Enterprise firewall protection: Where it stands, where it's headed
Cisco has built a data-center-class network security portfolio, this week unveiling an Adaptive Security Appliance clustering feature that delivers 320 Gbps firewall performance, as well as a new virtual firewall and a super-capacity intrusion prevention appliance.
Why Cisco ASA clustering?
With application traffic and mobile devices exploding on the corporate network, vendors are racing to add scalability and throughput to data center security appliances, particularly firewalls and intrusion prevention appliances. Until now, these appliances have been traffic bottlenecks.
For Cisco, part of the answer is in a new clustering capability in version 9.0 of its Adaptive Security Appliance operating system that will allow network engineers to manage and operate as many as eight ASAs as a single logical device. A full cluster of Cisco's top-of-the-line ASA 5585X appliances can provide up to 320 Gbps of firewall performance, according to Jeff Aboud, Cisco's marketing manager for enterprise security. In addition, because these devices can be co-populated with intrusion prevention, clusters support 60 Gbps of intrusion prevention system (IPS) throughput. Together, the appliances can support 1 million connections per second and 50 million concurrent sessions, he said.
This type of speed is crucial for data centers, since many "aren't protected by even a basic firewall [due to bottleneck concerns]," said John Kindervag, principal analyst at Forrester Research Inc.
The clustered performance Cisco claims appears to eclipse the validated capabilities of network security hardware provider Crossbeam Systems Inc., which offers modular security chassis products running third-party security software from vendors like Check Point Software Technologies Ltd. and McAfee Inc. Tests have shown that a fully loaded Crossbeam X80-S chassis can provide 140 Gbps of firewall throughput and support 1 million connections per second.
Cisco's ASA and Crossbeam are a good comparison match, said Ken Owens, vice president of security and virtualization technologies for cloud provider Savvis Inc. Cisco's clustering approach and Crossbeam's chassis approach both have pros and cons, he said.
"With the clustered ASA, the benefits are a smaller footprint required and a lower cost as you first get the solution rolled out," Owens said. For instance, a company can start small, clustering just two ASAs, and add more as performance requirements grow. On the other hand, Crossbeam's chassis offers seamless integration, he said.
Savvis uses Cisco ASAs in its environment, and Owens has been evaluating the clustering feature. Overall he's positive, although he'd like to see less management complexity. "It's a little bit harder to understand and manage multiple individual components [in an ASA cluster]," he said. Cisco Security Manager, the company's management platform, doesn't provide a great level of visibility across the cluster, he added. He'd prefer a management experience similar to that of the Nexus 1000V distributed virtual switch, where the 1000V Virtual Switch Module "looks like a supervisor card within a chassis and the VEMs [Virtual Ethernet Modules] look like line cards. I'd like to see a similar model from the ASA."
For now, Owens doesn't need the kind of throughput that a fully populated ASA cluster could provide, but he does need the large-scale support of simultaneous connections and sessions, as well as the ability to maintain performance with additional security features enabled. "From a firewall standpoint, most of our customers are not pushing more than two or three gigs to a firewall, so we're not looking for massive scale. But as you look at an edge device in the cloud with the ability to do firewall and IPS and the ability to manage the number of connections and the packet rates of various sizes, normally you need a higher-performing system than your customers typically use," he said.
Cisco ASA 1000V: A virtual firewall
Cisco also is offering a new virtual firewall based on its ASA technology. One ASA 1000V instance can secure multiple workloads with different security policies, and it can span multiple ESX hosts. The product is designed to protect the tenant edge in a multi-tenant data center or cloud environment. Virtual Security Gateway, Cisco's older virtual security product, provides similar protection within a tenant's domain, enabling the creation of different security zones within a virtual environment.
The ASA 1000V is a modified version of Cisco's ASA firmware for virtual environments, and is coded to run as a service on top of the Nexus 1000V virtual switch.
Cisco now has two virtual security products in a market that is still taking shape, Forrester's Kindervag said. "No one knows where virtualization security is going to go," he said. "Each organization that deploys virtualization has to decide for itself what the best practices are going to be, because I think there are a lot of conflicting ones. The fact is, not a lot of these [virtual] security methodologies have been tested in real-life combat."
Savvis' Owens is strongly considering ASA 1000V for his company's managed security services and general cloud services. Today he uses physical ASA appliances to deliver these services to Savvis customers. "Anytime you have a physical deployment of a solution, that's not a great cloud model," he said. "We're very interested in the ASA 1000V because it gives us the ability to have VPN and perimeter security components within our cloud deployment model virtually."
Owens wants to embed security into Savvis' cloud environment and provide more visibility and transparency to his customers. He believes the ASA 1000V can deliver on that need, especially to customers who have physical ASAs deployed in their own environments. "We see a lot of hybrid cloud," he said. "For customers already using the physical ASA, the ability to connect that to the virtual ASA [in Savvis' environment] is a very seamless process."
Cisco's new data center IPS and a new Cisco security philosophy
Cisco also introduced the IPS 4500 series standalone intrusion-prevention appliance that can provide 10 Gbps throughput and 100,000 connections per second. It ships in an expandable 2U chassis, with capacity for a second IPS blade. When those blades become available next year, customers will be able to double the performance of the appliance, according to Cisco's Aboud.
These product releases indicate that Cisco is in the process of changing how its security business is run under Chris Young, senior vice president for the Cisco security and government group, Kindervag said. "These announcements signal that there is new leadership and they are … enhancing the portfolio which had languished under the previous regime," he said. "This new leadership has to evolve the business unit without disrupting their customer base. I think they've positioned [security] to ultimately interact with the rest of their product portfolio. In the past, all the different product lines were very siloed."
Let us know what you think about the story; email: Shamus McGillicuddy, News Director