Cisco hosts containerized firewall on Catalyst switches to protect mixed IT/OT networks

Cisco announced a containerized firewall package for its venerable Catalyst switch family that’s designed to help enterprise customers with mixed IT and OT systems more easily segment network resources and save money by consolidating network and security deployments.

Specifically, Cisco built a Docker-based container for its Secure Firewall Adaptive Security Appliance (ASA) that can be hosted on its Catalyst 9300 access switches. Cisco Secure Firewall ASA combines firewall, antivirus, intrusion prevention, encryption and virtual private network (VPN) support.

The firewall supports up to 10 logical interfaces, which can be used for segmentation. This segmentation helps limit the ability of an attacker to move laterally within the network by containing any breach to a specific zone, wrote Pal Lakatos-Toth, an engineering product manager with Cisco’s security business group, in a blog about the news.

“The integration of information technology (IT) and operational technology (OT) systems, also known as IT/OT integration, is a crucial process in industries such as manufacturing, energy, and utilities. While IT systems handle data management, OT systems manage physical processes and control systems for critical infrastructure such as power grids, water treatment plants, and manufacturing equipment,” Lakatos-Toth wrote.

Digital transformation and smart manufacturing initiatives have accelerated the convergence of IT and OT networks, and “while this integration can bring significant benefits such as increased efficiency, improved visibility, and better decision-making, it can also increase the risk of cyber-attacks,” Lakatos-Toth stated.

By hosting the containerized Secure Firewall ASA on Catalyst 9300 access switches, organizations can reduce the complexity of steering traffic to centralized firewalls using complex tunnels, Lakatos-Toth stated. It positions firewall services nearer to the source, offering a cost-effective and efficient way of securing IT/OT converged networks. It also minimizes the latency for time-sensitive applications by enforcing the policies near the source where the devices connect to the network, Lakatos-Toth stated.

The containerized Secure Firewall ASA maintains a stateful connection table that keeps track of the state and context of each network connection passing through and applies context-based access control.

“If any application requires additional ports for its operation, the firewall dynamically opens and tracks those ports while ensuring that security policies and access controls remain in place. All these events are logged for audit purposes and can be used for tracing and preventing security breaches,” Lakatos-Toth stated.

For access control in the IT/OT network, the containerized Secure Firewall ASA uses access control lists (ACL) and security group tags (SGT). “With SGTs, the firewall applies security policies based on labels instead of IP addresses. The firewall uses SGTs to authenticate OT devices and assign them to a specific security group, such as ‘OT,’ which can further be used for stateful inspection,” Lakatos-Toth stated.

The ASA package is managed via Cisco’s Enterprise DNA Center (DNAC) to support management and network connectivity configurations. DNAC ensures the firewall application is always up-to-date and secure. Cisco Defense Orchestrator also supports the system and can create and deploy consistent security policies across large networks. It performs policy analysis and streamlines the configuration and management processes, Lakatos-Toth wrote.

While this is the first time Cisco has deployed a firewall on the 9300, the switch has included Docker container support for a couple of years. The idea was to let customers build their own applications to the switch without having to rewrite them every time there is an infrastructure change. Docker containers are lightweight and use very little CPU and memory overhead, according to Cisco.

“For example, a network operator in a large enterprise can host a network monitoring application on the Cisco Catalyst access platforms to know clearly where in the network the issues are and act accordingly, due to the real-time insights being received,” Cisco stated.

The containerized Secure Firewall ASA will be available on the Catalyst 9300 Switch in October with IOS EX 17.12.2 release.

Next read this: