Cisco Cloud Firewall QnA Sheet
 

Data Center Security for Virtualization - Question and Answer Sheet


Q&A: Cisco ASA 1000V Cloud Firewall

Section 1: General Questions

Q. What is the Cisco ASA 1000V Cloud Firewall?
A. The Cisco ASA 1000V Cloud Firewall is a virtual security appliance that provides consistent, enterprise-class security for private and public clouds. Scheduled to release in the first half of 2012, the Cisco ASA 1000V Cloud Firewall will employ mainstream, proven Adaptive Security Appliance (ASA) security technology that has been optimized for virtual and cloud environments. This approach helps enable consistency across physical, virtual, and cloud infrastructures. The ASA 1000V will complement Cisco Virtual Security Gateway (VSG) for Nexus 1000V Series Switches to extend Cisco’s virtual and cloud security portfolio. It will provide multi-tenant edge security, default gateway functionality, and protection against network-based attacks.

Q. How will the Cisco ASA 1000V Cloud Firewall be different from Cisco Virtual Security Gateway (VSG)?
A. The ASA 1000V will provide strong multi-tenant edge security for highly secure communications between multiple tenants, whereas VSG provides zone-based security policies for highly secure intra-tenant communications. These two products will complement each other to provide strong end-to-end security for virtual and cloud infrastructures.

Q. Will the ASA 1000V co-exist with VSG?
A. Yes. The ASA 1000V and VSG will co-exist, with complementary functionality.

Q. How will the ASA 1000V fit into the larger Cisco network virtualization vision?
A. Cisco’s vision is to extend the components and “norms” from the physical environment into the virtual and cloud environment, while addressing the blind spots and security loopholes created by virtualization:
● Using Cisco Nexus 1000V Series Switches, the ASA 1000V extends Cisco’s proven networking components to virtualized and cloud environments.
● The ASA 1000V will extend the well-proven security component from the physical environment to now secure the virtual and cloud infrastructure. It will integrate with vPath, an integral component of the Cisco Nexus 1000V, which serves as a single data plane for all the virtual service nodes including ASA 1000V, VSG, and vWAAS.
● The ASA 1000V ensures that current operational workflows are not disrupted, by maintaining separate management control points for security teams, network teams, and server teams. Cisco Virtual Network Management Center (VNMC) acts as a single point of management for the Cisco virtual security services.

Q. How will the ASA 1000V fit into the larger Cisco security strategy?
A. The ASA 1000V is being developed using the existing Cisco Adaptive Security Appliances (ASA) infrastructure. It will maintain consistent security with other ASA form factors, including ASA 5500 Series Adaptive Security Appliances and the Cisco Catalyst 6500 Series ASA Services Module. This approach will provide consistency with other physical ASA deployments, while being optimized for cloud-specific use cases. Customers will have the flexibility to choose the ASA form factor that best fits their network infrastructure and deployment use case, while creating an integrated best-of-breed security framework.

© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Section 2: Features and Benefits

Q. What features will the ASA 1000V support?
A. The ASA 1000V uses the ASA infrastructure. As such, it will maintain feature consistency with physical ASA form factors, while being optimized for cloud use cases. It will provide multi-tenant edge security, default gateway functionality, and protection against network-based attacks:
● Employs the most widely deployed secure connectivity solution that reliably extends IT infrastructure to the cloud and transfers mission-critical workload between distributed locations without compromise.
● Captures operational efficiency with an option to support consistent address space between the existing physical and extended cloud infrastructure or between multiple tenants within the cloud infrastructure.
● Decreases end-to-end time to deploy a fully functional VM by automatically provisioning IP addresses to VMs being provisioned at a rapid pace.
● Secures the cloud perimeter against network-based attacks.

Q. What are the benefits of building cloud security appliances using the ASA infrastructure?
A. Utilizing the ASA infrastructure for the ASA 1000V will enable you to secure your private and public clouds using a proven firewall. The ASA 1000V will:
● Extend proven ASA capabilities to help secure multi-tenant virtual and cloud infrastructure at the edge.
● Help secure the cloud perimeter against network-based attacks.
● Help enable consistent capabilities across hybrid infrastructure - physical, virtual, and cloud.
● Employ the most widely deployed, highly secure connectivity solution that reliably extends IT infrastructure to the cloud and transfers mission-critical workload between distributed locations without compromise.

Q. Will the ASA 1000V support site-to-site and remote access VPN?
A. At first customer shipping, the ASA 1000V will support site-to-site VPN. Remote-access VPN is being explored for a future release.

Q. Will I be able to use the ASA 1000V to build a Cisco AnyConnect remote-access VPN offering for a cloud provider?
A. No, the initial release of the ASA 1000V will not support Cisco AnyConnect remote-access VPN. Remote-access VPN is being explored for a future release.

Q. How many interfaces will the ASA 1000V have?
A. The ASA 1000V will have four interfaces - inside, outside, failover, and management. The interfaces have been optimized to suit cloud-specific use cases.

Section 3: ASA 1000V Solution Components

Q. Will the ASA 1000V require the Cisco Nexus 1000V Series Switch? Why won’t it run on the native VMware switch?
A. The ASA 1000V will be optimized for the Nexus 1000V Series Switch to provide an end-to-end solution to secure virtual and cloud infrastructures. vPath, an integral component of the Nexus 1000V:
● Enables deployment flexibility and simpler management with unique capabilities for a single ASA 1000V to secure multiple ESX hosts.
● Eliminates vendor lock-in by providing a multi-hypervisor capable solution.
Q. Will the ASA 1000V be a feature on the Cisco Nexus 1000V?
A. No, the ASA 1000V will be a separate product. However, it has been specifically developed for environments with Cisco Nexus 1000V deployments.

Q. How will the ASA 1000V be managed?
A. Cisco Virtual Network Management Center (VNMC) will be the primary manager for both the ASA 1000V and VSG. In addition, Cisco Adaptive Security Device Manager (ASDM) will also be able to manage the ASA 1000V.

Q. What is Cisco VNMC? Why will I have to use another management system for my edge firewall?
A. Cisco VNMC is a transparent, scalable, multi-tenant-capable, policy-driven management solution for the Cisco virtual security appliances (such as the ASA 1000V and VSG) to provide end-to-end security of virtual and cloud infrastructures. VNMC benefits customers because it:
● Helps enable rapid and scalable deployment through dynamic, template-driven policy management based on security profiles.
● Enhances management flexibility through an XML API that helps enable programmatic integration with third-party management and orchestration tools.
● Helps ensure collaborative governance with role-relevant management interfaces for network, server, and security administrators.

Q. Will I be able to write policies based on VM attributes (like VSG)?
A. This will not be available in the initial release. However, this support is expected to be added with the next ASA 1000V release. VSG currently supports this feature.

Q. Will Cisco Security Manager manage the ASA 1000V?
A. No, the ASA 1000V will not be managed by Cisco Security Manager, since managers of virtual security appliances must support features like multi-tenancy and policy creation based on VM attributes. These features are supported by VNMC.

Q. Will the ASA 1000V integrate with VMware vCenter? How about vCloud Director?
A. Cisco VNMC obtains virtual machine contexts from VMware vCenter, allowing security administrators to institute granular VM-based policy controls across the cloud infrastructure. VSG currently supports VM attribute-based policies. The first release of the ASA 1000V will not support this feature. Integration of Cisco Nexus 1000V with vCloud Director is already supported. The support for vCloud Director for the ASA 1000V and VSG is being explored for future releases.

Q. Which hypervisors will the ASA 1000V support at launch?
A. The ASA 1000V will run atop the Cisco Nexus 1000V, which presently runs on several versions of vSphere hypervisor from VMware.

Q. When will the ASA 1000V support other hypervisors?
A. The Cisco Nexus 1000V provides the required visibility into the hypervisor, unlike offerings which require the APIs provided by hypervisor vendors (e.g., VMSafe) to gain this visibility. The ASA 1000V solution is multi-hypervisor-capable and can easily extend to other hypervisors with its future versions.

Q. Will the ASA 1000V have to be deployed on the Cisco Unified Computing System?
A. No, the ASA 1000V will not have to be deployed on the Cisco Unified Computing System (UCS). It will be capable of running on any of the hardware platforms supported by VMware. Cisco UCS is just one of them.
Section 4: Licensing, Timelines and Other Details

Q. What are the performance metrics?
A. The performance of the Cisco ASA 1000V Cloud Firewall will depend on the physical hardware on which it is running and the resources available. The virtual solution makes it easier to spin up or down another instance of ASA 1000V as per the performance requirements of the customer. Cisco’s management solution makes this process very easy for the customer. More details will be available closer to first customer shipment.

Q. What ASA software versions will it support? Will it support identity firewall features?
A. The ASA 1000V is based on the ASA Software Release 8.4. The identity firewall feature is not supported on the ASA 1000V during its initial release due to the focus on multi-tenant edge use cases.

Q. How is the ASA 1000V licensed?
A. The ASA 1000V adopts a licensing model similar to that of Cisco Nexus 1000V and VSG.

Q. What is the beta timeframe for the ASA 1000V?
A. We should be in formal beta early in calendar year 2012.

Section 5: Partnerships

Q. Cisco is a strategic partner with VMware. What does this mean?
A. Cisco’s strategic partnership with VMware enables us to collaborate on developing solutions together for virtual environments. We have worked closely with VMware during the development of Cisco Nexus 1000V, which has a prime space on the VMware website. We continue to collaborate on developing cloud security solutions as well.

Q. Where can I find more details? Who should I contact for more information?
A. For more information on the Cisco ASA 1000V Cloud Firewall, visit:
● http://www.cisco.com/go/asa1000v
For more information on the Cisco Nexus 1000V Series Switches, visit:
● http://www.cisco.com/go/1000v
For more information on Cisco VSG, visit:
● http://www.cisco.com/go/vsg
For more information on Cisco VNMC, visit:
● http://www.cisco.com/go/vnmc

Printed in USA C67-688050-00 10/11