Avatar

Today, companies invest in making their security controls scalable and dynamic to meet the ever-increasing demand on their network(s). In many cases, the response is a massive shift to Kubernetes® (K8s®) orchestrated infrastructure that provides a cloud-native, scalable, and resilient infrastructure.

This is where Cisco Secure Firewall Cloud Native (SFCN) comes in. It gives you the flexibility to provision, run, and scale containerized security services. Cisco Secure Firewall Cloud Native brings together the benefits of Kubernetes and Cisco’s industry-leading security technologies, providing a resilient architecture for infrastructure security at scale.

Figure 1 – Cisco Secure Firewall Cloud Native platform overview
Figure 1 – Cisco Secure Firewall Cloud Native platform overview

The architecture depicted above shows a modular platform that is scalable, resilient, DevOps friendly, and Kubernetes-orchestrated. In the initial release of Cisco Secure Firewall Cloud Native, we have added support for CNFW (L3/L4 + VPN) in AWS. Future releases will add support for CNTD (L7) security and other cloud providers.

Key capabilities of Cisco Secure Firewall Cloud Native include:

  • Modular and scalable architecture
  • Kubernetes orchestrated deployment
  • DevOps friendly with Infrastructure-as-Code support (IaC)
  • Data externalization for stateless services via a high-performance Redis™ database
  • Multi-AZ, multi-region, and multi-tenant support
Figure 2 – Cisco Secure Firewall Cloud Native platform components
Figure 2 – Cisco Secure Firewall Cloud Native platform components

The architecture depicted above shows the Cisco Secure Firewall Cloud Native platform, which uses Amazon EKS, Amazon ElastiCache™, Amazon EFS with industry-leading Cisco VPN and L3/L4 security control for the edge firewall use-case. The administrator can manage Cisco Secure Firewall Cloud Native infrastructure using kubectl + YAML or Cisco Defense Orchestrator (CDO). Cisco provides APIs, CRDs, and Helm™ charts for this deployment. It uses custom metric and Kubernetes horizontal pod autoscaler (HPA) to scale pods horizontally.

Key components include:

  • Control Point (CP): The Control Point is responsible for config validation, compilation and distribution, licensing, routes management. CP pods accept configuration from REST APIs, kubectl+YAML, or Cisco Defense Orchestrator.
  • Enforcement Point (EP): CNFW EP pods are responsible for L3/L4 and VPN traffic handling and VPN termination.
  • Redirector: Redirector pod is responsible for intelligent load balancing remote access VPN traffic. When the redirector receives a request, it contacts Redis DB and provides Fully Qualified Domain Name (FQDN) of the enforcement pods handling the least number of VPN sessions.
  • Redis DB: The Redis database has information on VPN sessions. The redirector uses this information to enable smart load balancing and recovery. 

The following instance type is supported for each component.

firewall

Initial use-cases:

  • Scalable Remote Access VPN architecture
  • Scalable Remote Access VPN architecture with smart load balancing and session resiliency
  • Scalable DC backhauls
  • Multi-tenancy
  • Scalable cloud hub
  • Scalable edge firewall

Scalable Remote Access VPN architecture

Cisco Secure Firewall Cloud Native provides an easy way to deploy scalable remote access VPN architecture. It uses custom metrics and horizontal pod autoscaler to increase or decrease the number of CNFW Enforcement Points as needed. The Control Point controls configuration, routing, and Amazon Route 53™ configuration for the auto-scaled Enforcement Point.

Figure 3 – Scalable Remote Access VPN architecture
Figure 3 – Scalable Remote Access VPN architecture

Traffic flow:

  1. The remote VPN user sends a DNS query for vpn.mydomain.com. Amazon Route 53 keeps track of all CNFW nodes, and it has “A record” for each node with weighted average load balancing enabled for incoming DNS requests.
  2. The remote VPN user receives “Elastic IP – EIP” of the outside interfaces of the CNFW node.
  3. The remote VPN user connects to the CNFW node. Each node provides a separate VPN pool for proper routing.

Scalable Remote Access VPN architecture, with smart load balancing and session resiliency

Cisco Secure Firewall Cloud Native architecture with smart load balancing uses Amazon ElastiCache (Redis DB) to store VPN session information. Redirector node consults Redis database to perform load balancing based VPN session count, instead of weighted average load balancing.

The Control Point controls configuration, routing, redirector configuration, and Route 53 configuration for the auto-scaled enforcement point.

Figure 4 – Scalable Remote Access VPN architecture with smart load balancing and session resiliency
Figure 4 – Scalable Remote Access VPN architecture with smart load balancing and session resiliency

Traffic flow:

  1. The remote VPN user sends a DNS query for vpn.mydomain.com, and vpn.mydomain.com points to the CNFW redirector.
  2. The remote VPN user then sends the request to the redirector.
  3. CNFW redirector periodically polls the Redis database (Amazon ElastiCache) to find out the FQDN of the Cisco Secure Firewall Cloud Native nodes with the least number of VPN endpoints. CNFW redirector provides FQDN of the least loaded CNFW node to the remote VPN user.
  4. The remote user resolves FQDN, we automatically add “A” record for each CNFW enforcement point in Amazon Route 53.
  5. The remote VPN user connects to the CNFW node that has the least number of VPN sessions.

Scalable DC backhauls

The autoscaled Enforcement Points can form a tunnel back to the data center automatically. Cisco provides a sample Kubernetes deployment to enable this functionality.

Figure 5 – Scalable DC backhaul
Figure 5 – Scalable DC backhaul

Multi-tenancy

This architecture provides multi-tenant architecture using cloud-native constructs such as namespace, EKS cluster, nodes, subnets, and security groups.

Figure 6 – Multi-tenancy
Figure 6 – Multi-tenancy

Scalable cloud hub

This architecture provides a scalable cloud architecture using CNFW, Amazon EKS, and other cloud native controls.

Figure 7 – Scalable cloud hub
Figure 7 – Scalable cloud hub

Scalable edge firewall

This architecture provides a scalable architecture using CNFW, Amazon EKS, and other cloud-native controls.

Figure 8 – Scalable edge firewall
Figure 8 – Scalable edge firewall

Licensing

Cisco Secure Firewall Cloud Native is available starting with ASA 9.16. This release brings CNFW (L3/L4 + VPN) security with Bring Your Own Licensing (BYOL), using Cisco Smart Licensing.

  • Licenses are based on CPU cores used
  • Supports multi-tenancy
  • Unlicensed Cisco Secure Firewall Cloud Native EP runs at 100 Kbps
  • AnyConnect license model is the same as the ASA AnyConnect license model

Resources


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn



Authors

Anubhav Swami

Principal Architect

Security Business Group