Catalyst 9300 gains Cisco Secure Firewall ASA, packaged as a Docker container, to enable more simplified, secure segmentation of network resources.

Cisco announced a containerized firewall package for its venerable Catalyst switch family that’s designed to help enterprise customers with mixed IT and OT systems more easily segment network resources and save money by consolidating network and security deployments.

Specifically, Cisco built a Docker-based container for its Secure Firewall Adaptive Security Appliance (ASA) that can be hosted on its Catalyst 9300 access switches. Cisco Secure Firewall ASA combines firewall, antivirus, intrusion prevention, encryption and virtual private network (VPN) support. The firewall supports up to 10 logical interfaces, which can be used for segmentation. This segmentation helps limit the ability of an attacker to move laterally within the network by containing any breach to a specific zone, wrote Pal Lakatos-Toth, an engineering product manager with Cisco’s security business group, in a blog about the news.

“The integration of information technology (IT) and operational technology (OT) systems, also known as IT/OT integration, is a crucial process in industries such as manufacturing, energy, and utilities. While IT systems handle data management, OT systems manage physical processes and control systems for critical infrastructure such as power grids, water treatment plants, and manufacturing equipment,” Lakatos-Toth wrote.

Digital transformation and smart manufacturing initiatives have accelerated the convergence of IT and OT networks, and “while this integration can bring significant benefits such as increased efficiency, improved visibility, and better decision-making, it can also increase the risk of cyber-attacks,” Lakatos-Toth stated.
By hosting the containerized Secure Firewall ASA on Catalyst 9300 access switches, organizations can reduce the complexity of steering traffic to centralized firewalls through complex tunnels, Lakatos-Toth stated. It positions firewall services nearer to the source, offering a cost-effective and efficient way of securing IT/OT converged networks. It also minimizes latency for time-sensitive applications by enforcing policies near the source, where the devices connect to the network, Lakatos-Toth stated.

How Cisco Secure Firewall ASA works with Catalyst 9300

The containerized Secure Firewall ASA maintains a stateful connection table that keeps track of the state and context of each network connection passing through it and applies context-based access control. “If any application requires additional ports for its operation, the firewall dynamically opens and tracks those ports while ensuring that security policies and access controls remain in place. All these events are logged for audit purposes and can be used for tracing and preventing security breaches,” Lakatos-Toth stated.

For access control in the IT/OT network, the containerized Secure Firewall ASA uses access control lists (ACLs) and security group tags (SGTs). “With SGTs, the firewall applies security policies based on labels instead of IP addresses. The firewall uses SGTs to authenticate OT devices and assign them to a specific security group, such as ‘OT,’ which can further be used for stateful inspection,” Lakatos-Toth stated.

The ASA package is managed via Cisco’s Enterprise DNA Center (DNAC) to support management and network connectivity configurations. DNAC ensures the firewall application is always up-to-date and secure. Cisco Defense Orchestrator also supports the system and can create and deploy consistent security policies across large networks. It performs policy analysis and streamlines the configuration and management processes, Lakatos-Toth wrote.
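The three mechanisms described above (policy keyed on SGT labels rather than IP addresses, a stateful connection table that admits return traffic for established flows, and an audit log of every decision) can be illustrated with a small model. This is an added, constructed example and not Cisco's code or ASA configuration; the SGT assignments, labels and rules are made up for the illustration.

```python
"""Toy model of label-based (SGT) stateful policy enforcement.

Constructed example for illustration only: a real ASA learns SGT bindings
from the identity infrastructure and uses its own rule syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


# Constructed IP-to-SGT bindings (hypothetical addresses and labels).
SGT = {"10.10.1.5": "OT", "10.10.1.9": "OT",
       "10.20.0.7": "IT-ENG", "10.20.0.8": "IT-CORP"}

# Rules reference labels, not addresses: (src_label, dst_label, proto, dport).
# dport None means any port. Only engineering hosts may open Modbus/TCP (502)
# toward the OT zone; OT-to-OT TCP is allowed; everything else is denied.
POLICY = [("IT-ENG", "OT", "tcp", 502), ("OT", "OT", "tcp", None)]


class StatefulFirewall:
    def __init__(self) -> None:
        self.conn_table: set[Flow] = set()   # permitted initiator flows
        self.audit: list[str] = []           # one entry per decision

    def _policy_match(self, f: Flow) -> bool:
        src, dst = SGT.get(f.src_ip, "UNKNOWN"), SGT.get(f.dst_ip, "UNKNOWN")
        return any(src == rs and dst == rd and f.proto == p
                   and (dp is None or f.dport == dp)
                   for rs, rd, p, dp in POLICY)

    def inspect(self, f: Flow) -> bool:
        # Reply packets of an established connection are admitted without
        # a rule of their own; new connections must match a label rule.
        reverse = Flow(f.dst_ip, f.src_ip, f.proto, f.dport, f.sport)
        if reverse in self.conn_table:
            verdict, why = True, "established"
        elif self._policy_match(f):
            self.conn_table.add(f)
            verdict, why = True, "policy-match"
        else:
            verdict, why = False, "no-match"
        self.audit.append(f"{'PERMIT' if verdict else 'DENY'} "
                          f"{SGT.get(f.src_ip, '?')}->{SGT.get(f.dst_ip, '?')} "
                          f"{f.proto}/{f.dport} ({why})")
        return verdict
```

Moving a host between IT-ENG and IT-CORP changes its label, not the rule set, which is the point of labeling over address-based ACLs.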
While this is the first time Cisco has deployed a firewall on the 9300, the switch has included Docker container support for a couple of years. The idea was to let customers build their own applications for the switch without having to rewrite them every time there is an infrastructure change. Docker containers are lightweight and use very little CPU and memory overhead, according to Cisco.

“For example, a network operator in a large enterprise can host a network monitoring application on the Cisco Catalyst access platforms to know clearly where in the network the issues are and act accordingly, due to the real-time insights being received,” Cisco stated.

The containerized Secure Firewall ASA will be available on the Catalyst 9300 Switch in October with the IOS XE 17.12.2 release.