The risks are primarily logical and configuration issues.
1) Logical. Because it is virtualised, it can sometimes be quite difficult to visualise what you are trying to do. And if you do not visualise it correctly, then there is a very good chance that you could set it up incorrectly and introduce security risks into your environment.
2) Configuration. Again, because it is virtualised and uses VLANs within the same chassis to create DMZs, a mistake in configuration can have inadvertent consequences. A good example is contained here from a recent discussion.
To be honest, although I'm sure there may be people doing this, I would not feel comfortable using the FWSM as my primary firewall for connecting to the Internet. But if you have firewalling requirements within your data centre, for example, and you already have a 6500 infrastructure, then the FWSM can be a very good choice.
You can create a VLAN on the switches; if you don't create an interface for the VLAN, it stays in an L2 state rather than getting an L3 interface. Once you type `interface vlan 10` and put an IP address on it, that creates an L3 interface; if you don't do that, the VLAN stays at L2 without an L3 interface.
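The L2-versus-L3 distinction above, shown as a constructed Catalyst 6500 configuration (added here as an illustration, not a config posted in the thread). The slot number, VLAN IDs and the 203.0.113.0/24 and 192.0.2.0/24 addresses are assumptions for the example. The point of interest for a firewall deployment is that only the VLAN the MSFC is meant to route on gets an SVI; the inside and DMZ VLANs are handed to the FWSM and deliberately left at L2 on the supervisor, otherwise the MSFC itself becomes a path around the firewall.

```cisco
! Constructed example: Catalyst 6500, FWSM in slot 4.
! Creating the VLANs in the VLAN database leaves them at pure L2.
vlan 10
 name fw-inside
vlan 20
 name fw-dmz
vlan 100
 name fw-outside
!
! Hand the three VLANs to the FWSM. The FWSM, not the supervisor,
! owns the L3 addresses on VLANs 10 and 20.
firewall vlan-group 1 10,20,100
firewall module 4 vlan-group 1
!
! Only the outside VLAN gets an SVI on the MSFC, so the MSFC can
! reach the FWSM only via its outside interface. Do NOT configure
! "interface Vlan10" or "interface Vlan20" with an address here:
! that would put the MSFC directly on the protected segments.
interface Vlan100
 description MSFC side of FWSM outside (FWSM outside = 203.0.113.2)
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
! Inside networks are reached through the firewall, not via an SVI.
ip route 192.0.2.0 255.255.255.0 203.0.113.2
!
! Checks (assumed use of standard show commands):
!   show vlan brief                        -> 10, 20, 100 present
!   show ip interface brief | include Vlan -> only Vlan100 has an address
!   show firewall vlan-group               -> group 1 = 10,20,100
```

If `show ip interface brief` ever lists an SVI for an inside or DMZ VLAN, someone has created an L3 path on the supervisor that bypasses the FWSM; that is exactly the configuration mistake the earlier post warns about.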
We use an FWSM for all connectivity to/from the Internet. It's no different from a PIX or ASA if you implement it correctly.
One of the tricks we used was to create a VRF on the 'outside' of the FWSM, placing in it the serial interface from the provider and the VLAN that becomes your 'outside' interface. We used the same technique for the DMZs and the inside interface. We also have a number of customer circuits riding Frame Relay PVCs into our router (it's in a 7609). We also create VRFs for those customers and place the PVC/VLAN into the VRF. This ensures complete isolation.
I look at it as a PIX/ASA with up to 255 interfaces this way. Each VRF becomes a 'bastion' router for each in/out interface on the firewall. This simplifies routing and subnetting.
I feel that, after configuring it as we have, we are using a more versatile and manageable router than I ever had with a PIX. The risks are mitigated to a very low level using it the way we have (VRFs are your friend). If you have the capability to use it in this way, you'll see the benefits as well.
BTW, a 6500 does not support VRFs. It must be in a 7600 chassis to work in the manner I have implemented.
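The per-interface VRF design described in the post above, written out as a constructed 7600 configuration. This is an added illustration, not the poster's own config; the slot, VLAN IDs, DLCI, RD values and all addresses (documentation ranges 198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24 and a 10.201.0.0/16 customer range) are assumptions. The provider serial link and the FWSM outside VLAN share one VRF, the inside VLAN sits in another, and a customer Frame Relay PVC plus its FWSM-facing VLAN sit in a third, so the only path between any two of them is through the firewall module.

```cisco
! Constructed example: Cisco 7600, FWSM in slot 4.
! One VRF per firewall interface; no route leaks between them.
ip vrf OUTSIDE
 rd 65000:100
ip vrf INSIDE
 rd 65000:10
ip vrf CUST-A
 rd 65000:201
!
vlan 10
 name fw-inside
vlan 100
 name fw-outside
vlan 201
 name fw-cust-a
firewall vlan-group 1 10,100,201
firewall module 4 vlan-group 1
!
! OUTSIDE VRF: provider uplink + router side of the FWSM outside VLAN.
! "ip vrf forwarding" must come before "ip address"; IOS removes the
! address when an interface changes VRF.
interface Serial1/0/0
 description Provider uplink
 ip vrf forwarding OUTSIDE
 ip address 198.51.100.2 255.255.255.252
!
interface Vlan100
 description Router side of FWSM outside (FWSM outside = 203.0.113.2)
 ip vrf forwarding OUTSIDE
 ip address 203.0.113.1 255.255.255.0
!
ip route vrf OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.1
ip route vrf OUTSIDE 192.0.2.0 255.255.255.0 203.0.113.2
!
! INSIDE VRF: the only exit is the FWSM inside address.
interface Vlan10
 description Router side of FWSM inside (FWSM inside = 192.0.2.2)
 ip vrf forwarding INSIDE
 ip address 192.0.2.1 255.255.255.0
!
ip route vrf INSIDE 0.0.0.0 0.0.0.0 192.0.2.2
!
! CUST-A VRF: customer Frame Relay PVC + its FWSM-facing VLAN.
interface Serial2/0/0
 encapsulation frame-relay
!
interface Serial2/0/0.201 point-to-point
 description Customer A PVC
 ip vrf forwarding CUST-A
 ip address 10.201.0.1 255.255.255.252
 frame-relay interface-dlci 201
!
interface Vlan201
 description Router side of FWSM cust-a (FWSM cust-a = 10.201.1.2)
 ip vrf forwarding CUST-A
 ip address 10.201.1.1 255.255.255.0
!
ip route vrf CUST-A 0.0.0.0 0.0.0.0 10.201.1.2
!
! Checks (assumed use of standard show commands):
!   show ip vrf interfaces      -> each VRF lists exactly its two interfaces
!   show ip route vrf OUTSIDE   -> no INSIDE or CUST-A prefixes present
!   show ip route               -> global table carries none of these links
```

Each VRF behaves like the 'bastion' router the post describes: its routing table knows only its own link and a default (or static) route pointing at the matching FWSM interface, so a misconfigured static route in one VRF cannot reach another VRF's subnets without traversing the firewall.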