Cisco UK & Ireland Blog

Cisco ASAv: The “v” makes it better


February 16, 2016


I’d like to share this guest blog with you from our partner iland, who are leading the way when it comes to adopting new technologies. The author, Garrett Nowark, is an engineer at iland, and in this blog he talks about one of these new technologies, the Cisco ASAv, and how it is revolutionising the way engineers work and how his clients deploy security in the cloud.

When companies move to the cloud, one of the biggest topics is getting rid of all the server hardware and how freeing it is to no longer have to manage them. However, something a lot of people don’t realise is that this plan gives network engineers pause.

I talk to a lot of network engineers during their migration to iland’s cloud environment, and there is an overwhelming opinion that software networking can’t compete with tried and true network hardware. The common misconception is that they’ll have to ditch their firewall hardware and get a junky virtual machine running an “out of the box” service as their corporate firewall replacement instead.

I’ll explain why, but first, a bit about me. I joined iland with a desire to be at the front of the pack when it came to learning new technologies. I wanted to be the guy that was playing around with new technology as soon as it was released. I got lucky and iland just so happened to be the perfect place for me to do that.

One of these new technologies is the Cisco ASAv, the first virtual version of Cisco’s famous ASA firewall. Almost everyone I’ve come into contact with is familiar with the Cisco ASA, and most of those people have used them in some shape or form previously.

Today, iland not only takes company servers and makes them virtual, but it also takes company networking and makes it virtual… all without losing any functionality. The Cisco ASAv gets deployed from a template in our environment and goes from non-existent to powered on and running in 5 minutes. By the end of the day, we have the ASAv attached to a public network and our customer has an SSH connection open to it and we’re working together on the phone to finalise their configuration.

Sure, it’s a cool idea; a virtual Cisco ASA is a shiny new toy. But what’s the big deal if it just does what the hardware ASA does? Well, it doesn’t just do what a hardware ASA does; it allows us to deploy a high-availability pair that is set up for failover events, and then we utilise VMware host rules to keep the ASAv firewalls on separate hosts:

  • In the event a VMware host goes down, the ASAv fails over to the backup ASAv.
  • In the event where the ASAv itself goes down, it fails over to the backup ASAv.
  • In the event that you accidentally wipe your entire config, we’ll pull a backup of your config from our monitoring system.
  • In the event that you delete the ASAv pair, we’ll pull a backup of your ASAv itself.

Let’s take a look at the hardware ASA… In the event the ISP at your datacentre goes down, you’re gonna have a problem. In the event that your power at the datacentre goes out, you’re gonna have a problem. In the event that the ASA is old and finally packs up in the middle of the night, you’re gonna have a problem. This could go on forever.

So we have a high-availability pair of virtual ASA firewalls on flexible, redundant hosts. Is there anything else? Enter the Cisco REST API. Welcome to automated configurations and error checking, advanced monitoring, and so much more. Imagine deploying a server and having your ASAv automatically add firewall rules based on your server’s role in your network. For me, this means deploying an entire customer network in a few minutes; everything from the base network to an SSL VPN for remote management to multiple IPsec VPN tunnels for securing WAN traffic.

The Cisco ASAv is a game changer in the software-defined networking world, and iland is a seasoned veteran when it comes to migrating customers off of hardware networking devices. The reliability, redundancy, speed, and ease are what we’ve all wanted in our networking job, and iland has found a way to turn that pipe dream into reality.
