szeya
Cisco Employee

Network security refers to the practice of implementing measures to protect the integrity, confidentiality, and availability of data and resources in a network. Firewalls, such as Cisco ASA firewalls, are an integral part of network security, as they act as a barrier between a trusted network and untrusted networks. They help prevent unauthorized access, filter out malicious traffic, and enforce security policies to protect against threats.

Cisco ASA Firewalls are designed to provide comprehensive security solutions for organizations of all sizes, from small businesses to large enterprises. ASA firewalls perform stateful packet inspection, which means they keep track of the state of active connections and apply security policies accordingly. This allows them to make context-aware decisions, enhancing security.

Containerized Cisco ASAc Firewall on Catalyst 9300 Platforms

The acceleration of Digital Transformation and Smart Manufacturing has led to the increased convergence of IT and OT domains within the process industry. Additionally, the growing prevalence of IoT is evident in IT networks, where HVAC, lighting, alarms, and security systems merge into a unified IT-managed network infrastructure, contributing to the development of more intelligent and secure workspaces.

It is essential to position the Firewall closer to the IT/OT convergence point to facilitate stateful inspection of traffic at the edge. This ensures the examination of laterally moving traffic within the Enterprise network, not exclusively traffic leaving it. While Cisco Catalyst switches currently offer ACL capabilities, these are stateless and rely on per-packet inspection. Meeting compliance requirements necessitates the generation and logging of security events, a functionality inherently supported by security devices.
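To make the distinction between a stateless switch ACL and stateful inspection concrete, here is an added Python model that is not Cisco code and not part of the original post; the IT/OT subnets, the single permitted service (Modbus/TCP, port 502) and the three sample packets are constructed assumptions. It shows why a per-packet ACL must trust the ACK bit to let replies back, why a stateful firewall can instead admit only packets belonging to a tracked flow, and how each verdict becomes the kind of security event that compliance logging needs.

```python
from collections import namedtuple
import ipaddress
# Constructed topology (assumption, not from the post): one IT zone, one OT zone.
IT_ZONE = ipaddress.ip_network("10.1.0.0/16")
OT_ZONE = ipaddress.ip_network("10.2.0.0/16")
ALLOWED_OT_SERVICES = {502}  # constructed policy: IT may open Modbus/TCP to OT
Packet = namedtuple("Packet", "src dst sport dport syn ack")

def in_zone(ip, zone):
    return ipaddress.ip_address(ip) in zone

def stateless_acl(pkt):
    """Per-packet ACL as on a switch: no memory of earlier packets, so replies can
    only be admitted by trusting the ACK bit ('established'), session or not."""
    if in_zone(pkt.src, IT_ZONE) and in_zone(pkt.dst, OT_ZONE):
        return pkt.dport in ALLOWED_OT_SERVICES
    if in_zone(pkt.src, OT_ZONE) and in_zone(pkt.dst, IT_ZONE):
        return pkt.ack
    return False

class StatefulFirewall:
    """Stateful model: a packet passes only if it opens a permitted flow or belongs
    to a tracked one, and every verdict is recorded as a security event."""
    def __init__(self):
        self.flows = set()  # (client, server, client_port, server_port)
        self.events = []    # events a compliance team would export to a collector

    def _log(self, verdict, pkt, reason):
        self.events.append(f"{verdict} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} {reason}")
        return verdict == "PERMIT"

    def process(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return self._log("PERMIT", pkt, "part of tracked flow")
        if pkt.syn and not pkt.ack:  # new connection attempt: apply zone policy
            if (in_zone(pkt.src, IT_ZONE) and in_zone(pkt.dst, OT_ZONE)
                    and pkt.dport in ALLOWED_OT_SERVICES):
                self.flows.add(fwd)
                return self._log("PERMIT", pkt, "new flow allowed by policy")
            return self._log("DENY", pkt, "new flow not allowed by policy")
        return self._log("DENY", pkt, "no tracked flow for this packet")

def demo():
    fw = StatefulFirewall()
    pkts = [Packet("10.1.0.5", "10.2.0.9", 40000, 502, True, False),  # IT opens Modbus
            Packet("10.2.0.9", "10.1.0.5", 502, 40000, True, True),   # SYN/ACK reply
            Packet("10.2.0.77", "10.1.0.5", 4444, 22, False, True)]   # ACK-only, no session
    return [stateless_acl(p) for p in pkts], [fw.process(p) for p in pkts], fw.events
```

The third packet is the interesting one: the stateless ACL admits it because the ACK bit is set, while the stateful model denies it and leaves a DENY event behind for the SIEM.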


Positioning the ASAc Firewall nearer to the endpoints provides a cost-effective and highly efficient way of securing IT/OT converged networks. It also minimizes latency for time-sensitive applications and saves the bandwidth that would otherwise be spent hauling traffic to a centralized firewall. With IOS-XE 17.12.2, Cisco Catalyst 9300 series switches can now host the containerized ASAc Firewall to provide enhanced security and simplified network deployment.

Benefits of hosting containerized Cisco ASAc on Catalyst 9300 switches

Hosting the containerized ASAc Firewall on Catalyst 9300 access switches not only reduces the complexity of steering traffic to centralized firewalls but also eliminates the need for additional hardware. The main use case for this solution is stateful inspection of traffic flowing across IT/OT domains. ASAc also supports granular access controls, secure remote management, IPsec tunnels and more.

ASAc and ASAv differ in their formats, with ASAc adopting a lightweight Docker format and ASAv utilizing KVM format. Despite this distinction, ASAc achieves feature parity with ASAv. Additionally, organizations have the option to utilize their current ASAv license entitlement for ASAc instances on Catalyst 9300 switches. This not only ensures investment protection but also offers flexibility in migrating existing ASAv instances hosted on servers to Catalyst 9300 switches.


The ASAc container supports up to 10 logical interfaces for multiple segments and runs in routed mode, so the inside and outside interfaces can sit on different subnets. ASAc high availability (cold) is also supported on Catalyst 9300 stacks. While ASAc runs on the active switch, the standby switch automatically syncs the application data in the background. If the active switch goes down, or during a switchover, the standby switch takes over the control plane and brings up the ASAc container from that switch. Because this is cold HA, there is some application downtime during the switchover; however, the application's data is not lost.

For ASAc application management, Cisco Catalyst Center provides an automated workflow for life-cycle management and network configuration. Multiple ASAc firewalls can be deployed with a single Catalyst Center workflow for large deployments where the firewall functionality is distributed across the network.

Once the ASAc firewall is deployed on Catalyst 9300 platforms, it is onboarded to Cisco Defense Orchestrator (CDO) for security policy management and event logging. CDO serves as a cloud-based centralized management and orchestration platform, streamlining policy management for a range of Cisco security products, including the containerized ASAv firewall. Particularly recommended for establishing uniform security policies across extensive networks, Defense Orchestrator excels in policy analysis, simplifying both configuration and management processes.

For small deployments, the ASAc firewall application can be deployed on Catalyst 9300 switches either through the Command Line Interface (CLI) or programmatically using RESTCONF/NETCONF. Cisco Adaptive Security Device Manager (ASDM) is a web-based management and monitoring application integrated into the Secure Firewall ASA image. ASDM provides a user-friendly interface for configuring, monitoring, and troubleshooting the firewall in smaller deployments.

Conclusion

Deploying a containerized ASAc firewall on Cisco Catalyst 9300 switches provides a versatile and efficient method to integrate firewall services into enterprise networks. This solution enables stateful inspection of traffic within domains, diminishes the attack surface through logical network segmentation, enforces detailed access controls, and securely connects isolated OT/IoT clusters for remote management. In essence, it serves as a proactive measure to mitigate risks tied to IT/OT integration, ensuring the safety of critical infrastructure against potential threats.
