Introduction
With traditional firewalls, network security teams are charged with the heavy lifting of deploying new solutions. They are responsible for a variety of costs, including licensing, appliance, related infrastructure updates, and ongoing maintenance. From a time-value perspective, inserting firewalls also creates additional complexity for NetOps and SecOps teams, delaying time to deployment in production environments due to design and testing required to integrate the new firewall into the network.
To become more agile, organizations are increasingly moving towards deploying SaaS-based security offerings hosted directly by vendors. According to Gartner, by 2025, 30% of new deployments of distributed branch-office firewalls will switch to firewall-as-a-service, up from less than 10% in 2021.
Reduce management and deployment complexity
Cisco has collaborated with AWS to simplify the way organizations secure their public cloud infrastructure using Firewall-as-a-Service (FWaaS) where Cisco Secure Firewall is integrated with the AWS Gateway Load Balancer (GWLB). AWS Gateway Load Balancer enables elastic scaling, improves availability, and simplifies insertion and management of the Cisco Secure Firewall. Starting with version 7.1 of Cisco Secure Firewall Threat Defense, we support integration with AWS Gateway Load Balancer.
What does this mean for Cisco Secure Firewall customers?
Simply put, experience your firewall working for you, not the other way around. Cisco Secure Firewall-as-a-service on AWS enables you to simply consume our virtual firewall in AWS, without rearchitecting, deploying, or managing new infrastructure. Now, you can simplify security at its core by leaving the heavy lifting to us. Other benefits include:
◉ Simplified security architecture – Provisioning of firewalls and control plane infrastructure are managed by Cisco, saving time and accelerating value.
◉ Flexible and scalable security – Elastic firewall infrastructure meets demand by scaling as throughput requirements change.
◉ Security that works with you – Simplified firewall insertion delivers the security you need, without having to rearchitect your network. Additionally, traffic routing configurations and firewall monitoring are performed by Cisco.
◉ Stay agile – Say goodbye to the traditional refresh cycle and stay instantly up to date with the latest firewall software versions and IPS signatures. No hardware required.
◉ Achieve better ROI, fast – Our OPEX-based model will demonstrate to your CFO that you’re both a technology and business partner. And you’ll reduce upfront costs, paying for only what you need.
Customers also benefit from support for dynamic policies for AWS tags, plus improved threat detection, simplified customization, and enhanced performance of our latest, industry-leading open-source IPS, Snort3.
Architecture and use cases for Secure Firewall-as-a-service on AWS
Cisco Secure Firewall-as-a-service on AWS consists of:
A.) Managed Gateway Load Balancer endpoints (MGE) – MGEs reside in the customer’s VPC/account and are responsible for routing the traffic from the customer’s VPC to the Cisco-managed security VPC, where it will be inspected.
B.) Gateway Load Balancer (GWLB) – GWLB resides on the Cisco managed VPC/account, this is responsible for hosting the Secure Firewall appliance fleet.
Together, these components bring best-in-class managed security infrastructure for customers using AWS.
With Cisco Secure Firewall-as-a-service on AWS, we intend to support:
◉ Inspection for ingress (inbound) and egress (outbound) traffic from and to the internet
◉ East-West (E/W) traffic between subnets (resources) within a VPC (Intra-VPC) and between VPCs (Inter-VPC)
◉ Traffic between the on-premises network and customer VPC’s, when passed over a Transit Gateway using VPN.
East-West traffic
East-west traffic flow for firewall-as-a-service
Ingress and egress traffic
Ingress and egress traffic flow for firewall-as-a-service
Choose between fully managed and partially managed Firewall-as-a-service
We recognize some customers want a fully managed service while others wish to configure their own policy. To satisfy both, Cisco is offering a partially managed Firewall-as-a-service option as well. This option provides the customer with most of the benefits of the fully managed service above, but with a partially managed environment where Cisco continues to manage the infrastructure, but lets the customer retain policy management responsibilities.
And if customers wish to manage and deploy their own
Looking to manage and deploy your own Cisco firewalls on AWS? The release of Cisco Secure Firewall Threat Defense 7.1 introduces GENEVE support, integrating Cisco Secure Firewall with AWS Gateway Load Balancer, giving customers full control of their infrastructure while simplifying deployment, management, and scaling of firewalls. This integration ensures traffic to and from AWS VMs are inspected by Secure Firewall without requiring any routing changes. This enables rapidly scalable, highly available security with simplified insertion, removing the need to rearchitect your network.
Source: cisco.com