
Software Architecture

The other component to any computer-based system is the software. No matter how sophisticated your hardware may be, if it does not have an operating system, it is probably good only as a heater or paperweight.

Fortunately, the FWSM has lots of features that you can take advantage of and many “nerd knobs” that you can tweak. Understanding how the software handles traffic is fundamental, and you should spend a considerable amount of time in the next section to become very familiar with the software characteristics.

Input packets are first checked for fragmentation and, if required, reassembled before being handed to the “Mgmt/Routing” decision process. This process determines whether the packet carries routing information or is a management packet destined for the FWSM itself, such as Telnet, SSH, or Hypertext Transfer Protocol Secure (HTTPS). If the packet matches these criteria and passes the interface ACL, it is sent to the session-management process and handled there. If not, the third decision process (TCP/UDP/ICMP) separates non-TCP/UDP/ICMP packets, which are validated against the ACL, from the TCP, UDP, and ICMP packets that go on to Destination Network Address Translation (DNAT), the Reverse Path Forwarding (RPF) check, and address-pool allocation. A TCP, UDP, or ICMP packet that belongs to an existing session is directed to the NAT process and sent out; otherwise an ACL check is performed and, if the protocol requires it, the protocol-inspection process follows. Protocol inspection, previously known as the “fixup” protocol, inspects and modifies packets that require special attention, such as the following:

Computer Telephony Integration Quick Buffer Encoding (CTIQBE): CTIQBE is a Cisco proprietary VoIP protocol used for Telephony Application Programming Interface (TAPI) and Java Telephony Application Programming Interface (JTAPI) to communicate with Call Manager.

Domain Name System (DNS): DNS is used to convert a hostname or domain name into an IP address.

File Transfer Protocol (FTP): FTP is a communication protocol used for exchanging files between computers.

General Packet Radio Service (GPRS) Tunneling Protocol (GTP): This is used to carry signaling and user traffic between nodes.

H.323: H.323 is the International Telecommunication Union (ITU) recommended method for multimedia communication.

Hypertext Transfer Protocol (HTTP): HTTP is the protocol used to transfer web pages and other content between web clients and servers.

Internet Control Message Protocol (ICMP): ICMP is used to exchange control, error, and information messages.

Internet Locator Service (ILS): ILS is used to support Microsoft NetMeeting clients.

Media Gateway Control Protocol (MGCP): MGCP is used for signaling and control in VoIP applications.

Network Basic Input/Output System (NetBIOS): NetBIOS is a mechanism used for computers to communicate within the same Layer 2 network.

Point-to-Point Tunneling Protocol (PPTP): PPTP is a tunneling protocol used to extend Point-to-Point (PPP) sessions across an IP network.

Remote Shell (RSH): RSH is a UNIX command, and the protocol behind it, used to execute commands on a remote host.

Real-Time Streaming Protocol (RTSP): RTSP is used to control data delivery of real-time traffic.

Session Initiation Protocol (SIP): SIP is a signaling protocol used for multimedia sessions.

Skinny Call Control Protocol (SCCP): SCCP is a Cisco proprietary protocol used for communication in VoIP applications.

Simple Mail Transfer Protocol (SMTP)/Extended Simple Mail Transfer Protocol (ESMTP): These two protocols are used for sending and receiving e-mail messages.

Simple Network Management Protocol (SNMP): SNMP is a protocol used to manage and monitor network devices.

SQL*Net/Net8: These Oracle database protocols are used in client/server applications for database access.

Sun’s Remote Procedure Call (SunRPC): SunRPC is a function that allows a procedure to be run on another computer; it was developed by Sun Microsystems.

Trivial File Transfer Protocol (TFTP): TFTP is a simple, UDP-based mechanism for transferring files.

X Display Manager Control Protocol (XDMCP): XDMCP is used to set up X sessions with remote systems.

These applications either embed IP addresses in the data portion of the packet, open secondary channels, or otherwise require inspection of the data portion of the packet. Unless the firewall is aware of these “special applications,” they may not work properly through it, or you may be forced to open far wider access than the application actually needs.

As you might have noticed from the flow, packets that are part of an existing session are not checked by an ACL. From an implementation perspective, this means that if you allow traffic to pass from one interface to another, the initial packet is checked by an ACL, but the return traffic, now part of a session, is not. Keep this in mind when allowing access to services or applications: the ACL governs who may open a connection, not the traffic that flows over it afterward.


You can place these services on a specific interface and create a static entry that allows traffic from a lower-security interface (see Chapter 4, “Understanding Security Levels,” for details) to the higher-security interface where the services are located, without creating any ACL on the higher-level interface. Return traffic is passed because it matches the established session. Recognize also that traffic cannot be initiated from the higher-level interface without an ACL that permits it. This arrangement enhances the security of those devices by minimizing the opportunity for carbon-based (human) configuration errors and by denying anyone who gains access to one of these devices the ability to establish outbound connections for illegitimate purposes.

Figure 2-3 shows an overview of the decision process, which should help you understand the flow.

An ACL is still required when going from a higher-level interface to a lower-level interface. The point is that a packet is matched against existing sessions before any ACL is consulted, so only the packet that creates the session is subject to the ACL.
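To make the decision order concrete, the following Python model, added here and not part of the FWSM software or of this chapter, walks constructed packets through the stages of Figure 2-3 in the order described above: the Mgmt/Routing check, the TCP/UDP/ICMP split, the existing-session lookup that bypasses the ACL, and the ACL and protocol-inspection steps for a new flow. The interface names, addresses, static entry, ACLs, management ports and inspected-port table are all assumptions made for the example. It reproduces the scenario of the preceding paragraphs: a server on the higher-security interface published by a static entry, with an ACL only on the lower-security interface, so the client's first packet is ACL-checked, the server's reply rides the session, and the server itself cannot initiate outbound.

```python
"""Toy model of the FWSM packet-processing flow in Figure 2-3.

Added example, not FWSM code. Interface names, addresses, the static entry,
the ACLs, the management ports and the inspected-port table are assumptions
made for illustration; the order of the checks follows the chapter.
"""
from dataclasses import dataclass
from typing import Optional

# Subset of the protocols the chapter lists as needing inspection (assumed ports).
INSPECTED = {("tcp", 21): "ftp", ("udp", 53): "dns", ("tcp", 80): "http",
             ("tcp", 25): "smtp", ("udp", 69): "tftp", ("udp", 5060): "sip"}
MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "https"}   # assumed management ports


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp", "icmp", or anything else ("gre", "esp", ...)
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str    # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    dst: str               # "any" or a single host address
    dport: Optional[int]   # None matches any port


class FWSM:
    def __init__(self, statics, acls, mgmt_addrs):
        self.statics = statics        # published (global) address -> real address
        self.acls = acls              # interface -> inbound ACL (list of Rule)
        self.mgmt_addrs = mgmt_addrs  # addresses the FWSM itself answers on
        self.sessions = set()         # 5-tuples of flows already permitted

    def _acl_permits(self, pkt):
        """First matching rule on the arrival interface wins. The chapter notes
        that the FWSM needs an ACL in every direction, so no ACL means deny."""
        for r in self.acls.get(pkt.in_if, []):
            if r.proto in ("ip", pkt.proto) and r.dst in ("any", pkt.dst) \
                    and r.dport in (None, pkt.dport):
                return r.action == "permit"
        return False   # implicit deny at the end of every ACL

    def process(self, pkt):
        """Return the stages the packet passes through, ending in 'output',
        'drop', or 'mgmt' (handed to the session-management process)."""
        trace = []
        # 1. Mgmt/Routing: traffic addressed to the firewall itself.
        if pkt.dst in self.mgmt_addrs and pkt.proto == "tcp" and pkt.dport in MGMT_PORTS:
            trace.append("mgmt/routing")
            if not self._acl_permits(pkt):
                return trace + ["drop"]
            return trace + ["session-management", "mgmt"]
        # 2. Non-TCP/UDP/ICMP traffic is validated by the ACL; this model keeps
        #    no session state for it.
        if pkt.proto not in ("tcp", "udp", "icmp"):
            trace.append("acl")
            return trace + (["output"] if self._acl_permits(pkt) else ["drop"])
        # 3. Existing session: the ACL is bypassed and the packet goes to NAT.
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow in self.sessions:
            return trace + ["existing-session", "nat", "output"]
        # 4. New flow: ACL check, then protocol inspection where required.
        trace.append("acl")
        if not self._acl_permits(pkt):
            return trace + ["drop"]
        app = INSPECTED.get((pkt.proto, pkt.dport))
        if app:
            trace.append("inspect:" + app)
        # 5. Translate, then record the session in both directions so the reply
        #    matches at step 3 with no ACL on the interface it arrives on.
        real_dst = self.statics.get(pkt.dst, pkt.dst)
        self.sessions.add(flow)
        self.sessions.add((pkt.proto, real_dst, pkt.dport, pkt.src, pkt.sport))
        return trace + ["nat", "output"]


def demo():
    """Web server 10.1.1.10 on 'inside' is published as 192.0.2.10 on 'outside'.
    The outside ACL permits only TCP/80 to it; the inside ACL denies everything,
    so the server can answer but cannot open connections of its own."""
    fw = FWSM(statics={"192.0.2.10": "10.1.1.10"},
              acls={"outside": [Rule("permit", "tcp", "192.0.2.10", 80)],
                    "inside": [Rule("deny", "ip", "any", None)]},
              mgmt_addrs={"192.0.2.1"})
    client = "198.51.100.7"   # constructed sample address
    return {
        "client_syn": fw.process(Packet("tcp", client, 40000, "192.0.2.10", 80, "outside")),
        "server_reply": fw.process(Packet("tcp", "10.1.1.10", 80, client, 40000, "inside")),
        "server_outbound": fw.process(Packet("tcp", "10.1.1.10", 51000, client, 80, "inside")),
        "ssh_to_fwsm": fw.process(Packet("tcp", client, 40001, "192.0.2.1", 22, "outside")),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:16} {' -> '.join(path)}")
```

Running `demo()` shows the client's SYN taking the ACL, HTTP-inspection and NAT path, the server's reply going straight from the existing-session match to NAT with the inside ACL never consulted, the server's own outbound attempt dying at the inside ACL, and an SSH attempt at the firewall's outside address being dropped because the outside ACL does not permit it. The session table is the only thing that lets the reply through, which is exactly why the ACL on the lower-security interface must be written for the initiating packet alone.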

With an understanding of how, through which components, and in what order traffic passes through the FWSM, you will substantially increase your success in design, implementation, and troubleshooting.

Summary

The FWSM is a firewall line-card hosted in a 6500 series switch or 7600 series router chassis. It uses a 6-gigabit EtherChannel to connect to the host-chassis backplane, eliminating the need for any external connections. You can leverage your investment in hardware by virtualizing up to 250 firewall instances, reducing the number of appliances, saving rack space, and minimizing heating and cooling. Understanding the hardware and software capabilities is paramount to a successful implementation.

Figure 2-3 FWSM Software Architecture (flow chart: Packet Input, Fragment Reassemble, Mgmt/Routing, Management, Session Management, TCP/UDP/ICMP, Existing Session, Pass ACL, Protocol Inspection Required, Protocol Inspection, NAT, Packet Output, Drop/Log)

Chapter 3