Cisco introduced a containerized firewall package for its venerable Catalyst switch family that is designed to help enterprise customers with mixed IT and OT systems segment network resources more easily and save money by consolidating network and security deployments.
Specifically, Cisco built a Docker-based container for its Secure Firewall Adaptive Security Appliance (ASA) that can be hosted on its Catalyst 9300 access switches. Cisco Secure Firewall ASA combines firewall, antivirus, intrusion prevention, encryption and virtual private network (VPN) support.
The firewall supports up to 10 logical interfaces, which can be used for segmentation. This segmentation helps limit an attacker's ability to move laterally within the network by containing any breach to a specific zone, wrote Pal Lakatos-Toth, an engineering product manager with Cisco's security business group, in a blog post about the news.
“The integration of information technology (IT) and operational technology (OT) systems, also known as IT/OT integration, is a crucial process in industries such as manufacturing, energy, and utilities. While IT systems handle data management, OT systems manage physical processes and control systems for critical infrastructure such as power grids, water treatment plants, and manufacturing equipment,” Lakatos-Toth wrote.
Digital transformation and smart manufacturing initiatives have accelerated the convergence of IT and OT networks, and “while this integration can bring significant benefits such as increased efficiency, improved visibility, and better decision-making, it can also increase the risk of cyber-attacks,” Lakatos-Toth stated.
By hosting the containerized Secure Firewall ASA on Catalyst 9300 access switches, organizations can reduce the complexity of steering traffic to centralized firewalls through complex tunnels, Lakatos-Toth stated. It positions firewall services closer to the source, offering a cost-effective and efficient way of securing IT/OT converged networks. It also minimizes latency for time-sensitive applications by enforcing policies near the source, where the devices connect to the network, Lakatos-Toth stated.
The containerized Secure Firewall ASA maintains a stateful connection table that keeps track of the state and context of each network connection passing through it and applies context-based access control.
“If any application requires additional ports for its operation, the firewall dynamically opens and tracks these ports while ensuring that security policies and access controls remain in place. All these events are logged for audit purposes and can be used for tracing and preventing security breaches,” Lakatos-Toth stated.
For access control in the IT/OT network, the containerized Secure Firewall ASA uses access control lists (ACLs) and security group tags (SGTs). “With SGTs, the firewall applies security policies based on labels instead of IP addresses. The firewall uses SGTs to authenticate OT devices and assign them to a specific security group, such as ‘OT,’ which can further be used for stateful inspection,” Lakatos-Toth stated.
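As an added illustration of the stateful, label-based enforcement described in the three preceding paragraphs, the fragment below is a two-zone IT/OT policy written in standard ASA CLI syntax. It is an example constructed for this article, not configuration taken from Cisco's blog post or product documentation. The interface names, the IT and OT security-group names, the ISE address and the Modbus/TCP and HTTPS ports are assumptions; in a TrustSec deployment the ASA learns IP-to-SGT bindings from Cisco ISE (directly or over SXP) and enforces on them rather than authenticating devices itself.

```text
! Hypothetical two-zone policy (example for this article, not Cisco's configuration).
! Interface names, SGT names, addresses and ports are assumptions.
interface Management0/0
 nameif management
!
interface GigabitEthernet0/0
 nameif it-zone
 security-level 50
!
interface GigabitEthernet0/1
 nameif ot-zone
 security-level 100
!
! Learn IP-to-SGT bindings from ISE over SXP (peer address and password are placeholders).
! A 'cts server-group' pointing at ISE and a PAC imported with 'cts import-pac' are also
! required for the firewall to resolve security-group names; both are omitted here.
cts sxp enable
cts sxp default password Str0ngSxpKey
cts sxp connection peer 192.0.2.10 password default mode local listener
!
! Label-based rules: match on security group, not on IP addresses.
! IT hosts may reach OT only over Modbus/TCP (502) and HTTPS (443);
! everything else from IT toward OT is denied and logged.
access-list IT_TO_OT extended permit tcp security-group name IT any security-group name OT any eq 502
access-list IT_TO_OT extended permit tcp security-group name IT any security-group name OT any eq 443
access-list IT_TO_OT extended deny ip any any log
access-group IT_TO_OT in interface it-zone
!
! Return traffic for permitted sessions is allowed by the stateful connection table,
! so no reverse rule is needed. Application inspection in the global policy opens and
! tracks secondary channels dynamically, e.g. the data connection of an FTP session.
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
!
! Verification commands:
!   show conn                  - active entries in the connection table
!   show access-list IT_TO_OT  - per-rule hit counts
!   show cts sxp connections   - state of the SXP peering with ISE
!   show cts environment-data  - security-group names learned from ISE
```

The point of the two permit lines is that a device that is moved to a different VLAN or renumbered keeps its policy as long as ISE still classifies it as OT; the ACL never has to be rewritten. The final deny with `log` is what produces the audit trail the blog post describes for blocked lateral movement, and `show conn` shows the dynamically opened secondary connections alongside the parent session.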
The ASA package is managed via Cisco DNA Center (DNAC), which handles management and network connectivity configuration. DNAC keeps the firewall application up to date and secure. Cisco Defense Orchestrator also supports the system and can create and deploy consistent security policies across large networks. It performs policy analysis and streamlines configuration and management, Lakatos-Toth wrote.
While this is the first time Cisco has deployed a firewall on the 9300, the switch has included Docker container support for several years. The idea was to let customers build their own applications for the switch without having to rewrite them every time there is an infrastructure change. Docker containers are lightweight and add very little CPU and memory overhead, according to Cisco.
“For example, a network operator in a large enterprise can host a network monitoring application on the Cisco Catalyst access platforms to understand clearly where in the network the issues are and act accordingly, thanks to the real-time insights being obtained,” Cisco stated.
The containerized Secure Firewall ASA will be available on the Catalyst 9300 Switch in October with the IOS XE 17.12.2 release.
Copyright © 2023 IDG Communications, Inc.