Security Policies Made Easy in New Virtual Network Management Center 2.0

August 27, 2012

As VMworld swings into high gear on a bright Monday morning in San Francisco (well it promises to be bright, once the sun comes up here), we continue our series on the virtualization product updates we are unveiling this week (see earlier news on the new Nexus 1000V and the ASA Cloud Firewall). One of the exciting new components of our Nexus 1000V virtualization stack is the Cisco Virtual Network Management Center (VNMC) 2.0, part of the Intelligent Automation portfolio.

VNMC 2.0 is a template-driven policy management tool that is now bundled with Cisco Virtual Security Gateway (VSG) and Cisco ASA 1000V Cloud Firewall. This new release has expanded capabilities for configuring the security of your virtual cloud environment. Because VNMC 2.0 is such a step up from prior releases, and fewer people are familiar with its functionality, this is going to be a somewhat longer post than usual (but with lots of screen shots).

Let’s take a look at some of the key VNMC features and how it works with the two virtual firewalls:

Resource Objects for ASA 1000V

Cisco VNMC abstracts the devices it manages. As part of provisioning, devices are configured to point to Cisco VNMC for policy management. Cisco VNMC discovers all devices and lists them under the Resources pane. In addition to the ASA 1000V, the Resources pane has other resources such as Cisco VSGs, VSMs, and VMs.

[VNMC screen shot: Resources pane]

Adding and Configuring Edge Firewalls

In Cisco VNMC, a logical edge firewall object for a tenant must be created in the Managed Resources pane. The Edge Firewall object type refers to the ASA 1000V and represents a logical instance of the ASA 1000V. This object defines the inside and outside interfaces and allows device profiles and edge device profiles to be applied to the ASA 1000V. In addition, the edge security profile for the outside interface is applied here.

Creating and Applying Edge Device Profiles

Multiple ASA 1000V instances can use the same edge device profile. This profile type contains policies that are unique to the ASA 1000V; for example, DHCP server, routing, and VPN device policies, which do not apply to Cisco VSG or other devices.

Creating and Applying Edge Security Profiles

Edge Security Profiles include policies that can be applied to port profiles or VMs. Most of the firewall policies are defined in this type, including ACLs, NAT, VPN and so on. Edge security profiles can also be applied to the outside interface of the ASA 1000V. In this case, the policies are applied to traffic from sources that do not have a security profile attached. Typically, an edge security profile is used on the outside interface of the ASA 1000V to define permit ACLs.

Site-to-Site IPsec VPNs

A site-to-site VPN connects networks in different geographic locations. The ASA 1000V supports IPsec site-to-site connections (called tunnels) to Cisco or third-party peers. The supported protocols for IPsec site-to-site tunnels are IKEv1 and IKEv2 using a pre-shared key.

In Cisco VNMC, the VPN configuration is divided into two sections: device configuration and interface configuration. Device configuration is done in the Edge Device Profile, which holds the IKE configuration and the tunnel-group peer configuration.

Interface configuration is done in the Edge Security Profile; the crypto map configuration is considered interface configuration.
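Because the two halves of a tunnel definition live in different profile types, a mismatch (a crypto map that names a peer with no tunnel group, a tunnel group whose IKE version is not enabled, an empty pre-shared key) only shows up when the tunnel fails to come up. The following is an added example, not code from the post or from Cisco VNMC, that models the split described above with two small Python classes and cross-checks them before deployment. The class and field names, the check logic and the 203.0.113.x peer addresses are all constructed for illustration; they are not VNMC's object model or API.

```python
"""Pre-deployment consistency check for an ASA 1000V site-to-site IPsec tunnel
whose configuration is split across an edge device profile (IKE + tunnel-group
peers) and an edge security profile (crypto map).  Hypothetical model, not the
VNMC API."""
from dataclasses import dataclass, field

SUPPORTED_IKE = {"ikev1", "ikev2"}  # the post: IKEv1 and IKEv2 with a pre-shared key


@dataclass
class EdgeDeviceProfile:
    # Device-level VPN configuration (hypothetical fields).
    ike_versions: set = field(default_factory=set)           # IKE versions enabled on the device
    tunnel_group_peers: dict = field(default_factory=dict)   # peer address -> {"psk": str, "ike": str}


@dataclass
class EdgeSecurityProfile:
    # Interface-level VPN configuration (hypothetical fields).
    crypto_map: list = field(default_factory=list)           # [{"peer": address, "transform": str}]


def validate_site_to_site(device: EdgeDeviceProfile, security: EdgeSecurityProfile) -> list:
    """Return a list of human-readable problems; an empty list means the two
    profiles describe a complete, mutually consistent set of tunnels."""
    problems = []
    referenced = set()
    for entry in security.crypto_map:
        peer = entry.get("peer")
        referenced.add(peer)
        tg = device.tunnel_group_peers.get(peer)
        if tg is None:
            # Interface half exists but the device half does not.
            problems.append(f"crypto map peer {peer}: no tunnel-group peer in edge device profile")
            continue
        if not tg.get("psk"):
            problems.append(f"tunnel-group peer {peer}: empty pre-shared key")
        ike = tg.get("ike")
        if ike not in SUPPORTED_IKE:
            problems.append(f"tunnel-group peer {peer}: unsupported IKE version {ike!r}")
        elif ike not in device.ike_versions:
            problems.append(f"tunnel-group peer {peer}: {ike} is not enabled in edge device profile")
    for peer in device.tunnel_group_peers:
        if peer not in referenced:
            # Device half exists but no interface ever uses it.
            problems.append(f"tunnel-group peer {peer}: not referenced by any crypto map entry")
    return problems


# Constructed sample: one good tunnel and three different mistakes.
SAMPLE_DEVICE = EdgeDeviceProfile(
    ike_versions={"ikev2"},
    tunnel_group_peers={
        "203.0.113.10": {"psk": "example-psk-change-me", "ike": "ikev2"},
        "203.0.113.20": {"psk": "", "ike": "ikev1"},   # empty PSK, and IKEv1 is not enabled
        "203.0.113.30": {"psk": "example-psk-change-me", "ike": "ikev2"},  # never referenced
    },
)
SAMPLE_SECURITY = EdgeSecurityProfile(
    crypto_map=[
        {"peer": "203.0.113.10", "transform": "aes-256-sha"},
        {"peer": "203.0.113.20", "transform": "aes-256-sha"},
        {"peer": "203.0.113.40", "transform": "aes-256-sha"},  # no tunnel-group peer for it
    ],
)


def check_sample() -> list:
    """Run the validator over the constructed sample profiles."""
    return validate_site_to_site(SAMPLE_DEVICE, SAMPLE_SECURITY)


if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```

The check is deliberately one-directional in the sense the post implies: every crypto map entry (interface side) must resolve to a tunnel-group peer (device side) that is complete, and every tunnel-group peer should be consumed by some interface, so that a profile shared by multiple ASA 1000V instances does not carry dead peers. Running `check_sample()` on the sample reports four problems: the empty key and disabled IKE version on 203.0.113.20, the missing tunnel group for 203.0.113.40, and the unreferenced peer 203.0.113.30.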

Centralized Device Administration using device profiles

Device profiles include policies that are global, regardless of the type of appliance. The same device profile can be shared between Cisco VSG and the ASA 1000V. This profile type contains policies such as NTP server and syslog server settings.

This is a comprehensive set of features, but needless to say it isn’t a complete list of VNMC’s capabilities. For more information, please check out our product page and the more in-depth materials. If you’re at VMworld 2012 in San Francisco, we hope you’ll come check out VNMC at the Cisco booth! We’ll be performing demos there so you can see the full suite of security features first-hand.

And remember, if you are around #VMworld this week, give us a shout out on twitter using Cisco hash tag #ciscovmw or to me @gkinghorn.
