Cisco Catalyst Switches: Enabling Secure Firewall Service Insertion

IBSCY Ltd Team

IT/OT integration is a crucial process in industries like manufacturing, energy, and utilities, but it also widens the attack surface. The convergence of IT and OT networks brings benefits such as increased efficiency and improved decision-making. However, it also exposes OT and IoT devices that were never designed to be reachable from the enterprise network: many have limited built-in security features, run outdated software, and cannot be patched on an IT schedule.

To address these challenges, organizations are exploring and implementing OT security solutions. Integrating security into the network design, rather than bolting it on afterwards, is crucial for secure IT/OT convergence. Firewall services play a vital role in protecting critical networks and data, but dedicated firewall appliances placed between IT and OT segments force traffic to hairpin through an extra hop, can become a bottleneck, and add hardware, rack space and operational expense at every site.

To overcome these challenges, Cisco has developed an alternative. The Cisco Secure Firewall ASA Virtual, packaged as a Docker container, can be hosted directly on Cisco Catalyst 9300 series switches using the switch's application-hosting framework. This containerized firewall provides the same feature set as the appliance and virtual ASA but eliminates the need for additional hardware at the site and reduces deployment complexity.

Hosting the containerized Secure Firewall ASA on Catalyst 9300 switches offers several benefits. It enhances security and simplifies network deployment, reducing costs and improving efficiency. Leveraging the redundant links and power supplies of the Catalyst 9300 switch further saves rack space, cooling requirements, and operational costs.
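To make the hosting model concrete, here is an added example of the IOS-XE configuration and exec commands involved in bringing a container up on a Catalyst 9300; it is not from the original article or from Cisco's documentation. The app name, VLAN numbers, guest-interface mapping, package path and port number are assumed for illustration and will differ per deployment.

```text
! --- Added example (assumed names, VLANs and paths) ---
! 1. Present the two VLANs that the firewall will sit between to the
!    application-hosting data-plane port as a trunk.
interface AppGigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! 2. Define the app and map each trunked VLAN to a guest interface
!    inside the container (guest-interface 0 -> VLAN 10 "IT",
!    guest-interface 1 -> VLAN 20 "OT").
app-hosting appid ASA
 app-vnic AppGigabitEthernet trunk
  vlan 10 guest-interface 0
  vlan 20 guest-interface 1
!
! 3. From exec mode: install the image from local storage (path assumed),
!    activate (reserves CPU/memory), then start it.
! switch# app-hosting install appid ASA package usbflash1:asa.tar
! switch# app-hosting activate appid ASA
! switch# app-hosting start appid ASA
!
! 4. Verify the state and attach to the ASA console for initial setup.
! switch# show app-hosting list
! switch# show app-hosting detail appid ASA
! switch# app-hosting connect appid ASA session
```

The check a practitioner wants after step 3 is `show app-hosting list` reporting the app as RUNNING; if it stays at ACTIVATED, the usual cause is the resource reservation (CPU, memory or storage) not being satisfiable on that switch model, which `show app-hosting detail` reports.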

The containerized Secure Firewall ASA protects the IT/OT network through stateful inspection, network segmentation, access control, traffic encryption, and secure remote management. Stateful inspection means the firewall tracks every connection in a state table and only admits return traffic that belongs to an established session, so a policy has to permit the initiating direction only. Network segmentation between IT and OT VLANs limits the spread of an intrusion, while access control based on Security Group Tags (SGTs) and ACLs restricts which hosts and roles may reach which OT services. Traffic encryption (site-to-site or remote-access VPN) protects against eavesdropping and man-in-the-middle attacks on links that cross untrusted networks, and secure remote management means administration happens over encrypted SSH or HTTPS sessions restricted to an administrative subnet rather than over cleartext protocols.
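The policy ideas in the paragraph above, expressed as an added ASA configuration example (not taken from the article or from a Cisco reference design). Interface names follow the ASAv convention and may differ on the containerized build; the subnets, the historian host, the SGT value and the admin subnet are assumed for illustration.

```text
! --- Added example (assumed interfaces, addresses, SGT and admin subnet) ---
interface GigabitEthernet0/0
 nameif it
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif ot
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
! Segmentation + access control, IT -> OT.
! Only the historian/HMI (assumed 10.20.0.50) is reachable, only on HTTPS
! from the IT subnet and on Modbus/TCP (502) from hosts carrying SGT 30.
! The ASA's stateful table admits the replies, so no reverse rule is needed.
access-list IT_TO_OT extended permit tcp 10.10.0.0 255.255.255.0 host 10.20.0.50 eq 443
access-list IT_TO_OT extended permit tcp security-group tag 30 any host 10.20.0.50 eq 502
access-list IT_TO_OT extended deny ip any any log
access-group IT_TO_OT in interface it
!
! OT -> IT: nothing may initiate. Without an explicit ACL the ASA would
! allow OT (security-level 100) to reach IT (50) by default, and the
! logged deny makes any lateral-movement attempt visible.
access-list OT_TO_IT extended deny ip any any log
access-group OT_TO_IT in interface ot
!
! Secure remote management: SSHv2 and ASDM over HTTPS, only from the
! assumed admin subnet, only on the IT interface.
ssh 10.10.100.0 255.255.255.0 it
ssh version 2
http server enable
http 10.10.100.0 255.255.255.0 it
```

Two caveats. The `security-group tag` match only works once the ASA actually learns SGT-to-IP mappings, either via inline tagging on the interface or via SXP from Cisco ISE; without that integration the SGT line never matches and Modbus is silently denied by the final rule, which is safe but easy to misdiagnose. Second, the moment an `access-group` is bound to an interface, the security-level shortcut no longer applies for that direction, so every permitted flow must be listed explicitly.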

Cisco DNA Center (DNAC) provides lifecycle management and orchestration for the containerized firewall on the switch, including image and version management, so the instance stays current. For the firewall policy itself, Cisco Defense Orchestrator centralizes policy management across large fleets, while Cisco Adaptive Security Device Manager (ASDM) offers a per-device graphical interface suited to smaller deployments.

Customers can leverage their existing virtual Secure Firewall ASA licenses for containerized instances on Catalyst 9300 switches, maximizing their investment and flexibility.

In conclusion

As industries digitize and adopt advanced technologies, secure IT/OT integration becomes crucial. Cisco Catalyst 9300 switches hosting the containerized Secure Firewall ASA provide a flexible and convenient way to put a stateful firewall at the IT/OT boundary without another appliance. The combination of stateful inspection, network segmentation, SGT- and ACL-based access control, traffic encryption, and secure remote management mitigates the main risks of IT/OT integration and helps safeguard critical infrastructure.