cisco secure firewall services module (fwsm)



Document information

Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

Cisco Secure Firewall Services Module (FWSM)
Ray Blair, CCIE No. 7050
Arvind Durai, CCIE No. 7016

Copyright © 2009 Cisco Systems, Inc.

Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing September 2008

Library of Congress Cataloging-in-Publication Data:
Blair, Ray, 1965-
Cisco secure firewall services module (FWSM) / Ray Blair, Arvind Durai.
p. cm.
ISBN-13: 978-1-58705-353-5 (pbk.)
ISBN-10: 1-58705-353-5 (pbk.)
1. Computer networks—Security measures. 2. Firewalls (Computer security) 3. Cisco Systems, Inc. I. Durai, Arvind. II. Title.
TK5105.59.B563 2009
005.8—dc22
2008030575

ISBN-13: 978-1-58705-353-5
ISBN-10: 1-58705-353-5

Warning and Disclaimer

This book is designed to provide information about the Firewall Services Module, using practical design examples. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com
For sales outside the United States please contact: International Sales, international@pearsoned.com

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.
Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Development Editor: Dan Young
Senior Project Editor: Tonya Simpson
Copy Editor: Barbara Hacha
Technical Editors: Sunil Gul Wadwani, Bryan Osoro
Editorial Assistant: Vanessa Evans
Designer: Louisa Adair
Composition: Mark Shirar
Indexer: John Bickelhaupt
Proofreader: Kathy Ruiz

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0805R)

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

About the Authors

Ray Blair is a consulting systems architect and has been with Cisco Systems for more than eight years, working primarily on security and large network designs. He has 20 years of experience with designing, implementing, and maintaining networks that have included nearly all networking technologies. His first four years in the high-technology industry started with designing industrial computer systems for process monitoring. Mr. Blair maintains three Cisco Certified Internetwork Expert (CCIE) certifications in Routing and Switching, Security, and Service Provider. He also is a Certified Novell Engineer (CNE) and a Certified Information Systems Security Professional (CISSP).

Arvind Durai is an advanced services technical leader for Cisco Systems. His primary responsibility has been in supporting major Cisco customers in the Enterprise sector, some of which includes Financial, Manufacturing, E-commerce, State Government, and Health Care sectors. One of his focuses has been on security, and he has authored several white papers and design guides in various technologies. Mr. Durai maintains two Cisco Certified Internetwork Expert (CCIE) certifications in Routing and Switching and Security. Mr. Durai holds a Bachelor of Science degree in Electronics and Communication, a Master's degree in Electrical Engineering (MS), and a Master's degree in Business Administration (MBA).

About the Technical Reviewers

Sunil Wadwani, M.S., M.B.A., is a technical marketing engineer for the Security Technology Business Unit (STBU) at Cisco. Sunil is a 20-year veteran of the technology field with experience in the design, development, and provisioning of networking products.
His career in Cisco began in 1992, when he was part of a design team developing the first version of the Cisco 7200 router. Sunil's primary responsibility today as a technical marketing engineer requires him to advise customers and sales engineers on some of the deployment aspects of security products such as VPN, firewall, and IPS. Sunil has an M.S. in Computer Engineering from the University of California, Irvine, and an M.B.A. from Santa Clara University. He lives in Saratoga, California, with his wife Shalini and two sons, Shiv and Kunal.

Bryan Osoro, CCIE No. 8548, is a systems engineer with Cisco and has covered the small/medium business, large enterprise, and some service provider networks in the Pacific Northwest for the past five years. He also has spent time working in the TAC organization supporting a variety of technologies, including the PIX and VPN security devices. Mr. Osoro has been responsible for designing highly complex network environments with strict requirements for availability and reliability. He currently maintains four CCIE certifications in Routing/Switching, Security, Service Provider, and Voice. He is also a Certified Information Systems Security Professional (CISSP) and holds the Juniper Networks Certified Internet Specialist (JNCIS-M) certification.

Dedications

Ray Blair: As with everything in my life, I thank my Lord and Savior for his faithful leading that has brought me to this place. This book is dedicated to my wife, Sonya, and my children, Sam, Riley, Sophie, and Regan. You guys mean the world to me!

Arvind Durai: This book is dedicated to my wife, Monica, who pushed me in this endeavor, supported me during the long hours, and helped me achieve this goal—and to my son, Akhhill, who always gave me the extra energy that recharged me to work on this book. To my parents, for providing me with values and opportunities. To my brother and family, my parents-in-law, and brother-in-law and family for all their support and wishes.
Thank you, God!

Acknowledgments

Ray Blair: This project was a significant undertaking, and without the support of those mentioned below as well as many others, this would not have been an achievable goal. I am very grateful for all your help and support in completing this book!

To my nontechnical wife, who was the initial reviewer, who suffered through reading technical material, finding errors and phrasing that didn't make sense, I will always remember your sacrifice and commitment to the success of this book—thank you!

Thanks to my children, Sam, Riley, Sophie, and Regan, for your patience in the many hours I spent working on this book and tolerating the "We'll do it after I get this book done" response. Let's go fishing!

Arvind, your excellent technical knowledge and the great working relationship that we have always enjoyed made writing this book a pleasure. I look forward to many more years as your colleague and friend.

Arvind Durai: Thanks to my wife, who reviewed all my chapters several times during each stage of the book and gave me suggestions for improvement. She spent numerous late nights and early mornings working on the book review with me. I never felt alone. Thank you!

I would like to thank Andrew Maximow (director, Cisco Advanced Services), Uwe Fisher (manager, Advanced Services), and Naheed Alibhai (manager, Advanced Services) for supporting me in this effort. I also want to extend my thanks to all my peers with whom I worked on customer designs.

Ray, this book has been a great partnership. Your technical knowledge is awesome. You have been a great friend and colleague, and it is always a pleasure working with you.

Thanks to everyone who supported me directly or indirectly in every phase of the book. Without all your support, this book would not have been possible.

Our special thanks to: We are very grateful to Bryan Osoro and Sunil Gul Wadwani. Without the talent of these two technical reviewers, the book wouldn't have been possible.
A big thanks to the product, development, and test teams within Cisco that provided answers to questions and prereleased code for testing: Reza Saada, Chandra Modumudi, Donovan Williams, Muninder Sambi, Munawar Hossain, Christopher Paggen, and Ben Basler.

The Cisco Press team was very helpful in providing excellent feedback and direction; many thanks to Brett Bartow, Christopher Cleveland, Dan Young, and Tonya Simpson.

Thanks to all our customers with whom we have worked. Each customer scenario inspired us to write this book.

Contents at a Glance

Introduction xxi
Part I Introduction 3
  Chapter 1 Types of Firewalls 5
  Chapter 2 Overview of the Firewall Services Module 19
  Chapter 3 Examining Modes of Operation 35
  Chapter 4 Understanding Security Levels 53
  Chapter 5 Understanding Contexts 73
Part II Initial Configuration 87
  Chapter 6 Configuring and Securing the 6500/7600 Chassis 89
  Chapter 7 Configuring the FWSM 105
  Chapter 8 Access Control Lists 125
  Chapter 9 Configuring Routing Protocols 135
  Chapter 10 AAA Overview 171
  Chapter 11 Modular Policy 183
Part III Advanced Configuration 195
  Chapter 12 Understanding Failover in FWSM 197
  Chapter 13 Understanding Application Protocol Inspection 219
  Chapter 14 Filtering 235
  Chapter 15 Managing and Monitoring the FWSM 245
  Chapter 16 Multicast 265
  Chapter 17 Asymmetric Routing 287
  Chapter 18 Firewall Load Balancing 303
  Chapter 19 IP Version 6 327
  Chapter 20 Preventing Network Attacks 345
  Chapter 21 Troubleshooting the FWSM 357
Part IV Design Guidelines and Configuration Examples 373
  Chapter 22 Designing a Network Infrastructure 375
  Chapter 23 Design Scenarios 401
Part V FWSM 4.x 447
  Chapter 24 FWSM 4.x Performance and Scalability Improvements 449
  Chapter 25 Understanding FWSM 4.x Routing and Feature Enhancements 469
Index 486

Contents

Introduction xxi
Part I Introduction 3
Chapter 1 Types of Firewalls 5
  Understanding Packet-Filtering Firewalls 5
    Advantages 5
    Caveats 6
  Understanding Application/Proxy Firewalls 7
    Advantages 8
    Caveats 8
  Understanding Reverse-Proxy Firewalls 10
    Advantages 10
    Caveats 12
  Utilizing Packet Inspection 12
  Reusing IP Addresses 13
    NAT 14
    PAT 15
  Summary 16
Chapter 2 Overview of the Firewall Services Module 19
  Specifications 19
  Installation 20
  Performance 22
  Virtualization 23
  Comparing the FWSM to Other Security Devices 24
    IOS FW 25
    PIX 25
    ASA 25
  Hardware Architecture 26
  Software Architecture 29
  Summary 31

[...]

    [...] 297
  Summary 301
Chapter 18 Firewall Load Balancing 303
  Reasons for Load Balancing Firewalls 303
  Design Requirements for Firewall Load Balancing 304
  Firewall Load-Balancing Solutions 305
    Firewall Load Balancing with Policy-Based Routing 305
    Firewall Load Balancing with Content Switch Module 307
      Configuring the CSM 308
      Snapshot Configuration for CSM Supporting Firewall Load Balancing
    Firewall Load Balancing [...]

[...]

Part I Introduction
  Chapter 1 Types of Firewalls
  Chapter 2 Overview of the Firewall Services Module
  Chapter 3 Examining Modes of Operation
  Chapter 4 Understanding Security Levels
  Chapter 5 Understanding Contexts

CHAPTER 1 Types of Firewalls

By definition, a firewall is a single device used to enforce security policies within a network or between networks by controlling traffic flows. The Firewall Services Module (FWSM) is a very [...]

[...] choice within an optional element.

Introduction

Firewalls are one of the main components used in securing a network infrastructure, and having an in-depth understanding of how these devices function is paramount to maintaining a secure network. This book was written to provide an understanding of the functionality of the Firewall Services Module (FWSM), from both a hardware and software perspective [...]
[...] 82

[...]

    [...] 484
    Smartfilter HTTPS Support 485
  Summary 485
  References 485
Index 486

Icons Used in This Book

Router; PIX Firewall; Web Server; Switch; Firewall Services Module; Ethernet Connection; Route Switch Processor; Multi-Switch Device; Firewall; PC; Serial Line Connection; Bridge; Laptop; Router with Firewall; Server; Network Cloud

Command Syntax Conventions

The conventions used to present command syntax in this book [...]

[...]

    Firewall in Multiple Context Mode 279
  Summary 284
Chapter 17 Asymmetric Routing 287
  Asymmetric Routing Without a Firewall 287
  Asymmetric Traffic Flow in a Firewall Environment 289
  Avoiding Asymmetric Routing Through Firewalls 290
    Option 1: Symmetric Routing Through Firewalls 290
    Option 2: Firewall Redundancy and Routing Redundancy Symmetry 292
  Supporting Asymmetric Routing in FWSM 294
    Asymmetric Routing [...]

[...] configurations, design guides and configuration examples, and features and functionality introduced in FWSM version 4.x code:

• Chapter 1, "Types of Firewalls": This chapter explains the functionality of the different types of firewalls.
• Chapter 2, "Overview of the Firewall Services Module": This chapter covers specifications, installation information, performance, and virtualization; shows a comparison of IOS FW, [...]

[...]

    Configuration 269
  Multicast Traffic Across Firewalls 269
    FWSM 1.x and 2.x Code Releases 269
    FWSM 3.x Code Release 270
  Configuration Methods 273
    Method 1: Configuration Example for Multicast Through Firewall in Single Context Routed Mode 273
    Method 2: Configuration Example for Multicast Through Firewall via GRE 276
    Method 3: Configuration Example for Multicast Through Transparent Firewall in Multiple Context Mode [...]
    System Context Configurations 111
    Admin Context Configurations 112
  Packet Classifier in FWSM Context Mode 112
  Understanding Resource Management in Contexts 113
  Configuration Steps for Firewall Services Module 113
    Type 1: Configuring Single Context Routed Mode 114
    Type 2: Configuring Single Context Transparent Mode 116
    Type 3: Configuring Multiple Context Mixed Mode 119
  Summary 123
Chapter 8 [...]

[...]

      Snapshot Configuration for CSM Supporting Firewall Load Balancing 308
    Firewall Load Balancing Using the Application Control Engine 313
      ACE Design for Firewall Load Balancing 313
      Firewall Load Balancing Configuration Example 318
        OUT2IN Policy Configuration 319
        Firewall Configuration 319
        IN2OUT Policy Configuration 323
  Summary 324
Chapter 19 IP Version 6 327
  Understanding IPv6 Packet Header 327
  Examining [...]

[...] application layer of the OSI model. These devices act on behalf of a client (aka proxy) for requested services. For example, open a web browser and then open a web page to www.cisco.com. The request is sent to the proxy firewall, and then the proxy firewall, acting on your behalf, opens a web connection to www.cisco.com. That information is then transmitted to your web browser for your viewing pleasure.

Advantages [...]
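The proxy-firewall exchange described above can be made concrete with a small model of both halves of the flow: the client's request arrives at the proxy, the proxy parses it at the application layer and checks it against policy, and only an allowed request results in the proxy opening its own connection to the origin server on the client's behalf. The following Python is an added example written for this page; it is not code from the book or from Cisco. The allow-list, the hostnames, the sample requests, and the `upstream` callable standing in for the outbound TCP connection are all constructed assumptions for illustration.

```python
"""Minimal application/proxy-firewall policy engine (added example, not from the book).

Models the two-step exchange: client -> proxy (parse and enforce policy),
then proxy -> origin server on the client's behalf, only if policy allows.
The policy values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed policy: origin hosts clients may reach, and methods they may use.
ALLOWED_HOSTS = {"www.cisco.com", "www.example.com"}
ALLOWED_METHODS = {"GET", "HEAD"}
MAX_REQUEST_LINE = 8192  # refuse oversized request lines instead of parsing them

# Headers that are meaningful only between client and proxy; never forwarded.
HOP_BY_HOP = {"proxy-connection", "proxy-authorization", "connection", "keep-alive"}


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: Dict[str, str]


class PolicyViolation(Exception):
    """Raised when a request is malformed or denied by policy."""


def parse_request(raw: bytes) -> Request:
    """Parse the HTTP/1.x request head a client sends to an explicit proxy."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        raise PolicyViolation("request line too long")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise PolicyViolation("malformed request line")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise PolicyViolation("malformed header")
        headers[name.strip().lower()] = value.strip()
    # Clients talking to an explicit proxy send an absolute URI; the origin
    # host and path are derived from it, falling back to the Host header.
    if target.startswith("http://"):
        host, _, rest = target[len("http://"):].partition("/")
        path = "/" + rest
    else:
        host, path = headers.get("host", ""), target
    if not host:
        raise PolicyViolation("no destination host")
    return Request(method, host.split(":")[0].lower(), path, headers)


def enforce_policy(req: Request) -> None:
    """Application-layer policy decision: raise unless the request is permitted."""
    if req.method not in ALLOWED_METHODS:
        raise PolicyViolation(f"method {req.method} not allowed")
    if req.host not in ALLOWED_HOSTS:
        raise PolicyViolation(f"host {req.host} not allowed")


def build_upstream_request(req: Request) -> bytes:
    """Build the request the proxy itself sends to the origin server.

    Hop-by-hop headers are dropped so proxy-specific fields never reach the
    origin; header names are emitted lowercase (HTTP treats them case-insensitively).
    """
    lines = [f"{req.method} {req.path} HTTP/1.1", f"Host: {req.host}"]
    for name, value in req.headers.items():
        if name == "host" or name in HOP_BY_HOP:
            continue
        lines.append(f"{name}: {value}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Stand-in for the outbound connection the proxy opens: (host, request) -> response.
Upstream = Callable[[str, bytes], bytes]


def handle(raw: bytes, upstream: Upstream) -> bytes:
    """Full round trip: returns the bytes the proxy sends back to the client.

    Denied or malformed requests get a 403 generated by the proxy; the origin
    server is never contacted for them. Allowed requests are forwarded and the
    origin's response is relayed as-is.
    """
    try:
        req = parse_request(raw)
        enforce_policy(req)
    except PolicyViolation as exc:
        body = f"Blocked by proxy policy: {exc}".encode()
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: %d\r\n\r\n" % len(body) + body
    return upstream(req.host, build_upstream_request(req))


if __name__ == "__main__":
    def demo_upstream(host: str, request: bytes) -> bytes:
        print(f"proxy -> {host}:\n{request.decode()!r}")
        return b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

    allowed = b"GET http://www.cisco.com/ HTTP/1.1\r\nHost: www.cisco.com\r\nProxy-Connection: keep-alive\r\n\r\n"
    denied = b"GET http://intranet.internal/ HTTP/1.1\r\nHost: intranet.internal\r\n\r\n"
    print(handle(allowed, demo_upstream))
    print(handle(denied, demo_upstream))
```

The point a reader should take from this is where the decision happens: because the proxy terminates the client's connection and reads the request as HTTP rather than as packets, it can allow or deny on method and destination host, strip client-side headers, and refuse malformed input before anything reaches the origin server. A packet filter working on addresses and ports alone has none of that context.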

Posted: 25/03/2014, 11:09

Table of contents

• Cisco Secure Firewall Services Module (FWSM)
• Contents
• Introduction
• Part I: Introduction
  • Chapter 1 Types of Firewalls
    • Understanding Packet-Filtering Firewalls
    • Understanding Application/Proxy Firewalls
    • Understanding Reverse-Proxy Firewalls
    • Utilizing Packet Inspection
    • Reusing IP Addresses
    • Summary
  • Chapter 2 Overview of the Firewall Services Module
    • Specifications
    • Installation
    • Performance
    • Virtualization
    • Comparing the FWSM to Other Security Devices
    • Hardware Architecture
    • Software Architecture
    • Summary
  • Chapter 3 Examining Modes of Operation
    • Working with Transparent Mode
    • Working with Routed Mode
    • Summary
