Cisco Blogs


Cisco Blog > Cisco Interaction Network

Cisco ASA 1000V: The Cloud Ready Firewall

November 28, 2011
at 11:57 am PST

Juniper Reality

In this show, we cover the new ASA 1000V and how this security family represents the oldest yet most future ready security platform.

What is the relevance of a Firewall in today’s modern world where security must encompass every part of increasingly distributed operations? What is really meant by a Cloud Ready Firewall?  What the heck is this new ‘virtual ASA’…didn’t we already have the Virtual Security Gateway?  Perhaps its all just marketing hype…

Or not.

In my estimation, the cloud is overhyped in the short run, but underestimated in the long run.  Every enterprise is now exploring some aspect of a cloud based service model – whether this represents you now or in the future, the notion of a flexible security solution remains important.  Incredible advances for data center infrastructure with the flexibility and speed enabled by the virtualized tools we are all now using – MUST be accompanied by equally capable security tools.

The original maxim still rings true: Security must be addressed at every layer.

Questions we must answer:

  • Where is security best addressed in a hyperactive virtualized enterprise with the traditional organizational edges now so ‘cloudy…’
  • How do we isolate the business and the service without compromising the integrity of the data?
  • What, in the cloud, are you responsible for securing? This is crucial no matter what your style, public/private/hybrid.

The security game has not changed: It’s still about protecting the confidentiality, integrity and availability of data.

This show looks closely at the ASA family and goes deep on its newest member the ASA 1000V

Here is what we cover:

  • Healthy discussion on the firewall relevance debate
  • What is the right way to measure performance?
  • We introduce the new ASA 1000V Firewall for the Cloud and cover hard questions about how familiar it will seem to hardcore ASA engineers.
  • Break down the ASA’s virtual offering and ensure the clarity and relationship to Cisco’s Virtual Security Gateway (VSG)
  • Juniper Competitive Reality check – you need to know what you are looking at with high end firewalls…

Key Points:

Single ASA code base; consistency across form factors; we are now able to provide consistent security for your hybrid networks (physical, virtual, and cloud) using a proven firewall.

Integration with Nexus 1000V (vPath) – We have not just thrown the ASA into a VM; but it is a solution which is optimized to cater to the new virtualization and cloud challenges and use cases. vPath helps us provide a solution which is simpler, cleaner, much more flexible and efficient.

Enables multi-hypervisor support where we don’t need to develop a different virtual firewall for each different hypervisor. As Nexus1000V spans across hypervisors, we can easily start supporting those as well.

vPath enables a single instance of ASA 1000V to secure multiple ESX hosts. So, we don’t need 100 ASA 1000V instances to secure 100 ESX hosts. Customers can segregate their resources on which they deploy ASA 1000V and VSG instances and those on which they run their applications

VNMC – single point manager for VSG and ASA 1000V, which is custom made for addressing virtualization specific workflows. It integrates with vCenter to fetch VM attributes that provides us with the capability to define policies based on VM attributes (on top of out good old 5tuple)

  • Break down the ASA’s virtual offering and ensure the clarity and relationship to Cisco’s Virtual Security Gateway (VSG)
  • Juniper Competitive Reality check – you need to know what you are looking at with high end firewalls…

Further Reading:

Cisco Unveils Virtual Firewall Appliance to Protect Multi-Tenant Cloud

Gary Kinghorn’s blog: A New Virtual ASA: On Full Display at VMworld

ASA 1000V: Firewall for the Cloud

Sylvia Hooks and Rajneesh Chopra

Sylvia Hooks and Rajneesh Chopra

Virtual ASA and the Virtual Security Gateway

Jimmy Ray and Brian Conklin

Jimmy Ray and Brian Conklin

FEEDBACK LOOP: Firewall Troubleshooting

Ringo from Liverpool wants to know; “We can access some websites but not all thru our ASA. We have checked our filtering and even ran log on all of our ACL’s to see if that was the cause but no luck. Do you have any ideas?”

FEEDBACK LOOP: Firewall Troubleshooting

ASA 1000V: Configuration Tips and Tricks

Jimmy Ray and Brian Conklin

Brian Conklin

The Cisco Juniper Reality Check

Jimmy Ray and Mike Storm

Mike Storm is a Consulting Systems Engineer in our Irvine office…he supports a broad geography with thousands of customers.  As a security specialized engineer he is the one the field calls for the most challenging situations.  We heard from multiple sources that he would be a fantastic guest engineer to walk us through the reality of the Juniper SRX security solutions and how they stack up (for real) with the Cisco ASA.

This is a great segment…look for:

- Performance and connection limits

- Different Models

- How performance is REALLY tested

- Limited features

- Stripped configuration

- All high-end gear

- Packet size manipulation

- Data stream manipulation

- How this compares to Juniper SRX3600

- Size (form factor)

- Cost

- CPS

- Power used

- Concurrent Connections

- IPS impact on system performance

Four things we need to really hold Juniper accountable to:

1) Performance

2) Credibility

3) One OS story

4) False perception that they are ‘cheaper’

As always, thank you for watching!

________
Robb Boyd
Senior Executive Producer Creative Manager
Watch all the Shows at techwisetv.com
facebook.com/techwise
twitter.com/robbboyd

BONUS: Did you see our ‘Fundamentals of IPS’?

Tags: , , , , , , , ,

Comments Are Closed