For starters, Cisco announced an ACI Application Policy Infrastructure Controller, due to be released in April 2014, designed to enforce access and security policies across the network fabric. ACI Security Solutions will support next-generation Cisco ASA physical and virtual firewall technologies by stitching them directly into the ACI network fabric, and can be managed using the ACI Policy Infrastructure Controller management tool, Chris Young, senior VP of Cisco Security Group, said Wednesday in a blog post.
In addition, Cisco updated its ASA 5585-X Series Next-Generation Security Appliance -- which it said can be scaled up to handle 640 Gbps, work with Nexus 9000 data center switches and also provide automatic load balancing -- to be compatible with ACI. It's also released a virtual version of its popular ASA firewall, dubbed the Cisco ASA Virtual Firewall (ASAv), which will likewise work with the ACI fabric. "The ASAv maintains its own data path. This allows it to work with any virtual switch and it will be available on multiple hypervisors," said Young.
All told, the new Cisco ACI products will give businesses a unified single pane of glass across networking, application, firewall and other security, Young said, as well as a single way to set network-related policies both for physical as well as virtual products.
Scott Harrell, VP of product management for the Cisco Security Group, said that ACI attempts to find a middle ground between having IT managers manually provision and install every box, or attempting to use software-based network virtualization, which creates instances that -- at scale -- might be difficult to manage or protect. "What Cisco has tried to do with this Application Center Infrastructure launch product line is come up with a new approach to address these data center problems," he said, speaking by phone.
In particular, Harrell explained, the Application Policy Infrastructure Controller allows you to use the fabric to determine which app can talk to which app, as opposed to having a firewall do this. "And it allows you to have a single, consistent policy -- across apps -- that you program once, and it works across both virtual and physical instances," he added.
In other words, rather than forcing data center managers to apply firewall rules at every point between any two given applications, Cisco's goal with ACI is to allow IT managers to create just one set of security policies governing how the applications should be allowed to communicate, and then step back and let the network fabric handle the nitty-gritty.
Today, correctly applying and managing firewall rules continues to be a bugbear for data center managers. Market researcher Gartner estimates that no less than 95% of all firewall breaches, in fact, stem from misconfigured firewalls.
Part of the problem is the need to configure not only one firewall, but all of them. "Different businesses do different things depending on their risk posture, but for the most part you have a single piece of iron -- a firewall -- that sits at the ingress to a data center node and controls the ingress and egress to those applications as a big pool," Harrell explained. "The problem with that is that doesn't really scale if you have physical as well as virtual machines -- you have to go and program those as well."
As a result, data center managers soon end up needing to juggle thousands of firewall rules. "It's not very granular, it's hard to maintain, and because you have to apply thousands of firewall rules, it becomes a choke point," said Harrell.
Hence Cisco's attempt to eliminate firewall rules wherever possible and instead enforce access rights from one application to another. The upside of this approach is that each application can be granted only the minimum access rights it requires. In addition, administrators can create a single policy and apply it across both physical and virtual instances.
"Everyone is scared to remove a rule because even when an app disappears, they weren't quite sure what a rule was doing," said Harrell. "The nice thing here is that when apps disappear, the rule will be automatically decommissioned -- and that's a nontrivial advantage that helps you a lot, because it keeps your firewall rules clean."
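To make the policy model Harrell describes concrete (one app-to-app policy rendered onto physical and virtual endpoints alike, with rules retired automatically when their app is), here is an added Python sketch; it is not Cisco code and does not model how ACI actually implements this, and the app names, addresses and port are constructed sample values.

```python
Rule = tuple[str, str, int]   # (src endpoint, dst endpoint, port): one rendered allow rule

class AppPolicy:
    """Intent model: apps own endpoints (physical or virtual alike); contracts say
    which app may reach which app on which port. Rules are rendered, not hand-written."""

    def __init__(self) -> None:
        self.endpoints: dict[str, set[str]] = {}
        self.contracts: set[tuple[str, str, int]] = set()

    def add_app(self, name: str, endpoints: set[str]) -> None:
        self.endpoints.setdefault(name, set()).update(endpoints)

    def allow(self, consumer: str, provider: str, port: int) -> None:
        if consumer not in self.endpoints or provider not in self.endpoints:
            raise KeyError("contracts may only reference registered apps")
        self.contracts.add((consumer, provider, port))

    def remove_app(self, name: str) -> None:
        # Retiring an app drops every contract naming it, so the rules rendered
        # from those contracts vanish with the app instead of lingering.
        self.endpoints.pop(name, None)
        self.contracts = {c for c in self.contracts if name not in c[:2]}

    def render(self) -> set[Rule]:
        # Expand app-to-app contracts into endpoint-to-endpoint allow rules;
        # anything not rendered here is implicitly denied.
        return {(s, d, port)
                for consumer, provider, port in self.contracts
                for s in self.endpoints[consumer]
                for d in self.endpoints[provider]}

def reconcile(enforced: set[Rule], policy: AppPolicy) -> tuple[set[Rule], set[Rule]]:
    """Diff an enforcement point's current rules against the rendered intent:
    returns (stale rules to decommission, missing rules to install)."""
    desired = policy.render()
    return enforced - desired, desired - enforced

def demo() -> tuple[int, int, int]:
    # Constructed sample: web tier with a physical and a virtual endpoint, a db
    # tier, and one contract allowing web -> db on 5432.
    p = AppPolicy()
    p.add_app("web", {"10.0.1.10", "10.0.2.10"})
    p.add_app("db", {"10.0.3.10"})
    p.allow("web", "db", 5432)
    enforced = p.render()                     # two rules: each web endpoint -> db:5432
    p.remove_app("web")                       # app retired...
    stale, missing = reconcile(enforced, p)   # ...its two rules are now stale
    return len(enforced), len(stale), len(missing)
```

The point of `reconcile` is that cleanup is a diff against intent rather than a human guessing what a rule was for: when the app goes, its rules show up as stale and nothing else does.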