Authored in collaboration with Sunil Kumar Guduru (Enterprise Networking) and Kamaraj P (Security)
The integration of information technology (IT) and operational technology (OT) systems, also known as IT/OT integration, is a crucial process in industries such as manufacturing, energy, and utilities. While IT systems handle data management, OT systems manage physical processes and control systems for critical infrastructure such as power grids, water treatment plants, and manufacturing equipment.
OT systems were once isolated from external networks, making them less vulnerable to cyber threats. Digital Transformation and Smart Manufacturing have accelerated the convergence of IT & OT networks in the process industry with Industry 4.0. While this integration can bring significant benefits such as increased efficiency, improved visibility, and better decision-making, it can also increase the risk of cyber-attacks.
IoT (Internet of Things) devices and sensors are proliferating into IT networks and are managed under a single IT network infrastructure to build smarter and safer workspaces. These IoT devices introduce several security threats to IT networks since IoT devices often have limited processing power and memory, making it challenging to implement robust security features and are mostly deprived of security updates. Attackers exploit these vulnerabilities to pivot from compromised IoT devices to more critical systems and data.
In a recent Gartner Market Guide for OT Cybersecurity, it was reported that 82% of organizations have moved beyond the awareness phase and are now exploring and implementing OT security solutions. As industries continue to embrace new technologies, the need for secure IT/OT integration will continue to grow.
Security should be an integral part of Network Design
As networks converge and smart manufacturing accelerates, it is imperative that security should be an integral part of the network design and not after thought. The IT/OT integration is driving the need for network segmentation, access control, and stateful inspection of traffic moving across different domains. To address these challenges, secure firewall services need to be inserted into the network at the IT/OT convergence points. These firewalls become essential to modern cybersecurity strategies to secure critical networks and safeguard valuable data from modern sophisticated threats.
Adding physical firewalls at IT/OT convergence points in the network can create additional points of congestion, which may impact the network’s overall performance. Moreover, these new firewall appliances will require additional rack space, cooling, power, and link redundancy leading to increased operational expenses.
Cisco’s Enterprise Networking and Security teams have collaborated to develop an innovative solution to seamlessly insert containerized firewall services at IT/OT convergence points. The Cisco Secure Firewall ASA Virtual is a stateful firewall that is packaged as a Docker container and is hosted on Cisco Catalyst 9300 series switches as an application, instead of being physically present next to them. The virtual and container form factors of Cisco Secure Firewall ASA Virtual provides an identical set of capabilities.
Benefits of hosting containerized Cisco Secure Firewall capabilities on Catalyst 9300 switches
By hosting the containerized Secure Firewall ASA on Catalyst 9300 access switches, organizations benefit from enhanced security and simplified network deployment. This not only reduces the complexity of steering the traffic to centralized firewalls using complex tunnels but also eliminates the need for additional hardware.
Positioning the firewall services nearer to the source provides a cost-effective and highly efficient way of securing IT/OT converged networks. It also minimises the latency for time-sensitive SOS applications, by enforcing the policies near the source where the devices connect to the network.
The redundant links and power supplies of the Catalyst 9300 switch are leveraged by the virtual firewall instance hosted on them. This reduces the need for additional servers and physical firewall appliances, saving on rack space, cooling requirements, and operational costs.
By leveraging these capabilities, organizations can simplify network design, reduce costs, and improve their security posture.
How does the containerized Secure Firewall ASA protect the IT/OT network from threats?
Stateful Inspection: All traffic that crosses the IT/OT domains should be subjected to stateful inspection to comply with security compliance. The containzerized Secure Firewall ASA maintains a stateful connection table that keeps track of the state and context of each network connection passing through and applies context-based access control. If any application requires additional ports for its operation, the firewall dynamically opens and tracks those ports while ensuring that security policies and access controls remain in place. All these events are logged for audit purposes and can be used for tracing and preventing security breaches.
Network Segmentation: One of the primary use cases for hosting the containerized Secure Firewall ASA on Catalyst 9300 at IT/OT convergence is network segmentation. By segmenting internal networks, organizations improve their security posture by limiting the spread of cyber-attacks. The firewall can be used to create separate security zones within the network, allowing organizations to control traffic flow between these zones. The firewall instance supports up to 10 logical (in/out) interfaces, which can be leveraged for segmentation. This segmentation helps limit the ability of an attacker to move laterally within the network by containing any breach to a specific zone.
Access Control: The containerized Secure Firewall ASA provides access control in the IT/OT network through ACLs and Security Group Tags (SGT). With SGTs, the firewall applies security policies based on labels instead of IP addresses. The firewall uses SGTs to authenticate OT devices and assign them to a specific security group, such as “OT,” which can further be used for stateful inspection.
Traffic Encryption: The firewall supports encryption protocols like SSL (Secure Sockets Layer) and IPsec (Internet Protocol Security) to secure IoT/OT traffic from eavesdropping and man-in-middle attacks. The communication between different IoT/OT clusters that pass through the shared IT network can be encrypted using IPsec, allowing isolated IoT/OT networks to be connected securely.
Secure Remote Management: The containerized firewall supports SSL and TLS VPNs, allowing remote users to establish secure connections to the Catalyst 9300. SSL/TLS VPNs provide encrypted communication tunnels for secure access to internal network resources, protecting sensitive data during remote management activities.
Management and Orchestration
Cisco Enterprise DNA Center (DNAC) is a management and orchestration controller that provides an automated workflow for the life cycle management and network connectivity configurations for applications like the containerized Secure Firewall ASA hosted on Catalyst switches. It ensures the firewall application is always up-to-date and secure, which is critical for maintaining the integrity and performance of the network. DNAC provides greater agility and scalability in the deployment and management of the containerized Secure Firewall ASA in large deployments where the firewall functionality is distributed across the network. Once the firewall is instantiated and network services configured, it is onboarded to Cisco Defencs Orchestrator for security policy management and event logging. Cisco Defense Orchestrator is a cloud-based centralized management and orchestration platform that simplifies policy management for various Cisco security products including the containerized firewall. Defense Orchestrator is recommended for creating and deploying consistent security policies across large networks. It performs policy analysis and streamlines the configuration and management processes.
For small deployments, the firewall application can be hosted on Catalyst switches manually using CLI or programmatically using RESTOCONF/NETCONF. Cisco Adaptive Security Device Manager (ASDM) is a web-based management and monitoring software packaged in a Secure Firewall ASA image. ASDM empowers users to configure, monitor, and troubleshoot the firewall in smaller deployments through a user-friendly interface, enhancing security management capabilities.
Licensing
Customers can leverage their existing virtual Secure Firewall ASA Virtual license entitlement to run containerized Secure Firewall ASA instances on the Catalyst 9300 switches. This provides investment protection and flexibility to migrate existing virtual ASA instances hosted on servers to Catalyst 9300 switches. This allows customers to seamlessly transition their network security infrastructure while maximizing the value of their Secure Firewall ASA Virtual licenses.
Conclusion
As industries continue to digitize and adopt advanced technologies, IT/OT integration has become essential. However, this integration also introduces new cybersecurity risks, making it more important than ever to implement effective security measures.
Hosting a containerized Secure Firewall ASA on Cisco Catalyst 9300 switches offers a flexible and convenient solution for inserting Secure Firewall services in the modern network. It offers stateful inspection for traffic flowing across the domains, reduces the attack surface by logically segmenting the network, enforces granular access controls across the network, and connects isolated OT/IoT clusters securely for secure remote management. Overall, it can help to mitigate the risks associated with IT/OT integration, keeping critical infrastructure safe from cyber-attacks.
To learn more about Application Hosting solutions on Catalyst Switching, please visit Enterprise Switching Page on DevNet: https://developer.cisco.com/app-hosting/
Cisco Secure Firewall ASA Virtual:
https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/adapt-security-virtual-appliance-ds.html
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Instagram
Facebook
Twitter
LinkedIn
Nice Article… what is the specification (vcpu/memory..etc) for this cASA instance? also what are the performance metrics?
Also is the management of catalyst switch and firewall unified? or is it separate?
ASAc can be hosted on all C9300 series switches. However, the performance is better on C9300X since additional resources are reserved for app hosting infra. It supports around 150 -250 Mbps throughput with iMIX traffic. It can support up to 100K sessions/connections.
C9300/L – 2 vCPU & 2GB
C9300X – 4 vCPU & 8GB
The ASAc and Catalyst 9300 switches can be managed differently, ensuring clear ownership for SecOps and NetOps teams.
It is a great and notable innovation. Great solution for SMB and large enterprise and great step to secure-by design and ZTNA framework
I like the idea of providing security by infra and not as add-on. Good job Cisco