Cisco Secure Firewall Services Module FWSM

Ray Blair, CCIE No. 7050; Arvind Durai, CCIE No. 7016

Cisco Press

800 East 96th Street

Indianapolis, IN 46240 USA

Cisco Secure Firewall Services Module (FWSM)

Ray Blair, Arvind Durai

Copyright© 2009 Cisco Systems, Inc.

Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America

First Printing September 2008

Library of Congress Cataloging-in-Publication Data:

Blair, Ray, 1965-

Cisco secure firewall services module (FWSM) / Ray Blair, Arvind Durai. p. cm.

ISBN-13: 978-1-58705-353-5 (pbk.) ISBN-10: 1-58705-353-5 (pbk.)

1. Computer networks—Security measures. 2. Firewalls (Computer security) 3. Cisco Systems, Inc. I. Durai, Arvind. II. Title. TK5105.59.B563 2009 005.8—dc22 2008030575

ISBN-13: 978-1-58705-353-5 ISBN-10: 1-58705-353-5

Warning and Disclaimer

This book is designed to provide information about the Firewall Services Module, using practical design examples. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales 1-800-382-3419 [email protected]

For sales outside the United States please contact:

International Sales [email protected]

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Development Editor: Dan Young
Senior Project Editor: Tonya Simpson
Copy Editor: Barbara Hacha
Technical Editors: Sunil Gul Wadwani, Bryan Osoro
Editorial Assistant: Vanessa Evans
Designer: Louisa Adair
Composition: Mark Shirar
Indexer: John Bickelhaupt
Proofreader: Kathy Ruiz

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0805R)

About the Authors

Ray Blair is a consulting systems architect and has been with Cisco Systems for more than eight years, working primarily on security and large network designs. He has 20 years of experience with designing, implementing, and maintaining networks that have included nearly all networking technologies. His first four years in the high-technology industry started with designing industrial computer systems for process monitoring. Mr. Blair maintains three Cisco Certified Internetwork Expert (CCIE) certifications in Routing and Switching, Security, and Service Provider. He also is a Certified Novell Engineer (CNE) and a Certified Information Systems Security Professional (CISSP).

Arvind Durai is an advanced services technical leader for Cisco Systems. His primary responsibility has been supporting major Cisco customers in the Enterprise sector, including the Financial, Manufacturing, E-commerce, State Government, and Health Care sectors. One of his focuses has been on security, and he has authored several white papers and design guides in various technologies. Mr. Durai maintains two Cisco Certified Internetwork Expert (CCIE) certifications, in Routing and Switching and in Security. Mr. Durai holds a Bachelor of Science degree in Electronics and Communication, a Master's degree in Electrical Engineering (MS), and a Master's degree in Business Administration (MBA).

About the Technical Reviewers

Sunil Wadwani, M.S., M.B.A., is a technical marketing engineer for the Security Technology Business Unit (STBU) at Cisco. Sunil is a 20-year veteran of the technology field with experience in the design, development, and provisioning of networking products. His career at Cisco began in 1992, when he was part of a design team developing the first version of the Cisco 7200 router. Sunil's primary responsibility today as a technical marketing engineer requires him to advise customers and sales engineers on some of the deployment aspects of security products such as VPN, firewall, and IPS. Sunil has an M.S. in Computer Engineering from the University of California, Irvine, and an M.B.A. from Santa Clara University. He lives in Saratoga, California, with his wife Shalini and two sons, Shiv and Kunal.

Bryan Osoro, CCIE No. 8548, is a systems engineer with Cisco and has covered the small/medium business, large enterprise, and some service provider networks in the Pacific Northwest for the past five years. He also has spent time working in the TAC organization supporting a variety of technologies, including the PIX and VPN security devices. Mr. Osoro has been responsible for designing highly complex network environments with strict requirements for availability and reliability. He currently maintains four CCIE certifications in Routing/Switching, Security, Service Provider, and Voice. He is also a Certified Information Systems Security Professional (CISSP) and holds the Juniper Networks Certified Internet Specialist (JNCIS-M) certification.

Dedications

Ray Blair: As with everything in my life, I thank my Lord and Savior for his faithful leading that has brought me to this place. This book is dedicated to my wife, Sonya, and my children, Sam, Riley, Sophie, and Regan. You guys mean the world to me!

Arvind Durai: This book is dedicated to my wife, Monica, who pushed me in this endeavor, supported me during the long hours, and helped me achieve this goal—and to my son, Akhhill, who always gave me the extra energy that recharged me to work on this book.

To my parents, for providing me with values and opportunities.

To my brother and family, my parents-in-law, and brother-in-law and family for all their support and wishes.

Thank you, God!

Acknowledgments

Ray Blair:

This project was a significant undertaking, and without the support of those mentioned below as well as many others, this would not have been an achievable goal. I am very grateful for all your help and support in completing this book!

To my nontechnical wife, who was the initial reviewer, who suffered through reading technical material, finding errors and phrasing that didn't make sense, I will always remember your sacrifice and commitment to the success of this book—thank you!

Thanks to my children, Sam, Riley, Sophie, and Regan, for your patience in the many hours I spent working on this book and tolerating the "We'll do it after I get this book done" response. Let's go fishing!

Arvind, your excellent technical knowledge and the great working relationship that we have always enjoyed made writing this book a pleasure. I look forward to many more years as your colleague and friend.

Arvind Durai:

Thanks to my wife, who reviewed all my chapters several times during each stage of the book and gave me suggestions for improvement. She spent numerous late nights and early mornings working on the book review with me. I never felt alone. Thank you!

I would like to thank Andrew Maximow (director, Cisco Advanced Services), Uwe Fisher (manager, Advanced Services), and Naheed Alibhai (manager, Advanced Services) for supporting me in this effort. I also want to extend my thanks to all my peers with whom I worked on customer designs.

Ray, this book has been a great partnership. Your technical knowledge is awesome. You have been a great friend and colleague, and it is always a pleasure working with you.

Thanks to everyone who supported me directly or indirectly in every phase of the book. Without all your support, this book would not have been possible. Our special thanks to:

We are very grateful to Bryan Osoro and Sunil Gul Wadwani. Without the talent of these two technical reviewers, the book wouldn't have been possible.

A big thanks to the product, development, and test teams within Cisco that provided answers to questions and prereleased code for testing: Reza Saada, Chandra Modumudi, Donovan Williams, Muninder Sambi, Munawar Hossain, Christopher Paggen, and Ben Basler.

The Cisco Press team was very helpful in providing excellent feedback and direction; many thanks to Brett Bartow, Christopher Cleveland, Dan Young, and Tonya Simpson.

Thanks to all our customers with whom we have worked. Each customer scenario inspired us to write this book.

Contents at a Glance

Introduction xxi

Part I Introduction 3

Chapter 1 Types of Firewalls 5

Chapter 2 Overview of the Firewall Services Module 19

Chapter 3 Examining Modes of Operation 35

Chapter 4 Understanding Security Levels 53

Chapter 5 Understanding Contexts 73

Part II Initial Configuration 87

Chapter 6 Configuring and Securing the 6500/7600 Chassis 89

Chapter 7 Configuring the FWSM 105

Chapter 8 Access Control Lists 125

Chapter 9 Configuring Routing Protocols 135

Chapter 10 AAA Overview 171

Chapter 11 Modular Policy 183

Part III Advanced Configuration 195

Chapter 12 Understanding Failover in FWSM 197

Chapter 13 Understanding Application Protocol Inspection 219

Chapter 14 Filtering 235

Chapter 15 Managing and Monitoring the FWSM 245

Chapter 16 Multicast 265

Chapter 17 Asymmetric Routing 287

Chapter 18 Firewall Load Balancing 303

Chapter 19 IP Version 6 327

Chapter 20 Preventing Network Attacks 345

Chapter 21 Troubleshooting the FWSM 357

Part IV Design Guidelines and Configuration Examples 373

Chapter 22 Designing a Network Infrastructure 375

Chapter 23 Design Scenarios 401

Part V FWSM 4.x 447

Chapter 24 FWSM 4.x Performance and Scalability Improvements 449

Chapter 25 Understanding FWSM 4.x Routing and Feature Enhancements 469

Index 486

Contents

Introduction xxi

Part I Introduction 3

Chapter 1 Types of Firewalls 5

Understanding Packet-Filtering Firewalls 5
    Advantages 5
    Caveats 6

Understanding Application/Proxy Firewalls 7
    Advantages 8
    Caveats 8

Understanding Reverse-Proxy Firewalls 10
    Advantages 10
    Caveats 12

Utilizing Packet Inspection 12

Reusing IP Addresses 13
    NAT 14
    PAT 15

Summary 16

Chapter 2 Overview of the Firewall Services Module 19

Specifications 19

Installation 20

Performance 22

Virtualization 23

Comparing the FWSM to Other Security Devices 24
    IOS FW 25
    PIX 25
    ASA 25

Hardware Architecture 26

Software Architecture 29

Chapter 3 Examining Modes of Operation 35

Working with Transparent Mode 35
    Advantages 37
    Disadvantages 40
    Traffic Flow 40
    Multiple Bridge Groups 45

Working with Routed Mode 46
    Advantages 48
    Disadvantages 48
    Traffic Flow 48

Summary 51

References 51

Chapter 4 Understanding Security Levels 53

Traffic Flow Between Interfaces 54

Network Address Translation/Port Address Translation 55
    Static NAT 58
        Number of Simultaneous TCP Connections 61
        Number of Embryonic Connections 61
        DNS 62
        Norandomseq 62
        TCP 63
        UDP 63
    Static PAT 64
    Dynamic NAT 67
    Dynamic PAT 67
    NAT Control 67
    NAT Bypass 68
    NAT 0 or Identity NAT 68
    Static Identity NAT 68

Summary 70

References 70

Chapter 5 Understanding Contexts 73

Benefits of Multiple Contexts 74
    Separating Security Policies 74
    Leveraging the Hardware Investment 74

Disadvantages of Multiple Contexts 74

Adding and Removing Contexts 75
    Adding a Context 76
    Removing a Context 77

Storing Configuration Files 77

Changing Between Contexts 78

Understanding Resource Management 79
    Memory Partitions 80

Summary 85

Part II Initial Configuration 87

Chapter 6 Configuring and Securing the 6500/7600 Chassis 89

Understanding the Interaction Between the Host-Chassis and the FWSM 89

Assigning Interfaces 92

Securing the 6500/7600 (Host-Chassis) 94
    Controlling Physical Access 95
    Being Mindful of Environmental Considerations 95
    Controlling Management Access 96
    Disabling Unnecessary Services 97
    Controlling Access Using Port-Based Security 99
    Controlling Spanning Tree 99
    Leveraging Access Control Lists 100
    Securing Layer 3 100
    Leveraging Control Plane Policing 101
    Protecting a Network Using Quality of Service 101
    Employing Additional Security Features 101

Summary 103

References 103

Chapter 7 Configuring the FWSM 105

Configuring FWSM in the Switch 105

Exploring Routed Mode 108

Exploring Transparent Mode 109

Using Multiple Context Mode for FWSM 111
    Context Configurations 111
    System Context Configurations 111
    Admin Context Configurations 112
    Packet Classifier in FWSM Context Mode 112
    Understanding Resource Management in Contexts 113

Configuration Steps for Firewall Services Module 113
    Type 1: Configuring Single Context Routed Mode 114
    Type 2: Configuring Single Context Transparent Mode 116
    Type 3: Configuring Multiple Context Mixed Mode 119

Summary 123

Chapter 8 Access Control Lists 125

Introducing Types of Access Lists 125
    Understanding Access Control Entry 127
    Understanding Access List Commit 128

Understanding Object Groups 128

Monitoring Access List Resources 129

Configuring Object Groups and Access Lists 129
    Working with Protocol Type 129
    Working with Network Type 130
    Working with Service Type 130
    Working with Nesting Type 130
    Working with EtherType 131

Summary 132

Chapter 9 Configuring Routing Protocols 135

Supporting Routing Methods 136
    Static Routes 136
    Default Routes 137
    Open Shortest Path First 137
        SPF Algorithm 137
        OSPF Network Types 138
        Concept of Areas 139
        OSPF Link State Advertisement 140
        Types of Stub Area in OSPF 141
        OSPF in FWSM 141
        OSPF Configuration in FWSM 142
        Interface-Based Configuration for OSPF Parameters 142
        Summarization 143
        Stub Configuration 143
        NSSA Configuration 144
        Default Route Information 144
        Timers 144
        OSPF Design Example 1 144
        OSPF Design Example 2 149
    Routing Information Protocol 154
        RIP in FWSM 154
        Configuration Example of RIP on FWSM 154
    Border Gateway Protocol 158
        BGP in FWSM 159
        BGP Topology with FWSM 159

Summary 169

Chapter 10 AAA Overview 171

Understanding AAA Components 171
    Authentication in FWSM 171
    Authorization in FWSM 172
    Accounting in FWSM 172

Comparing Security Protocols 173

Understanding Two-Step Authentication 175

Understanding Fallback Support 175

Configuring Fallback Authentication 175
    Configuring Local Authorization 177

Understanding Cut-Through Proxy in FWSM 178
    Configuring Custom Login Prompts 180
    Using MAC Addresses to Exempt Traffic from Authentication and Authorization 181

Summary 181

Chapter 11 Modular Policy 183

Using Modular Policy in FWSM 183

Understanding Classification of Traffic 185
    Understanding Application Engines 187

Defining Policy Maps 189

Configuring Global Policy 189

Configuring Service Policy 190

Understanding Default Policy Map 190

Sample Configuration of Modular Policy in FWSM 191

Part III Advanced Configuration 195

Chapter 12 Understanding Failover in FWSM 197

Creating Redundancy in the FWSM 197
    Understanding Active/Standby Mode 197
    Understanding Active/Active Mode 198

Understanding Failover Link and State Link 199

Requirements for Failover 201

Synchronizing the Primary and Secondary Firewalls 201

Monitoring Interfaces 202

Configuring Poll Intervals 203

Design Principle for Monitoring Interfaces 203

Configuring Single Context FWSM Failover 205

Configuring Multiple Context FWSM Failover 212

Summary 217

Chapter 13 Understanding Application Protocol Inspection 219

Inspecting Hypertext Transfer Protocol 220

Inspecting File Transfer Protocol 222

Working with Supported Applications 224

Configuring ARP 229
    Inspecting ARP 230
    Configuring Parameters for ARP 231
    Configuring MAC Entries 231
    Adding Static Entries 231

Summary 233

References 233

Chapter 14 Filtering 235

Working with URLs and FTP 235

Configuring ActiveX and Java 241

Summary 242

Chapter 15 Managing and Monitoring the FWSM 245

Using Telnet 245

Using Secure Shell 247

Using Adaptive Security Device Manager 249
    Configuring the FWSM Using ASDM 249
    Managing the FWSM from the Client 249

Securing Access 251

Configuring the FWSM for VPN Termination 252
    Configuring the VPN Client 254

Working with Simple Network Management Protocol 257

Examining Syslog 258

Working with Cisco Security Manager 260

Monitoring Analysis and Response System 262

Summary 263

References 263

Chapter 16 Multicast 265

Protocol Independent Multicast 265

Understanding Rendezvous Point 267

PIM Interface Modes 268

IGMP Protocol 268

Multicast Stub Configuration 269

Multicast Traffic Across Firewalls 269
    FWSM 1.x and 2.x Code Releases 269
    FWSM 3.x Code Release 270

Configuration Methods 273
    Method 1: Configuration Example for Multicast Through Firewall in Single Context Routed Mode 273
    Method 2: Configuration Example for Multicast Through Firewall via GRE 276
    Method 3: Configuration Example for Multicast Through Transparent Firewall in Multiple Context Mode 279

Chapter 17 Asymmetric Routing 287

Asymmetric Routing Without a Firewall 287

Asymmetric Traffic Flow in a Firewall Environment 289

Avoiding Asymmetric Routing Through Firewalls 290
    Option 1: Symmetric Routing Through Firewalls 290
    Option 2: Firewall Redundancy and Routing Redundancy Symmetry 292

Supporting Asymmetric Routing in FWSM 294

    Asymmetric Routing Support in Active/Standby Mode 294
    Asymmetric Routing Support in Active/Active Mode 295

Configuring ASR in FWSM 297

Summary 301

Chapter 18 Firewall Load Balancing 303

Reasons for Load Balancing Firewalls 303

Design Requirements for Firewall Load Balancing 304

Firewall Load-Balancing Solutions 305

    Firewall Load Balancing with Policy-Based Routing 305
    Firewall Load Balancing with Content Switch Module 307
        Configuring the CSM 308
        Snapshot Configuration for CSM Supporting Firewall Load Balancing 311
    Firewall Load Balancing Using the Application Control Engine 313
        ACE Design for Firewall Load Balancing 313

Firewall Load Balancing Configuration Example 318
    OUT2IN Policy Configuration 319
    Firewall Configuration 319
    IN2OUT Policy Configuration 323

Summary 324

Chapter 19 IP Version 6 327

Understanding IPv6 Packet Header 327

Examining IPv6 Address Types 329
    Neighbor Discovery Protocol 329

IPv6 in FWSM 330

Configuring Multiple Features of IPv6 in FWSM 331
    Interface Configuration 331
    Router Advertisement 333
    Duplicate Address Detection 333
    Timer for Duplicate Address Detection 333
    Configuring Access Lists 334
    Configuring Static Routes 334
    Configuring IPv6 Timers in FWSM 334

Configuring IPv6 in FWSM 335
    Configuring PFC (Layer 3 Device) on the Outside Security Domain 336
    Configuring FWSM 337

Configuring a Layer 3 Device on the Inside Security Domain 338

Verify the Functionality of FWSM 339

Working with the show Command for IPv6 in FWSM 340

Summary 343

Chapter 20 Preventing Network Attacks 345

Protecting Networks 345

Shunning Attackers 347

Spoofing 349

Understanding Connection Limits and Timeouts 350
    Configuring Connection Limits 351
    Configuring Timeouts 352

Summary 354

References 354

Chapter 21 Troubleshooting the FWSM 357

Understanding Troubleshooting Logic 357

Assessing Issues Logically 357

Connectivity Test of a Flow at the FWSM 360
    Troubleshooting Flow Issues 360

FAQs for Troubleshooting 363

How Do You Verify Whether the Traffic Is Forwarded to a Particular Interface in the FWSM? 363

How Do I Verify ACL Resource Limits? 364

How Do I Verify the Connectivity and Packet Flow Through the Firewall? 365

What Is Network Analysis Module? 365

What Are Some Useful Management and Monitoring Tools? 368

How Do I Recover Passwords? 369

Part IV Design Guidelines and Configuration Examples 373

Chapter 22 Designing a Network Infrastructure 375

Determining Design Considerations 375
    Documenting the Process 376

Determining Deployment Options 377

Determining Placement 378

Working with FWSM and the Enterprise Perimeter 382
    FWSM in the Datacenter 383
    Throughput 383
    Flexibility 383
    Availability 384
    Supporting Virtualized Networks 384

Summary 399

Reference 399

Chapter 23 Design Scenarios 401

Layer 3 VPN (VRF) Terminations at FWSM 401
    Configuring the PFC 405
    Configuring the FWSM 406

Failover Configuration in Mixed Mode 408

Interdomain Communication of Different Security Zones Through a Single FWSM 415
    Configuring the PFC 416
    FWSM Configuration 418

Dynamic Learning of Routes with FWSM 424
    Single Box Solution with OSPF 425

Data Center Environment with the FWSM 430

Method 1: Layer 3 VPN Segregation with Layer 3 FWSM (Multiple Context Mode) 430

Method 2: Layer 3 VPN Segregation with Layer 2 FWSM (Multiple Context Mode) 432

PVLAN and FWSM 434

PVLAN Configuration in FWSM 435
    Design Scenario 1 for PVLAN in FWSM 435
    Design Scenario 2 for PVLAN in FWSM 436
    Configuring PVLAN 438

Summary 444

Part V FWSM 4.x 447

Chapter 24 FWSM 4.x Performance and Scalability Improvements 449

Increasing Performance by Leveraging the Supervisor 449

Using the PISA for Enhanced Traffic Detection 453

Improving Memory 458
    Partitioning Memory 459
    Reallocating Rules 461
    Optimizing ACL 464

Summary 466

Chapter 25 Understanding FWSM 4.x Routing and Feature Enhancements 469

Configuring EIGRP 469

Configuring Route Health Injection 473

Understanding Application Support 477
    Configuring Regular Expressions 477
    Understanding Application Inspection Improvements 481

Additional Support for Simple Network Management Protocol Management Information Base 482

Miscellaneous Security Features 484

    Dynamic Host Configuration Protocol Option 82 484
    Smartfilter HTTPS Support 485

Summary 485

References 485

Index 486

Icons Used in This Book

Router
Switch
Route Switch Processor
Multi-Switch Device
Bridge
Router with Firewall
Web Server
PIX Firewall
Firewall Services Module
Firewall
Ethernet Connection
Laptop
Network Cloud
Serial Line Connection
Server

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

• Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

• Italic indicates arguments for which you supply actual values.

• Vertical bars (|) separate alternative, mutually exclusive elements.

• Square brackets ([ ]) indicate an optional element.

• Braces within brackets ([{ }]) indicate a required choice within an optional element.

Introduction

Firewalls are one of the main components used in securing a network infrastructure, and having an in-depth understanding of how these devices function is paramount to maintaining a secure network. This book was written to provide an understanding of the functionality of the Firewall Services Module (FWSM), from both a hardware and a software perspective, and to be a practical design guide with configuration examples for the design, implementation, operation, and management of the FWSM in various deployment scenarios.

Who Should Read This Book?

This book is targeted at individuals who would like an in-depth understanding of the FWSM. It is focused primarily on those who design, implement, or maintain the FWSM, such as security/network administrators. To get the most value from the material, the reader should have at least an intermediate knowledge of networking and security.

How This Book Is Organized

This book is organized into five sections that cover the basic introduction of firewalls, initial and advanced configurations, design guides and configuration examples, and features and functionality introduced in FWSM version 4.x code:

• Chapter 1, "Types of Firewalls": This chapter explains the functionality of the different types of firewalls.

• Chapter 2, "Overview of the Firewall Services Module": This chapter covers specifications, installation information, performance, and virtualization; shows a comparison of IOS FW, ASA, and FWSM; and also explains the hardware and software architecture.

• Chapter 3, "Examining Modes of Operation": This chapter examines the modes of operation (transparent/routed) and explains the advantages of each.

• Chapter 4, "Understanding Security Levels": This chapter explains how traffic flows between interfaces, using both NAT and PAT, in both routed and transparent modes.

• Chapter 5, "Understanding Contexts": This chapter provides an overview of the benefits of contexts and how to manage them.

• Chapter 6, "Configuring and Securing the 6500/7600 Chassis": This chapter explains how to configure the host chassis to support the FWSM.

• Chapter 7, "Configuring the FWSM": This chapter covers the initial configuration of the FWSM.

• Chapter 8, "Access Control Lists": This chapter examines the use of ACLs.

• Chapter 9, "Configuring Routing Protocols": This chapter explains the use of routing protocols on the FWSM.

• Chapter 10, "AAA Overview": This chapter covers the principles of using authentication, authorization, and accounting.

• Chapter 11, "Modular Policy": This chapter covers the use of class and policy maps.

• Chapter 12, "Understanding Failover in FWSM": This chapter explains the use and configuration of multiple FWSMs for high availability.

• Chapter 13, "Understanding Application Protocol Inspection": This chapter covers the use and configuration of application and protocol inspection.

• Chapter 14, "Filtering": This chapter examines how traffic can be filtered using filter servers and how ActiveX and Java filtering function.

• Chapter 15, "Managing and Monitoring the FWSM": This chapter covers the different options of managing and monitoring the FWSM.

• Chapter 16, "Multicast": This chapter explains the interaction of multicast with the FWSM and provides some practical examples.

• Chapter 17, "Asymmetric Routing": This chapter provides an explanation of asymmetric routing and how it can be configured.

• Chapter 18, "Firewall Load Balancing": This chapter covers the options of how to increase performance using multiple FWSMs.

• Chapter 19, "IP Version 6": This chapter explains IPv6 and how it is configured on the FWSM.

• Chapter 20, "Preventing Network Attacks": This chapter examines how to mitigate network attacks, using shunning, antispoofing, connection limits, and timeouts.

• Chapter 21, "Troubleshooting the FWSM": This chapter explains how to leverage the appropriate tools to solve problems.

• Chapter 22, "Designing a Network Infrastructure": This chapter provides an overview of the placement of the FWSM in the network.

• Chapter 23, "Design Scenarios": This chapter provides many practical examples of how the FWSM can be configured.

• Chapter 24, "FWSM 4.x Performance and Scalability Improvements": This chapter covers the performance improvements in 4.x code.

• Chapter 25, "Understanding FWSM 4.x Routing and Feature Enhancements": This chapter explains the use of commands introduced in 4.x code.
