CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

Foundation and Supplemental Topics

Cisco Firewall Services Module Overview

The Cisco Firewall Services Module (FWSM) is a high-performance firewall solution, providing 5 gigabits per second (Gbps) of throughput from a single FWSM. Combining multiple modules in a single chassis enables you to scale this throughput to 20 Gbps. Some features of the FWSM include the following:

• Is fully virtual LAN (VLAN) aware

• Supports dynamic routing

• Integrates firewall functionality and switching in a single chassis

• Supports the entire Cisco PIX Firewall Version 6.0 feature set and some Version 6.2 features

• Allows up to 1 million concurrent connections

• Supports 5-Gbps throughout

• Enables multiple FWSMs per chassis

• Supports intrachassis and interchassis stateful failure

• Provides multiple management options

Initially, the FWSM provided several features that were not available with the PIX software. These included features such as Open Shortest Path First (OSPF) functionality and support for VLAN tagging. As of PIX Firewall Version 6.3, many of these features have been incorporated into the PIX software. Chapter 9, "Routing and the PIX Firewall."

Because the FWSM command set is derived from the PIX 6.0 feature set, many of the configuration tasks that you use to configure the FWSM are similar if not identical to the PIX configuration tasks. Therefore, this chapter focuses on the following aspects of the FWSM:

• Basic deployment scenarios

• Initializing the FWSM

• Using PIX Device Manager (PDM) with the FWSM

• Troubleshooting the FWSM

Basic Deployment Scenarios

Figure 19-1 shows a basic network configuration in which a central switch is used to connect various VLANs both at Layer 2 and at Layer 3. Protecting the perimeter of the network with a firewall is the first step in securing this network configuration. Securing the flow of traffic between multiple internal VLANs, however, can be a more difficult task.

Because the FWSM is tightly integrated with the switch, securing the traffic flowing between multiple VLANs on your network becomes an easier task to manage. When you place a FWSM in your central Catalyst 6500 switch, the configuration has the following characteristics:

• Each firewall interface is a Layer 3 interface that is associated with a VLAN, security level, and Internet Protocol (IP) address.

• Traffic from all nonfirewall VLANs in the switch (those not part of a firewall group) is routed through the Multilayer Switch Feature Card (MSFC) without being examined by the firewall.

• The MSFC may be configured as a connected router on any firewall interface.

• Traffic for all VLANs that are part of a firewall group is protected and controlled by the FWSM, whereas other VLANs are considered to be outside the firewall.

When integrating the FWSM into your network's security configuration, you need to decide on the location of the MSFC. The MSFC enables your switch to forward traffic between multiple VLANs because it performs routing or Layer 3 functionality. You can configure your MSFC in one of the following three configurations. Each is discussed in more detail in the following pages.

• MSFC as inside router

• MSFC as the outside router

• MSFC not directly connected to FWSM

Multilayer Switch Feature Card as the Inside Router

Figure 19-2 shows a FWSM configuration with the MSFC used as a router on the network inside the firewall. VLANs 100, 200, and 700 are configured as firewall VLANs. The MSFC is connected to VLAN 100 (which is a firewall-controlled VLAN). In this configuration, traffic between VLANs 300, 400, 500, and 800 is routed by the MSFC without passing through the FWSM. All other traffic is routed through the FWSM.

Note

The MSFC provides multiprotocol routing and multilayer switching for the Catalyst 6000 family of switches.

Multilayer Switch Feature Card as the Outside Router

Figure 19-3 shows a FWSM configuration with the MSFC used as a router on the network outside the firewall. All of the VLANs (except VLAN 600 and 700) are controlled by the FWSM. Therefore, only traffic from the Internet to VLAN 600 is handled by the MSFC. All other traffic is subject to the rules on the FWSM.

Multilayer Switch Feature Card Not Directly Connected to FWSM

Besides connecting the MSFC to either the inside or outside of the FWSM, you can also set up a configuration in which the MSFC is not directly connected to any of the FWSM interfaces. In this situation, there is no interaction between the MSFC and the FWSM.

Initializing the Firewall Services Module

When you configure a PIX Firewall, you can run the setup command and the firewall is ready to go. The FWSM, on the other hand, receives traffic directly from the Catalyst switch's backplane. This increases the initial configuration task required to make the FWSM operational. Initially configuring the FWSM involves the following tasks:

• Switch configuration

• Basic FWSM configuration

Switch Configuration

Before you can use the firewall functionality on your network traffic, you need to perform several configuration tasks on the switch. To configure the switch to operate with your FWSM, you need to perform the following steps:

Note

The switch configuration steps outlined in the following sections assume that your switch is running Cisco IOS software. If you are using the Catalyst operating system (CatOS), please refer to the documentation for the configuration steps.

Create Virtual LANs

Each interface on the FWSM receives traffic from specific VLAN(s) on your switch. To create VLANs on your switch you use the vlan command. The syntax for this command is as follows:

 vlan   vlan-number 

Next you need to be able to route traffic between VLANs using the MSFC. By default, routers route traffic between the networks to which they are physically connected. With the MSFC, you can create virtual interfaces connected to the various VLANs on your switch. These virtual interfaces enable your switch to control the flow of traffic between the different networks defined by the configured VLANs. To create a virtual interface for a VLAN, use the interface vlan command. The syntax for this command is as follows:

 interface vlan   vlan-number 

Define Firewall vlan-group

At a minimum, you need to specify two VLANs when configuring your FWSM. One of these VLANs represents the network being protected by the FWSM. All traffic for this VLAN will be sent through the FWSM for analysis before being sent to the actual devices on the VLAN. The other VLAN represents the network outside the FWSM.

Normally, the switch passes traffic to the MSFC, and the MSFC routes traffic between the various VLANs configured on the switch. When using the FWSM, however, you want certain traffic to be sent to the FWSM instead of to the MSFC. To accomplish this, you need to define a group of VLANs that will be controlled by the FWSM by using the firewall vlan-group command. The syntax for this command is as follows:

 firewall vlan-group   firewall-group vlan-range 

Table 19-3 describes the parameters associated with the firewall vlan-group command.

After the firewall vlan-group is defined, the switch will then send traffic for these VLANs to the FWSM instead of to the MSFC. This enables the FWSM to enforce security policy rules against the traffic from or to these VLANs.

Associate the vlan-group with the Module

Finally, you need to inform the switch in which switch slot the FWSM is located. You can have multiple FWSMs in a single switch, so this command is used to identify which blade will receive the traffic for a specific firewall vlan-group. This association is defined using the firewall module switch command, and its syntax is as follows:

 firewall module   module-number   vlan-group   firewall-group 

Table 19-4 describes the parameters associated with the firewall module command.

Assume that your FWSM is located in slot 5 on a switch that is running Cisco IOS software. Example 19-1 shows the switch configuration commands necessary to set up a FWSM configuration with the MSFC as the inside router (as shown in Figure 19-2).

Example 19-1. Configuring the MSFC on the Inside Interface

Switch#  configure terminal 
Switch(config)#  vlan 100 
Switch(config-vlan)  no shut 
Switch(config-vlan)  exit 
Switch(config)#  interface vlan100 
Switch(config-if)  ip address 10.10.10.1 255.255.255.0 
Switch(config-if)  no shut 
Switch(config-if)#  exit 
Switch(config)#  vlan 200 
Switch(config-vlan)  no shut 
Switch(config-vlan)  exit 
Switch(config)#  interface vlan200 
Switch(config-if)  ip address 10.20.10.1 255.255.255.0 
Switch(config-if)  no shut 
Switch(config-if)#  exit 
Switch(config)#  vlan 300 
Switch(config-vlan)  no shut 
Switch(config-vlan)  exit 
Switch(config)#  interface vlan300 
Switch(config-if)  ip address 10.30.10.1 255.255.255.0 
Switch(config-if)  no shut 
Switch(config-if)#  exit 
Switch(config)#  vlan 400 
Switch(config-vlan)  no shut 
Switch(config-vlan)  exit 
Switch(config)#  interface vlan400 
Switch(config-if)  ip address 10.40.10.1 255.255.255.0 
Switch(config-if)  no shut 
Switch(config-if)#  exit 
Switch(config)#  vlan 700 
Switch(config-vlan)  no shut 
Switch(config-vlan)  exit 
Switch(config)#  interface vlan700 
Switch(config-if)  ip address 10.70.10.1 255.255.255.0 
Switch(config-if)  no shut 
Switch(config-if)#  exit 
Switch(config)#  vlan 800 
Switch(config-vlan)  no shut 
Switch(config-vlan)  exit 
Switch(config)#  interface vlan800 
Switch(config-if)  ip address 10.80.10.1 255.255.255.0 
Switch(config-if)  no shut 
Switch(config-if)#  exit 
Switch(config)#  firewall vlan-group 10 100,200,700 
Switch(config)#  firewall module 5 vlan-group 10 
Switch(config)#  exit 

Basic Firewall Services Module Configuration

To initially set up the FWSM, perform the following tasks on it:

• Run the setup command

• Configure interfaces

• Define access lists

Because you are initially configuring the FWSM, you need to gain access to the command-line interface (CLI) on the FWSM from the switch CLI. The session slot command enables you to access the CLI on your various switch modules. The syntax for this command is as follows:

 session slot   module-number   processor   processor-id 

Note

When accessing the FWSM, you use a processor ID of 1.

If your FWSM is located in slot 3 on your switch, you would use the following command to connect to the FWSM CLI from the switch CLI:

 stat-6000#session slot 3 processor 1 
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ... Open
FWSM passwd:
Welcome to the FWSM firewall
Type help or '?' for a list of available commands.
FWSM>

At the passwd prompt, you need to enter the password for Telnet console access on the FWSM.

Note

The default password for Telnet console access is cisco . For security reasons, you should change the default password using the passwd command from the privileged mode on the FWSM.

Running the setup Command

Just like on the PIX Firewall, the setup command enables you to configure many of the basic parameters on the FWSM quickly, such as the following:

• Host name

• Domain name

• Enable password

Example 19-2 is a sample of the output and questions provided by the setup command:

Example 19-2.

FWSM(config)#  setup 
Pre-configure FWSM Firewall now through interactive prompts [yes]?
Enable password [<use current password>]:
Inside IP address [10.10.10.2]:
Inside network mask [255.255.255.0]:
Host name [FWSM]:  FWModule 
Domain name: cisco.com
IP address of host running FWSM Device Manager:  10.10.10.4 
The following configuration will be used:
Enable password: <current password>
Clock (UTC): 06:26:43 Feb 13 2004
Inside IP address: 10.10.10.2
Inside network mask: 255.255.255.0
Host name: FWModule
Domain name: cisco.com
IP address of host running FWSM Device Manager: 10.10.10.4
Use this configuration and write to flash?  yes 
Building configuration...
Cryptochecksum: dc097768 111d2643 5ec3f1a7 b9775f45
[OK]

Configuring the Interfaces

Unlike the PIX Firewall, the FWSM does not have a default inside and outside interface. Initially, you associate two or more VLANs with the FWSM (using the firewall vlan-group and firewall module switch commands). On the FWSM, however, you must assign each VLAN to a specific interface name and assign each interface an IP address. To assign a switch VLAN a specific interface name on the FWSM you use the nameif command. The syntax for this command is as follows:

 nameif   vlan-number interface-name security-level 

The parameters for the nameif interface commands are shown in Table 19-5.

After creating your FWSM interfaces by assigning an interface name to each interface, you need to specify an IP address for each interface. You use the ip address command to configure the FWSMs IP address; its syntax is as follows:

 ip address   interface-name ip-address netmask 

Table 19-6 shows the parameters for the ip address command. Besides the IP address, you need to provide a netmask that identifies the network portion of the IP address.

Note

The IP address and netmask for the inside interface are configured when you run the setup command.

Configuring the Access Lists

Traffic from the protected network through the PIX Firewall is allowed by default. The FWSM, on the other hand, explicitly defines access lists on all its interfaces. Therefore, even traffic from your protected network is denied unless you create an access list to allow it. To define access lists, you use the following two commands:

• access-list

• access-group

The access-list command defines the traffic that you want to allow. Then you use the access-group command to assign your access list to a specific interface. Chapter 7, "Configuring Access," explains the commands in more detail.

Using PIX Device Manager with the Firewall Services Module

Just like the PIX Firewall, you can manage the FWSM using the Cisco PDM. Before you can use PDM, however, you need to perform the following tasks:

• Perform initial preparation

• Install the PDM image

• Launch the PDM

Initial Preparation

The initial switch configuration tasks to use PDM include the same configuration tasks required to configure the FWSM initially, such as the following switch configuration:

• Configuring VLANs

• Configuring a firewall vlan-group

• Associating the firewall vlan-group with a module

You also need to perform the initial FWSM configuration tasks, which include the following:

• Running the setup command

• Defining interfaces

• Defining access lists

Running the setup command enables access to PDM from the host that you specify in response to the following prompt:

IP address of host running FWSM Device Manager:  10.10.10.4 

In addition, you must configure your access lists to enable traffic to reach the PDM web server (HTTP over SSL, or HTTPS) from the PDM client IP address.

Note

You also can enable Hypertext Transfer Protocol (HTTP) access using the http server command and define which systems have HTTP access to the FWSM using the http <local-ip> command.

Installing the PIX Device Manager Image

The FWSM (Version 1.1) does not come with PDM preinstalled. You need to place the PDM software image on your FWSM. The FWSM Version 1.1 requires PDM Version 2.1. To install the PDM software on your FWSM, you use the copy tftp command. The syntax for this command is as follows:

 copy tftp: // server-location/pathname   flash:pdm 

For instance, suppose that the following information matches the PDM image that you want to install on your FWSM:

• Trivial File Transfer Protocol (TFTP) server10.200.10.10

• PDM image file location/pdm/pdm-211.bin

The following command will install this image on your FWSM:

 copy tftp://10.200.10.10/pdm/pdm-211.bin flash:pdm 

You can verify that PDM is installed on your FWSM by using the show version command as shown in the following:

FWSM#  show version 
FWSM Firewall Version 1.1(2)
FWSM Device Manager Version 2.1(1)
Compiled on Tue 25-Mar-03 17:26 by awatiger
FWSM up 7 days 16 hours
Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash V1.01 SMART ATA FLASH DISK @ 0xc321, 20MB
0: gb-ethernet0: irq 5
1: gb-ethernet1: irq 7
2: ethernet0: irq 11
Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Enabled
Maximum Interfaces:     100
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited
Serial Number: SAD072806ER
Configuration last modified by enable-15 at 06:05:16 Feb 13 2004
FWSM#

Launching PIX Device Manager

When accessing PDM to configure your FWSM, you use a secure HTTP connection (HTTPS). The address to which you connect is one of the IP addresses that you configured for one of the interfaces on the FWSM.

Note

The browser that you use to connect to PDM must have Java and JavaScript enabled. For complete details on the browser requirements, refer to the "Cisco PIX Device Manager Installation Guide."

Suppose the address of your FWSM is 10.10.10.1. To connect to PDM, you would enter in your browser a Uniform Resource Locator (URL) similar to the following:

https://10.10.10.1

Troubleshooting the Firewall Services Module

Besides the basic software troubleshooting commands available through the FWSM (similar to PIX debugging commands), you also can debug the operational status of the FWSM from the switch. These basic troubleshooting operations fall into the following categories:

• Switch commands

• FWSM status LED

Switch Commands

To troubleshoot the operation of your FWSM, you can use several switch commands. The switch commands to troubleshoot the operation of the FWSM fall into the following categories:

• Module status

• Memory test

• Resetting and rebooting

Module Status

To verify that the Catalyst 6500 switch correctly recognizes the FWSM, you can use the show module switch command. The syntax for this command is as follows:

 show module  [ module-number | all ]

By viewing the output of this command, you can verify that the switch recognizes the correct card type (Firewall Module) for the module number where you have installed the FWSM.

You also can check the FWSM status. Using the show module command without any arguments provides information on all of the modules on the switch, as shown in Example 19-3.

Example 19-3. Viewing Module Status

stat-6000# show module 
Mod Ports   Card Type                             Model               Serial No.
--- -----   ------------------------------------- ------------------- -----------
1    2    Catalyst 6000 supervisor 2 (Active)   WS-X6K-SUP2-2GE     SAL0605HFH7
2   48    48 port 10/100 mb RJ-45 ethernet      WS-X6248-RJ-45      SAD050504C1
4   48    48 port 10/100 mb RJ45                WS-X6348-RJ-45      SAD041606Y5
5    6    Firewall Module                       WS-SVC-FWM-1        SAD060300N9
6    6    Firewall Module                       WS-SVC-FWM-1        SAD0707016K
Mod MAC addresses                        Hw    Fw           Sw            Status
--- ----------------------------------- ------ ------------ ------------- -------
1  0006.d65a.9694 to 0006.d65a.9695    3.5   6.1(3)       7.5(0.6)HUB2  Ok
2  0001.c96d.64d0 to 0001.c96d.64ff    1.4   5.4(2)       7.5(0.6)HUB2  Ok
4  00d0.c0cd.86c8 to 00d0.c0cd.86f7    1.1   5.3(1)       7.5(0.6)HUB2  Ok
5  00e0.b0ff.3438 to 00e0.b0ff.343f    0.201 7.2(1)       2.2(0)6       Ok
6  0002.7ee4.f610 to 0002.7ee4.f617    1.1   7.2(1)       2.2(0)6       Ok
Mod Sub-Module                  Model            Serial           Hw      Status
--- --------------------------- ---------------  --------------- -------  ------
1 Policy Feature Card 2       WS-F6K-PFC2      SAL06100RH2      3.2     Ok
1 Cat6k MSFC 2 daughterboard  WS-F6K-MSFC2     SAL06090F5F      2.2     Ok
4 Inline Power Module         WS-F6K-PWR                        1.0     Ok
Mod Online Diag Status
--- ------------------
1 Pass
2 Pass
4 Pass
5 Pass
6 Pass
stat-6000#

Memory Test

By default, the FWSM performs only a partial memory test when the module boots up. You can change this behavior so that it performs a full memory test. When the FWSM is configured for a full memory test, it takes longer to boot. Table 19-7 shows the time required to perform full memory tests for two different memory sizes.

To configure a full memory test when using Cisco IOS software, you use the hw-module command with the following syntax:

 hw-module module   module-number   mem-test-full 

Note

The hw-module command is specific to Cisco IOS and is not available if your switch is running the Catalyst operating system (CatOS) software.

Resetting and Rebooting

If you cannot access the FWSM either through Telnet or the session command on the switch, you need to reset the module from the switch. For Cisco IOS software, the hw-module switch command resets individual modules. The syntax for this command when resetting a module is as follows:

 hw-module module   module-number   reset 

For instance, to reset the FWSM located in slot 4 you would use the following command on the switch:

 hw-module module 4 reset 

Note

You also can use the hw-module command to access the maintenance partition on the FWSM. To reboot the module into the maintenance partition, you use the following command:

 hw-module module   module-number   reset cf:1 

Note

The hw-module command is available only in Cisco IOS software. If you are using CatOS, you need to use the reset command to reset/reboot the FWSM from the switch command line or access the maintenance partition.

Firewall Services Module Status LED

Each FWSM has a status LED on its front panel that indicates its current operational state. Table 19-8 describes the different states the status LED indicates.