CLDFND: Cisco ASA 1000V Cloud Firewall


The ASA has been a firewall technology that is known and loved by security admins and network admins for quite a while, and being able to provide that same functionality for a cloud-based environment is what makes the ASAv so appealing. It’s good news to be able to deploy this – it’s also called the ASA 1000V. So this is our cloud firewall: a software-appliance, virtualized firewall that’s going to give us the tools to control the behavior of access.

So, whether we’re talking about edge security among our tenants, providing the ability to route out through a default gateway, or the elements we look to a firewall to provide – to say ‘Okay, shields up’, protect me against various types of network attacks and recognize them when they happen – those are the things we expect from an ASA, and we’re going to get them here, protecting our tenants inside of our virtualized infrastructure. So we’re following the same kind of thought process that we looked at before; we’re now looking at it inside of a virtualized system.

So again, here we see the idea that we’ve got a couple of tenants. Let’s look at the big picture. With each tenant, we know that everything is being managed by hosts, and that means hypervisors. Deployed to all those hosts, we have a consistent Cisco Nexus 1000V, so all of the tenants are plugged into the same kind of switches and everything is initially connected to this one fabric. We have vPath, which is responsible for ensuring that the most efficient forwarding decisions are made by those Cisco devices throughout our network. Within each tenant, we utilize the VSG (the Virtual Security Gateway). Remember, that’s what provides the framework for security between the virtual machines: it governs the policies for VM-to-VM communication within a tenant, and those policies are actually applied at the Cisco Nexus level.

Then we have the virtualized ASA for this tenant. When these VMs need to get out of their tenant-based environment, which is recognized – again – by vPath, we can apply the Cisco ASA firewall rules and definitions. So it integrates with the switch, recognizes the path, and can be managed with the Virtual Network Management Center. It complements the VSG by adding that extra layer of security – the security we need to control access out of our network and keep things secure and consistent. It also acts as a gateway for VXLANs when we’re controlling that behavior. Because everything leaving the tenant is going to funnel through it, just like a physical firewall, it can be dedicated: we can put it on a specific server and manage it to ensure it has the best performance. So we have to be considerate of that, but it’s essentially going to give me all the tools I need for the administrative deployment of edge support.

Notice in here that we’ve got a couple of Virtual Device Contexts, so we can create essentially two separate virtual firewalls, as necessary, with one software deployment of the ASA. We’ve subdivided that deployment to create two worlds that are isolated from each other but still within our tenant. Each of those separate worlds is managed by its own VSG for the tenant, but is also governed by the ASA for access out. So it is always the big picture of leaving the tenancy, leaving the boundary of administrative functionality that you’ve created within this environment.

Our goal is, of course, end-to-end security, and that means being considerate of both the physical appliances and modules and the software virtual appliances that we can deploy. So, again, we’re familiar with the ASA, familiar with Cisco devices and cards and components. It’s great to have those – I’m not saying we’re going to get rid of those – they’re already performing great functions. But as we look to cloud-deploy our environment, what we often find is that they are too rigid for all of our needs. So, to create a more virtualized end-to-end environment, that’s where we start allowing for essentially delegated control at the VSG level for what happens within each of these virtualized networks, and then egress control with the Cisco ASA.
So, again, these are the same technologies for the most part. We’re talking about policies and controls, which should be very familiar to someone who has managed Cisco security. Automated, policy-based provisioning means workflows are going to roll these out and allow us to templatize the process: okay, here’s a new tenancy, and here’s the network infrastructure that it needs. This is something we can automate using our administrative tools so that it rolls out consistently. The plan is to have a secure environment guided by the integration of all of these products. And, again, remember how fast this is going to perform, since the underlying communication plane is very much separated from the concerns we have in the physical plane, with a lot of crossover, high availability, and virtualization-based communication that gives us a kind of single-unit reward for deployment.
