Last month the VCE Company, the joint venture between Cisco and EMC (with investments from VMware and Intel) that makes the Vblock infrastructure platforms, released a report on Cisco’s virtual services validating their suitability on the Vblock platform. The 40 page technical report covers both Cisco’s Virtual Security Gateway (VSG) firewall, and our Virtual Wide Area Application Services (vWAAS) WAN optimization solution. Both Cisco products run as virtual machines on a VMware hypervisor and the Nexus 1000V virtual switch on an application server, or in the case of VSG, on a Nexus 1010 services appliance. Read More »
This week Cisco is announcing the ASA 1000V cloud firewall, a product that we previewed at VMworld last month and in an earlier blog post. This video provides a very high level introduction to our latest virtual security product.
At VMworld this week in Las Vegas, Cisco will be providing a preview of a virtual implementation of our ASA security appliance. A “preview” implies that we aren’t ready to announce ultimate pricing or availability, but we are demonstrating a strategic direction for the ASA product line. Earlier, I alluded to important new advances in our virtual security story upcoming at VMworld in the comments section of a recent blog post I wrote responding to HP criticisms of our Virtual Security Gateway (VSG) product.
With security concerns being the most frequently cited obstacle to large scale virtualization projects and adopting cloud computing models, Cisco will be greatly enhancing its industry-leading virtual security infrastructure with this product. The new virtual ASA introduces a wide range of security services that have not been available from Cisco before in a virtual form factor. The virtual ASA will enable more sophisticated security policies that better align with business and compliance needs in the virtual data center.
Some of the key aspects of this new virtual ASA product:
- The ASA family is one of the most deployed and trusted security products in the industry, with over 15 years of security experience and more than 1 million appliances installed, and now is available in a virtual form factor for greater flexibility in the data center
- Virtual ASA runs the ASA feature set, so important capabilities such as VPN , NAT, and much more will be available in addition to firewall capabilities
- The Virtual ASA will run on top of the Nexus 1000V virtual switch, fully leveraging the VM and traffic visibility provided by the Cisco virtual fabric, as well as optimal traffic steering to the security node from the VM and virtual switch
Rather than replacing our VSG virtual firewall, the virtual ASA will be a strong complement for the current VSG capabilities. The virtual ASA includes security functionality most often deployed at the edge of an organization and the edge of the data center. As such, it is better suited for North-South traffic into the data center and virtual applications. VSG, with its greater visibility to VM-specific and application attributes, enforces security policies between applications and virtual machines, and is more East-West traffic oriented.
Across the whole ASA product line, customers will be able to get consistent functionality, management and policy enforcement across all form factors (stand-alone appliance, modular blade, and now virtual instances). And with Nexus 1000V integration, Virtual ASA customers will also get consistency in management, provisioning and service routing with Cisco’s other virtual services including VSG and vWAAS. At a minimum, this should alleviate all objections that we just offered a virtual firewall and not other key security services.
If you are in Las Vegas next week, we encourage you to come by the Cisco booth (#700) for a look. If not, stay tuned for more details…
One of the things I admire about Cisco marketing, and I think generates a lot of respect for us from our customers, is how we approach competitive marketing. Most importantly, we hardly ever do it. Sure, we arm our sales teams with specific comparison data, but it’s rare we feel the need to compare ourselves publically or to bash competitors. When you bash a competitor, it really only serves to give them credibility, and highlights that they must be doing something important to occupy your mindshare, or that of your customer’s. Occasionally though, we are faced with not only having to take the gloves off a little more, but responding to the inevitable FUD that gets thrown our way.
This brings us to a blog post written by HP about Cisco’s Virtual Security Gateway (VSG), which unfortunately contains a number of inaccuracies and misrepresentations of our product that we have to clear up.
Let’s start with this example:
Cisco has a product called the Virtual Security Gateway (VSG) for the Nexus 1000V Series. It is a virtual firewall that lets you enforce policy and segmentation virtual environments. All associated security profiles are configured to include trust-zone definitions and access control lists (ACLs) or rules. They also support VM mobility when properly configured. If there’s one thing the company is good at, it is those good-old ACLs developed back in the early 90s!
The strength of VSG’s firewall capabilities is its awareness of the virtual machine environment, and specifically the ability to write firewall rules based on the attributes of the virtual machine, attributes such as the NAME of the VM. This gives tremendous power to establish policies in virtual environments, such as logically isolating tenants running on the same machine, or separating VMs based on operating system or application type in virtual desktop environments, a use case I wrote about earlier. To imply VSG is enforcing good-old ACL’s from the 90’s is disingenuous at best. Read More »
Today, I wanted to point out a couple of great resources to develop a deeper understanding of Cisco’s virtual switch, the Nexus 1000V.
First, we were excited to have Prashant Gandhi, our Sr. Director of Product Management for the Nexus 1000V, be invited onto the latest Packet Pushers Podcast, hosted by Greg Ferro. If you aren’t yet familiar with the PP Podcasts, they are an entertaining technical dive into a wide range of networking concepts with guests from vendors as well as large IT organizations. Greg’s expertise lies in the data center and with all things networking, including virtualization and L4-7 application services. In this podcast, all about the Nexus 1000V, Greg, Prashant and the other co-hosts talk about the architecture and deployment issues. There’s an extensive comparison of Cisco’s 802.1Qbh virtual Ethernet bridge protocol with the 802.1Qbg proposal from HP, VEPA. Listen to the full podcast here.
Greg had made an earlier plea on his blog that he wasn’t getting enough Cisco guests. We were happy to help out and enjoyed the interaction. We talked about having Prashant back on a future show to talk about vPath and the Virtual Security Gateway (VSG), the virtual firewall running on the Nexus 1000V. We look forward to that as well.
For a deeper, hand-on dive into the Nexus 1000V, nothing beats the Cisco CloudLab (http://cloudlab.cisco.com). We’ve set up an online workbench configured with all the tools and software to play around with the virtual switch yourself. Cisco Cloudlab is available to folks outside Cisco, but you will have enter the name of a Cisco employee sponsor to approve access. There are a number of lab exercises you can walk through to get a general overview, install or upgrade the Nexus 1000V, as well as VSG.