Cisco Catalyst 6500 Series Configuration Manual page 32

Catalyst 6500 series switch and cisco 7600 series router firewall services
Chapter 1 Introduction to the Firewall Services Module
Features
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 1-6

Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

Other Protection Features

Table 1-3 describes the protection features provided by the FWSM. These features control network activity associated with specific kinds of attacks.

Table 1-3 Protection Features

Protection Feature | Description

ARP Inspection
For transparent firewall mode, you can enable ARP inspection. By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the FWSM. When you enable ARP inspection, the FWSM compares the MAC address and IP address in all ARP packets to static entries in the ARP table. Enable this feature using the arp inspection command.

DNS Guard
DNS Guard identifies each outbound DNS resolve request and allows only a single DNS response. A host might query several servers for a response (in case the first server is slow to respond), but only the first answer to the request is allowed. All additional responses to the request are dropped by the firewall. This feature is always enabled. This feature is unrelated to the DNS inspection engine.

Flood Guard
Flood Guard controls the tolerance of the AAA server for unanswered login attempts. This helps to prevent a DoS attack on AAA services in particular. This feature optimizes AAA system use. Flood Guard is enabled by default and can be controlled with the floodguard command.

Frag Guard
Frag Guard provides IP fragment protection, and can be configured with the fragment command.
Note: In FWSM 1.1, the default fragment size was 1, which caused the FWSM to drop all fragments by default. In FWSM 2.3, the default fragment size is 200 (the same as the PIX default).

ICMP Filtering
The FWSM automatically denies ICMP access to FWSM interfaces. This feature shields FWSM interfaces from detection by users on an external network. You can allow ICMP to FWSM interfaces using the icmp command.

Mail Guard
Mail Guard provides safe access for SMTP connections from the outside to an inside messaging server. This feature lets you deploy a single mail server within the internal network without exposing it to known security problems with some SMTP server implementations. This eliminates the need for an external mail relay (or bastion host) system. Mail Guard enforces a safe minimal set of SMTP commands to prevent an SMTP server from being compromised. Enable this feature using the fixup protocol smtp 25 command.
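The following configuration fragment is an added example, not text from the guide, showing how the commands named in Table 1-3 fit together on a transparent-mode FWSM. The interface names (inside, outside), the IP addresses, the MAC addresses and the fragment and ICMP limits are illustrative values chosen for this example; the hyphenated arp-inspection form is assumed from the command reference of this release, the guide above refers to it as the arp inspection command. Check the exact syntax against the command reference for the FWSM release you run before applying it.

```cisco
! Added example (not from the guide). Interface names, addresses and MACs are illustrative.
!
! ARP Inspection (transparent mode): the FWSM compares every ARP packet against
! the static ARP table, so the static entries must exist before inspection is enabled.
arp inside 10.1.1.10 00a0.c9a1.b2c3
arp outside 10.1.1.1 0011.2233.4455
! "no-flood" drops ARP packets that match no static entry instead of forwarding them;
! without static entries this would block all ARP traffic, so populate the table first.
arp-inspection inside enable no-flood
arp-inspection outside enable no-flood
!
! Flood Guard is enabled by default; stating it keeps the intent visible in the config.
floodguard enable
!
! Frag Guard: 200 is the FWSM 2.3 default database size (1 in FWSM 1.1 dropped all fragments).
! "chain" caps the number of fragments per packet, "timeout" bounds reassembly time in seconds.
fragment size 200 outside
fragment chain 24 outside
fragment timeout 5 outside
!
! ICMP Filtering: ICMP to FWSM interfaces is denied by default. Permit echo only from the
! management subnet on the inside interface so the outside cannot discover the FWSM.
icmp permit 10.0.0.0 255.255.255.0 echo inside
icmp deny any inside
!
! Mail Guard: restrict inbound SMTP to the minimal safe command set.
fixup protocol smtp 25
```

Apply the static arp entries before the arp-inspection commands: in no-flood mode, an ARP packet that matches no static entry is dropped, so enabling inspection on an interface with an empty table isolates that segment.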
