Cisco partner Imperva formally announced plans this week to deploy and host their SecureSphere Web Application Firewall (WAF) on the Nexus 1010 and 1110 Virtual Service Appliances. The SecureSphere WAF will be the first third party virtual service available on the Cisco virtual service appliances, joining Cisco virtual services such as the Virtual Security Gateway (VSG), the ASA 1000V Cloud Firewall, virtual Network Analysis Module (vNAM), Data Center Network Manager (DCNM), and the Nexus 1000V Virtual Supervisor Module (VSM).
In earlier posts, I have described how virtual services can be best deployed on a separate UCS-based appliance running NX-OS. The Nexus 1100 series are dedicated platforms for hosting virtual service nodes that run in a virtual machine, rather than taking up valuable resources on application servers, and allow for easier manageability by the networking and security teams (rather than the server team).
By moving the WAF from the application server to a virtual services appliance, the virtual solution will provide separation of duties between the security administrator and server administrators, while offloading security processing from application servers to a dedicated appliance. Maintaining separation of duties is a key objective of many compliance initiatives, including the Payment Card Industry (PCI) Data Security Standard specification, e.g.
From the Imperva press release:
The interoperability of SecureSphere WAF with the Cisco Nexus 1110/1010 virtual service appliances is designed to simplify and accelerate deployment of networking and security services in a virtual and private cloud environment. Specifically, this solution is designed to provide separation of duties between the SecureSphere WAF administrator and server administrators and offload security processing from virtual server clusters to a dedicated Nexus 1110/1010 appliance.
“We believe the interoperability between Cisco Nexus 1110/1010 and Imperva Web Application Firewall will offer our joint customers a convenient, cost-effective option to protect sensitive Web applications as well as enable them to meet PCI compliance requirements,” explained Imperva CTO Amichai Shulman. “We believe the need for application security is growing and the Cisco-Imperva collaboration will help organizations protect business applications and data.”
Integration benefits include the ability to:
· Protect sensitive Web applications and data
· Satisfy PCI 6.6 compliance requirements
· Ease deployment of Web application security in a multi-vendor hypervisor environment
· Provide separation of duties for network or security administrators and server administrators
· Leverage Cisco Nexus 1110/1010 virtual service blade management capabilities to manage and monitor the SecureSphere WAF
· Reduce management overhead by consolidating multiple network services on a single platform
SecureSphere WAF provides protection against a variety of web-based attacks, including theOpen Web Application Security Project (OWASP) Top Ten attacks, such as SQL Injection,Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). For more detailed information on the Imperva WAF, check out their announcement.