Today, companies invest in making their security controls scalable and dynamic to meet the ever-increasing demand on their network(s). In many cases, the response is a massive shift to Kubernetes (K8s) orchestrated infrastructure that provides a cloud-native, scalable, and resilient infrastructure.
This is where Cisco Secure Firewall Cloud Native (SFCN) comes in. It gives you the flexibility to provision, run, and scale containerized security services. Cisco Secure Firewall Cloud Native brings together the benefits of Kubernetes and Cisco's industry-leading security technologies, providing a resilient architecture for infrastructure security at scale.
Figure 1 - Cisco Secure Firewall Cloud Native platform overview
The architecture depicted above shows a modular platform that is scalable, resilient, DevOps friendly, and Kubernetes-orchestrated. In the initial release of Cisco Secure Firewall Cloud Native, we have added support for CNFW (L3/L4 + VPN) in AWS. Future releases will add support for CNTD (L7) security and other cloud providers.
Key capabilities of Cisco Secure Firewall Cloud Native include:
The architecture depicted above shows the Cisco Secure Firewall Cloud Native platform, which uses Amazon EKS, Amazon ElastiCache, and Amazon EFS together with industry-leading Cisco VPN and L3/L4 security controls for the edge firewall use-case. The administrator can manage Cisco Secure Firewall Cloud Native infrastructure using kubectl + YAML or Cisco Defense Orchestrator (CDO). Cisco provides APIs, CRDs, and Helm charts for this deployment. It uses custom metrics and the Kubernetes horizontal pod autoscaler (HPA) to scale pods horizontally.
Key components include:
The following instance type is supported for each component.
Initial use-cases:
Scalable Remote Access VPN architecture
Cisco Secure Firewall Cloud Native provides an easy way to deploy a scalable remote access VPN architecture. It uses custom metrics and the horizontal pod autoscaler to increase or decrease the number of CNFW Enforcement Points as needed. The Control Point controls configuration, routing, and Amazon Route 53 configuration for the auto-scaled Enforcement Points.
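As an added illustration (not Cisco's code and not the product's own manifest), the following Python sketches the scaling loop the paragraph describes: it builds an autoscaling/v2 HorizontalPodAutoscaler spec that targets a Pods-type custom metric, and it reproduces the replica calculation the Kubernetes HPA controller uses for such a metric (desired = ceil(current replicas × average/target), with the default 10% tolerance band), so you can see how a per-Enforcement-Point session count drives scale-out and scale-in. The deployment name, the metric name `vpn_active_sessions`, the 500-session target and the sample session counts are assumptions.

```python
import math

# Default HPA tolerance (kube-controller-manager --horizontal-pod-autoscaler-tolerance).
TOLERANCE = 0.10


def hpa_manifest(deployment, metric_name, target_per_pod, min_replicas, max_replicas):
    """Build an autoscaling/v2 HorizontalPodAutoscaler spec as a plain dict.

    It targets a Pods-type custom metric (one sample per pod, averaged by the
    controller), which is how a per-pod VPN session count would be exposed via a
    custom metrics adapter. All names and numbers passed in are assumptions.
    """
    return {
        "apiVersion": "autoscaling/v2",
        "kind": "HorizontalPodAutoscaler",
        "metadata": {"name": f"{deployment}-hpa"},
        "spec": {
            "scaleTargetRef": {
                "apiVersion": "apps/v1",
                "kind": "Deployment",
                "name": deployment,
            },
            "minReplicas": min_replicas,
            "maxReplicas": max_replicas,
            "metrics": [
                {
                    "type": "Pods",
                    "pods": {
                        "metric": {"name": metric_name},
                        "target": {
                            "type": "AverageValue",
                            "averageValue": str(target_per_pod),
                        },
                    },
                }
            ],
        },
    }


def desired_replicas(per_pod_values, target_per_pod, min_replicas, max_replicas):
    """Replica count the HPA controller computes for a Pods metric.

    per_pod_values: the current metric sample for each running pod (here: active
    VPN sessions per Enforcement Point). The controller averages the samples,
    compares the average with the target, leaves the count alone when the ratio
    is inside the tolerance band, otherwise scales by the ratio and rounds up,
    and finally clamps the result to [min_replicas, max_replicas].
    """
    current = len(per_pod_values)
    if current == 0:
        return min_replicas
    average = sum(per_pod_values) / current
    ratio = average / target_per_pod
    if abs(ratio - 1.0) <= TOLERANCE:
        desired = current  # within tolerance: no change
    else:
        desired = math.ceil(current * ratio)
    return max(min_replicas, min(max_replicas, desired))


if __name__ == "__main__":
    spec = hpa_manifest("cnfw-enforcement-point", "vpn_active_sessions", 500, 2, 10)
    print(spec["spec"]["metrics"][0]["pods"]["target"])
    # Constructed samples: three Enforcement Points each carrying ~1000 sessions
    # against a 500-session target, so the HPA scales out to 6.
    print(desired_replicas([900, 1000, 1100], 500, 2, 10))
    # Load drains away: the formula wants 1 replica, minReplicas keeps 2.
    print(desired_replicas([100, 100], 500, 2, 10))
```

The real controller adds behaviour this sketch leaves out (handling of pods with missing samples, readiness, and the scale-down stabilization window), but the core ratio-and-ceiling step is what decides how many Enforcement Points run, which is why the choice of target value per pod matters as much as the metric itself.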
Figure 3 - Scalable Remote Access VPN architecture
Traffic flow:
Scalable Remote Access VPN architecture, with smart load balancing and session resiliency
The Cisco Secure Firewall Cloud Native architecture with smart load balancing uses Amazon ElastiCache (Redis DB) to store VPN session information. The redirector node consults the Redis database to perform load balancing based on VPN session count, instead of weighted average load balancing.
The Control Point controls configuration, routing, redirector configuration, and Route 53 configuration for the auto-scaled Enforcement Points.
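To make the difference between the two balancing strategies concrete, here is an added Python example (not Cisco's redirector code): a session table standing in for the Redis store, a chooser that sends each new connection to the Enforcement Point with the fewest active sessions, and a smooth weighted round-robin chooser that ignores live session state. The scenario is constructed: three Enforcement Points already carry six sessions each when the autoscaler adds a fourth, empty one, and eight new connections then arrive. The in-memory dict, the Enforcement Point names and the session counts are assumptions.

```python
from collections import Counter


class SessionStore:
    """In-memory stand-in (assumption) for the ElastiCache/Redis VPN session table.

    Maps session id -> Enforcement Point that owns it. A real deployment keeps
    this in Redis so every redirector sees the same view of active sessions.
    """

    def __init__(self):
        self._sessions = {}

    def add(self, session_id, enforcement_point):
        self._sessions[session_id] = enforcement_point

    def remove(self, session_id):
        self._sessions.pop(session_id, None)

    def counts(self, enforcement_points):
        """Active session count per Enforcement Point (0 for points with none)."""
        tally = Counter(self._sessions.values())
        return {ep: tally.get(ep, 0) for ep in enforcement_points}


def pick_by_session_count(store, enforcement_points):
    """Smart load balancing: new connection goes to the least-loaded point.

    Ties are broken by name so the choice is deterministic.
    """
    counts = store.counts(enforcement_points)
    return min(enforcement_points, key=lambda ep: (counts[ep], ep))


class WeightedRoundRobin:
    """Weight-based balancing (smooth weighted round-robin) for comparison.

    It spreads connections by static weight and never looks at session state.
    """

    def __init__(self, weights):
        self._weights = dict(weights)
        self._current = {ep: 0 for ep in weights}

    def pick(self):
        total = sum(self._weights.values())
        best = None
        for ep, weight in self._weights.items():
            self._current[ep] += weight
            if best is None or self._current[ep] > self._current[best]:
                best = ep
        self._current[best] -= total
        return best


def seeded_store(existing):
    """Constructed starting state: existing = {enforcement point: session count}."""
    store = SessionStore()
    for ep, n in existing.items():
        for i in range(n):
            store.add(f"{ep}-old-{i}", ep)
    return store


def admit(store, enforcement_points, chooser, n, prefix="new"):
    """Admit n new sessions one at a time via chooser() and return final counts."""
    for i in range(n):
        store.add(f"{prefix}-{i}", chooser())
    return store.counts(enforcement_points)


def compare(new_connections=8):
    """Run both strategies from the same constructed state; return (smart, weighted)."""
    points = ["ep-a", "ep-b", "ep-c", "ep-d"]
    start = {"ep-a": 6, "ep-b": 6, "ep-c": 6, "ep-d": 0}  # ep-d just scaled out

    smart_store = seeded_store(start)
    smart = admit(smart_store, points,
                  lambda: pick_by_session_count(smart_store, points), new_connections)

    wrr_store = seeded_store(start)
    wrr = WeightedRoundRobin({ep: 1 for ep in points})
    weighted = admit(wrr_store, points, wrr.pick, new_connections)
    return smart, weighted


if __name__ == "__main__":
    smart, weighted = compare()
    print("session-count balancing:", smart)
    print("weighted round-robin:   ", weighted)
```

With session-count balancing the freshly scaled-out point absorbs the new load until the four points are level; the weight-based chooser keeps handing the old points their share, so the imbalance created by the scale-out persists. Seeing the session counts in a shared store is what makes the first behaviour possible across multiple redirectors.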
Figure 4 - Scalable Remote Access VPN architecture with smart load balancing and session resiliency
Traffic flow:
Scalable DC backhauls
The autoscaled Enforcement Points can form a tunnel back to the data center automatically. Cisco provides a sample Kubernetes deployment to enable this functionality.
Figure 5 - Scalable DC backhaul
Multi-tenancy
This architecture provides a multi-tenant architecture using cloud-native constructs such as namespaces, EKS clusters, nodes, subnets, and security groups.
Figure 6 - Multi-tenancy
Scalable cloud hub
This architecture provides a scalable cloud hub architecture using CNFW, Amazon EKS, and other cloud-native controls.
Figure 7 - Scalable cloud hub
Scalable edge firewall
This architecture provides a scalable edge firewall architecture using CNFW, Amazon EKS, and other cloud-native controls.
Figure 8 - Scalable edge firewall
Licensing
Cisco Secure Firewall Cloud Native is available starting with ASA 9.16. This release brings CNFW (L3/L4 + VPN) security with Bring Your Own Licensing (BYOL), using Cisco Smart Licensing.