Cisco Catalyst 6500 Series User Manual

392 pages
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 1 Introduction to the Firewall Services Module
Features
Some established session packets must continue to go through the session management path or the
control plane path. Packets that go through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through the control plane path include the
control packets for protocols that require Layer 7 inspection.
Other Protection Features
Table 1-3 describes the protection features provided by the FWSM. These features control network
activity associated with specific kinds of attacks.
Table 1-3 Protection Features

| Protection Feature | Description |
| --- | --- |
| ARP Inspection | For transparent firewall mode, you can enable ARP inspection. By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the FWSM. When you enable ARP inspection, the FWSM compares the MAC address and IP address in all ARP packets to static entries in the ARP table. Enable this feature using the `arp inspection` command. |
| DNS Guard | DNS Guard identifies each outbound DNS resolve request, and allows only a single DNS response. A host might query several servers for a response (in the case that the first server is slow in responding), but only the first answer to the request is allowed. All additional responses to the request are dropped by the firewall. This feature is always enabled. This feature is unrelated to the DNS inspection engine. |
| Flood Guard | Flood Guard controls the tolerance of the AAA server for unanswered login attempts. This helps to prevent a DoS attack on AAA services in particular. This feature optimizes AAA system use. Flood Guard is enabled by default and can be controlled with the `floodguard` command. |
| Frag Guard | Frag Guard provides IP fragment protection, and can be configured with the `fragment` command. Note: In FWSM 1.1, the default fragment size was 1, which caused the FWSM to drop all fragments by default. In FWSM 2.3, the default fragment size is 200 (the same as the PIX default). |
| ICMP Filtering | The FWSM automatically denies ICMP access to FWSM interfaces. This feature shields FWSM interfaces from detection by users on an external network. You can allow ICMP to FWSM interfaces using the `icmp` command. |
| Mail Guard | Mail Guard provides safe access for SMTP connections from the outside to an inside messaging server. This feature lets you deploy a single mail server within the internal network without it being exposed to known security problems with some SMTP server implementations. This eliminates the need for an external mail relay (or bastion host) system. Mail Guard enforces a safe minimal set of SMTP commands to prevent an SMTP server system from being compromised. Enable this feature using the `fixup protocol smtp 25` command. |
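The DNS Guard row in Table 1-3 describes a first-response-wins rule. The Python model below is an added illustration of that rule, not Cisco code and not part of the manual. The match key (inside host, source port, DNS transaction ID), the class and function names, and the sample packets are assumptions, since the manual does not say how the FWSM correlates responses with requests.

```python
# Added illustration: simplified model of the DNS Guard rule, not FWSM code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DnsPacket:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int          # DNS transaction ID from the DNS header
    is_response: bool  # QR bit of the DNS header

@dataclass
class DnsGuard:
    # Assumed match key: (inside host, source port, transaction ID).
    pending: set = field(default_factory=set)

    def outbound(self, pkt):
        """Record an outbound DNS request; requests are always forwarded."""
        if pkt.dport == 53 and not pkt.is_response:
            self.pending.add((pkt.src, pkt.sport, pkt.txid))
        return "forward"

    def inbound(self, pkt):
        """Forward only the first response to a pending request."""
        key = (pkt.dst, pkt.dport, pkt.txid)
        if pkt.is_response and pkt.sport == 53 and key in self.pending:
            self.pending.discard(key)  # later answers no longer match
            return "forward"
        return "drop"

def replay(packets):
    """Run (direction, packet) pairs through a fresh guard; return verdicts."""
    guard = DnsGuard()
    return [guard.outbound(p) if d == "out" else guard.inbound(p)
            for d, p in packets]

# Constructed sample traffic using documentation address ranges.
HOST = "192.0.2.10"
SAMPLE = [
    ("out", DnsPacket(HOST, 40000, "198.51.100.1", 53, 0x1A2B, False)),  # query to server A
    ("out", DnsPacket(HOST, 40000, "198.51.100.2", 53, 0x1A2B, False)),  # retry to server B
    ("in", DnsPacket("198.51.100.2", 53, HOST, 40000, 0x1A2B, True)),    # first answer
    ("in", DnsPacket("198.51.100.1", 53, HOST, 40000, 0x1A2B, True)),    # late second answer
    ("in", DnsPacket("203.0.113.9", 53, HOST, 40000, 0x9999, True)),     # never requested
]

if __name__ == "__main__":
    for (d, p), verdict in zip(SAMPLE, replay(SAMPLE)):
        print(d, p.src, "->", p.dst, hex(p.txid), verdict)
```

The late answer from the slower server and the unsolicited response are both dropped, which is the behavior the table describes for additional responses.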

Cisco Catalyst 6500 Series Specifications

General
Brand: Cisco
Model: Catalyst 6500 Series
Category: Switch
Language: English
