Implementing a Firewall Services Module (FWSM) in a Virtualized Network
A context on a Firewall Services Module (FWSM) is analogous to a virtual machine in VMware or to a switch that supports multiple VLANs. Although you are using the same physical hardware, you can logically separate the firewall functionality into unique instances. This is also known as virtualization. Each context has a unique set of interfaces, rules, and/or policies applied.
Rather than install a new firewall every time a new customer, department, agency, application, and so on is added, creating a new context is very simple and does not require any additional rack space. The footprint of a device is a huge concern in locations where customers lease space by the Rack Unit (RU). Multiple contexts do not require additional space. The "green" initiative is concerned with the impact on our environment. Reducing the amount of power consumed by leveraging multiple contexts and consequently reducing the hardware will help us do our part in being ecologically responsible.
Many organizations support multiple customers, departments, agencies, applications, and so on that not only require unique security policies, but also separation of those security policies. These security policies may be managed by different groups, which may need to be isolated.
Managing a single context with a single configuration and multiple groups will create a very complex rule set. Mistakes are more likely when working with a complex configuration. Separating the configurations into smaller, more manageable components will make the job of administration much easier and consequently make your network more secure.
The following diagram shows an example of a virtualized network infrastructure using Multi-protocol Label Switching – Virtual Private Network (MPLS-VPN). A pair of FWSMs in separate 6500s configured in an active–active configuration provide separation between multiple Virtual Routing and Forwarding (VRF) instances, control access to the Internet, protect shared services, and provide high–availability.
With the FWSM configured in transparent mode, a routing protocol can be allowed to pass through each context. Using eBGP, specifically with MPLS–VPN simplifies the configuration on the 6500 with the FWSM by not having to redistribute routes into another routing protocol. The routing protocol also provides a mechanism for failover at layer 3 in the event of a device malfunction or failure. This minimizes the configuration in each FWSM context by not having to support a routing protocol and also makes troubleshooting easier. If traffic flow is desired between VRFs, you will need to configure the BGP address family for each VRF in the 6500 with "allowas–in", to prevent BGP from discarding routes received from an autonomous system with the same number. Traffic between VRFs will transit the FWSM context associated with the local VRF, route through the Internet access router and traverse back through the FWSM context associated with the destination VRF.
Virtualization is one of the fundamental elements of the FWSM. It provides the ability to logically separate firewall instances into contexts, consequently providing separation of policies and leveraging the investment in hardware.
About the Author:
Cisco Secure Firewall Services Module (FWSM)