
Firewall Services Module Release 2.2 Solutions Overview

SOLUTION OVERVIEW

DELIVERING DISTRIBUTED FIREWALL FEATURES ALONGSIDE MARKET-LEADING PERFORMANCE FOR TODAY'S HIGH-BANDWIDTH ENTERPRISE AND SERVICE PROVIDER NETWORKS

Challenge

Many customers have implemented, or are planning to implement, a structured campus network that gives all of their users ubiquitous access to the information resources they need to be fully productive in their roles, so that connected business processes can operate effectively throughout the organization. In addition, the campus network is often shared among independent business units or departments to maximize the return on the network investment. The result is frequently a completely open network with very few security mechanisms to stop malicious or unintentional attacks from disrupting networked business operations. Segmenting the campus-wide network into security zones is therefore a key requirement for these enterprises today, but how should it be done?
· Layer 2 and Layer 3 access lists can be implemented, but today's attacks often circumvent them easily
· Individual firewalls can be spread across the campus network at the distribution layer, but as the network grows and requirements change, supporting and maintaining these separate devices can prove costly
· Retrofitting existing networks with overlay security solutions often leads to band-aid approaches that are effective only for a short period of time

Solution

Cisco's vision of the self-defending network includes giving network designers the tools to deploy multiple security layers across the enterprise network, providing an in-depth threat defense system. The latest (2.2) software release of the FWSM, part of the family of service blades for the Catalyst 6500 switches and 7600 routers, provides many of the key firewall and networking features needed to implement multiple security zones throughout a switched campus network and within the enterprise data center. A key component of the Cisco Threat Defense System, the FWSM now includes the following features:
· Multiple firewall contexts: up to 100 independent firewall contexts in the same module and up to 4 modules in a chassis, allowing up to 4000 individual VLANs to be secured in the same chassis. To deploy this technology in a real network, the following are provided:

– Resource-allocation: to provide granular design control

– Security-level mapping: to facilitate the configuration of hundreds of interfaces

– Independent management: to allow different business entities to maintain their own specific policy

· Layer 2 firewalls: firewall technology can be inserted into an existing network without changing the addressing scheme, while at the same time preventing attackers from querying the firewall directly
· Active/Standby failover: resiliency is a necessary feature in today's enterprise networks, and an in-line network security layer should provide failover between multiple blades in the same chassis or between blades in different chassis
· Policy-based Network Address Translation: in many campus networks, once-simple address schemes have become complex to manage. Policy-based NAT gives customers full granularity over which packets are translated, so the translation can depend on the destination as well as the source of the packet rather than on the source address alone.

Business Benefits

The Catalyst 6500 family of LAN switches and the 7600 series of routers deliver a robust range of services and functionality, including L2 switching, L3 routing, Wide Area Networking (WAN) connectivity, firewalls, IPSec and MPLS VPNs, IDS, network analysis, and content security and caching, in one integrated system. With the added functionality of security contexts, customers can easily segment their structured campus networks into several network-wide trust zones and continue to enjoy the benefits of a distributed network that extends to all parts of the organization.
By combining this new security functionality with the scalability, reliability and manageability that support mission-critical business applications, network and security managers can implement the security policies required by current legislation and best practices while maintaining the productivity gains expected from today's networks.
With this latest release, Cisco continues to provide investment protection to its network customers by leveraging their installed campus network infrastructure to deliver security services integrated in the network. This added functionality is provided by a software license; no hardware upgrade is necessary for customers that already have the FWSM. Please contact your Cisco account representative for examples of how Cisco customers are already taking advantage of the new functionality in the FWSM.

Architecture

With hundreds of contexts available in one switch or router chassis, the number of possible design deployments is very large. This section briefly describes the two principal design criteria that should be considered when deploying the FWSM: resource allocation and VLAN assignment.
Resource allocation lets customers apportion the key performance parameters of the FWSM among individual contexts or classes of contexts. The parameters to be shared are: 5.5 Gbps of throughput, 1 million connections, 260,000 translations, 100,000 connections per second, 100,000 fix-ups per second, and 27,000 syslogs per second. If all firewall contexts are to be treated equally, a single FWSM can be divided into as many as one hundred 50-Mbps firewalls (each roughly equivalent to a PIX 506) using a default resource class. If some firewalls need more performance or resources, a separate class can be created and limited to a fixed percentage of the module's capacity (for example, 40%) so that the remaining firewalls are not affected. Note that the FWSM's resources can be oversubscribed (the class limits can add up to more than 100%) if the design requirements allow it; in that case the limits act as caps, not guarantees. By default, the FWSM ships with three contexts: one special administrative context and two customer contexts.
VLAN assignment is straightforward when deploying completely independent firewalls, since data separation was the overriding design criterion for the FWSM's context functionality. For large, complex firewall implementations, Cisco has added "equal security levels" to ease deployment of multi-interface firewalls. The challenge is to deploy multiple firewalls that share common interfaces. In theory any permutation can be deployed, but to simplify configuration Cisco recommends designs with one common interface as the outside (least trusted) network, so that packets arriving at that interface can be switched to the correct firewall context. Such a design might suit a large enterprise data center, a university campus with common access to the Internet, or a managed security service for many small businesses.
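The following configuration is an added example, not taken from the original document or from any Cisco publication. It illustrates the resource classes and the shared outside VLAN described in this section, together with the multiple-context and Layer 2 firewall features listed under Solution, in the FWSM 2.2 multiple-context command syntax as the editor recalls it. Context names, VLAN numbers, addresses and percentages are hypothetical, and every keyword should be verified against the FWSM 2.2 command reference before use.

```text
! Added example (not from the original document). Names, VLANs, addresses and
! percentages are hypothetical; verify each command against the FWSM 2.2
! command reference before use.
!
! ===== System execution space =====
mode multiple
!
! Contexts not placed in a named class fall into "default".
! "limit-resource all 0" removes the caps, so default-class contexts contend
! freely for whatever the gold class has not reserved.
class default
  limit-resource all 0
!
! Premium contexts: each member may use up to 20% of every limitable resource
! (connections, translations, and the connection, fix-up and syslog rates;
! raw throughput is not a limitable resource). Two members therefore account
! for 40% of the module, matching the document's example. Add up the
! percentages across all classes: a total above 100% is oversubscription,
! which the FWSM permits, but the limits then become caps, not guarantees.
class gold
  limit-resource all 20%
!
! VLAN 100 is the common outside (least trusted) network shared by the routed
! contexts; each context also gets its own inside VLAN.
admin-context admin
context admin
  allocate-interface vlan100
  allocate-interface vlan10
  config-url disk:/admin.cfg
!
context tenant-a
  member gold
  allocate-interface vlan100
  allocate-interface vlan101
  config-url disk:/tenant-a.cfg
!
context tenant-b
  member gold
  allocate-interface vlan100
  allocate-interface vlan102
  config-url disk:/tenant-b.cfg
!
! A Layer 2 (transparent) context bridges its own VLAN pair, so the hosts
! behind it keep their existing IP addressing.
context tenant-c
  allocate-interface vlan200
  allocate-interface vlan201
  config-url disk:/tenant-c.cfg
!
! ===== disk:/tenant-a.cfg (routed context on the shared outside VLAN) =====
nameif vlan100 outside security0
nameif vlan101 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
! A static translation gives this context a unique outside address. The FWSM
! classifies packets arriving on a shared VLAN by destination address, so
! without unique translated addresses it cannot tell tenant-a from tenant-b.
static (inside,outside) 192.0.2.10 10.1.0.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside
!
! ===== disk:/tenant-c.cfg (Layer 2 context with ARP inspection) =====
firewall transparent
nameif vlan200 outside security0
nameif vlan201 inside security100
! Management address only; the bridged hosts are unaware of the firewall.
ip address 10.20.0.5 255.255.255.0
! Static ARP entries plus inspection block ARP spoofing across the bridge;
! "no-flood" drops ARP packets that do not match a static entry.
arp outside 10.20.0.1 0011.2233.4455
arp-inspection outside enable no-flood
```

Two points to check after applying such a design: that the per-class limits add up the way the design intended (show resource allocation in the system space lists the configured shares, and show resource usage shows what each context is actually consuming), and that every context on the shared outside VLAN owns distinct translated addresses, since overlapping statics on a shared VLAN leave the classifier unable to deliver the packet to the right context.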
For more detailed information on design issues and architecture recommendations, visit http://www.cisco.com/go/tds and select the white paper which corresponds to your network security deployment.

WHY CISCO

Cisco's 20 Gbps switched firewall solution now supports multiple contexts for either Layer 3 (IP-based) or Layer 2 (Ethernet-based) security services. Deploying multiple firewall contexts provides full separation of security policy, including authentication, Network Address Translation, stateful access control, and syslog and statistics recording.
Layer 2 firewall support in the FWSM lets Cisco customers implement multiple contexts throughout an existing campus deployment without changing IP network addresses. In addition, ARP inspection and multicast pass-through are provided as data-link-layer firewall protection.
Enhanced resource allocation and limiting in the FWSM gives customers the tools to enforce policy across firewall contexts efficiently. Using classes, each context can be limited to a predetermined share of resources according to its role in the security deployment.
The latest release of the Cisco FWSM provides the full suite of security application filtering required for today's networks. This includes Voice-over-IP protocols (SIP, Skinny, MGCP, H.323 v3 and v4), URL filtering (Websense and N2H2), and IDS response options (blocking and resetting).

FOR MORE INFORMATION

For more information about the Cisco FWSM release v2.2, visit www.cisco.com/go/tds or contact your local account representative.
To obtain additional information on Cisco security solutions, access the following web sites:
· Cisco Self-Defending Network Strategy: www.cisco.com/go/selfdefend
· Cisco Threat Defense System: www.cisco.com/go/tds
· Cisco Integrated Security Solutions: www.cisco.com/go/security

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA. www.cisco.com. Tel: 408 526-4000, 800 553-NETS (6387). Fax: 408 526-4100
European Headquarters: Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands. www-europe.cisco.com. Tel: 31 0 20 357 1000. Fax: 31 0 20 357 1100
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA. www.cisco.com. Tel: 408 526-7660. Fax: 408 527-0883
Asia Pacific Headquarters: Cisco Systems, Inc., 168 Robinson Road, #28-01 Capital Tower, Singapore 068912. www.cisco.com. Tel: +65 6317 7777. Fax: +65 6317 7799
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Argentina · Australia · Austria · Belgium · Brazil · Bulgaria · Canada · Chile · China PRC · Colombia · Costa Rica · Croatia · Cyprus · Czech Republic · Denmark · Dubai, UAE · Finland · France · Germany · Greece · Hong Kong SAR · Hungary · India · Indonesia · Ireland · Israel · Italy · Japan · Korea · Luxembourg · Malaysia · Mexico · The Netherlands · New Zealand · Norway · Peru · Philippines · Poland · Portugal · Puerto Rico · Romania · Russia · Saudi Arabia · Scotland · Singapore · Slovakia · Slovenia · South Africa · Spain · Sweden · Switzerland · Taiwan · Thailand · Turkey · Ukraine · United Kingdom · United States · Venezuela · Vietnam · Zimbabwe
Copyright © 2004 Cisco Systems, Inc. All rights reserved. Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0403R) 204064_ETMG_WH_05.04