Introduction to the Firewall Services Module
The FWSM is a high-performance, space-saving, stateful firewall module that installs in the
Catalyst 6500 series switches and the Cisco 7600 series routers.
Firewalls protect inside networks from unauthorized access by users on an outside network. The firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
includes only the public servers, an attack there affects only the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
The FWSM includes many advanced features, such as multiple security contexts (similar to virtualized
firewalls), transparent (Layer 2) or routed (Layer 3) firewall operation, and hundreds of interfaces.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the FWSM lets you configure many interfaces with varied security
policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired,
these terms are used in a general sense only.
This chapter includes the following sections:
• New Features
• Security Policy Overview
• How the Firewall Services Module Works with the Switch
• Firewall Mode Overview
• Stateful Inspection Overview
• Security Context Overview
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01