Book review: Cisco Secure Firewall Services Module
I was very anxious to get my copy of Cisco Secure Firewall Services Module (FWSM) from Cisco Press, as I’m a purely router-focused person, and I wanted to understand the capabilities of the Firewall Services Module (PIX/ASA-like blade for the Catalyst 6500 switching system with virtual firewall capability). I have a good background in IOS-based firewalls and network address translation (NAT), so the book was a perfect fit for me. However, if you’re looking for “best practices for securing networks with FWSM,” you’ve been misled by the subtitle.
The book does a good job of explaining the functionality of FWSM. The coverage of advanced topics, including transparent/routed modes, virtual firewall contexts and the intricacies of resource allocation between virtual firewalls, gave me all the information I needed. Unfortunately, I’ve sorely missed the command syntax descriptions; sometimes you could deduce the command syntax from the examples. Every now and then the meaning of some of the command parameters (for example, the number after the interface name in the NAT pool definition) remains a mystery, and you’ll have to refer to Cisco’s online documentation to sort it out. It’s too bad, really; without these minor omissions, the book could be the definitive reference on FWSM. More annoying are typos in the crucial parts of the text; for example, in the introductory NAT section. I know how NAT works, so I was able to skip across the inconsistent IP addresses (between the sample configuration command and the following figure), but such a minor error could spell disaster for a beginning reader.
The “Advanced Configuration” section covers numerous topics that you might not need immediately, but it’s good to know that they are covered in the book. These topics include failover configuration, application-level inspection, URL filters, IP multicast and load balancing. Unfortunately, some of this coverage looks like the result of “feature creep” triggered by product managers; there’s very little substance beyond basic descriptions of the features.
“Design Scenarios” is one of the last chapters in the book, which is (in my personal opinion) very appropriate placement: you have to know what a box does before you can start discussing how to design networks using it. Most of the chapter covers variants of the same basic principle: how you can use VRF Lite, available on Catalyst 6500, to implement a virtual firewall. I am probably biased since I’m very familiar with the MPLS VPN, but I was hoping for a slightly wider look at the design challenges.
Recommendation: If you’re vaguely familiar with firewalls and network address translation and you want to get fluent with FWSM, this is the book you need. If you know what FWSM does and you’re looking for best practice recommendations, you’ll be disappointed. Last but not least, if you’re a beginner in the security world, start somewhere else.
3 comments: