下载
Cisco Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series
The Cisco® Firewall Services Module (FWSM) for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers is a high-performance, integrated stateful inspection firewall with application and protocol inspection engines. It provides 5.5 Gbps of throughput, 100,000 connections per second, and one million concurrent connections. Up to four FWSMs can be installed in a single chassis, providing scalability up to 20 Gbps per chassis. As an extension to the Cisco PIX® family of security appliances, the FWSM provides large enterprises and service providers with superior security, performance, and reliability.
Figure 1. Cisco Catalyst 6500 Series Firewall Services Module
Based on Cisco PIX firewall technology, the FWSM is a hardened, embedded system that eliminates security holes and performance-degrading overhead. The Cisco FWSM tracks the state of all network communications and prevents unauthorized network access. It delivers strong application-layer security through intelligent, application-aware inspection engines that examine network flows at Layers 4-7, including market-leading protection for voice over IP (VoIP), multimedia, instant messaging, and peer-to-peer applications.
The Cisco FWSM is managed by the integrated Cisco PIX Device Manager (PDM) for the Cisco FWSM Software v2.3 or earlier, or by the Cisco Adaptive Security Device Manager (ASDM) for Cisco FWSM Software v3.1 for device and policy configuration, monitoring, and troubleshooting of a single FWSM. Cisco PDM can be launched from the CiscoWorks CiscoView Device Manager (CVDM) for device provisioning of Cisco Catalyst switches and other services modules. The Cisco FWSM can also be managed from centralized, scalable, multidevice policy-based management tools, including CiscoWorks VPN/Security Management Solution (VMS); the Cisco Security Manager; and the Cisco Security Monitoring, Analysis, and Response System (MARS). Together with other security devices, these central management tools manage the FWSM throughout the network in a consistent manner to best expedite large security deployments.
SECURITY SERVICES INTEGRATION
The Cisco FWSM can be combined with other Cisco security services modules such as the Intrusion Detection Services Module (IDSM-2), IP Security (IPSec) VPN Shared Port Adapter (SPA), SSL VPN Services Module (WEBVPNSM), Traffic Anomaly Detection Module (ADM), Anomaly Guard Module (AGM), and the Network Analysis Module (NAM-1 and NAM-2). Together, these services modules provide a complete self-defending network solution.
With this modular approach, customers can use their existing switching and routing infrastructures for cost-effective deployment-and can do so while obtaining the highest performance available in the industry and providing secured IP services along with multilayer LAN and WAN switching and routing capabilities.
FIREWALL SERVICES MODULE BENEFITS
Integrated Module Enhances Security provides Lower Cost of Ownership
Besides protecting the perimeter of the corporate network from threats, the Cisco FWSM is installed inside a Cisco Catalyst 6500 Series switch or Cisco 7600 Series router and prevents unauthorized users from accessing a particular subnet, workgroup, or LAN within a corporate network. This intelligent network integration allows the FWSM to provide greater investment protection, a lower total cost of ownership, and a reduced footprint where rack space is at a premium. Any physical port on the switch can be configured to operate with firewall policy and protection, allowing for easy deployment without additional configuration and cabling, and providing firewall security inside the network infrastructure. The FWSM can be deployed together with other Cisco Catalyst 6500 Series and Cisco 7600 Series security services modules, for a secure, multilayer defense-in-depth IP services solution.
High Performance and Scalability Ready for the Future
The Cisco FWSM provides industry-leading performance of 100,000 connections per second, 5.5 Gbps of throughput, and one million concurrent connections. This superior performance helps organizations meet future growing requirements without requiring a system overhaul. Up to four FWSMs can be deployed in the same chassis for a total of 20 Gbps throughput. A single FWSM can support up to 1000 virtual interfaces (256 per context), and a single chassis can scale up to a maximum of 4000 VLANs. Full firewall protection is applied across the switch backplane, giving the lowest latency figures (30 microseconds for small frames) possible. The FWSM is based on high-speed network processors that provide high performance but retain the flexibility of general-purpose CPUs.
Service Virtualization Reduces Cost and Complexity of Management
The Cisco FWSM provides service virtualization, which allows service providers and large enterprises to implement separate policies for different customers or functional areas, such as multiple demilitarized zones (DMZs), over the same physical infrastructure. Virtualization helps reduce the cost and complexity of managing multiple devices, and makes it easier to add or delete security contexts as subscribers grow. A single FWSM can be partitioned into a maximum of 250 virtual firewalls (security contexts) in Cisco FWSM Software v3.1. FWSM virtualization includes support for Transparent Mode (Layer 2) and Routed Mode (Layer 3). Virtualization of services includes Network Address Translation (NAT), access control lists (ACLs), inspection engines, Simple Network Management Protocol (SNMP), syslog, and Dynamic Host Control Protocol (DHCP), and more.
The FWSM Resource Manager helps ensure high availability by limiting resource usage allocated to each security context at any time. This can prevent certain contexts from grabbing all resources and denying those resources to other contexts. These resources include number of connections, local hosts, NATs, ACLs, bandwidth, inspection rates, and syslog rates. Role-based management allows multiple IT owners to configure and manage network- and application-layer security policies. Used at the Internet edge, the FWSM can be configured to map virtual firewalls to virtual routing and forwarding instances (VRFs) to provide complete traffic separation and security on the campus network. With the default FWSM software, up to two security contexts and an additional special administrative context are provided. For more security contexts, a license must be purchased.
Ease of Deployment with Transparent (Layer 2) Firewall
The transparent firewall feature configures the FWSM to act as a Layer 2 bridging firewall and requires minimal changes to the network topology. The use of a transparent firewall reduces both the configuration and deployment time. There are no IP addresses except for the management interface; no subnetting or configuration updates are required with transparent firewalls. The transparent firewall feature greatly simplifies deployment in the data center for protecting hosts. The transparent firewalls also fit into existing networks with no Layer 3 changes and transparently pass Layer 3 traffic from routers, allowing interoperability with IP services such as Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), Gateway Load Balancing Protocol (GLBP), Multicast, and non-IP traffic
such as Internetwork Packet Exchange (IPX), Multiprotocol Label Switching (MPLS), and bridge protocol data units (BPDUs). The transparent firewall is also supported for multiple virtual firewalls. With the release of Cisco FWSM Software v3.1, a mixture of transparent firewall and routed firewall can also be implemented on the same FWSM, providing the most flexible network deployment options.
High Availability
For network resilience, the Cisco FWSM supports high-speed failover between modules within a single Cisco Catalyst 6500 or Cisco 7600 chassis (intrachassis) and between modules in separate chassis (interchassis), offering customers complete flexibility in their firewall deployments. Cisco FWSM Software v3.1 adds Active-Active stateful failover support in addition to Active-Standby stateful failover.
Robust Stateful Inspection and Application-Layer Security
The Cisco FWSM is based on Cisco PIX firewall technology, also known as the Adaptive Security Algorithm (ASA). The FWSM offers rich stateful inspection firewall services, tracking the state of all network communications, applying security policy, and preventing unauthorized network access. The FWSM creates a connection table entry for a session flow based on the source and destination addresses, randomized TCP sequence numbers, port numbers, and additional TCP flags, and applies security policy to these connections.
Building upon the network-based firewall services, the FWSM also delivers strong application-layer security through intelligent, application-aware inspection engines that examine network flows at Layers 4-7. To defend networks from application-layer attacks, these inspection engines incorporate extensive application and protocol knowledge, and employ security enforcement technologies that include protocol anomaly detection, application and protocol state tracking, bidirectional NAT services, bidirectional ACLs, Port Address Translation (PAT), and attack detection and mitigation techniques such as application/protocol command filtering, content verification, URL obfuscation, and URL filtering. These inspection engines give businesses control over instant messaging, peer-to-peer file sharing, and tunneling applications. In addition, the FWSM provides market-leading protection for a wide range of VoIP and other multimedia standards.
CISCO FWSM PLATFORM PERFORMANCE AND CAPACITIES
Table 1 provides information on the performance and capacity of the Cisco FWSM.
Table 1. Cisco FWSM Platform Performance and Capacities
| |
Capacities
|
|
Performance
|
· 5.5 Gbps of throughput per FWSM
· Up to 4 FWSMs (20 Gbps) per Cisco Catalyst 6500 chassis
· 2.8 Mpps
· 1 million concurrent connections
· 100,000 connection setups and teardowns per second
· 256,000 concurrent NAT and 256,000 concurrent PAT translations
· Jumbo Ethernet packets (8500 bytes) supported
|
|
VLAN Interfaces
|
· 1000 total per FWSM
· 256 VLANs per security context in routed mode
· 8 VLAN pairs per security context in transparent mode`
|
|
ACLs
|
· Up to 80,000 ACLs
|
|
Virtual Firewalls (security contexts)
|
· 20, 50, 100, and 250 virtual firewall licenses
· 2 virtual firewalls and 1 administrative context are provided for testing purposes
|
FWSM OVERALL FEATURE SUMMARY
Table 2 provides an overall feature summary of the Cisco FWSM.
Table 2. FWSM Overall Feature Summary
|
Features
|
Summary
|
|
Intelligent Network Services
|
· Layer 2 Firewall (transparent mode)
· Layer 3 Firewall (route and/or NAT mode)
· Mixed Layer 2 and Layer 3 firewall per FWSM
· Dynamic/static NAT and PAT
· Policy-based NAT
· VRF-aware NAT
· Destination NAT for Multicast
· Static routing support in single- and multiple security context mode
· Dynamic routing in single security context mode: Open Shortest Path First (OSPF), Routing Initiation Protocol (RIP) v1 and v2, PIM Sparse Mode v2 multicast routing, Internet Group Management Protocol (IGMP) v2
· Transparent mode supports static routing only
· Private VLAN
· Asymmetric routing supporting without redundancy by using asymmetric routing groups
· IPv6 networking and management access using IPv6 HTTPS, Secure Shell Protocol (SSH) v1 and v2, and Telnet
|
|
Core Stateful Firewall Services
|
· ACLs: Extended ACL for IP traffic, Ethertype ACL for non-IP traffic, standard ACL for OSPF route distribution, per-user Cisco Secure Access Control Server (ACS)-based ACLs, per-user ACL override, object grouping for ACLs, time-based ACLs
· Cisco Modular Policy Framework (MPF) with flow-based security policies
· Cut-through user authentication proxy with local database and external AAA server support: TCP, HTTP, FTP, HTTPS, and others
· URL filtering: Filter HTTP, HTTPS, and FTP requests by Websense Enterprise or HTTP filtering by N2H2 (now part of Secure Computing Corporation)
· Same security-level communication between VLANs (without NAT/static policies) and per-host maximum connection limit
· Protection from denial of service (DoS) attacks: DNS Guard, Flood Defender, Flood Guard, TCP Intercept with SYN cookies optimization, Unicast Reverse Path Forwarding (uRPF), Mail Guard, FragGuard and Virtual Reassembly, Internet Control Message Protocol (ICMP) stateful inspection, User Datagram Protocol (UDP) rate control, TCP stream re-assembly and deobfuscation engine, TCP traffic normalization services for attack detection
· Address Resolution Protocol (ARP) inspection in transparent firewall mode
· DHCP server, DHCP relay to upstream router
|
|
Service Virtualization (Multiple Security Context Mode)
|
· Transparent mode
· Routed mode
· NAT/PAT
· ACL
· Protocol inspection
· SNMP
· Syslog
· DHCP
· Resource management controls resource usage per security context
|
|
Inspection Engines
|
· Application policy enforcement
· Protocol conformance checking
· Protocol state tracking
· Security checks
· NAT/PAT support
· Dynamic port allocation
· Core Internet protocols: HTTP, FTP, Trivial File Transfer Protocol (TFTP), Simple Mail Transfer Protocol (SMTP), Extended SMTP (ESMTP), DNS, Extended DNS (EDNS), ICMP, TCP, UDP
· Database/OS services: Internet Locater Service/Lightweight Directory Access Protocol (ILS/LDAP), Oracle/SQL*Net v1 and v2, NetBIOS over IP, NFS, Remote Shell Protocol (RSH), SunRPC/NIS+, XWindows (XDMCP), Registration Admission and Status (RAS) v2
· Multimedia/VoIP: H.323 v1-4, Session Initiation Protocol (SIP), SCCP (Skinny), Skinny Video, GPRS Tunneling Protocol (GTP) v0 and v1 (3G Mobile Wireless), Media Gateway Control Protocol (MGCP) v0.1 and v1.0, Real-Time Streaming Protocol (RTSP), Telephony Application Programming Interface (TAPI) and Java TAPI (JTAPI) T.38 Fax over IP, Gatekeeper Routed Control Signaling (GKRCS), fragmented and segmented multimedia stream inspection
· Specific applications: Microsoft Windows Messenger, Microsoft NetMeeting, Real Player, Cisco IP phones, Cisco SoftPhone
· Security services: Point-to-Point Tunneling Protocol (PPTP)
|
|
High Availability
|
· Intrachassis and interchassis
· Active-Standby stateful failover
· Active-Active stateful failover support in multiple context mode
· Asymmetric routing support with Active-Active redundancy
|
|
Application Inspection Control
|
· Advanced HTTP inspection services: RFC compliance checking for protocol anomaly detection, HTTP command filtering, MIME type filtering, content validation, Uniform Resource Identifier (URI) length enforcement, and more
· Tunneling application control: AOL Instant Messenger, Microsoft Messenger, Yahoo Messenger, peer-to-peer applications (such as KaZaA and Gnutella), and other applications (such as GoToMyPC)
|
|
System Management
|
· Console to command-line interface (CLI): Session from switch, Cisco IOS Software-like CLI parser
· Telnet to the inside interface of FWSM
· Telnet over IPSec to the outside interface of FWSM
· SSH v1 and v2 to CLI
· Web GUI-based single device manager (HTTP, HTTPS): Cisco ASDM v5.0F for FWSM Software 3.1; Cisco PIX Device Manager 4.1 for FWSM Software 2.3; and Cisco PIX Device Manager 4.0 for FWSM Software 2.2
· Web GUI-based CiscoView Device Manager v1.0 for Cisco Catalyst 6500 to configure FWSM Software 2.3 or earlier and launch Cisco PIX Device Manager
· Web GUI-based multiple device manager: CiscoWorks VMS Management Center v1.3 for FWSM Software 2.3 or earlier; Cisco Security Manager for FWSM Software 2.3
· SNMP v2c MIBs and traps
· Authentication, authorization, and accounting (AAA): TACACS+ and RADIUS support
· Role-based administrative access
· Online upgrade
· Dedicated out-of-band management interface
|
|
Logging/Monitoring
|
· Syslog: External servers, up to 16 servers (4 per context)
· FTP, URL, ACL logging
· SNMP v2c
· Multiplatform real-time monitoring, analysis, and reporting with Cisco Security MARS
|
Note: Cisco FWSM Software versions 3.1, 2.3, and 2.2 incorporate many of the features from Cisco PIX Security Appliance Software versions 7.0, 6.3, and 6.2, respectively.
EXAMPLE FWSM DEPLOYMENTS
The Cisco FWSM can be deployed in topologies serving enterprise campuses, data centers, or service providers.
Today’s enterprises need more than just perimeter security-they need to connect business partners and provide campus security domains that serve multiple groups within these organizations. The Cisco FWSM provides a flexible, cost-effective, and performance-based solution that allows users and administrators to establish security domains with different policies within the organization. Figure 2 shows a campus deployment using stateful filtering to establish separate VLAN-based security domains.
Figure 2. Campus Deployment
Using the Cisco FWSM, users can set appropriate policies for different VLANs.
Data centers also require stateful firewall security solutions to protect data while delivering gigabit performance at the lowest possible cost. Figure 3 shows a data center with redundant FWSMs protecting server data.
Figure 3. E-Commerce Data Center Deployment
The FWSM maximizes capital investment by providing the best price-performance ratio in a firewall, and allows customers to replace expensive multiple firewalls that require additional firewall load-balancer devices.
ORDERING INFORMATION
Table 3. Cisco Firewall Services Module Hardware and Software Part Numbers
|
Product Number
|
Description
|
|
Hardware
|
|
WS-SVC-FWM-1-K9
|
Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series
|
|
WS-SVC-FWM-1-K9=
|
Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series (spare)
|
|
Security Bundles
|
|
WS-C6503-E-FWM-K9
|
Cisco Catalyst 6503 Firewall Security System with Enhanced Chassis and Supervisor Engine 720
|
|
WS-C6506-E-FWM-K9
|
Cisco Catalyst 6506 Firewall Security System with Enhanced Chassis and Supervisor Engine 720
|
|
WS-C6509-E-FWM-K9
|
Cisco Catalyst 6509 Firewall Security System with Enhanced Chassis and Supervisor Engine 720
|
|
WS-C6513-FWM-K9
|
Cisco Catalyst 6513 Firewall Security System with Enhanced Chassis and Supervisor Engine 720
|
|
Software
|
|
|
SC-SVC-FWM-1.1-K9
|
Firewall Services Module Software 1.1 for Cisco Catalyst 6500 Series and Cisco 7600 Series
|
|
SC-SVC-FWM-1.1-K9=
|
Firewall Services Module Software 1.1 for Cisco Catalyst 6500 Series and Cisco 7600 Series (spare)
|
|
SC-SVC-FWM-2.2-K9
|
Firewall Services Module Software 2.2 for Cisco Catalyst 6500 Series and Cisco 7600 Series
|
|
SC-SVC-FWM-2.2-K9=
|
Firewall Services Module Software 2.2 for Cisco Catalyst 6500 Series and Cisco 7600 Series (spare)
|
|
SC-SVC-FWM-2.3-K9
|
Firewall Services Module Software 2.3 for Cisco Catalyst 6500 Series and Cisco 7600 Series
|
|
SC-SVC-FWM-2.3-K9=
|
Firewall Services Module Software 2.3 for Cisco Catalyst 6500 Series and Cisco 7600 Series (spare)
|
|
SC-SVC-FWM-3.1-K9
|
Firewall Services Module Software 3.1 for Cisco Catalyst 6500 Series and Cisco 7600 Series
|
|
SC-SVC-FWM-3.1-K9=
|
Firewall Services Module Software 3.1 for Cisco Catalyst 6500 Series and Cisco 7600 Series (spare)
|
Note: Cisco Firewall Services Module Software 1.1 has reached end-of-sale status. Customers are encouraged to upgrade or purchase FWSM Software 2.3 or 3.1.
LICENSING
Table 4 lists the part numbers that are needed when ordering virtual firewall (security context) licenses. To be able to order any of these license tiers, you must be running FWSM Software 2.2(1) or higher. No changes in hardware are required when upgrading from FWSM Software 1.1 to versions 2.2, 2.3 and 3.1.
Table 4. Context License Part Numbers
|
Part Number
|
Description
|
|
FR-SVC-FWM-VC-T1
|
20 virtual firewall licenses for Cisco FWSM Software 2.2 or above
|
|
FR-SVC-FWM-VC-T2
|
50 virtual firewall licenses for Cisco FWSM Software 2.2 or above
|
|
FR-SVC-FWM-VC-T3
|
100 virtual firewall licenses for Cisco FWSM Software 2.2 or above
|
|
FR-SVC-FWM-VC-T4
|
250 virtual firewall licenses for Cisco FWSM Software 3.1
|
|
FR-SVC-FWM-UPGR1
|
Upgrade from 20 to 50 virtual firewalls for Cisco FWSM Software 2.2 or above
|
|
FR-SVC-FWM-UPGR2
|
Upgrade from 50 to 100 virtual firewalls for Cisco FWSM Software 2.2 or above
|
|
FR-SVC-FWM-UPGR3
|
Upgrade from 100 to 250 virtual firewalls for Cisco FWSM Software 3.1
|
Table 5. GTP/GPRS Mobile Wireless Inspection Licenses
|
Part Number
|
Description
|
|
FR-SVC-FWM-GTP
|
GTP Protocol Inspection Engine license for Cisco FWSM Software 3.1
|
SYSTEM REQUIREMENTS
• Cisco Catalyst 6500 Series Supervisor Engine 2 with Multilayer Switch Feature Card 2 (MSFC2) or Cisco Catalyst 6500 Series Supervisor Engine 720.
• Native Cisco IOS Software Release 12.1(13)E or later. If you are running a Supervisor Engine 720, you will need Cisco IOS Software Release 12.2(14)SX or later. Cisco FWSM Software 3.1 will be supported by Cisco IOS Release 12.2(18)SXF and higher for Supervisor Engine 720 and Supervisor Engine 32, and 12.2(18)SXF2 and higher for Supervisor Engine 2.
• Hybrid Cisco Catalyst OS Release 7.5(1) or later. If you are using a Supervisor Engine 720, you will need a minimum of Cisco Catalyst OS Release 8.2. Cisco FWSM Software 3.1 will be supported by Cisco Catalyst OS Release 8.5.
• If you intend to use the multi-SVI feature, you will need Cisco IOS Software Release 12.2(14)SY or later for native Cisco IOS Software, and for Cisco Catalyst OS you will need Release 7.(6) or later.
• If you intend to use the autostate feature, you will need Cisco Catalyst OS Release 8.4(1) or later.
• The FWSM occupies one slot in a Cisco Catalyst 6500 Series switch or Cisco 7600 Series router.
• Up to four firewall modules may be deployed in the same chassis.
HARDWARE SPECIFICATION
• Weight: 10 lb
• Power Consumption: 171.78W
REGULATORY COMPLIANCE
Safety
• UL 1950
• CSA C22.2 No. 950-95
• EN60950
• EN60825-1
• TS001
• CE Marking
• IEC 60950
• AS/NZS3260
Telecommunications
• ITU-T G.610
• ITU-T G.703
• ITU-T G.707
• ITU-T G.783 Sections 9-10
• ITU-T G.784
• ITU-T G.803
• ITU-T G.813
• ITU-T G.825
• ITU-T G.826
• ITU-T G.841
• ITU-T G.957 Table 3
• ITU-T G.958
• ITU-T I.361
• ITU-T I.363
• ITU I.432
• ITU-T Q.2110
• ITU-T Q.2130
• ITU-T Q.2140
• ITU-T Q.2931
• ITU-T O.151
• ITU-T O.171
• ETSI ETS 300 417-1-1
• TAS SC BISDN (1998)
• ACA TS 026 (1997)
• BABT /TC/139 (Draft 1e)
EMI
• FCC Part 15 Class A
• ICES-003 Class A
• VCCI Class B
• EN55022 Class B
• CISPR22 Class B
• CE Marking
• AS/NZS3548 Class B
NEBS
• SR-3580-NEBS: Criteria Levels (Level 3 compliant)
• GR-63-CORE-NEBS: Physical Protection
• GR-1089-CORE-NEBS: EMC and Safety
ETSI
• ETS-300386-2 Switching Equipment |
所属分类:
最新评论