Catalyst 9300 gains Cisco Secure Firewall ASA, packaged as a Docker container, to enable simpler, more secure segmentation of network resources.

Cisco announced a containerized firewall package for its venerable Catalyst switch family that is designed to help enterprise customers with mixed IT and OT systems more easily segment network resources and save money by consolidating network and security deployments.

Specifically, Cisco built a Docker-based container for its Secure Firewall Adaptive Security Appliance (ASA) that can be hosted on its Catalyst 9300 access switches. Cisco Secure Firewall ASA combines firewall, antivirus, intrusion prevention, encryption and virtual private network (VPN) support. The firewall supports up to 10 logical interfaces, which can be used for segmentation. This segmentation helps limit an attacker's ability to move laterally within the network by containing any breach to a specific zone, wrote Pal Lakatos-Toth, an engineering product manager with Cisco's security business group, in a blog about the news.

"The integration of information technology (IT) and operational technology (OT) systems, also known as IT/OT integration, is a crucial process in industries such as manufacturing, energy, and utilities. While IT systems handle data management, OT systems manage physical processes and control systems for critical infrastructure such as power grids, water treatment plants, and manufacturing equipment," Lakatos-Toth wrote.

Digital transformation and smart manufacturing initiatives have accelerated the convergence of IT and OT networks, and "while this integration can bring significant benefits such as increased efficiency, improved visibility, and better decision-making, it can also increase the risk of cyber-attacks," Lakatos-Toth stated.
By hosting the containerized Secure Firewall ASA on Catalyst 9300 access switches, organizations can avoid the complexity of steering traffic through tunnels to centralized firewalls, Lakatos-Toth stated. It positions firewall services nearer to the source, offering a cost-effective and efficient way of securing IT/OT converged networks. It also minimizes latency for time-sensitive applications by enforcing policies near the source, where the devices connect to the network, Lakatos-Toth stated.

How Cisco Secure Firewall ASA works with Catalyst 9300

The containerized Secure Firewall ASA maintains a stateful connection table that tracks the state and context of each network connection passing through it and applies context-based access control. "If any application requires additional ports for its operation, the firewall dynamically opens and tracks those ports while ensuring that security policies and access controls remain in place. All these events are logged for audit purposes and can be used for tracing and preventing security breaches," Lakatos-Toth stated.

For access control in the IT/OT network, the containerized Secure Firewall ASA uses access control lists (ACLs) and security group tags (SGTs). "With SGTs, the firewall applies security policies based on labels instead of IP addresses. The firewall uses SGTs to authenticate OT devices and assign them to a specific security group, such as 'OT,' which can further be used for stateful inspection," Lakatos-Toth stated.

The ASA package is managed via Cisco's Enterprise DNA Center (DNAC), which handles management and network connectivity configuration. DNAC ensures the firewall application is always up to date and secure. Cisco Defense Orchestrator also supports the system and can create and deploy consistent security policies across large networks. It performs policy analysis and streamlines the configuration and management processes, Lakatos-Toth wrote.
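To make the two mechanisms above concrete, here is a small Python model of stateful inspection combined with label-based policy. It is an illustration added to this article, not Cisco ASA code: the packet fields, the rule format, the IP-to-SGT mapping and the pinhole method are all constructed assumptions, chosen to show why a reply packet is allowed without its own rule, why an OT-initiated connection toward IT is dropped under an implicit deny, and how a dynamically opened port stays tied to the flow that requested it while every decision lands in an audit log.

```python
# Added illustration of stateful, label-based inspection. This is a toy model
# written for this article, not Cisco ASA code; packet fields, rule format,
# the IP-to-SGT mapping and the pinhole API are all constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str         # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False  # True only for a TCP connection-opening segment


@dataclass(frozen=True)
class Rule:
    src_tag: str   # security group of the sender, e.g. "IT"
    dst_tag: str   # security group of the receiver, e.g. "OT"
    proto: str
    dst_port: int
    action: str    # "permit" or "deny"


class StatefulFirewall:
    """Evaluates policy on SGT labels, then tracks permitted flows by 5-tuple."""

    def __init__(self, rules, ip_to_tag):
        self.rules = list(rules)
        self.ip_to_tag = dict(ip_to_tag)  # stands in for SGT assignment
        self.connections = set()          # forward 5-tuples of open flows
        self.pinholes = set()             # (src_ip, dst_ip, proto, dst_port) opened on demand
        self.audit_log = []               # (action, reason, 5-tuple) for every decision

    def _tag(self, ip):
        return self.ip_to_tag.get(ip, "UNKNOWN")

    def _policy(self, pkt):
        """First matching label rule wins; anything unmatched is denied."""
        key = (self._tag(pkt.src_ip), self._tag(pkt.dst_ip), pkt.proto, pkt.dst_port)
        for r in self.rules:
            if (r.src_tag, r.dst_tag, r.proto, r.dst_port) == key:
                return r.action, "policy"
        return "deny", "implicit-deny"

    def open_pinhole(self, parent, proto, dst_port):
        """Allow one extra flow, but only hanging off an already established connection."""
        if parent not in self.connections:
            raise ValueError("pinhole must hang off an established flow")
        self.pinholes.add((parent[0], parent[1], proto, dst_port))

    def process(self, pkt):
        fwd = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)
        if fwd in self.connections or rev in self.connections:
            return self._record("permit", "established", fwd)   # reply traffic needs no rule
        hole = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)
        if hole in self.pinholes:
            self.pinholes.discard(hole)   # one-shot: promote it to a tracked flow
            self.connections.add(fwd)
            return self._record("permit", "pinhole", fwd)
        if pkt.proto == "tcp" and not pkt.syn:
            return self._record("deny", "no-state", fwd)   # mid-stream segment with no state
        action, reason = self._policy(pkt)
        if action == "permit":
            self.connections.add(fwd)
        return self._record(action, reason, fwd)

    def _record(self, action, reason, tup):
        self.audit_log.append((action, reason, tup))
        return action


def run_demo():
    """Walk constructed packets through the model; returns (actions, audit log)."""
    tags = {"10.0.1.5": "IT", "10.0.2.20": "OT"}   # constructed SGT assignment
    fw = StatefulFirewall([Rule("IT", "OT", "tcp", 502, "permit")], tags)
    pkts = [
        Packet("10.0.1.5", "10.0.2.20", "tcp", 40000, 502, syn=True),   # IT -> OT Modbus: permit
        Packet("10.0.2.20", "10.0.1.5", "tcp", 502, 40000),             # reply: permit (established)
        Packet("10.0.2.20", "10.0.1.5", "tcp", 5000, 22, syn=True),     # OT -> IT SSH: implicit deny
        Packet("10.0.1.5", "10.0.2.20", "tcp", 40001, 502),             # no SYN, no state: deny
        Packet("192.0.2.9", "10.0.2.20", "tcp", 1234, 502, syn=True),   # untagged host: deny
    ]
    results = [fw.process(p) for p in pkts]
    fw.open_pinhole(("10.0.1.5", "10.0.2.20", "tcp", 40000, 502), "udp", 2222)
    results.append(fw.process(Packet("10.0.1.5", "10.0.2.20", "udp", 5555, 2222)))  # pinhole: permit
    results.append(fw.process(Packet("10.0.1.5", "10.0.2.20", "udp", 5556, 2222)))  # pinhole used: deny
    return results, fw.audit_log


if __name__ == "__main__":
    for action, reason, tup in run_demo()[1]:
        print(action, reason, tup)
```

The `audit_log` is what an operator would export for the tracing the article mentions; note that the untagged host at 192.0.2.9 is denied not because of any IP-based rule but because it carries no label that any rule names, which is the practical difference between label-based and address-based policy.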
While this is the first time Cisco has deployed a firewall on the 9300, the switch has included Docker container support for a couple of years. The idea was to let customers build their own applications for the switch without having to rewrite them every time there is an infrastructure change. Docker containers are lightweight and add very little CPU and memory overhead, according to Cisco.

"For example, a network operator in a large enterprise can host a network monitoring application on the Cisco Catalyst access platforms to know clearly where in the network the issues are and act accordingly, due to the real-time insights being received," Cisco stated.

The containerized Secure Firewall ASA will be available on the Catalyst 9300 Switch in October with the IOS XE 17.12.2 release.