As they grow to the next level, data centers have the following security requirements, to support their changing needs:

Scalable Security: The amount of data and transactions moving through most data centers requires ever-increasing levels of performance. Security must have the ability to scale to meet these seemingly insatiable performance requirements, while ensuring the highest levels of security.

Physical & Virtual: Modern-day data centers are no longer comprised solely of physical deployments. Instead, they are a mixture of physical, virtual, and cloud infrastructures – built to solve the business’ specific needs. Security policies must have the ability to work consistently across hybrid environments.

Business Integration: While security is certainly important to data center administrators, it isn’t their only concern. They must also focus on maintaining business/IT alignment and avoiding chokepoints that can degrade performance and jeopardize their SLAs. Security needs to be an integral part of the network architecture, so that it can help maintain business/IT alignment, avoid performance chokepoints, and enable business flexibility.
The ASA 5585-X is available at four performance levels ...
Now for some of the new products we’re announcing today …

ASA 9.0 is a major release of our core operating system, which powers the entire line of ASA security appliances.
- One of the most significant improvements in this release is its ability to cluster up to eight of our highest performing firewall appliances to produce the fastest firewall in the world.
- It also integrates Cisco TrustSec security group tags (SGTs); along with the Identity Firewall capabilities (for active and passive authentication) introduced in our previous release, we are the only security provider with the ability to deliver next-generation firewall capabilities at data center speeds.
- Integrates with Cisco Cloud Web Security (formerly ScanSafe) to enable administrators to perform deep content scanning on a subset of traffic, without degrading performance.
- IPv6 support with minimal performance degradation from IPv4 traffic (15% vs. 80% for competitors).

Explanation of the blue “Data Boxes”:
- 700% Higher Performance Density: ASA 5585-X delivers the performance in 2RU that Juniper requires 16RU to match … the math holds up in a clustered environment as well on the firewall side – and adds 60 Gbps IPS throughput (Juniper is limited to 10 Gbps IPS when colocated with the firewall).
- 84% Less Power Consumption: we require less than 400 watts of power, compared to ~5100 watts with Juniper.
- 87% Less Rack Space: this is tied to the first point – we use 1/8 the rack space.
The industry’s first IPS that is fit to handle data center workflows.
- 10 Gbps in a single blade – expandable to two blades in the near future.
- Intelligent and context-aware for the most effective, proactive IPS in the industry.

Explanation of the blue “Data Boxes”:
- 400% Higher Performance Density: IPS 4520 delivers the IPS throughput in 1 blade that Juniper requires 4 blades to match …
- 75% Less Power Consumption: due to the 1:4 hardware ratio discussed above.
- 50% Less Rack Space: due to the fact that we can do it with a 2RU unit, vs. 4RU.
CPU and Memory for any unit within the cluster. When you click on the environment status button, you can see exactly what has failed on the specific cluster node.
Identity repository is AD based in phase 1 and is forward compatible with Identity Services Engine.
1. User logs into AD.
2. AD Agent retrieves IP information from AD.
3. ASA retrieves IP-User mapping from AD Agent.
4. Permit/Deny based on policy.
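As an added illustration of the four-step flow above (not Cisco's code or the ASA's implementation), this Python sketch builds the IP-to-user mapping from constructed AD logon events and then evaluates a user/group-based policy against it, so that a reassigned address changes the decision; the event fields, groups and rules are assumptions.

```python
"""Identity-based policy evaluation, modelled on the AD Agent -> ASA flow above.
Added example, not Cisco code: logon events, group membership and the policy are
constructed here and the field names are assumptions."""
from dataclasses import dataclass
import ipaddress

# Constructed logon events of the kind the AD Agent would harvest (assumed shape).
LOGON_EVENTS = [
    {"user": "alice", "ip": "10.1.1.10", "ts": 100},
    {"user": "bob",   "ip": "10.1.1.11", "ts": 110},
    {"user": "carol", "ip": "10.1.1.10", "ts": 150},  # alice's address re-used later
]
GROUPS = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"contractors"}}

@dataclass(frozen=True)
class Rule:
    group: str    # AD group the rule applies to; "*" matches any user, known or not
    dst_net: str  # destination network in CIDR
    action: str   # "permit" or "deny"

POLICY = [
    Rule("finance", "10.9.0.0/24", "permit"),  # finance may reach the ERP segment
    Rule("*", "10.9.0.0/24", "deny"),          # everyone else is kept out of it
    Rule("*", "0.0.0.0/0", "permit"),          # all other destinations allowed
]

def build_ip_user_map(events):
    """Mimic the AD Agent: the latest logon seen for an address wins."""
    mapping = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        mapping[ev["ip"]] = ev["user"]
    return mapping

def evaluate(src_ip, dst_ip, ip_user_map, policy=POLICY, groups=GROUPS):
    """Permit/deny by the user behind src_ip, not by the address itself.
    An unmapped source is an unknown user, so only '*' rules can match it."""
    user = ip_user_map.get(src_ip)
    user_groups = groups.get(user, set()) if user else set()
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:  # first match wins, as in an ACL
        if rule.group != "*" and rule.group not in user_groups:
            continue
        if dst in ipaddress.ip_network(rule.dst_net):
            return rule.action, user
    return "deny", user  # implicit deny at the end of the policy

if __name__ == "__main__":
    current = build_ip_user_map(LOGON_EVENTS)
    print(evaluate("10.1.1.10", "10.9.0.5", current))  # carol, not alice, owns the IP now
```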
Technology trends such as cloud computing, the proliferation of personal devices, and collaboration are enabling more efficient business practices, but they are also putting a strain on the data center and adding new security risks. As technology becomes more sophisticated, so do targeted attacks, and the resulting security breaches are far more costly. Many security breaches are caused by external forces such as hackers, organized crime and cybercriminals, and internally, disgruntled employees pose a threat. Businesses must be protected from these threats. Cisco offers two key threat defense options and then supports these with Cisco’s Security Intelligence Operations (SIO).
The Cisco ASA 1000V Cloud Firewall uses the same base ASA code that runs our physical appliances, but is optimized for virtual and cloud environments. That provides some key advantages over “virtual firewalls”, which negate most of the reasons for virtualizing in the first place!
- Consistent security across hybrid infrastructures – a single policy can span physical, virtual, and cloud.
- Flexibility – can secure multiple ESX hosts and can span multiple virtual datacenters; supports VMOTION, so applications can be moved without breaking security policies.

Explanation of the blue “Data Boxes”:
- Unmatched Deployment Flexibility: ASA code – consistency across hybrid infrastructure. Also, ASA 1000V supports VMOTION, so when applications and workloads are moved, security policies move with them – enabling ongoing infrastructure flexibility, without having to re-work security.
- Lowest Operational Complexity: Unlike “virtual firewalls”, a single instance of ASA 1000V can secure multiple ESX hosts and span multiple virtual datacenters. Also works in conjunction with Nexus 1000V and VSG (using a common management tool for all three) for an end-to-end virtual/cloud solution.
- Enhanced Network Scalability: Rather than the ~4,000 VLANs that are possible in the physical world, Virtual Extensible LAN (VXLAN) can manage 16 million segments.
In a multi-tenant DC it is sometimes necessary to clone a specific set of machines, so we want to clone a complete tenant. The clone will have the same IP addresses as the original. To avoid overlap and collisions we can take advantage of the NAT address translation functionality that’s built into the Nexus 1000V with the ASA 1000V.
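As an added example (not Nexus 1000V or ASA 1000V code), this Python sketch shows why static NAT removes the collision: two tenants with identical inside subnets are given distinct outside pools, every host is translated one-to-one, and a check confirms that no translated address is shared; tenant names, subnets and the outside block are constructed.

```python
"""Static NAT for cloned tenants whose inside subnets overlap.
Added example, not Nexus 1000V or ASA 1000V code: tenant names, subnets and the
outside block are constructed; the translation model is simple one-to-one NAT."""
import ipaddress

# Constructed: a tenant and its clone share exactly the same inside subnet.
TENANTS = {
    "acme":       ipaddress.ip_network("10.0.0.0/24"),
    "acme-clone": ipaddress.ip_network("10.0.0.0/24"),
}

def allocate_outside_pools(tenants, outside_block="172.16.0.0/16"):
    """Carve a distinct outside /24 per tenant from outside_block, so clones with
    identical inside ranges never share an address on the common network."""
    pools = {}
    blocks = ipaddress.ip_network(outside_block).subnets(new_prefix=24)
    for name in sorted(tenants):
        pools[name] = next(blocks)
    return pools

def translate(tenant, inside_ip, tenants, pools):
    """One-to-one static NAT: keep the host part, swap in the tenant's outside net."""
    inside_net = tenants[tenant]
    ip = ipaddress.ip_address(inside_ip)
    if ip not in inside_net:
        raise ValueError(f"{inside_ip} is not inside tenant {tenant}")
    host_offset = int(ip) - int(inside_net.network_address)
    return str(pools[tenant].network_address + host_offset)

def outside_addresses_collide(tenants, pools):
    """Return True if any two tenants end up with the same translated address."""
    owner = {}
    for name, net in tenants.items():
        for host in net.hosts():
            outside = translate(name, str(host), tenants, pools)
            if owner.setdefault(outside, name) != name:
                return True
    return False

if __name__ == "__main__":
    pools = allocate_outside_pools(TENANTS)
    print(translate("acme", "10.0.0.5", TENANTS, pools))        # 172.16.0.5
    print(translate("acme-clone", "10.0.0.5", TENANTS, pools))  # 172.16.1.5
    print(outside_addresses_collide(TENANTS, pools))            # False
```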
Virtual machines are quickly brought up and down in virtual environments, and they need dynamic IP address assignment. The ASA 1000V acts as a DHCP server and allocates IP addresses when a request is received from any of the virtual machines in the tenant. When new virtual machines are instantiated, the ASA 1000V’s built-in DHCP capability assigns them the appropriate IP addresses and keeps those addresses in the right network segments, as the policy dictates.
In conclusion, Cisco enables consistent security across physical, virtual, and cloud environments – with flexible, comprehensive security solutions that:
- Maintain business/IT alignment
- Enable one layer of security policies to work throughout your hybrid environment
- Avoid chokepoints that can degrade performance and jeopardize SLAs
- Deliver context-aware access control by leveraging the entire network
… therefore, we enable security decisions to be made using the same flexibility and fluidity you employ for your network implementation decisions – for a high level of security with operational consistency.