Oracle Cloud Infrastructure (OCI) provides a wide range of cloud-computing services, workloads, and applications to organizations globally. With Cisco Secure Firewall, organizations are able to build a scalable RAVPN architecture on OCI, providing employees secure remote access to their organization’s resources from any location or endpoint.
This scalable architecture brings together Cisco Security and OCI Infrastructure-as-a-Service (IaaS) and extends remote access VPN capabilities with the combination of Cisco Duo, Cisco Umbrella, and AMP Enabler, also known as Cisco Secure Remote Worker. Extending this solution to your OCI environment provides protection across multiple regions and multiple availability domains.
◉ Cisco AnyConnect Secure Mobility Client – Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization.
◉ Cisco Duo – Multi-factor authentication from Duo protects the network by using a second source of validation and authentication.
◉ Cisco Umbrella Roaming Security Module – Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time — both on and off your corporate VPN. It enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port.
◉ Cisco AnyConnect AMP Enabler – Cisco AnyConnect AMP Enabler module protects against malware.
Organizations can deploy Cisco Secure Firewall Threat Defense Virtual (formerly FTDv/NGFWv) and Cisco Secure Firewall ASA Virtual (formerly ASAv) in the OCI environment to enable a secure connection back to the application in the cloud. Traditionally, firewalls scale using clustering, but in the cloud, because layer 2 is abstracted away, native high availability and native firewall clustering cannot be implemented.
Architects can still design a scalable architecture using cloud components like Oracle’s Network Load Balancer (NLB) and DNS.
◉ Design 1 – Load balance RAVPN sessions to multiple firewalls using OCI DNS service
◉ Design 2 – Load balance RAVPN sessions to multiple Cisco Secure Firewalls using OCI network load balancer service
◉ Design 3 – Load balance RAVPN sessions across multiple regions using OCI DNS and a network load balancer
Note: Each firewall uses a unique VPN pool, and the OCI route table points to the respective firewall for the VPN pool.
Load balance RAVPN sessions to multiple firewalls using OCI DNS service
In this architecture, we have deployed multiple firewalls across multiple availability domains. The OCI DNS service provides the mechanism for RAVPN load balancing.
◉ DNS provides an FQDN (example.vpn.com)
◉ DNS has “A” record for each firewall
◉ DNS monitors the health of each firewall using probes
◉ DNS receives a DNS query for the FQDN and replies with the public IP address of one of the Cisco Secure Firewalls
◉ The user connects directly to Cisco Secure Firewall
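The following is an added example, not code from the original post or from Cisco or Oracle: a small Python model of Design 1 that holds one "A" record per firewall, answers queries for the FQDN only with firewalls whose health probe passed, and checks the note's requirement that each firewall owns a unique VPN pool with a route-table entry pointing back at it. The firewall names, addresses, pools and probe results are constructed for illustration.

```python
# Added example: model of OCI DNS based RAVPN load balancing (Design 1).
# Every name, address and probe result below is constructed, not real.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Firewall:
    name: str        # hypothetical firewall name, e.g. "ftdv-ad1"
    public_ip: str   # address the DNS "A" record for the FQDN points at
    vpn_pool: str    # CIDR handed out to AnyConnect clients on this firewall

FQDN = "example.vpn.com"   # the FQDN used in the post

# Constructed inventory: one firewall per availability domain.
FIREWALLS = [
    Firewall("ftdv-ad1", "203.0.113.10", "10.10.1.0/24"),
    Firewall("ftdv-ad2", "203.0.113.20", "10.10.2.0/24"),
    Firewall("ftdv-ad3", "203.0.113.30", "10.10.3.0/24"),
]

def a_records(fws):
    """One "A" record per firewall, as the DNS zone would hold them."""
    return {fw.name: (FQDN, fw.public_ip) for fw in fws}

class DnsSteering:
    """Health-aware answers for the RAVPN FQDN, rotating over healthy firewalls."""
    def __init__(self, fws):
        self.fws = list(fws)
        self.probe_ok = {fw.name: True for fw in fws}  # all healthy at start
        self._next = 0

    def set_probe(self, name, ok):
        """Record the latest health-probe result for one firewall."""
        self.probe_ok[name] = ok

    def resolve(self):
        """Answer a query for FQDN with one healthy firewall's public IP."""
        candidates = [fw for fw in self.fws if self.probe_ok[fw.name]]
        if not candidates:
            return None   # every probe failed: no answer rather than a dead IP
        fw = candidates[self._next % len(candidates)]
        self._next += 1
        return fw.public_ip

def route_table(fws):
    """Route rules implied by the note: each VPN pool -> its owning firewall."""
    return {fw.vpn_pool: fw.name for fw in fws}

def vpn_pools_unique(fws):
    """The note requires a unique pool per firewall: reject any overlap."""
    nets = [ipaddress.ip_network(fw.vpn_pool) for fw in fws]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
```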