
DATA SHEET

CISCO CATALYST 6500 SERIES FIREWALL SERVICES MODULE

FOR CISCO CATALYST 6500 SERIES AND CISCO 7600 SERIES

Figure 1. Cisco Catalyst 6500 Series Firewall Services Module

The Cisco Catalyst 6500 Series Firewall Services Module (FWSM), a high-speed, integrated firewall module for Cisco® Catalyst® 6500 Series switches and Cisco 7600 Series routers, provides 5.5 Gbps throughput, 100,000 connections per second, and 1 million concurrent connections. Up to four FWSMs can be installed in a single chassis, providing scalability to 20 Gbps per chassis. As part of the Cisco PIX® family of security appliances, the FWSM provides large enterprises and service providers with superior security, reliability, and performance.

The FWSM uses Cisco PIX technology and runs the Cisco PIX OS, a real-time, hardened, embedded system that eliminates security holes and performance-degrading overhead. At the heart of the system, a protection scheme based on the Adaptive Security Algorithm (ASA) offers stateful connection-oriented firewalling. Using ASA, the FWSM creates a connection table entry for a session flow based on the source and destination addresses, randomized TCP sequence numbers, port numbers, and additional TCP flags. The FWSM controls all inbound and outbound traffic by applying the security policy to these connection table entries.
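As an added illustration of the connection-table behaviour described above (example code written for this page, not Cisco's FWSM implementation; the class, the `demo` flow and the sample addresses are constructed), the following Python models entries keyed by addresses and ports, a randomized sequence-number offset protecting the inside host's initial sequence number, and a default-deny check of inbound packets against the table:

```python
# Added illustration of a stateful connection table modelled on the ASA description
# above. It is not Cisco's FWSM code; all names and sample addresses are constructed.
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

SYN, ACK = 0x02, 0x10        # TCP flag bits used by the simulation
MOD32 = 1 << 32              # sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0


def fresh_syn(p: Packet) -> bool:
    """A connection-opening SYN (SYN set, ACK clear)."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


class StatefulFirewall:
    def __init__(self, inbound_acl: Iterable[Tuple[str, int]] = (),
                 rng: Callable[[int], int] = secrets.randbelow):
        # flow key (inside_ip, inside_port, outside_ip, outside_port) -> randomized ISN offset
        self.table: Dict[Tuple[str, int, str, int], int] = {}
        self.inbound_acl = set(inbound_acl)   # (inside_ip, port) reachable from outside
        self.rng = rng                        # injectable so tests are deterministic

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Inside -> outside: a new SYN creates an entry; anything else needs one."""
        key = (p.src, p.sport, p.dst, p.dport)
        if fresh_syn(p):
            self.table.setdefault(key, self.rng(MOD32))
        elif key not in self.table:
            return None                       # no connection entry: drop
        off = self.table[key]
        # The inside host's sequence numbers leave with the random offset added.
        return Packet(p.src, p.sport, p.dst, p.dport, p.flags, (p.seq + off) % MOD32, p.ack)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: only matching entries or ACL-permitted new SYNs pass."""
        key = (p.dst, p.dport, p.src, p.sport)   # reverse tuple of the inside flow
        if fresh_syn(p):
            if (p.dst, p.dport) not in self.inbound_acl:
                return None                   # unsolicited inbound SYN: drop
            self.table.setdefault(key, self.rng(MOD32))
        elif key not in self.table:
            return None                       # no connection entry: drop
        off = self.table[key]
        # Returning ACKs are shifted back down so the inside host sees its own ISN.
        ack = (p.ack - off) % MOD32 if p.flags & ACK else p.ack
        return Packet(p.src, p.sport, p.dst, p.dport, p.flags, p.seq, ack)


def demo(rng: Callable[[int], int] = secrets.randbelow):
    """Inside-initiated flow, unsolicited probe, and ACL-permitted inbound flow (constructed)."""
    fw = StatefulFirewall(inbound_acl=[("10.0.0.5", 80)], rng=rng)
    out_syn = fw.outbound(Packet("10.0.0.7", 40000, "203.0.113.9", 443, SYN, seq=5))
    synack = fw.inbound(Packet("203.0.113.9", 443, "10.0.0.7", 40000, SYN | ACK,
                               seq=9000, ack=out_syn.seq + 1))
    probe = fw.inbound(Packet("203.0.113.9", 443, "10.0.0.7", 40001, SYN, seq=1))
    srv_syn = fw.inbound(Packet("198.51.100.2", 5555, "10.0.0.5", 80, SYN, seq=300))
    srv_synack = fw.outbound(Packet("10.0.0.5", 80, "198.51.100.2", 5555, SYN | ACK,
                                    seq=77, ack=301))
    return out_syn, synack, probe, srv_syn, srv_synack
```

`demo()` returns the rewritten packets (or `None` for drops) so the three cases can be inspected side by side; pass a fixed `rng` to see the offset arithmetic with predictable numbers.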

The FWSM includes many advanced features like multiple security contexts both at the routed levels and in bridging mode, helping to reduce cost and operational complexity while managing multiple firewalls from the same management platform. The virtualization on the FWSM reinforces the investment protection provided on Cisco Catalyst 6500 Series switches and 7600 Series routers. FWSM virtualization, when combined with other security services within the Cisco Catalyst 6500 Series Switch or Cisco 7600 Series Router, presents a powerful defense in-depth solution. Using features like Resource Manager, organizations can limit the resources allocated to any security context at any time, which helps to ensure that one security context does not interfere with another. With the default software license, up to two security contexts can be run, in addition to a special admin context. For more security contexts, a license must be purchased.

Using the transparent firewall feature, which configures the FWSM to act as a Layer 2 bridging firewall, there are minimal changes required to the network topology. The use of a transparent firewall reduces both the configuration and deployment time---a definite plus for any business with limited IT resources. There are no IP addresses except the management interface; no subnetting or configuration updates are required with transparent firewalls.

The FWSM Services Management and Enhanced Resource Management and Limiting features more effectively provision and monitor security services, even within and across multiple virtual contexts. This includes class creation, resource limiting, per-user/Cisco Access Control Server (ACS)-based access control lists (ACLs), syslogs per ACL, syslog level configuration, Address Resolution Protocol (ARP) inspection, and multicast pass-through support.

Enhanced filtering provides extended protection and application support, such as voice applications. It also includes policy-based Network Address Translation (NAT), bidirectional NAT, bidirectional ACLs, voice over IP (VoIP) enhancements, Port Address Translation (PAT) for skinny and Session Initiation Protocol (SIP), Media Gateway Control Protocol (MGCP), H.323 v3 and v4, Multiprotocol Label Switching (MPLS) and firewall integration, URL filtering with WebSense and N2H2, and shunning and blocking attacks.

FIREWALL SERVICES MODULE BENEFITS

The traditional role of firewalls has changed. Today’s firewalls do more than protect a corporate network from unauthorized external access. Besides protecting the perimeter of the corporate network from threats, firewalls can also prevent unauthorized users from accessing a particular subnet, workgroup, or LAN within a corporate network. The cost of not building a layered, defense-in-depth system can be devastating. In the United States alone in 2003, the overall reported corporate loss due to theft and insider abuse totaled 82 million dollars (CSI/FBI Report, 2003). FBI statistics indicate that 70 percent of all security problems originate from inside an organization. According to one in five respondents to the FBI’s survey, intruders broke into, or tried to break into, their corporate networks during the preceding 12 months and most experts agree that the majority of network break-ins go undetected. Corporate networks need a reliable, integrated security solution to protect their business assets from these increasing threats.

Integrated Module

Installed inside a Cisco Catalyst 6500 Series Switch or Cisco 7600 Series Router, the FWSM allows any port on the switch to operate as a firewall port and integrates stateful firewall security inside the network infrastructure. This becomes especially important where rack space is at a premium. Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers truly emerge as the IP services switch of choice for customers requiring intelligent services such as firewall services, intrusion detection, and VPN, along with multilayer LAN, WAN, and MAN switching capabilities.

Ready for the Future

The FWSM can handle up to 5.5 Gbps of traffic, providing superior performance to meet future requirements without requiring a system overhaul. Up to three additional FWSMs (a total of four modules) can be added to the Cisco Catalyst 6500 Series to meet growing demands.

Reliability and High Availability

The FWSM is based on Cisco PIX technology and uses the time-tested Cisco PIX OS, a secure, real-time operating system. The FWSM offers a unique combination of performance and security on the same platform, using proven Cisco PIX technology for inspecting packets. For resiliency, the FWSM supports high-speed failover between modules within a single 6500 or 7600 chassis and between modules in separate chassis. This support of both intra-chassis and inter-chassis failover offers customers complete flexibility in their firewall deployments.

Lower Cost of Ownership

The FWSM offers the best price-performance ratio of any firewall. Because the FWSM is based on the Cisco PIX firewall, the cost of training and management is lower; because the FWSM is integrated in the chassis, there are fewer boxes to manage.

Ease of Management

The Cisco PIX Device Manager’s intuitive GUI can be used to manage and configure the features within the FWSM. The FWSM is supported by the Cisco management framework and for configuration and monitoring by Cisco AVVID (Architecture for Voice, Video and Integrated Data) partners. The Cisco PIX Device Manager allows simplified management and monitoring of the FWSM at the system and device level, as well as at the more detailed security context level.

The FWSM is also manageable from a central console using the scalable CiscoWorks VPN/Security Management Solution (VMS). CiscoWorks VMS provides a modular approach to managing and monitoring security solutions throughout a Cisco network. Integrated, extensible management centers are available for several solutions, including VPNs, routers, switches, firewall, and Cisco security agents. In particular, the CiscoWorks Management Center for Firewalls supports centralized, comprehensive firewall administration of FWSMs, Cisco PIX security appliances, and Cisco IOS® router-based firewalls throughout the network in a consistent, uniform manner to best expedite large security deployments.

FWSM KEY FEATURES

Table 1. Features and Details

Performance
• 5.5 Gbps
• 1 million concurrent connections
• 100,000 connection setups and teardowns per second
• 256,000 PAT and 256,000 NAT translations

Routed and Transparent Firewall
The firewall can run in one of the following modes:
• Routed---The FWSM is considered to be a router hop in the network.
• Transparent---The FWSM acts like a “bump in the wire” and is not a router hop. The FWSM connects the same network on its inside and outside ports, but each port must be on a different VLAN. No dynamic routing protocols or NAT are required.

Multiple Security Contexts
• In multiple-context mode, you can create up to 100 separate security contexts (depending on your software license). A security context is a virtual firewall that has its own security policy and interfaces. Each context can support 256 VLANs in routed mode. Transparent mode supports only two interfaces per context.
• Multiple contexts are similar to having multiple standalone firewalls.
• All security contexts can be run in routed mode or in transparent mode.

Bidirectional NAT and Policy-Based NAT
• Provides dynamic/static NAT and PAT.
• You can configure NAT on inside and outside addresses. For policy-based NAT, you can identify the addresses to be translated using an extended ACL, which gives you more control over which addresses are translated.

Resource Management
• Allows limiting of resources per context, so one context cannot use up all the resources.

Same Security Level Communication
• Allows interfaces that share the same security level to communicate without NAT/STATIC policies.
• Per-host maximum connection limit can be enforced.

Cut-Through Proxies
• Enforces high-performance user-authentication policies on a per-VLAN basis for TCP, HTTP, FTP, HTTPS, and others.

URL Filtering
• Filters HTTP, HTTPS, and FTP requests using WebSense Enterprise or HTTP filtering by N2H2.

Configuration Support
• Console to command-line interface (CLI) (session from switch)
• Telnet to the inside interface of the FWSM
• Telnet over IP Security (IPSec) to the outside interface of the FWSM
• Secure Shell Protocol (SSH) to CLI
• Secure Sockets Layer (SSL) to Cisco PIX Device Manager
• CiscoWorks VMS Management Center for Firewalls

AAA Support
• Integrates with popular authentication, authorization, and accounting (AAA) services through TACACS+ and RADIUS support

Cisco PIX Device Manager
• Simple, intuitive, Web-based GUI supports remote firewall management
• Numerous real-time and historical reports providing usage trend, performance baseline, and security event information
• Cisco PIX Device Manager is also integrated with an overall device management tool for the Cisco Catalyst 6500 Series---CiscoView Device Manager. From CiscoView Device Manager, modules within the Cisco Catalyst 6500 system, such as the FWSM and the supervisor module, can be managed collectively through an easy-to-use GUI.

Secure Network Management
• Secure, Triple Data Encryption Standard (3DES)-encrypted network management access

Access Lists
• Up to 80,000 ACLs
The following ACL types are supported:
• Extended ACL to control IP traffic on an interface:
  – Inbound
  – Outbound
• For transparent firewall mode, EtherType ACL to control non-IP traffic on an interface:
  – Inbound
  – Outbound
• Standard ACL for Open Shortest Path First (OSPF) route redistribution
• Per-user Cisco Secure ACS-based ACLs

Dynamic Routing Protocols
In single-context mode, the FWSM supports the following routing protocols:
• Routing Information Protocol (RIP) v1 and v2 (passive mode)
• OSPF
Transparent mode supports static routing only.

Command Authorization
• Allows you to control user access to commands and to create user accounts or logins tied to privilege levels

Protection from Denial of Service (DoS)
• DNS Guard
• Flood Defender
• Flood Guard
• TCP Intercept with SYN cookies optimization
• Unicast Reverse Path Forwarding (uRPF)
• Mail Guard
• FragGuard and Virtual Reassembly
• Internet Control Message Protocol (ICMP) stateful inspection
• User Datagram Protocol (UDP) rate control

ARP Inspection
• For transparent firewall mode, the FWSM compares the MAC address and IP address in all ARP packets to static entries in the ARP table.

Dynamic Host Configuration Protocol (DHCP)
• The FWSM acts as a DHCP server. The FWSM also supports DHCP relay to forward DHCP requests to an upstream router.

High Availability
• Active-standby stateful failover---intra-chassis and inter-chassis

Logging
• Comprehensive syslogging, FTP, URL, and ACL logging

Additional Protocols
• H.323 v3 and v4
• NetBIOS over IP
• RAS Version 2
• Real-Time Streaming Protocol (RTSP)
• SIP with PAT
• XDMCP
• Skinny

EXAMPLE FWSM DEPLOYMENTS

The FWSM can be deployed in topologies serving enterprise campuses, data centers, or service providers.

Today’s enterprises need more than just perimeter security---they need to connect business partners and provide campus security domains that serve multiple groups within these organizations. The FWSM provides a flexible, cost-effective, and performance-based solution by allowing users and administrators to establish security domains with different policies within the organization. Figure 2 shows a campus deployment using stateful filtering to establish separate VLAN-based security domains.

Figure 2. Campus Deployment

Using the FWSM, users can set appropriate policies for different VLANs.

Data centers also require stateful firewall security solutions to protect data while delivering gigabit performance at the lowest possible cost. Figure 3 shows a data center with redundant FWSMs protecting server data.

Figure 3. e-Commerce Data Center Deployment

The FWSM maximizes capital investment by providing the best price-performance ratio in a firewall, and allows customers to replace expensive multiple firewalls that require additional firewall load balancer devices.

In multiple-context mode, each firewall runs its own policies, its own management domain, and its own syslogging, in essence providing a completely independent security domain. Virtual firewall security contexts configured with their own policies are functionally similar to a collection of independent physical firewalls, but are also easier to manage. Virtualization makes it easier to add or delete security contexts based on subscriber growth. This helps in cost savings through lower deployment costs, as organizations do not need to deploy multiple devices yet are able to achieve the same capabilities and maintain complete control of configuration, management, and provisioning of security contexts. Service providers can offer security contexts to individual customers, while enterprises can assign a security context to each department or division.

ORDERING INFORMATION

Table 2. Firewall Services Module Hardware and Software Part Numbers

Product Number Description

Hardware
WS-SVC-FWM-1-K9 Firewall Services Module for Cisco Catalyst 6500 and 7600 Series
WS-SVC-FWM-1-K9= Firewall Services Module for Cisco Catalyst 6500 and 7600 Series (spare)

Software
SC-SVC-FWM-1.1-K9 Firewall Services Module Software Release 1.1 for Cisco Catalyst 6500 and 7600 Series
SC-SVC-FWM-1.1-K9= Firewall Services Module Software Release 1.1 for Cisco Catalyst 6500 and 7600 Series (spare)
SC-SVC-FWM-2.2-K9 Firewall Services Module Software Release 2.2 for Cisco Catalyst 6500 and 7600 Series
SC-SVC-FWM-2.2-K9= Firewall Services Module Software Release 2.2 for Cisco Catalyst 6500 and 7600 Series (spare)
SC-SVC-FWM-2.3-K9 Firewall Services Module Software Release 2.3 for Cisco Catalyst 6500 and 7600 Series
SC-SVC-FWM-2.3-K9= Firewall Services Module Software Release 2.3 for Cisco Catalyst 6500 and 7600 Series (spare)

LICENSING

Table 3 lists the part numbers that are needed when ordering security context licenses. Cisco supports three tiers of licenses. To order any of these license tiers, you must be running FWSM Software Release 2.2(1) or later. No changes in hardware are required when upgrading from FWSM Software Release 1.1 to Release 2.2 or 2.3.

Table 3. Context License Part Numbers

PART NUMBER DESCRIPTION

FR-SVC-FWM-VC-T1 20 virtual firewalls

FR-SVC-FWM-VC-T2 50 virtual firewalls

Table 4 lists upgrade part numbers.

Table 4. Upgrade Part Numbers

PART NUMBER DESCRIPTION

FR-SVC-FWM-UPGR1 Upgrade from 20 to 50 virtual firewalls

FR-SVC-FWM-UPGR2 Upgrade from 50 to 100 virtual firewalls

SYSTEM REQUIREMENTS

• Cisco Catalyst 6500 Series Supervisor Engine 2 with Multilayer Switch Feature Card 2 (MSFC2) or Cisco Catalyst 6500 Series Supervisor Engine 720

• Native Cisco IOS Software Release 12.1(13)E or later. If you are running a Supervisor Engine 720, you will need Cisco IOS Software Release 12.2(14)SX or later

• Hybrid Cisco Catalyst OS Software Release 7.5(1) or later. If you are using a Supervisor Engine 720, you will need a minimum of Cisco Catalyst OS Software Release 8.2

• If you intend to use the multi-SVI feature, you will need Cisco IOS Software Release 12.2(20)E or later for native Cisco IOS Software, and for Cisco Catalyst OS software you will need version 7.(6) or later

• Occupies one slot in a Cisco Catalyst 6500 Series Switch or Cisco 7600 Series Router

• Up to four firewall modules may be deployed in the same chassis

FOR MORE INFORMATION

For more information about the Cisco FWSM Software Release 2.3, contact your local account representative or visit: http://www.cisco.com/go/tds

To obtain additional information about Cisco security solutions, visit:

• Cisco Self-Defending Networking Strategy: http://www.cisco.com/go/selfdefend

• Cisco Threat Defense System: http://www.cisco.com/go/tds

• Cisco Integrated Security Solutions: http://www.cisco.com/go/security

HARDWARE SPECIFICATION

Weight: 10 pounds

Power Consumption: 171.78 watts

REGULATORY COMPLIANCE

Safety
• UL 1950
• CSA C22.2 No. 950-95
• EN60950
• EN60825-1
• TS001
• CE Marking
• IEC 60950

EMI
• FCC Part 15 Class A
• ICES-003 Class A
• VCCI Class B
• EN55022 Class B
• CISPR22 Class B
• CE Marking
• AS/NZS3548 Class B

NEBS
• SR-3580---NEBS: Criteria Levels (Level 3 compliant)
• GR-63-CORE---NEBS: Physical Protection
• GR-1089-CORE---NEBS: EMC and Safety

ETSI
• ETS-300386-2 Switching Equipment

Telecommunications
• ITU-T G.610
• ITU-T G.703
• ITU-T G.707
• ITU-T G.783 Sections 9-10
• ITU-T G.784
• ITU-T G.803
• ITU-T G.813
• ITU-T G.825
• ITU-T G.826
• ITU-T G.841
• ITU-T G.957 Table 3
• ITU-T G.958
• ITU-T I.361
• ITU-T I.363
• ITU I.432
• ITU-T Q.2110
• ITU-T Q.2130
• ITU-T Q.2140
• ITU-T Q.2931
• ITU-T O.151
• ITU-T O.171
• ETSI ETS 300 417-1-1
• TAS SC BISDN (1998)


Copyright 2005 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
