There is a security problem in the current datacenter. We all know this problem exists, but it seems insurmountable. I am talking about how you secure an environment where the uplinks are 10Gbps+ and the firewalls simply don’t go that fast. And when you turn on intrusion prevention…well, why did I buy a Nexus switch again? Speed – HA!!
As I have said before, at this point you must segregate your datacenter by VLAN: high-value targets vs. low-value targets (this paradigm changes in the software-defined data center, but we are still at the early stages of that). Typically, though, I will have 20-80Gbps of links headed down to each chassis, depending on utilization.
The fastest IPS devices run at 40G, and the fastest firewalls run at about the same. To get the most out of them you need to dedicate functionality: a combined firewall/IPS runs much slower (regardless of manufacturer).
Cisco has come out with a solution, but as with any solution you will have to pay for the speed. The good news is that you can mix vendors in this solution if there are other vendors you prefer for IPS.
I am going to link to a couple of external articles, as there is no need to rewrite them. Instead I will explain a couple of options which were not discussed there. Both articles work within the confines of clustered ASAs. For those less familiar with this solution: you can now take up to 8 ASAs and combine their throughput (in practice you get 70% of the combined throughput). This means I can now have up to 128Gbps of firewall throughput in a cluster. If you are familiar with ASAs and data center routing, your mind may immediately jump to asymmetric routing problems, where the ASA drops the traffic. This has been fixed via a control link between all of the ASAs: a packet that arrives at an ASA other than the one that originally handled the flow is forwarded over that link to the original ASA for processing. This is called a normalization process.
So that is great; it may solve most of your firewall throughput needs, but IPS…well, that is a much more intensive process.
First, find those services that do not need IPS. On the high-end IPS solutions you can bypass those connections in hardware, so the performance of the platform is not reduced by systems you don’t need to protect. That will help, but it will not solve the problem; to remediate it you need to scale the IPS solution in the same way as the ASAs.
We have two options:
Option 1: Include FirePOWER services in the ASA. This is an all-Cisco solution and is not the fastest. Even the fastest solution from Cisco provides up to 6Gbps of throughput per firewall/IPS combo. Combine this across 8 and you get 48Gbps (you don’t need to apply the 0.7 factor here, as the 6Gbps figure is already below the ASA throughput after the 70% is taken into account). This works because the normalization process ensures that traffic is symmetric through the IPS.
Option 2: Behind each ASA in the cluster, put an IPS. You have to use two contexts on the ASA to make this work and sandwich the IPS between them. This is described in much greater depth here.
The nice thing about option 2 is that the IPS vendor is irrelevant. Do you like Blue Coat, Palo Alto or FireEye? Use them, but you need to dedicate one per ASA.
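To make the option 2 sandwich concrete, here is an illustrative two-context layout for a single cluster member. It is an added example, not the post’s own configuration or anything from the linked article; the VLAN numbers, context names, mapped interface names and addresses are placeholders I chose, and it assumes the IPS sits inline in layer 2 between VLAN 200 and VLAN 300, so both contexts share one /30 across it.

```text
! System execution space (assumed: one 10G port carrying four VLAN subinterfaces)
mode multiple
!
interface TenGigabitEthernet0/8.100
 vlan 100
interface TenGigabitEthernet0/8.200
 vlan 200
interface TenGigabitEthernet0/8.300
 vlan 300
interface TenGigabitEthernet0/8.400
 vlan 400
!
context OUTSIDE-CTX
 allocate-interface TenGigabitEthernet0/8.100 outside
 allocate-interface TenGigabitEthernet0/8.200 to-ips
 config-url disk0:/outside-ctx.cfg
!
context INSIDE-CTX
 allocate-interface TenGigabitEthernet0/8.300 from-ips
 allocate-interface TenGigabitEthernet0/8.400 inside
 config-url disk0:/inside-ctx.cfg
!
! --- OUTSIDE-CTX: routed hop toward the core, hands every flow to the IPS ---
interface outside
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface to-ips
 nameif to-ips
 security-level 50
 ip address 198.51.100.1 255.255.255.252
route outside 0.0.0.0 0.0.0.0 192.0.2.1
route to-ips 10.0.0.0 255.0.0.0 198.51.100.2
!
! --- INSIDE-CTX: receives only inspected traffic, routed hop to the servers ---
interface from-ips
 nameif from-ips
 security-level 50
 ip address 198.51.100.2 255.255.255.252
interface inside
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
route from-ips 0.0.0.0 0.0.0.0 198.51.100.1
```

Because the only path between the two contexts is through VLAN 200/300, there is no way for a flow to reach the server VLAN without crossing the IPS, and each cluster member gets its own IPS on its own pair of VLANs.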
Another VERY important point about all of these solutions in a datacenter with a Nexus 7000 running version 6.x or lower: you cannot use the layer 2 option (vPC) with dynamic routing. Another way to say this is that you cannot dynamically route over a vPC. You must do equal-cost multi-pathing (ECMP) to the ASA, and therefore the ASA acts as a routed hop in the network. You can do static routes over a vPC, just not dynamic. Here is an excellent article describing this.