated to global IP addresses on a one-to-one basis. This provides the capability to support applications that require an individual IP address assignment and also allows for oversubscription of the pool. When a device with a real IP address initiates a connection, the...

Dynamic PAT

Dynamic Port Address Translation (PAT) is the process of NAT (changing the source address, destination address, or source and destination addresses of an IP packet) combined with changing the source port number, destination port number, or both the source and destination port numbers. PAT translates real inside addresses to a single outside address. This allows many users on the inside to access resources on the outside using only a single IP address, consequently reducing the number of...


Employing Additional Security Features

Autosecure is a good tool to set a baseline for securing the host-chassis. It will disable nonessential system services and enable some limited security best practices. NOTE: Be sure to review the configuration changes that Autosecure makes and augment it with other practices outlined in this chapter. The Cisco AutoSecure White Paper can be found at the following location: www.cisco.com. Service password encryption will encrypt most...

Examining IPv6 Address Types

IPv6 addressing architecture is defined in RFC 3513. The three types of IPv6 addresses in the RFC are the following:

Unicast: Communication is between a single source and a single receiver.
Multicast: Communication is between a single source and multiple receivers.
Anycast: Communication is between a single source and a group of receivers, where the destined traffic is forwarded to the nearest receiver (in the group) from the source.

The predefined scopes contained in one single IPv6 address are as...

Exploring Routed Mode

In routed mode, the FWSM acts like a Layer 3 device, and all the interfaces in the FWSM need to have an Internet Protocol (IP) address. The interfaces can be in any security zone: inside, outside, or demilitarized zone (DMZ). The firewall configuration is in routed mode and needs IP addresses and IP routing enabled on the interfaces. The routed mode can be in single context or multiple context mode. Figure 7-1 illustrates the high-level details of each mode.

Figure 7-1 High-Level Topology View...

Exploring Transparent Mode

The firewall is not seen as a Layer 3 hop. The FWSM has a Layer 2 adjacency with the next hop devices. The firewall can be referred to as a bump in the wire. The transparent firewall also facilitates the flow of IP and non-IP traffic. To place the firewall between two Layer 3 devices, no IP readdressing is required. It is also easy to establish routing protocol adjacencies through a transparent firewall. Likewise, protocols such as Hot Standby Routing Protocol (HSRP) or Virtual Router...

Firewall Configuration

This section covers the basic firewall configuration, which allows packets to pass through the FWSM. No special configuration is needed in the FWSM for configuring a load-balancing solution.

Step 1 MSFC configuration for FWSM. This covers the configuration of VLANs present in the FWSM.

firewall multiple-vlan-interfaces
firewall module 3 vlan-group 3
firewall module 4 vlan-group 3
firewall vlan-group 3 10,11

Make sure VLAN 10 and VLAN 11 are configured in the switch database. VLAN 11 does not...

Firewall Load Balancing

Firewall load balancing is commonly seen in data centers or Internet architecture of e-commerce networks, where there is a high volume of traffic traversing the firewall infrastructure. With firewall load balancing, multiple firewalls can be referenced by a single IP address defined in a load balancer. The load balancer can distribute the traffic load among firewalls, or multiple virtual IP addresses (VIP) in a load balancer can reference firewalls for different traffic profiles, to give...

Firewall Load Balancing Configuration Example

Figure 18-7 gives an example of load balancing through policy-based routing. The traffic sourced from the 172.16.1.1 client to the 10.2.100.1 server will pass through FWSM1, using the OUT2IN policy. The return path from the 10.2.100.1 server will be load balanced by the IN2OUT policy and will pass through FWSM1 back to the 172.16.1.1 client. This defines a complete session flow.

Figure 18-7 High-Level Explanation of Firewall Load Balancing Using PBR...

Firewall Load Balancing Using the Application Control Engine

The application control engine (ACE) is the new load balancer from Cisco. The ACE can offer a maximum throughput of 16 Gbps and 350,000 connections per second. It is another load balancer that you can use for greater throughput when load balancing a firewall. ACE also supports virtualization similar to the FWSM. Instead of using a separate outside load balancer and inside load balancer, you can use a single ACE for both the outside and inside load-balancing roles through virtualization. This is achieved...

Firewall Load Balancing with Content Switch Module

The content switch module (CSM) is a load-balancing product from Cisco, implemented as an inline module in the 7600 or 6500 devices. Its architecture can support 165,000 connections per second and 1 million concurrent connections. When you're designing the solution with a CSM, interfaces defined in the FWSM should have their next hop address defined at the CSM. The common subnet between the firewall and the CSM should not be defined in the multilayer switch feature card (MSFC) of the switch. The switch...

FWSM 4x Performance and Scalability Improvements

The release of the 4.x code train offers some major improvements in performance and scalability. Trusted Flow Acceleration allows flows to bypass the Firewall Services Module (FWSM), achieving line-rate performance. The combination of the FWSM along with the Programmable Intelligent Services Accelerator (PISA) adds a new level of traffic inspection. The change in memory provisioning for both partitions and rule allocation has greatly improved how resources can be divided. Access list...

FWSM Configuration

The configuration in Example 23-5 represents the FWSM in multiple context mode. Refer to Figure 23-4.

Example 23-5 Configuration of the System Context

FWSM Version 3.1(3)6 <system>
resource acl-partition 12
hostname FWSMB
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
class default
  limit-resource Mac-addresses 65535
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
  limit-resource All...

FWSM in the Datacenter

With the number of new applications that are being developed, the requirement to keep them secure and the expectation that they are always available can be difficult to accomplish. Having the flexibility to support these applications while providing uptime is paramount to providing services to your customers. The primary considerations for deploying an FWSM in the datacenter are throughput, flexibility, availability, and support for virtualization. Throughput requirements continue to grow as...

How Do I Recover Passwords

Password recovery is common in any device. In the FWSM, the maintenance partition password can be reset to default values. To reset the password to default values, use the following command:

FWSM# clear mp-passwd

Lockout situations can happen because of AAA settings. To reset the passwords and portions of the AAA configuration to the default values, use the following steps in the maintenance partition:

Step 1 Check the current application boot partition using this command:

Router# show...

How Do I Verify the Connectivity and Packet Flow Through the Firewall

The two useful commands that you can use for troubleshooting are debug and ping.

debug: Debug commands are a very useful troubleshooting tool. You should use debug commands very carefully during the troubleshooting process because these commands are assigned high priority in the CPU process and can render the system unusable. Recommended practice dictates using debug commands only if the problem is narrowed to a specific issue and if more information is required.

ping: To ping across the FWSM, it...

How Do You Verify Whether the Traffic Is Forwarded to a Particular Interface in the FWSM

To verify whether the traffic is forwarded to a particular interface in the FWSM, use the show access-list command, as shown in Example 21-1.

Example 21-1 show access-list Output Verifies Traffic Forwarding Information

Notice the hit count for the access list. If the packet hit count is not increasing, verify the access list entry or use the capture command to see whether the packet is seen in the FWSM. The capture command is very useful for troubleshooting connectivity-related issues. Using...

IGMP Protocol

IGMP messages are used to allow hosts to communicate with the first-hop Layer 3 router on a Layer 2 network, to receive multicast traffic. There are three IGMP versions: IGMPv1, IGMPv2, and IGMPv3.

IGMP Version 1

The two messages for IGMP version 1 (IGMPv1) are membership Queries and Reports. Queries are sent by the router to the All-Hosts 224.0.0.1 address. This is done to solicit a multicast group address for active members. Reports are sent by hosts wanting to receive traffic for a...

IN2OUT Policy Configuration

IN2OUT policy is configured on the Layer 3 device in Figure 18-7. VLAN 11 is the Layer 3 VLAN for the inside interfaces on both the FWSMs. The FWSMs are two separate units and are not in failover mode. The load-balancing technology will decide on the firewall to which the packet has to be forwarded. It is therefore very important to synchronize the inbound and outbound load-balancing policies to maintain the state of a flow through the firewall.

Step 1 Policy routing IN2OUT configuration....

Info

(Flowchart decision: Is this packet part of an existing session? YES.)

Packet-inspection firewalls are generally much faster than application firewalls because they are not required to host client applications. Most of the packet-inspection firewalls today also offer very good application or deep-packet inspection. This process allows the firewall to dig into the data portion of the packet and match on protocol compliance, scan for viruses, and so on, and still operate very quickly. A feature that is common among all...

Inspecting File Transfer Protocol

File Transfer Protocol (FTP) is a communication mechanism used to transfer data from one device to another using a command and control connection for the communication-specific commands and a data connection for the exchange of bulk information. FTP operates in active and passive modes. Using active mode, the client establishes a TCP connection to the host on port 21 (command and control), and the host connects to the client on a negotiated destination TCP port (data) sourcing from TCP port 20....

Inspecting Hypertext Transfer Protocol

Hypertext Transfer Protocol (HTTP) is a communication protocol used for the exchange of information (typically web pages) on the Internet or an intranet. The HTTP inspection engine can provide application inspection and control for the following:

Content protection and attack prevention: Enforces HTTP-specific parameters, such as URL, header, and cookie length, and so on.
Worm mitigation: Filters on HTTP encoding mechanisms, content type, non-ASCII characters, and so on.
Application access...

Interdomain Communication of Different Security Zones Through a Single FWSM

Interdomain communication between various security zones has become very common, especially when firewalls are integrated in the data center environment. Figure 23-4 illustrates a scenario in an enterprise network. The FWSM is configured for multiple context routed mode and VRF termination at the Layer 3 next hop to achieve zoning and routing segregations using the same device. In this scenario, consolidation is done when there is a requirement of a common security domain with multiple security...

Interface Configuration

You can configure IPv6 on an interface in multiple ways:

Autoconfig address: By issuing this command, autoconfiguration is enabled on the interface for the IPv6 address. It receives the IPv6 address from RA messages. A link-local address based on the extended unique identifier (EUI) interface ID is automatically generated by issuing the following command:

FWSMB(config-if)# ipv6 address autoconfig

After issuing this command, enter the show ipv6 interface command to verify the interface configured...

Introducing Types of Access Lists

This section covers the three major types of access lists. Each type of access list plays an important role in enabling the functionality of specific features in the FWSM. The three main types of access lists are as follows:

Standard access list: Standard access lists are used in commands to identify the destination IP addresses only. This is normally used in Open Shortest Path First (OSPF) protocol redistribution in the FWSM.

hostname(config)# access-list access_list_name standard deny | permit any |...

IP Version

IP version 6 (IPv6) has come to prominence because of the extensive use of the Internet. The current address format, IPv4, is predominantly deployed and extensively used throughout the world. When IPv4 was designed, Internet usage and growth to this extent was not predicted. The main feature of IPv6 that is driving adoption today is the larger address space: addresses in IPv6 are 128 bits long compared to 32 bits in IPv4. The 32 bits in IPv4 yield 2^32 (4,294,967,296) unique IP addresses. In IPv6, the...

J

In this example, it has been determined that an attack is coming from a device on the outside with an IP address of 192.168.1.23 to a web server on the services interface. From the admin context, the following command would be issued to deny traffic from 192.168.1.23 (any port) to the translated destination address of 192.168.1.7 (172.17.1.7) on port 80 (www) associated with the virtual local-area network (VLAN) 5 interface:

FWSM/admin# shun 192.168.1.23 192.168.1.7 0 80 vlan 5

Notice also that...

Leveraging Access Control Lists

Access Control Lists (ACL) provide an additional level of protection by limiting specific types of traffic. The three types of ACLs are as follows:

VLAN Access Control Lists (VACL) are Layer 2 ACLs applied to a VLAN to control MAC-layer, IP, and Internet Packet Exchange (IPX) traffic.
Routed-interface Access Control Lists (RACL) are traditional ACLs applied to a routed interface.
Port Access Control Lists (PACL) control ingress traffic on Layer 2 ports.

Although you would consider using ACLs...

Leveraging Control Plane Policing

Although both the 6500 and 7600 perform hardware-based forwarding, the first packet of a session is sent to the Route Processor (RP). If a significant number of new flows are being established, usually from malicious activity such as port scans or a DoS attack, the central processing unit (CPU) of the supervisor on the host-chassis can become overwhelmed. If this occurs, critical functions become impaired, and a loss of service occurs that may affect other devices in the network as well. These...

Leveraging the Hardware Investment

Rather than install a new firewall every time a new customer, department, agency, application, and so on is added, creating a new context is very simple and does not require any additional rack space. The footprint of a device is a huge concern in locations where customers lease space by the rack unit (RU). Multiple contexts do not require additional space. The green initiative is concerned with the impact on our environment. Reducing the amount of power consumed by leveraging multiple contexts...

M

MAC address authentication, 181
MAC entry configuration for ARP, 231
man-in-the-middle attacks, 229
MARS (Monitoring Analysis and Response System), 262
MD5 (Message Digest 5), 253
Media Gateway Control Protocol (MGCP), 30
memory allocation and partitioning, 458
MGCP (Media Gateway Control Protocol), 30
MIB (Management Information Base), 482
application engines, 187
default policy map, 190
description, 183
global policy configuration, 189
policy maps, 189
sample configuration, 191
service policy...

Managing and Monitoring the FWSM

You can choose from several options when managing or monitoring the Firewall Services Module (FWSM). Having a good understanding of the capabilities of each solution and how to use them to your best interest will make your job much easier. Although alternatives to the command-line interface (CLI) exist, and the CLI certainly may be more difficult to use, it is highly recommended to have a good understanding of how to manage, monitor, and troubleshoot the FWSM using the CLI. Because the CLI is the...

Method 1 Layer 3 VPN Segregation with Layer 3 FWSM Multiple Context Mode

The design has three logical blocks. These logical blocks are explained as follows:

Penultimate Hop Router: This router removes the MPLS labels, in case MPLS Layer 3 VPNs are used for traffic segregation. This router maps VRFs based on VLANs and communicates with the perimeter router. The traffic of each VRF will flow through the VLANs in the individual trunk. Mapping the untagged traffic to each VLAN will be sufficient to achieve the segregation between the penultimate hop router and perimeter...

Method 2 Layer 3 VPN Segregation with Layer 2 FWSM Multiple Context Mode

In Figure 23-7, the routers RB and RA represent an MPLS domain for the enterprise WAN campus, and RC represents another MPLS domain for the inside security domain. This design aims to achieve this dynamic communication using the FWSM in transparent mode. RA and RB are in the MPLS domain (LDP neighbors). OSPF is used in RA, RB, and the PFC for next hop reachability. The VRFs custB and custA are transported through multiprotocol BGP (VPNv4) from RA to the PFC. At the PFC, each VRF is terminated and is...

Modular Policy

This chapter describes how to use and configure application inspection on the Firewall Services Module (FWSM) with modular policy. The FWSM mechanisms used for stateful application inspection enforce a secure use of services offered in the network. This chapter covers the following topics:

Components of modular policy
Configuration of modular policy
Understanding application engines

Modular policy is a three-step process: classification, policy map, and service policy. In the first step,...

Monitoring Access List Resources

When logging is enabled for an ACE, every time the ACE is hit (the ACE is used here to deny a network), a 106100 log message is created. The FWSM has a maximum of 640,000 flows for ACEs. To avoid central processing unit (CPU) spikes on concurrent flows, the FWSM places a limit on the deny flows. The FWSM does not place a limit on the permit flows. The deny flows can be exploited by a Denial of Service (DoS) attack. Restricting the number of deny flows prevents unlimited consumption of...

Monitoring Analysis and Response System

The Monitoring Analysis and Response System (MARS) is an appliance-based threat-mitigation solution that provides the primary functions of rapid threat identification and mitigation and data correlation, and offers topology awareness. MARS has the capability to rapidly identify events through a receive process (push), or it can gather information (pull) from firewalls, such as the FWSM, IDS devices, switches, routers, and so on. The collection of NetFlow and traffic analysis information also...

Monitoring Interfaces

The FWSM determines the health of the primary and secondary firewalls by monitoring the failover link. When a unit does not receive hello messages on the failover link, the unit sends an ARP request to all interfaces, including the failover interface. Interfaces in different security domains can also be monitored in the FWSM. In multiple context mode, use the monitor command to monitor interfaces in different contexts. The maximum number of monitored interfaces on the FWSM is 250, divided among...

Multicast Stub Configuration

Multicast stub configuration does not participate in the PIM neighbor relationship; the device just passes the IGMP messages. In a Layer 3 network world, this type of stub configuration is common in routers connecting to satellite links. In this case, the IGMP messages pass through the satellite unidirectional link using an IGMP helper address configuration or an IGMP unidirectional link configuration in the IOS. The FWSM can also be configured in stub mode. In stub configuration, the FWSM will...

Multiple Bridge Groups

An efficient way to leverage the FWSM is through the use of multiple bridge groups. Bridge groups are Layer 2 firewall instances within a context. A maximum of eight bridge groups are supported on the FWSM in single context mode. Each bridge group is unique, having an individual inside and outside bridged connection. Figure 3-6 illustrates multiple bridge groups.

Figure 3-6 Multiple Bridge Groups (each bridge group with its own outside VLAN and inside VLAN)...

N

NA (Neighbor Advertisement), 330
NAM (Network Analysis Module), 365
nameif command, 115
NAT (Network Address Translation)
  description, 13-14, 55
  disabling for non-NAT, 57
  dynamic NAT, 67
  NAT 0 or identity NAT, 68
  NAT bypass, 68
  NAT control, 67
  Static identity NAT, 68
  static NAT, 58
NBAR (Network-based Application Recognition), 453
NBMA (Non-Broadcast Multi-access) network type, 138
NDP (Neighbor Discovery Protocol), 329
nesting type of object grouping, 130
NetBIOS (Network Basic Input Output...

NAT Bypass

There may be situations where NAT is desirable for some hosts or applications and not for others, especially if NAT control has been enabled. There are three mechanisms to bypass the NAT function: NAT 0 or identity NAT, static identity NAT, and NAT exemptions. NAT 0 allows an individual or a range of real IP addresses to be translated to a lower-level interface without translating the IP address. Sound strange? This provides the capability to pass the NAT-control requirement but not...