Transcription

Data SheetCisco Firewall Services Module for Cisco Catalyst6500 Series and Cisco 7600 SeriesFigure 1.Cisco Catalyst 6500 Series and 7600 Series Firewall Services Module The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches andCisco 7600 Series routers is a high-performance, integrated stateful inspection firewall withapplication and protocol inspection engines. It provides upto 5.5 Gbps of throughput, 100,000 newconnections per second, one million concurrent connections or 256,000 NAT translations and upto80,000 Access Control List Entries. Up to four FWSMs can be installed in a single chassis, providing scalability up to 20 Gbps per chassis. As an extension to the Cisco PIX /ASA family ofsecurity appliances, the FWSM provides large enterprises and service providers with superiorsecurity, performance, and reliability.Based on Cisco PIX/ASA firewall technology, the FWSM is a hardened, embedded system thateliminates security holes and performance-degrading overhead. The Cisco FWSM tracks thestate of all network communications and prevents unauthorized network access. It deliversstrong application-layer security through intelligent, application-aware inspection engines thatexamine network flows at Layers 4–7, including market-leading protection for voice over IP (VoIP),multimedia, instant messaging, and peer-to-peer applications.Flexible Management OptionsThe Cisco FWSM is managed by the integrated Cisco PIX Device Manager (PDM) for theCisco FWSM Software v2.3 or earlier, or by the Cisco Adaptive Security Device Manager (ASDM)for Cisco FWSM Software v3.1 or later for device and policy configuration, monitoring, andtroubleshooting of a single FWSM. Cisco PDM can be launched from the CiscoWorks CiscoViewDevice Manager (CVDM) for device provisioning of Cisco Catalyst switches and other servicesmodules. The Cisco FWSM can also be managed from centralized, scalable, multidevice policybased management tools, including CiscoWorks VPN/Security Management Solution (VMS);the Cisco Security Manager; and the Cisco Security Monitoring, Analysis, and Response System(MARS). Together with other security devices, these central management tools manage theFWSM throughout the network in a consistent manner to best expedite large security deployments. 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 1 of 12

Data SheetSecurity Services IntegrationThe Cisco FWSM can be combined with other Cisco security services modules such as theIntrusion Detection Services Module (IDSM-2), IP Security (IPSec) VPN Shared Port Adapter(SPA), Traffic Anomaly Detection Module (ADM), Anomaly Guard Module (AGM), and the NetworkAnalysis Module (NAM-1 and NAM-2). Together, these services modules provide a complete selfdefending network solution. Integration of service modules into one chassis allows for ease of useand support for network administrators. Role-based remote access controls fosters collaborationfor IT managers.With this modular approach, customers can use their existing switching and routing infrastructuresfor cost-effective deployment—and can do so while obtaining the highest performance available inthe industry and providing secured IP services along with multilayer LAN and WAN switching androuting capabilities.Firewall Services Module BenefitsIntegrated Module Enhances Security and Lowers Cost of OwnershipBesides protecting the perimeter of the corporate network from threats, the Cisco FWSM isinstalled inside a Cisco Catalyst 6500 Series switch or Cisco 7600 Series router, inspects trafficflows and prevents unauthorized users from accessing a particular subnet, workgroup, or LANwithin a corporate network. This intelligent network integration allows the FWSM to provide greaterinvestment protection, a lower total cost of ownership, and a reduced footprint where power andrack space are at a premium. Any physical port on the switch can be configured to operate withfirewall policy and protection, allowing for easy deployment without additional configuration andcabling, and providing firewall security inside the network infrastructure. The FWSM can bedeployed together with other Cisco Catalyst 6500 Series and Cisco 7600 Series securityservices modules, for a secure, multilayer defense-in-depth IP services solution.High Performance, High Scalability and Low Latency Ready for the FutureThe FWSM is based on high-speed network processors that provide high performance but retainthe flexibility of general-purpose CPUs. The Cisco FWSM provides industry-leading performanceof upto 100,000 new connections per second, 5.5 Gbps of throughput, and one million concurrentconnections per service module. This superior performance helps organizations meet futuregrowing requirements without requiring a system overhaul. Multiple FWSMs can be clusteredusing static VLAN configurations or the Catalyst 6500 IOS Policy-based Routing (PBR) fordirecting traffic to these FWSMs. Up to four FWSMs can be deployed in the same chassis for atotal of 20 Gbps throughput. A single FWSM can support up to 1000 virtual interfaces (maximum of100 per context), and a single chassis can scale up to a maximum of 4000 VLANs. In addition, twoCisco Application Control Engines (ACE) can be used within the Catalyst 6500 chassis to loadbalance three FWSMs for over 15Gbps of firewall throughput, over 150,000 connections persecond and two million concurrent connections.Full firewall protection is applied across the switch backplane, giving the lowest latency figures(30 microseconds for small frames) possible. This is important to secure latency-sensitiveapplications such as financial market data and voice over IP (VoIP). 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 2 of 12

Data SheetService Virtualization Reduces Cost and Complexity of ManagementThe Cisco FWSM provides service virtualization, which allows service providers and largeenterprises to implement separate policies for different customers or functional areas, such asmultiple demilitarized zones (DMZs), over the same physical infrastructure. Virtualization helpsreduce the cost and complexity of managing multiple devices, and makes it easier to add or deletesecurity contexts as subscribers grow. A single FWSM can be partitioned into a maximum of 250virtual firewalls (security contexts) in Cisco FWSM Software v3.1 or above. FWSM virtualizationincludes support for Transparent Mode (Layer 2) and Routed Mode (Layer 3). All policies,monitoring and logging are supported in FWSM virtualization which includes Network AddressTranslation (NAT), access control lists (ACLs), inspection engines, Simple Network ManagementProtocol (SNMP), syslog, and Dynamic Host Control Protocol (DHCP), and more.The FWSM Resource Manager helps ensure high availability by limiting resource usageallocated to each security context at any time. This can prevent certain contexts from consumingall resources and denying those resources to other contexts. These resources include number ofconnections, local hosts, NATs, ACLs, bandwidth, inspection rates, and syslog rates. Role-basedmanagement allows multiple IT owners to configure and manage network-and application-layersecurity policies. Used at the Internet edge, the FWSM can be configured to map virtual firewallsto virtual routing and forwarding instances (VRFs) to provide complete traffic separation andsecurity on the campus network. With the default FWSM software, up to two security contextsand an additional special administrative context are provided. For more security contexts, a licensemust be purchased.Ease of Deployment with Transparent (Layer 2) FirewallThe transparent firewall feature configures the FWSM to act as a Layer 2 bridging firewall andrequires minimal changes to the network topology. The use of a transparent firewall reduces boththe configuration and deployment time. There are no IP addresses except for the managementinterface; no subnetting or configuration updates are required with transparent firewalls. Thetransparent firewall feature greatly simplifies deployment in the data center for protecting hosts.The transparent firewalls also fit into existing networks with no Layer 3 changes and transparentlypass Layer 3 traffic from routers, allowing interoperability with IP services such as Hot StandbyRouter Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), Gateway Load BalancingProtocol (GLBP), Multicast, and non-IP traffic such as Internetwork Packet Exchange (IPX),Multiprotocol Label Switching (MPLS), and bridge protocol data units (BPDUs). The transparentfirewall is also supported for multiple virtual firewalls. With the release of Cisco FWSM Softwarev3.1, a mixture of transparent firewall and routed firewall can also be implemented on the sameFWSM, providing the most flexible network deployment options. All Layer 3 firewall features aresupported with transparent firewall, including NAT and PAT in Cisco FWSM Software v3.2.High AvailabilityFor network resilience, the Cisco FWSM supports high-speed failover between modules within asingle Cisco Catalyst 6500 or Cisco 7600 chassis (intrachassis) and between modules in separatechassis (interchassis), offering customers complete flexibility in their firewall deployments. CiscoFWSM Software v3.1 adds Active-Active stateful failover support in multiple context mode inaddition to Active-Standby stateful failover. 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 3 of 12

Data SheetRobust Stateful Inspection and Application-Layer SecurityThe Cisco FWSM is based on the Cisco PIX firewall technology, also known as the AdaptiveSecurity Algorithm (ASA). The FWSM offers rich stateful inspection firewall services, tracking thestate of all network communications, applying security policy, and preventing Denial of Serviceattacks and unauthorized network access. The FWSM creates a connection table entry for asession flow based on the source and destination addresses, randomized TCP sequencenumbers, port numbers, and additional TCP flags, and applies security policy to theseconnections.Building upon the network-based firewall services, the FWSM also delivers strong application-layersecurity through intelligent, application-aware inspection engines that examine network flowsat Layers 4–7. To defend networks from application-layer attacks, these inspection enginesincorporate extensive application and protocol knowledge, and employ security enforcementtechnologies that include standards conformance checking, protocol anomaly detection,application and protocol state tracking, bidirectional NAT services, bidirectional ACLs, PortAddress Translation (PAT), and attack detection and mitigation techniques such asapplication/protocol command filtering, content verification, URL obfuscation, and URL filtering.These inspection engines give businesses control over instant messaging, peer-to-peer filesharing, and tunneling applications. In addition, the FWSM provides market-leading protection fora wide range of VoIP and other multimedia standards.Cisco FWSM Platform Performance and CapacitiesTable 1 provides information on the performance and capacity of the Cisco FWSM.Table 1.Cisco FWSM Platform Performance and CapacitiesCapacitiesPerformance 5.5 Gbps throughput per service module Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis with static VLANor IOS Policy-based Routing 2.8 Mpps 1 million concurrent connections 100,000 connection setups and teardowns per second 256,000 concurrent NAT or PAT translations Jumbo Ethernet packets (8500 bytes) supportedVLAN Interfaces 1000 total per service module 256 VLANs per security context in routed mode 8 VLAN pairs per security context in transparent modeAccess Lists Up to 80,000 Access Control Entries in single context mode Note: the FWSM implements Layer 3 and 4 access control securitychecks in hardware with virtually no performance impact using nonupgradeable high-speed memoryVirtual Firewalls (Security Contexts) 20, 50, 100, 250 Virtual Firewall licenses 2 Virtual Firewalls and 1 administrative context are provided for testingpurposes. 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 4 of 12

Data SheetFWSM Overall Feature SummaryTable 2 provides an overall feature summary of the Cisco FWSM.Table 2.FWSM Overall Feature SummaryFeaturesSummaryScalable Architecture to SupportUp to 20 Gbps of FirewallServices within the Catalyst 6KInfrastructure A variety of industry proven clustering techniques deliver a seamless methodto scale firewall performance to 20 Gbps and beyond.Visibility into Encrypted Threats Leveraging SSL decryption capabilities within the Catalyst 6K infrastructure,the FWSM has the ability to gain visibility into encrypted policy violations towhich traditional firewalls have no visibility.Intelligent Network Services Layer 2 Firewall (transparent mode) with NAT and PAT support Layer 2 Firewall (transparent mode) with NAT and PAT support Layer 3 Firewall (route and/or NAT mode) Mixed Layer 2 and Lyer 3 firewall per FWSM Dynamic/static NAT and PAT Policy-based NAT VRF-aware NAT Destination NAT for Multicast Static routing support in signle- and multiple security content mode Dynamic routing in single security context mode: Open Shortest Path First(OSPF). Routing Initiation Protocol (RIP) v1 and v2, PIM Sparse Mode v2multicast routing, Internet Group Management Protocol (IGMP) v2. Dynamic routing in single and virtual security context mode using stub iBGP(Licensed feature) Transparent mode supports static routing only Private VLAN for L2 and L3 firewall enables firewall security policies betweenisolated ports. Asymmetric routing supporting without redundancy by using asymmetricrouting groups IPv6 networking and management access using IPv6 HTTPS, Secure ShellProtocol (SSH) v1 and v2, and TelnetCore Stateful Firewall NAT Translate bypass enhances scalability by not creating NATtranslate entries when no NAT-control or NAT except is used Selective TCP State Bypass on a per flow basis Timeout on a per flow for TCP and non-TCP flows ACLs: Extended ACL for IP traffic, Ethertype ACL for non-IP traffic, standardACL for OSPF route distribution, per-user Cisco Secure Access Control Server(ACS)-based ACLs, per-user ACL override, object fgrouping for ACLs, timebased ACLs Cisco Modular Policy Framework (MPF) with flow-based security policies Cut-through user authentication proxy with local database and externalAAA server support: TCP, HTTP, FTP, HTTPS, and others URL filtering: Filter HTTP, HTTPS, and FTP requests by Websense Enterpriseor HTTP filtering by N2H2 (now part of Secure Computing Corporation) Same security-level communication between VLANs (without NAT/staticpolicies) and per-host maximum connection limit Protection from denial of service (DoS) attacks: DNS Guard, Flood Defender,Flood Guard, TCP Intercept with SYN cookies organization, Unicast ReversePath Forwarding (uRPF), Mail Guard, FragGuard and Virtual Reassembly,Internet Control Message Protocol (ICMP) stateful inspection, User DatagramProtocol (UDP) rate control, TCP stream re-assembly and deobfuscationengine, TCP traffic normalization services for attack detection Address Resolution Protocol (ARP) inspection in transparent firewall mode DHCP server, DHCP relay to upstream router with per interface configuration 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 5 of 12

Data SheetFeaturesService Virtualization(Multiple Security Context Mode)Summary Transparent Routed Mode NAT/PAT ACL Protocol Inspection SNMP Syslog DHCP Resource management controls resource usage per security contextInspection Engines Application policy enforcement Protocol conformance checking Protocol state tracking Security checks NAT/PAT support Dynamic port allocation Core internet protocols: HTTP, FTP, Trivial File Transfer Protocol (TFTP),Simple Mail Transfer Protocol (SMTP), Extended SMTP (ESMTP), DNS,Extended DNS (EDNS), ICMP, TCP, UDP Database/OS services: Internet Locator Services/Lightweight Directory AccessProtocol (ISL/LDAP), Oracle/SQL*Net v1 and v2, NetBIOS over IP, NFS,Remote Shell Protocol (RSH), sUNrpc/nis , XWindows (SDMCP), RegistrationAdmission and Status (RAS) v2 Multimedia/VoIP: H.323 v1–4, H.323 Gatekeeper Cluster GUP messagesupport, Session Initiation Protocol (SIP), SCCP (Skinny), Skinny Video,GPRS Tunneling Protocol (GTP) v0 and v1 (3G Mobile Wireless), MediaGateway Control Protocol (MGCP) v0.1 and v1.0, Real-Time StreamingProtocol (RTSP), Telephony Application Programming Interface (TAPI) andJava TAPI (JTAPI) T.38 Fax over IP, Gatekeeper Routed Control Signaling(GKRCS), fragmented and segmented multimedia stream inspection Specific applications: Microsoft Windows Messenger, Microsoft NetMeeting,Real Player, Cisco IP phones, Cisco SoftPhone Security services: Point-to-Point Tuneling Protocol (PPTP)High Availability Intrachassis and interchassis Active-Standby stateful failover Active-Active stateful failover support in multiple context mode Asymmetric routing support with Active-Active redundancyApplication Inspection Control Advanced HTTP inspection services: RFC compliance checking for protocolanomaly detection, HTTP command filtering, MIME type filtering contentvalidation, Uniform Resource Identifier (URI) length enforcement, and more Tunneling application control: AOL Instant Messenger, Microsoft Messenger,Yahoo Messenger, peer-to-peer applications (such as KaZaA and Gnutella),and other applications (such as GoToMyPC)System Management Console to command-line interface (CLI): Session from switch, Cisco IOSSoftware-like CLI parser Telnet to the inside interface of FWSM Telnet over IPSec to the outside interface of FWSM SSH v1 and v2 to CLI Web GUI-based single device manager (HTTP, HTTPS): Cisco ASDM v5.2Ffor FWSM 3.2; Cisco ASDM v5.0F for FWSM Software 3.1; Cisco PIX DeviceManager 4.1 for FWSM Software 2.3; Web GUI-based multiple device manager: Cisco Security Manager v3.0 orabove for FWSM Software 2.3 or later; CiscoWorks VMS Management Centerv1.3 for FWSM Software 2.3 or earlier Web GUI-based CiscoView Device Manager v1.0 for Cisco Catalyst 6500to configure FWSM Software 2.3 or earlier and launch Cisco PIX DeviceManager Web GUI-based multiple device manager: CiscoWorks VMS ManagementCenter v1.3 for FWSM Software 2.3 or earlier; Cisco Security Manager forFWSM Software 2.3 SNMP v2c MIBs and traps Authenticaiton, authorization, and accounting (AAA): TACACS and RADIUSsupport Role-based administrative access Online upgrade Dedicated out-of-band management interface 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 6 of 12

Data SheetFeaturesLogging/MonitoringSummary Syslog: External servers, up to 16 servers (4 per context) FTP, URL, ACL logging SNMP v2c Multiplatform real-time monitoring, analysis and reporting with Cisco SecurityMonitoring, Analysis and Response System (MARS) v4.2 for FWSM Software2.3 or laterNote:Cisco FWSM Software versions 3.2, 3.1, 2.3, and 2.2 incorporate many of the featuresfrom Cisco PIX Security Appliance Software versions 7.0, 6.3, and 6.2, respectively.Example FWSM DeploymentsThe Cisco FWSM can be deployed in topologies serving enterprise campuses, data centers,or service providers. The FWSM maximizes capital investment by providing the best priceperformance ratio in a firewall.Today’s enterprises need more than just perimeter security—they need to connect businesspartners and provide campus security domains that serve multiple groups within theseorganizations. The Cisco FWSM provides a flexible, cost-effective, and performance-basedsolution that allows users and administrators to establish security d