FWSM implementation

Unanswered Question
May 21st, 2008

Hi,

The FWSM does not include any external physical interfaces

what are the risks ?

Overall Rating: 4 (3 ratings)
Jon Marshall Wed, 05/21/2008 - 02:05

The risks are primarily logical and configuration issues.

1) Logical. Because it is virtualised it can sometimes be quite difficult to visualise what you are trying to do. And if you do not visualise it correctly then there is a very good chance that you could set it up incorrectly and introduce security risks into your environment.

2) Configuration. Again, because it is virtualised and uses VLANs within the same chassis to create DMZs, a mistake in configuration can have inadvertent consequences. A good example is contained here from a recent discussion.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0a239

To be honest, although I'm sure there may be people doing this, I would not feel comfortable using the FWSM as my primary firewall for connecting to the Internet. But if you have firewalling requirements within your data centre, for example, and you already have a 6500 infrastructure, then the FWSM can be a very good choice.

Jon

tj.mitchell Wed, 05/21/2008 - 05:45

Typically I use the FWSM to firewall off servers from the internal network. Otherwise, for internet protection you'll need to L2 VLAN off your internet on your core switches, which isn't the best idea.

The times that I have used the FWSM as a primary firewall, the client had another firewall in front of it for protection as well that wasn't NATting.

trombidz1 Wed, 05/21/2008 - 07:04

Dear both

many thanks for your comments.

What do you mean by " you'll need to L2 VLAN off your internet on your core switches " ?

thanks

tj.mitchell Wed, 05/21/2008 - 07:18

You can create a VLAN on the switches; if you don't create an interface for the VLAN it stays in a L2 state rather than getting a L3 interface. Once you type interface vlan 10 and put an IP address on it, that creates a L3 interface. If you don't do that, the VLAN stays at L2 without a L3 interface, effectively staying at L2 rather than going to L3.

trombidz1 Wed, 05/21/2008 - 08:09

you'll need to L2 VLAN off your internet on your core switches .

Why it's not good ?

trombidz1 Wed, 05/21/2008 - 23:49

you'll need to L2 VLAN off your internet on your core switches .

Why it's not good ?

We use a FWSM for all connectivity to/from the internet. It's no different than a PIX or ASA if you implement it correctly.

One of the tricks we used was to create a VRF on the 'outside' of the FWSM, placing the serial interface from the provider and the VLAN that becomes your 'outside' interface in it. We used the same techniques for the DMZs and Inside Interface. We also have a number of customer circuits riding Frame PVCs into our router (it's in a 7609). We also create VRFs for those customers and place the PVC/VLAN into the VRF. This ensures complete isolation.

I look at it as a PIX/ASA with up to 255 Interfaces this way. Each VRF becomes a 'bastion' router for each in/out interface on the firewall. This simplifies routing and subnetting.

I feel, after configuring as we have, we are using a more versatile and manageable router than I ever had with a PIX. The risks are mitigated to a very low level using it the way we have (VRFs are your friend). If you have the capability to use it in this way, you'll see the benefits as well.

BTW, a 6500 does not support VRFs. It must be in a 7600 chassis to work in the manner I have implemented.

HTH

Jim


dinesh.das Thu, 05/22/2008 - 00:39

Hi All,

Correct me if I am wrong---

Two things,

1- External link---In-FWSM-Out---MSFC-- or

2- External link----MSFC---In-FWSM-Out---

For solution 1 you will have the FWSM as the front end for the external link, and for solution 2 you will have the MSFC as the front end for the external link.

While configuring solution 1, place your external link on a L2 VLAN and assign the IP address inside the FW context. For solution 2, configure a VLAN interface and assign the IP address on the switch itself.
