Cisco ASA 1000V Cloud Firewall

Product Overview

The Cisco® ASA 1000V Cloud Firewall is a virtual security appliance that extends the proven Adaptive Security Appliance (ASA) security platform to consistently secure physical, virtual, and cloud infrastructures. Complementing the zone-based security capabilities of the Cisco Virtual Security Gateway (VSG), the Cisco ASA 1000V Cloud Firewall provides multitenant edge security, default gateway functionality, and protection against network-based attacks, for a comprehensive cloud security solution. The Cisco ASA 1000V Cloud Firewall integrates with the Cisco Nexus® 1000V Series Switch, which supports multiple hypervisors to eliminate vendor lock-in, and enables a single ASA 1000V instance to secure multiple ESX hosts for superior deployment flexibility and simplified management. Cisco Virtual Network Management Center (VNMC) is used to offer dynamic, policy-driven, multitenant management.

Features and Benefits

The Cisco ASA 1000V Cloud Firewall employs mainstream ASA security technology that has been optimized for virtual environments. It transparently integrates with Cisco Nexus 1000V, VSG, and VNMC components, and works in conjunction with physical ASA appliances to provide end-to-end security for hybrid infrastructures. The features and benefits are detailed in Table 1.

Table 1. Cisco ASA 1000V Cloud Firewall Features and Benefits

Feature

Benefit

Proven firewall to secure private and public clouds

• Extends proven ASA capabilities to secure multitenant virtual and cloud infrastructure at the edge
• Secures the cloud perimeter against network-based attacks
• Supports consistent capabilities across hybrid infrastructures: physical, virtual, and cloud
• Uses the most widely deployed secure connectivity solution that reliably extends IT infrastructure to the cloud and transfers mission-critical workload between distributed locations without compromise

Increased solution flexibility and operational efficiency

• Provides deployment flexibility and simpler management with distinctive capabilities for a single ASA 1000V instance to span multiple ESX hosts
• Eliminates vendor lock-in with a multihypervisor-capable solution
• Captures operational efficiency with an option to support consistent address space between the existing physical and extended cloud infrastructure, or between multiple tenants within the cloud infrastructure
• Decreases end-to-end time to deploy a fully functional virtual machine by automatically provisioning IP addresses to virtual machines being provisioned at a rapid pace
• Enhances management flexibility through XML APIs that support integration with third-party management and orchestration tools

Comprehensive approach to new virtualization workflows

• Employs an advanced, cloud-ready manager, offering a transparent, scalable, multitenant-capable, policy-based solution, for end-to-end security of virtual and cloud environments
• Provides uniform management and monitoring capabilities across physical, virtual, and cloud workflows
• Helps ensure collaborative governance with role-relevant management interfaces for network, server, and security administrators

Solution Components

Integrates with the Nexus 1000V Series Switch: The Cisco ASA 1000V Cloud Firewall secures virtualized environments using advanced networking concepts to provide efficiency, availability, and high performance. Operating in conjunction with the Cisco Nexus 1000V Series distributed virtual switches in the VMware vSphere hypervisor, the Cisco ASA 1000V Cloud Firewall uses virtual network service data path (vPath) technology embedded in the Nexus 1000V Series Switch.

Integrates with Cisco VNMC: The Cisco ASA 1000V Cloud Firewall is managed using the Cisco VNMC to provide a nondisruptive administration model.

– Security administrators can author and manage security profiles as well as manage Cisco ASA 1000V instances; security profiles are referenced in Cisco Nexus 1000V Series port profiles.

– Network administrators can author and manage port profiles as well as manage Cisco Nexus 1000V Series distributed virtual switches. Port profiles are referenced in the VMware vCenter through the programmatic interface of the Cisco Nexus 1000V Series VSM.

– Server administrators can select the appropriate port profile in VMware vCenter when instantiating a virtual machine. Additionally, third-party management and orchestration tools can interact programmatically, through XML APIs, with Cisco VNMC for automated management and provisioning of Cisco VSG.

Complements Virtual Security Gateway: Cisco VSG integrates with Cisco Nexus 1000V Series Switches to provide granular, zone-based security for virtual environments. The Cisco ASA 1000V Cloud Firewall complements Cisco VSG to provide multitenant edge security and default gateway functionality, and protect against network-based attacks.

Figure 1 illustrates the integration of solution components.

Figure 1. ASA 1000V Solution Components

Software Packaging and Installation

Table 2 describes how to obtain the Cisco ASA 1000V Cloud Firewall.

Table 2. Software Packaging and Installation

Package

Description

Open Virtualization Format (OVF)

• Downloadable OVF virtual appliance in the form of a single file with the .ova extension
• Deployed with OVF Templates/Packages

Solution Deployment Requirements

The products listed in Table 3 must be deployed to secure virtualized and cloud environments using the Cisco ASA 1000V Cloud Firewall.

Table 3. Cisco ASA 1000V Cloud Firewall Deployment Requirements

Product

Requirement

Hypervisor and hypervisor management

• VMware vSphere 4.1 or later releases with VMware ESX or ESXi
• VMware vCenter 4.1 or later releases

Distributed virtual switch

Cisco Nexus 1000V Series Software Release 4.2(1)SV1(4) or later, including the Virtual Ethernet Module (embedded in the VMware vSphere ESX or ESXi hypervisor)

Management

Cisco Virtual Network Management Center (deployed as a virtual appliance)

Warranty Information

Find warranty information on Cisco.com at the Product Warranties page.

Service and Support

Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. Included in the "Operate" phase of the service lifecycle are Cisco Security IntelliShield Alert Manager Service, Cisco SMARTnet®, and Cisco Service Provider Base. These services are suitable for enterprise, commercial, and service provider customers.

Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.

For More Information

For more information, please contact your local account representative, or visit the following websites:

• Cisco ASA 1000V Cloud Firewall: http://www.cisco.com/go/asa1000v

• Cisco Nexus 1000V Series Switch: http://www.cisco.com/go/nexus1000v

• Cisco Virtual Security Gateway: http://www.cisco.com/go/vsg

• Cisco Virtual Network Management Center: http://www.cisco.com/go/vnmc

• Cisco ASA 5500 Series Adaptive Security Appliance: http://www.cisco.com/go/asa

• Cisco Security Services: http://www.cisco.com/en/US/products/svcs/ps2961/ps2952/serv_group_home.html