larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Cisco Secure Firewall Services Module (FWSM)

eBook (Watermarked)

  • Your Price: $41.60
  • List Price: $52.00
  • About Watermarked eBooks
  • This PDF will be accessible from your Account page after purchase and requires the free Adobe® Reader® software to read it.

    The eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

    Watermarked eBook FAQ

  • Description
  • Sample Content
  • Updates
  • Copyright 2009
  • Edition: 1st
  • eBook (Watermarked)
  • ISBN-10: 1-58705-606-2
  • ISBN-13: 978-1-58705-606-2

Cisco Secure Firewall Services Module (FWSM)

Best practices for securing networks with FWSM

Ray Blair, CCIE® No. 7050

Arvind Durai, CCIE No. 7016

The Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. The FWSM defines the security parameter and enables the enforcement of security policies through authentication, access control lists, and protocol inspection. The FWSM is a key component to anyone deploying network security.

Cisco Secure Firewall Services Module (FWSM) covers all aspects of the FWSM. The book provides a detailed look at how the FWSM processes information, as well as installation advice, configuration details, recommendations for network integration, and reviews of operation and management. This book provides you with a single source that comprehensively answers how and why the FWSM functions as it does. This information enables you to successfully deploy the FWSM and gain the greatest functional benefit from your deployment. Practical examples throughout show you how other customers have successfully deployed the FWSM.

By reading this book, you will learn how the FWSM functions, the differences between the FWSM and the ASA Security Appliance, how to implement and maintain the FWSM, the latest features of the FWSM, and how to configure common installations.

Ray Blair, CCIE® No. 7050, is a consulting systems architect who has been with Cisco for more than 8 years, working primarily on security and large network designs. He has 20 years of experience in designing, implementing, and maintaining networks that have included nearly all networking technologies. Mr. Blair maintains three CCIE certifications in Routing and Switching, Security, and Service Provider. He is also a CNE and a CISSP.

Arvind Durai, CCIE No. 7016, is an advanced services technical leader for Cisco. His primary responsibility has been in supporting major Cisco customers in the enterprise sector. One of his focuses has been on security, and he has authored several white papers and design guides in various technologies. Mr. Durai maintains two CCIE certifications, in Routing and Switching and Security.

  • Understand modes of operation, security levels, and contexts for the FWSM
  • Configure routing protocols and the host-chassis to support the FWSM
  • Deploy ACLs and Authentication, Authorization, and Accounting (AAA)
  • Apply class and policy maps
  • Configure multiple FWSMs for failover support
  • Configure application and protocol inspection
  • Filter traffic using filter servers, ActiveX, and Java filtering functions
  • Learn how IP multicast and the FWSM interact
  • Increase performance with firewall load balancing
  • Configure IPv6 and asymmetric routing
  • Mitigate network attacks using shunning, anti-spoofing, connection limits, and timeouts
  • Examine network design, management, and troubleshooting best practices

This security book is part of the Cisco Press® Networking Technology series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security

Covers: Firewall security

Table of Contents


Part I Introduction

Chapter 1 Types of Firewalls

Understanding Packet-Filtering Firewalls 5

    Advantages 5

    Caveats 6

Understanding Application/Proxy Firewalls 7

    Advantages 8

    Caveats 8

Understanding Reverse-Proxy Firewalls



Utilizing Packet Inspection

Reusing IP Addresses




Chapter 2 Overview of the Firewall Services Module





Comparing the FWSM to Other Security Devices

    IOS FW



Hardware Architecture

Software Architecture


Chapter 3 Examining Modes of Operation

Working with Transparent Mode



    Traffic Flow

    Multiple Bridge Groups

Working with Routed Mode



    Traffic Flow



Chapter 4 Understanding Security Levels

Traffic Flow Between Interfaces

Network Address Translation/Port Address Translation

    Static NAT

        Number of Simultaneous TCP Connections

        Number of Embryonic Connections





    Static PAT

    Dynamic NAT

    Dynamic PAT

    NAT Control

    NAT Bypass

        NAT 0 or Identity NAT

        Static Identity NAT



Chapter 5 Understanding Contexts

Benefits of Multiple Contexts

    Separating Security Policies

    Leveraging the Hardware Investment

Disadvantages of Multiple Contexts

Adding and Removing Contexts

    Adding a Context

    Removing a Context

        Storing Configuration Files

    Changing Between Contexts

Understanding Resource Management

    Memory Partitions


Part II Initial Configuration

Chapter 6 Configuring and Securing the 6500/7600 Chassis

Understanding the Interaction Between the Host-Chassis and the FWSM

Assigning Interfaces

Securing the 6500/7600 (Host-Chassis)

    Controlling Physical Access

    Being Mindful of Environmental Considerations

    Controlling Management Access

    Disabling Unnecessary Services

    Controlling Access Using Port-Based Security

    Controlling Spanning Tree

    Leveraging Access Control Lists

    Securing Layer 3

    Leveraging Control Plane Policing

    Protecting a Network Using Quality of Service

    Employing Additional Security Features



Chapter 7 Configuring the FWSM

Configuring FWSM in the Switch

Exploring Routed Mode

Exploring Transparent Mode

Using Multiple Context Mode for FWSM

    Context Configurations

    System Context Configurations

    Admin Context Configurations

    Packet Classifier in FWSM Context Mode

    Understanding Resource Management in Contexts

Configuration Steps for Firewall Services Module

    Type 1: Configuring Single Context Routed Mode

    Type 2: Configuring Single Context Transparent Mode

    Type 3: Configuring Multiple Context Mixed Mode


Chapter 8 Access Control Lists

Introducing Types of Access Lists

    Understanding Access Control Entry

    Understanding Access List Commit

Understanding Object Groups

Monitoring Access List Resources

Configuring Object Groups and Access Lists

    Working with Protocol Type

    Working with Network Type

    Working with Service Type

    Working with Nesting Type

    Working with EtherType


Chapter 9 Configuring Routing Protocols

Supporting Routing Methods

    Static Routes

    Default Routes

    Open Shortest Path First

        SPF Algorithm

        OSPF Network Types

        Concept of Areas

        OSPF Link State Advertisement

        Types of Stub Area in OSPF

    OSPF in FWSM

    OSPF Configuration in FWSM

        Interface-Based Configuration for OSPF Parameters


        Stub Configuration

        NSSA Configuration

        Default Route Information


    OSPF Design Example 1

    OSPF Design Example 2

    Routing Information Protocol

    RIP in FWSM

        Configuration Example of RIP on FWSM

    Border Gateway Protocol

    BGP in FWSM

    BGP Topology with FWSM


Chapter 10 AAA Overview

Understanding AAA Components

    Authentication in FWSM

    Authorization in FWSM

    Accounting in FWSM

Comparing Security Protocols

Understanding Two-Step Authentication

Understanding Fallback Support

    Configuring Fallback Authentication

    Configuring Local Authorization

Understanding Cut-Through Proxy in FWSM

    Configuring Custom Login Prompts

    Using MAC Addresses to Exempt Traffic from Authentication and Authorization


Chapter 11 Modular Policy

Using Modular Policy in FWSM

Understanding Classification of Traffic

    Understanding Application Engines

Defining Policy Maps

    Configuring Global Policy

Configuring Service Policy

Understanding Default Policy Map

Sample Configuration of Modular Policy in FWSM


Part III Advanced Configuration

Chapter 12 Understanding Failover in FWSM

Creating Redundancy in the FWSM

    Understanding Active/Standby Mode

    Understanding Active/Active Mode

Understanding Failover Link and State Link

Requirements for Failover

Synchronizing the Primary and Secondary Firewalls

Monitoring Interfaces

Configuring Poll Intervals

Design Principle for Monitoring Interfaces

Configuring Single Context FWSM Failover

Configuring Multiple Context FWSM Failover


Chapter 13 Understanding Application Protocol Inspection

Inspecting Hypertext Transfer Protocol

Inspecting File Transfer Protocol

Working with Supported Applications

Configuring ARP

    Inspecting ARP

    Configuring Parameters for ARP

        Configuring MAC Entries

        Adding Static Entries



Chapter 14 Filtering

Working with URLs and FTP

Configuring ActiveX and Java



Chapter 15 Managing and Monitoring the FWSM

Using Telnet

Using Secure Shell

Using Adaptive Security Device Manager

    Configuring the FWSM Using ASDM

    Managing the FWSM from the Client

Securing Access

    Configuring the FWSM for VPN Termination

    Configuring the VPN Client

Working with Simple Network Management Protocol

Examining Syslog

Working with Cisco Security Manager

Monitoring Analysis and Response System



Chapter 16 Multicast

Protocol Independent Multicast

Understanding Rendezvous Point

PIM Interface Modes

IGMP Protocol

Multicast Stub Configuration

Multicast Traffic Across Firewalls

    FWSM 1.x and 2.x Code Releases

    FWSM 3.x Code Release

Configuration Methods

    Method 1: Configuration Example for Multicast Through Firewall in Single Context Routed Mode

    Method 2: Configuration Example for Multicast Through Firewall via GRE

    Method 3: Configuration Example for Multicast Through Transparent Firewall in Multiple Context Mode


Chapter 17 Asymmetric Routing

Asymmetric Routing Without a Firewall

Asymmetric Traffic Flow in a Firewall Environment

Avoiding Asymmetric Routing Through Firewalls

    Option 1: Symmetric Routing Through Firewalls

    Option 2: Firewall Redundancy and Routing Redundancy Symmetry

Supporting Asymmetric Routing in FWSM

    Asymmetric Routing Support in Active/Standby Mode

    Asymmetric Routing Support in Active/Active Mode

Configuring ASR in FWSM


Chapter 18 Firewall Load Balancing

Reasons for Load Balancing Firewalls

Design Requirements for Firewall Load Balancing

Firewall Load-Balancing Solutions

    Firewall Load Balancing with Policy-Based Routing

    Firewall Load Balancing with Content Switch Module

        Configuring the CSM

        Snapshot Configuration for CSM Supporting Firewall Load Balancing

    Firewall Load Balancing Using the Application Control Engine

        ACE Design for Firewall Load Balancing

Firewall Load Balancing Configuration Example

    OUT2IN Policy Configuration

    Firewall Configuration

    IN2OUT Policy Configuration


Chapter 19 IP Version 6

Understanding IPv6 Packet Header

Examining IPv6 Address Types

    Neighbor Discovery Protocol

IPv6 in FWSM

    Configuring Multiple Features of IPv6 in FWSM

        Interface Configuration

        Router Advertisement

        Duplicate Address Detection

        Timer for Duplicate Address Detection

        Configuring Access Lists

        Configuring Static Routes

        Configuring IPv6 Timers in FWSM

    Configuring IPv6 in FWSM

        Configuring PFC (Layer 3 Device) on the Outside Security Domain

        Configuring FWSM

        Configuring a Layer 3 Device on the Inside Security Domain

        Verify the Functionality of FWSM

        Working with the showCommand for IPv6 in FWSM


Chapter 20 Preventing Network Attacks

Protecting Networks

Shunning Attackers


Understanding Connection Limits and Timeouts

    Configuring Connection Limits

    Configuring Timeouts



Chapter 21 Troubleshooting the FWSM

Understanding Troubleshooting Logic

Assessing Issues Logically

Connectivity Test of a Flow at the FWSM

    Troubleshooting Flow Issues

FAQs for Troubleshooting

    How Do You Verify Whether the Traffic Is Forwarded to a Particular Interface in the FWSM?

    How Do I Verify ACL Resource Limits?

    How Do I Verify the Connectivity and Packet Flow Through the Firewall?

    What Is Network Analysis Module?

    What Are Some Useful Management and Monitoring Tools?

    How Do I Recover Passwords?


Part IV Design Guidelines and Configuration Examples

Chapter 22 Designing a Network Infrastructure

Determining Design Considerations

    Documenting the Process

Determining Deployment Options

    Determining Placement

    Working with FWSM and the Enterprise Perimeter

    FWSM in the Datacenter




    Supporting Virtualized Networks



Chapter 23 Design Scenarios

Layer 3 VPN (VRF) Terminations at FWSM

    Configuring the PFC

    Configuring the FWSM

Failover Configuration in Mixed Mode

Interdomain Communication of Different Security Zones Through a Single FWSM

    Configuring the PFC

    FWSM Configuration

Dynamic Learning of Routes with FWSM

    Single Box Solution with OSPF

Data Center Environment with the FWSM

    Method 1: Layer 3 VPN Segregation with Layer 3 FWSM (Multiple Context Mode)

    Method 2: Layer 3 VPN Segregation with Layer 2 FWSM (Multiple Context Mode)


    PVLAN Configuration in FWSM

    Design Scenario 1 for PVLAN in FWSM

    Design Scenario 2 for PVLAN in FWSM

    Configuring PVLAN


Part V FWSM 4.x

Chapter 24 FWSM 4.x Performance and Scalability Improvements

Increasing Performance by Leveraging the Supervisor

Using the PISA for Enhanced Traffic Detection

Improving Memory

    Partitioning Memory

    Reallocating Rules

    Optimizing ACL


Chapter 25 Understanding FWSM 4.x Routing and Feature Enhancements

Configuring EIGRP

Configuring Route Health Injection

Understanding Application Support

    Configuring Regular Expressions

    Understanding Application Inspection Improvements

Additional Support for Simple Network Management Protocol Management Information Base

Miscellaneous Security Features

    Dynamic Host Configuration Protocol Option 82

    Smartfilter HTTPS Support



1587053535   TOC   8/12/2008

Unlimited one-month access with your purchase
Free Safari Membership