FWSM not a best practice in data center?

Answered Question
Feb 14th, 2008

Hello. We are in the middle of building a data center at a co-location facility, and are planning on using FWSM modules in our redundant 6500s to "zone" the network there. Basically what we are being told is that each subnet in this new data center will be treated as a separate security zone, with each zone not being able to access the other except on specified ports.

Our server access layer will consist of 4 4948-10G switches (we think), trunked into the core 6500s. This will force traffic through the FWSM, allowing it to be policed.

All of a sudden the company has brought in a "senior" guy to oversee the entire project, and he tells us that it is not best practice to have the FWSM zoning the networks, because if the core switch/FWSM is hacked, the entire network is exposed. We are arguing that this is indeed the case with whatever FW you use.

This is only for the internal side of the network, as we will have a pair of Checkpoint firewalls on the perimeter protecting us from public traffic. He has proposed an ASA 5510 instead of the FWSM, with each subnet being on a different DMZ/interface. This immediately throws up two red flags, throughput and scalability. The ASA has a maximum of 8 ports, and we currently have 8 different subnets that need to be separated. Also, backups will run through this network, and having that amount of traffic traversing the ASA doesn't seem realistic.

Is there any merit in what he is saying? I've always been under the impression that the FWSM was designed almost for this exact situation.

cisco24x7 Thu, 02/14/2008 - 07:58

Throughput and connections will be the limitation of ASA. ASA does NOT do Active/Active, whereas checkpoint firewall can cluster up to 32 nodes (i.e. 32 servers with dual quad-core Intel processors) where you can push an insane amount of traffic.

ASA is not designed for large scale datacenter. Imagine you can scale up to 32 servers in Active/Active...32 active nodes.

Budget is another matter.

You may want to look at NGX R65 CoreXL. I've used it and really like it a lot.

abinjola Thu, 02/14/2008 - 08:05

checkpoint is not safe at all...it was designed in Israel..and then once it got obsolete there it was distributed in all other countries...I haven't seen small soho checkpoints being used in data centres..

ASA can do active/active failover..if the ASA 5510 is not coping, try high-end models.

cisco24x7 Thu, 02/14/2008 - 08:14

Are you telling me that ASA can cluster 32 nodes together? ASA Active/Active is not really active/active. Are you telling me that ASA can do load sharing for, let's say, a network on both ASAs right out of the box?

"checkpoint is not safe at all.."

Says who? If it is not safe then how come a lot of government agencies including most financial services use checkpoint?

poulid Thu, 02/14/2008 - 08:08

One requirement I did not mention was the need for different vendor firewalls protecting us from the Internet. On the outside we currently use clustered Nokia IP390s, therefore the thought was that since we already had the 6509s for the internal side, why not just add the FWSM, giving us the second vendor as required. I believe the FWSM has a firewalled throughput of 5Gb, way way over and above the ASA.

We are likely talking about hundreds of GB of data that needs to be backed up weekly.

cisco24x7 Thu, 02/14/2008 - 10:21

"I haven't see checkpoint installed in any US govt agencies."

Perhaps you need to get out more and stop putting on the Cisco blinders.

ISS, Verio and just about every MSSP uses checkpoint. As far as US Gov. agencies, there are many that use checkpoint. DOA, DOT and HHS, just to name a few.

poulid Thu, 02/14/2008 - 10:54

Not sure what difference it makes where it was developed (hopefully you mean that differently than it sounds), and we are indeed a financial organization who uses Checkpoint.

Anyway, back to the issue at hand; any idea how much the 5580 costs?

abinjola Thu, 02/14/2008 - 11:18

checkpoint is cheap but insecure. ISPs that use it only use it on peripheries and not in core.

Coming back to your query, requester, you may check the price of the ASA 5580 in the pricing tool.

cisco24x7 Thu, 02/14/2008 - 12:12

"checkpoint is cheap but unsecure"

I would like to know where you get the facts to back up your claims.

If Cisco is so great and secure, then let me ask you this:

In Cisco PIX or ASA, BY DEFAULT, hosts residing behind a higher security level interface can traverse the firewall to communicate with hosts residing behind a lower security level interface. That is a fact.

Based on that argument, if a host behind a higher security level interface is infected with viruses, it can then infect other hosts residing behind lower security level interfaces.

With Checkpoint, nothing is allowed between interfaces unless it is EXPLICITLY allowed.

If checkpoint is cheap but un-secure, then why do Gov. agencies and financial organizations use checkpoint? These guys must be dumb, right?

"ISPs that uses it only use it on peripharies and not in core."

You are right. They don't use checkpoint at the core. They do not use Cisco either. They use Juniper.
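As an added illustration of the default security-level behaviour discussed above and of the "only specified ports between zones" model from the original question (example configuration written for this page, not from the thread or from Cisco documentation): one ASA subinterface per server zone, with an explicit inbound access list on every zone interface so that nothing crosses zones unless it is permitted. Zone names, VLAN IDs, addresses and port numbers are assumptions; the same access-list/access-group syntax applies to FWSM VLAN interfaces.

```cisco
! Added example, not from the thread. Zones, VLANs, addresses and ports are assumed.
interface GigabitEthernet0/1.10
 vlan 10
 nameif app-zone
 security-level 60
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif db-zone
 security-level 80
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif backup-zone
 security-level 50
 ip address 10.10.30.1 255.255.255.0
!
! With no ACL on db-zone (level 80), its hosts may reach app-zone (60) and
! backup-zone (50) on any port by default. An infected database host could
! therefore reach both lower zones. The lists below replace that implicit
! permit with an explicit-allow policy on every zone interface.
!
! db-zone: only allow the assumed backup agent port towards the backup zone.
access-list DB_ZONE_IN extended permit tcp 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.0 eq 10000
access-list DB_ZONE_IN extended deny ip any any log
access-group DB_ZONE_IN in interface db-zone
!
! app-zone: only allow SQL (assumed TCP 1433) towards the database zone.
access-list APP_ZONE_IN extended permit tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 1433
access-list APP_ZONE_IN extended deny ip any any log
access-group APP_ZONE_IN in interface app-zone
!
! backup-zone (lowest level): only the assumed backup server may open
! the agent port into the database zone; replies are handled statefully.
access-list BACKUP_ZONE_IN extended permit tcp host 10.10.30.10 10.10.20.0 255.255.255.0 eq 10000
access-list BACKUP_ZONE_IN extended deny ip any any log
access-group BACKUP_ZONE_IN in interface backup-zone
```

`show access-list DB_ZONE_IN` gives per-line hit counts, and the `log` keyword on each final deny records inter-zone attempts that the security-level default would otherwise have forwarded silently.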

Jon Marshall Thu, 02/14/2008 - 14:59

If you have multiple vlans within your 6500 and you want to firewall between them with a requirement for high throughput and flexible configuration then that is one of the main uses of the FWSM. To my thinking it makes perfect sense if you are merely looking to do internal firewalling between your server subnets.

If you use a standalone pair of ASAs and they are hacked then you have the same issue. The key thing here is all vlans are terminating on firewall interfaces, whether that be FWSM or standalone ASAs, so either way, if your firewall is hacked you are in trouble.

Perhaps this guy could go into a bit more detail as to why it is different with the FWSM than the ASA.

One thing that is worth bearing in mind is that the FWSM is only a firewall whereas ASA devices can do more, IPS etc. But this may not be an issue for you.

poulid Fri, 02/15/2008 - 02:53

OK, thanks Jon. That was what I was hoping to hear.

Maybe this other guy could also come back and explain a couple of his other comments as well.

clausonna Fri, 02/15/2008 - 17:58

I think the FWSMs are good for segmenting a specific portion of your data center and not every single subnet or host. Put them in front of your high-value servers (PCI, Finance databases, secret formula to Coca-Cola, plans to Area 51, whatever) where you don't want to have to go 'outside' your 6500's and where throughput isn't a factor.

Just my .02; don't want to get in the middle of a flame war :-)

Correct Answer
Jon Marshall Sat, 02/16/2008 - 12:35

To whoever rated this a 1. Could you try reading the Original poster's response to my answer. He found it helpful and it was to him that my answer was directed.

If you don't agree with what i have said try doing something a little more constructive and present a rational argument as to why.

The vast majority of people in these forums do a great job of helping people offering advice for free.

Sometimes i wonder why we bother


poulid Fri, 03/14/2008 - 06:06

Sorry to resurrect this conversation, but if a so-called expert came in and said it would be a great idea to change the pair of 6500s with FWSM modules, and put in a pair of ASA 5520s instead, what would you say to this person? He says it will be fine to use the 5520 to zone the network, which will contain 60 servers to start. I really don't think the 5520 is designed for this, is it?

Jon Marshall Fri, 03/14/2008 - 08:07

If someone proposes to replace what is an expensive piece of hardware with another expensive piece of hardware, presumably expensive because you will need high end ASAs for your throughput requirements, then they need to justify why they want to do it.

It might well be fine to use ASAs to firewall your internal network but why can't the FWSMs do the same thing? Is there additional functionality needed that is not supported by the FWSMs?

Perhaps you could go into a bit more detail as to why your consultant thinks it is such a great idea?
poulid Fri, 03/14/2008 - 08:21

The consultant is actually trying to replace two 6500s with two ASA 5520s, and is trying to tell management that it is the same thing. Cost seems to be the motivating factor for his argument, since the 6500 with the FWSM is about $50K, whereas the 5520 is only $8K. Essentially the 5520 becomes the 'core' of the network.

He is proposing that each zone would plug into a different interface on the 5520, allowing each network to be secured. Right off the bat I see scalability issues, since we will have at least 6 subnets to start off.

His idea just seems very mickey mouse to me.

Jon Marshall Fri, 03/14/2008 - 08:45

It is difficult to be specific and say one solution is right and one wrong without a full set of requirements. I have seen both extremes in my career:

1) A completely overspecced solution with 4 6500s and multiple PIX firewalls for approx 20 servers.

2) A DC setup based around 3550 switches etc. with gigabit throughput requirements/QoS/ACLs etc.

What does concern me is:

1) An ASA 5520 at the core of a Data Centre network with servers moving large amounts of data. That is one of the main reasons for using an FWSM.

2) The lack of future scalability.

8k vs 50k may sound like a lot but in terms of a DC setup, and often compared to the cost of servers/software licenses, it is not. You should always allow extra capacity for future requirements in your design.

What I really find worrying is that it seems to be ASA 5520s vs 6500/FWSMs. Even if you chose not to go with the FWSMs I would still recommend using a pair of switches to connect up the 4948s, and 6500s are the logical choice.

I don't know what your budget is, what proportion of the budget 50k accounts for, or what the future plans are for the DC, but presented with the details you have so far provided I would say:

1) At the very least use a separate pair of switches to interconnect all your 4948 server switches.

2) The FWSM is a reasonable choice and I wouldn't necessarily argue against it, but there are other alternatives and you don't have to use the FWSM simply because you have a 6500 chassis.

A saving of 42k won't look that great if in 6 months' time you find you need another 5 subnets and you can't get your backups completed in time.

poulid Fri, 03/14/2008 - 09:46

Thanks again Jon. Another idea I've been kicking around now that management seems to really be focusing on cost: what if we plugged all of our servers into a stack of 3750Es, and zoned the networks simply using VACLs? Would the 3750E be able to process the VLAN ACLs fast enough, or would this become the bottleneck? Is this even a reasonable alternative?

The stack could then uplink into a firewall device, at that point probably the 5520, or maybe a 5540. Throughput on the firewall would not be a concern, since server to server traffic would not traverse the firewall; it would stay local to the stack.