Cisco FWSM

The Firewall Services Module (FWSM) is a firewall module that Cisco integrates into its Catalyst 6500 Series switches and 7600 Series routers.

Installed inside a Cisco Catalyst 6500 Series switch or Cisco 7600 Series router, the FWSM lets any VLAN on the switch be extended to the module, where it becomes a firewall interface. Firewall enforcement therefore sits inside the switching infrastructure rather than on a separate appliance in the traffic path.

The FWSM is based on Cisco PIX technology and runs the Cisco PIX operating system, a purpose-built real-time operating system rather than a general-purpose one, so its configuration and feature set closely follow the PIX. Multiple FWSMs can be managed from the same management platform.

Hardware

The FWSM has four processors: one general-purpose central CPU (a 1 GHz Pentium III) and three network processors (IBM 4GS3 PowerNP).

The central CPU handles fixups (application-layer protocol inspection) and traffic sourced from or destined to the FWSM itself, which is mainly management traffic. It is also responsible for compiling the rulebase: the configured access lists are converted into a representation the network processors can apply directly, so the majority of the traffic is handled in dedicated hardware.

The three network processors handle the majority of the traffic. The fast-path processors NP1 and NP2 forward the main traffic and each have three 1 Gbit/s connections to the backplane. The third network processor sits above NP1 and NP2 and acts as the session manager.[1]

Because the rulebase is compiled into hardware, the FWSM has a hard upper limit on the number of Access Control Entries (ACEs) it can hold. The limit is normally reached only with large or inefficiently written rulebases, and unlike on the PIX and ASA platforms it cannot be raised with a memory upgrade; once the compiled rulebase no longer fits, rules have to be consolidated or removed.
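What makes a rulebase "inefficient" with respect to this limit is usually not the number of configured access-list lines but their expansion: a single line that references object-groups expands into one ACE per combination of group members, and it is the expanded count that has to fit in the hardware. The following script is an added example written for this article, not Cisco code and not something the FWSM runs; it parses a small configuration constructed here in PIX/ASA/FWSM object-group syntax and estimates the expanded ACE count per access list, including nested group-object references. The expansion rule it applies (product of group sizes per line, one entry per subnet or port range) is the documented PIX/ASA/FWSM behaviour, but the sample addresses, names and counts are invented for illustration.

```python
"""Estimate how many Access Control Entries (ACEs) a PIX/ASA/FWSM-style
access list occupies once its object-groups are expanded.

Constructed example for the article, not Cisco code; it assumes the
PIX/ASA/FWSM behaviour that each combination of object-group members on
one access-list line becomes its own ACE in the compiled rulebase."""
import re
from typing import Dict, List

# Constructed sample configuration in PIX/ASA/FWSM object-group syntax.
SAMPLE_CONFIG = """
object-group network WEB_SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object 10.1.2.0 255.255.255.0
object-group network ALL_SERVERS
 group-object WEB_SERVERS
 network-object host 10.1.1.20
object-group network BRANCH_NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.12.0 255.255.255.0
 network-object 192.168.13.0 255.255.255.0
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
 port-object range 8080 8081
access-list OUTSIDE_IN remark branch offices to the web farm
access-list OUTSIDE_IN extended permit tcp object-group BRANCH_NETS object-group WEB_SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit icmp object-group BRANCH_NETS object-group ALL_SERVERS echo
access-list OUTSIDE_IN extended permit udp any host 10.1.1.53 eq 53
access-list OUTSIDE_IN extended deny ip any any
"""

GROUP_HEADER = re.compile(r"^object-group\s+(?:network|service|protocol|icmp-type)\s+(\S+)")


def parse_object_groups(config: str) -> Dict[str, List[str]]:
    """Return {group name: [member lines]}; members are the indented lines after a header."""
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        header = GROUP_HEADER.match(raw)
        if header:
            current = header.group(1)
            groups[current] = []
        elif raw.startswith(" ") and current is not None:
            groups[current].append(raw.strip())
        else:
            current = None  # any unindented line (e.g. access-list) ends the group
    return groups


def group_size(name: str, groups: Dict[str, List[str]], seen: frozenset = frozenset()) -> int:
    """ACEs one reference to this group expands to: a subnet or port range is a
    single entry, a nested group-object adds the size of the group it names."""
    if name in seen:
        raise ValueError(f"circular group-object reference through {name}")
    if name not in groups:
        raise KeyError(f"undefined object-group {name}")
    total = 0
    for member in groups[name]:
        if member.startswith("group-object "):
            total += group_size(member.split()[1], groups, seen | {name})
        else:
            total += 1
    return total


def expanded_aces(acl_line: str, groups: Dict[str, List[str]]) -> int:
    """ACEs produced by one access-list line: the product of the sizes of every
    object-group it references (1 when it references none)."""
    count = 1
    for name in re.findall(r"object-group\s+(\S+)", acl_line):
        count *= group_size(name, groups)
    return count


def count_aces(config: str) -> Dict[str, Dict[str, int]]:
    """Per access list: configured lines versus ACEs after expansion.
    Remark lines are documentation only and are not counted."""
    groups = parse_object_groups(config)
    result: Dict[str, Dict[str, int]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        acl = result.setdefault(tokens[1], {"lines": 0, "aces": 0})
        acl["lines"] += 1
        acl["aces"] += expanded_aces(raw, groups)
    return result


if __name__ == "__main__":
    for name, counts in count_aces(SAMPLE_CONFIG).items():
        print(f"{name}: {counts['lines']} configured lines -> {counts['aces']} ACEs in hardware")
```

In the constructed sample, four configured lines become 54 ACEs: the first permit alone is 4 branch networks x 3 servers x 3 port entries = 36, and the ICMP line picks up the nested group (3 + 1 members) for another 16. Multiply that effect across a few hundred lines with large object-groups and the hardware limit arrives long before the configuration looks large. The estimate is a planning aid only; the authoritative figure is the expanded count the module itself reports for its access lists, and it should be compared with the ACE limit Cisco documents for the FWSM release in use, which this article does not state.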

Features

The FWSM can be partitioned into multiple virtual firewalls, called security contexts. The resource manager lets an organization cap the resources any one security context may consume at a given time, so that one context cannot starve another. The transparent firewall feature configures the FWSM to act as a Layer 2 bridging firewall, which requires minimal changes to the existing network topology.[2]

References