Cisco Blogs

Duct Tape and Chewing Gum Isn’t Enough: Cloud and Virtual Environments Require Specialized Security

October 26, 2011 - 2 Comments

By now, just about everybody who works in IT knows that consolidating multiple workloads onto one physical server raises server utilization, cuts procurement and operating costs, and makes the infrastructure as a whole more efficient. That is why virtualization remains one of the hottest topics in IT: its benefits apply to organizations of every size. Just about every company is investing in, or at least seriously considering a move to, virtualization and cloud computing infrastructures. And according to analysts, they're not exactly dipping their pinkie toes in the shallow end of the pool: among organizations that have committed to virtualization, roughly 64% of servers and 70-80% of server workloads are already virtualized.

While virtual and cloud environments gain momentum, a significant problem is growing with them: how to secure them properly. Most security products were built for the physical world, which makes sense, since physical networks have been around for decades while virtual and cloud infrastructures are relative newcomers. Many vendors claim to offer security for virtual environments, but what they actually ship is the same physical-world product, retrofitted to run under a hypervisor. The retrofit leaves a blind spot: traffic between two VMs on the same host is switched inside the hypervisor and never crosses a physical wire, so an appliance that depends on sitting inline on that wire never sees it.

Now don't get me wrong – I'm as big a fan of repurposing an existing device as the next guy. But let's face it, there are problems we really ought not try to solve with duct tape and chewing gum, and I hope we can all agree that network security is one of them. It's how I approach most DIY projects: even if I've never done it before, if I think I have a reasonable chance of success and failure has relatively painless consequences, I'll give it a whack. But if it's something like complex electrical work, where I'm well outside my expertise and failure means I die, I'm more inclined to call an expert.

The same rationale applies to network security. Personal death isn't a typical outcome of a failed security strategy, but the consequences of failure are still bad, so again, I think we can all agree it's worth getting right the first time.

The physical world employs a specific set of rules, policy handling, and access privileges, and they rest on an assumption the virtual world does not honor: that a server stays on the switch port, VLAN and host where it was deployed, so policy can be anchored to its position in the network. Virtual machines migrate between hosts, are cloned and retired in minutes, and never touch a physical port when they talk to a neighbor on the same host. Cloud environments differ even more, adding multi-tenancy, where tenants sharing one infrastructure may even use overlapping address ranges. To properly secure these environments, you really need a solution built from the ground up for this brave new world, with those requirements designed in rather than bolted on.

Cisco understands all of this and has built a cloud firewall to address these needs. The ASA 1000V Cloud Firewall secures multi-tenant virtual and cloud infrastructures at the tenant edge, that is, the north-south boundary between a tenant and everything outside it. It works in parallel with the Cisco Virtual Security Gateway (VSG), which applies zone-based policy to east-west traffic between VMs inside a tenant. Both integrate with the Cisco Nexus 1000V Series Switch, so the ASA 1000V inherits that switch's capabilities, including support for multiple hypervisors (most vendors lock you in to one) and the ability of a single ASA 1000V instance to secure workloads on multiple VMware ESX hosts. These “little extras” add deployment flexibility and simplify management, making your life easier while you make your network more secure.
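To make the two points above concrete (policy keyed on network position breaks in a virtual data center, and same-host VM traffic never reaches a physical appliance), here is a constructed toy model. It is an added example written for this page, not Cisco code and not how the ASA 1000V or VSG are configured; the VM inventory, tenant names, addresses, zone policy and the three named enforcement points are all assumptions made for illustration.

```python
"""Toy model of policy enforcement in a virtualized, multi-tenant data center.

Constructed illustration (not Cisco code). It shows:
 1. traffic between two VMs on the same host never leaves a host NIC, so a
    physical-world appliance cannot see it;
 2. policy keyed on VM attributes (tenant, zone) survives cloning, migration
    and overlapping tenant address space, where an IP-keyed ACL does not.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VM:
    """A virtual machine and the attributes policy can be keyed on."""
    name: str
    tenant: str
    zone: str   # security zone inside the tenant: "web", "app" or "db"
    host: str   # hypervisor host the VM currently runs on
    ip: str


# Constructed inventory (assumed names and addresses). Note the overlapping
# address space between tenants, which is common in multi-tenant clouds.
WEB1 = VM("web1", "acme", "web", "esx-01", "10.1.1.10")
APP1 = VM("app1", "acme", "app", "esx-01", "10.1.2.10")
DB1 = VM("db1", "acme", "db", "esx-02", "10.1.3.10")
WEB2 = VM("web2", "acme", "web", "esx-02", "10.1.1.11")     # scale-out clone of web1
OTHER = VM("vm-x", "globex", "web", "esx-01", "10.1.1.10")  # other tenant, same IP as web1

# Zone policy for east-west traffic inside a tenant: (src_zone, dst_zone) -> allowed dst ports.
ZONE_POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("web", "app"): {8080},
    ("app", "db"): {3306},
}
# Tenant-edge policy for north-south traffic entering the tenant: dst_zone -> allowed ports.
EDGE_INBOUND: Dict[str, Set[int]] = {"web": {443}}

# Physical-world ACL keyed on addresses: permits web1 -> app1 only.
LEGACY_ACL: Set[Tuple[str, str, int]] = {("10.1.1.10", "10.1.2.10", 8080)}


def on_physical_wire(src: VM, dst: Optional[VM]) -> bool:
    """True if the flow ever leaves a host NIC. dst=None means a destination
    outside the tenant (e.g. the Internet). Two VMs on the same host talk
    through the virtual switch only, so a physical appliance never sees it."""
    return dst is None or src.host != dst.host


def enforcement_points(src: VM, dst: Optional[VM]) -> List[str]:
    """Enforcement points on the path, in order from the source VM:
    'zone'        hypervisor-resident firewall between zones of one tenant (east-west)
    'tenant-edge' hypervisor-resident firewall at the tenant boundary (north-south)
    'perimeter'   physical appliance at the data-center edge"""
    if dst is None:
        return ["tenant-edge", "perimeter"]
    if src.tenant != dst.tenant:
        return ["tenant-edge"]
    return ["zone"]


def zone_verdict(src: VM, dst: VM, port: int) -> str:
    """Intra-tenant zone rule: keyed on (tenant, zone), not on IP address."""
    if src.tenant != dst.tenant:
        return "deny"  # a zone rule never spans tenants
    return "allow" if port in ZONE_POLICY.get((src.zone, dst.zone), set()) else "deny"


def edge_inbound_verdict(dst: VM, port: int) -> str:
    """Tenant-edge rule for traffic arriving from outside the tenant."""
    return "allow" if port in EDGE_INBOUND.get(dst.zone, set()) else "deny"


def legacy_verdict(src: VM, dst: VM, port: int) -> str:
    """Address-keyed ACL, as a physical firewall would hold it."""
    return "allow" if (src.ip, dst.ip, port) in LEGACY_ACL else "deny"


def migrate(vm: VM, new_host: str) -> VM:
    """Live migration: the VM keeps its identity and address but changes host."""
    return replace(vm, host=new_host)


if __name__ == "__main__":
    print("web1->app1 leaves a NIC:", on_physical_wire(WEB1, APP1))             # False
    print("web1->app1 zone verdict:", zone_verdict(WEB1, APP1, 8080))           # allow
    print("web2->app1 zone verdict:", zone_verdict(WEB2, APP1, 8080))           # allow: clone inherits zone
    print("web2->app1 legacy verdict:", legacy_verdict(WEB2, APP1, 8080))       # deny: new IP not in ACL
    print("globex vm->app1 zone verdict:", zone_verdict(OTHER, APP1, 8080))     # deny: other tenant
    print("globex vm->app1 legacy verdict:", legacy_verdict(OTHER, APP1, 8080)) # allow: address collision
    print("web1->app1 after migration:", on_physical_wire(migrate(WEB1, "esx-02"), APP1))  # True
```

The two verdicts that matter are the last pair: the cloned web2 is covered by the zone rule without anyone touching policy, while the address-keyed ACL silently denies it; and a VM in another tenant that happens to reuse web1's address is correctly denied by the zone rule but permitted by the ACL, because an IP address is not an identity once tenants share infrastructure.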

The ASA 1000V also builds on mainstream Adaptive Security Appliance (ASA) technology, optimized for virtual and cloud environments, which gives it the best of both worlds. On the one hand, it was built specifically for virtual and cloud environments rather than being a retrofit of a physical-world firewall. On the other, it runs the ASA code base, so it works alongside physical ASA appliances with consistent security capabilities, policy and management across physical, virtual, and cloud infrastructures. A shared code base also means a shared patch stream: an ASA software advisory applies to the virtual instances too, so they belong in the same update cycle as the hardware appliances. The result is an end-to-end security solution for hybrid infrastructures.

For more information on the Cisco ASA 1000V Cloud Firewall, see the video below or visit



  1. In the Cisco UCS book, pages 92/93, there are 3 models for edge connectivity, all under the banner of VN-Link:
     Model 1 - Software switching (Nexus 1000V)
     Model 2 - VNTag in hardware
     Model 3 - VNTag in hardware with VMDirectPath
     How do/don't the Cisco VSD and ASA 1000V apply to the 3 models? Is Cisco pursuing each model with similar effort? Is Cisco working on security innovation for models 2 and 3, assuming VSD and ASA 1000V don't apply to these models? Are there any numbers available around deployments of models 2 and 3? Thanks, Steve

  2. Like the title, and it definitely reflects the idea of the post. When it comes to using a cloud for storing data, everyone is concerned about security, and it's only normal that this happens. It seems that some companies have done more than question the safety of the cloud and have come up with solutions, which is a great thing for all of us.